Applied Threat Intelligence priority overview
Applied Threat Intelligence (ATI) alerts in Google SecOps are IOC matches that have been contextualized by YARA-L rules using Curated Detection. The contextualization leverages Mandiant intelligence from Google SecOps context entities, which allows intelligence-driven alert prioritization. ATI priorities are available in Google SecOps Managed as the Applied Threat Intelligence - Curated Prioritization rule pack with Google SecOps license.
Applied Threat Intelligence prioritization features
Applied Threat Intelligence features are extracted from Mandiant intelligence. Following are the most relevant Applied Threat Intelligence priority features.
Mandiant IC-Score: Mandiant automated confidence score
Active IR: Indicator is sourced from an active incident response engagement
Prevalence: Indicator is commonly observed by Mandiant
Attribution: Indicator is strongly associated with a threat tracked by Mandiant
Scanner: Indicator is identified as a known internet scanner by Mandiant
Commodity: Indicator is not yet common knowledge in the security community
Blocked: Indicator was not blocked by security controls.
Network Direction: Indicator is connecting in an inbound or outbound network traffic direction.
You can view the Applied Threat Intelligence priority feature for an alert on the IOC Matches > Event Viewer page.
Applied Threat Intelligence priority models
Applied Threat Intelligence generates a priority from features extracted from Mandiant intelligence and Google SecOps events. Features relevant to a given priority level and indicator type are combined into logic chains, and each chain outputs a class of priority. The Applied Threat Intelligence priority models focus strongly on actionable threat intelligence, so the alerts they generate are ones you can act on.
Priority models are used in the curated detection rules in the Applied Threat Intelligence - Curated Prioritization rule pack. You can also build your own rules on Mandiant intelligence using Mandiant Fusion Intelligence, which is available with the Google SecOps license. For more information on writing Fusion feed YARA-L rules, see Applied Threat Intelligence fusion feed overview.
Active Breach priority
The Active Breach model prioritizes indicators that have been observed in Mandiant investigations associated with active or past compromises. Network indicators in this model match only outbound network traffic. Relevant features used by the model include Mandiant IC-Score, Active IR, Prevalence, Attribution, and Commodity. Network models also use Scanner.
High priority
The High priority model prioritizes indicators that were not observed in Mandiant investigations but were identified by Mandiant intelligence as strongly associated with threat actors or malware. Network indicators in this model match only outbound network traffic. Relevant features used by the model include Mandiant IC-Score, Prevalence, Attribution, and Commodity. Network models also use Scanner.
Inbound IP Address Authentication
The Inbound IP Address Authentication model prioritizes IP addresses authenticating to local infrastructure in an inbound network direction. The UDM authentication extension must exist in events for a match to occur. This rule set also attempts to filter out some failed authentication events; however, this filtering is not comprehensively enforced for all product types. This rule set is not scoped to include some SSO authentication types. Relevant features used by the model include Mandiant IC-Score, Blocked, Network Direction, and Active IR.
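The following Python script is an added example, not Google's or Mandiant's rule logic, showing how the three models described above (Active Breach, High, and Inbound IP Address Authentication) can be expressed as a chain of feature checks over an indicator's Mandiant context and the matching UDM event. The feature names come from this page; the way they are combined, the IC-Score cut-off (`IC_SCORE_THRESHOLD`), the `IndicatorContext` and `UdmEvent` shapes, and the failed-authentication filter are assumptions made so the chain runs end to end, and the indicator values are constructed samples.

```python
"""Illustrative ATI-style priority chain (added example, not Google's rule logic).

The feature names follow the page; how they are combined, the IC-Score
cut-off and the failed-authentication filter are assumptions made for this
example so the chain can run end to end.
"""
from dataclasses import dataclass
from typing import Optional

IC_SCORE_THRESHOLD = 80  # assumed cut-off; the page publishes no threshold


@dataclass
class IndicatorContext:
    """Features the page lists as extracted from Mandiant intelligence."""
    value: str
    indicator_type: str   # "ip", "domain" or "hash" (labels chosen for this example)
    ic_score: int         # Mandiant IC-Score, taken here as 0-100
    active_ir: bool       # sourced from an active incident response engagement
    prevalence: bool      # commonly observed by Mandiant
    attribution: bool     # strongly associated with a threat tracked by Mandiant
    scanner: bool         # identified as a known internet scanner
    commodity: bool       # the page's Commodity feature


@dataclass
class UdmEvent:
    """Minimal stand-in for the event-side fields the models consult (hypothetical shape)."""
    indicator: str
    network_direction: Optional[str] = None  # "INBOUND", "OUTBOUND" or None
    blocked: bool = False                    # a security control blocked the activity
    has_auth_extension: bool = False         # the UDM authentication extension is present
    auth_result: Optional[str] = None        # "SUCCESS", "FAIL" or None


def is_network_indicator(ind: IndicatorContext) -> bool:
    return ind.indicator_type in ("ip", "domain")


def network_gate(ind: IndicatorContext, ev: UdmEvent) -> bool:
    """Active Breach and High: network indicators match outbound traffic only,
    and known scanners are dropped. Non-network indicators pass through."""
    if not is_network_indicator(ind):
        return True
    return ev.network_direction == "OUTBOUND" and not ind.scanner


def active_breach(ind: IndicatorContext, ev: UdmEvent) -> bool:
    # Assumed chain: seen in Mandiant IR, confident score, not a commodity indicator.
    return (network_gate(ind, ev)
            and ind.active_ir
            and ind.ic_score >= IC_SCORE_THRESHOLD
            and not ind.commodity)


def high(ind: IndicatorContext, ev: UdmEvent) -> bool:
    # Assumed chain: not from IR, but attributed or prevalent, with a confident score.
    return (network_gate(ind, ev)
            and not ind.active_ir
            and (ind.attribution or ind.prevalence)
            and ind.ic_score >= IC_SCORE_THRESHOLD
            and not ind.commodity)


def inbound_ip_auth(ind: IndicatorContext, ev: UdmEvent) -> bool:
    # Inbound IP authenticating to local infrastructure: the auth extension must
    # exist, explicit failures are filtered, blocked activity is dropped (assumed).
    return (ind.indicator_type == "ip"
            and ev.network_direction == "INBOUND"
            and ev.has_auth_extension
            and ev.auth_result != "FAIL"
            and not ev.blocked
            and (ind.active_ir or ind.ic_score >= IC_SCORE_THRESHOLD))


MODELS = [
    ("Active Breach", active_breach),
    ("High", high),
    ("Inbound IP Address Authentication", inbound_ip_auth),
]


def classify(ind: IndicatorContext, ev: UdmEvent) -> Optional[str]:
    """Walk the chain in priority order and return the first model that matches."""
    for name, check in MODELS:
        if check(ind, ev):
            return name
    return None


# Constructed sample indicator (documentation-range address, not a real IOC).
SAMPLE_IOC = IndicatorContext("198.51.100.7", "ip", 92, True, False, True, False, False)

if __name__ == "__main__":
    outbound = UdmEvent("198.51.100.7", network_direction="OUTBOUND")
    print(classify(SAMPLE_IOC, outbound))  # Active Breach
    inbound = UdmEvent("198.51.100.7", network_direction="INBOUND")
    print(classify(SAMPLE_IOC, inbound))   # None: no auth extension, and not outbound
```

The same indicator lands in different models depending on the event: outbound traffic to it is an Active Breach match, while an inbound connection from it is ignored unless the event carries the authentication extension, which is the behaviour the three model descriptions above spell out.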