Cyware Threat Intelligence eXchange

Google Threat Intelligence

Connector Category: API Feed Source

Notice

This integration is available in Intel Exchange from v3.7.5.3.

About Integration 

Intel Exchange integrates with Google Threat Intelligence (GTI) to provide enriched threat intelligence, enabling faster and more informed investigation. This integration strengthens cybersecurity by offering contextual insights and relationships across multiple threat domains to support proactive threat detection and mitigation.

In Intel Exchange, the Google Threat Intelligence integration retrieves the following types of threat data objects:

  • Indicators of Compromise (IOCs)

  • Tools

  • Malware

  • Threat Actors

  • Threat Lists

  • Vulnerabilities

  • Campaigns

  • Reports

Use Cases 

  • Access real-time threat intelligence across multiple domains to detect emerging threats.

  • Operationalize threat data by integrating with existing security workflows for actionable intelligence.

  • Prioritize and remediate vulnerabilities identified through GTI feeds.

  • Investigate malware and tool activities identified through GTI feeds.

  • Enhance threat hunting and proactive defense strategies using comprehensive intelligence.

  • Distribute relevant threat information to teams for improved situational awareness.

Configure Google Threat Intelligence

Integrate with Google Threat Intelligence (GTI) as a feed source and start receiving threat intel in Intel Exchange. The following sections describe how to add GTI as a feed source, configure its feed channels, and test connectivity.

Configure GTI as a Feed Source

Configure Google Threat Intelligence (GTI) as an API feed source in Intel Exchange to retrieve indicators of compromise (IOCs), tools, malware, threat actors, threat lists, vulnerabilities, campaigns, and reports from GTI.

Before you Start 

  • You must have the View API Feed, View Feed Source, Create Feed Source, and Update Feed Source permissions in Intel Exchange.

  • You must have the base URL and API key of your Google Threat Intelligence account.

Steps 

To configure GTI as an API feed source in Intel Exchange, follow these steps:

  1. Go to Administration > Integration Management. In FEED SOURCES, click APIs.

  2. Click Add API Source.

  3. Search and select Google Threat Intelligence.

  4. Click Add Instance and enter the following details:

    • Instance Name: Enter a unique name to identify the instance. For example, Prod-Google Threat Intelligence.

    • Base URL: Enter the base URL of your Google Threat Intelligence instance. The default base URL is https://www.virustotal.com/api/v3.

    • API Token: Enter the API token to authenticate with Google Threat Intelligence.

    • Verify SSL: Select this to verify the SSL certificate and secure the connection between the Intel Exchange and Google Threat Intelligence servers. By default, verification is enabled.

      Note

      Enabling SSL verification is recommended. If you disable it, the instance may connect even when the Google Threat Intelligence server presents an expired SSL certificate, so the connection may not be established properly and you will not be notified of a broken or improper connection.

  5. Click Save.

After Google Threat Intelligence is configured successfully, you can view the feed channels. You can configure multiple instances by clicking Manage > Add More.

Configure GTI Feed Channels

Configure the feed channels to retrieve threat data from Google Threat Intelligence (GTI) and store it in collections within Intel Exchange.

Note

This configuration applies to all feed channels except the Threat Lists feed channel. To configure a Threat List feed channel, see Configure Threat Lists Feed Channel.

Steps 

To configure the feed channels, follow these steps:

  1. Go to Administration > Integration Management. In FEED SOURCES, click APIs.

  2. Search and select Google Threat Intelligence.

  3. Click the vertical ellipsis, and select Manage.

  4. Click Manage Feed Channels.

  5. Select a feed channel and turn on the toggle. Use the following information while configuring the channel:

    • Start Date and Time: Enter the date and time to start polling feeds. Select a date within 15 days from the current date.

    • Collection Name: Enter the name of the collection to group the feed data. For example, Google Threat Intelligence Feeds. Intel Exchange creates the collection and stores all the feeds from the feed channel.

    • Polling Cron Schedule: Select from one of the following Polling Cron Schedule types to define when to poll the data:

      • Manual: Allows you to manually poll from the source collection.

      • Auto: Allows you to automatically poll for threat intel from sources at specific time intervals. The default polling cron schedule is Auto.

    • TLP: Set the TLP for the feeds that do not have a TLP already assigned. The default TLP is Amber. Alternatively, you can select None to ensure that no TLP is assigned to the feeds.

    • Default Source Confidence: Enter the confidence score for the feeds that do not have a confidence score already assigned. The default confidence score is 100.

    • Deprecates after: Specify the number of days after which the threat data (indicator) will be marked as deprecated, unless the source defines its own expiry duration. The allowed range is 1-180 days.

    • Custom Score: Select the Relevance and Severity Score for the channel.

    • Default Tags: Select any tags to identify and categorize the feeds.

  6. Click Save.

The feed channel is configured, and you can poll feeds from the channel. You can enable the other feed channels, poll feeds from them, and view the feeds.

Configure Threat Lists Feed Channel

Configure the Threat Lists feed channel to retrieve threat lists from Google Threat Intelligence (GTI).

Steps 

To configure the feed channel, follow these steps:

  1. Go to Administration > Integration Management. In FEED SOURCES, click APIs.

  2. Search and select Google Threat Intelligence.

  3. Click the vertical ellipsis, and select Manage.

  4. Click Manage Feed Channels.

  5. Select the Retrieve Threat Lists Feed channel and turn on the toggle. Use the following information while configuring the channel:

    • Collection Name: Enter the name of the collection to group the feed data. For example, Google Threat Intelligence Feeds. Intel Exchange creates the collection and stores all the feeds from the feed channel.

    • GTI Score Threshold: Specify the minimum GTI score to filter objects.

    • AV Detection Threshold: Set the minimum number of antivirus detections required.

    • Threat Lists to be Polled: Select specific threat lists to retrieve. If none are selected, all available lists will be fetched.

    • Must have associated Malware Families: Select whether to include only indicators linked to malware families.

    • Must have associated Campaigns: Select whether to include only indicators linked to campaigns.

    • Must have associated Reports: Select whether to include only indicators linked to reports.

    • Must have associated Threat Actors: Select whether to include only indicators linked to threat actors.

    • Polling Cron Schedule: Select from one of the following Polling Cron Schedule types to define when to poll the data:

      • Manual: Allows you to manually poll from the source collection.

      • Auto: Allows you to automatically poll for threat intel from the source at specific time intervals. The default polling cron schedule is Auto.

        • Enter a frequency in minutes between 60 and 10080 in Polling Time. The default polling time is 1440 minutes.

    • TLP: Set the TLP for the feeds that do not have a TLP already assigned. The default TLP is Amber. Alternatively, you can select None to ensure that no TLP is assigned to the feeds.

    • Default Source Confidence: Enter the confidence score for the feeds that do not have a confidence score already assigned. The default confidence score is 100.

    • Deprecates after: Specify the number of days after which the threat data (indicator) will be marked as deprecated, unless the source defines its own expiry duration. The allowed range is 1-180 days.

    • Custom Score: Select the Relevance and Severity Score of the channel.

    • Default Tags: Select any tags to identify and categorize the feeds.

  6. Click Save.

The feed channel is configured, and you can poll feeds from the channel. You can enable the other feed channels, poll feeds from them, and view the feeds.
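The Threat Lists channel fields above combine two kinds of setting: filters that decide whether a polled entry is kept (GTI Score Threshold, AV Detection Threshold, Threat Lists to be Polled, the four "Must have associated" toggles) and defaults that only fill in values the source did not supply (TLP, Default Source Confidence, Deprecates after). The Python below is an added illustration of that logic, not Cyware's or Google's code. The entry shape (gti_score, av_detections, associations, optional tlp/confidence/valid_days) and the sample entries are constructed stand-ins for real GTI threat-list objects, and the 30-day deprecation value is an assumed setting within the documented 1-180 day range.

```python
"""Apply Threat Lists feed-channel settings to polled entries (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ThreatListChannelConfig:
    collection_name: str
    gti_score_threshold: int = 0
    av_detection_threshold: int = 0
    threat_lists: tuple = ()              # empty = poll all available lists
    require_malware_families: bool = False
    require_campaigns: bool = False
    require_reports: bool = False
    require_threat_actors: bool = False
    polling_time_minutes: int = 1440      # Auto schedule default from the page
    default_tlp: Optional[str] = "amber"  # None = leave TLP unassigned
    default_confidence: int = 100
    deprecates_after_days: int = 30       # assumed value within the 1-180 range

    def validate(self) -> None:
        # Ranges as stated on the page; reject a misconfiguration before polling.
        if not 60 <= self.polling_time_minutes <= 10080:
            raise ValueError("Polling Time must be between 60 and 10080 minutes")
        if not 1 <= self.deprecates_after_days <= 180:
            raise ValueError("Deprecates after must be between 1 and 180 days")


def passes_filters(entry: dict, cfg: ThreatListChannelConfig) -> bool:
    """Return True when the entry meets every threshold and association filter."""
    if entry.get("gti_score", 0) < cfg.gti_score_threshold:
        return False
    if entry.get("av_detections", 0) < cfg.av_detection_threshold:
        return False
    if cfg.threat_lists and entry.get("threat_list") not in cfg.threat_lists:
        return False
    assoc = entry.get("associations", {})
    required = {
        "malware_families": cfg.require_malware_families,
        "campaigns": cfg.require_campaigns,
        "reports": cfg.require_reports,
        "threat_actors": cfg.require_threat_actors,
    }
    # Each enabled "Must have associated ..." toggle demands a non-empty list of that kind.
    return all(assoc.get(kind) for kind, must in required.items() if must)


def normalise(entry: dict, cfg: ThreatListChannelConfig, polled_at: datetime) -> dict:
    """Fill only the gaps: a TLP, confidence or expiry supplied by the source wins."""
    expiry_days = entry.get("valid_days") or cfg.deprecates_after_days
    return {
        "indicator": entry["indicator"],
        "type": entry["type"],
        "collection": cfg.collection_name,
        "tlp": entry.get("tlp") or cfg.default_tlp,
        "confidence": entry["confidence"] if "confidence" in entry else cfg.default_confidence,
        "deprecates_at": (polled_at + timedelta(days=expiry_days)).isoformat(),
    }


def poll_threat_lists(entries: list, cfg: ThreatListChannelConfig, polled_at: datetime) -> list:
    cfg.validate()
    return [normalise(e, cfg, polled_at) for e in entries if passes_filters(e, cfg)]


# Constructed sample entries (reserved documentation addresses and names, not real IOCs).
SAMPLE_ENTRIES = [
    {"indicator": "198.51.100.23", "type": "ipv4-addr", "threat_list": "ransomware",
     "gti_score": 85, "av_detections": 12,
     "associations": {"malware_families": ["SampleFamily"], "campaigns": []}},
    {"indicator": "203.0.113.9", "type": "ipv4-addr", "threat_list": "ransomware",
     "gti_score": 40, "av_detections": 3,                  # fails the GTI score threshold
     "associations": {"malware_families": ["SampleFamily"]}},
    {"indicator": "login.example", "type": "domain-name", "threat_list": "phishing",
     "gti_score": 90, "av_detections": 20,
     "associations": {"campaigns": ["SampleCampaign"]}},   # no malware family linked
    {"indicator": "phish.example", "type": "domain-name", "threat_list": "phishing",
     "gti_score": 75, "av_detections": 6, "tlp": "green", "valid_days": 7,
     "associations": {"malware_families": ["SampleFamily"]}},
]

EXAMPLE_CONFIG = ThreatListChannelConfig(
    collection_name="Google Threat Intelligence Feeds",
    gti_score_threshold=70, av_detection_threshold=5, require_malware_families=True,
)
POLLED_AT = datetime(2024, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for obj in poll_threat_lists(SAMPLE_ENTRIES, EXAMPLE_CONFIG, POLLED_AT):
        print(obj)
```

With the example configuration, only the first and fourth entries survive: the second fails the score threshold and the third has no malware family. The fourth keeps its source-supplied TLP (green) and 7-day expiry instead of the channel defaults, which is the "unless the source defines its own" behaviour the field descriptions specify.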

Test Feed Channel Connectivity

Test the connectivity of the GTI API feed channels to ensure that the connection with the correct API endpoint is established and that you have permission to poll feeds.

Before you Start 

  • Ensure that the Google Threat Intelligence API feed source is enabled.

  • Ensure that the feed channel for which you want to test connectivity is enabled.

Steps 

To test the connectivity of a feed channel, follow these steps:

  1. Go to Administration > Integration Management. In FEED SOURCES, click APIs.

  2. Search and select the Google Threat Intelligence app.

  3. On a feed channel, click the vertical ellipsis and select View Details.

  4. In the Working Status section, click Test Connectivity.

If the connection is established, then the working status shows Running. If the connectivity is broken, then the working status shows a Connection Error. Hover over the tooltip next to Connection Error to view the error code. 

Note

When a feed channel loses connectivity, it is automatically disabled, and the system attempts to restore connectivity three times every hour. If the connectivity is successfully restored, the feed channel is automatically re-enabled.

To understand the error code and troubleshoot broken connectivity, see Troubleshoot Integrations.

Google Threat Intelligence Feed Channels

The following lists each feed channel with the primary API endpoint and the related-objects endpoints used to retrieve feeds from Google Threat Intelligence. {{base_url}} is the Base URL configured for the instance.

Retrieve IOC Stream Feeds

  • Primary API Endpoint: {{base_url}}/ioc_stream

  • Related Objects Endpoint: NA

  • Comments: NA

Retrieve Tool Feeds

  • Primary API Endpoint: {{base_url}}/collections?filter=collection_type:software-toolkit

  • Related Objects Endpoints: collections/{id}/{relationship} and collections/{id}/mitre_tree

  • Comments: Fetches objects and attack patterns related to the tool. Allowed values for {relationship}: associations, domains, files, ip_addresses, and urls.

Retrieve Malware Feeds

  • Primary API Endpoint: {{base_url}}/collections?filter=collection_type:malware-family

  • Related Objects Endpoints: collections/{id}/{relationship} and collections/{id}/mitre_tree

  • Comments: Fetches objects and attack patterns related to the malware. Allowed values for {relationship}: associations, domains, files, ip_addresses, and urls.

Retrieve Threat Actors Feeds

  • Primary API Endpoint: {{base_url}}/collections?filter=collection_type:threat-actor

  • Related Objects Endpoints: collections/{id}/{relationship} and collections/{id}/mitre_tree

  • Comments: Fetches objects and attack patterns related to the threat actor. Allowed values for {relationship}: associations, domains, files, ip_addresses, urls, and suspected_threat_actors.

Retrieve Threat Lists Feeds

  • Primary API Endpoint: {{base_url}}/threat_lists/{threat_list_id}/{time}

  • Related Objects Endpoint: NA

  • Comments: NA

Retrieve Vulnerability Feeds

  • Primary API Endpoint: {{base_url}}/collections?filter=collection_type:vulnerability

  • Related Objects Endpoints: collections/{id}/{relationship} and collections/{id}/mitre_tree

  • Comments: Fetches objects and attack patterns related to the vulnerability. Allowed values for {relationship}: associations, domains, files, ip_addresses, and urls.

Retrieve Campaigns Feeds

  • Primary API Endpoint: {{base_url}}/collections?filter=collection_type:campaign

  • Related Objects Endpoints: collections/{id}/{relationship} and collections/{id}/mitre_tree

  • Comments: Fetches objects and attack patterns related to the campaign. Allowed values for {relationship}: associations, domains, files, ip_addresses, and urls.

Retrieve Report Feeds

  • Primary API Endpoint: {{base_url}}/collections?filter=collection_type:report

  • Related Objects Endpoints: collections/{id}/{relationship} and collections/{id}/mitre_tree

  • Comments: Fetches objects and attack patterns related to the report. Allowed values for {relationship}: associations, domains, files, ip_addresses, and urls.
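The endpoint list above describes a two-stage poll: the primary endpoint lists collections of one collection_type, then each collection's related objects are pulled through the {relationship} endpoints and mitre_tree. The Python below is an added example of building and walking that request plan; it is not Cyware's or Google's client code. The endpoints, collection_type filters and relationship names are taken from the list above, the x-apikey header is the VirusTotal v3 API-key header, and the sample responses and the offline fetcher are constructed for this example (the file id is a placeholder, and TA0002 is a real ATT&CK tactic id used only as sample data).

```python
"""Build and walk the GTI request plan for one feed channel (added example)."""
from urllib.parse import quote

COLLECTION_TYPE = {
    "Retrieve Tool Feeds": "software-toolkit",
    "Retrieve Malware Feeds": "malware-family",
    "Retrieve Threat Actors Feeds": "threat-actor",
    "Retrieve Vulnerability Feeds": "vulnerability",
    "Retrieve Campaigns Feeds": "campaign",
    "Retrieve Report Feeds": "report",
}
BASE_RELATIONSHIPS = ("associations", "domains", "files", "ip_addresses", "urls")
RELATIONSHIPS = {channel: BASE_RELATIONSHIPS for channel in COLLECTION_TYPE}
# Only the threat-actor channel exposes suspected_threat_actors.
RELATIONSHIPS["Retrieve Threat Actors Feeds"] = BASE_RELATIONSHIPS + ("suspected_threat_actors",)


class GTIRequestPlanner:
    def __init__(self, api_token, base_url="https://www.virustotal.com/api/v3", verify_ssl=True):
        self.base_url = base_url.rstrip("/")
        self.headers = {"x-apikey": api_token, "accept": "application/json"}
        self.verify_ssl = verify_ssl  # keep True: disabling it hides expired or bad certificates

    def primary_endpoint(self, channel):
        if channel == "Retrieve IOC Stream Feeds":
            return f"{self.base_url}/ioc_stream"
        if channel not in COLLECTION_TYPE:
            raise ValueError(f"unknown or unsupported feed channel: {channel}")
        return f"{self.base_url}/collections?filter=collection_type:{COLLECTION_TYPE[channel]}"

    def threat_list_endpoint(self, threat_list_id, time):
        return f"{self.base_url}/threat_lists/{quote(threat_list_id, safe='')}/{quote(str(time), safe='')}"

    def related_endpoints(self, channel, collection_id):
        """The {relationship} endpoints plus mitre_tree for one collection id.
        The id is percent-encoded so a value taken from an upstream response
        cannot alter the request path."""
        cid = quote(collection_id, safe="")
        urls = [f"{self.base_url}/collections/{cid}/{rel}" for rel in RELATIONSHIPS[channel]]
        urls.append(f"{self.base_url}/collections/{cid}/mitre_tree")
        return urls


def expand_channel(planner, channel, fetch):
    """List the channel's collections, then pull each collection's related objects.
    fetch(url, headers, verify_ssl) -> dict is injected so the walk runs offline."""
    listing = fetch(planner.primary_endpoint(channel), planner.headers, planner.verify_ssl)
    expanded = {}
    for obj in listing.get("data", []):
        cid = obj["id"]
        expanded[cid] = {
            url.rsplit("/", 1)[1]: fetch(url, planner.headers, planner.verify_ssl)
            for url in planner.related_endpoints(channel, cid)
        }
    return expanded


# Constructed sample responses keyed by URL; no real collection or file ids.
_BASE = "https://www.virustotal.com/api/v3"
SAMPLE_RESPONSES = {
    f"{_BASE}/collections?filter=collection_type:malware-family": {"data": [{"id": "malware--sample-1"}]},
    f"{_BASE}/collections/malware--sample-1/files": {"data": [{"type": "file", "id": "<placeholder-sha256>"}]},
    f"{_BASE}/collections/malware--sample-1/mitre_tree": {"data": {"tactics": ["TA0002"]}},
}


def fake_fetch(url, headers, verify_ssl):
    """Offline stand-in for an HTTP GET; rejects a missing token like an auth failure would."""
    if not headers.get("x-apikey"):
        raise PermissionError("API token not set")
    return SAMPLE_RESPONSES.get(url, {"data": []})


if __name__ == "__main__":
    planner = GTIRequestPlanner(api_token="example-token")
    for cid, related in expand_channel(planner, "Retrieve Malware Feeds", fake_fetch).items():
        print(cid, {rel: bool(resp["data"]) for rel, resp in related.items()})
```

Walking one malware-family collection costs one listing request plus six related-object requests (five relationships and mitre_tree); the threat-actor channel costs seven per collection because of suspected_threat_actors. That request count is worth keeping in mind when choosing the Polling Time for a channel, since every collection returned by the primary endpoint is expanded on each poll.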