IOC Generation Not Happening Despite Alert Triggers in SecOps

Hi everyone,

We're currently working on ingesting IOC (Indicators of Compromise) data into SecOps. To achieve this, we’ve created custom rules and are successfully ingesting logs through a feeder. The logs contain known malicious IPs that have been verified via the Mandiant portal with a threat score above 80. The alerts are being triggered as expected based on these IPs.

However, we’re noticing that IOCs are not being generated despite the alerts. Has anyone faced a similar issue? Is there any specific configuration or step required to ensure IOCs are created from triggered alerts?

Any guidance or suggestions would be greatly appreciated.

Thanks in advance!


Hello Rowan,

This seems to need some more information or a better understanding. When you say it didn't create an IOC, what do you mean by that? I would believe that the alert/rule you created was based upon information from threat intel related to an IOC with a particular risk score.

Are you stating that you are not seeing this being populated into the Alerts and IOCs page?

Hi @dnehoda ,

I'm currently ingesting logs into Google SecOps using the AWS S3 feeder. Alerts are being successfully generated from these logs, which include malicious IPs with threat scores above 80.

However, the IOCs are not being populated on the IOC page, despite the alerts being triggered. For context, we have created custom detection rules using content from this repository. The link is below:

https://github.com/chronicle/detection-rules/tree/main/rules/community/aws/cloudtrail

Could you please help us understand why the IOCs might not be appearing and if there's any additional configuration required?

Thanks!
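Added illustration, not code from this thread, from Google, or from the chronicle/detection-rules repository: in Google SecOps a rule detection and an IOC match are produced by different mechanisms. A detection is the rule's own logic firing on events; an IOC match is an indicator from an ingested threat-intel feed being matched against the indicator-bearing fields of events. The toy model below keeps those two paths separate so the difference is visible: a rule watchlist hit does not create an IOC entry, an empty IOC feed yields no matches no matter how many alerts fire, and a feed indicator below the confidence threshold is dropped before matching. The event layout, indicator list, scores and the `min_confidence` parameter are constructed assumptions for the example, not SecOps' real schema or API.

```python
"""Added example: rule-style alerts versus threat-intel IOC matching.
Everything below (feed, events, field names, scores) is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ioc:
    indicator: str   # the raw indicator value, e.g. an IP or domain
    ioc_type: str    # "IP_ADDRESS" or "DOMAIN" in this toy feed
    confidence: int  # assumed 0-100 threat/confidence score
    source: str      # name of the feed the indicator came from


# Constructed threat-intel feed using RFC 5737 / reserved example names.
IOC_FEED = [
    Ioc("203.0.113.10", "IP_ADDRESS", 92, "constructed-feed"),
    Ioc("203.0.113.20", "IP_ADDRESS", 55, "constructed-feed"),
    Ioc("evil.example", "DOMAIN", 85, "constructed-feed"),
]

# Constructed UDM-like events; only the fields this example reads are present.
EVENTS = [
    {"metadata": {"event_type": "NETWORK_CONNECTION", "id": "evt-1"},
     "principal": {"ip": ["10.0.0.5"]}, "target": {"ip": ["203.0.113.10"]}},
    {"metadata": {"event_type": "NETWORK_CONNECTION", "id": "evt-2"},
     "principal": {"ip": ["10.0.0.6"]}, "target": {"ip": ["203.0.113.20"]}},
    {"metadata": {"event_type": "USER_LOGIN", "id": "evt-3"},
     "principal": {"ip": ["198.51.100.7"]}, "target": {"hostname": "evil.example"}},
]


def _indicators_in(event):
    """Collect the indicator-bearing values of one event (IPs and hostname)."""
    found = set(event.get("principal", {}).get("ip", []))
    found |= set(event.get("target", {}).get("ip", []))
    host = event.get("target", {}).get("hostname")
    if host:
        found.add(host)
    return found


def rule_alerts(events, watchlist):
    """Rule-style detection: fires when an event touches an IP baked into the
    rule's own watchlist. Returns event ids; this path never touches the feed."""
    return [ev["metadata"]["id"] for ev in events
            if _indicators_in(ev) & set(watchlist)]


def ioc_matches(events, feed, min_confidence=80):
    """IOC matching: indicators from the ingested feed at or above the
    confidence threshold are matched against each event's indicator fields.
    Returns (event id, indicator, confidence) tuples in event order."""
    active = {i.indicator: i for i in feed if i.confidence >= min_confidence}
    matches = []
    for ev in events:
        for hit in sorted(_indicators_in(ev) & active.keys()):
            matches.append((ev["metadata"]["id"], hit, active[hit].confidence))
    return matches


if __name__ == "__main__":
    watch = {"203.0.113.10", "203.0.113.20"}
    print("rule alerts   :", rule_alerts(EVENTS, watch))
    print("IOC matches   :", ioc_matches(EVENTS, IOC_FEED))
    # Alerts still fire with no feed ingested, but there is nothing to match.
    print("no feed loaded:", ioc_matches(EVENTS, []))
```

The last call is the situation the thread describes: the watchlist rule alerts on evt-1 and evt-2 whether or not a feed is present, while the IOC path only ever returns something when indicators have actually been ingested and cleared the threshold. That is the first thing to check when alerts fire but the IOC page stays empty.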