Use curated detection rules for third-party alerts

Supported in:

This document provides an overview of the rule sets within the third-party vendor alerts category, the required data sources, and configuration you can use to tune the alerts generated by each rule set.

Rule sets in the third-party vendor alerts category surface third-party vendor alerts as Google Security Operations detections. This category includes the following rule sets:

  • Carbon Black alerts: Passthrough rules for Carbon Black alerts.
  • CrowdStrike alerts: Passthrough rules for CrowdStrike alerts.
  • Microsoft Defender for Endpoint alerts: Passthrough rules for Microsoft Defender for Endpoint Graph alerts.
  • SentinelOne Threats alerts: Passthrough rules for SentinelOne alerts.
  • Cybereason EDR Passthrough rules: Passthrough rules for Cybereason EDR alerts.
  • Deep Instinct EDR Passthrough rules: Passthrough rules for Deep Instinct EDR alerts.
  • Digital Guardian EDR Passthrough rules: Passthrough rules for Digital Guardian EDR alerts.
  • ESET EDR Passthrough rules: Passthrough rules for ESET EDR alerts.
  • Fortinet FortiEDR Passthrough rules: Passthrough rules for Fortinet FortiEDR alerts.
  • LimaCharlie EDR Passthrough rules: Passthrough rules for LimaCharlie EDR alerts.
  • MalwareBytes EDR Passthrough rules: Passthrough rules for MalwareBytes EDR alerts.
  • PAN EDR Passthrough rules: Passthrough rules for PAN EDR alerts.
  • Sophos EDR Passthrough rules: Passthrough rules for Sophos EDR alerts.
  • Symantec EDR Passthrough rules: Passthrough rules for Symantec EDR alerts.
  • Uptycs EDR Passthrough rules: Passthrough rules for Uptycs EDR alerts.

Supported devices and log types

This section lists the data required by each rule set.

Rule sets in the third-party vendor alerts category have been tested and are supported with the following Google SecOps supported EDR data sources:

  • Carbon Black (CB_EDR)
  • CrowdStrike Detection Monitoring (CS_DETECTS)
  • Microsoft Defender for Endpoint (MICROSOFT_GRAPH_ALERT)
  • SentinelOne CF (SENTINELONE_CF)
  • Cybereason EDR (CYBEREASON_EDR)
  • Deep Instinct EDR (DEEP_INSTINCT_EDR)
  • Digital Guardian EDR (DIGITAL_GUARDIAN_EDR)
  • ESET EDR (ESET_EDR)
  • Fortinet FortiEDR (FORTINET_FORTIEDR)
  • LimaCharlie EDR (LIMACHARLIE_EDR)
  • MalwareBytes EDR (MALWAREBYTES_EDR)
  • PAN EDR (PAN_EDR)
  • Sophos EDR (SOPHOS_EDR)
  • Symantec EDR (SYMANTEC_EDR)
  • Uptycs EDR (UPTYCS_EDR)

For a list of all Google SecOps supported data sources, see Supported log types and default parsers.

Tune alerts returned by rule sets

You can reduce the number of detections a rule or rule set generates using rule exclusions.

A rule exclusion defines the criteria used to exclude an event from being evaluated by the rule set, or by specific rules in the rule set. You can create one or more rule exclusions to help reduce the volume of detections. See Configure rule exclusions for more information.

Need more help? Get answers from Community members and Google SecOps professionals.