Non-prioritized IoC Matching rules category overview
This document outlines the expansion of curated detections through the integration of Google's Indicators of Compromise (IoC) feeds. These rule sets build on curated threat intelligence to identify malicious activities within Google SecOps environments, specifically focusing on threats identifiable through high-fidelity indicators like IPs, domains, and file hashes.
The non-prioritized IoC Matching rules category provides comprehensive coverage for threats often missed by standard managed content, including cryptomining, Command and Control (C2) communications, and the use of malicious anonymization services. The Applied Threat Intelligence curated detections are Mandiant-based and apply prioritization logic to alerts ('Active Breach' or 'High' designations), while the non-prioritized IoC Matching category focuses exclusively on matching a high volume of curated IoCs from Google's feeds to identify specific threat activities.
Rule set descriptions
This category contains Singleton Identification rules: non-alerting detection logic designed to detect direct hits against specific IoC feeds. They serve as producer rules that populate metadata for deeper correlation.
Understand Non-prioritized IoC Matching identification rules
These rules use direct matching against Google's IoC Feeds to tag security-relevant events. They are designed to function as the identification layer of the detection funnel, providing high-confidence indicators of malicious infrastructure or tools.
Supported Indicators and Log types
The rules rely on Google SecOps Unified Data Model (UDM) records, which normalize various log sources to match against the following feed types:
| Indicator Category | Feed Examples | Supported Log Types |
| --- | --- | --- |
| Network Infrastructure | C2 IPs, C2 Egress IPs, Malicious Proxy/VPN IPs, Tor Exit Nodes | Cloud Audit Logs, Network Proxy Logs, Firewall Logs |
| Host/Endpoint Indicators | Malicious Linux Binaries, Cryptomining Hashes, RMM Tool Samples | EDR Logs, Process Launch Events |
| Domain Indicators | C2 Domains, Cryptomining Domains | DNS Logs, Web Proxy Logs |
Modify rules in a rule set
Following the standard Mandiant Hunt configuration, you can adjust how IoC Matching rules operate within your environment:
- Broad: Detects any potentially malicious feed hit. This provides maximum visibility but may increase detection volume for common indicators such as VPN or proxy IPs. For these broad rules it is advisable to keep detection enabled but leave alerting off.
- Precise: Focuses on the highest-confidence behavioral clusters to minimize noise.
To modify settings, use the Google SecOps rules list to toggle the Status (Enabled/Disabled) and Alerting (On/Off) for each rule.
Tune alerts from rule sets
Use rule exclusions to prevent specific authorized internal tools or known-good traffic from triggering ATI-based alerts. This helps you maintain a high signal-to-noise ratio and is particularly useful for excluding authorized use of administrative tools that might otherwise be flagged by RMM tool feeds.