What Changed

Four threat hunting analytic rules and corresponding hunting queries were updated to add MITRE ATT&CK tactics and techniques, plus parser function modernization.

Detection Logic

The analytic rules target threat intelligence correlation across multiple data sources:

  • Domain/IP/URL rules: Join network traffic (CommonSecurityLog, imDnsActivity, UrlClickEvents) against Google Threat Intelligence indicators in ThreatIntelligenceIndicator table
  • Hash rule: Uses _Im_FileEvent (modernized from imFileEvent) to correlate file hashes against threat intelligence
  • Core logic requires active indicators whose validity window has not lapsed (isnull(ValidUntil) or ValidUntil > now(), i.e. no expiry set, or an expiry still in the future)
  • Entity types mapped include IP addresses, domains, URLs, and file hashes
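As an added illustration of the correlation pattern described above (not the PR's own query), the shape of the domain rule in KQL: keep only active, unexpired indicators, deduplicate them, and join them against imDnsActivity lookups; it also adds a check, beyond what the page describes, that the lookup itself happened before the indicator expired. Only ThreatIntelligenceIndicator, imDnsActivity and the ValidUntil condition come from the page; every other column name is an assumption to verify against the workspace schema.

```kql
// Illustrative query for the domain rule; not the PR's own query.
// Columns marked ASSUMED are not named in the change summary.
let dt_lookBack  = 1h;   // window of DNS activity to inspect
let ioc_lookBack = 14d;  // how far back to pull indicators
let indicators = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack)
    // validity check from the summary: no expiry set, or expiry still in the future
    | where isnull(ValidUntil) or ValidUntil > now()
    | where Active == true                      // ASSUMED column
    | where isnotempty(DomainName)               // ASSUMED column: domain observable
    // indicators are re-ingested when updated; keep only the latest copy of each
    | summarize arg_max(TimeGenerated, *) by IndicatorId   // ASSUMED column
    | extend ti_domain = tolower(DomainName);   // KQL joins are case-sensitive
indicators
| join kind=innerunique (
    imDnsActivity
    | where TimeGenerated >= ago(dt_lookBack)
    | where isnotempty(DnsQuery)                // ASSUMED ASIM column
    | extend ti_domain = tolower(DnsQuery),
             DNS_TimeGenerated = TimeGenerated  // keep event time distinct from indicator time
) on ti_domain
// drop matches where the lookup happened after the indicator had already expired
| where isnull(ValidUntil) or DNS_TimeGenerated < ValidUntil
| project DNS_TimeGenerated, SrcIpAddr, DvcHostname, DnsQuery,          // ASSUMED ASIM columns
          IndicatorId, ThreatType, ConfidenceScore, Description, ValidUntil  // ASSUMED TI columns
```

The same skeleton serves the IP, URL and hash rules by swapping the indicator observable and the right-hand source (CommonSecurityLog, UrlClickEvents, _Im_FileEvent) and the join key.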

MITRE Mapping

  • T1071 (Application Layer Protocol): Added to domain and IP hunting rules targeting command and control communications
  • T1566 (Phishing): Added to URL hunting rule targeting initial access vectors

Affected Files

Solutions/Google Threat Intelligence/Analytic Rules/ThreatHunting/ThreatHuntDomain.yaml
Solutions/Google Threat Intelligence/Analytic Rules/ThreatHunting/ThreatHuntHash.yaml
Solutions/Google Threat Intelligence/Analytic Rules/ThreatHunting/ThreatHuntIp.yaml
Solutions/Google Threat Intelligence/Analytic Rules/ThreatHunting/ThreatHuntUrl.yaml
Solutions/Google Threat Intelligence/Hunting Queries/ThreatHuntDomain.yaml
Solutions/Google Threat Intelligence/Hunting Queries/ThreatHuntHash.yaml
Solutions/Google Threat Intelligence/Hunting Queries/ThreatHuntIp.yaml
Solutions/Google Threat Intelligence/Hunting Queries/ThreatHuntUrl.yaml
(packaging artefacts: mainTemplate.json, createUiDefinition.json, Solution_GoogleThreatIntelligence.json)