GoogleThreatIntelligence#
README
Google Threat Intelligence App for TheHive#
Overview#
Google Threat Intelligence (GTI) combines Mandiant’s frontline expertise, Google’s extensive data resources, and VirusTotal’s crowdsourced intelligence to deliver real-time, contextual threat insights including reputation data for files, hashes, domains, IPs, and URLs, as well as detailed static and dynamic analysis. The Google Threat Intelligence App for TheHive brings this rich intelligence directly into the investigation workflow, enabling analysts to manually enrich observables with severity assessments, relationships, MITRE ATT&CK mappings, sandbox behaviour, and historical activity drawn from Google’s global threat ecosystem. By eliminating the need for external lookups and providing immediate, high-value context for indicators of compromise, the integration streamlines investigations, reduces operational overhead, and empowers security teams to shift from reactive triage to proactive, intelligence-driven defence, ultimately strengthening overall security posture.
Key Features#
- IOC Enrichment: Retrieve the latest Google Threat Intelligence report for any observable, including files, hashes, URLs, domains, and IP addresses, providing immediate context and threat assessment.
- Public File Analysis: Fetch detailed intelligence for files that have been publicly submitted to Google Threat Intelligence for analysis, including behavioural insights and verdicts.
- Private File Analysis: Obtain the latest intelligence report for files submitted privately, ensuring sensitive samples are analyzed securely without public exposure.
- Public URL Analysis: Access comprehensive intelligence for URLs that have been publicly scanned by Google Threat Intelligence, including categorization, risk assessment, and related threat indicators.
- Private URL Analysis: Retrieve intelligence reports for URLs scanned privately, enabling secure investigation of internal or sensitive links without sharing them publicly.
Prerequisites#
To use this integration, you will need:
- A valid Google Threat Intelligence (GTI) API Key.
Analyzer Configuration (in Cortex)#
Configure the analyzers within the Cortex interface. A dedicated configuration page is available for the Google Threat Intelligence integration.
Important Note: In Cortex, password or API key fields are shown as plain text. They are not hidden with dots or asterisks.
1. GTI_GetIOCReport#
Get the latest Google Threat Intelligence report for a file, hash, URL, domain or IP address.
- gti_api_key: Paste your GTI API key here.

2. GTI_ScanFile#
Get the latest Google Threat Intelligence report for a file that was submitted for public scanning.
- gti_api_key: Paste your GTI API key here.
- password: (Optional) Default password to decompress and scan a file contained in a protected ZIP file. This can be overridden per job.

3. GTI_ScanPrivateFile#
Get the latest Google Threat Intelligence report for a file that was submitted for private scanning. This analyzer provides additional privacy and sandbox controls.
- gti_api_key: Paste your GTI API key here.
- password: (Optional) Default password to decompress a protected ZIP file. Can be overridden per job.
- command_line: (Optional) Command line arguments to use when running the file in sandboxes.
- disable_sandbox: (Optional) Set to true to skip sandbox detonation for sensitive or non-executable files.
- enable_internet: (Optional) Set to true if the file should have internet access when running in sandboxes.
- retention_period_days: (Optional) Number of days the report and file are kept (between 1 and 28). Defaults to the group's retention policy.
- interaction_sandbox: (Optional) Select the sandbox for interactive use.
  - Allowed: cape_win, cape_linux
- interaction_timeout: (Optional) Interaction timeout in seconds.
  - Min: 60 (1 minute)
  - Max: 1800 (30 minutes)
- locale: (Optional) Preferred sandbox locale to match the file's expected environment.
  - Allowed: EN_US, AR_SA, DE_DE, ES_ES, PT_BR
- storage_region: (Optional) Storage region for the file, based on data residency requirements. Defaults to the group's preference.
  - Allowed: US, CA, EU, GB

4. GTI_ScanURL#
Get the latest Google Threat Intelligence report for a URL that was submitted for public scanning.
- gti_api_key: Paste your GTI API key here.

5. GTI_ScanPrivateURL#
Get the latest Google Threat Intelligence report for a URL that was submitted for private scanning. This analyzer provides additional privacy and sandbox controls.
- gti_api_key: Paste your GTI API key here.
- user_agent: (Optional) Specify a custom user agent string for the scan.
- sandboxes: (Optional) Comma-separated list of sandboxes for analysis.
  - Possible values: chrome_headless_linux, cape_win, zenbox_windows
- retention_period_days: (Optional) Number of days the report and URL are kept (between 1 and 28). Defaults to the group's retention policy.
- storage_region: (Optional) Storage region for the URL, based on data residency requirements. Defaults to the group's preference.
  - Allowed: US, CA, EU, GB
- interaction_timeout: (Optional) Interaction timeout in seconds.
  - Min: 60 (1 minute)
  - Max: 1800 (30 minutes)
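As an added illustration (not the analyzer's own code), the Python helper below merges the Cortex-level defaults for GTI_ScanPrivateFile and GTI_ScanPrivateURL with per-job overrides and checks the result against the allowed values and ranges listed above, so a bad retention period, locale or sandbox name is rejected before anything is submitted. The function name and the merge semantics (job values win, unset options stay absent so the group policy applies) are assumptions.

```python
from typing import Any

# Option constraints as documented for the two private-scan analyzers above.
PRIVATE_FILE_CHOICES = {
    "interaction_sandbox": {"cape_win", "cape_linux"},
    "locale": {"EN_US", "AR_SA", "DE_DE", "ES_ES", "PT_BR"},
    "storage_region": {"US", "CA", "EU", "GB"},
}
PRIVATE_URL_CHOICES = {"storage_region": {"US", "CA", "EU", "GB"}}
PRIVATE_URL_SANDBOXES = {"chrome_headless_linux", "cape_win", "zenbox_windows"}
INT_RANGES = {"retention_period_days": (1, 28), "interaction_timeout": (60, 1800)}
BOOL_OPTIONS = {"disable_sandbox", "enable_internet"}


def merge_job_options(analyzer: str, config: dict, job: dict) -> dict:
    """Hypothetical helper: merge Cortex defaults with per-job overrides and
    validate them. Empty/None values are dropped so the service falls back to
    the group's retention and storage policy. Raises ValueError listing every
    problem found."""
    merged: dict[str, Any] = {k: v for k, v in config.items() if v not in (None, "")}
    merged.update({k: v for k, v in job.items() if v not in (None, "")})
    errors = []

    # Numeric options: coerce and range-check (1..28 days, 60..1800 seconds).
    for key, (lo, hi) in INT_RANGES.items():
        if key not in merged:
            continue
        try:
            value = int(merged[key])
        except (TypeError, ValueError):
            errors.append(f"{key} must be an integer")
            continue
        if not lo <= value <= hi:
            errors.append(f"{key}={value} is outside {lo}..{hi}")
        merged[key] = value

    # Enumerated options: must be one of the documented values.
    choices = PRIVATE_FILE_CHOICES if analyzer == "GTI_ScanPrivateFile" else PRIVATE_URL_CHOICES
    for key, allowed in choices.items():
        if key in merged and merged[key] not in allowed:
            errors.append(f"{key}={merged[key]!r} not in {sorted(allowed)}")

    if analyzer == "GTI_ScanPrivateFile":
        # Per-job overrides often arrive as strings; accept "true"/"false".
        for key in BOOL_OPTIONS.intersection(merged):
            value = merged[key]
            if isinstance(value, str) and value.lower() in ("true", "false"):
                value = value.lower() == "true"
            if not isinstance(value, bool):
                errors.append(f"{key} must be true or false")
            merged[key] = value
    elif analyzer == "GTI_ScanPrivateURL":
        if "sandboxes" in merged:  # comma-separated list -> validated list
            boxes = [s.strip() for s in str(merged["sandboxes"]).split(",") if s.strip()]
            unknown = sorted(set(boxes) - PRIVATE_URL_SANDBOXES)
            if unknown:
                errors.append(f"unknown sandboxes: {unknown}")
            merged["sandboxes"] = boxes
    else:
        raise ValueError(f"unsupported analyzer: {analyzer}")

    if errors:
        raise ValueError("; ".join(errors))
    return merged
```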

Using the Analyzers in TheHive#
All analyzers are executed manually from an observable within a TheHive case.
How to Run an Analyzer#
- Open a case in TheHive and navigate to the Observables tab.
- Locate the target observable you wish to analyze.
- Click the three-dot (⋮) menu on the observable row and select "Run analyzers".
- In the sidebar that appears, find and select the desired GTI_ analyzer from the list.
- Click the Run Selected Analyzers button.
- Wait for the job to complete in Cortex (the observable's analyzer list will update).
Analyzer Report Details#
1. GTI_GetIOCReport (Enrich IOC)#
- Use Case: Get the latest Google Threat Intelligence report for a file, hash, URL, domain or IP address.
- Report Summary:

- Full Report Content:
- Extracted Observables: Related IOCs discovered during analysis, which can be imported directly into the case.
- IOC Summary: High-level details about the observable and its attributes.
- GTI Assessment: Shows the verdict, severity, threat score, and other risk indicators for the IOC.
- Threat Severity: Indicates the threat level and classification based on GTI’s evaluation.
- HTTPS Certificate: Associated certificate information (if available).
- Scan Result: Scan details, verdicts, and detection outcomes.
- Relationships: Linked collections, threat actors, malware families, software toolkits, campaigns, reports, vulnerabilities, and other related IOCs.
- MITRE ATT&CK Report: Relevant adversarial tactics and techniques associated with the observable.
- See Full Report
2. GTI_ScanFile (Public File Scan)#
- Use Case: Get the latest Google Threat Intelligence report for a file that was submitted to Google Threat Intelligence for scanning.
- Report Summary:

- Full Report Content:
- Extracted Observables: Related IOCs discovered during analysis, which can be imported directly into the case.
- File Summary: Core metadata and analysis details about the file.
- GTI Assessment: Shows the verdict, severity, threat score, and other risk indicators for the file.
- Threat Severity: Indicates the threat level and classification based on GTI’s evaluation.
- HTTPS Certificate: Associated certificate information (if available).
- Scan Result: Scan details, verdicts, and detection outcomes.
- Relationships: Linked collections, threat actors, malware families, software toolkits, campaigns, reports, vulnerabilities, and other related IOCs.
- MITRE ATT&CK Report: Relevant adversarial tactics and techniques associated with the observable.
- See Full Report
3. GTI_ScanPrivateFile (Private File Scan)#
- Use Case: Get the latest Google Threat Intelligence report for a file that was privately submitted to Google Threat Intelligence for scanning.
- Report Summary:

- Full Report Content:
- File Summary: Displays the file’s metadata and core characteristics.
- GTI Assessment: Shows the verdict, severity, threat score, and other risk indicators for the file.
- Threat Severity Details: Indicates the threat level and classification based on GTI’s evaluation.
- File Hashes: Lists all available file hashes, including MD5, SHA1, and SHA256.
- File Properties: Displays the file’s known names, tags, and classification properties.
- Archive Contents: If the uploaded file is an archive (e.g., ZIP), this section provides details such as archive type, number of files, and other relevant information.
- See Full Report
4. GTI_ScanURL (Public URL Scan)#
- Use Case: Get the latest Google Threat Intelligence report for a URL that was submitted to Google Threat Intelligence for scanning.
- Report Summary:

- Full Report Content:
- Extracted Observables: Related IOCs discovered during analysis, which can be imported directly into the case.
- URL Summary: Core metadata and analysis details about the URL.
- GTI Assessment: Contextual analysis derived from Google’s threat intelligence database.
- Threat Severity: Risk or severity rating associated with the observable.
- HTTPS Certificate: Associated certificate information (if available).
- Scan Result: Scan details, verdicts, and detection outcomes.
- Relationships: Linked collections, threat actors, malware families, software toolkits, campaigns, reports, vulnerabilities, and other related IOCs.
- See Full Report
5. GTI_ScanPrivateURL (Private URL Scan)#
- Use Case: Get the latest Google Threat Intelligence report for a URL that was privately submitted to Google Threat Intelligence for scanning.
- Report Summary:

- Full Report Content:
- URL Summary: Displays key attributes and metadata of the analyzed URL.
- GTI Assessment: Shows the verdict, severity, threat score, and other risk indicators for the URL.
- URL Analysis: Provides insights into URL tags, redirection chain, and outgoing links.
- HTTP Headers: Displays information about HTTP request and response headers.
- Content Analysis: Shows analyzed URL content, including page structure and identified threat patterns.
- See Full Report
Troubleshooting#
- Authentication Failed Error: This almost always indicates an invalid or expired GTI API Key. Verify your key in the Cortex analyzer configuration and ensure it has the correct permissions in your Google Cloud project.
- Jobs Fail Immediately: Ensure the Cortex instance has network connectivity to the Google Threat Intelligence API endpoints. Check for any intervening firewalls or proxies.
- Analyzer Not Found in TheHive: This means the analyzer is not enabled or properly configured in the linked Cortex instance. Log in to Cortex, enable the GoogleThreatIntelligence analyzers, and add your API key.
- File/URL Scan Timeouts: Private scans, especially with sandbox interaction, can take several minutes. If jobs consistently time out, check the job logs in Cortex for more detailed error messages.
GTI_ScanURL#
Author: Google
License: AGPL-V3
Version: 1.0
Supported observables types:
- url
Registration required: True
Subscription required: False
Free subscription: N/A
Third party service: https://www.virustotal.com/
Description#
Get the latest Google Threat Intelligence report for a URL that was submitted to Google Threat Intelligence for scanning
Configuration#
| gti_api_key | API key for Google Threat Intelligence. |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
Templates samples for TheHive#


GTI_ScanPrivateFile#
Author: Google
License: AGPL-V3
Version: 1.0
Supported observables types:
- file
Registration required: True
Subscription required: True
Free subscription: N/A
Third party service: https://www.virustotal.com/
Description#
Get the latest Google Threat Intelligence report for a file that was privately submitted to Google Threat Intelligence for scanning
Configuration#
| gti_api_key | API key for Google Threat Intelligence. |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| password | Password used to decompress and scan files contained within password-protected ZIP archives. |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | False |
| command_line | Command-line arguments to be used when executing the file in sandbox environments. |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | False |
| disable_sandbox | If true, the file will not be detonated in sandbox environments. |
|---|---|
| Default value if not configured | False |
| Type of the configuration item | boolean |
| The configuration item can contain multiple values | False |
| Is required | False |
| enable_internet | Specifies whether the file should have internet access while running in sandbox environments. |
|---|---|
| Default value if not configured | False |
| Type of the configuration item | boolean |
| The configuration item can contain multiple values | False |
| Is required | False |
| retention_period_days | Number of days the report and file are retained in VirusTotal (1–28). If not set, the group's retention policy is applied. |
|---|---|
| Default value if not configured | 1 |
| Type of the configuration item | number |
| The configuration item can contain multiple values | False |
| Is required | False |
| interaction_sandbox | Specifies the sandbox to use for interactive analysis. Allowed values: cape_win, cape_linux. |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | False |
| interaction_timeout | Timeout for interactive sessions, in seconds. Minimum: 60 (1 minute), Maximum: 1800 (30 minutes). |
|---|---|
| Default value if not configured | 60 |
| Type of the configuration item | number |
| The configuration item can contain multiple values | False |
| Is required | False |
| locale | Preferred sandbox locale. On Windows, this sets the analysis machine’s language and keyboard settings. Allowed values: EN_US, AR_SA, DE_DE, ES_ES, PT_BR. |
|---|---|
| Default value if not configured | EN_US |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | False |
| storage_region | Region where files will be stored. If not provided, uses the group's private_scanning.storage_region setting. Allowed values: US, CA, EU, GB. |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | False |
Templates samples for TheHive#


GTI_ScanFile#
Author: Google
License: AGPL-V3
Version: 1.0
Supported observables types:
- file
Registration required: True
Subscription required: False
Free subscription: N/A
Third party service: https://www.virustotal.com/
Description#
Get the latest Google Threat Intelligence report for a file that was submitted to Google Threat Intelligence for scanning
Configuration#
| gti_api_key | API key for Google Threat Intelligence. |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| password | Password used to decompress and scan files contained within password-protected ZIP archives. |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | False |
Templates samples for TheHive#


GTI_GetIOCReport#
Author: Google
License: AGPL-V3
Version: 1.0
Supported observables types:
- file
- hash
- domain
- fqdn
- ip
- url
Registration required: True
Subscription required: False
Free subscription: N/A
Third party service: https://www.virustotal.com/
Description#
Get the latest Google Threat Intelligence report for a file, hash, URL, domain or IP address.
Configuration#
| gti_api_key | API key for Google Threat Intelligence. |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
Templates samples for TheHive#


GTI_ScanPrivateURL#
Author: Google
License: AGPL-V3
Version: 1.0
Supported observables types:
- url
Registration required: True
Subscription required: True
Free subscription: N/A
Third party service: https://www.virustotal.com/
Description#
Get the latest Google Threat Intelligence report for a URL that was privately submitted to Google Threat Intelligence for scanning
Configuration#
| gti_api_key | API key for Google Threat Intelligence. |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| sandboxes | Comma-separated list of sandbox environments to use. e.g., chrome_headless_linux,cape_win,zenbox_windows. |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | False |
| retention_period_days | Number of days the report and URL are retained in VirusTotal (1–28). If not set, the group's retention policy is applied. |
|---|---|
| Default value if not configured | 1 |
| Type of the configuration item | number |
| The configuration item can contain multiple values | False |
| Is required | False |
| storage_region | Region where the URL will be stored. Defaults to the group's private_scanning.storage_region setting. Allowed values: US, CA, EU, GB. |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | False |
| interaction_timeout | Timeout for interactive sandbox sessions, in seconds. Minimum: 60 (1 minute), Maximum: 1800 (30 minutes). |
|---|---|
| Default value if not configured | 60 |
| Type of the configuration item | number |
| The configuration item can contain multiple values | False |
| Is required | False |
Templates samples for TheHive#

