How to create an automated traffic allow list by Compute Engine instance type in Chronicle

  1. Manually created instances:
  • Example name: jump1-prod-us-east-1
  • Prefix example: “jump”
  2. Instances created by an instance group:
  • Example name: nginx-production-2j3l; Format: {instance-group}-{GCP-created-unique-identifier}
  • Prefix example: “nginx” to group environments or “nginx-production” to separate environments
  3. GKE node-pool instances:
  • Example name: gke-prod-application-flink-452f94ad-5k1jf; Format: {cluster}-{node-pool}-{GCP-created-unique-identifier}
  • Prefix example: “gke-prod-application-flink”
  1. Create rule
  2. Edit rule
  3. Retrohunt: run a rule against historical data to find detections (matches)
  4. List detections: retrieve the matches for your rule
  1. Download and set up the Chronicle API samples repository, api-samples-python, from GitHub
  2. Copy the custom .py scripts from GitHub into the detect/v2 folder
  3. Update the variables in the constants.py file
Chronicle rule with unique domain access per instance or prefix type
  • Pull in someone from your SRE or engineering team
  • Walk through the lists with them to confirm that each domain is approved for that instance type
  • Make the rules live and enable alerting.
Example Chronicle allow list with a regex on the hostname
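The steps above (group hostnames by naming format, derive one prefix per instance type, collect the unique domains each prefix reaches, then check them against what the team approved) as an added example. This is my own code, not the article's scripts and not part of the Chronicle api-samples-python repository. It follows the naming formats the article lists; the exact suffix character classes, the regex-building convention, and the log records are my assumptions and constructions, and the regex it emits is meant for a YARA-L `re.regex` condition on the hostname.

```python
"""Group Compute Engine hostnames into allow-list prefixes and check egress domains.

Added example, not code from the article or from api-samples-python.
"""
import re
from collections import defaultdict

# Hostname formats from the article, most specific first. The suffix character
# classes are assumptions: GCP-generated suffixes observed so far are lowercase
# alphanumerics (8 hex + 5 alnum for GKE nodes, 4 alnum for instance groups).
#   GKE node:  {cluster}-{node-pool}-{8 hex}-{5 alnum}
#   MIG:       {instance-group}-{4 alnum}
#   Manual:    free-form; the leading alphabetic word is the prefix (e.g. "jump")
# Each entry: (kind, matcher that captures the prefix, regex tail for the allow list).
FORMATS = [
    ("gke", re.compile(r"^(?P<prefix>gke-[a-z0-9-]+?)-[0-9a-f]{8}-[a-z0-9]{5}$"),
     r"-[0-9a-f]{8}-[a-z0-9]{5}$"),
    ("mig", re.compile(r"^(?P<prefix>[a-z][a-z0-9-]*?)-[a-z0-9]{4}$"),
     r"-[a-z0-9]{4}$"),
    ("manual", re.compile(r"^(?P<prefix>[a-z]+)\d*(-|$)"),
     r"\d*(-|$)"),
]


def classify(hostname):
    """Return (kind, prefix) for a hostname, or (None, None) if no format fits.

    Caveat: a manually named host whose last label is exactly four alphanumerics
    (e.g. "jump-prod-west") is indistinguishable from an instance-group member and
    will be classified as "mig"; add such prefixes to the allow list by hand.
    """
    for kind, pattern, _ in FORMATS:
        m = pattern.match(hostname)
        if m:
            return kind, m.group("prefix")
    return None, None


def hostname_regex(hostname):
    """Anchored regex matching every instance that shares this hostname's prefix.

    Prefixes are restricted to [a-z0-9-] by the matchers, so no escaping is needed.
    Paste the result into re.regex($e.principal.hostname, `...`) in the rule.
    """
    for _, pattern, tail in FORMATS:
        m = pattern.match(hostname)
        if m:
            return "^" + m.group("prefix") + tail
    raise ValueError("no naming format matches %r" % hostname)


def domains_by_prefix(records):
    """Collapse (hostname, domain) records into the unique domains each prefix reached."""
    seen = defaultdict(set)
    for rec in records:
        _, prefix = classify(rec["hostname"])
        seen[prefix or "unclassified"].add(rec["domain"])
    return {prefix: sorted(domains) for prefix, domains in seen.items()}


def unapproved(observed, allow_list):
    """Domains a prefix reached that are not on its allow list.

    This is exactly what the rule would alert on once it is live, so it is the
    list to review with SRE/engineering before enabling alerting.
    """
    result = {}
    for prefix, domains in observed.items():
        extra = sorted(set(domains) - set(allow_list.get(prefix, ())))
        if extra:
            result[prefix] = extra
    return result


# Constructed sample records standing in for hostname/domain pairs pulled from
# Chronicle; they are not real telemetry.
SAMPLE_RECORDS = [
    {"hostname": "jump1-prod-us-east-1", "domain": "packages.cloud.google.com"},
    {"hostname": "jump2-prod-us-east-1", "domain": "github.com"},
    {"hostname": "nginx-production-2j3l", "domain": "packages.cloud.google.com"},
    {"hostname": "nginx-production-9xk2", "domain": "pastebin.com"},
    {"hostname": "gke-prod-application-flink-452f94ad-5k1jf", "domain": "gcr.io"},
    {"hostname": "gke-prod-application-flink-452f94ad-mm0p1", "domain": "gcr.io"},
]

# Constructed allow list: what the team has signed off per prefix.
APPROVED = {
    "jump": ["packages.cloud.google.com", "github.com"],
    "nginx-production": ["packages.cloud.google.com"],
    "gke-prod-application-flink": ["gcr.io"],
}

if __name__ == "__main__":
    for host in sorted({r["hostname"] for r in SAMPLE_RECORDS}):
        print(host, "->", classify(host), hostname_regex(host))
    print("review before going live:", unapproved(domains_by_prefix(SAMPLE_RECORDS), APPROVED))
```

Run the script once per retrohunt export: anything `unapproved` returns is either a domain to add to that prefix's list or a host that should not be talking to it, and either way it is the conversation to have with SRE before the rule starts alerting.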
