View IOCs using Applied Threat Intelligence
When Applied Threat Intelligence is enabled, the IOC Matches tab displays additional columns. The IOC matches tab displays all the indicators of compromise (IOCs) that were matched in your Google Security Operations data. You can view and filter IOCs curated by Applied Threat Intelligence.
On the IOC matches page you can do the following.
View IOCs
The IOC matches page displays all the IOCs and their details, such as type, priority, status, categories, assets, campaigns, sources, IOC ingest time, first seen, and last seen. The color-coded icons and symbols help you to quickly identify which IOCs need your attention.
View data
Click the to display the calendar. You can adjust the time range for the displayed data. Adjust the time range by choosing one of the pre-set time ranges on the left side (ranging from last five minutes to last month). You can also specify a custom time range by choosing a start and end date anywhere on the calendar.
Filter IOCs
In the left column, select the category to filter by. You can use the following options to filter:
- Type
- GCTI Priority
- Status
- Categories
- Sources
- Associations
- Campaigns
To select more advanced filters, click the filter_alt icon and then select the elements to filter on. You also need to select a logical operator:
- OR. Must match any of the combined conditions
- AND. Must match all of the combined conditions
To add more filters, click Add filter.
When you add a filter, it appears as a chip above the table.
When you use two filters from the same category, they appear in the same chip. To find IOCs labeled as Active IR or High (both under the GCTI Priority label), complete the following steps:
- Select a logical operator.
- Select the first filter.
- Select the second filter. When you click the second filter, two new options appear instead: Show only and Filter out. Click Show only.
View applied intelligence IOCs
- In the left column, click Sources.
- Click Mandiant to filter the data and view applied intelligence IOCs.
Clear filters
- Click the delete icon next to the filter you want to delete.
- Click Clear all to clear all the existing filters from the page.
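As an added illustration (not code from the Google SecOps product), here is a small Python model of the filter semantics described above, run over constructed sample IOC matches: chips grouped by category, the OR/AND logical operator, Show only versus Filter out, clearing all chips, and the mute status change. The record field names and sample values are assumptions for the example.

```python
# Constructed sample IOC matches (placeholder values, not real indicators).
SAMPLE_IOCS = [
    {"indicator": "203.0.113.10", "Type": "IP", "GCTI Priority": "Active IR",
     "Status": "Active", "Sources": ["Mandiant"]},
    {"indicator": "example.invalid", "Type": "Domain", "GCTI Priority": "High",
     "Status": "Active", "Sources": ["Mandiant", "OSINT"]},
    {"indicator": "198.51.100.7", "Type": "IP", "GCTI Priority": "Medium",
     "Status": "Muted", "Sources": ["OSINT"]},
    {"indicator": "constructed-hash-1", "Type": "Hash", "GCTI Priority": "High",
     "Status": "Active", "Sources": ["OSINT"]},
]


def chip_matches(ioc, chip):
    """Evaluate one filter chip against one IOC match.

    chip = (category, values, mode). Values from the same category live in a
    single chip and match if the IOC carries any of them; mode "show_only"
    keeps matching IOCs, "filter_out" keeps the non-matching ones.
    """
    category, values, mode = chip
    actual = ioc[category]
    actual = set(actual) if isinstance(actual, list) else {actual}
    hit = bool(actual & set(values))
    return hit if mode == "show_only" else not hit


def filter_iocs(iocs, chips, operator="AND"):
    """Apply chips combined with the chosen logical operator.

    AND: an IOC must satisfy all chips; OR: any one chip is enough.
    With no chips (after Clear all) every IOC is returned.
    """
    if not chips:
        return list(iocs)
    combine = all if operator == "AND" else any
    return [ioc for ioc in iocs if combine(chip_matches(ioc, c) for c in chips)]


def set_muted(ioc, muted):
    """Mute or unmute an IOC and return its new Status, as the page describes."""
    ioc["Status"] = "Muted" if muted else "Unmuted"
    return ioc["Status"]


def indicators(iocs):
    """Return the indicator values of a filtered result, for easy inspection."""
    return [ioc["indicator"] for ioc in iocs]
```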
View IOC details
You can click an IOC to view details such as priority, type, source, IC-Score, and category. If an IOC is matched but no events are shown for it, there is a mistake in the field mapping or there are no rules. For more information, contact Google SecOps Support.
For a selected indicator, on the IOC details page, you can do the following:
Mute or unmute action
If an IOC is generated due to an administrator or testing action, you can mute the indicator to prevent false positives.
- To mute the status, click the IOC, and then click Mute. The status of the indicator is changed to Muted.
- To unmute the status, click the IOC, and then click Unmute. The status of the indicator is changed to Unmuted.
Event viewer
On the Events tab, for a selected indicator, you can view how an event is prioritized and the details for that event. For each event, you can view priority and rationale, UDM fields, and event details. The priority and rationale section shows how the priority is determined for the event.
Associations
On the Associations tab, for a selected indicator, you can investigate potential breaches. You can view associations for any actor or malware, which also helps to prioritize alerts.