Alerts

Digital Threat Monitoring (DTM) continuously ingests Documents from the deep and dark web to search for mentions of topics or entities that you designate in Monitors. When content in a collected Document matches the conditions that you define in one of your Monitors, an Alert is created. The new Alert is displayed in the Alerts tab of the DTM web console.

DTM provides numerous capabilities to filter and triage these Alerts to help you focus on the ones that matter most. You can update and enrich Alerts directly in the DTM web console during your investigation to further streamline response and mitigation efforts across your organization. 

Email notifications can be sent when Alerts are created or modified. For more information, see Configuring DTM Email Notifications.

Review Alerts
Filter Alerts
Triage and add analysis to alerts

Review Alerts

Click any Alert to view additional information beyond what's displayed in the Alert List. The Overview tab includes the following sections:

  • Characterization: Details about the Content, Language, Type, and Threat associated with the Alert.
  • Source Information: Information about the source Document that matched the Monitor conditions.
  • Content: Details about where matched or discovered content was found in the source Document.

Your view will vary depending on the Alert Type of the Alert you have selected.

The following workflow to review Alerts is specific to Alerts for which the Alert Type is Message. All Alerts will have a similar workflow for exploring the context surrounding where the monitored content was found in the source material. 

  1. Log into the Google Threat Intelligence platform.

  2. Click the Digital Threat Monitoring tab.

  3. Select the Overview tab.

    1. Select the Message Thread tab to view the complete message thread, with the option to Scroll to highlighted message. Red boxes highlight the Message Thread tab and a link to Scroll to highlighted message.
  4. Click the Raw Text View tab to view specific identifiers that have been located throughout the document.

    1. Matched in Content lets you highlight the section of the content where text specified in the Monitor conditions has been detected. Click each term to highlight it within the content.
    2. Discovered in Content shows additional identifiers that were discovered in the Document. Click each term to highlight it within the content.A red box highlights the Raw Text View tab, the selected matched word in the Alert content, and terms in Discovered content
  5. Click the Entities tab to obtain a consolidated view of all the entities that were either matched or discovered in the Document. The table also displays the following:

    • IC-Score: If available, the Indicator Confidence Score (IC-Score) of the entity is listed. For more information, see Understanding IC-Score.

    • Type: The matched topic or entity name of each entity is shown. For more information, see DTM Monitor & Research Tools Fields.

    • Matched: Indicates whether the entity was matched to the Monitor conditions:

      • Yes: The entity explicitly matched a condition defined in a Monitor.

      • No: The entity didn't match a Monitor condition but was discovered in the Document as a known Entity or Topic identifier.Red boxes highlight IC-Score and Type columns.

        The Entities tab header displays the total count of entities present in the document.

  6. The raw JSON can be downloaded for external use. To download, select the Raw (JSON) tab, then click Download.

    To help read raw-JSON interactively, the Fold line option is provided to collapse JSON objects if desired.

    Red boxes highlight the Raw (JSON) tab, the Download button, and the Fold Line option.

Filter Alerts

DTM provides several ways to help you filter out extraneous Alerts and focus only on Alerts of interest: 

  1. Log into the Google Threat Intelligence platform.

  2. Select the Digital Threat Monitoring tab.

  3. Select the Alerts tab.

    • Optional: Specify a time period to be applied to all additional filters.

    • Enter a search query in the Add a Filter bar.

      Lucene syntax is supported for search queries. For more information, see Lucene Queries in DTM.

    • Select filters from the nested Filter By menu in the Add a Filter bar.

    • Select one or more filter checkboxes in the Filters pane.

  4. Click Clear All to remove all filters.

  5. Click Save to make the new filtered view your default view upon login.

Filter descriptions

The Filters pane displays all available filters and subfilters at a glance:

  • Status: Filter Alerts based on their status within the broader categories of Open or Closed.

    • Open: Alerts that are new or currently being worked.

      • Escalated: An analyst has completed their investigation of the Alert and escalated to the Customer, a third party, or another Google Threat Intelligence organization for further action.

        Alerts that have been updated with an Analysis are automatically given a status of Escalated. For more information, see Add Analysis.

      • In Progress: The Alert is actively being triaged.

      • New: The Alert has not been viewed and therefore no triage has been performed.

      • Read: The Alert has been viewed but no additional action has been logged.

        This status is automatically applied when a New Alert has been opened by any user.

    • Closed: Alerts that have been triaged and require no further action. 

      • Resolved: The Alert has been triaged and the underlying cause has been addressed.

        This status will be applied to all Alerts that were marked Closed in previous releases of DTM.

      • No Action Required: The Alert has been reviewed and explicitly determined to require no action.

      • Duplicate: The Alert is duplicative of another Alert that is already being investigated.

