Google SecOps - GCTI Threat Intelligence Finding
| Field | Value |
|---|---|
| Id | b3e7f921-5c4a-4d8e-a2f9-7b1d3e6c9a5f |
| Rulename | Google SecOps - GCTI Threat Intelligence Finding |
| Description | Creates incidents in Microsoft Sentinel when Google Security Operations raises an active threat intelligence alert (GCTI_FINDING). These alerts are generated by Google's global threat intel corpus and represent high-confidence threats, distinct from customer-authored rule detections. |
| Severity | High |
| Tactics | InitialAccess, Execution, CommandAndControl, Exfiltration |
| Techniques | T1078, T1566, T1071, T1048 |
| Required data connectors | GSDetectionAlerts |
| Kind | Scheduled |
| Query frequency | 10m |
| Query period | 10m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleSecOps/Analytic Rules/GoogleSecOps-GCTIThreatIntelligenceFinding.yaml |
| Version | 1.0.0 |
| Arm template | b3e7f921-5c4a-4d8e-a2f9-7b1d3e6c9a5f.json |
```kusto
GoogleSecOpsDetectionAlerts
| where detectionType == "GCTI_FINDING"
| where alertState == "ALERTING"
```
```yaml
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: varPrincipalIp
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: varTargetIp
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: varSourceIp
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: varCorrelationIp
  - entityType: URL
    fieldMappings:
      - identifier: Url
        columnName: urlBackToProduct
tactics:
  - InitialAccess
  - Execution
  - CommandAndControl
  - Exfiltration
requiredDataConnectors:
  - dataTypes:
      - DetectionAlerts_CL
    connectorId: GSDetectionAlerts
alertDetailsOverride:
  alertDisplayNameFormat: 'GCTI Finding: {{ruleName}} : {{id}}'
  alertDescriptionFormat: 'Google Threat Intelligence confirmed finding. Rule: {{ruleName}}. {{description}}'
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    lookbackDuration: P1D
    groupByCustomDetails:
      - alert_identifier
    enabled: true
    matchingMethod: Selected
  createIncident: true
id: b3e7f921-5c4a-4d8e-a2f9-7b1d3e6c9a5f
severity: High
eventGroupingSettings:
  aggregationKind: AlertPerResult
status: Available
customDetails:
  DetectionTime: detectionTime
  TargetUser: varTargetUserUserid
  SourceIP: varSourceIp
  CorrelationIP: varCorrelationIp
  PrincipalIP: varPrincipalIp
  TargetHostname: varTargetHostname
  alert_identifier: id
  DetectionType: detectionType
  RiskScore: riskScore
  Severity: severity
  RuleName: ruleName
  RuleId: ruleId
  SourceUser: varSourceUserUserid
  TargetIP: varTargetIp
  PrincipalHostname: varPrincipalHostname
  Description: description
  PrincipalUser: varPrincipalUserUserid
  SourceHostname: varSourceHostname
query: |
  GoogleSecOpsDetectionAlerts
  | where detectionType == "GCTI_FINDING"
  | where alertState == "ALERTING"
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleSecOps/Analytic Rules/GoogleSecOps-GCTIThreatIntelligenceFinding.yaml
kind: Scheduled
queryPeriod: 10m
version: 1.0.0
name: Google SecOps - GCTI Threat Intelligence Finding
queryFrequency: 10m
triggerThreshold: 0
relevantTechniques:
  - T1078
  - T1566
  - T1071
  - T1048
description: |
  Creates incidents in Microsoft Sentinel when Google Security Operations raises an active threat intelligence alert (GCTI_FINDING). These alerts are generated by Google's global threat intel corpus and represent high-confidence threats, distinct from customer-authored rule detections.
triggerOperator: gt
```