View alerts and IoCs
The Alerts and IoCs page displays all the alerts and Indicators of Compromise (IoCs) that are impacting your enterprise. To access the Alerts and IoCs page, click Detection > Alerts and IoCs in the navigation menu.
The page includes an Alerts tab and an IoC matches tab.
- Use the Alerts tab to view the current alerts in your enterprise.
  Alerts can be generated by security infrastructure, by security personnel, or by Google Security Operations rules.
  In systems with data RBAC enabled, you can only view alerts and detections that originate from rules that are associated with your assigned scopes. For more information, see data RBAC impact on Detections.
- Use the IoC matches tab to view the IoCs that have been flagged as suspicious and have been seen in your enterprise.
  Google SecOps continuously ingests data from your infrastructure and other security data sources, and automatically correlates suspicious security indicators with your security data. If a match is found (for example, a suspicious domain is seen in your enterprise), Google SecOps labels the event as an IoC and displays it on the IoC matches page. For more information, see How Google SecOps automatically matches IoCs.
  In systems with data RBAC enabled, you can only view IoC matches for assets you have permission to access. For more information, see data RBAC impact on Breach analytics and IoCs.
IoC details, such as confidence score, severity, feed name, and category, can also be viewed on the IoC matches dashboard.
View alerts
The Alerts page displays a list of the alerts that have been detected in your enterprise within the specified date and time range. You can use this page to view, at a glance, information about the alerts such as severity, priority, risk score, and verdict. Color-coded icons and symbols help you to quickly identify alerts that need your immediate attention.
You can use the Filter and Set date and time range features to narrow the list of alerts that are displayed.
Use the Column manager to specify the columns you want to be displayed on the page. You can also sort the lists in ascending or descending order.
Expand the alert to view the event timestamp, type, and summary.
Click the alert Name in the list to pivot to the Alert view and view additional information about the alert and its status.
Alerts generated by composite detections
Alerts can be generated by composite detections, which use composite rules that consume outputs (detections) from other rules combined with events, metrics, or entity risk signals. These rules detect complex, multistage threats that individual rules can miss.
Composite detections can help analyze events through defined rule interactions and triggers. This improves accuracy, reduces false positives, and provides a comprehensive view of security threats by correlating data from different sources and attack stages.
The Alerts page indicates the source of the alert in the Inputs column. When the alert is from composite detections, the column displays 'Detection'.
To view the composite detections that triggered the alert, do one of the following on the Alerts page:
- Expand the alert and view the composite detections in the Detections table.
- Click the Rule name to open the Detections page.
- Click the alert Name to open the Alert details page.
Filter alerts
You can narrow the list of alerts that are displayed using filters. Perform the following steps to add filters for the list of alerts:
1. Click the Filter icon or Add filter in the upper left corner of the page to open the Add filter dialog.
2. Specify the following information:
   - Field: Enter the object you want to filter, or start typing it in the field and select it from the list.
   - Operator: Enter = (Show only) or != (Filter out) to indicate how the value should be treated.
   - Value: Select the check boxes for the fields you want to match or filter out. The list that is displayed is based on the Field value.
3. Click Apply. The filter is displayed as a chip on the filter bar above the Alerts list. You can add multiple filters, as needed.
To clear a filter, click the x on the filter chip to remove it.
View IoC matches
The IoC matches page lists the IoCs that have been detected in your network and matched against a list of known suspicious IoCs in threat intelligence feeds. You can view information about the IoCs, such as type, priority, status, categories, assets, campaigns, sources, IoC ingest time, first seen, and last seen. The color-coded icons and symbols help you to quickly identify which IoCs need your attention.
How Google SecOps automatically matches IoCs
Google SecOps automatically ingests IoCs curated by Google threat intelligence sources, including Mandiant, VirusTotal, and Google Cloud Threat Intelligence (GCTI). You can also ingest your own IoC data through feeds, such as MISP_IOC. For more information about ingesting data, see Google SecOps data ingestion.
After the data is ingested, the Universal Data Model (UDM) event data is continuously analyzed to find IoCs that match known malicious domains, IP addresses, file hashes, and URLs. When a match is found, an alert is generated.
The following UDM event fields are considered for matching, by license tier:
| Enterprise | Enterprise Plus |
|---|---|
| about.file | |
| network.dns.answers | |
| network.dns.questions | network.dns.questions |
| principal.administrative_domain | |
| principal.asset | |
| principal.ip | |
| principal.process.file | principal.process.file |
| principal.process.parent_process.file | principal.process.parent_process.file |
| security_result.about.file | security_result.about.file |
| src.file | src.file |
| src.ip | |
| target.asset.ip | |
| target.domain.name | |
| target.file | target.file |
| target.hostname | target.hostname |
| target.ip | target.ip |
| target.process.file | target.process.file |
| target.process.parent_process.file | |
If you have a Google SecOps Enterprise Plus license and the Applied Threat Intelligence (ATI) feature enabled, IoCs are analyzed and prioritized based on an Indicator Confidence Score (IC-Score) from Mandiant. Only those IoCs with an IC-Score greater than 80 are automatically ingested.
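The following is an added illustration of the matching described above, written for this page and not Google SecOps code: it walks the Enterprise-tier UDM fields from the table, flattens nested or repeated values, and compares them case-insensitively against an indicator set that was filtered by the ATI IC-Score floor. The feed, the UDM event, and the field names assumed inside the objects (such as `name` under `network.dns.questions`) are constructed sample data.

```python
ENTERPRISE_FIELDS = [  # Enterprise column of the field table on this page
    "about.file", "network.dns.answers", "network.dns.questions",
    "principal.administrative_domain", "principal.asset", "principal.ip",
    "principal.process.file", "principal.process.parent_process.file",
    "security_result.about.file", "src.file", "src.ip", "target.asset.ip",
    "target.domain.name", "target.file", "target.hostname", "target.ip",
    "target.process.file", "target.process.parent_process.file",
]
IC_SCORE_MIN = 80  # ATI auto-ingests only IoCs with an IC-Score above this
# Constructed sample feed and UDM event for illustration (not real indicators).
SAMPLE_FEED = [
    {"value": "bad.example.test", "ic_score": 95, "type": "domain"},
    {"value": "203.0.113.7", "ic_score": 88, "type": "ip"},
    {"value": "weak.example.test", "ic_score": 40, "type": "domain"},
]
SAMPLE_EVENT = {
    "principal": {"ip": ["10.0.0.5"]},
    "network": {"dns": {"questions": [{"name": "BAD.example.test"}]}},
    "target": {"ip": ["203.0.113.7"], "domain": {"name": "weak.example.test"}},
}

def get_path(event, path):
    """Walk a dotted UDM path; return None if any segment is missing."""
    node = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def leaf_values(value):
    """Flatten a string, list, or nested object (such as a file) into strings."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, (list, dict)):
        for item in (value.values() if isinstance(value, dict) else value):
            yield from leaf_values(item)

def ingest_indicators(feed):
    """Index indicators by value, keeping only those above the IC-Score floor."""
    return {i["value"].lower(): i for i in feed if i["ic_score"] > IC_SCORE_MIN}

def match_event(event, indicators, fields=ENTERPRISE_FIELDS):
    """Return (udm_field, indicator_value) pairs where a watched field hits."""
    hits = []
    for field in fields:
        for value in leaf_values(get_path(event, field)):
            if (ioc := indicators.get(value.lower())) is not None:
                hits.append((field, ioc["value"]))
    return hits
```

Running `match_event(SAMPLE_EVENT, ingest_indicators(SAMPLE_FEED))` reports the DNS question and the target IP as matches, while the low-scoring domain in `target.domain.name` never enters the indicator set.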
In addition, specific UDM fields in the events are analyzed using YARA-L rules to identify matches and determine the priority level to be assigned to the alert (Active Breach, High, or Medium). These fields include:
- network
  - direction
- security_result
  - []action
- event_count (used specifically for Active Breach IP addresses)
The following IoC intelligence sources are available in Google SecOps out of the box:
- Google Threat Intelligence (GTI) Feeds
- Google Threat Intelligence (GTI)
- Mandiant Threat Intelligence (Curated and Enriched)
- Mandiant
- Curated Detections
- VirusTotal
- Applied Threat Intelligence (ATI)
- Mandiant Fusion
- Curated Detections
- Enriched open-source intelligence (OSINT)
Filter IoCs
You can narrow the list of IoCs that are displayed using filters. Perform the following steps to add filters for the list of IoCs:
1. Click the Filter icon in the upper left corner of the page to open the Filters dialog.
2. Specify the following information:
   - Logical operator: Select Or to match any of the combined conditions (disjunction) or And to match all of the combined conditions (conjunction).
   - Column: Select the column to filter by.
   - Operator: In the middle column, select Show only or Filter out to indicate how the value should be treated.
   - Value: Select the check boxes for the values to show or filter out based on the Column value.
3. Click Apply. The filter is displayed as a chip on the filter bar above the IoCs list. You can add multiple filters, as needed.
Example of filtering for critical IoCs:
If you're looking for IoCs that have been identified as critically severe, select Severity in the left column, Show only in the middle column, and Critical in the right column.
Example of filtering for Applied Threat Intelligence IoCs:
If you want to view only Applied Threat Intelligence IoCs, select Sources in the left column, Show only in the middle column, and Mandiant in the right column.
You can also filter IoCs using the Filters flyout panel on the left side of the page. Expand the column name, find the value, and click the More icon to select Show only or Filter out.
To clear a filter, click the x on the filter chip to remove it, or click Clear all.
Specify date and time range for alerts and IoCs
To specify the date and time range for the alerts and IoCs to be displayed, click the Calendar icon to open the Set date and time range window. You can specify the date and time range using the pre-set time ranges on the Range tab or choose a specific time of event occurrence on the Event time tab.
Use pre-set time and date range
To specify the date and time range using pre-set options, click the Range tab and select one of the following options:
- Today
- Last hour
- Last 12 hours
- Last day
- Last week
- Last 2 weeks
- Last month
- Last 2 months
- Custom: Select the start and end date on the calendar, and then click the Start time and End time fields to select the time.
Use event time for date and time range
To specify the date and time range based on events, click the Event time tab, select the date on the calendar, and then select one of the following options:
- Exact time: Click the Event time field and select the specific time the events occurred.
- +/- 1 Minute
- +/- 3 Minutes
- +/- 5 Minutes
- +/- 10 Minutes
- +/- 15 Minutes
- +/- 1 Hour
- +/- 2 Hours
- +/- 6 Hours
- +/- 12 Hours
- +/- 1 Day
- +/- 3 Days
- +/- 1 Week
Refresh the alerts and IoC lists
Use the Refresh time menu in the upper right corner to select how often the alerts list should be refreshed. The following options are available:
- Refresh now
- No auto refresh (default)
- Refresh every 5 minutes
- Refresh every 15 minutes
- Refresh every hour
Sort alerts and IoCs
You can sort the alerts and IoCs that are displayed in ascending or descending order. Click the column headings to sort the list.
View IoC details
To view the details about an IoC, such as priority, type, source, IC-Score, and category, click the IoC to open the IoC details page. From this page, you can do the following:
- Mute or unmute IoC
- View event prioritization
- View associations
Mute or unmute IoC
If an IoC is generated due to an administrator or testing action, you can mute the indicator to prevent false positives.
- To mute the IoC, click Mute in the upper right corner.
- To unmute the IoC, click Unmute in the upper right corner.
View event prioritization
Use the Events tab to view how the events in which the IoC was seen are prioritized.
Click the event to open the Event viewer, which displays the priority, the rationale, and the event details.
View associations
Use the Associations tab to view associations for any actor or malware to help investigate breaches and prioritize alerts.
SOAR alerts
For Google SecOps customers, SOAR alerts are shown on this page and include a case ID. Click the case ID to open the Cases page, where you can view details about both the alert and its associated case, and take response actions. For more information, see Cases Overview.
On the Alerts and IoCs page, the Change alert status and Close alert buttons are disabled for Google SecOps customers. To manage alert status or close an alert, do the following:
1. Go to the Cases page.
2. In the Case details section > alert overview, click Go to case to access the case.