Use curated detection rules for third party vendor alerts

This document provides an overview of the rule sets within the third party vendor alerts category, the required data sources, and configuration you can use to tune the alerts generated by each rule set.

Rule sets in the third party vendor alerts category surface third party vendor alerts as Google Security Operations detections. This category includes the following rule sets:

  • Carbon Black alerts: Passthrough rules for Carbon Black alerts.
  • CrowdStrike alerts: Passthrough rules for CrowdStrike alerts.
  • Microsoft Defender for Endpoint alerts: Passthrough rules for Microsoft Defender for Endpoint Graph alerts.
  • SentinelOne Threats alerts: Passthrough rules for SentinelOne alerts.

Supported devices and log types

This section lists the data required by each rule set.

Rule sets in the third party vendor alerts category have been tested with, and are supported for, the following Google SecOps-supported EDR data sources:

  • Carbon Black (CB_EDR)
  • CrowdStrike Falcon (CS_EDR)
  • Microsoft Defender for Endpoint (MICROSOFT_GRAPH_ALERT)
  • SentinelOne CF (SENTINELONE_CF)

For a list of all Google SecOps-supported data sources, see Supported log types and default parsers.

Tune alerts returned by rule sets

You can reduce the number of detections a rule or rule set generates using rule exclusions.

A rule exclusion defines the criteria used to exclude an event from being evaluated by the rule set, or by specific rules in the rule set. You can create one or more rule exclusions to help reduce the volume of detections. See Configure rule exclusions for more information.