Question

GCTI Validation

  • November 4, 2025
  • 1 reply
  • 35 views

Aj_Detection

Hi Team

I am looking to create an outbound rule from the firewall to the GCTI IP. So I am using the below lines in my rule as suggested by SecOps. Expecting your support on this for better understanding.

    $feed.graph.metadata.entity_type = "IP_ADDRESS"
    $feed.graph.metadata.product_name = "GCTI Feed"
    $feed.graph.metadata.source_type = "GLOBAL_CONTEXT"

  1. I would like to know how to validate the above lines and their values. If I do a UDM search I can see graph.metadata.source_type = "DERIVED_CONTEXT" and not graph.metadata.source_type = "GLOBAL_CONTEXT".
  2. Since I have the source type: Mandiant Threat Intelligence (refer to Snap 2 below).
  3. How can I confirm GCTI feeds are integrated?
  4. Are the feeds updated at any frequency, or are the feeds updated live?

  Snap: 1

  Snap: 2

Regards
Ajay P
Detection Engineering
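As an added illustration (not code from the original post), the three graph.metadata lines above sit in the events section of a YARA-L 2.0 rule that joins an outbound connection's target IP against the GCTI entity graph; the rule name, the event filter, and the threat_feed_name value are assumptions.

```yaral
rule gcti_ip_outbound_match {
  meta:
    author = "added example, not from the original post"
    description = "Outbound connection to an IP present in the GCTI entity graph"
    severity = "MEDIUM"

  events:
    // Outbound network event from the firewall; this filter is an assumption.
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.network.direction = "OUTBOUND"
    $e.target.ip = $ip

    // Entity-graph join: the same $ip must exist as a GCTI IP_ADDRESS entity.
    $feed.graph.entity.artifact.ip = $ip
    $feed.graph.metadata.entity_type = "IP_ADDRESS"
    $feed.graph.metadata.product_name = "GCTI Feed"
    $feed.graph.metadata.source_type = "GLOBAL_CONTEXT"
    // Assumed feed name; replace with the GCTI feed you actually want to check.
    $feed.graph.metadata.threat.threat_feed_name = "Tor Exit Nodes"

  match:
    $ip over 1h

  condition:
    $e and $feed
}
```

Before relying on the rule, the same three graph.metadata predicates can be run as a UDM search over entities to confirm that GLOBAL_CONTEXT GCTI entities are present in the tenant at all.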

1 reply

kentphelps
Staff
  • 144 replies
  • November 5, 2025

For information on the www.virustotal.com IP address, take a look at this blog post. If you take a look at the same docs page from your screenshot, in the left margin go down to Investigate a GCTI Alert to get details on how to identify GCTI alerts in the Alerts and IOCs page.