Overview of Applied Threat Intelligence curated detections

This document provides an overview of the Curated Detection rule sets in the Applied Threat Intelligence Curated Prioritization category, which is available in Google Security Operations Enterprise Plus. These rules use Mandiant threat intelligence to proactively identify and alert on high-priority threats.

This category includes the following rule sets that support the Applied Threat Intelligence feature in Google Security Operations SIEM:

  • Active Breach Priority Network Indicators: Identifies network-related indicators of compromise (IOCs) in event data using Mandiant threat intelligence. Prioritizes IOCs with the Active Breach label.
  • Active Breach Priority Host Indicators: Identifies host-related IOCs in event data using Mandiant threat intelligence. Prioritizes IOCs with the Active Breach label.
  • High Priority Network Indicators: Identifies network-related IOCs in event data using Mandiant threat intelligence. Prioritizes IOCs with the High label.
  • High Priority Host Indicators: Identifies host-related IOCs in event data using Mandiant threat intelligence. Prioritizes IOCs with the High label.

When you enable the rule sets, Google Security Operations SIEM starts evaluating your event data against Mandiant threat intelligence data. If one or more rules identify a match to an IOC with either the Active Breach or High label, an alert is generated. For more information about how to enable curated detection rule sets, see Enable all rule sets.

Supported devices and log types

You can ingest data from any log type that Google Security Operations SIEM supports with a default parser. For the list, see Supported log types and default parsers.

Google Security Operations evaluates your UDM event data against IOCs curated by Mandiant threat intelligence and reports a match when a domain, IP address, or file hash in an event matches an indicator. Only the UDM fields that store a domain, IP address, or file hash are analyzed.

If you replace a default parser with a custom parser that stores a domain, IP address, or file hash in a different UDM field, the rule sets might no longer see those values, and their behavior can change. Verify that custom parsers keep indicators in the standard UDM fields.

In addition to the indicator fields, the rule sets read the following UDM fields when determining the priority of a match, such as Active Breach or High:

  • network.direction
  • security_result.[]action

For IP address indicators, the network.direction field is required. If network.direction is not populated in the UDM event, Applied Threat Intelligence compares the principal.ip and target.ip fields against the RFC 1918 private address ranges (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) to infer the direction. If that comparison is inconclusive, for example because both addresses are private or both are public, the IP address is treated as external to the customer environment.

Tuning alerts returned by Applied Threat Intelligence category

You can reduce the number of detections a rule or rule set generates using rule exclusions.

In the rule exclusion, define the UDM field and the values that exclude an event from evaluation by the rule set. Events whose specified UDM field holds one of those values aren't evaluated by any rule in the rule set, so no alert is generated for them even if they contain a matching IOC.

For example, you might exclude events based on the following information:

  • principal.hostname
  • principal.ip
  • target.domain.name
  • target.file.sha256

See Configure rule exclusions for information about how to create rule exclusions.
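The following Python model ties together the two mechanisms described above: the network.direction fallback for IP indicators (honouring a populated network.direction, otherwise inferring it from principal.ip and target.ip against RFC 1918, and treating an inconclusive result as external) and rule exclusions that drop an event before any IOC matching. It is an added example, not Google Security Operations code or the rule sets' actual logic: the IOC feed, the exclusion list and the UDM events are constructed, and the rule that OUTBOUND checks target.ip while INBOUND checks principal.ip is an assumption made for the illustration.

```python
"""Model of how the Applied Threat Intelligence rule sets evaluate UDM events.

Constructed illustration, not Google Security Operations code. The IOC feed,
the events and the exclusion list are made up; the UDM paths are the ones the
page names (network.direction, principal.ip, target.ip, principal.hostname,
target.domain.name, target.file.sha256).
"""
import ipaddress

# Constructed stand-in for the Mandiant feed: indicator -> priority label.
IOCS = {
    "198.51.100.23": "Active Breach",   # TEST-NET-2 address, made up
    "evil.example": "High",
    "a" * 64: "High",                   # placeholder SHA-256
}

# Constructed rule exclusion: events whose principal.hostname holds one of
# these values are never evaluated (the page's principal.hostname example).
EXCLUSIONS = {"principal.hostname": {"sandbox-01"}}

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def get(event, path):
    """Read a dotted UDM path such as 'target.file.sha256' from a nested dict."""
    node = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def is_rfc1918(ip):
    """True/False for a parsable address, None when absent or unparsable."""
    if not ip:
        return None
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    return any(addr in net for net in RFC1918)


def infer_direction(event):
    """Page's fallback: use network.direction when populated, otherwise compare
    principal.ip and target.ip against RFC 1918. Returns (direction, source)
    with direction UNKNOWN when the comparison is inconclusive."""
    direction = get(event, "network.direction")
    if direction:
        return direction, "event"
    p = is_rfc1918(get(event, "principal.ip"))
    t = is_rfc1918(get(event, "target.ip"))
    if p is True and t is False:
        return "OUTBOUND", "inferred"
    if p is False and t is True:
        return "INBOUND", "inferred"
    return "UNKNOWN", "inferred"


def external_ips(event):
    """IPs to compare with IP indicators. Assumption, not stated on the page:
    OUTBOUND -> target.ip, INBOUND -> principal.ip. When direction is
    inconclusive the page treats the address as external, so both sides are
    checked."""
    direction, _ = infer_direction(event)
    fields = {"OUTBOUND": ["target.ip"], "INBOUND": ["principal.ip"]}.get(
        direction, ["principal.ip", "target.ip"])
    return [ip for ip in (get(event, f) for f in fields) if ip]


def is_excluded(event, exclusions=EXCLUSIONS):
    """True when any exclusion field holds one of its excluded values."""
    return any(get(event, field) in values for field, values in exclusions.items())


def evaluate(event, iocs=IOCS, exclusions=EXCLUSIONS):
    """Return (indicator_type, indicator, label) for each IOC match; excluded
    events are dropped before matching, as the page describes."""
    if is_excluded(event, exclusions):
        return []
    candidates = [("ip", ip) for ip in external_ips(event)]
    candidates += [("domain", get(event, "target.domain.name")),
                   ("sha256", get(event, "target.file.sha256"))]
    return [(kind, v, iocs[v]) for kind, v in candidates if v in iocs]


EVENTS = [  # constructed UDM events, nested like UDM
    {"principal": {"hostname": "ws-042", "ip": "10.1.2.3"},
     "target": {"ip": "198.51.100.23"}, "network": {"direction": "OUTBOUND"}},
    {"principal": {"hostname": "ws-043", "ip": "192.168.5.9"},
     "target": {"ip": "198.51.100.23"}},               # direction inferred OUTBOUND
    {"principal": {"hostname": "fw-01", "ip": "198.51.100.23"},
     "target": {"ip": "10.0.0.5"}},                    # direction inferred INBOUND
    {"principal": {"hostname": "ws-044", "ip": "10.0.0.5"},
     "target": {"ip": "172.16.0.9"}},                  # both private: inconclusive
    {"principal": {"hostname": "proxy-01", "ip": "203.0.113.5"},
     "target": {"ip": "198.51.100.23"}},               # both public: inconclusive, still matched
    {"principal": {"hostname": "sandbox-01", "ip": "10.9.9.9"},
     "target": {"domain": {"name": "evil.example"}}},  # IOC present but host excluded
    {"principal": {"hostname": "ws-045"},
     "target": {"file": {"sha256": "a" * 64}}},        # hash match
]

if __name__ == "__main__":
    for event in EVENTS:
        print(get(event, "principal.hostname"), infer_direction(event), evaluate(event))
```

The sandbox-01 event shows the cost of an exclusion: the event carries a High-priority domain indicator, but because its principal.hostname is excluded it is never evaluated, so scope exclusions to hosts whose traffic you can genuinely vouch for. The proxy-01 event shows the other side of the fallback: with two public addresses the direction stays UNKNOWN, yet the indicator still matches because the page treats an inconclusive address as external.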

If a rule set uses a predefined reference list, the reference list description provides detail about which UDM field is evaluated.