Cloud SIEM • Detection Engineering • YARA-L
Google SecOps (Chronicle) Detection Lab
Google Chronicle • YARA-L 2.0 • Python API • UDM Search
Engineering a cloud-native threat detection lab within Google SecOps to hunt for SSH brute force, encoded PowerShell, and DNS exfiltration.
Architecture & Components
Core components
- Google Security Operations (Chronicle SIEM)
- YARA-L 2.0
- Dataplane Ingestion API
- UDM (Unified Data Model)
Challenges & Engineering Decisions
Rule Tuning & Validation
Problem
Validating complex encoded PowerShell detections required controlled log injection.
Solution
Wrote Python helper scripts that post hand-crafted UDM events for each scenario (true positives alongside benign look-alikes) through the Ingestion API, then tuned the rules against those events in the Rules Editor.
Outcome
- Detected T1059 (Command and Scripting Interpreter) behavior, including the encoded PowerShell cases
- Verified the detections with zero false positives in the test tenant
Reflection
Building in Google SecOps solidified my understanding of UDM-centric hunting and cloud-native detection at scale.