|
| 1 | +# Google Threat Intelligence |
| 2 | + |
| 3 | +## Overview |
| 4 | + |
| 5 | +[Google Threat Intelligence](https://gtidocs.virustotal.com/) is a security solution that helps organizations detect, analyze, and mitigate threats. It leverages Google's global telemetry, advanced analytics, and vast infrastructure to provide actionable insights. Key features include threat detection, malware and phishing analysis, and real-time threat alerts. |
| 6 | + |
| 7 | +Google Threat Intelligence uses the **[Threat List API](https://gtidocs.virustotal.com/reference/get-hourly-threat-list)** to deliver hourly data chunks. The Threat Lists feature allows customers to consume **Indicators of Compromise (IOCs)** categorized by various threat types. |
| 8 | + |
| 9 | +## Threat List API Feeds |
| 10 | + |
| 11 | +The Threat List API provides the following types of threat feeds: |
| 12 | + |
| 13 | +- **Cryptominers** |
| 14 | +- **First Stage Delivery Vectors** |
| 15 | +- **Infostealers** |
| 16 | +- **Internet of Things (IoT)** |
| 17 | + |
| 18 | +## GTI Subscription Tiers |
| 19 | + |
| 20 | +Customers can access a subset of the available threat lists based on their **Google Threat Intelligence (GTI) tier**: |
| 21 | + |
| 22 | +- **GTI Standard**: Ransomware, Malicious Network Infrastructure |
| 23 | +- **GTI Enterprise**: Ransomware, Malicious Network Infrastructure, Malware, Threat Actor, Daily Top Trending |
| 24 | +- **GTI Enterprise+**: Access to all available threat lists |
| 25 | + |
| 26 | +## Data Streams |
| 27 | + |
| 28 | +Data collection is available for four feed types: `cryptominer`, `first_stage_delivery_vectors`, `infostealer`, and `iot`, each provided through a separate data stream. Users can enable data streams based on their GTI subscription tier. If a user enables data collection for a data stream they do not have access to, it will result in an error log on the **Discover** page. |
| 29 | + |
| 30 | +## Requirements |
| 31 | + |
| 32 | +Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). |
| 33 | + |
| 34 | +## Setup |
| 35 | + |
| 36 | +### To collect logs through REST API, follow the below steps: |
| 37 | + |
| 38 | +- VirusTotal URL will work as the base URL for this integration: https://www.virustotal.com |
| 39 | +- An API key will be used to authenticate your request. |
| 40 | +- **Time Selection of Initial Interval and Interval**: |
| 41 | + - Users need to specify the **initial interval** and **interval** in an hourly format, such as **2h**, **3h**, etc. |
| 42 | +**Note:** Please make sure both initial interval and interval are in hours and greater than 1 hour. |
| 43 | + |
| 44 | +### Enabling the integration in Elastic: |
| 45 | + |
| 46 | +1. In Kibana, go to **Management > Integrations**. |
| 47 | +2. In the "Search for integrations" search bar, type **Google Threat Intelligence**. |
| 48 | +3. Click on the **Google Threat Intelligence** integration from the search results. |
| 49 | +4. Click on the **Add Google Threat Intelligence** button to add the integration. |
| 50 | +5. While adding the integration, to collect logs via REST API, provide the following details: |
| 51 | + - Enable the type of data stream you have access to. |
| 52 | + - Access Token |
| 53 | + - Initial Interval |
| 54 | + - Interval |
| 55 | + - (Optional) Query to add custom query filtering on relationship, GTI score, and positives. |
| 56 | +6. Click on **Save and Continue** to save the integration. |
| 57 | +**Note:** Please make only the threat feed types you have the privilege to access are enabled. |
| 58 | + |
| 59 | +## Transforming Data for Up-to-Date Insights |
| 60 | + |
| 61 | +To keep the collected data up to date, **Transforms** are used. |
| 62 | + |
| 63 | +Users can view the transforms by navigating to **Management > Stack Management > Transforms**. |
| 64 | + |
| 65 | +Follow **Steps to enable transforms** to enable transforms and populate `Threat Feed Overview` dashboard. |
| 66 | + |
| 67 | +Here, users can see continuously running transforms and also view the latest transformed GTI data in the **Discover** section. |
| 68 | + |
| 69 | +The `labels.is_transform_source` field indicates log origin: |
| 70 | +- **False** for transformed index |
| 71 | +- **True** for source index |
| 72 | + |
| 73 | +Currently, four transforms are available across all 4 data streams. |
| 74 | + |
| 75 | +The following are four transforms along with their associated pipelines: |
| 76 | + |
| 77 | +| Transform Name | Description | |
| 78 | +| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------- | |
| 79 | +| IP Transform (ID: `logs-ti_google_threat_intelligence.ip_ioc`, Pipeline: `ti_google_threat_intelligence-latest_ip_ioc-transform-pipeline`) | Keeps IP entity type data up to date. | |
| 80 | +| URL Transform (ID: `logs-ti_google_threat_intelligence.url_ioc`, Pipeline: `ti_google_threat_intelligence-latest_url_ioc-transform-pipeline`) | Keeps URL entity type data up to date. | |
| 81 | +| Domain Transform (ID: `logs-ti_google_threat_intelligence.domain_ioc`, Pipeline: `ti_google_threat_intelligence-latest_domain_ioc-transform-pipeline`) | Keeps Domain entity type data up to date. | |
| 82 | +| File Transform (ID: `logs-ti_google_threat_intelligence.file_ioc`, Pipeline: `ti_google_threat_intelligence-latest_file_ioc-transform-pipeline`) | Keeps File entity type data up to date. | |
| 83 | + |
| 84 | +For example: |
| 85 | + |
| 86 | +- The query `event.module: ti_google_threat_intelligence and labels.is_transform_source: true` indicates that the logs originate from the **source index**. |
| 87 | +- The query `event.module: ti_google_threat_intelligence and labels.is_transform_source: false` indicates that the logs originate from the **transformed index**. |
| 88 | + |
| 89 | +A **retention policy** is used to remove data older than the default retention period. For more details, refer to the [Retention Policy Documentation](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-transform-put-transform#operation-transform-put-transform-body-application-json-retention_policy). |
| 90 | + |
| 91 | +In this integration, all data streams have a **retention period of 30 days**. |
| 92 | + |
| 93 | +### Enrichment with Detection Rules |
| 94 | + |
| 95 | +Detection Rules match the user's Elastic environment data with GTI data, generating an alert if a match is found. To access detection rules: |
| 96 | + |
| 97 | +1. Navigate to **Security > Rules > Detection Rules** and click on **Add Elastic Rules**. |
| 98 | +2. Search for **Google Threat Intelligence** to find prebuilt Elastic detection rules. |
| 99 | +3. Four detection rules are available for **IP, URL, File, and Domain**. Users can install one or more rules as needed. |
| 100 | + |
| 101 | +To tailor a rule based on Elastic environment: |
| 102 | + |
| 103 | +1. Click the three dots on the right side of any detection rule. |
| 104 | +2. Select **Duplicate Rule**. |
| 105 | +3. Modify the duplicated rule to tailor it to your Elastic environment: |
| 106 | + - **Index Pattern**: Add the index pattern relevant to your data. Keeping this specific ensures optimal performance. |
| 107 | + - **Custom Query**: Further refine rule conditions. |
| 108 | + - **Indicator Mapping**: Map relevant fields from your Elastic environment to GTI fields. Do not modify the **indicator index field**. |
| 109 | + - **Schedule Rules**: |
| 110 | + - **Set Runs Every** - Defines how frequently the rule runs. |
| 111 | + - **Additional Lookback Time** - Specifies how far back to check for matches. |
| 112 | + |
| 113 | +Once saved, successfully executed rules will generate alerts. Users can view these alerts in the **Alerts** section. |
| 114 | + |
| 115 | +**Note:** A transform runs in the background to filter relevant data from alerts. The `data_stream.dataset: ti_google_threat_intelligence.enriched_ioc` field represents logs for enriched threat intelligence data, which can be analyzed in the **Discover** section. |
| 116 | + |
| 117 | +The following are the names of the four sample rules: |
| 118 | + |
| 119 | +| Sample Rule Name | Description | |
| 120 | +| ----------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------- | |
| 121 | +| Google Threat Intelligence URL IOC Correlation | Detects and alerts on matches between URL IOCs collected by GTI data with user's selected Elastic environment data. | |
| 122 | +| Google Threat Intelligence Domain IOC Correlation | Detects and alerts on matches between Domain IOCs collected by GTI data with user's selected Elastic environment data. | |
| 123 | +| Google Threat Intelligence File IOC Correlation | Detects and alerts on matches between File IOCs collected by GTI data with user's selected Elastic environment data. | |
| 124 | +| Google Threat Intelligence IP Address IOC Correlation | Detects and alerts on matches between IP Address IOCs collected by GTI data with user's selected Elastic environment data. | |
| 125 | + |
| 126 | +The following transform and its associated pipelines are used to filter relevant data from alerts. Follow **Steps to enable transforms** to enable these transforms and populate `Threat Intelligence` and `Adversary Intelligence` dashboards. |
| 127 | + |
| 128 | +| Transform Name | Description | |
| 129 | +| ------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------- | |
| 130 | +| Detected IOC Transform (ID: `logs-ti_google_threat_intelligence.rule`, Pipeline: `ti_google_threat_intelligence-correlation_detection_rule-pipeline`) | Filters and extracts necessary information from Detected IOCs from threat feed. | |
| 131 | + |
| 132 | +### Steps to enable transforms |
| 133 | + |
| 134 | +1. Navigate to **Stack Management > Transforms** in Kibana. |
| 135 | +2. Locate the transform you want to enable by searching for its **Transform ID**. |
| 136 | +3. Click the **three dots** next to the transform, then select **Edit**. |
| 137 | +4. Under the **Destination configuration** section, set the **Ingest Pipeline**: |
| 138 | + - Each transform in the **Google Threat Intelligence** integration has a corresponding ingest pipeline. |
| 139 | + - Refer to the **Transforms table** above for the appropriate pipeline name associated with transform. |
| 140 | + - Prefix the pipeline name with the integration version. |
| 141 | + For example: |
| 142 | + ``` |
| 143 | + 0.1.0-ti_google_threat_intelligence-latest_ip_ioc-transform-pipeline |
| 144 | + ``` |
| 145 | + - Click **Update** to save the changes. |
| 146 | +5. Click the **three dots** again next to the transform and select **Start** to activate it. |
| 147 | +
|
| 148 | +**Note:** After updating the integration, make sure to update the pipeline prefix accordingly. |
| 149 | +
|
| 150 | +## Limitations |
| 151 | +
|
| 152 | +1. If an event contains multiple matching mappings (e.g., two file hash fields within the same event match GTI data), only one alert per detection rule will be generated for that event. |
| 153 | +2. If an IOC from the user's Elasticsearch index is enriched with GTI information, and the GTI information is updated later, the changes are not reflected in the dashboards because Elastic detection rules only run on live data. |
| 154 | +
|
| 155 | +## Troubleshooting |
| 156 | +
|
| 157 | +1. If you encounter a privilege error for a threat feed type, such as: `You are not authorized to perform the requested operation`, verify your privilege level and enable only the threat feeds you have access to. |
| 158 | +2. If you see an error like `Package 2025031310 is not available until 2025-03-13 at 11:00 UTC because of privacy policy.`, ensure that your initial interval and interval are set in hours and are greater than one hour. |
| 159 | +3. If events are not appearing in the transformed index, check if transforms are running without errors. If you encounter issues, refer to [Troubleshooting transforms](https://www.elastic.co/guide/en/elasticsearch/reference/current/transform-troubleshooting.html). |
| 160 | +4. If detection rules take longer to run, ensure you have specified index patterns and applied queries to make your source events more specific. |
| 161 | + **Note:** More events in index patterns mean more time needed for detection rules to run. |
| 162 | +5. Ensure that relevant fields are correctly mapped in the **Indicator Mapping** section. Verify that fields in the specified index pattern are properly mapped, and ensure entity-specific fields (e.g., IP fields to IP fields, keyword fields like file hash SHA256 to corresponding file hash SHA256 fields) are accurately configured. |
| 163 | +6. If any transform is not in a **Healthy** state, try resetting it: |
| 164 | + - Click the **three dots** next to the transform, then select **Reset**. |
| 165 | + - After resetting, follow the **Steps to enable transforms** above to reconfigure and restart the transform. |
| 166 | +
|
| 167 | +## Logs Reference |
| 168 | +
|
| 169 | +### Cryptominers |
| 170 | +
|
| 171 | +This is the `Cryptominer` dataset. |
| 172 | +
|
| 173 | +#### Example |
| 174 | +
|
| 175 | +{{event "cryptominer"}} |
| 176 | +
|
| 177 | +{{fields "cryptominer"}} |
| 178 | +
|
| 179 | +### First Stage Delivery Vectors |
| 180 | +
|
| 181 | +This is the `First Stage Delivery Vectors` dataset. |
| 182 | +
|
| 183 | +#### Example |
| 184 | +
|
| 185 | +{{event "first_stage_delivery_vectors"}} |
| 186 | +
|
| 187 | +{{fields "first_stage_delivery_vectors"}} |
| 188 | +
|
| 189 | +### Infostealers |
| 190 | +
|
| 191 | +This is the `Infostealers` dataset. |
| 192 | +
|
| 193 | +#### Example |
| 194 | +
|
| 195 | +{{event "infostealer"}} |
| 196 | +
|
| 197 | +{{fields "infostealer"}} |
| 198 | +
|
| 199 | +### Internet of Things |
| 200 | +
|
| 201 | +This is the `Internet of Things` dataset. |
| 202 | +
|
| 203 | +#### Example |
| 204 | +
|
| 205 | +{{event "iot"}} |
| 206 | +
|
| 207 | +{{fields "iot"}} |
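Review bot: the "GTI Subscription Tiers" list does not line up with the feeds this integration actually collects. The tier bullets name Ransomware, Malicious Network Infrastructure, Malware, Threat Actor and Daily Top Trending, but the "Data Streams" section says collection is available only for `cryptominer`, `first_stage_delivery_vectors`, `infostealer` and `iot`, none of which appear in any tier bullet, so a reader cannot tell which tier unlocks which of the four data streams (and therefore which streams to leave disabled to avoid the `You are not authorized to perform the requested operation` error the Troubleshooting section describes). Suggest stating the required tier per collected feed, e.g. "Cryptominers: GTI Enterprise+", or trimming the tier list to the feeds this package ships. Two smaller doc points in the same file: the note after the Setup steps reads "Please make only the threat feed types you have the privilege to access are enabled" and is missing "sure"; and the sentence "The following transform and its associated pipelines are used to filter relevant data from alerts" precedes a table with a single transform and a single pipeline, so "pipeline" should be singular there.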