Applied Threat Intelligence priority overview
Applied Threat Intelligence (ATI) alerts in Google Security Operations are IOC matches that have been contextualized by YARA-L rules using Curated Detection. The contextualization leverages Mandiant intelligence from Google Security Operations context entities, which allows intelligence-driven alert prioritization. ATI priorities are available in Google Security Operations Managed as the Applied Threat Intelligence - Curated Prioritization rule pack with the Google Security Operations Enterprise Plus license.
Applied Threat Intelligence priority models
Applied Threat Intelligence uses features that are extracted from Mandiant intelligence and Google Security Operations events to generate a priority. Features that are relevant to the priority level and indicator type are formed into logic chains that output different classes of priority. The Active Breach and High Priority models focus strongly on actionable threat intelligence, so alerts generated from them are the ones to act on first. Additional models for medium and low priority events use similar logic.
Features
Applied Threat Intelligence features are extracted from Mandiant intelligence. Following are the most relevant Applied Threat Intelligence priority features.
Mandiant IC-Score: Mandiant automated confidence score
Active IR: Indicator is sourced from an active incident response engagement
Prevalence: Indicator is commonly observed by Mandiant
Attribution: Indicator is strongly associated with a threat tracked by Mandiant
Scanner: Indicator is identified as a known internet scanner by Mandiant
Commodity: Indicator is not yet common knowledge in the security community
You can view the Applied Threat Intelligence priority feature for an alert on the IOC Matches > Event Viewer page.
Priority models are used in the curated detection rules in the Applied Threat Intelligence - Curated Prioritization rule pack. You can build your own rules using Mandiant intelligence through Mandiant Fusion Intelligence, which is available with the Google Security Operations Enterprise Plus license. For more information on writing Fusion feed YARA-L rules, see Applied Threat Intelligence fusion feed overview.