Applied Threat Intelligence priority overview

Applied Threat Intelligence (ATI) alerts in Google Security Operations are IOC matches that have been contextualized by YARA-L rules using Curated Detection. The contextualization draws on Mandiant intelligence from Google Security Operations context entities, which allows intelligence-driven alert prioritization. ATI priorities are available in Google Security Operations Managed as the Applied Threat Intelligence - Curated Prioritization rule pack with a Google Security Operations Enterprise Plus license.

Applied Threat Intelligence priority models

Applied Threat Intelligence uses features that are extracted from Mandiant intelligence and Google Security Operations events to generate a priority. Features that are relevant to the priority level and indicator type are formed into logic chains that output different classes of priority. The Active Breach and High Priority models focus strongly on actionable threat intelligence and help you take action on the alerts they generate. Additional models for medium and low priority events use similar logic.


Applied Threat Intelligence features are extracted from Mandiant intelligence. The following are the most relevant Applied Threat Intelligence priority features.

  • Mandiant IC-Score: Mandiant automated confidence score

  • Active IR: Indicator is sourced from an active incident response engagement

  • Prevalence: Indicator is commonly observed by Mandiant

  • Attribution: Indicator is strongly associated with a threat tracked by Mandiant

  • Scanner: Indicator is identified as a known internet scanner by Mandiant

  • Commodity: Indicator is not yet common knowledge in the security community

You can view the Applied Threat Intelligence priority feature for an alert on the IOC Matches > Event Viewer page.

Priority models are used in the curated detection rules in the Applied Threat Intelligence - Curated Prioritization rule pack. You can build your own rules with Mandiant intelligence by using Mandiant Fusion Intelligence, which is available with the Google Security Operations Enterprise Plus license. For more information on writing Fusion feed YARA-L rules, see Applied Threat Intelligence fusion feed overview.