{"id":13520623,"url":"https://github.com/chronicle/detection-rules","last_synced_at":"2025-03-31T18:31:12.548Z","repository":{"id":43276327,"uuid":"331114594","full_name":"chronicle/detection-rules","owner":"chronicle","description":"Collection of YARA-L 2.0 sample rules for the Chronicle Detection API","archived":false,"fork":false,"pushed_at":"2023-12-18T23:16:09.000Z","size":404,"stargazers_count":193,"open_issues_count":8,"forks_count":45,"subscribers_count":29,"default_branch":"main","last_synced_at":"2023-12-19T06:29:58.880Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://chronicle.security","language":"YARA","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/chronicle.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2021-01-19T21:30:23.000Z","updated_at":"2023-12-20T16:27:10.112Z","dependencies_parsed_at":"2023-12-20T16:27:09.505Z","dependency_job_id":"874eb383-c96c-4e48-97e9-dc9e150a75d0","html_url":"https://github.com/chronicle/detection-rules","commit_stats":null,"previous_names":[],"tags_count":0,"template":null,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chronicle%2Fdetection-rules","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chronicle%2Fdetection-rules/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chronicle%2Fdetection-rules/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chronicle%2Fdetection-rules/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/chronicle","download_url":"https://codeload.github.com/chronicle/detection-rules/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246517744,"owners_count":20790480,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T06:00:19.028Z","updated_at":"2025-03-31T18:31:12.540Z","avatar_url":"https://github.com/chronicle.png","language":"YARA","funding_links":[],"categories":["Uncategorized","Detection Content \u0026 Signatures"],"sub_categories":["Uncategorized"],"readme":"# Google Security Operations Detection Rules\n\nThis repository contains example YARA-L rules and dashboards for use within\n[Google Security Operations (SecOps)](https://cloud.google.com/security/products/security-operations).\n\nThe rules in this repository are distinct from Google SecOps\n[Curated Detections](https://cloud.google.com/chronicle/docs/detection/curated-detections)\nthat are developed by Google Cloud Threat Intelligence and designed to generate\ndetections \u0026 alerts that are highly actionable. Curated Detections are available\nto Google SecOps customers with an Enterprise license or higher.\n\nBefore deploying any rules, using Google SecOps' [test rule](https://cloud.google.com/chronicle/docs/detection/manage-all-rules)\nfunctionality is considered a best practice and provides the opportunity for\nusers to tune rules to their environment before creating alerts for them.\n\nDashboard YAML files can be [imported](https://cloud.google.com/chronicle/docs/reports/import-export-dashboards#import_dashboards)\ninto Google SecOps dashboards using the `Add` - `Import Dashboard` capability\nfound next to the Personal Dashboards or Shared Dashboards section of the UI.\nThe intent of this is to provide sample dashboards that can serve as templates,\ninspiration or starting points for your own dashboards and can be modified as\nyou see fit.\n\n## Directory Structure\n\n| Directory                                    | Description                    |\n|--------------------------------------------- | ------------------------------ |\n| [`rules/community/`](rules/community/)       | YARA-L rules created by members of the Google SecOps team and user community |\n| [`tools/rule_manager/`](tools/rule_manager/) | CLI tool used to manage rules and other content via Google SecOps' REST API |\n\n## Getting Started\n\nRules can be created within your Google SecOps instance by using the\n[Rules Editor](https://cloud.google.com/chronicle/docs/detection/manage-all-rules).\nSimply download the rule from the repository and copy the content of the rule\nto the rules editor when creating a new rule.\n\nDetailed instructions can be found in your Google SecOps instance under\ndocumentation.\n\nThe [rule manager](tools/rule_manager/) tool and accompanying documentation \u0026\ntutorials can be used to easily implement a Detection-as-Code pipeline for\nmanaging rules via Google SecOps' [REST API](https://cloud.google.com/chronicle/docs/reference/rest).\n\n## How to Get Help\n\nIf you have questions related to this project, please open a new issue in this\nGitHub repository. You can also ask questions related to Google SecOps in the\n[Google Cloud Security Community](https://www.googlecloudcommunity.com/gc/Google-Cloud-Security/ct-p/googlecloud-security).\n\n## How to Contribute\n\nInterested in contributing to this project? We'd love to hear from you! Example\ncontributions include new rules and updates to existing rules.\n\nPlease refer to our [contribution guide](CONTRIBUTING.md) for further\ninformation.\n\nOur style guide for authoring YARA-L detection rules can be found [here](STYLE_GUIDE.md).\n\n## Useful Resources\n\n### YARA-L rules and Unified Data Model (UDM)\n\n* [Monitoring events using rules](https://cloud.google.com/chronicle/docs/how-to#monitoring-events-using-rules)\n* [Overview of the YARA-L language](https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-overview)\n* [YARA-L language syntax](https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax)\n* [Unified Data Model usage guide](https://cloud.google.com/chronicle/docs/unified-data-model/udm-usage)\n* [Unified Data Model field list](https://cloud.google.com/chronicle/docs/reference/udm-field-list)\n\n### Code Samples\n\n* [Example Code for interacting with Google SecOps' API](https://github.com/chronicle/api-samples-python/tree/master/detect/v1alpha)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchronicle%2Fdetection-rules","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchronicle%2Fdetection-rules","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchronicle%2Fdetection-rules/lists"}