Re: GTI in SecOps

smit8 · 03-28-2025 07:21 AM

Is GTI natively ingested into SecOps or do I need to configure that? How can I write rules using it (assume it's in entity graph)?

ashnaiku

Suppose you are looking for Curated Rules ins SecOps .

As part of these curated detections, GCTI provides and manages a set of YARA-L rules to help customers identify threats to their enterprise.

The GCTI-managed rules do the following:

Provide customers with immediately actionable intelligence which can be used against their ingested data.
Leverages Google Threat Intelligence by providing customers with a way to use this information through curated detections.

smit8

I am actually looking to make my own rules using GTI for enrichment. I have the curated ones already

ashnaiku

This might help - Ingest and store Google Cloud Threat Intelligence data
https://cloud.google.com/chronicle/docs/detection/use-enriched-data-in-rules#query-gcp-threat-intel-...

Google Security Operations ingests data from Google Cloud Threat Intelligence (GCTI) data sources that provide you with contextual information you can use when investigating activity in your environment. You can query the following data sources:

GCTI Tor Exit Nodes
GCTI Benign Binaries
GCTI Remote Access Tools

There is a sample custom rule - gcti_tor_exit_nodes

Some more custom rules using TI

https://github.com/chronicle/detection-rules/tree/main/rules/community/threat_intel

hzmndt

@smit8 are you on SecOps standard/enterprise/enterprise plus?

1. For Enterprise plus, there is ATI -> https://cloud.google.com/chronicle/docs/detection

You can write rule with mandiant ioc -> https://cloud.google.com/chronicle/docs/detection/ati-fusion-feed

Also you can use -> https://cloud.google.com/chronicle/docs/detection/use-enriched-data-in-rules