Emerging Threats detailed view
The Emerging Threats feed provides a detailed view of selected campaigns or reports. When you select a threat in the feed, the system opens a page that combines information from Google Threat Intelligence with data from your environment to help you analyze threat impact and coverage.
Each page contains several expandable panels that display related threat intelligence, detection data, and associated entities. In each panel, click the arrow next to the section name to expand it and view more details.
The Emerging Threats detailed view includes the following panels:
Associated Rules
The Associated Rules panel lists detection rules related to the selected campaign. Rule associations apply only to campaigns, not to reports.
Emerging Threats continuously ingests intelligence from GTI and aligns it with your organization's telemetry. It automates campaign discovery, enrichment, and correlation through the following processes:
- Ingest campaign intelligence: The system automatically collects campaign intelligence from GTI, which includes data from global research, Mandiant incident response engagements, and Mandiant Managed Defense telemetry.
- Generate simulated log events: In the background, Gemini produces high-fidelity, anonymized simulated log events that mirror real adversary behavior.
- Automatically highlight detection coverage: The system runs the simulated log events against the Google Cloud Threat Intelligence (GCTI) curated detection rules and produces coverage reports that show where Google SecOps has detections and where gaps exist.
- Accelerate rule creation: Once gaps are identified, Gemini automatically drafts new detection rules based on the tested patterns and provides a summary of the rule logic and expected behavior. The final step requires human review and approval of these rules before moving them to production.
The following table describes the columns in the Associated Rules panel:
| Column name | Description |
|---|---|
| Rule name | Displays the rule title and associated rule set or detection category. Clicking the rule name opens the Detections page, which shows the detections produced by this rule. |
| Tags | Lists rule tags or labels applied to the detection rule. |
| Past 4 weeks activity | Shows alert or detection activity for the rule over the past four weeks. |
| Last detection | Displays the timestamp of the most recent alert generated by the rule. |
| Severity | Indicates the severity level configured for the detections generated by the given rule. |
| Alerting | Specifies whether alerting is enabled or disabled for the rule. |
| Live status | Shows whether the rule is active or inactive in your environment. |
If no rules are associated with the campaign, the panel displays the text No rules.
Disabled Rules
The Disabled Rules panel lists detection rules related to the campaign that are currently not enabled, if there are any. This helps you identify potential threat coverage gaps. Rule associations for a campaign are determined as described in Associated Rules.
The following table describes the columns:
| Column name | Description |
|---|---|
| Rule name | Shows the name of the disabled rule. Click the rule name to open a detailed view that describes the rule's logic, configuration, and associated rule set, similar to the view on the Curated Detections page. |
| Category | Displays the rule type or category. |
| Rule set | Identifies the rule source, such as Mandiant Frontline Threats, Mandiant Hunt Rules, or Mandiant Intel Emerging Threats. |
| Precision | Indicates the rule precision type (Broad or Precise). |
| Alerting | Shows whether alerting is enabled. |
| Last updated | Displays the timestamp for when the rule was last modified. |
Recent Associated Entities
The Recent Associated Entities panel lists entities from your environment that are linked to the selected threat and potentially affected by it.
The panel lists user and asset entities that meet the following criteria:
- Appeared in detections within the past seven days.
- Appeared in events linked to an IoC associated with the threat.
- Have an assigned risk score.
The following table describes the columns in the Recent Associated Entities panel:
| Column name | Description |
|---|---|
| Entity name | Displays the asset or entity associated with a campaign. Click the entity name to open the Risk Analytics page, which shows details about that entity's recent risk score changes and the detections that contributed to it. |
| Entity type | Indicates the type of entity, such as asset or user account. |
| IOC matches | Shows the number of IoCs from the campaign that match your organization's telemetry and are associated with the entity in recent detections. |
| Entity risk score | Displays the calculated risk score for the entity based on recent IoC matches. |
IOCs
The IOCs panel displays the following tables:
IOC Matches
The IOC Matches table lists IoCs that are detected or matched within your environment for the selected campaign.
The following table describes the columns:
| Column name | Description |
|---|---|
| IOC | Displays the domain, IP address, hash, or URL. Clicking the IoC opens the Entity context panel, which provides additional information about the IoC and where it has been seen in your environment. |
| Type | Displays the IoC category, such as DOMAIN, IP, FILE (HASH_SHA256), or URL. |
| GTI score | Shows the threat score assigned by GTI on a 0-100 scale. |
| GCTI priority | Indicates the relative priority level assigned by GCTI. |
| Assets | Lists assets in your environment involved in events matching the IoC. |
| Associations | Displays related GTI entities for the indicator, such as threat actors or campaigns. |
| First seen | Shows when the indicator was first detected in your environment. |
| Last seen | Shows the most recent time the indicator was detected in your environment. |
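The IOC Matches columns above (assets, first seen, last seen) and the Recent Associated Entities criteria (seen with a campaign IoC within the past seven days, and carrying a risk score) are both correlations of campaign IoCs against your own telemetry. The following added example, which is not Google SecOps code, shows one way that correlation can be computed over a small set of constructed, anonymized events; the IoC values, hostnames and risk scores are all made up for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the IoCs GTI associates with a campaign (value -> type).
CAMPAIGN_IOCS = {
    "evil-updates.example": "DOMAIN",
    "203.0.113.45": "IP",
    "0" * 64: "FILE (HASH_SHA256)",   # all-zero placeholder, not a real hash
}

# Constructed, anonymized telemetry: (UTC timestamp, asset, observed indicator).
EVENTS = [
    ("2024-04-20T10:00:00Z", "host-02", "203.0.113.45"),          # older than 7 days
    ("2024-05-01T09:00:00Z", "host-01", "evil-updates.example"),
    ("2024-05-02T11:05:00Z", "host-01", "203.0.113.45"),
    ("2024-05-03T14:20:00Z", "host-02", "evil-updates.example"),
    ("2024-05-04T16:30:00Z", "host-03", "203.0.113.45"),          # host-03 has no risk score
    ("2024-05-04T08:00:00Z", "host-04", "198.51.100.7"),          # not a campaign IoC
]

# Constructed entity risk scores; host-03 deliberately has none.
RISK_SCORES = {"host-01": 85, "host-02": 40, "host-04": 10}
NOW = datetime(2024, 5, 5, tzinfo=timezone.utc)


def parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def ioc_matches(campaign_iocs, events):
    """Build IOC Matches rows: type, assets, first seen and last seen per matched IoC."""
    rows = {}
    for ts, asset, value in events:
        if value not in campaign_iocs:
            continue                      # only campaign IoCs count as matches
        t = parse_ts(ts)
        row = rows.setdefault(value, {"type": campaign_iocs[value], "assets": set(),
                                      "first_seen": t, "last_seen": t})
        row["assets"].add(asset)
        row["first_seen"] = min(row["first_seen"], t)
        row["last_seen"] = max(row["last_seen"], t)
    return rows


def recent_associated_entities(campaign_iocs, events, risk_scores, now, window_days=7):
    """Entities seen with a campaign IoC inside the window that also carry a risk score."""
    cutoff = now - timedelta(days=window_days)
    matched = defaultdict(set)
    for ts, asset, value in events:
        if value in campaign_iocs and parse_ts(ts) >= cutoff:
            matched[asset].add(value)     # count distinct IoCs per entity, as the IOC matches column does
    return {asset: {"ioc_matches": len(iocs), "risk_score": risk_scores[asset]}
            for asset, iocs in matched.items() if asset in risk_scores}
```

Note that host-02's older event still contributes to the IoC's first-seen time but does not count toward its recent IoC matches, and host-03 is dropped from the entity list because it has no risk score.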
GTI-associated IOCs
The GTI-associated IOCs table lists additional IoCs that GTI associates with the campaigns.
The following table describes the columns:
| Column name | Description |
|---|---|
| IOC | Displays the domain, IP address, hash, or URL. |
| Type | Displays the IoC category, such as DOMAIN, IP, FILE, HASH_SHA256, or URL. |
| GTI score | Shows the threat score assigned by GTI on a 0-100 scale. |
| Associated actors | Lists the threat actors connected to the IoC. You can click the name of an actor to view more information in the |
| Associated malware | Lists the malware families linked to the IoC. You can click the malware name to view more information in the |
| GTI discovered | Shows the timestamp of when GTI first recorded the IoC. |
| GTI last updated | Shows the timestamp of when the IoC was most recently updated by GTI. |