View alerts and IoCs

The Alerts and IoCs page displays all the alerts and Indicators of Compromise (IoCs) that are impacting your enterprise. To access the Alerts and IoCs page, click Detection > Alerts and IoCs in the navigation menu.

The page includes an Alerts tab and an IoC matches tab.

  • Use the Alerts tab to view the current alerts in your enterprise.

    Alerts can be generated by security infrastructure, by security personnel, or by Google Security Operations rules.

    In systems with data RBAC enabled, you can only view alerts and detections that originate from rules that are associated with your assigned scopes. For more information, see data RBAC impact on Detections.

  • Use the IoC matches tab to view the IoCs that have been flagged as suspicious and have been seen in your enterprise.

    Google SecOps continuously ingests data from your infrastructure and other security data sources, and automatically correlates suspicious security indicators with your security data. If a match is found (for example, a suspicious domain is seen in your enterprise), Google SecOps labels the event as an IoC and displays it on the IoC matches page. For more information, see How Google SecOps automatically matches IoCs.

    In systems with data RBAC enabled, you can only view IoC matches for assets you have permission to access. For more information, see data RBAC impact on Breach analytics and IoCs.

    IoC details, such as confidence score, severity, feed name, and category, can also be viewed on the IoC matches dashboard.

View alerts

The Alerts page displays a list of the alerts that have been detected in your enterprise within the specified date and time range. You can use this page to view, at a glance, information about the alerts such as severity, priority, risk score, and verdict. Color-coded icons and symbols help you to quickly identify alerts that need your immediate attention.

You can use the Filter and Set date and time range features to narrow the list of alerts that are displayed.

Use the Column manager to specify the columns you want to be displayed on the page. You can also sort the list in ascending or descending order.

Expand the alert to view the event timestamp, type, and summary.

Click the alert Name in the list to pivot to the Alert view and view additional information about the alert and its status.

Alerts generated by composite detections

Alerts can be generated by composite detections, which use composite rules that consume outputs (detections) from other rules combined with events, metrics, or entity risk signals. These rules detect complex, multistage threats that individual rules can miss.

Composite detections can help analyze events through defined rule interactions and triggers. This improves accuracy, reduces false positives, and provides a comprehensive view of security threats by correlating data from different sources and attack stages.

The Alerts page indicates the source of the alert in the Inputs column. When the alert is from composite detections, the column displays 'Detection'.

To view the composite detections that triggered the alert, do one of the following on the Alerts page:

  • Expand the alert and view the composite detections in the Detections table.
  • Click the Rule name to open the Detections page.
  • Click the alert Name to open the Alert details page.

Filter alerts

You can narrow the list of alerts that are displayed using filters. Perform the following steps to add filters for the list of alerts:

  1. Click the Filter icon or Add filter in the upper left corner of the page to open the Add filter dialog.
  2. Specify the following information:

    • Field: Enter the object you want to filter or start typing it in the field and select it from the list.
    • Operator: Enter = (Show only) or != (Filter out) to indicate how the value should be treated.
    • Value: Select the check boxes for the fields you want to match or filter out. The list that is displayed is based on the Field value.
  3. Click Apply. The filter is displayed as a chip on the filter bar above the Alerts list. You can add multiple filters, as needed.

To clear a filter, click the x on the filter chip to remove it.

View IoC matches

The IoC matches page lists the IoCs that have been detected in your network and matched against known suspicious IoCs from threat intelligence feeds. You can view information about the IoCs, such as type, priority, status, categories, assets, campaigns, sources, IoC ingest time, first seen, and last seen. The color-coded icons and symbols help you to quickly identify which IoCs need your attention.

How Google SecOps automatically matches IoCs

Google SecOps automatically ingests IoCs curated by Google threat intelligence sources, including Mandiant, VirusTotal, and Google Cloud Threat Intelligence (GCTI). You can also ingest your own IoC data through feeds, such as MISP_IOC. For more information about ingesting data, see Google SecOps data ingestion.

After the data is ingested, the Universal Data Model (UDM) event data is continuously analyzed to find IoCs that match known malicious domains, IP addresses, file hashes, and URLs. When a match is found, an alert is generated.

The following UDM event fields are considered for matching:

Enterprise:

  • about.file
  • network.dns.answers
  • network.dns.questions
  • principal.administrative_domain
  • principal.asset
  • principal.ip
  • principal.process.file
  • principal.process.parent_process.file
  • security_result.about.file
  • src.file
  • src.ip
  • target.asset.ip
  • target.domain.name
  • target.file
  • target.hostname
  • target.ip
  • target.process.file
  • target.process.parent_process.file

Enterprise Plus:

  • network.dns.questions
  • principal.process.file
  • principal.process.parent_process.file
  • security_result.about.file
  • src.file
  • target.file
  • target.hostname
  • target.ip
  • target.process.file

If you have a Google SecOps Enterprise Plus license and the Applied Threat Intelligence (ATI) feature enabled, IoCs are analyzed and prioritized based on an Indicator Confidence Score (IC-Score) from Mandiant. Only IoCs with an IC-Score greater than 80 are automatically ingested.

In addition, specific UDM fields in the events are analyzed using YARA-L rules to identify matches and determine the priority level to be assigned to the alert (Active Breach, High, or Medium). These fields include:

  • network.direction
  • security_result[].action
  • event_count (used specifically for Active Breach IP addresses)
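The matching described in this section (the listed UDM fields, the IC-Score ingestion gate, and the fields the prioritization rules consume), as an added example that is not Google SecOps code: a small Python matcher over UDM-shaped JSON events. It walks each listed field, fans out over repeated fields such as network.dns.questions and security_result, normalises the indicator values it finds, and looks them up in a feed that was loaded with the IC-Score > 80 filter applied. The feed records, the events, the INDICATOR_LEAVES subset of the UDM schema, and the thresholds inside prioritise() are all constructed assumptions for illustration; the page does not publish Google's actual scoring logic.

```python
from __future__ import annotations
from typing import Any, Iterator

# UDM fields the page lists as considered for matching (Enterprise column).
MATCH_FIELDS = [
    "about.file", "network.dns.answers", "network.dns.questions",
    "principal.administrative_domain", "principal.asset", "principal.ip",
    "principal.process.file", "principal.process.parent_process.file",
    "security_result.about.file", "src.file", "src.ip", "target.asset.ip",
    "target.domain.name", "target.file", "target.hostname", "target.ip",
    "target.process.file", "target.process.parent_process.file",
]
IC_SCORE_THRESHOLD = 80  # page: only IoCs with IC-Score greater than 80 are auto-ingested
# Sub-fields of File / DnsQuestion / DnsRecord / Asset objects that carry an
# indicator value (assumption: a hand-picked subset of the UDM schema).
INDICATOR_LEAVES = {"md5", "sha1", "sha256", "name", "data", "ip", "hostname"}

def normalise(value: str) -> str:
    """Case-fold and drop the trailing dot that DNS logs add to names."""
    return value.strip().lower().rstrip(".")

def load_feed(records: list[dict[str, Any]], threshold: int = IC_SCORE_THRESHOLD) -> dict[str, dict[str, Any]]:
    """Index feed records by normalised value, dropping low-confidence ones."""
    return {normalise(r["value"]): r for r in records if r["ic_score"] > threshold}

def walk(node: Any, parts: list[str]) -> Iterator[Any]:
    """Follow a dotted UDM path, fanning out over repeated (list) fields."""
    if node is None:
        return
    if isinstance(node, list):
        for item in node:
            yield from walk(item, parts)
    elif not parts:
        yield node
    elif isinstance(node, dict):
        yield from walk(node.get(parts[0]), parts[1:])

def leaves(node: Any) -> Iterator[str]:
    """Pull indicator strings out of a scalar, a list, or a UDM object."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, list):
        for item in node:
            yield from leaves(item)
    elif isinstance(node, dict):
        for key, val in node.items():
            if key in INDICATOR_LEAVES:
                yield from leaves(val)

def match_event(event: dict[str, Any], iocs: dict[str, dict[str, Any]]) -> list[dict[str, Any]]:
    """Return one hit per (field, value) in the event that is in the feed."""
    hits = []
    for field in MATCH_FIELDS:
        for node in walk(event, field.split(".")):
            for raw in leaves(node):
                ioc = iocs.get(normalise(raw))
                if ioc:
                    hits.append({"field": field, "value": raw, "ioc": ioc})
    return hits

def prioritise(event: dict[str, Any], ioc: dict[str, Any]) -> str:
    """Stand-in priority built from the fields the page says the YARA-L rules
    consume: network.direction, security_result[].action and event_count.
    Assumption: the real thresholds are not published; these are illustrative."""
    direction = str(event.get("network", {}).get("direction", "")).upper()
    actions = {a.upper() for sr in event.get("security_result", []) for a in sr.get("action", [])}
    if direction == "OUTBOUND" and "ALLOW" in actions:
        if ioc["type"] == "ip" and event.get("event_count", 1) >= 10:
            return "Active Breach"
        return "High"
    return "Medium"

HASH = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
# Constructed feed: documentation-range IPs, a reserved test domain, one hash.
FEED = [
    {"value": "203.0.113.7", "type": "ip", "ic_score": 95, "source": "Mandiant"},
    {"value": "malicious.example.", "type": "domain", "ic_score": 88, "source": "Mandiant"},
    {"value": HASH.upper(), "type": "sha256", "ic_score": 90, "source": "VirusTotal"},
    {"value": "198.51.100.9", "type": "ip", "ic_score": 60, "source": "OSINT"},  # gated out
]
# Constructed UDM-shaped events, one per situation worth checking.
EVENTS = [
    {"metadata": {"event_type": "NETWORK_DNS"}, "network": {"direction": "OUTBOUND",
     "dns": {"questions": [{"name": "MALICIOUS.example."}]}}, "security_result": [{"action": ["ALLOW"]}]},
    {"metadata": {"event_type": "NETWORK_CONNECTION"}, "network": {"direction": "OUTBOUND"},
     "target": {"ip": ["203.0.113.7"]}, "security_result": [{"action": ["ALLOW"]}], "event_count": 12},
    {"metadata": {"event_type": "PROCESS_LAUNCH"}, "security_result": [{"action": ["BLOCK"]}],
     "target": {"process": {"file": {"sha256": HASH, "full_path": "C:\\tmp\\a.exe"}}}},
    {"metadata": {"event_type": "NETWORK_CONNECTION"}, "target": {"ip": ["198.51.100.9"]}},
]

def run(events: list[dict[str, Any]] = EVENTS, feed: list[dict[str, Any]] = FEED) -> list[dict[str, Any]]:
    """Match every event against the gated feed and attach a priority."""
    iocs = load_feed(feed)
    return [{**hit, "priority": prioritise(ev, hit["ioc"])} for ev in events for hit in match_event(ev, iocs)]

if __name__ == "__main__":
    for h in run():
        print(f'{h["priority"]:13} {h["field"]:24} {h["value"][:24]:24} {h["ioc"]["source"]} IC-Score {h["ioc"]["ic_score"]}')
```

Running the script reports three hits: the allowed outbound DNS lookup (High), the repeated allowed outbound connection to the flagged IP (Active Breach), and the blocked binary launch (Medium). The fourth event never matches because its IP has an IC-Score of 60 and was dropped at load time, which is the practical consequence of the "greater than 80" gate: a low-confidence indicator is not merely deprioritized, it is never in the match set at all.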

The following IoC intelligence sources are available in Google SecOps out-of-box:

Google SecOps Enterprise License:

  • Google Threat Intelligence (GTI) Feeds
  • Mandiant Threat Intelligence (Curated and Enriched)
  • Curated Detections

Google SecOps Enterprise Plus License:

  • Google Threat Intelligence (GTI)
  • Mandiant
  • VirusTotal
  • Applied Threat Intelligence (ATI)
  • Mandiant Fusion
  • Curated Detections
  • Enriched open-source intelligence (OSINT)

Filter IoCs

You can narrow the list of IoCs that are displayed using filters. Perform the following steps to add filters for the list of IoCs:

  1. Click the Filter icon in the upper left corner of the page to open the Filters dialog.
  2. Specify the following information:

    • Logical operator: Select Or to match any of the combined conditions (disjunction) or And to match all of the combined conditions (conjunction).
    • Column: Select the column to filter by.
    • Operator: In the middle column, select Show only or Filter out to indicate how the value should be treated.
    • Value: Select the check boxes for the values to show or filter out based on the Column value.

  3. Click Apply. The filter is displayed as a chip on the filter bar above the IoCs list. You can add multiple filters, as needed.

Example of filtering for critical IoCs:

If you're looking for IoCs that have been identified as critically severe, select Severity in the left column, Show only in the middle column, and Critical in the right column.

Example of filtering for Applied Threat Intelligence IoCs:

If you want to view only Applied Threat Intelligence IoCs, select Sources in the left column, Show only in the middle column, and Mandiant in the right column.

You can also filter IoCs using the Filters flyout panel on the left side of the page. Expand the column name, find the value, and click the More icon to select Show only or Filter out.

To clear a filter, click the x on the filter chip to remove it or Clear all.

Specify date and time range for alerts and IoCs

To specify the date and time range for the alerts and IoCs to be displayed, click the Calendar icon to open the Set date and time range window. You can specify the date and time range using the pre-set time ranges on the Range tab or choose a specific time of event occurrence on the Event time tab.

Use pre-set time and date range

To specify the date and time range using pre-set options, click the Range tab and select one of the following options:

  • Today
  • Last hour
  • Last 12 hours
  • Last day
  • Last week
  • Last 2 weeks
  • Last month
  • Last 2 months
  • Custom: Select the start and end date on the calendar, and then click the Start time and End time fields to select the time.

Use event time for date and time range

To specify the date and time range based on events, click the Event time tab, select the date on the calendar and then select one of the following options:

  • Exact time: Click the Event time field and select the specific time the events occurred.
  • +/- 1 Minute
  • +/- 3 Minutes
  • +/- 5 Minutes
  • +/- 10 Minutes
  • +/- 15 Minutes
  • +/- 1 Hour
  • +/- 2 Hours
  • +/- 6 Hours
  • +/- 12 Hours
  • +/- 1 Day
  • +/- 3 Days
  • +/- 1 Week

Refresh the alerts and IoC lists

Use the Refresh time menu in the upper right-hand corner to select how often the alerts or IoCs list is refreshed. The following options are available:

  • Refresh now
  • No auto refresh (default)
  • Refresh every 5 minutes
  • Refresh every 15 minutes
  • Refresh every hour

Sort alerts and IoCs

You can sort the alerts and IoCs that are displayed in ascending or descending order. Click the column headings to sort the list.

View IoC details

To view the details about an IoC, such as priority, type, source, IC-Score, and category, click the IoC to open the IoC details page. From this page, you can do the following:

  • Mute or unmute IoC
  • View event prioritization
  • View associations

Mute or unmute IoC

If an IoC match is caused by an administrator or testing action, you can mute the indicator so that it stops generating false positives.

  • To mute the IoC, click Mute in the upper right corner.
  • To unmute the IoC, click Unmute in the upper right corner.

View event prioritization

Use the Events tab to view how the events in which the IoC was seen are prioritized.

Click an event to open the Event viewer, which displays the priority, the rationale for it, and the event details.

View associations

Use the Associations tab to view associations for any actor or malware to help investigate breaches and prioritize alerts.

Google SecOps customers

For Google SecOps customers, SOAR alerts are displayed here and include a case ID. Click the case ID to open the Cases page. From the Cases page, you can get information on both the alert and the case. You also can respond to it. For more information, see Cases Overview.

Also, the Change alert status and Close alert buttons on the Alerts and IoCs page are deactivated for Google SecOps customers. However, Google SecOps customers can carry out changes to alerts from the Cases page. To pivot to the Cases page from the alert view, click Go to case in the Case details section of the alert overview page.
