IoC Matches
On Google SecOps Enterprise tiers, ELLIO indicators participate in built-in IoC matching: when any ingested event touches an active ELLIO IP, the match surfaces in the IoC Matches view - with no detection rules required. The ELLIO entities carry the full IoC shape (the indicator, a finite validity window, and the threat block), so this works out of the box once the SIEM integration is running.

What a match carries

| IoC Matches field | From the ELLIO entity |
|---|---|
| Feed / sources | ELLIO: Threat Intelligence (or the feed name you configured) |
| Categories | the verdict and behavior labels - classification:malicious, cve:..., tag:... |
| Confidence | High for classified verdicts (malicious / promiscuous / benign), Low for unknown |
| Severity | shows [n/a] in the IoC Matches view for entity-feed IoCs; severity travels on the entity itself and on the detection-rule alerts |
| First / last seen | when the matching traffic was observed in your tenant |
| Assets | which of your assets touched the indicator |

Expiry is automatic

IoC matching honors the indicator’s validity window: when an IP drops off ELLIO’s active set, its lease expires within days and it stops producing matches. You never accumulate matches against stale intelligence.

- Benign indicators match too. If you send the benign classification, known-good IPs can produce INFORMATIONAL-severity matches - informative (“this IP is ELLIO-verified good”), but if you prefer silence, simply exclude benign from the feed in ELLIO Platform’s classification selection.
- IoC Matches complements the detection rules: matches give you passive coverage of everything; the rules add severity grading, correlation (allowed / callback), and alerting.
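The following Python model is an added illustration of the matching behaviour described above; it is not code from ELLIO or from Google SecOps, which performs the matching internally. It shows how an ELLIO entity's validity window, classification and tags map onto the IoC Matches columns (categories, confidence, first/last seen, assets), why an expired lease stops producing matches, and what excluding the benign classification does. All indicator IPs, tags, assets and events are constructed sample data; the class and function names are assumptions chosen for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed reference point for the sample validity windows and events.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)


def day(n: int) -> datetime:
    return T0 + timedelta(days=n)


@dataclass(frozen=True)
class EllioIndicator:
    """One ELLIO IP entity: indicator, finite validity window, verdict and tags."""
    ip: str
    classification: str          # malicious / promiscuous / benign / unknown
    tags: tuple                  # behaviour labels, e.g. "tag:..." or "cve:..."
    valid_from: datetime
    valid_until: datetime        # lease end: no matches after this point

    def categories(self) -> list:
        # Categories column: the verdict plus the behaviour labels.
        return [f"classification:{self.classification}", *self.tags]

    def confidence(self) -> str:
        # High for classified verdicts, Low for unknown (as the table above states).
        return "High" if self.classification in ("malicious", "promiscuous", "benign") else "Low"

    def active_at(self, ts: datetime) -> bool:
        return self.valid_from <= ts < self.valid_until


@dataclass
class IocMatch:
    """One row of the IoC Matches view (severity is omitted: it shows [n/a] there)."""
    ip: str
    categories: list
    confidence: str
    first_seen: datetime         # first observation of the traffic in the tenant
    last_seen: datetime
    assets: set = field(default_factory=set)


def match_events(indicators, events, include_benign=True):
    """Passive IoC matching over (timestamp, src_ip, dst_ip, asset) events.

    A match is produced only while the indicator's lease is active, and benign
    indicators are skipped when the feed excludes the benign classification.
    """
    by_ip = {ind.ip: ind for ind in indicators}
    matches = {}
    for ts, src_ip, dst_ip, asset in events:
        for ip in (src_ip, dst_ip):
            ind = by_ip.get(ip)
            if ind is None or not ind.active_at(ts):
                continue                      # unknown IP, or lease already expired
            if ind.classification == "benign" and not include_benign:
                continue                      # feed configured without benign
            m = matches.get(ip)
            if m is None:
                matches[ip] = IocMatch(ip, ind.categories(), ind.confidence(), ts, ts, {asset})
            else:
                m.first_seen = min(m.first_seen, ts)
                m.last_seen = max(m.last_seen, ts)
                m.assets.add(asset)
    return matches


# Constructed sample feed (TEST-NET ranges) and constructed tenant events.
SAMPLE_INDICATORS = [
    EllioIndicator("203.0.113.10", "malicious", ("tag:ssh-bruteforce",), day(0), day(10)),
    EllioIndicator("198.51.100.7", "unknown", (), day(0), day(10)),
    EllioIndicator("192.0.2.5", "benign", ("tag:cdn",), day(0), day(10)),
    EllioIndicator("203.0.113.99", "malicious", (), day(0), day(1)),   # lease expired on day 1
]
SAMPLE_EVENTS = [
    (day(2), "10.0.0.11", "203.0.113.10", "ws-01"),
    (day(3), "10.0.0.12", "203.0.113.10", "ws-02"),
    (day(2), "10.0.0.11", "203.0.113.99", "ws-01"),   # stale indicator: no match
    (day(2), "10.0.0.20", "198.51.100.7", "srv-01"),
    (day(2), "10.0.0.13", "192.0.2.5", "ws-03"),
]


def run_sample(include_benign=True):
    return match_events(SAMPLE_INDICATORS, SAMPLE_EVENTS, include_benign)


if __name__ == "__main__":
    for m in run_sample().values():
        print(m.ip, m.confidence, m.categories, sorted(m.assets), m.first_seen.date(), m.last_seen.date())
```

Running the sample yields three match rows: the malicious IP (High confidence, two assets, first seen on day 2 and last seen on day 3), the unknown IP (Low confidence) and the benign IP; the indicator whose lease ended on day 1 produces nothing. Calling `run_sample(include_benign=False)` drops the benign row, which is the effect of excluding benign in the ELLIO Platform classification selection.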