Google Threat Intelligence sources, such as Mandiant and VirusTotal, can be integrated with the Resolution Intelligence Cloud. You choose either Mandiant or VirusTotal as the source from which threat intelligence data is ingested.
A scheduled job pushes the latest threat intelligence from the selected source to Chronicle, so the indicator set Chronicle matches against stays current. In Chronicle, that intelligence is applied through detection rules written in YARA-L, Chronicle's rule language for identifying and classifying malware and other security threats in telemetry data.
These rules describe patterns of malicious behavior or indicators of compromise (IOCs), such as IP addresses, domains and file hashes, and Chronicle evaluates incoming telemetry against them. A rule match indicates a potential security threat based on known threat intelligence; it is a lead to be validated, not a confirmed compromise.
The resulting detections are forwarded to the Resolution Intelligence Cloud, where they are analyzed further, correlated with other signals, and acted on through automated or manual response actions, helping security teams identify and mitigate threats across the environment.
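The following is an added illustration of the matching step described above, not code from Netenrich, Google or Chronicle: it indexes a small threat-intelligence feed, normalizes the indicators (case, trailing dots on domains, CIDR ranges), walks nested telemetry events for observable fields, and emits one deduplicated detection per indicator hit. The feed format, the UDM-like event field names and the key-to-indicator-type mapping are assumptions, and both the feed and the telemetry lines are constructed for the example.

```python
"""IOC matching over telemetry, illustrating the Chronicle rule-match step.
Added example; not Netenrich, Google or Chronicle code. Feed format, event
field names and sample data are constructed assumptions."""
import ipaddress
import json
from dataclasses import dataclass

# Constructed feed, standing in for what the scheduled job pushes to Chronicle.
THREAT_FEED = [
    {"source": "Mandiant", "type": "ip", "value": "203.0.113.45", "name": "C2 beacon"},
    {"source": "VirusTotal", "type": "domain", "value": "Update-Check.Example.NET", "name": "phishing kit"},
    {"source": "Mandiant", "type": "sha256",
     "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855", "name": "dropper"},
    {"source": "Mandiant", "type": "cidr", "value": "198.51.100.0/24", "name": "bulletproof hosting"},
]

# Constructed telemetry; the UDM-like field layout is an assumption.
TELEMETRY = [
    '{"event_type":"NETWORK_CONNECTION","principal":{"ip":"10.0.0.5"},"target":{"ip":"203.0.113.45","port":443}}',
    '{"event_type":"NETWORK_DNS","principal":{"ip":"10.0.0.7"},"network":{"dns":{"questions":[{"name":"update-check.example.net."}]}}}',
    '{"event_type":"PROCESS_LAUNCH","principal":{"hostname":"ws-12","process":{"file":{"sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}}}}',
    '{"event_type":"NETWORK_CONNECTION","principal":{"ip":"10.0.0.9"},"target":{"ip":"198.51.100.77","port":8080}}',
    '{"event_type":"NETWORK_CONNECTION","principal":{"ip":"10.0.0.9"},"target":{"ip":"192.0.2.10","port":80}}',
]

# Which telemetry keys carry which kind of observable (assumed mapping).
KEY_TO_IOC_TYPE = {"ip": "ip", "sha256": "sha256", "name": "domain"}


@dataclass(frozen=True)
class Detection:
    indicator_type: str
    indicator: str
    source: str
    name: str
    event_type: str


def _normalize(ioc_type, value):
    """Canonical form so feed and telemetry spellings compare equal."""
    value = value.strip().lower()
    if ioc_type == "domain":
        value = value.rstrip(".")  # DNS answers often carry the root dot
    return value


class IocIndex:
    """Exact-match table for atomic indicators plus a list of CIDR ranges."""

    def __init__(self, feed):
        self.exact = {}
        self.networks = []
        for entry in feed:
            if entry["type"] == "cidr":
                self.networks.append((ipaddress.ip_network(entry["value"], strict=False), entry))
            else:
                self.exact[(entry["type"], _normalize(entry["type"], entry["value"]))] = entry

    def lookup(self, ioc_type, value):
        value = _normalize(ioc_type, value)
        hit = self.exact.get((ioc_type, value))
        if hit is not None or ioc_type != "ip":
            return hit
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return None  # malformed address: never a match, never an exception
        for net, entry in self.networks:
            if addr in net:
                return entry
        return None


def _leaves(obj, parent_key=None):
    """Yield (key, value) for every string leaf in nested JSON, lists included."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _leaves(val, key)
    elif isinstance(obj, list):
        for val in obj:
            yield from _leaves(val, parent_key)
    elif isinstance(obj, str):
        yield parent_key, obj


def scan_event(index, raw_event):
    """Return the set of detections for one telemetry line (deduplicated)."""
    event = json.loads(raw_event)
    event_type = event.get("event_type", "UNKNOWN")
    found = set()
    for key, value in _leaves(event):
        ioc_type = KEY_TO_IOC_TYPE.get(key)
        if ioc_type is None:
            continue
        entry = index.lookup(ioc_type, value)
        if entry is not None:
            found.add(Detection(ioc_type, _normalize(ioc_type, value),
                                entry["source"], entry["name"], event_type))
    return found


def scan_telemetry(feed, lines):
    """Index the feed once, then scan every line; returns detections in order."""
    index = IocIndex(feed)
    detections = []
    for line in lines:
        detections.extend(sorted(scan_event(index, line), key=lambda d: d.indicator))
    return detections


if __name__ == "__main__":
    for det in scan_telemetry(THREAT_FEED, TELEMETRY):
        print(f"{det.event_type}: {det.indicator_type} {det.indicator} "
              f"matched {det.source} '{det.name}'")
```

Note the two places where naive string comparison would have missed a hit: the feed's mixed-case domain and uppercase hash only match because both sides are normalized, and the connection to 198.51.100.77 is caught by the CIDR range rather than by an exact entry. Equally, the last event matches nothing, which is the expected result for most telemetry.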
Prerequisites
- Chronicle enabled and a Chronicle instance configured
- Credentials for the source you intend to use: a Mandiant (Google Threat Intelligence) API key and secret key, or a VirusTotal API key
Enabling Google Threat Intelligence (GTI) Integration
Use this procedure to enable the GTI integration and sync threat intelligence data into the Resolution Intelligence Cloud.
- Click Configurations to open the Configurations options.
- Under the Data Ingestion section, select Integrations to see all the data sources and monitoring tools that can be integrated.
- Select Monitoring from the list to show only the Monitoring sources available to integrate with the platform.
- Search for Google Threat Intelligence in the search box.
- Click the Google Threat Intelligence card. This opens the Google Threat Intelligence Integration page.
- Click Add and select New Integration to add a new integration to the platform. This enables the Mandiant integration and unlocks the Authentication section. Note: Authentication functionality is visible only after the Mandiant integration is enabled.
- Under Configurations, click Authentication. On the authentication page, enter the details for the source you want to use:
- To use VirusTotal as the source:
- Select VirusTotal from the source list.
- Enter the VirusTotal API key used to fetch threat intelligence from VirusTotal and send it to Chronicle.
- To use Google Threat Intelligence (Mandiant) as the source:
- Select Google Threat Intelligence from the source list.
- Enter the Username and Secret (the Mandiant API key and secret key) to establish a connection with Google Threat Intelligence.
- Click Save to apply the configuration.