Question

SIEM Investigation Search Not Returning Results for MANDIANT_ACTIVE_BREACH_IOC

  • February 12, 2026
  • 3 replies

desertfalcon

Hello

I am using the below parameter to display MANDIANT_ACTIVE_BREACH_IOC data:

graph.metadata.vendor_name = "MANDIANT_ACTIVE_BREACH_IOC"

However, when I run this query in the SIEM search under the Investigation tab, it returns zero results.

At the same time, under the IOC Alerts and Data tabs, I can see that events are matching against the MANDIANT_ACTIVE_BREACH_IOC feed, which confirms that the data is being ingested and matched correctly.

Could you please help me understand why the search is returning zero results specifically for this feed?

3 replies

cmorris
  • Staff
  • February 12, 2026

MANDIANT_ACTIVE_BREACH_IOC matches will show, but it is not directly searchable.


desertfalcon
  • Author
  • New Member
  • February 12, 2026

@cmorris, thank you for your reply. So it means that I can only see the IOCs inside the Alerts & IOCs tab and will never be able to search them via SIEM search? Secondly, can I make detection rules using MANDIANT_ACTIVE_BREACH_IOC or not?


cmorris
  • Staff
  • February 12, 2026

You're welcome @desertfalcon. You are not able to use SIEM search or custom detection rules for this feed.