Emerging Threats Center detail view
The Emerging Threats Center feed provides a detailed view of selected campaigns or reports. When you select a threat in the feed, the system opens a page that combines information from Google Threat Intelligence with data from your environment to help you analyze threat impact and coverage.
Each page contains several expandable panels that display related threat intelligence, detection data, and associated entities. In each panel, click the arrow next to the section name to expand it and view more details.
The Emerging Threats Center detailed view includes the following panels:
Associated Rules
The Associated Rules panel lists detection rules related to the selected campaign and includes a MITRE ATT&CK matrix visualization that shows your rule coverage for specific tactics, techniques, and procedures (TTPs). Rule associations apply only to campaigns, not to reports.
Emerging Threats continuously ingests intelligence from Google Threat Intelligence and aligns it with your organization's telemetry. It automates campaign discovery, enrichment, and correlation through the following processes:
- Ingest campaign intelligence: The system automatically collects campaign intelligence from Google Threat Intelligence, which includes data from global research, Mandiant incident response engagements, and Mandiant Managed Defense telemetry.
- Generate simulated log events: In the background, Gemini produces high-fidelity, anonymized simulated log events that mirror real adversary behavior.
- Automatically highlight detection coverage: The system runs the simulated log events against the Google Cloud Threat Intelligence (GCTI) curated detection rules and produces coverage reports that show where Google SecOps has detections and where gaps exist.
- Accelerate rule creation: Once gaps are identified, Gemini automatically drafts new detection rules based on the tested patterns and provides a summary of the rule logic and expected behavior. A human must review and approve these rules before they are moved to production.
The following table describes the columns in the Associated Rules panel:
| Column name | Description |
|---|---|
| Rule name | Displays the rule title and associated rule set or detection category. Clicking the rule name opens the Detections page, which shows the detections produced by this rule. |
| Tags | Lists rule tags or labels applied to the detection rule. |
| Past 4 weeks activity | Shows alert or detection activity for the rule over the past four weeks. |
| Last detection | Displays the timestamp of the most recent alert generated by the rule. |
| Severity | Indicates the severity level configured for the detections generated by the given rule. |
| Alerting | Specifies whether alerting is enabled or disabled for the rule. |
| Live status | Shows whether the rule is active or inactive in your environment. |
If no rules are associated with the campaign, the panel displays the text No rules.
View MITRE ATT&CK coverage
The Associated Rules panel includes a MITRE ATT&CK visualization matrix that shows your rule coverage for specific tactics, techniques, and procedures (TTPs).
Use the following tabs to change the visualization layout:
- Cards: View techniques as detailed cards grouped by tactic.
- Overview: View a condensed summary of your coverage.
- Minimap: View a high-level, color-coded grid of your coverage matrix.
Filter and search the matrix
Use the following lists to filter the rules displayed in the matrix:
- Rule Type: Filter the matrix by All, Curated, or Custom rules.
- Live Status: Filter by the current deployment status of the rules.
- Alerting Status: Filter rules by an alerting status of All, On, or Off.
To find specific coverage information, use the Search by list to search the matrix by TTP, Log Type, MITRE Data Source, or Rule Name.
Customize heat map metrics
Click View Options to customize the heat map metrics:
- Display sub-techniques: Shows or hides sub-techniques in the matrix.
- Aggregation Mode: Changes how the system calculates the heat map colors:
- Cumulative: Displays the total coverage for a technique and its sub-techniques.
- Normalized Average: Displays the normalized average coverage for a technique and its sub-techniques.
- Weakest Link: Displays the lowest coverage value for a technique and its sub-techniques.
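To make the difference between the three aggregation modes concrete, the following Python script (an added example, not Google SecOps code) computes all three for a small constructed coverage matrix. The page does not define how coverage is counted or normalized; this script assumes coverage is the number of rules per technique or sub-technique, normalized against the largest count in the matrix, and the function and variable names are its own.

```python
"""Illustrative implementation of the heat map Aggregation Modes
(Cumulative, Normalized Average, Weakest Link) for an ATT&CK technique
together with its sub-techniques.

Added example, not Google SecOps code. Assumptions the page does not state:
coverage for a technique or sub-technique is its count of rules, and
"normalized" means divided by the largest count anywhere in the matrix."""

from statistics import mean

# Constructed sample coverage. The ATT&CK IDs are real labels; the rule
# counts are made up. Each technique entry holds the technique's own count
# plus one count per sub-technique.
SAMPLE_COVERAGE = {
    "T1059": {"T1059": 1, "T1059.001": 6, "T1059.003": 2, "T1059.004": 0},
    "T1566": {"T1566": 0, "T1566.001": 3, "T1566.002": 3},
    "T1078": {"T1078": 2, "T1078.002": 1, "T1078.004": 1},
}


def cumulative(counts):
    """Total rules across the technique and all of its sub-techniques."""
    return sum(counts)


def normalized_average(counts, max_count):
    """Mean of each count divided by the matrix-wide maximum (0.0 to 1.0)."""
    if max_count == 0:
        return 0.0
    return mean(c / max_count for c in counts)


def weakest_link(counts):
    """Lowest count among the technique and its sub-techniques."""
    return min(counts)


def heat_map(coverage, mode):
    """Return {technique: value} using the chosen aggregation mode."""
    max_count = max(
        (c for subs in coverage.values() for c in subs.values()), default=0
    )
    result = {}
    for technique, subs in coverage.items():
        counts = list(subs.values())
        if mode == "cumulative":
            result[technique] = cumulative(counts)
        elif mode == "normalized_average":
            result[technique] = normalized_average(counts, max_count)
        elif mode == "weakest_link":
            result[technique] = weakest_link(counts)
        else:
            raise ValueError(f"unknown aggregation mode: {mode}")
    return result


def hidden_gaps(coverage):
    """Techniques that look covered in Cumulative mode (total > 0) but have
    at least one uncovered sub-technique (Weakest Link == 0)."""
    totals = heat_map(coverage, "cumulative")
    floors = heat_map(coverage, "weakest_link")
    return sorted(t for t in coverage if totals[t] > 0 and floors[t] == 0)


if __name__ == "__main__":
    for mode in ("cumulative", "normalized_average", "weakest_link"):
        print(mode, heat_map(SAMPLE_COVERAGE, mode))
    print("gaps hidden by Cumulative:", hidden_gaps(SAMPLE_COVERAGE))
```

Running it shows why the mode matters when you look for gaps in a campaign's TTPs: T1059 totals nine rules in Cumulative mode yet has a Weakest Link value of 0, because one of its sub-techniques has no rule at all. Check the Weakest Link view before concluding that a technique is covered.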
View technique details
Click a specific card to open a detailed context panel. This panel provides in-depth details about the selected technique and includes the following sections:
- Description: A detailed explanation of the selected MITRE ATT&CK technique.
- Subtechniques: A table listing the related sub-techniques and the number of associated rules for each.
- Curated Rules: A table displaying the associated rules that match your applied filters. This table includes the rule name, live status, alerting status, and specific TTP.
- Log Types: A table listing the applicable log types and their corresponding MITRE data sources.
Disabled Rules
The Disabled Rules panel lists detection rules related to the campaign that are currently not enabled, if there are any. This helps you identify potential threat coverage gaps. Rule associations for a campaign are determined as described in Associated Rules.
The following table describes the columns:
| Column name | Description |
|---|---|
| Rule name | Shows the name of the disabled rule. Click the rule name to open a detailed view that describes the rule's logic, configuration, and associated rule set, similar to the view on the Curated Detections page. |
| Category | Displays the rule type or category. |
| Rule set | Identifies the rule source, such as Mandiant Frontline Threats, Mandiant Hunt Rules, or Mandiant Intel Emerging Threats. |
| Precision | Indicates the rule precision type (Broad or Precise). |
| Alerting | Shows whether alerting is enabled. |
| Last updated | Displays the timestamp for when the rule was last modified. |
Recent Associated Entities
The Recent Associated Entities panel lists entities from your environment that are linked to the selected threat and potentially affected by it.
The panel lists user and asset entities that meet the following criteria:
- Appeared in detections within the past seven days.
- Appeared in events linked to an IoC associated with the threat.
- Have an assigned risk score.
The following table describes the columns in the Recent Associated Entities panel:
| Column name | Description |
|---|---|
| Entity name | Displays the asset or entity associated with a campaign. Click the entity name to open the Risk Analytics page, which shows details about that entity's recent risk score changes and the detections that contributed to it. |
| Entity type | Indicates the type of entity, such as asset or user account. |
| IOC matches | Shows the number of IoCs from the campaign that match your organization's telemetry and are associated with the entity in recent detections. |
| Entity risk score | Displays the calculated risk score for the entity based on recent IoC matches. |
IOCs
The IOCs panel displays the following tables:
IOC Matches
The IOC Matches table lists IoCs that are detected or matched within your environment for the selected campaign.
The following table describes the columns:
| Column name | Description |
|---|---|
| IOC | Displays the domain, IP address, hash, or URL. Clicking the IoC opens the Entity context panel, which provides additional information about the IoC and where it has been seen in your environment. |
| Type | Displays the IoC category, such as DOMAIN, IP, FILE (HASH_SHA256), or URL. |
| GTI score | Shows the threat score assigned by GTI on a 0-100 scale. |
| GCTI priority | Indicates the relative priority level assigned by GCTI. |
| Assets | Lists assets in your environment involved in events matching the IoC. |
| Associations | Displays related GTI entities for the indicator, such as threat actors or campaigns. |
| First seen | Shows when the indicator was first detected in your environment. |
| Last seen | Shows the most recent time the indicator was detected in your environment. |
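The following Python script, an added example rather than Google SecOps code, reconstructs how the Type, Assets, First seen, and Last seen columns can be derived by matching a campaign's IoCs against events from your environment. The event layout, field names, and every indicator value are constructed for the demo and are not the UDM schema; the type labels follow the Type column described above.

```python
"""Illustrative reconstruction of the IOC Matches table: match a campaign's
IoCs against environment events and derive the Type, Assets, First seen
and Last seen columns.

Added example, not Google SecOps code. The event shape, field names and
all indicator values below are constructed for this demo."""

import ipaddress
import re
from datetime import datetime

SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def classify_ioc(value: str) -> str:
    """Return the indicator type label used by the IOC Matches table."""
    if URL_RE.match(value):
        return "URL"
    if SHA256_RE.match(value):
        return "FILE (HASH_SHA256)"
    try:
        ipaddress.ip_address(value)
        return "IP"
    except ValueError:
        return "DOMAIN"


# Constructed campaign IoCs (documentation/placeholder values only).
CAMPAIGN_IOCS = [
    "update-cdn.example.test",
    "203.0.113.77",
    "http://update-cdn.example.test/loader.bin",
    "0123456789abcdef" * 4,  # placeholder SHA-256
    "198.51.100.9",  # never observed below, so it produces no row
]

# Constructed events: ISO-8601 timestamp, asset name, indicator-bearing fields.
EVENTS = [
    {"ts": "2024-05-01T10:02:11Z", "asset": "ws-0142",
     "target_domain": "update-cdn.example.test"},
    {"ts": "2024-05-01T10:02:12Z", "asset": "ws-0142",
     "target_ip": "203.0.113.77",
     "target_url": "http://update-cdn.example.test/loader.bin"},
    {"ts": "2024-05-02T08:15:00Z", "asset": "srv-db-03",
     "file_sha256": "0123456789ABCDEF" * 4},  # case differs on purpose
    {"ts": "2024-05-03T17:40:59Z", "asset": "ws-0077",
     "target_ip": "203.0.113.77"},
]


def _parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def match_iocs(iocs, events):
    """Return {ioc: {type, assets, first_seen, last_seen}} for every IoC that
    appears in at least one event. Matching is case-insensitive so that
    differently cased hashes and domains still hit."""
    wanted = {ioc.lower(): ioc for ioc in iocs}
    matches = {}
    for event in events:
        seen_at = _parse_ts(event["ts"])
        for field, value in event.items():
            if field in ("ts", "asset") or not isinstance(value, str):
                continue
            ioc = wanted.get(value.lower())
            if ioc is None:
                continue
            row = matches.setdefault(ioc, {
                "type": classify_ioc(ioc), "assets": set(),
                "first_seen": seen_at, "last_seen": seen_at})
            row["assets"].add(event["asset"])
            row["first_seen"] = min(row["first_seen"], seen_at)
            row["last_seen"] = max(row["last_seen"], seen_at)
    for row in matches.values():
        row["assets"] = sorted(row["assets"])
    return matches


if __name__ == "__main__":
    for ioc, row in match_iocs(CAMPAIGN_IOCS, EVENTS).items():
        print(ioc, row["type"], row["assets"],
              row["first_seen"].isoformat(), row["last_seen"].isoformat())
```

An IoC with no matching event (198.51.100.9 in the sample) yields no row, mirroring the table, which lists only indicators actually observed in your environment; indicators GTI ties to the campaign but that have not been seen belong in the GTI-associated IOCs table.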
When you click an IoC in the table, the Entity context panel opens to provide additional information about the indicator. For general information about reviewing entity attributes, alerts, and taking quick actions, see Use UDM Search to investigate an entity.
You can also use the Entity context panel to review the following advanced threat details:
- Point-in-time state: Use the date and time picker to view the entity's attributes exactly as they appear at a specific point in time.
- Related cases: View a table of cases related to the entity within a specified lookback period (for example, the past 30 days). This table includes the case name, stage, priority, and status.
- Associated threat intelligence: Expand the bottom sections to view related Google Threat Intelligence data linked to the entity. These sections include:
- Reports: View related threat reports and their publication dates.
- Campaigns: View associated threat campaigns and when they were created.
- Actors: Identify connected threat actors and the date of their most recent activity.
- Malware: Identify malware families linked to the entity.
GTI-associated IOCs
The GTI-associated IOCs table lists additional IoCs that GTI associates with the selected campaign. Click the Files, URLs, Domains, or IPs tab to view the specific indicators for that category.
The following table describes the columns:
| Column name | Description |
|---|---|
| IOC | Displays the domain, IP address, hash, or URL. |
| Type | Displays the IoC category, such as DOMAIN, IP, FILE, HASH_SHA256, or URL. |
| GTI score | Shows the threat score assigned by GTI on a 0-100 scale. |
| Associated actors | Lists the threat actors connected to the IoC. You can click the name of an actor to view more information in the |
| Associated malware | Lists the malware families linked to the IoC. You can click the malware name to view more information in the |
| GTI discovered | Shows the timestamp of when GTI first recorded the IoC. |
| GTI last updated | Shows the timestamp of when the IoC was most recently updated by GTI. |