Skip to main content

IOC Generation Not Happening Despite Alert Triggers in SecOps

  • April 29, 2025
  • 2 replies
  • 29 views
R
Forum|alt.badge.img+1

Hi everyone,

We're currently working on ingesting IOC (Indicators of Compromise) data into SecOps. To achieve this, we’ve created custom rules and are successfully ingesting logs through a feeder. The logs contain known malicious IPs that have been verified via the Mandiant portal with a threat score above 80. The alerts are being triggered as expected based on these IPs.

However, we’re noticing that IOCs are not being generated despite the alerts. Has anyone faced a similar issue? Is there any specific configuration or step required to ensure IOCs are created from triggered alerts?

Any guidance or suggestions would be greatly appreciated.

Thanks in advance!

    2 replies

    dnehoda
    Staff
    Forum|alt.badge.img+16
    • dnehoda
    • Staff
    • April 30, 2025

    Hello Rowan, 

    This seems to need some more information or better understanding.   When you say it didnt create an IOC, what do you mean by that.   I would believe that the alert/rule you created was based upon information from threat intel related to an IOC with a particular risk score.  

    Are you stating that you are not seeing this being populated into the Alerts and IOC page?  

      R
      Forum|alt.badge.img+1
      • rohan1804
      • Author
      • New Member
      • May 2, 2025

      Hello Rowan, 

      This seems to need some more information or better understanding.   When you say it didnt create an IOC, what do you mean by that.   I would believe that the alert/rule you created was based upon information from threat intel related to an IOC with a particular risk score.  

      Are you stating that you are not seeing this being populated into the Alerts and IOC page?  


      Hi @dnehoda ,

      I'm currently ingesting logs into Google SecOps using the AWS S3 feeder. Alerts are being successfully generated from these logs, which include malicious IPs with threat scores above 80.

      However, the IOCs are not being populated on the IOC page, despite the alerts being triggered. For context, we have created custom detection rules using content from this repository. The link is below:

      https://github.com/chronicle/detection-rules/tree/main/rules/community/aws/cloudtrail

      Could you please help us understand why the IOCs might not be appearing and if there's any additional configuration required?

      Thanks!

      Terms & ConditionsCookie settingsAccessibility statement
      Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

      © 2025 Google. All rights reserved.