
Summary
GTI/MaliciousIndicator is a threat-detection rule that flags when an IP address, domain, or file hash appearing in any log event matches entries in Google Threat Intelligence (GTI) / VirusTotal enrichment. The rule leverages vt_iocstream enrichment data (last_analysis_stats, reputation, threat_severity, and the GTI URL) to determine maliciousness and to elevate the alert severity based on GTI’s threat verdict and the number of vendors flagging the indicator as malicious. It scans a broad set of log sources (CloudTrail, Cloudflare, CrowdStrike, AWS/GCP/Azure audit logs, network traffic logs, etc.) and uses fields such as p_any_ip_addresses, p_any_domain_names, and p_any_sha256_hashes to identify indicators. If a match is confirmed as malicious and there was observed interaction, the runbook recommends blocking the indicator, isolating affected hosts, and resetting potentially exposed credentials. The rule maps to MITRE ATT&CK technique TA0043:T1595.001 and uses a deduplication period of 60 minutes to avoid duplicate alerts for the same indicator. The included tests illustrate scenarios such as a known malicious file hash with high severity, malicious IPs with medium detections, multiple malicious domains, benign indicators with no enrichment, and reviewed LUT matches for the same value. Reference: VirusTotal GTI. Runbook emphasizes manual verification via the GTI URL and lake-wide event correlation before containment actions. This rule is currently Disabled and labeled Experimental, but it provides a structured, enrichment-driven approach to identifying high-risk indicators in multi-source logs.
Categories
- Network
- Endpoint
Data Sources
- Network Traffic
- File
- Process
ATT&CK Techniques
- T1595.001
Created: 2026-07-07