Question

Clarification on Associated vs. Primary Indicators in Active Threat Intelligence Feed

  • February 15, 2026
  • 4 replies
  • 53 views

desertfalcon

Hello Google Threat Intelligence Team,

I would like clarification on how indicators are represented in the Active Threat Intelligence Feed within Google SecOps.

Specifically, does the feed differentiate between:

  • Primary (directly observed) indicators

  • Associated (related infrastructure) indicators

To clarify what I mean:

A primary indicator would be an artifact that was directly observed in confirmed malicious activity. For example:

  • A specific phishing URL used in an intrusion (e.g., hxxps://login-example[.]com/auth)

  • A C2 domain actively used by malware in a breach

  • A hash of malware recovered during incident response

An associated indicator, however, might include:

  • The IP address hosting that phishing domain (which may also host other benign domains)

  • Additional domains resolving to the same infrastructure but not directly observed in the campaign

  • Infrastructure sharing WHOIS, SSL certificate, ASN, or registration artifacts with the malicious domain

  • A CDN IP address (e.g., infrastructure behind Amazon or other cloud providers) that is indirectly related to the malicious URL

In these cases, the associated artifact may not be malicious on its own but is contextually linked through analytical correlation.

My questions are:

  1. Does the Active Threat Intelligence Feed explicitly distinguish between directly observed indicators and analytically associated infrastructure?

  2. Is there a metadata field that identifies whether an indicator was:

    • Observed in an active breach

    • Infrastructure-linked

    • Historically associated

  3. Should associated infrastructure indicators be treated as fully actionable detection IOCs, or primarily as contextual enrichment?

  4. How does this distinction (if it exists) influence confidence, severity, or GCTI priority?

Understanding this difference is important for avoiding overblocking (e.g., blocking shared cloud infrastructure IPs) while still leveraging intelligence effectively for detection and hunting.

Thank you for your clarification.

4 replies

Rob_P
Staff
  • Staff
  • February 17, 2026

Hello @desertfalcon -

Thanks for reaching out on this topic. Let me do some additional research on ATI feeds and bring back some additional answers for you. Initially, I don't believe we do separate out Primary and Secondary indicators; that may be addressed in the IC-Scores and Severity components, but let me confirm this with our team.

I appreciate your patience as I look into this more. I’ll reply back as soon as I have a clearer answer. 

Respectfully,

- Rob


Ulab
  • Bronze 1
  • February 17, 2026

The Active Threat Intelligence Feed does not explicitly separate primary (directly observed) and associated (infrastructure-linked) indicators. Metadata like IC-Scores or Severity may hint at confidence or priority, but associated infrastructure is mainly for context, not always actionable. Treat primary indicators as actionable and associated ones for enrichment to avoid overblocking shared resources.

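The two-tier handling Ulab describes (primary indicators drive detection, associated infrastructure only enriches) can be made concrete in triage code. The block below is an added example written for this thread; it is not Google's code and not the Active Threat Intelligence Feed's real schema. The field names (`relationship`, `pivot`, `ic_score`), the feed records, the passive-DNS hostname counts and the proxy log lines are all constructed, and the shared-infrastructure threshold is an assumed tuning value. It shows the overblocking case from the original question: a CDN IP that fronts a phishing domain also fronts an unrelated site, so it is annotated rather than alerted on.

```python
"""Two-tier handling of feed indicators: primary (directly observed) entries
become detection IOCs, associated (infrastructure-linked) entries only enrich.

Everything here is constructed sample data. The field names are an assumed
feed schema for illustration, not the Active Threat Intelligence Feed format.
"""
from dataclasses import dataclass, field

# Constructed feed records. relationship="observed" means directly seen in
# confirmed malicious activity; "associated" means linked by an analytic pivot.
FEED = [
    {"value": "login-example.com", "type": "domain", "relationship": "observed",
     "pivot": None, "ic_score": 95},
    {"value": "203.0.113.10", "type": "ip", "relationship": "associated",
     "pivot": "resolves_to:login-example.com", "ic_score": 60},
    {"value": "198.51.100.7", "type": "ip", "relationship": "associated",
     "pivot": "cdn_frontend:login-example.com", "ic_score": 40},
    {"value": "other-example.net", "type": "domain", "relationship": "associated",
     "pivot": "shared_cert:login-example.com", "ic_score": 55},
]

# Constructed passive-DNS view: distinct hostnames resolving to each IP.
# A high count is the signature of shared hosting or CDN infrastructure.
HOSTNAMES_PER_IP = {"203.0.113.10": 3, "198.51.100.7": 1200}

SHARED_INFRA_THRESHOLD = 50  # assumed cut-off; tune per environment


@dataclass
class Disposition:
    value: str
    action: str                       # "block" (alert/block) or "enrich" (context only)
    reasons: list = field(default_factory=list)


def triage(record, hostnames_per_ip=HOSTNAMES_PER_IP):
    """Decide whether a feed record is a detection IOC or context only."""
    d = Disposition(record["value"], "enrich")
    if record["relationship"] == "observed":
        d.action = "block"
        d.reasons.append("directly observed in confirmed malicious activity")
        return d
    d.reasons.append(f"associated via {record['pivot']}")
    if record["type"] == "ip":
        n = hostnames_per_ip.get(record["value"], 0)
        if n >= SHARED_INFRA_THRESHOLD:
            d.reasons.append(f"shared infrastructure: {n} hostnames resolve here")
    return d


def build_watchlists(feed=FEED):
    """Split the feed into a blocklist (primary) and a context map (associated)."""
    blocklist, context = {}, {}
    for rec in feed:
        d = triage(rec)
        (blocklist if d.action == "block" else context)[d.value] = d
    return blocklist, context


# Constructed proxy log lines: timestamp, client, destination host, destination IP.
LOG = [
    "2026-02-15T10:01:02Z 10.0.0.5 login-example.com 203.0.113.10",
    "2026-02-15T10:01:09Z 10.0.0.6 shop-example.org 198.51.100.7",
    "2026-02-15T10:02:30Z 10.0.0.7 other-example.net 203.0.113.10",
]


def match_logs(log_lines=LOG, feed=FEED):
    """Alert on primary indicators; annotate, but do not alert on, associated ones."""
    blocklist, context = build_watchlists(feed)
    alerts, annotations = [], []
    for line in log_lines:
        _ts, _client, host, ip = line.split()
        for ind in (host, ip):
            if ind in blocklist:
                alerts.append((line, ind))
            elif ind in context:
                annotations.append((line, ind, context[ind].reasons))
    return alerts, annotations


if __name__ == "__main__":
    hits, notes = match_logs()
    for line, ind in hits:
        print("ALERT  ", ind, "|", line)
    for line, ind, why in notes:
        print("CONTEXT", ind, "|", line, "|", "; ".join(why))
```

Only the observed phishing domain produces an alert. The second log line (an unrelated site served from the same CDN IP) gets a context annotation carrying the shared-infrastructure reason, which is exactly the traffic a blanket block on associated IPs would have broken.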

desertfalcon
  • Author
  • February 17, 2026

@Rob_P, Thank you for your response. As you mentioned, I have asked about scores and severity in another question I posted; here is a link

I will be waiting for your response for both of these questions. 


desertfalcon
  • Author
  • February 17, 2026

@Ulab, Thank you for your response. How can you identify primary indicators from the feed?