Google Threat Intelligence
Connector Category: Enrichment Tools
Notice
This integration is available in Intel Exchange starting v3.7.5.3 onwards.
About Integration
Intel Exchange integrates with Google Threat Intelligence (GTI) to enrich domains, IPs, URLs, hashes, and vulnerabilities. This integration adds contextual threat intelligence from GTI, helping you understand the relevance, severity, and relationships of the enriched indicators. With enriched context, analysts can make faster, more informed decisions during threat investigation and response.
Use Cases
Gain real-time visibility into known malicious indicators and their associated threat context.
Correlate enriched indicators across data sources to uncover connections with threat actors, malware, and campaigns.
Identify and assess vulnerabilities using GTI's intelligence to prioritize remediation efforts effectively.
Enhance the accuracy of threat analysis by leveraging GTI's comprehensive enrichment data.
You can enrich Indicator (Domain, IP, URL, Hash) and Vulnerability threat data objects using the Google Threat Intelligence integration in Intel Exchange.
Configure Google Threat Intelligence as an Enrichment Tool
Configure Google Threat Intelligence (GTI) in Intel Exchange to enrich threat data objects.
Before you Start
Ensure that you have the Base URL and API key of your Google Threat Intelligence account.
Ensure that your user group has Create, Update, and View permissions for enrichment tools and their associated policies in Intel Exchange.
Steps
To configure Google Threat Intelligence (GTI) as an enrichment tool in Intel Exchange, follow these steps:
Sign in to Intel Exchange and go to Administration > Enrichment Management > Enrichment Tools.
Search and select Google Threat Intelligence.
Click Add Account and use the following information:
Account Name: Enter a unique account name to identify the instance. For example, Google Threat Intelligence-Prod.
Base URL: Enter the base URL to directly connect to the application's server. For example, https://www.virustotal.com/api/v3.
API Key: Enter the API key from your Google Threat Intelligence account to authenticate communication between the Intel Exchange and Google Threat Intelligence servers.
Verify SSL: Select Verify SSL to verify the SSL certificate and secure the connection between Intel Exchange and Google Threat Intelligence servers. By default, Verify SSL is selected.
Note
It is recommended that you enable Verify SSL. If you disable this option, Intel Exchange may configure an instance against an expired SSL certificate; the connection may then not be established properly, and Intel Exchange will not be able to notify you of a broken or improper connection.
Click Save.
After you save the account, you can use Google Threat Intelligence to enrich Indicator (Domain, IP, URL, Hash) and Vulnerability threat data objects.
Enable Google Threat Intelligence Type
After successfully adding an account, you can view and enable the Google Threat Intelligence feed enrichment type.
Configure Enrichment Quota
You can also configure a quota to define a limit on the number of enrichment requests Intel Exchange makes to Google Threat Intelligence. After the quota is exhausted, you cannot make enrichment requests until the quota resets for the next quota duration. For more information, see Define Quota in Configure Enrichment Tools.
The following table shows the number of API calls and quota units consumed by the Google Threat Intelligence enrichment tool for each enrichment:
| Enrichment Tool | Feed Enrichment Type | Number of API calls | Quota Consumed |
|---|---|---|---|
| Google Threat Intelligence | Retrieve Domain Detail | 1 | 1 |
| Google Threat Intelligence | Retrieve IP Detail | 1 | 1 |
| Google Threat Intelligence | Retrieve Vulnerability Detail | 1 | 1 |
| Google Threat Intelligence | Retrieve Hash Detail | 1 | 1 |
| Google Threat Intelligence | Retrieve URL Detail | 1 | 1 |
You can configure an enrichment policy to automatically enrich threat data objects using the Google Threat Intelligence enrichment tool. For more information, see Enrichment Policy.
Enrich Threat Data Object
You can use Google Threat Intelligence to enrich Indicator (Domain, IP, URL, Hash) and Vulnerability threat data objects with verdicts, and contextual threat intelligence to support faster and more accurate investigations.
To enrich a threat data object using Google Threat Intelligence, follow these steps:
Go to Main Menu > Collection > Threat Data and filter threat data objects by Indicator object type.
Select the object you want to enrich.
Note
Google Threat Intelligence supports enrichment only for MD5, SHA1, and SHA256 hash indicator types.
In the Enrichment tab, select Google Threat Intelligence under Enrichment Details, then click Enrich.
You can view the enrichment details in Enrichment Payload. You can also click Re-Enrich to enrich the threat data object again.
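The following is an added illustration, not Intel Exchange or Google code, of how the account settings (Base URL, API Key, Verify SSL), the one-unit-per-enrichment quota table, and the MD5/SHA1/SHA256-only hash restriction fit together in a minimal enrichment client. The `x-apikey` header and the `/domains`, `/ip_addresses`, `/urls` and `/files` paths are the documented VirusTotal v3 endpoints behind the example Base URL; the vulnerability path, the `GtiEnricher` class, the `send` hook and the stub response are assumptions made for this example.

```python
import base64
import json
import re
import ssl
import urllib.request
from typing import Callable, Dict, Optional

# Quota units per enrichment type, matching the page's quota table (one unit each).
QUOTA_UNITS = {"domain": 1, "ip": 1, "url": 1, "hash": 1, "vulnerability": 1}

# Only MD5, SHA1 and SHA256 hash indicators are supported for enrichment.
_HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX = re.compile(r"^[0-9a-fA-F]+$")


def hash_type(value: str) -> Optional[str]:
    """Return 'md5', 'sha1' or 'sha256' for a supported hash, else None."""
    if not _HEX.match(value):
        return None
    return _HASH_LENGTHS.get(len(value))


def url_id(url: str) -> str:
    """VirusTotal v3 URL identifier: unpadded base64url of the URL string."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


def endpoint_path(kind: str, value: str) -> str:
    """Map an Intel Exchange indicator kind to the API path queried for it."""
    if kind == "domain":
        return f"/domains/{value}"
    if kind == "ip":
        return f"/ip_addresses/{value}"
    if kind == "url":
        return f"/urls/{url_id(value)}"
    if kind == "hash":
        if hash_type(value) is None:
            raise ValueError("only MD5, SHA1 and SHA256 hashes are supported")
        return f"/files/{value.lower()}"
    if kind == "vulnerability":
        # Assumption for this example: GTI exposes CVEs as 'vulnerability--<CVE>'
        # collections. Confirm the exact identifier form against your API docs.
        return f"/collections/vulnerability--{value.upper()}"
    raise ValueError(f"unsupported indicator kind: {kind}")


class QuotaExceeded(Exception):
    """Raised when an enrichment would exceed the configured quota."""


class GtiEnricher:
    """Hypothetical client tying together Base URL, API key, Verify SSL and quota."""

    def __init__(self, base_url: str, api_key: str, quota: int,
                 verify_ssl: bool = True,
                 send: Optional[Callable[[str, Dict[str, str]], dict]] = None):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key
        self.quota = quota
        self.used = 0
        self.verify_ssl = verify_ssl
        # 'send' is injectable so the example runs offline; default is real HTTPS.
        self.send = send or self._http_get

    def _http_get(self, url: str, headers: Dict[str, str]) -> dict:
        ctx = ssl.create_default_context()
        if not self.verify_ssl:
            # Mirrors disabling Verify SSL: certificate problems go unnoticed.
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.load(resp)

    def remaining(self) -> int:
        return self.quota - self.used

    def enrich(self, kind: str, value: str) -> dict:
        cost = QUOTA_UNITS[kind]
        if self.used + cost > self.quota:
            raise QuotaExceeded(f"quota of {self.quota} units exhausted")
        path = endpoint_path(kind, value)  # validate before charging the quota
        self.used += cost
        headers = {"x-apikey": self.api_key, "accept": "application/json"}
        return self.send(self.base_url + path, headers)


def demo() -> dict:
    """Offline run with a stub transport; returns what the quota logic did."""
    calls = []

    def stub_send(url: str, headers: Dict[str, str]) -> dict:
        calls.append(url)
        return {"data": {"id": "constructed-stub"}}  # constructed sample response

    client = GtiEnricher("https://www.virustotal.com/api/v3", "EXAMPLE-API-KEY",
                         quota=2, send=stub_send)
    client.enrich("domain", "example.com")
    client.enrich("hash", "d41d8cd98f00b204e9800998ecf8427e")
    try:
        client.enrich("ip", "203.0.113.5")
        blocked = False
    except QuotaExceeded:
        blocked = True
    return {"calls": calls, "remaining": client.remaining(), "blocked": blocked}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because the path is resolved before the quota is charged, a rejected hash (for example a SHA512) costs nothing, matching the table's one unit per successful enrichment request; the `verify_ssl=False` branch exists only to show what the page warns about, and the default keeps certificate verification on.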