View Alerts and IOCs

Supported in:

The Alerts and IOCs page displays all the alerts and indicators of compromise (IOC) currently impacting your enterprise. This page provides multiple tools that enable you to filter and view your alerts and IOCs.

  • Alerts can be designated by your security infrastructure, by your security personnel, or by Google Security Operations Rules.

  • On systems that use data RBAC, you can only see alerts and detections that originate from rules that are associated with your assigned scopes. For more information, see data RBAC impact on Detections.

  • On systems that use data RBAC, you can only see matches for IOCs that are associated with assets that you have permission to access. For more information, see data RBAC impact on Breach analytics and IOCs.

  • IOCs are designated automatically by Google SecOps. Google SecOps is always absorbing data from both your own infrastructure and numerous other security data sources. It automatically correlates suspicious security indicators with your security data. If a match is found (for example, a suspicious domain is found within your enterprise), Google SecOps labels the event as an IOC and displays it on the IOC matches tab.

In the navigation bar, click Detection > Alerts and IOCs.

Alerts and IOCs

View alerts

The Alerts tab displays a list of all of the current alerts in your enterprise. Click an alert name in the list to pivot to Alert view. Alert view displays additional information about the alert and its status.

You can view the severity, priority, risk score, and verdict of each alert at a glance. The color-coded icons and symbols help you to quickly identify which alerts need your attention.

View composite detections

Alerts can be generated by composite detections. The Inputs column of an alert in the alerts list indicates its sources which can be events, entities, or detections (or a combination of these). An alert is classified as a composite detection only if its Inputs column lists Detection.

To view the series of composite detections that triggered an alert, do the following:

  1. In the Alerts list, click the rule name.
  2. On the Detections page, go to the Detections table to view the related series of composite detections.

Alternatively, you can do the following: 1. In the Alerts list, click the alert name. 1. On the Alert details page, go to the Detections table to view all related detections.

Refresh the alert list

To select how often to refresh the displayed alert list, go to the Refresh time drop-down menu in the upper right hand corner. You can choose to have the board automatically refresh itself every 5 minutes, 15 minutes, or 1 hour. You can also click the circular arrows icon to immediately display the latest results.

To the right of refresh time, there is a search bar labeled Showing which contains a small calendar icon. Here, you can adjust the time range for the displayed data.

Click the calendar icon to display the calendar. Adjust the time range by choosing one of the pre-set time ranges on the left hand side (ranging from last five minutes to last month). You can also specify a custom time range by choosing a start and end date anywhere on the calendar.

Using filters

To use a filter, click the blue funnel-shaped Filter icon in the upper left corner of the table.

A dialog appears labeled Alert list filter.

In the left column, select the category to filter by from the following choices:

  • Author
  • Case
  • Priority
  • Reputation
  • Rule
  • Rule ID
  • Severity
  • Status
  • Verdict

In the middle column, select the type of filter:

  • Show only—Show items that match the filter.
  • Filter out—Show items that don't match the filter.

In the right column, select the elements to filter on. You also need to select a logical operator:

  • OR—Must match any of the combined conditions (disjunction)
  • AND—Must match all of the combined conditions (conjunction)

For example, if you are looking for alerts that have been labeled as critically severe, you would click Severity in the left column and Critical in the right column and choose Show Only.

To add more filters, click + Add filter.

When you add a filter, it appears as a chip above the table.

If you want to use two filters from the same category, they appear in the same chip. To find alerts labeled as High or Critical (both under the Severity label), complete the following steps:

  1. Select the first filter.
  2. Open the second filter.
  3. When you click the second filter, there are two new options: Show only and Filter out instead. Click Show only.

Clear filters

To remove one filter, click the trashcan icon next to the filter you want to delete.

To clear all the existing filters from the page, click the blue Clear all button next to where all the chips are.

View IOC matches

The IOC Domain Matches lists the domains that your security infrastructure has flagged as suspicious and have been seen recently within your enterprise.

To view the IOCs in your enterprise, click the IOC Matches tab. You can adjust the dates under investigation by clicking Last 3 Days in the upper right corner to open the date range and event time dialog window.

IOC matching occurs only if the event timestamp lies within the active time range interval present in the threat intelligence feed. The active time range is the time interval during which the IOC is valid. If a threat intelligence feed does not have an active time range interval, an IOC match is returned anytime the domain is identified in feed data.

When you activate Applied Threat Intelligence, the IOC Matches tab displays additional information. For more information, see Applied Threat Intelligence.

IOC Matches tab

You can sort domains by name or by any of the other column categories listed on the page, including the following:

  • Categories
  • Sources
  • Assets
  • Confidence
  • Severity
  • IOC Ingest time
  • First Seen
  • Last Seen

You can also filter the IOCs displayed by using the Procedural Filtering menu to the left.

Google SecOps customers

For Google SecOps customers, SOAR alerts are displayed here and include a case ID. Click the case ID to open the Cases page. From the Cases page, you can get information on both the alert and the case. You also can respond to it. For more information, see Cases Overview.

Also, the Change alert status and Close alert buttons on the Alerts and IOCs page are deactivated for Google SecOps customers. However, Google SecOps customers can carry out changes to alerts from the Cases page. To pivot to the Cases page from the alert view, click Go to case in the Case details section of the alert overview page.

Need more help? Get answers from Community members and Google SecOps professionals.