Solved

How can I get the most value from Google SecOps Enterprise only - especially from the threat intelligence side?

  • December 30, 2025
  • 6 replies
  • 145 views

sanjay78

Hi everyone,

I’m new to Google SecOps and currently working with the Enterprise edition. I’d like to understand how I can get the most benefit from the platform’s threat intelligence capabilities.

I’m aware that I can use VirusTotal Context in my use cases for enrichment and detection, but I’m curious about how I can leverage Mandiant intelligence in a similar way. I can see Mandiant alerts and IOCs in the interface, but I’m not entirely sure how to make the best use of that data for proactive threat hunting and detection rule development.

Could anyone share best practices or examples of how they’re using Mandiant within Google SecOps Enterprise? Any tips or guidance for someone new to SecOps would be greatly appreciated.

Thanks in advance!

Best answer by AymanC

Hi @sanjay78,

 

I think the docs below are useful; they discuss the different enrichment sources that are available.

https://docs.cloud.google.com/chronicle/docs/investigation/entity-context-in-search#access_control_considerations
Enrich event and entity data with Google SecOps  |  Google Security Operations  |  Google Cloud Documentation
 

Kind Regards,

Ayman

6 replies

Redteamlead
  • Bronze 1
  • December 31, 2025

You can start with the Applied Threat Intelligence Curated Detection Rule Pack and adjust detection modes and alert thresholds to balance sensitivity and noise by combining custom YARA-L rules.
 

Example 1: Basic Domain Match (Any Network Activity Involving Mandiant Fusion Domains)

This rule detects any events where a domain matches a Mandiant Fusion IOC.
 

rule mandiant_fusion_domain_match {
  meta:
    description = "Detects domains matching Mandiant Fusion IOCs"
    severity = "HIGH"

  events:
    // Restrict the entity-graph side to Mandiant Fusion domain IOCs
    $fusion.graph.metadata.product_name = "MANDIANT_FUSION_IOC"
    $fusion.graph.metadata.vendor_name = "MANDIANT_FUSION_IOC"
    $fusion.graph.metadata.source_type = "GLOBAL_CONTEXT"
    $fusion.graph.metadata.entity_type = "DOMAIN_NAME"

    // Join Fusion domain to common UDM hostname fields (adapt based on your telemetry)
    $domain = $fusion.graph.entity.hostname
    strings.coalesce(
      $e.principal.hostname,
      $e.target.hostname,
      $e.network.dns.questions.name,
      $e.network.http.hostname
    ) = $domain

  match:
    $domain over 1d // Adjust the time window as needed

  condition:
    $fusion and $e
}
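As an added example (not part of Redteamlead's post and not Google SecOps code), here is a plain-Python simulation of what that YARA-L join does: filter entity-graph records down to Mandiant Fusion domain IOCs, coalesce the event hostname fields in the rule's order, compare domains, and group hits per domain over a one-day window. It goes a little beyond the rule in two ways: it lowercases and strips trailing dots before comparing, and it offers an "any" mode that checks every populated hostname field instead of only the first, which shows why an event with a workstation name in principal.hostname and an IOC domain in target.hostname never fires under coalesce semantics. All IOC records, events and function names are constructed for illustration; the only field paths taken from the rule are principal.hostname, target.hostname and network.dns.questions.name.

```python
# Added example: simulation of the Mandiant Fusion domain join, not SecOps code.
# Every record below is constructed for illustration, not a real indicator.
from datetime import datetime, timedelta, timezone


def ts(s):
    """Parse a constructed ISO timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed entity-graph records shaped like the metadata the rule filters on.
FUSION_IOCS = [
    {"metadata": {"product_name": "MANDIANT_FUSION_IOC", "vendor_name": "MANDIANT_FUSION_IOC",
                  "source_type": "GLOBAL_CONTEXT", "entity_type": "DOMAIN_NAME"},
     "entity": {"hostname": "Bad-Domain.example."}},
    {"metadata": {"product_name": "MANDIANT_FUSION_IOC", "vendor_name": "MANDIANT_FUSION_IOC",
                  "source_type": "GLOBAL_CONTEXT", "entity_type": "IP_ADDRESS"},
     "entity": {"ip": "192.0.2.10"}},                    # wrong entity_type: ignored
    {"metadata": {"product_name": "OTHER_FEED", "vendor_name": "OTHER_FEED",
                  "source_type": "GLOBAL_CONTEXT", "entity_type": "DOMAIN_NAME"},
     "entity": {"hostname": "other.example"}},           # wrong product: ignored
]

# Constructed UDM-like events carrying only the fields the join reads.
EVENTS = [
    {"ts": ts("2026-01-05T09:00:00"),
     "network": {"dns": {"questions": [{"name": "bad-domain.example"}]}}},
    {"ts": ts("2026-01-05T15:30:00"), "target": {"hostname": "BAD-DOMAIN.EXAMPLE"}},
    {"ts": ts("2026-01-07T08:00:00"), "principal": {"hostname": "ws-01"},
     "target": {"hostname": "bad-domain.example"}},       # masked under coalesce semantics
    {"ts": ts("2026-01-08T11:00:00"), "target": {"hostname": "good.example"}},
]

# Precedence order of the hostname fields the rule coalesces over.
HOSTNAME_FIELDS = ["principal.hostname", "target.hostname", "network.dns.questions.name"]


def get_values(obj, path):
    """Return every non-empty value at a dotted path; list nodes (repeated fields) fan out."""
    nodes = [obj]
    for part in path.split("."):
        nxt = []
        for node in nodes:
            for item in (node if isinstance(node, list) else [node]):
                if isinstance(item, dict) and part in item:
                    nxt.append(item[part])
        nodes = nxt
    out = []
    for node in nodes:
        if isinstance(node, list):
            out.extend(v for v in node if v)
        elif node:
            out.append(node)
    return out


def normalize_domain(name):
    """Case-fold and drop a trailing dot so feed and telemetry spellings compare equal."""
    return name.strip().lower().rstrip(".")


def fusion_domains(records):
    """Apply the four metadata filters from the rule and collect the IOC domains."""
    wanted = {"product_name": "MANDIANT_FUSION_IOC", "vendor_name": "MANDIANT_FUSION_IOC",
              "source_type": "GLOBAL_CONTEXT", "entity_type": "DOMAIN_NAME"}
    domains = set()
    for rec in records:
        md = rec.get("metadata", {})
        if all(md.get(k) == v for k, v in wanted.items()):
            host = rec.get("entity", {}).get("hostname")
            if host:
                domains.add(normalize_domain(host))
    return domains


def event_hostnames(event, mode="coalesce"):
    """Hostnames to compare for one event, in the rule's field precedence order."""
    found = []
    for path in HOSTNAME_FIELDS:
        for value in get_values(event, path):
            found.append(normalize_domain(value))
            if mode == "coalesce":
                return found[:1]  # strings.coalesce: first non-empty wins, later fields unseen
    return list(dict.fromkeys(found))  # mode "any": every populated field is a candidate


def detect(iocs, events, mode="coalesce", window=timedelta(days=1)):
    """Join events to IOC domains, then bucket hits per domain (match: $domain over 1d)."""
    domains = fusion_domains(iocs)
    hits = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        for host in event_hostnames(ev, mode):
            if host in domains:
                hits.setdefault(host, []).append(ev["ts"])
    detections = []
    for domain, stamps in hits.items():
        start = None
        for t in stamps:
            if start is None or t - start > window:
                start = t
                detections.append({"domain": domain, "window_start": start, "event_count": 0})
            detections[-1]["event_count"] += 1
    return detections


if __name__ == "__main__":
    for mode in ("coalesce", "any"):
        print(mode, detect(FUSION_IOCS, EVENTS, mode=mode))
```

Running it shows one detection with two events in coalesce mode and two detections (two events, then one) in any mode: the third event is only seen when every hostname field is checked, which is the point to keep in mind when choosing the field order in strings.coalesce or splitting the join into several rules.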

 


keiS
  • Bronze 4
  • January 8, 2026

@Redteamlead 

Excuse me for interrupting.
I'm also interested in this topic. Is the Applied Threat Intelligence Curated Detection Rule Pack and Mandiant Fusion IOC information available for Google SecOps Enterprise?
I thought these were features only available for Enterprise+.


kentphelps
Staff
  • Staff
  • January 8, 2026

@keiS You are correct. ATI is only available in Enterprise+

Please reference https://cloud.google.com/security/products/security-operations for some more detail


keiS
  • Bronze 4
  • January 9, 2026

@kentphelps Thank you for your response. I understand.


AymanC
  • Bronze 5
  • Answer
  • January 11, 2026

kentphelps
Staff
  • Staff
  • January 13, 2026

@keiS @Redteamlead Take a look at this week's announcement to see if this can help out: