Question

GCTI Validation

  • November 4, 2025
  • 4 replies
  • 119 views

Aj_Detection

Hi Team

I am looking to create an outbound rule from the firewall to the GCTI IP, so I am using the lines below in my rule, as suggested by SecOps. Expecting your support on this for better understanding.

    $feed.graph.metadata.entity_type = "IP_ADDRESS"
    $feed.graph.metadata.product_name = "GCTI Feed"
    $feed.graph.metadata.source_type = "GLOBAL_CONTEXT"

  1. I would like to know how to validate the above lines and their values. If I do a UDM search I can see graph.metadata.source_type = "DERIVED_CONTEXT" and not graph.metadata.source_type = "GLOBAL_CONTEXT".
  2. Since I have the source type: Mandiant Threat Intelligence. (Refer: Snap 2 below)
  3. How can I confirm GCTI feeds are integrated?
  4. Are the feeds updated at a set frequency, or are they updated live?

  [Snap 1: screenshot]
  [Snap 2: screenshot]

Regards
Ajay P
Detection Engineering
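An added example (not the poster's rule and not code from Google's documentation) of how the three metadata lines above are normally used: a YARA-L rule that joins outbound firewall events to the GCTI entity graph on the destination IP. The event-side field names (metadata.event_type, network.direction, target.ip), the graph.entities.entity.ip join path and the one-hour window are assumptions based on the standard UDM schema; if a tenant only carries DERIVED_CONTEXT entities, the join on source_type = "GLOBAL_CONTEXT" simply returns no detections.

```yaral
rule outbound_to_gcti_ip {
  meta:
    author = "added example, not the original poster's rule"
    description = "Outbound connection whose destination IP is present in the GCTI global context feed"
    severity = "MEDIUM"

  events:
    // Outbound network event from the firewall (assumed UDM field names)
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.network.direction = "OUTBOUND"
    $e.target.ip = $ip

    // Join to the GCTI entity graph on the same IP value;
    // these three metadata filters are the lines from the post above
    $gcti_feed.graph.entities.entity.ip = $ip
    $gcti_feed.graph.metadata.entity_type = "IP_ADDRESS"
    $gcti_feed.graph.metadata.product_name = "GCTI Feed"
    $gcti_feed.graph.metadata.source_type = "GLOBAL_CONTEXT"

  match:
    // Group matches per destination IP over an illustrative window
    $ip over 1h

  outcome:
    $risk_score = max(65)
    $matched_ip = array_distinct($e.target.ip)

  condition:
    // Both the firewall event and the matching GCTI entity must exist
    $e and $gcti_feed
}
```

Running this rule against a time range with known outbound traffic and getting zero detections while the same IPs show up in UDM search is the quickest way to tell that the GLOBAL_CONTEXT entities are not present in the tenant.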

4 replies

kentphelps
  • Staff
  • November 5, 2025

For information on the www.virustotal.com IP address, take a look at this blog post. If you look at the same docs page from your screenshot, in the left margin go down to "Investigate a GCTI Alert" to get details on how to identify GCTI alerts in the Alerts and IOCs page.


Aj_Detection
  • Author
  • Bronze 1
  • November 27, 2025

Does the GCTI feed have domain and URL?

 


Aj_Detection
  • Author
  • Bronze 1
  • November 27, 2025

Hi

I have source type only "DERIVED_CONTEXT". How do I validate the below GCTI queries for entity type = IP, Domain, File?

    $gcti_feed.graph.metadata.entity_type = "DOMAIN_NAME"
    $gcti_feed.graph.metadata.product_name = "GCTI Feed"
    $gcti_feed.graph.metadata.source_type = "GLOBAL_CONTEXT"

    ******************************
    metadata.source_type = "DERIVED_CONTEXT"
    PRODUCT NAME = no values

Thanks
Ajay P


harry21
  • New Member
  • November 29, 2025

Really informative!