Investigate a GCTI alert

Google Cloud Threat Intelligence (GCTI) alerts are derived from both Google's internal threat detection infrastructure and research provided by GCTI security analysts.

For Chronicle customers who are also Chronicle SIEM customers, GCTI alerts are displayed on the Alerts and IOCs page. In the Source column, alerts that have been generated by GCTI are labeled as Curated detections.

View a GCTI alert

To see your GCTI alerts, follow these steps:

  1. Click Alerts and IOCs in the top right menu.
  2. In the Source column, alerts are labeled as either Custom alert or Curated detections. Curated detections are created by GCTI. Click Source to move all the alerts with the Curated detections tag to the top.
  3. Click the text in the Details column of the alert you want to investigate.

Alerts and IOCs page

When you click the text in the Details column, a page opens with two tabs: Alert graph and Alert details. Alert graph is an interactive graph that allows you to expand your search. Alert details shows you important information about the alert.

To learn how to use Alert graph and Alert details, follow the steps in Investigate an Alert.

The Curated detections dashboard is where all the GCTI-related rules are located.

To get to the Curated detections dashboard, follow these steps:

  1. Click the Rules tab in the main menu.
  2. There are three tabs: Rules dashboard, Rules editor, and Curated detections. Click Curated detections.

Curated detections is where all the GCTI rules and the alerts they generate are located.

Investigate GCTI rules

Above the table are two tabs: Rules sets and Dashboard.

In Rules sets, there is a table that shows all the rules and rule sets (groups of rules that are used together). In this tab, you can do the following:

  • Collapse or expand different sections
  • Enable or disable Alerting and Status
  • Use the boxes in the left-hand corner of the table to apply changes to a single rule set or to all rule sets

Curated detections

In the Dashboard section, you will see rules separated by category.

Chronicle rules dashboard

If you click on an alert in the Dashboard section, a page will open that shows you a timeline of recent detections for that alert.

Rule detection page

Using Precise and Broad rules

There are two types of rules in Rules sets: Precise and Broad. You can enable or disable Precise or Broad rules separately depending on the type of search you are doing.

  • Precise rules find malicious behavior with a higher degree of confidence and fewer false positives, because the rules are more specific.
  • Broad rules find behavior that could potentially be malicious or anomalous. Since these rules are more general than the Precise ones, there is a higher chance of false positives.