Overview of the Mandiant Threat Defense Rules category

This document provides an overview of the Mandiant Threat Defense rule sets, the required data sources, and the configuration options for tuning the alerts they generate in the Google Security Operations platform.

Rule sets in the Mandiant Threat Defense Rules category label security-relevant events across the Google SecOps-enabled detection content for Google Cloud and endpoint environments. The labeled events are intended as input for composite rules, which correlate them. This category includes the following rule sets:

  • Cloud Identification rules: Logic derived from Mandiant Threat Defense investigation and response to cloud incidents across the globe. These rules detect security-relevant cloud events and are designed to be consumed by the correlation rules in the cloud composite rule set.

  • Endpoint Identification rules: Logic derived from Mandiant Threat Defense investigation and response to endpoint incidents across the globe. These rules detect security-relevant endpoint events and are designed to be consumed by the correlation rules in the endpoint composite rule set.

Supported devices and log types

These rules primarily rely on Cloud Audit Logs, endpoint detection and response (EDR) logs, and network proxy logs. Google SecOps automatically normalizes these log sources into the Unified Data Model (UDM).

For a list of all Google SecOps supported data sources, see Supported default parsers.

The following categories outline the most important log sources required for the curated composite content to function effectively:

Endpoint identification rule log sources

Google Cloud identification rule log sources

Google Cloud and endpoint rule log sources

For a complete list of the available curated detections, see Use curated detections. Contact your Google SecOps representative if you need to enable the detection sources using a different mechanism.

Google SecOps provides default parsers that parse and normalize raw logs to create UDM records with data required by composite and curated detection rule sets. For a list of all Google SecOps supported data sources, see Supported log types and default parsers.

Modify rules in a rule set

You can customize the behavior of rules within a rule set to meet your organization's needs. Adjust how each rule operates by selecting one of the following detection modes, and configure whether the rules generate alerts:

  • Broad: detects potentially malicious or anomalous behavior, but may produce more false positives because the rule logic is more general.
  • Precise: detects specific malicious or anomalous behavior, with fewer false positives than the Broad mode.

To modify the settings, do the following:

  1. From the rules list, select the checkbox next to each rule that you want to modify.
  2. Configure the Status and Alerting settings for the rules as follows:
    • Status: applies the selected mode (Precise or Broad) to the rule. Set to Enabled to activate the rule in that mode.
    • Alerting: controls whether the rule generates an alert on the Alerts page. Set to On to enable alerts for the rule.

Tune alerts from rule sets

You can reduce the number of alerts generated by a composite rule by using rule exclusions.

A rule exclusion specifies criteria that prevent certain events from being evaluated by a rule or rule set. Use exclusions to reduce detection volume. See Configure rule exclusions for more information.
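The pipeline this page describes (identification rules label single events, a composite rule correlates the labels, and exclusions keep matching events out of evaluation entirely) is easier to reason about with a concrete run over sample data. The following Python model is an added example written for this page; it is not Google SecOps code, not YARA-L, and not any Mandiant rule. The event field names, rule names, label strings, and the "key created then IAM policy changed" correlation are all invented for illustration, and the sample events are constructed, not real audit logs.

```python
"""Toy model of identification rules -> composite rule -> exclusions.

Constructed illustration for this page. Field names only loosely mirror
UDM (principal, log_type, target); the rules and labels are hypothetical.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Timestamps are ISO-8601 UTC.
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "log_type": "GCP_CLOUDAUDIT",
     "principal": "alice@example.com",
     "method": "google.iam.admin.v1.CreateServiceAccountKey",
     "target": "projects/demo/serviceAccounts/app@demo.iam.gserviceaccount.com"},
    {"ts": "2024-05-01T10:04:00", "log_type": "GCP_CLOUDAUDIT",
     "principal": "alice@example.com",
     "method": "SetIamPolicy", "target": "projects/demo"},
    # A CI service account doing the same two things: noisy but expected.
    {"ts": "2024-05-01T11:00:00", "log_type": "GCP_CLOUDAUDIT",
     "principal": "terraform@demo.iam.gserviceaccount.com",
     "method": "google.iam.admin.v1.CreateServiceAccountKey",
     "target": "projects/demo/serviceAccounts/ci@demo.iam.gserviceaccount.com"},
    {"ts": "2024-05-01T11:01:00", "log_type": "GCP_CLOUDAUDIT",
     "principal": "terraform@demo.iam.gserviceaccount.com",
     "method": "SetIamPolicy", "target": "projects/demo"},
    {"ts": "2024-05-01T12:00:00", "log_type": "EDR", "principal": "bob",
     "host": "WS-42", "process": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc ZQBjAGgAbwA="},
]


# Identification rules: each looks at ONE event and returns a label or None.
def ident_sa_key_created(ev):
    if ev["log_type"] == "GCP_CLOUDAUDIT" and ev["method"].endswith("CreateServiceAccountKey"):
        return "cloud.sa_key_created"
    return None


def ident_iam_policy_changed(ev):
    if ev["log_type"] == "GCP_CLOUDAUDIT" and ev["method"] == "SetIamPolicy":
        return "cloud.iam_policy_changed"
    return None


def ident_encoded_powershell(ev):
    if ev["log_type"] == "EDR" and ev.get("process") == "powershell.exe" and " -enc " in ev.get("cmdline", ""):
        return "endpoint.encoded_powershell"
    return None


IDENT_RULES = [ident_sa_key_created, ident_iam_policy_changed, ident_encoded_powershell]


def label_events(events):
    """Attach every matching identification label; drop events with none."""
    labelled = []
    for ev in events:
        labels = [lab for lab in (rule(ev) for rule in IDENT_RULES) if lab]
        if labels:
            labelled.append({**ev, "labels": labels})
    return labelled


def composite_key_then_policy(labelled, window=timedelta(minutes=10)):
    """Composite rule: one principal creates a service account key and then
    changes IAM policy within `window`. Returns (principal, t_key, t_policy)."""
    by_principal = defaultdict(list)
    for ev in labelled:
        by_principal[ev["principal"]].append(ev)
    alerts = []
    for principal, evs in by_principal.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            if "cloud.sa_key_created" not in first["labels"]:
                continue
            t0 = datetime.fromisoformat(first["ts"])
            for later in evs[i + 1:]:
                if ("cloud.iam_policy_changed" in later["labels"]
                        and datetime.fromisoformat(later["ts"]) - t0 <= window):
                    alerts.append((principal, first["ts"], later["ts"]))
                    break
    return alerts


def apply_exclusions(events, exclusions):
    """Exclusions remove events BEFORE any rule evaluates them, which is the
    point of the page: fewer events in, fewer composite alerts out."""
    return [ev for ev in events if not any(excl(ev) for excl in exclusions)]


# Hypothetical exclusion: the known CI service account in project "demo".
EXCLUSIONS = [lambda ev: ev["principal"] == "terraform@demo.iam.gserviceaccount.com"]


def run(events, exclusions=()):
    return composite_key_then_policy(label_events(apply_exclusions(events, exclusions)))


if __name__ == "__main__":
    print("without exclusions:", run(EVENTS))      # alice and terraform fire
    print("with exclusions:   ", run(EVENTS, EXCLUSIONS))  # only alice fires
```

Two things the model makes visible that the prose does not: an exclusion is applied to events, not to alerts, so an excluded principal never contributes a label to any composite rule; and the encoded PowerShell event is labeled but produces no alert, because labeling alone is not alerting until a composite rule (or the rule's own Alerting setting) consumes it.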
