Overview of Applied Threat Intelligence curated detections


This document provides an overview of the Curated Detection rule sets within the Applied Threat Intelligence Curated Prioritization category, available in Google Security Operations Enterprise Plus. These rules use Mandiant Threat Intelligence to proactively identify and alert on high-priority threats.

Curated detection rule sets

The Curated Prioritization category includes the following rule sets that support the Applied Threat Intelligence feature in Google SecOps:

  • Active Breach Priority Network Indicators: Detects network-related indicators of compromise (IOCs) in event data using Mandiant Threat Intelligence. Prioritizes IOCs with the Active Breach label.
  • Active Breach Priority Host Indicators: Detects host-related IOCs in event data using Mandiant Threat Intelligence. Prioritizes IOCs with the Active Breach label.
  • High Priority Network Indicators: Identifies network-related IOCs in event data using Mandiant Threat Intelligence. Prioritizes IOCs with the High label.
  • High Priority Host Indicators: Detects host-related IOCs in event data using Mandiant Threat Intelligence. Prioritizes IOCs with the High label.
  • Inbound IP Address Authentication Indicators: Identifies IP addresses that are authenticating to local infrastructure in an inbound network direction. Prioritizes IOCs with the High label.
  • Medium Priority Network Indicators: Identifies network-related IOCs in event data using Mandiant Threat Intelligence. Prioritizes IOCs with the Medium label.
  • Medium Priority Host Indicators: Identifies host-related IOCs in event data using Mandiant Threat Intelligence. Prioritizes IOCs with the Medium label.

When you enable the rule sets, Google SecOps starts evaluating your event data against Mandiant Threat Intelligence data. If any rule detects a match to an IOC labeled Active Breach or High, an alert is generated. For more information about how to enable curated detection rule sets, see Enable all rule sets.

Supported devices and log types

You can ingest data from any log type that Google SecOps supports with a default parser. For the list, see Supported log types and default parsers.

Google SecOps evaluates your UDM event data against IOCs curated by Mandiant Threat Intelligence and identifies matches for domains, IP addresses, file hashes, or URLs. The rule sets analyze the UDM fields in which these indicator values are stored.

If you replace a default parser with a custom parser that changes the UDM field where a domain, IP address, file hash, or URL is stored, the behavior of these rule sets may be affected, because the rules only examine the fields they expect.

The rule sets use the following UDM fields from Google SecOps events. These fields, combined with prioritization features from Mandiant Threat Intelligence, help determine priority levels, such as Active Breach, High, or Medium:

  • network.direction
  • security_result.[]action
  • event_count (active breach IP address only)

For IP address indicators, the network.direction is required. If the network.direction field is not populated in the UDM event, then Applied Threat Intelligence checks the principal.ip and target.ip fields against RFC 1918 internal IP address ranges to determine the network direction. If this check does not provide clarity, then the IP address is considered to be external to the customer environment.
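The fallback described above (use network.direction when populated, otherwise compare principal.ip and target.ip against RFC 1918, and treat the address as external when that is inconclusive) is easy to reproduce for your own log-quality checks. The following is an added example written for this page, not Google SecOps or Applied Threat Intelligence code; the event dict layout, the assumption that principal is the external side of an INBOUND event and target the external side of an OUTBOUND one, and the sample events are all constructed for illustration.

```python
"""Added example: reproduce the network-direction fallback used for IP IOC matching.

Illustrative code only (not Google SecOps source). Assumptions, labelled here:
  - events are flattened dicts keyed by dotted UDM field names
  - direction labels follow the UDM enum values INBOUND / OUTBOUND / UNKNOWN_DIRECTION
  - on INBOUND the principal is the external party; on OUTBOUND the target is
"""
import ipaddress

# RFC 1918 private address space
RFC1918_RANGES = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_rfc1918(ip_str):
    """True if ip_str is a valid IPv4 address inside an RFC 1918 range."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:  # empty, malformed, or missing value
        return False
    return any(ip in net for net in RFC1918_RANGES)


def infer_network_direction(event):
    """Step 1: trust a populated network.direction.
    Step 2: otherwise derive it from which side is RFC 1918.
    Step 3: if neither side is conclusive, report UNKNOWN_DIRECTION."""
    explicit = event.get("network.direction")
    if explicit:
        return explicit
    principal_private = is_rfc1918(event.get("principal.ip", ""))
    target_private = is_rfc1918(event.get("target.ip", ""))
    if principal_private and not target_private:
        return "OUTBOUND"
    if target_private and not principal_private:
        return "INBOUND"
    return "UNKNOWN_DIRECTION"


def ioc_candidate_ips(event):
    """Addresses that would be compared against network IOCs.

    When the direction is known only the external side is a candidate; when the
    check gives no clarity every address is treated as external, as the page states."""
    direction = infer_network_direction(event)
    principal, target = event.get("principal.ip"), event.get("target.ip")
    if direction == "OUTBOUND":
        return [target] if target else []
    if direction == "INBOUND":
        return [principal] if principal else []
    return [ip for ip in (principal, target) if ip]


# Constructed sample events (documentation ranges, not real infrastructure)
SAMPLE_EVENTS = [
    {"principal.ip": "10.1.2.3", "target.ip": "203.0.113.10"},        # outbound via RFC 1918
    {"principal.ip": "198.51.100.7", "target.ip": "192.168.5.5"},     # inbound via RFC 1918
    {"principal.ip": "203.0.113.10", "target.ip": "198.51.100.7"},    # both public: no clarity
    {"principal.ip": "10.0.0.1", "target.ip": "172.16.0.9"},          # both private: no clarity
    {"network.direction": "INBOUND",                                   # explicit field wins
     "principal.ip": "203.0.113.10", "target.ip": "10.9.9.9"},
]


def summarize(events=SAMPLE_EVENTS):
    """Return (direction, candidate IPs) per event for review."""
    return [(infer_network_direction(e), ioc_candidate_ips(e)) for e in events]


if __name__ == "__main__":
    for event, (direction, ips) in zip(SAMPLE_EVENTS, summarize()):
        print(f"{direction:<18} candidates={ips}  event={event}")
```

Running this over events exported from your own tenant shows how many IP events fall into the UNKNOWN_DIRECTION bucket; a large share usually means a parser is not populating network.direction, which both widens what is matched against IOCs and weakens prioritization.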

Tuning alerts returned by Applied Threat Intelligence category

You can reduce the number of detections a rule or rule set generates using rule exclusions.

In the rule exclusion, define the UDM criteria that exclude an event from evaluation by the rule set. Events whose specified UDM field matches one of the listed values won't be evaluated by rules in the rule set.

For example, you might exclude events based on the following information:

  • principal.hostname
  • principal.ip
  • target.domain.name
  • target.file.sha256
  • target.url

See Configure rule exclusions for information about how to create rule exclusions.

If a rule set uses a predefined reference list, the reference list description provides detail about which UDM field is evaluated.

The Inbound IP Address Authentication rule set uses three UDM fields that can be used to tune alerts from this rule set:

  • principal.ip
  • principal.asset.ip
  • src.ip
