Investigate a GCTI alert

Google Cloud Threat Intelligence (GCTI) alerts are derived from both Google's internal threat detection infrastructure and research provided by GCTI security analysts.

For Chronicle SIEM customers, GCTI alerts appear on the Alerts and IOCs page, where the Source column labels alerts generated by GCTI as Curated detections.

View a GCTI Alert

To see your GCTI alerts, follow these steps:

  1. From the navigation bar, click Detection > Alerts and IOCs.
  2. In the Source column, GCTI alerts are labeled Curated detections. Click the Source column header to sort the list so that all alerts tagged Curated detections move to the top.
  3. Click the link in the Name column of the alert you want to investigate.

When you click the text in the Name column, a page opens with three tabs: Overview, Graph, and Alert history. Graph is an interactive graph view that lets you pivot from the alert and expand your search. Alert history shows the history and key details of the alert.

To learn how to use Graph and Alert history, follow the steps in Investigate an Alert.

The Curated detections dashboard is where all GCTI rules are listed.

To get to the Curated detections dashboard, follow these steps:

  1. From the navigation bar, click Detection > Rules & detections.
  2. There are four tabs: Rules dashboard, Rules editor, Curated detections, and Exclusions. Click Curated detections. This tab lists all the GCTI rules and the alerts they generate.

Investigate GCTI rules

Above the table are two tabs: Rule sets and Dashboard.

In Rule sets, a table shows all the rules and rule sets (groups of rules that are used together). In this tab, you can do the following:

  • Collapse or expand the different sections
  • Turn Status and Alerting on or off for a rule set
  • Use the checkboxes at the left of the table to apply a change to a single rule set or to all rule sets at once

The Dashboard section displays the rules separated by category.

Click an entry in the Dashboard section to open a page showing a timeline of recent detections for that rule.

Using Precise and Broad rules

There are two types of rules in Rule sets: Precise and Broad. You can enable or disable Precise and Broad rules separately, depending on the kind of investigation you are doing.

  • Precise rules identify malicious behavior with a higher degree of confidence and fewer false positives, because they match on more specific conditions.
  • Broad rules identify behavior that could be malicious or anomalous. Since they are more general than Precise rules, they produce more false positives.

A practical consequence is that Precise rules are well suited to alerting, while Broad rules are better used for hunting and context, with their detections reviewed before any response action is taken.
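The difference is easiest to see in rule form. The following pair of YARA-L 2.0 rules is an added illustration written for this page, not one of the GCTI curated rules; the rule names, regexes, and choice of UDM fields are assumptions made for the example. Both rules look for PowerShell launched with an encoded command; the Broad version fires on any such launch, while the Precise version additionally requires that the parent process be an Office application and that the window be hidden, two conditions that rarely occur together in legitimate administration.

```yaral
// Added illustration, not a GCTI curated rule.
// Broad: any PowerShell process started with an encoded command.
// Encoded commands are common in admin tooling, so expect false positives.
rule example_broad_powershell_encoded_command {
  meta:
    author = "example"
    description = "Broad: PowerShell launched with -EncodedCommand"
    severity = "LOW"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.file.full_path = /powershell\.exe$/ nocase
    $e.target.process.command_line = /-enc(odedcommand)?\s/ nocase

  condition:
    $e
}

// Added illustration, not a GCTI curated rule.
// Precise: the same launch, but only when the parent is an Office
// application and the window is hidden. Each extra constraint narrows
// the match and lowers the false-positive rate.
rule example_precise_powershell_encoded_from_office {
  meta:
    author = "example"
    description = "Precise: hidden encoded PowerShell spawned by an Office app"
    severity = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.file.full_path = /powershell\.exe$/ nocase
    $e.target.process.command_line = /-enc(odedcommand)?\s/ nocase
    // Parent process (principal) is Word, Excel, or Outlook.
    $e.principal.process.file.full_path = /\\(winword|excel|outlook)\.exe$/ nocase
    // Window hidden from the user.
    $e.target.process.command_line = /-(w|windowstyle)\s+hidden/ nocase

  condition:
    $e
}
```

Each rule is saved separately in the Rules editor. Running both against the same data makes the trade-off visible: the Broad rule surfaces every encoded PowerShell launch, including routine scripts, while the Precise rule fires only on the narrower pattern, which is why the page recommends treating their detections differently.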