Solved

SIEM Investigation Search Not Returning Results for MANDIANT_ACTIVE_BREACH_IOC

  • February 12, 2026
  • 8 replies
  • 157 views

desertfalcon

Hello


I am using the below parameter to display MANDIANT_ACTIVE_BREACH_IOC data:


graph.metadata.vendor_name = "MANDIANT_ACTIVE_BREACH_IOC"


However, when I run this query in the SIEM search under the Investigation tab, it returns zero results.

At the same time, under the IOC Alerts and Data tabs, I can see that events are matching against the MANDIANT_ACTIVE_BREACH_IOC feed, which confirms that the data is being ingested and matched correctly.

Could you please help me understand why the search is returning zero results specifically for this feed?


Best answer by cmorris

You're welcome @desertfalcon. You are not able to use SIEM search or custom detection rules for this feed.

8 replies

cmorris
Staff
  • Staff
  • February 12, 2026

MANDIANT_ACTIVE_BREACH_IOC matches will show, but it is not directly searchable.


desertfalcon
  • Author
  • February 12, 2026

@cmorris, thank you for your reply. So it means that I can only see the IOCs inside the Alerts & IOCs tab and will never be able to search them via SIEM search? Secondly, can I make detection rules using MANDIANT_ACTIVE_BREACH_IOC or not?


cmorris
Staff
  • Staff
  • Answer
  • February 12, 2026

You're welcome @desertfalcon. You are not able to use SIEM search or custom detection rules for this feed.


desertfalcon
  • Author
  • February 13, 2026

@cmorris thanks again for your quick support. Is this limitation on MANDIANT_ACTIVE_BREACH_IOC intentional, or is it a limitation of the Google SecOps product? Further, what does Google recommend as an effective way of monitoring this feed other than watching the IOC matches in the Alerts and IOCs tab?


cmorris
Staff
  • Staff
  • February 13, 2026

Intentional - Curated Detections use it.


cmerchant
  • Bronze 1
  • February 13, 2026

Question on this: does this mean the documentation here is wrong? I could have sworn I was able to search it when this feature came out initially.

https://docs.cloud.google.com/chronicle/docs/investigation/entity-context-in-search#access_control_considerations


The following sources provide global context support:

  • Safe Browsing
  • VirusTotal Relationships
  • WHOIS
  • Uppercase
  • Open Source Intel IOC (OPEN_SOURCE_INTEL_IOC)
  • Mandiant Active Breach IoC (MANDIANT_ACTIVE_BREACH_IOC)
  • Mandiant Fusion IoC (MANDIANT_FUSION_IOC)

cmorris
Staff
Forum|alt.badge.img+12
  • Staff
  • February 13, 2026

@cmerchant - Thank you, I filed a documentation bug earlier to have this corrected.


desertfalcon
  • Author
  • February 13, 2026

@cmorris, thank you for your quick support for the community. I wanted to ask, is there any way to store the matched IOCs in a reference set automatically, or is the only option currently to export the data as CSV?