New SOC Prime detection rules available in Chronicle

2 min readApr 29, 2021

The Chronicle team is excited to release new SOC Prime detection rules, now available to use in the Chronicle Detect rules engine. SOC Prime Threat Detection Marketplace is the industry standard one-stop shop for Detection as Code operations and practices, offering access to detection signatures across multiple languages. This new set of detection content makes it simple for security teams to incorporate and build new threat detection rules, and apply them across all the security telemetry stored in Chronicle.

The capabilities of the Chronicle Detect rules engine are accessed using the YARA-L threat detection language which was designed by and for security practitioners to express complex threat behavior. SOC Prime and Chronicle partnered closely to develop a Sigma to YARA-L converter so that you can easily port or migrate existing rules from legacy systems to Chronicle. And now, you can access 500+ YARA-L based SOC Prime rules — at no additional charge — in the Chronicle GitHub repository.

“We’re excited to partner with Chronicle and enable our customers to implement flexible SOC Prime rulesets to be used as part of the Chronicle Detect rule engine. These new detections will help security teams identify threats and IOCs across all of the security telemetry they feed into the Chronicle platform.” — Andrii Bezverkhyi, Founder and CEO, SOC Prime

This brand new content set offers rules in the following categories:

Cloud Security — rules related to IaaS, SaaS, or PaaS data sources, such as web skimming attacks, suspicious command line activity containing secrets, and the execution of threats like ntdsutil.exe.

Compliance — rules that cover compliance-related security controls. For example, the ability to configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.

Proactive Exploit Detection — rules related to CVEs and exploits. Examples include CVE detection, such as a vulnerable CRYPT32.DLL library, CVE-2020–1350 (SIGRED), as well as suspicious activity such as anonymous users changing machine passwords, RDP logins from non-private IP ranges, and potential abuse of Active Directory Replication Service (ADRS) from a non machine account.

Threat Hunting — rules for threat hunting hypotheses that develop an understanding of the customer attack surface. Rules such as “detect local user creation” create a basis for more advanced detections that build upon the knowledge that local users typically should not be created on windows servers such as Active Directory controllers.

Using SOC Prime rules, security teams can elastically apply these new detections across incoming and historical security telemetry in the Chronicle platform.

Chronicle customers can access the new SOC Prime rules in the soc_prime_rules folder, and can add them to their Chronicle via the Detection UI or the Detection API. All technical documentation is available in your Chronicle instance.

To learn more about Chronicle’s SOC Prime rules, check out the Chronicle GitHub repository and visit SOC Prime’s Threat Detection Marketplace. Read the blog post to learn more about the Chronicle Detect rules engine. Interested in learning more about Chronicle? Complete our contact form.