Investigating a GCTI Alert

For Google Chronicle customers who are also Google Cloud Threat Intelligence (GCTI) customers, GCTI alerts are displayed on the Enterprise Insights page, as shown below. These alerts are derived from both Google's internal threat detection infrastructure and research provided by GCTI security analysts.

GCTI Alert view

Complete the following steps to navigate to Google Cloud Threat Intelligence Alert view:

  1. Hover over the VERDICT column to open the ALERT SUMMARY, displaying additional information about the alert.

    GCTI Alert Summary ALERT SUMMARY

  2. Click VIEW ALERT to open the GCTI Alert view.

    GCTI Alert View GCTI ALERT view

    GCTI Alert view provides additional information from Google about the alert, including an analysis from GCTI of the threat and its severity. This view also shows the analyst update logs, which include all of the feedback added by your security analysts.

Submitting alert feedback

You can provide feedback for the alerts GCTI has provided for your enterprise. This feedback is visible to both the GCTI team and your own security team, since it is incorporated into your Chronicle account and accessible from Enterprise Insights and GCTI Alert view.

To submit alert feedback:

  1. Click UPDATE in the GCTI Alert view.

    Update Alert Classification

    Update Alert Classification pop-up window

  2. Adjust the values in the Verdict field.

    Possible values include the following:

    • True Positive—Correct security result.
    • False Positive—Incorrect security result.
    • None—No feedback to provide.
  3. Adjust the value for the Usefulness field.

    Possible values include the following:

    • Useful—Security result was useful and should be raised again (implied by a True Positive).
    • Not Useful—Security result was not useful and should not be raised again.
    • None—No feedback to provide.
  4. Adjust the Severity using the slider. You can set a value between 1 (Informational) to 100 (Critical).

  5. You can add feedback to the Comments field explaining your reasoning for your selections for Verdict, Usefulness, and Severity. These comments are visible to your own security team and to Chronicle.

  6. When you have finished entering your alert feedback, click SAVE.

Closing an alert

When an alert is no longer useful, you can click CLOSE, opening a pop-up window similar to the one that appears when you click UPDATE.

Select values for:

  • Verdict
  • Usefulness
  • Severity

You can also add additional information in the Comments field.

The CLOSE option hides the alert in the default view of Enterprise Insights and prevents you from adding any updates to the alert.