Question

Clarification on Associated vs. Primary Indicators in Active Threat Intelligence Feed

  • February 15, 2026
  • 0 replies
  • 0 views

desertfalcon

Hello Google Threat Intelligence Team,

I would like clarification on how indicators are represented in the Active Threat Intelligence Feed within Google SecOps.

Specifically, does the feed differentiate between:

  • Primary (directly observed) indicators

  • Associated (related infrastructure) indicators

To clarify what I mean:

A primary indicator would be an artifact that was directly observed in confirmed malicious activity. For example:

  • A specific phishing URL used in an intrusion (e.g., hxxps://login-example[.]com/auth)

  • A C2 domain actively used by malware in a breach

  • A hash of malware recovered during incident response

An associated indicator, however, might include:

  • The IP address hosting that phishing domain (which may also host other benign domains)

  • Additional domains resolving to the same infrastructure but not directly observed in the campaign

  • Infrastructure sharing WHOIS, SSL certificate, ASN, or registration artifacts with the malicious domain

  • A CDN IP address (e.g., infrastructure behind Amazon or other cloud providers) that is indirectly related to the malicious URL

In these cases, the associated artifact may not be malicious on its own but is contextually linked through analytical correlation.

My questions are:

  1. Does the Active Threat Intelligence Feed explicitly distinguish between directly observed indicators and analytically associated infrastructure?

  2. Is there a metadata field that identifies whether an indicator was:

    • Observed in an active breach

    • Infrastructure-linked

    • Historically associated

  3. Should associated infrastructure indicators be treated as fully actionable detection IOCs, or primarily as contextual enrichment?

  4. How does this distinction (if it exists) influence confidence, severity, or GCTI priority?

Understanding this difference is important for avoiding overblocking (e.g., blocking shared cloud infrastructure IPs) while still leveraging intelligence effectively for detection and hunting.

Thank you for your clarification.
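The primary-versus-associated distinction the post draws, and the overblocking concern at the end, can be illustrated with a small triage helper. This is an added example and not code from the poster or from Google Threat Intelligence; the feed's real schema is unknown, so the `relationship` label, the `confidence` value, the `hosted_domains` and `cdn` context fields, and the `SHARED_HOSTING_THRESHOLD` are all assumptions, and every feed entry below (including the sibling domain and the hash) is constructed. The point it shows is the policy the post is asking about: only directly observed indicators become blocking or alerting IOCs, while analytically associated infrastructure is routed to hunting, and shared or CDN IPs to enrichment only.

```python
"""Route threat-intel indicators by how they were observed (added illustration)."""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed relationship labels; the real feed's field name and values are unknown.
PRIMARY = "primary"        # directly observed in confirmed malicious activity
ASSOCIATED = "associated"  # linked only by infrastructure correlation

# Assumed policy knobs.
BLOCK_CONFIDENCE = 80          # primary indicators at/above this confidence are blocked
SHARED_HOSTING_THRESHOLD = 5   # an IP serving more distinct domains is treated as shared


@dataclass
class Indicator:
    value: str                 # stored defanged, as feeds usually deliver it
    ioc_type: str              # "url", "domain", "ip" or "sha256"
    relationship: str          # PRIMARY or ASSOCIATED (assumed label)
    confidence: int            # 0-100 (assumed field)
    context: Dict[str, object] = field(default_factory=dict)


def refang(value: str) -> str:
    """Turn a defanged value (hxxps://x[.]y) into the form a detection rule matches."""
    return (value.replace("hxxps://", "https://")
                 .replace("hxxp://", "http://")
                 .replace("[.]", "."))


def is_shared_infrastructure(ind: Indicator) -> bool:
    """True for IPs that are CDN edges or host many unrelated domains."""
    if ind.ioc_type != "ip":
        return False
    if bool(ind.context.get("cdn", False)):
        return True
    return int(ind.context.get("hosted_domains", 0)) > SHARED_HOSTING_THRESHOLD


def triage(ind: Indicator) -> str:
    """Return 'block', 'alert', 'hunt' or 'enrich' for one indicator."""
    if ind.relationship == PRIMARY:
        # Directly observed: actionable. Block at high confidence, else alert-only.
        return "block" if ind.confidence >= BLOCK_CONFIDENCE else "alert"
    if ind.relationship == ASSOCIATED:
        # Never auto-block correlated infrastructure; shared hosting is context only.
        return "enrich" if is_shared_infrastructure(ind) else "hunt"
    raise ValueError(f"unknown relationship label: {ind.relationship!r}")


def triage_feed(feed: List[Indicator]) -> Dict[str, List[str]]:
    """Group refanged indicator values by triage outcome."""
    buckets: Dict[str, List[str]] = {"block": [], "alert": [], "hunt": [], "enrich": []}
    for ind in feed:
        buckets[triage(ind)].append(refang(ind.value))
    return buckets


# Constructed sample feed. IPs are from the RFC 5737 documentation ranges and the
# hash is a placeholder, not a real sample.
SAMPLE_FEED = [
    Indicator("hxxps://login-example[.]com/auth", "url", PRIMARY, 95),
    Indicator("c2-example[.]net", "domain", PRIMARY, 70),
    Indicator("deadbeef" * 8, "sha256", PRIMARY, 90),
    # IP hosting the phishing domain, but also a CDN edge serving many tenants.
    Indicator("203.0.113.10", "ip", ASSOCIATED, 60, {"cdn": True, "hosted_domains": 120}),
    # Sibling domain on the same infrastructure, not seen in the campaign.
    Indicator("auth-example[.]com", "domain", ASSOCIATED, 50),
    # Dedicated IP: only the malicious domain resolves to it.
    Indicator("198.51.100.7", "ip", ASSOCIATED, 65, {"hosted_domains": 1}),
]


if __name__ == "__main__":
    for outcome, values in triage_feed(SAMPLE_FEED).items():
        print(f"{outcome:7s} {values}")
```

Whatever the real feed calls these fields, the useful property is that the routing decision depends on the relationship label first and on confidence second, so a shared cloud IP with a respectable confidence score still cannot reach the block list.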