IoC Matches

On Google SecOps Enterprise tiers, ELLIO indicators participate in built-in IoC matching: when any ingested event touches an active ELLIO IP, the match surfaces in the IoC Matches view - with no detection rules required. The ELLIO entities carry the full IoC shape (the indicator, a finite validity window, and the threat block), so this works out of the box once the SIEM integration is running.

An ELLIO IoC match: malicious classification, ELLIO: Threat Intelligence source, High confidence

| IoC Matches field | From the ELLIO entity |
| --- | --- |
| Feed / sources | ELLIO: Threat Intelligence (or the feed name you configured) |
| Categories | the verdict and behavior labels - classification:malicious, cve:..., tag:... |
| Confidence | High for classified verdicts (malicious / promiscuous / benign), Low for unknown |
| Severity | shows [n/a] in the IoC Matches view for entity-feed IoCs; severity travels on the entity itself and on the detection-rule alerts |
| First / last seen | when the matching traffic was observed in your tenant |
| Assets | which of your assets touched the indicator |

IoC matching honors the indicator’s validity window: when an IP drops off ELLIO’s active set, its lease expires within days and it stops producing matches. You never accumulate matches against stale intelligence.

  • Benign indicators match too. If you send the benign classification, known-good IPs can produce INFORMATIONAL-severity matches - informative (“this IP is ELLIO-verified good”), but if you prefer silence, simply exclude benign from the feed in ELLIO Platform’s classification selection.
  • IoC Matches complements the detection rules: matches give you passive coverage of everything; the rules add severity grading, correlation (allowed / callback), and alerting.
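As an added illustration (not ELLIO's or Google SecOps' own code), the sketch below models the matching behaviour described above: an indicator matches only inside its validity window, Confidence derives from the verdict, first/last seen and Assets accumulate from the matching events, and benign can be excluded. The entity fields, IPs, timestamps and events are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Indicator:                 # one ELLIO-style IP entity: indicator, verdict, window, labels
    ip: str
    classification: str          # malicious / promiscuous / benign / unknown
    valid_from: datetime
    valid_until: datetime
    labels: tuple = ()           # e.g. ("tag:scanner",)

def confidence(classification):
    """High for a classified verdict, Low for unknown, as the field table states."""
    return "High" if classification in {"malicious", "promiscuous", "benign"} else "Low"

def match_events(indicators, events, now, include_benign=True):
    """Return {ip: match} for events whose src/dst IP hits an indicator inside its window."""
    index = {i.ip: i for i in indicators
             if i.valid_from <= now < i.valid_until          # expired leases never match
             and (include_benign or i.classification != "benign")}
    matches = {}
    for ev in events:
        for field in ("src_ip", "dst_ip"):
            if ind := index.get(ev.get(field)):     # an event may touch the IP either way
                m = matches.setdefault(ind.ip, {
                    "confidence": confidence(ind.classification),
                    "categories": ("classification:" + ind.classification,) + ind.labels,
                    "first_seen": ev["ts"], "last_seen": ev["ts"], "assets": set()})
                m["first_seen"] = min(m["first_seen"], ev["ts"])
                m["last_seen"] = max(m["last_seen"], ev["ts"])
                m["assets"].add(ev["asset"])
    return matches

# Constructed sample data: documentation-range IPs, not real ELLIO indicators.
def ts(s): return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)
NOW = ts("2024-05-10T12:00")
INDICATORS = [
    Indicator("198.51.100.7", "malicious", ts("2024-05-01T00:00"), ts("2024-05-15T00:00"), ("tag:scanner",)),
    Indicator("198.51.100.9", "unknown", ts("2024-05-01T00:00"), ts("2024-05-15T00:00")),
    Indicator("203.0.113.5", "benign", ts("2024-05-01T00:00"), ts("2024-05-15T00:00")),
    Indicator("203.0.113.99", "malicious", ts("2024-04-01T00:00"), ts("2024-04-10T00:00")),  # lease expired
]
EVENTS = [
    {"ts": ts("2024-05-10T09:00"), "asset": "web-01", "src_ip": "198.51.100.7", "dst_ip": "10.0.0.5"},
    {"ts": ts("2024-05-10T11:30"), "asset": "vpn-gw", "src_ip": "198.51.100.7", "dst_ip": "10.0.0.9"},
    {"ts": ts("2024-05-10T10:00"), "asset": "web-02", "src_ip": "198.51.100.9", "dst_ip": "10.0.0.5"},
    {"ts": ts("2024-05-10T10:05"), "asset": "mail-01", "src_ip": "10.0.0.7", "dst_ip": "203.0.113.5"},
    {"ts": ts("2024-05-10T10:10"), "asset": "web-01", "src_ip": "203.0.113.99", "dst_ip": "10.0.0.5"},
]
```

Running `match_events(INDICATORS, EVENTS, NOW)` yields matches for the malicious, unknown and benign IPs only; the expired indicator produces nothing, and `include_benign=False` drops the benign match as the classification-selection note above describes.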