# Applied Threat Intelligence priority overview

Supported in: Google SecOps [SIEM](/chronicle/docs/secops/google-secops-siem-toc)

Applied Threat Intelligence (ATI) alerts in Google SecOps are IoC matches that curated detection has contextualized with YARA-L rules. The contextualization draws on Mandiant threat intelligence held in Google SecOps context entities, which allows intelligence-driven alert prioritization.

ATI priorities are provided in the **Applied Threat Intelligence - Curated Prioritization** rule pack, which is available in Google SecOps Managed Content with the Google SecOps Enterprise Plus license.

ATI prioritization features
---------------------------

The most relevant ATI prioritization features are:

- **Mandiant IC-Score**: Mandiant's automated confidence score for the indicator.

- **Active IR**: The indicator was sourced from an active incident response engagement.

- **Prevalence**: The indicator is commonly observed by Mandiant.

- **Attribution**: The indicator is strongly associated with a threat tracked by Mandiant.

- **Scanner**: Mandiant has identified the indicator as a known internet scanner.

- **Commodity**: The indicator is common knowledge in the security community.

- **Blocked**: The activity involving the indicator was not blocked by security controls.

- **Network Direction**: The indicator was seen in inbound or outbound network traffic.

You can view the ATI priority features for an alert on the **IoC matches** > **Event viewer** page.

ATI priority models
-------------------

ATI combines Google SecOps events with Mandiant threat intelligence to assign a priority to IoCs. The priority is derived from the features relevant to each priority level and IoC type, chained into the logic that classifies the priority. The resulting ATI actionable threat intelligence models then help you respond to the generated alerts.
Priority models are used in the curated detection rules provided in the **Applied Threat Intelligence - Curated Prioritization** rule pack. You can also create custom rules using Mandiant threat intelligence through Mandiant Fusion Intelligence, available with the Google SecOps Enterprise Plus license. For more information about writing Fusion feed YARA-L rules, see [Applied Threat Intelligence fusion feed overview](/chronicle/docs/detection/ati-fusion-feed).

The following priority models are available:

### Active breach priority

The Active breach model prioritizes indicators that have been observed in Mandiant investigations associated with active or past compromises. Network indicators in this model attempt to match only outbound network traffic.

Relevant features used by the model: Mandiant IC-Score, Active IR, Prevalence, Attribution, and Scanner (for network indicators).

### High priority

The High model prioritizes indicators that were not observed in Mandiant investigations but that Mandiant threat intelligence has associated with threat actors or malware. Network indicators in this model attempt to match only outbound network traffic.

Relevant features used by the model: Mandiant IC-Score, Prevalence, Attribution, Commodity, and Scanner (for network indicators).

### Medium priority

The Medium model prioritizes indicators that were not observed in Mandiant investigations but that Mandiant threat intelligence has associated with commodity malware. Network indicators in this model match only outbound network traffic.

Relevant features used by the model: Mandiant IC-Score, Prevalence, Attribution, Blocked, Commodity, and Scanner (for network indicators).

**Note:** Keep the ATI Medium rule packs in non-alerting mode; the volume of Medium priority indicators can be high.

### Inbound IP address authentication

The Inbound IP address authentication model prioritizes IP addresses that authenticate to local infrastructure in the inbound network direction. The UDM authentication extension must be present in an event for it to match. The rule set also attempts to filter out failed authentication events, although this filtering is not enforced for all product types; for example, the rule set is not scoped for some SSO authentication types.

Relevant features used by the model: Mandiant IC-Score, Blocked, Network Direction, and Active IR.

Last updated: 2025-09-04 (UTC).
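The four logic chains above, reduced to a runnable model that you can point at exported IoC matches to see which model would claim each one. This is an added example written for this page, not the rule pack's YARA-L and not Google or Mandiant code: the feature flags mirror the ATI prioritization features listed earlier, but the IC-Score cut-offs, the treatment of Prevalence as a demotion, the evaluation order, and the `IocContext` / `MatchedEvent` field names are assumptions made here; the sample matches are constructed from RFC 5737 documentation addresses and placeholder values, not real indicators.

```python
"""Runnable sketch of the ATI priority logic chains (added example, not Google's code).

Each model is a chain of feature checks over (a) the Mandiant context attached to
the IoC and (b) the UDM event it matched. Thresholds, the "prevalent demotes"
rule and the evaluation order are assumptions; the page states none of them.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed IC-Score cut-offs (IC-Score is 0-100); tune to your environment.
IC_SCORE_HIGH = 80
IC_SCORE_MEDIUM = 50


@dataclass(frozen=True)
class IocContext:
    """Mandiant intelligence features for one indicator (names mirror the page)."""
    indicator: str
    ioc_type: str               # "ip", "domain" or "hash" (assumed vocabulary)
    ic_score: int               # Mandiant IC-Score
    active_ir: bool = False     # sourced from an active IR engagement
    prevalent: bool = False     # commonly observed by Mandiant
    attributed: bool = False    # strongly associated with a tracked threat
    scanner: bool = False       # known internet scanner
    commodity: bool = False     # common knowledge in the security community


@dataclass(frozen=True)
class MatchedEvent:
    """The subset of the matched UDM event that the models consult (assumed shape)."""
    direction: Optional[str] = None   # "INBOUND" / "OUTBOUND" for network events
    blocked: bool = False             # a security control blocked the activity
    has_auth_extension: bool = False  # UDM authentication extension present
    auth_failed: bool = False         # the authentication attempt failed


def _is_network(ioc: IocContext) -> bool:
    return ioc.ioc_type in ("ip", "domain")


def _outbound_chain_ok(ioc: IocContext, ev: MatchedEvent) -> bool:
    """Active breach, High and Medium match network IoCs only outbound and never scanners."""
    if not _is_network(ioc):
        return True  # file hashes and similar carry no network direction
    return ev.direction == "OUTBOUND" and not ioc.scanner


def prioritize(ioc: IocContext, ev: MatchedEvent) -> Optional[str]:
    """Return the model that claims this match, or None when no model fires."""
    # Inbound IP address authentication is its own chain: inbound IP plus auth extension.
    if ioc.ioc_type == "ip" and ev.direction == "INBOUND":
        if (ev.has_auth_extension and not ev.auth_failed and not ev.blocked
                and (ioc.active_ir or ioc.ic_score >= IC_SCORE_HIGH)):
            return "inbound_ip_auth"
        return None
    if not _outbound_chain_ok(ioc, ev):
        return None
    if ioc.prevalent:
        return None  # assumption: widely observed indicators are too noisy to raise
    if ioc.active_ir and ioc.ic_score >= IC_SCORE_HIGH:
        return "active_breach"
    if ioc.attributed and not ioc.commodity and ioc.ic_score >= IC_SCORE_HIGH:
        return "high"
    if ioc.commodity and not ev.blocked and ioc.ic_score >= IC_SCORE_MEDIUM:
        return "medium"
    return None


def triage(matches):
    """Count how many matches each model would raise; a quick volume check per model."""
    counts = {}
    for ioc, ev in matches:
        model = prioritize(ioc, ev)
        if model is not None:
            counts[model] = counts.get(model, 0) + 1
    return counts


# Constructed sample matches (documentation addresses and dummy hash); not real IoCs.
SAMPLE_MATCHES = [
    (IocContext("198.51.100.7", "ip", 95, active_ir=True), MatchedEvent(direction="OUTBOUND")),
    (IocContext("198.51.100.7", "ip", 95, active_ir=True), MatchedEvent(direction="INBOUND")),
    (IocContext("c2.example.net", "domain", 88, attributed=True), MatchedEvent(direction="OUTBOUND")),
    (IocContext("203.0.113.9", "ip", 90, attributed=True, scanner=True), MatchedEvent(direction="OUTBOUND")),
    (IocContext("e3b0c442" * 8, "hash", 60, commodity=True), MatchedEvent()),
    (IocContext("e3b0c442" * 8, "hash", 60, commodity=True), MatchedEvent(blocked=True)),
    (IocContext("192.0.2.44", "ip", 85), MatchedEvent(direction="INBOUND", has_auth_extension=True)),
    (IocContext("192.0.2.44", "ip", 85), MatchedEvent(direction="INBOUND", has_auth_extension=True, auth_failed=True)),
]

if __name__ == "__main__":
    for ioc, ev in SAMPLE_MATCHES:
        print(f"{ioc.indicator:<64} {ev.direction or '-':<9} -> {prioritize(ioc, ev)}")
    print(triage(SAMPLE_MATCHES))
```

The second sample line is the point of the exercise: the same Active IR indicator that fires the Active breach model outbound fires nothing inbound, because the Active breach chain only looks at outbound traffic and the inbound chain requires the authentication extension. Likewise the blocked commodity hash and the failed inbound login drop out, which is the behaviour the Blocked feature and the failed-authentication filter describe.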