Applied Threat Intelligence overview

Applied Threat Intelligence helps you identify and respond to threats. It continually evaluates your security telemetry against indicators of compromise (IOCs) curated by Mandiant threat intelligence.

When Applied Threat Intelligence is enabled, Google Security Operations SIEM ingests IOCs curated by Mandiant threat intelligence with an IC-Score greater than 80. When a match is found, an alert is generated, and you can then investigate the match using the IOC Matches page. The IOC Matches page displays possible IOC matches for domains, IP addresses, and file hashes. For each match, the page shows the following:

  • GCTI Priority
  • Indicator Confidence Score (IC-Score)
  • Associations
  • Campaigns

You can view detailed information about events that triggered the match, information from the threat intelligence source, and the rationale behind the IC-Score.

Google Security Operations SIEM curated detections evaluate your event data against Mandiant threat intelligence data and generate an alert when one or more rules identify a match to an IOC that carries either the Active Breach or High label.
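The following is an added illustrative model of the matching behavior described in the two paragraphs above; it is not Google Security Operations or Mandiant code. It ingests only IOCs with an IC-Score strictly greater than 80, matches domains, IP addresses, and file hashes from event fields, records every match (the information the IOC Matches page displays), and flags an alert only when the matched IOC carries the Active Breach or High label. The feed records, event records, field names (`ic_score`, `label`, `gcti_priority`, `associations`, `campaigns`, `rationale`) and the UDM-style event paths are all constructed assumptions for the example; the normalization step (lowercasing domains and hashes, stripping a trailing dot) is added to show why raw string comparison against telemetry is not enough.

```python
"""Illustrative model of Applied Threat Intelligence IOC matching.

Added example, not product code. All feed entries, events, field names and
thresholds below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

IC_SCORE_THRESHOLD = 80                    # only IOCs with IC-Score > 80 are ingested
ALERT_LABELS = {"Active Breach", "High"}   # only these labels raise an alert


@dataclass
class Ioc:
    indicator: str                  # domain, IP address, or file hash
    ioc_type: str                   # "domain" | "ip" | "hash"
    ic_score: int
    label: Optional[str]            # "Active Breach", "High", or None
    gcti_priority: str              # assumed field, mirrors "GCTI Priority"
    associations: List[str] = field(default_factory=list)
    campaigns: List[str] = field(default_factory=list)
    rationale: str = ""             # assumed field: why the IC-Score was set


def normalize(ioc_type: str, value: str) -> str:
    """Canonicalize so feed and telemetry values compare equal."""
    v = value.strip()
    if ioc_type == "domain":
        return v.lower().rstrip(".")   # DNS telemetry often carries a trailing dot
    if ioc_type == "hash":
        return v.lower()               # hex digests differ only in case
    return v                           # IPs assumed already in dotted-quad form


def ingest(feed: List[Ioc]) -> Dict[str, Dict[str, Ioc]]:
    """Index IOCs by type and normalized value, dropping scores <= threshold."""
    index: Dict[str, Dict[str, Ioc]] = {"domain": {}, "ip": {}, "hash": {}}
    for ioc in feed:
        if ioc.ic_score > IC_SCORE_THRESHOLD:
            index[ioc.ioc_type][normalize(ioc.ioc_type, ioc.indicator)] = ioc
    return index


# Assumed mapping from indicator type to the event fields that carry it.
EVENT_FIELDS = {
    "domain": ["target.hostname", "network.dns.questions.name"],
    "ip": ["target.ip", "principal.ip"],
    "hash": ["target.file.sha256", "target.file.md5"],
}


def match_events(index: Dict[str, Dict[str, Ioc]],
                 events: List[Dict[str, str]]) -> List[dict]:
    """One match record per (event field, IOC) hit; alert only on labeled IOCs."""
    matches = []
    for ev in events:
        for ioc_type, fields in EVENT_FIELDS.items():
            for f in fields:
                if f not in ev:
                    continue
                ioc = index[ioc_type].get(normalize(ioc_type, ev[f]))
                if ioc is None:
                    continue
                matches.append({
                    "event_id": ev["id"], "field": f, "indicator": ioc.indicator,
                    "ic_score": ioc.ic_score, "label": ioc.label,
                    "gcti_priority": ioc.gcti_priority,
                    "associations": ioc.associations, "campaigns": ioc.campaigns,
                    "rationale": ioc.rationale,
                    "alert": ioc.label in ALERT_LABELS,
                })
    return matches


# Constructed feed (RFC 5737 documentation addresses, reserved .example TLD).
FEED = [
    Ioc("evil-update.example", "domain", 92, "Active Breach", "P1",
        ["assumed-threat-group"], ["assumed-campaign"], "seen in active intrusion"),
    Ioc("203.0.113.10", "ip", 85, "High", "P2", rationale="C2 infrastructure"),
    Ioc("198.51.100.7", "ip", 60, "High", "P2"),          # below threshold: dropped
    Ioc("stale-c2.example", "domain", 80, "High", "P2"),  # exactly 80: dropped
    Ioc("deadbeef" * 8, "hash", 95, None, "P3", rationale="malware sample"),
]

# Constructed events in a flattened UDM-like shape.
EVENTS = [
    {"id": "e1", "network.dns.questions.name": "EVIL-UPDATE.EXAMPLE."},
    {"id": "e2", "target.ip": "203.0.113.10"},
    {"id": "e3", "target.ip": "198.51.100.7"},
    {"id": "e4", "target.file.sha256": "DEADBEEF" * 8},
    {"id": "e5", "target.hostname": "stale-c2.example"},
]


def run_example() -> List[dict]:
    return match_events(ingest(FEED), EVENTS)


if __name__ == "__main__":
    for m in run_example():
        print(m["event_id"], m["indicator"], m["ic_score"], m["label"], "ALERT" if m["alert"] else "match only")
```

Running the example yields three matches (e1, e2, e4): e1 and e2 raise alerts because their IOCs are labeled Active Breach and High, while e4 is recorded as a match but not alerted because the hash carries no label. e3 and e5 produce nothing, since their indicators never made it past the IC-Score filter (60 and exactly 80). The point for a practitioner is that the threshold is applied at ingestion, so a lower-confidence indicator you care about must be brought in through a separate feed or rule rather than expected from this integration.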

To use Applied Threat Intelligence, do the following:

  1. Enable the Applied Threat Intelligence curated detections.
  2. Investigate alerts using the IOC Matches page.

You can also learn more about how IC-Score is set.