This article provides an overview of content pack management and procedures for creating and managing content packs in the Resolution Intelligence Cloud.
Content packs help you group multiple detection rules in a centralized place and publish them to Chronicle to analyze a huge volume of logs and detect security threats posed to enterprises. You can create and manage the packs at domain, organization, or tenant levels. However, the content pack can only be edited at the creator level. For example, if a content pack is created at the domain level, only users at that level can edit it. Users at tenant or organization levels cannot.
Google Chronicle is a cloud-based service designed to collect and process logs to identify anomalies. Chronicle accepts both unstructured and structured logs.
By default, only the base pack is available in the account, and you can enhance these packs based on the subscriptions you have. Examples of packs are AWS, Office 365, Active Directory, Exploit, etc.
Creating Content Packs
The Content Pack page lets you search all packs by pack name and quickly enable, disable, edit, or delete them.
User Permissions Required
A user with the Publisher role at the domain, organization, or tenant level can create packs.
To create a content pack to publish detection rules to Chronicle:
1. Do one of the following to access Configurations:
- Click the Configurations icon at the top navigation bar.
- Click the hamburger menu on the left and select CONFIGURATIONS.
2. Click Content Packs, under Signals.
3. From the Packs listing page, click Create New in the top right corner.
4. In the pack creation form, enter Pack Name and Description.
5. In the Rules section, click Add Rules. A side panel opens.
6. Add one or more rules to associate with the pack. For more information on detection rules, refer to this article.
Note: Add only rules that are in the published and approved states. Click Reset to clear the selection.
7. Click Submit. The selected rules are added to the pack.
8. In the Accounts section, add one or more accounts to associate with the pack.
Note: If you are at the domain level, you can associate a pack with organizations only. If you are at the organization level, you can associate a pack with tenants only. If you are at the tenant level, you cannot associate a pack with any other tenants, organizations, or domains.
9. On the right of the pack page, you can do the following:
- Comments: collaborate with others by adding comments.
- Activity log: find the actions taken by different users on the pack.
10. Click Save as Draft. Your pack is saved as a draft.
11. Click Publish. Your pack and its associated rules are published to the selected accounts.
Note: After publishing a pack at the domain level, the pack name and rules are not editable at the organization and tenant levels.
Content Pack Notifications
Trigger for Content Pack Publishing
- Trigger: An email notification is sent when a user clicks the Publish button in the content pack.
Content Pack Publishing Notifications
- Success Notification: A success notification is sent if the pack, associated with multiple rules, is successfully published to all child accounts.
- Partial Success Notification:
Details: If the content pack is only partially published, a partial success notification is sent. This email includes an attachment detailing:
- The number of rules that failed to publish.
- The number of rules that were disabled.
- The number of rules that failed to create in the parent account.
User Actions: In case of failed or disabled rules, users are advised to take the following steps:
For failed rules:
- Attempt to republish the entire content pack.
- Alternatively, publish a specific rule by switching to the respective child account before you click the rule hyperlink in the spreadsheet.
For disabled rules:
- Enable all rules across tenants by enabling them at the parent level.
- Alternatively, enable specific disabled rules by switching to the respective tenant's account before you click the rule hyperlink in the spreadsheet.
Note: Whenever a user modifies a rule associated with a content pack or updates the pack details and republishes it, a new notification is sent with the latest information.
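The scoping rules in the procedure above (a pack is editable only at the level that created it, a domain-level pack can be associated with organizations only, an organization-level pack with tenants only, a tenant-level pack with no other account, and only published or approved rules can be added) and the success versus partial-success classification of a publish run can be modelled in a few lines. The following Python is an added example written for this article; it is not Resolution Intelligence Cloud or Chronicle code, and the account names, rule names, rule states and per-account publish statuses it uses are constructed placeholders rather than product API values.

```python
from dataclasses import dataclass, field
from enum import Enum


class Level(Enum):
    DOMAIN = "domain"
    ORGANIZATION = "organization"
    TENANT = "tenant"


# A pack may be associated only with accounts one level below its creator
# (domain -> organizations, organization -> tenants, tenant -> nothing).
CHILD_LEVEL = {
    Level.DOMAIN: Level.ORGANIZATION,
    Level.ORGANIZATION: Level.TENANT,
    Level.TENANT: None,
}

# Only rules in these states may be added to a pack (state names as used in the article).
ADDABLE_STATES = {"published", "approved"}


@dataclass(frozen=True)
class Account:
    name: str
    level: Level


@dataclass
class Rule:
    name: str
    state: str  # constructed states for the example: "published", "approved", "draft"


@dataclass
class ContentPack:
    name: str
    creator: Account
    rules: list = field(default_factory=list)
    accounts: list = field(default_factory=list)


def can_edit(pack, actor):
    """The edit option is offered only to the account that created the pack."""
    return actor == pack.creator


def can_associate(pack, target):
    """Association is limited to the creator's direct child level."""
    return CHILD_LEVEL[pack.creator.level] == target.level


def add_rule(pack, rule):
    """Reject rules that are not yet published or approved."""
    if rule.state not in ADDABLE_STATES:
        raise ValueError(f"rule {rule.name!r} is {rule.state!r}; only published/approved rules can be added")
    pack.rules.append(rule)
    return pack


def associate(pack, account):
    """Attach a child account, enforcing the level rule."""
    if not can_associate(pack, account):
        raise PermissionError(
            f"{pack.creator.level.value}-level pack cannot be associated with "
            f"{account.level.value} account {account.name!r}")
    pack.accounts.append(account)
    return pack


@dataclass
class PublishReport:
    outcome: str           # "success" or "partial_success"
    failed: int            # rules that failed to publish in a child account
    disabled: int          # rules that were disabled
    failed_in_parent: int  # rules that failed to create in the parent account


def classify_publish(results):
    """Summarise per-rule/per-account outcomes into the notification counts.

    results: iterable of (rule_name, account_name, status); status is one of
    "published", "failed", "disabled", "failed_in_parent" (constructed values).
    Counts are of distinct rules, matching the attachment described above.
    """
    by_status = {"failed": set(), "disabled": set(), "failed_in_parent": set()}
    for rule_name, _account, status in results:
        if status in by_status:
            by_status[status].add(rule_name)
    counts = {k: len(v) for k, v in by_status.items()}
    outcome = "success" if not any(counts.values()) else "partial_success"
    return PublishReport(outcome, counts["failed"], counts["disabled"], counts["failed_in_parent"])


def demo():
    domain = Account("example-domain", Level.DOMAIN)
    org = Account("example-org", Level.ORGANIZATION)
    tenant = Account("example-tenant", Level.TENANT)
    pack = ContentPack("Constructed AWS pack", creator=domain)
    add_rule(pack, Rule("aws_root_login", "published"))
    add_rule(pack, Rule("aws_iam_policy_change", "approved"))
    associate(pack, org)  # allowed: domain-level pack -> organization
    try:
        associate(pack, tenant)  # rejected: domain-level packs cannot target tenants
    except PermissionError as exc:
        print("rejected:", exc)
    results = [  # constructed publish outcomes for the two rules in the child account
        ("aws_root_login", org.name, "published"),
        ("aws_iam_policy_change", org.name, "failed"),
    ]
    report = classify_publish(results)
    print(report)
    return pack, report


if __name__ == "__main__":
    demo()
```

Running `demo()` prints the rejected tenant association and a `PublishReport` with outcome `partial_success` and one failed rule, which is the case where the article says to republish the pack or the individual rule from the child account.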
Detection Rules Notifications
Trigger for Single Detection Rule Publishing
An email notification is sent when a user clicks the Associate and Publish button for a single rule associated with multiple packs.
Single Rule Publishing Notification
- Success Notification: If the rule is successfully published to all the associated packs, a success notification is sent to the user immediately.
- Failure Notification: If the rule fails to publish, an email is sent with an attachment that details the name of the failed rule.
User Actions: In case of failed or disabled rules, users are advised to take the following steps:
For failed rules:
- Attempt to republish the entire content pack.
- Alternatively, publish the specific rule by switching to the respective child account before you click the rule hyperlink in the spreadsheet.
For disabled rules:
- Enable all rules across tenants by enabling them at the parent level.
- Alternatively, enable the specific disabled rule by switching to the respective tenant's account before you click the rule hyperlink in the spreadsheet.
Editing Content Packs
The edit pack option is visible only at the creator level (domain, organization, or tenant). At that level, you can edit all the details: the description, the rules list, and the accounts associated with the pack.
Finding Content Packs
The free text search filters content packs by pack name only. There is no Search button.
Filtering Content Packs
You can filter the packs by All Changes Published, Unpublished Changes, and All filters.
Sorting Content Packs
The packs feed lists every content pack, with its status, on the listing page after you create, save, or publish it. A pack has one of two statuses:
All Changes Published: all rules linked to the pack are in the published state.
Unpublished Changes: at least one linked rule is unpublished.
You can sort the packs based on the following list of options:
Item | Description
---|---
Name | The name given to the pack
Status | The state the pack is in
Rules | Rule(s) associated with the pack
Created by | The user who created the pack
Created On | Date and time when the pack was first created
Modified On | Date and time of the last change to the pack
Modified by | The user who last modified the pack after it was created
To rearrange the content packs in ascending or descending order, click the corresponding sort icon.