Overview of Applied Threat Intelligence curated detections
This document provides an overview of the Curated Detection rule sets in the Applied Threat Intelligence Curated Prioritization category, which is available in Google Security Operations Enterprise Plus. These rules leverage Mandiant threat intelligence to proactively identify and alert on high-priority threats.
This category includes the following rule sets that support the Applied Threat Intelligence feature in Google Security Operations SIEM:
- Active Breach Priority Network Indicators: Identifies network-related indicators of compromise (IOCs) in event data using Mandiant threat intelligence. Prioritizes IOCs with the Active Breach label.
- Active Breach Priority Host Indicators: Identifies host-related IOCs in event data using Mandiant threat intelligence. Prioritizes IOCs with the Active Breach label.
- High Priority Network Indicators: Identifies network-related IOCs in event data using Mandiant threat intelligence. Prioritizes IOCs with the High label.
- High Priority Host Indicators: Identifies host-related IOCs in event data using Mandiant threat intelligence. Prioritizes IOCs with the High label.
When you enable the rule sets, Google Security Operations SIEM starts evaluating your event data against Mandiant threat intelligence data. If one or more rules identify a match to an IOC with either the Active Breach or High label, an alert is generated. For more information about how to enable curated detection rule sets, see Enable all rule sets.
Supported devices and log types
You can ingest data from any log type that Google Security Operations SIEM supports with a default parser. For the list, see Supported log types and default parsers.
Google Security Operations evaluates your UDM event data against IOCs curated by Mandiant threat intelligence and identifies whether there is a domain, IP address, or file hash match. It analyzes the UDM fields that store a domain, IP address, or file hash.
If you replace a default parser with a custom parser, and you change the UDM field where a domain, IP address, or file hash is stored, you may affect the behavior of these rule sets.
The rule sets use the following UDM fields to determine priority, such as Active Breach or High:
- network.direction
- security_result.[]action
For IP address indicators, the network.direction field is required. If the network.direction field is not populated in the UDM event, then Applied Threat Intelligence checks the principal.ip and target.ip fields against RFC 1918 internal IP address ranges to determine the network direction. If this check does not provide clarity, then the IP address is considered to be external to the customer environment.
Tuning alerts returned by the Applied Threat Intelligence category
You can reduce the number of detections a rule or rule set generates using rule exclusions.
In the rule exclusion, define the criteria of a UDM event that exclude the event from being evaluated by the rule set. Events with values in the specified UDM field won't be evaluated by rules in the rule set.
For example, you might exclude events based on the following UDM fields:
- principal.hostname
- principal.ip
- target.domain.name
- target.file.sha256
See Configure rule exclusions for information about how to create rule exclusions.
If a rule set uses a predefined reference list, the reference list description provides detail about which UDM field is evaluated.
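The following is an added illustration, not Google Security Operations code, of the evaluation flow described on this page: the RFC 1918 fallback used when network.direction is missing, IOC matching on domain, IP and file hash fields, and rule exclusions keyed on UDM fields. The IOC values, the direction strings INBOUND/OUTBOUND, and the rule that any IP not in RFC 1918 space is treated as external are constructed assumptions for the example.

```python
import ipaddress

# Constructed sample IOC table: indicator value -> priority label.
# These are placeholder values, not real Mandiant indicators.
SAMPLE_IOCS = {
    "198.51.100.7": "Active Breach",
    "bad.example.test": "High",
    "0" * 64: "High",   # placeholder SHA-256
}

# RFC 1918 ranges checked when the event carries no network.direction.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(value):
    """True only for a parseable IP inside an RFC 1918 range."""
    try:
        return any(ipaddress.ip_address(value) in net for net in RFC1918)
    except ValueError:
        return False

def external_ips(event):
    """IPs to check against IOCs. Assumption: OUTBOUND means target.ip is
    external, INBOUND means principal.ip is external. Without a direction,
    any IP that is not clearly RFC 1918 (including unparseable values)
    is treated as external, as the page describes."""
    src, dst = event.get("principal.ip"), event.get("target.ip")
    direction = event.get("network.direction")
    if direction == "OUTBOUND":
        return {dst} if dst else set()
    if direction == "INBOUND":
        return {src} if src else set()
    return {ip for ip in (src, dst) if ip and not is_rfc1918(ip)}

def is_excluded(event, exclusions):
    """Rule exclusion: skip events whose UDM field holds an excluded value."""
    return any(event.get(field) in values for field, values in exclusions.items())

def evaluate(event, iocs=SAMPLE_IOCS, exclusions=None):
    """Return (matched_value, label) for the first IOC hit, or None."""
    if is_excluded(event, exclusions or {}):
        return None
    candidates = [event.get("target.domain.name"), event.get("target.file.sha256")]
    candidates += sorted(external_ips(event))
    for value in candidates:
        if value in iocs:
            return value, iocs[value]
    return None
```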