This document provides an overview of the rule sets within the
third-party vendor alerts category, the required data sources, and
configuration you can use to tune the alerts generated by each rule set.
Rule sets in the third-party vendor alerts category surface third-party vendor
alerts as Google Security Operations detections. This category includes the
following rule sets:
Carbon Black alerts: Passthrough rules for Carbon Black alerts.
CrowdStrike alerts: Passthrough rules for CrowdStrike alerts.
Microsoft Defender for Endpoint alerts: Passthrough rules for Microsoft Defender for Endpoint Graph alerts.
SentinelOne Threats alerts: Passthrough rules for SentinelOne alerts.
Cybereason EDR Passthrough rules: Passthrough rules for Cybereason EDR alerts.
Deep Instinct EDR Passthrough rules: Passthrough rules for Deep Instinct EDR alerts.
Digital Guardian EDR Passthrough rules: Passthrough rules for Digital Guardian EDR alerts.
ESET EDR Passthrough rules: Passthrough rules for ESET EDR alerts.
Fortinet FortiEDR Passthrough rules: Passthrough rules for Fortinet FortiEDR alerts.
LimaCharlie EDR Passthrough rules: Passthrough rules for LimaCharlie EDR alerts.
MalwareBytes EDR Passthrough rules: Passthrough rules for MalwareBytes EDR alerts.
PAN EDR Passthrough rules: Passthrough rules for PAN EDR alerts.
Sophos EDR Passthrough rules: Passthrough rules for Sophos EDR alerts.
Symantec EDR Passthrough rules: Passthrough rules for Symantec EDR alerts.
Uptycs EDR Passthrough rules: Passthrough rules for Uptycs EDR alerts.
Supported devices and log types
This section lists the data required by each rule set.
Rule sets in the third-party vendor alerts category have been tested and are
supported with the following Google SecOps supported EDR data sources:
Carbon Black (CB_EDR)
CrowdStrike Detection Monitoring (CS_DETECTS)
Microsoft Defender for Endpoint (MICROSOFT_GRAPH_ALERT)
You can reduce the number of detections a rule or rule set generates using
rule exclusions.
A rule exclusion defines the criteria used to exclude an event from being evaluated
by the rule set, or by specific rules in the rule set. You can create one or more rule
exclusions to help reduce the volume of detections.
See Configure rule exclusions for more information.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["# Use curated detection rules for third-party alerts\n==================================================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n\nThis document provides an overview of the rule sets within the\n*third-party vendor alerts* category, the required data sources, and\nconfiguration you can use to tune the alerts generated by each rule set.\n\nRule sets in the third-party vendor alerts category surface third-party vendor\nalerts as Google Security Operations detections. This category includes the\nfollowing rule sets:\n\n- **Carbon Black alerts**: Passthrough rules for Carbon Black alerts.\n- **CrowdStrike alerts**: Passthrough rules for CrowdStrike alerts.\n- **Microsoft Defender for Endpoint alerts**: Passthrough rules for Microsoft Defender for Endpoint Graph alerts.\n- **SentinelOne Threats alerts**: Passthrough rules for SentinelOne alerts.\n- **Cybereason EDR Passthrough rules**: Passthrough rules for Cybereason EDR alerts.\n- **Deep Instinct EDR Passthrough rules**: Passthrough rules for Deep Instinct EDR alerts.\n- **Digital Guardian EDR Passthrough rules**: Passthrough rules for Digital Guardian EDR alerts.\n- **ESET EDR Passthrough rules**: Passthrough rules for ESET EDR alerts.\n- **Fortinet FortiEDR Passthrough rules**: Passthrough rules for Fortinet FortiEDR alerts.\n- **LimaCharlie EDR Passthrough rules**: Passthrough rules for LimaCharlie EDR alerts.\n- **MalwareBytes EDR Passthrough rules**: Passthrough rules for MalwareBytes EDR alerts.\n- **PAN EDR Passthrough rules**: Passthrough rules for PAN EDR alerts.\n- **Sophos EDR Passthrough rules**: Passthrough rules for Sophos EDR alerts.\n- **Symantec EDR Passthrough rules**: Passthrough rules for Symantec EDR alerts.\n- **Uptycs EDR Passthrough rules**: Passthrough rules for Uptycs EDR alerts.\n\n### Supported devices and log types\n\nThis section lists the data required by each rule set.\n\nRule sets in the third-party vendor alerts category have been tested and are\nsupported with the following Google SecOps supported EDR data sources:\n\n- Carbon Black (`CB_EDR`)\n- CrowdStrike Detection Monitoring (`CS_DETECTS`)\n- Microsoft Defender for Endpoint (`MICROSOFT_GRAPH_ALERT`)\n- SentinelOne CF (`SENTINELONE_CF`)\n- Cybereason EDR (`CYBEREASON_EDR`)\n- Deep Instinct EDR (`DEEP_INSTINCT_EDR`)\n- Digital Guardian EDR (`DIGITAL_GUARDIAN_EDR`)\n- ESET EDR (`ESET_EDR`)\n- Fortinet FortiEDR (`FORTINET_FORTIEDR`)\n- LimaCharlie EDR (`LIMACHARLIE_EDR`)\n- MalwareBytes EDR (`MALWAREBYTES_EDR`)\n- PAN EDR (`PAN_EDR`)\n- Sophos EDR (`SOPHOS_EDR`)\n- Symantec EDR (`SYMANTEC_EDR`)\n- Uptycs EDR (`UPTYCS_EDR`)\n\nFor a list of all Google SecOps supported data sources, see\n[Supported log types and default parsers](/chronicle/docs/ingestion/parser-list/supported-default-parsers).\n\n### Tune alerts returned by rule sets\n\nYou can reduce the number of detections a rule or rule set generates using\n[rule exclusions](/chronicle/docs/detection/rule-exclusions).\n\nA rule exclusion defines the criteria used to exclude an event from being evaluated\nby the rule set, or by specific rules in the rule set. You can create one or more rule\nexclusions to help reduce the volume of detections.\nSee [Configure rule exclusions](/chronicle/docs/detection/rule-exclusions) for more information.\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]