      • Not Relevant: The Alert is valid based on matched Monitor conditions but is not a cause for concern and requires no action.

      • Tracked Externally: The Alert is being triaged in another system outside of DTM.

  • Attributes: Filter based on Alert-specific properties that can be manually enabled to aid in further investigation or mitigation efforts.

    • Flagged: Alerts selected for follow-up using the Flag for follow-up feature.
    • Has Analysis: Alerts that have been reviewed by an analyst.
  • Severity: Filter Alerts according to their Severity (High, Medium, or Low). Severity scoring models combine data science and Google Threat Intelligence expertise to help you prioritize response efforts and resources. The Severity score identifies how urgently actionable an alert is based on factors such as the following:

    • Degree of potential damage
    • Ease and likelihood of exploitation
    • Number of false positives in a typical environment
  • Alert Type: Filter on Alert Type, which is based on the type of source Document that matched a Monitor condition.

    • Compromised Credentials: Specific user account logins and passwords detected in compromised credentials data collected from the deep and dark web.
    • Domain Discovery: Newly registered domains detected in open source DNS record databases such as WhoisDS and ZoneFiles.
    • Forum Posts: Posts in cybersecurity forums on the deep and dark web.
    • Messages: Chat messages in cybersecurity groups using messaging services such as Telegram.
    • Pastes: Content that is pasted to websites that let users store and share plain text data such as code snippets, configuration files, or scripts.
    • Shop Listings: Items for sale on the deep and dark web, especially stolen payment cards and known hosts for attacker access.
    • Tweets: Messages from the Twitter microblogging site with a focus on cybersecurity relevance.
    • Web Content: Cybersecurity-based information collected from the open internet.
  • Monitors: Filter Alerts based on specific Monitors that you've created.

Triage and add analysis to alerts

DTM offers numerous features to update Alerts during your investigation to streamline response, mitigation, and auditing efforts.

The following capabilities can be performed in the Alerts List view or by selecting specific Alerts and updating each directly:

  • Flag Alerts
  • Bulk Edit Alerts
  • Add tags to Alerts

The following capabilities can only be performed by selecting specific Alerts and updating each directly:

  • Add Analysis
  • View History

Flag Alerts

This feature lets you flag Alerts for easy reference or to be filtered for later follow up. Click Flag for follow-up to designate Alerts for follow up.Working with alerts flag

Bulk Edit Alerts

This feature streamlines Alert triage by letting you update the status of multiple Alerts at the same time. Select the Alerts to be updated and click Mark Selected As to update the status of all designated Alerts simultaneously.

Working with alerts bulk edit

Add Tags to Alerts

Tags are an simple way to correlate associated Alerts for easy reference, either by searching or filtering Alerts. Add tags to Alerts by clicking New Tag. Enter a tag name to create a new tag, or select from the list of existing tags.Working with alerts add tag

Tags can be used to filter Alerts by selecting Tags from the Filter By drop-down in the Add a Filter bar.Working with alerts bulk edit

Add an Analysis to an Alert

This feature lets you share additional information about the Alert and capture ongoing work to streamline the triage process.  Perform the following workflow to add an Analysis to an Alert.

  1. Select an Alert from Alerts List.

  2. Choose Add Analysis from the Actions drop-down.Working with alerts add analysis

  3. An Analysis tab will automatically be added to the Alert.

  4. Enter the Intelligence Analysis details using plain text or Markdown syntax.

    A preview of the rendered Markdown will appear next to the Intelligence Analysis text field.

  5. Include Attachments as needed.

    • There is a limit of five attachments per analysis.
    • Supported file types include: .doc, .docx, .xls, .xlsx, .pdf, .jpg, .png, .zip, .csv, or .txt files.
    • Maximum file size is 10 MB.
  6. Click Save.Working with alerts analysis tab
    The following characteristics are applied to the Alert once an Analysis is added:

  • The Alert is included in filter results when the Attribute > Has Analysis filter is selected.
  • The status of the Alert is automatically updated to Open > Escalated.
  • There is no built-in viewer for attachments, so they can only be viewed by downloading them and opening them in your viewer of choice.
  • Any user in your DTM org can update or delete an Analysis by clicking Update Analysis.Working with alerts update analysis

View History of an Alert

DTM provides a clear audit trail of all modifications to an Alert. Perform the following workflow to view the history of updates to an Alert.

  1. Select an Alert from Alerts List.
  2. Choose View History from the Actions drop-down.Working with alerts view history
  3. The Alert History modal is displayed, showing the date and timestamp for any of the following modification types and the user that made the changes:
    • Status updates
    • Addition or removal of tags
    • Addition, update, or deletion of an Analysis