Creating a Dashboard for Rule Modifications in Google SecOps Preview Dashboard

Hello,

I am currently working on setting up a dashboard in Google SecOps (previously Chronicle) to monitor and track rule modifications. My objective is to create a dashboard that provides insights into the changes made to the rules, such as creation, updates, and deletions.

Please let me know if anyone has an idea about it.

Thanks,
Suraj


Hi Suraj,

Google SecOps has a rule dashboard where you can see all your created rules. See https://cloud.google.com/chronicle/docs/detection/view-all-rules

In this dashboard you will be able to see:

  • Trend chart displays the rule with the greatest number of detections over the past 3 weeks.
  • Displays a graph of the activity associated with the rules. Hovering over a bar in the chart displays the date and number of detections.
  • Run frequency indicates the approximate frequency the rule will execute.
  • Live Status (Enabled or Disabled).
  • Rule severity as in the Rule metadata.

If you edit the rule, you will be able to see the View Version option. In this section you will see the different modifications made to the rule, with timestamps and updates.

Hi @skadav,

Do you have GCP Cloudaudit logs being ingested into your instance? If so the following documentation will help -> https://cloud.google.com/chronicle/docs/administration/audit-logging


Kind Regards,

Ayman

Yes, ingest GCP audit logs and then from there you can take a look at this - https://medium.com/@thatsiemguy/auditing-chronicle-admin-actions-27c9f011283d
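As an added example that is not part of this thread or of any Google documentation, here is a Python script that turns exported Cloud Audit Log entries for SecOps rule actions into the counts a "rule modifications" dashboard would chart (creations, updates, deletions, and enable/disable changes, broken down by actor and by day, with denied attempts listed separately). It assumes the logs are exported from Cloud Logging as JSON LogEntry records with the standard protoPayload fields (serviceName, methodName, authenticationInfo.principalEmail, resourceName, status.code). The serviceName value chronicle.googleapis.com, the RuleService method names, and the resourceName layout are assumptions about how these admin actions appear in your audit logs, and the log lines are constructed sample data, not real records.

```python
import json
from collections import Counter, defaultdict

# ASSUMPTION: service name under which Google SecOps admin actions are audited.
CHRONICLE_SERVICE = "chronicle.googleapis.com"

# ASSUMPTION: trailing part of protoPayload.methodName for each rule action,
# mapped to the category the dashboard should chart. Confirm these against a
# real audit log entry before relying on them.
RULE_ACTIONS = {
    "CreateRule": "created",
    "UpdateRule": "updated",
    "DeleteRule": "deleted",
    "UpdateRuleDeployment": "deployment_changed",  # enable/disable, live toggle
}


def _entry(ts, service, method, principal, resource, status_code=0):
    """Build one minimal Cloud Audit Log LogEntry in the JSON shape Cloud Logging exports."""
    payload = {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "serviceName": service,
        "methodName": method,
        "authenticationInfo": {"principalEmail": principal},
        "resourceName": resource,
    }
    if status_code:  # non-zero gRPC code means the call failed (e.g. 7 = PERMISSION_DENIED)
        payload["status"] = {"code": status_code}
    return json.dumps({"timestamp": ts, "protoPayload": payload})


# Constructed sample log lines; the rule resource path format is an assumption.
RULE_BASE = "projects/my-project/locations/us/instances/abc123/rules/"
SAMPLE_LOG_LINES = [
    _entry("2024-05-01T09:00:00Z", CHRONICLE_SERVICE,
           "google.cloud.chronicle.v1.RuleService.CreateRule", "alice@example.com", RULE_BASE + "ru_0001"),
    _entry("2024-05-01T10:30:00Z", CHRONICLE_SERVICE,
           "google.cloud.chronicle.v1.RuleService.UpdateRule", "alice@example.com", RULE_BASE + "ru_0001"),
    _entry("2024-05-02T08:15:00Z", CHRONICLE_SERVICE,
           "google.cloud.chronicle.v1.RuleService.UpdateRuleDeployment", "bob@example.com", RULE_BASE + "ru_0001"),
    _entry("2024-05-02T08:20:00Z", CHRONICLE_SERVICE,
           "google.cloud.chronicle.v1.RuleService.DeleteRule", "bob@example.com", RULE_BASE + "ru_0002"),
    # Denied deletion attempt: still a rule event, but must not count as a deletion.
    _entry("2024-05-02T11:00:00Z", CHRONICLE_SERVICE,
           "google.cloud.chronicle.v1.RuleService.DeleteRule", "mallory@example.com", RULE_BASE + "ru_0001", 7),
    # Noise from another service and a read-only SecOps call; both are skipped.
    _entry("2024-05-02T12:00:00Z", "compute.googleapis.com",
           "v1.compute.instances.setIamPolicy", "bob@example.com", "projects/my-project/zones/us-central1-a/instances/vm1"),
    _entry("2024-05-02T12:05:00Z", CHRONICLE_SERVICE,
           "google.cloud.chronicle.v1.RuleService.ListRules", "alice@example.com", RULE_BASE.rstrip("/")),
]


def parse_rule_events(lines):
    """Return one dict per rule create/update/delete/deployment call found in the JSON log lines."""
    events = []
    for line in lines:
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        if payload.get("serviceName") != CHRONICLE_SERVICE:
            continue
        method = payload.get("methodName", "")
        action = RULE_ACTIONS.get(method.rsplit(".", 1)[-1])
        if action is None:  # reads such as ListRules/GetRule are not modifications
            continue
        events.append({
            "timestamp": entry.get("timestamp", ""),
            "actor": payload.get("authenticationInfo", {}).get("principalEmail", "unknown"),
            "action": action,
            "rule": payload.get("resourceName", "").rsplit("/", 1)[-1],
            "succeeded": payload.get("status", {}).get("code", 0) == 0,
        })
    return events


def summarize(events):
    """Aggregate successful events into dashboard series; keep failed calls as a separate list."""
    ok = [e for e in events if e["succeeded"]]
    by_actor = defaultdict(Counter)
    by_day = defaultdict(Counter)
    for e in ok:
        by_actor[e["actor"]][e["action"]] += 1
        by_day[e["timestamp"][:10]][e["action"]] += 1  # YYYY-MM-DD from the RFC 3339 timestamp
    return {
        "by_action": dict(Counter(e["action"] for e in ok)),
        "by_actor": {actor: dict(c) for actor, c in by_actor.items()},
        "by_day": {day: dict(c) for day, c in by_day.items()},
        "failed": [e for e in events if not e["succeeded"]],
    }


if __name__ == "__main__":
    print(json.dumps(summarize(parse_rule_events(SAMPLE_LOG_LINES)), indent=2))
```

The split between successful and failed calls matters for this kind of dashboard: a denied DeleteRule from an unexpected principal is arguably more interesting than the successful changes, and folding it into the "deleted" count would hide it. Before wiring this into a real panel, pull one genuine CreateRule or UpdateRule audit entry from your instance and confirm the service and method names, since those are assumed here.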