
[New Rule] Google Threat Intelligence IP Address IOC Correlation #4882

Open
@niraj-crest

Description


This rule correlates IP addresses found in event data with Google Threat Intelligence Threat List indicators to identify potentially malicious or suspicious activity. The rule avoids matching against Google Threat Intelligence's own logs (event.module: "ti_google_threat_intelligence") so that external observations, not the feed's own documents, are flagged.

Rule Configuration

Source Custom Query

NOT event.module : "ti_google_threat_intelligence"

Indicator Index Patterns

logs-ti_google_threat_intelligence_latest.dest_ip_ioc-*

Indicator Index Query

@timestamp >= "now-30d/d"

Indicator Mapping

| Field          | Indicator index field |
|----------------|-----------------------|
| source.ip      | threat.indicator.ip   |
| destination.ip | threat.indicator.ip   |

Required Fields

threat.indicator.ip

Indicator Prefix Override

gti.threat.indicator
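The configuration above is easiest to reason about as three filters applied in sequence: drop the feed's own documents from the event side, keep only indicators seen in the last 30 days (rounded to the start of the day, as `now-30d/d` does), then join the mapped event fields against `threat.indicator.ip`. The following offline simulation is an added example, not code from the elastic/detection-rules repository or from the issue author; it replays those three steps against constructed sample documents and attaches the matched indicator under the `gti.threat.indicator` prefix override. The document shapes, the pinned `NOW`, the `event.id` values and all IPs are constructed assumptions.

```python
"""Offline simulation of the indicator-match rule described in this issue.

Added example (not detection-rules project code). Replays:
  * source query:    NOT event.module : "ti_google_threat_intelligence"
  * indicator query: @timestamp >= "now-30d/d"
  * mapping:         source.ip / destination.ip -> threat.indicator.ip
Sample documents and the pinned clock are constructed for the example.
"""
from __future__ import annotations

import ipaddress
from datetime import datetime, timedelta, timezone
from typing import Iterable

# Rule parameters taken from the issue.
EXCLUDED_EVENT_MODULE = "ti_google_threat_intelligence"
INDICATOR_WINDOW = timedelta(days=30)
MAPPED_EVENT_FIELDS = ("source.ip", "destination.ip")
INDICATOR_FIELD = "threat.indicator.ip"
INDICATOR_PREFIX_OVERRIDE = "gti.threat.indicator"

# "now" is pinned so the example is deterministic (constructed value).
NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)


def get_path(doc: dict, dotted: str):
    """Resolve an ECS dotted field name against a nested dict."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def indicator_window_start(now: datetime = NOW) -> datetime:
    """'now-30d/d': subtract 30 days, then round down to the start of that day."""
    start = now - INDICATOR_WINDOW
    return start.replace(hour=0, minute=0, second=0, microsecond=0)


def load_indicators(docs: Iterable[dict], now: datetime = NOW) -> dict[str, dict]:
    """Apply the indicator index query; key surviving indicators by normalised IP."""
    start = indicator_window_start(now)
    table: dict[str, dict] = {}
    for doc in docs:
        if parse_ts(doc["@timestamp"]) < start:
            continue  # stale indicator, outside the 30-day window
        ip = get_path(doc, INDICATOR_FIELD)
        if ip is None:
            continue  # required field missing
        # Normalise so "::ffff:1.2.3.4" vs "1.2.3.4" style differences do not split keys
        table[str(ipaddress.ip_address(ip))] = doc
    return table


def match_events(events: Iterable[dict], indicator_docs: Iterable[dict],
                 now: datetime = NOW) -> list[dict]:
    """Return one enriched alert per (event, mapped field) that hits an indicator."""
    indicators = load_indicators(indicator_docs, now)
    alerts = []
    for event in events:
        # Source custom query: skip the TI integration's own documents
        if get_path(event, "event.module") == EXCLUDED_EVENT_MODULE:
            continue
        for field in MAPPED_EVENT_FIELDS:
            ip = get_path(event, field)
            if ip is None:
                continue
            hit = indicators.get(str(ipaddress.ip_address(ip)))
            if hit is None:
                continue
            alerts.append({
                "event_id": get_path(event, "event.id"),
                "matched_field": field,
                "matched_atomic": ip,
                # Indicator prefix override: enrich under gti.threat.indicator
                INDICATOR_PREFIX_OVERRIDE: get_path(hit, "threat.indicator"),
            })
    return alerts


# Constructed sample data (documentation-range IPs, not real indicators).
SAMPLE_INDICATORS = [
    {"@timestamp": "2025-05-20T08:00:00Z",
     "threat": {"indicator": {"ip": "203.0.113.10", "type": "ipv4-addr"}}},
    {"@timestamp": "2025-04-01T08:00:00Z",  # older than 30 days: filtered out
     "threat": {"indicator": {"ip": "198.51.100.7", "type": "ipv4-addr"}}},
]
SAMPLE_EVENTS = [
    {"event": {"id": "evt-1", "module": "system"},
     "source": {"ip": "10.0.0.5"}, "destination": {"ip": "203.0.113.10"}},
    {"event": {"id": "evt-2", "module": "ti_google_threat_intelligence"},
     "source": {"ip": "203.0.113.10"}},  # the feed's own doc: excluded
    {"event": {"id": "evt-3", "module": "network"},
     "source": {"ip": "198.51.100.7"}},  # only a stale indicator matches
]

if __name__ == "__main__":
    for alert in match_events(SAMPLE_EVENTS, SAMPLE_INDICATORS):
        print(alert)
```

Running the block prints a single alert for `evt-1` on `destination.ip`: `evt-2` is dropped by the source query even though it carries a listed IP, and `evt-3` is not alerted because its only candidate indicator falls outside the 30-day window. Both exclusions are worth checking after deploying the real rule, since either a missing `NOT event.module` clause or a too-wide indicator query will show up as self-matches or noisy stale hits.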

Related Integration

Google Threat Intelligence

Tags

[
  "Google Threat Intelligence",
  "IP Address IOC",
  "Elastic",
  "Threat Intelligence"
]

Target Ruleset

threat_intel

Target Rule Type

Indicator Match

Tested ECS Version

8.16.0

Query

No response

New fields required in ECS/data sources for this rule?

No response

Related issues or PRs

No response

References

No response

Redacted Example Data

No response
