Investigate a GCTI alert
Google Cloud Threat Intelligence (GCTI) alerts are derived from both Google's internal threat detection infrastructure and research provided by GCTI security analysts.
For Google Security Operations customers, GCTI alerts are displayed on the Alerts and IOCs page. They are listed under the Source column. Alerts that have been generated by GCTI are labeled as Curated detections.
View a GCTI Alert
To see your GCTI alerts, follow these steps:
- From the navigation bar, click Detection > Alerts and IOCs.
- Under the Source tab, GCTI alerts are labeled as Curated detections. Click Source to sort the table so that all alerts with the Curated detections tag move to the top.
- Click the link in the Name column of the alert you want to investigate.
When you click the text in the Name column, a page opens with three tabs: Overview, Graph and Alert history. Graph is an interactive graph that lets you expand your search. Alert history shows you important information about the alert.
To learn how to use Graph and Alert history, follow the steps in Investigate an Alert.
Navigate to GCTI rules dashboard
The Curated detections dashboard is where all the GCTI-related rules are located.
To get to the Curated detections dashboard, follow these steps:
- From the navigation bar, click Detection > Rules & detections.
- There are four tabs: Rules dashboard, Rules editor, Curated detections and Exclusions. Click Curated detections. This tab is where all the GCTI rules and the alerts they generate are located.
Investigate GCTI rules
Above the table are two tabs: Rules sets and Dashboard.
In Rules sets, there is a table that shows all the rules and rule sets (groups of rules that are used together). In this tab, you can do the following:
- Collapse or expand different sections
- Enable or disable Alerting and Status
- Use the boxes in the left-hand corner of the table to apply changes to a single rule set or to all rule sets

The Dashboard section displays the rules separated by category.

If you click an alert in the Dashboard section, a page opens that shows you a timeline of recent detections for that alert.
Using Precise and Broad rules
There are two types of rules in Rules sets: Precise and Broad. You can enable or disable Precise or Broad rules separately depending on the type of search you are doing.
- Precise rules find behavior that is highly likely to be malicious and requires investigation. Enable precise rules when you expect your security team to take direct remediation action on the security events they generate.
- Broad rules identify and label behavior that could be malicious or anomalous, serving as potentially relevant security signals. Enable broad rules when the goal is to gather contextual data for detection purposes. Detections from these rules are not intended for individual action.