Applied Threat Intelligence priority overview

Applied Threat Intelligence (ATI) alerts in Google SecOps are IoC matches that curated detection YARA-L rules have contextualized. The contextualization draws on Mandiant threat intelligence held in Google SecOps context entities, which enables intelligence-driven alert prioritization.

ATI priorities are provided in the Applied Threat Intelligence - Curated Prioritization rule pack, which is available in Google SecOps Managed Content with the Google SecOps Enterprise Plus license.

ATI prioritization features

The most relevant ATI prioritization features include:

  • Mandiant IC-Score: Mandiant automated confidence score.

  • Active IR: Indicator is sourced from an active incident response engagement.

  • Prevalence: Indicator is commonly observed by Mandiant.

  • Attribution: Indicator is strongly associated with a threat tracked by Mandiant.

  • Scanner: Indicator is identified as a known internet scanner by Mandiant.

  • Commodity: Indicator is common knowledge in the security community.

  • Blocked: Indicator activity was not blocked by security controls (the feature records whether a control stopped the activity, so unblocked matches are the ones that matter).

  • Network Direction: Indicator is connecting in an inbound or outbound network traffic direction.

You can view the ATI priority feature for an alert on the IoC matches > Event viewer page.

ATI priority models

ATI uses Google SecOps events and Mandiant threat intelligence to assign a priority to IoCs. The prioritization is based on features relevant to both the priority level and the IoC type; these features form logic chains that classify the priority. The resulting ATI priority models help you triage and respond to the generated alerts.

Priority models are used in the curated detection rules provided in the Applied Threat Intelligence - Curated Prioritization rule pack. You can also create custom rules using Mandiant threat intelligence through Mandiant Fusion Intelligence, available with the Google SecOps Enterprise Plus license. For more information about writing Fusion feed YARA-L rules, see Applied Threat Intelligence fusion feed overview.

The following priority models are available:

Active breach priority

The Active breach model prioritizes indicators that have been observed in Mandiant investigations associated with active or past compromises. Network indicators in this model are matched only against outbound network traffic.

Relevant features used by the model include: Mandiant IC-Score, Active IR, Prevalence, Attribution, and Scanner (for network models).

High priority

The High model prioritizes indicators that weren't observed in Mandiant investigations, but were identified by Mandiant threat intelligence as associated with threat actors or malware. Network indicators in this model are matched only against outbound network traffic.

Relevant features used by the model include: Mandiant IC-Score, Prevalence, Attribution, Commodity, and Scanner (for network models).

Medium priority

The Medium model prioritizes indicators that weren't observed in Mandiant investigations, but were identified by Mandiant threat intelligence as associated with commodity malware. Network indicators in this model are matched only against outbound network traffic.

Relevant features used by the model include: Mandiant IC-Score, Prevalence, Attribution, Blocked, Commodity, and Scanner (for network models).

Inbound IP address authentication

The Inbound IP address authentication model prioritizes IP addresses that authenticate to local infrastructure in an inbound network direction. The UDM authentication extension must be present in the event for a match to occur. The rule set also attempts to filter out failed authentication events, although this is not enforced for every product type; it is not scoped for some SSO authentication types, for example.

Relevant features used by the model include: Mandiant IC-Score, Blocked, Network Direction, and Active IR.
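To make the feature list above and the four priority models concrete, here is an added example that re-implements the model logic as a small classifier over constructed IoC matches. This is illustrative code written for this page, not Google's or Mandiant's rule pack: the IC-Score threshold, the treatment of Prevalence as a demoting feature, and the exact combination of features inside each model are assumptions, chosen to follow the feature lists the page gives for each model (outbound-only and scanner exclusion for network indicators, Blocked for the Medium model, the authentication extension and failed-login filter for the inbound model).

```python
from dataclasses import dataclass
from typing import Optional

# Assumption: score at or above which an indicator counts as high confidence.
# The real rule pack's threshold is not stated on this page.
IC_SCORE_THRESHOLD = 80

NETWORK_TYPES = {"IP_ADDRESS", "DOMAIN"}


@dataclass
class IocMatch:
    """One IoC match enriched with the ATI features listed on this page."""
    indicator: str
    indicator_type: str                 # "IP_ADDRESS", "DOMAIN" or "FILE_HASH"
    ic_score: int                       # Mandiant IC-Score (0-100)
    active_ir: bool = False             # sourced from an active IR engagement
    prevalent: bool = False             # commonly observed (noisy) indicator
    attributed: bool = False            # tied to a tracked actor or malware family
    commodity: bool = False             # common knowledge / commodity malware
    scanner: bool = False               # known internet scanner
    blocked: bool = False               # activity was blocked by a control
    direction: Optional[str] = None     # "OUTBOUND" / "INBOUND" for network events
    has_auth_extension: bool = False    # UDM authentication extension present
    auth_failed: bool = False           # authentication outcome was a failure


def _is_network(m: IocMatch) -> bool:
    return m.indicator_type in NETWORK_TYPES


def _outbound_and_not_scanner(m: IocMatch) -> bool:
    # The three outbound models only consider outbound traffic and drop known
    # scanners; non-network indicators (file hashes) have no direction.
    if not _is_network(m):
        return True
    return m.direction == "OUTBOUND" and not m.scanner


def active_breach(m: IocMatch) -> bool:
    """Seen in a Mandiant investigation (Active IR) and still credible."""
    return (m.active_ir
            and m.ic_score >= IC_SCORE_THRESHOLD
            and not m.prevalent          # assumption: prevalence demotes
            and _outbound_and_not_scanner(m))


def high(m: IocMatch) -> bool:
    """Not from an investigation, but attributed to a tracked actor/malware."""
    return (not m.active_ir
            and m.attributed
            and not m.commodity
            and m.ic_score >= IC_SCORE_THRESHOLD
            and not m.prevalent
            and _outbound_and_not_scanner(m))


def medium(m: IocMatch) -> bool:
    """Commodity malware indicator whose activity was not blocked."""
    return (not m.active_ir
            and m.commodity
            and not m.blocked
            and m.ic_score >= IC_SCORE_THRESHOLD
            and not m.prevalent
            and _outbound_and_not_scanner(m))


def inbound_auth(m: IocMatch) -> bool:
    """Inbound IP that authenticated: auth extension present, not a failure."""
    return (m.indicator_type == "IP_ADDRESS"
            and m.direction == "INBOUND"
            and m.has_auth_extension
            and not m.auth_failed
            and not m.blocked
            and (m.active_ir or m.ic_score >= IC_SCORE_THRESHOLD))


def prioritize(m: IocMatch) -> Optional[str]:
    """Walk the models from most to least severe; the first match wins."""
    for name, model in (("ACTIVE_BREACH", active_breach),
                        ("HIGH", high),
                        ("MEDIUM", medium),
                        ("INBOUND_AUTH", inbound_auth)):
        if model(m):
            return name
    return None


# Constructed sample matches: documentation-range addresses and a made-up hash.
SAMPLE_MATCHES = [
    IocMatch("203.0.113.10", "IP_ADDRESS", 95, active_ir=True, direction="OUTBOUND"),
    IocMatch("203.0.113.10", "IP_ADDRESS", 95, active_ir=True, direction="INBOUND"),
    IocMatch("bad.example", "DOMAIN", 90, attributed=True, direction="OUTBOUND"),
    IocMatch("198.51.100.7", "IP_ADDRESS", 90, attributed=True, scanner=True, direction="OUTBOUND"),
    IocMatch("0123456789abcdef0123456789abcdef", "FILE_HASH", 85, commodity=True),
    IocMatch("0123456789abcdef0123456789abcdef", "FILE_HASH", 85, commodity=True, blocked=True),
    IocMatch("192.0.2.44", "IP_ADDRESS", 88, direction="INBOUND", has_auth_extension=True),
    IocMatch("192.0.2.44", "IP_ADDRESS", 88, direction="INBOUND", has_auth_extension=True, auth_failed=True),
]


def prioritize_all(matches=SAMPLE_MATCHES):
    """Return (indicator, direction, priority) for each match."""
    return [(m.indicator, m.direction, prioritize(m)) for m in matches]


if __name__ == "__main__":
    for indicator, direction, prio in prioritize_all():
        print(f"{indicator:36} {str(direction):9} -> {prio}")
```

The sample set is chosen so that each model fires once and each of its filters is exercised once: the same Active IR address is prioritized outbound but not inbound, the same attributed infrastructure is dropped once it is flagged as a scanner, the same commodity hash is prioritized only while unblocked, and the same inbound address is prioritized only when the authentication succeeded. When you read an ATI alert in the Event viewer, these are the features to check first to understand why a match landed in a given priority.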
