Hello Rowan,
This seems to need some more information or better understanding. When you say it didn't create an IOC, what do you mean by that? I would believe that the alert/rule you created was based upon information from threat intel related to an IOC with a particular risk score.
Are you stating that you are not seeing this being populated into the Alerts and IOC page?
Hi @dnehoda,
I'm currently ingesting logs into Google SecOps using the AWS S3 feeder. Alerts are being successfully generated from these logs, which include malicious IPs with threat scores above 80.
However, the IOCs are not being populated on the IOC page, despite the alerts being triggered. For context, we have created custom detection rules using content from this repository. The link is below:
https://github.com/chronicle/detection-rules/tree/main/rules/community/aws/cloudtrail
Could you please help us understand why the IOCs might not be appearing and if there's any additional configuration required?
Thanks!