--- title: "Google Threat Intelligence Integration User Guide | ThreatConnect" slug: "google-threat-intelligence-integration-user-guide" description: "This article is a user guide for the Google Threat Intelligence app in ThreatConnect." updated: 2026-05-01T19:30:52Z published: 2026-05-01T19:30:52Z stale: true --- > ## Documentation Index > Fetch the complete documentation index at: https://knowledge.threatconnect.com/llms.txt > Use this file to discover all available pages before exploring further. # Google Threat Intelligence Integration User Guide NoteThis guide applies to the **Google Threat Intelligence** app version 1.0.1. ## Overview The **Google Threat Intelligence** [feed API service](https://knowledge.threatconnect.com/docs/feed-api-services) app ingests Collections via Threat Landscape and their associated Indicators of Compromise (IoCs) from Google® Threat Intelligence (Google TI) and creates corresponding objects in ThreatConnect® with select Google TI metadata: - Reports are created as Report Groups in ThreatConnect. Where possible, ThreatConnect also adds [ATT&CK Tags](https://knowledge.threatconnect.com/docs/attack-tags) representing MITRE ATT&CK® techniques and sub-techniques to the Report Groups. - Malware Families are created as Malware Groups in ThreatConnect. - Software Toolkits are created as Tool Groups in ThreatConnect. - Threat Actors are created as Intrusion Set Groups in ThreatConnect. - Campaigns are created as Campaign Groups in ThreatConnect. - Vulnerabilities are created as Vulnerability Groups in ThreatConnect. - Indicators associated to Reports, Malware Families, Software Toolkits, Threat Actors, Campaigns, and Vulnerabilities are created as Address, File, Host, or URL Indicators and associated to the corresponding Group object in ThreatConnect. ## Dependencies ### ThreatConnect Dependencies - ThreatConnect instance with version 7.11.2 or newer installed NoteAll ThreatConnect dependencies will be provided by default to subscribing ThreatConnect Cloud customers. Customers on Dedicated Cloud and On-Premises instances can enable these settings on the **Account Settings**screen within their ThreatConnect instance. ### Google Threat Intelligence Dependencies - Enterprise or Enterprise+ subscription - Service account for Google TI - Active API key for Google TI service account ## Application Setup and Configuration The **Google Threat Intelligence** app leverages the [Feed Deployer](https://knowledge.threatconnect.com/docs/the-feed-deployer) to create a [Source](https://knowledge.threatconnect.com/docs/ownership-in-threatconnect) for data ingestion from Google Threat Intelligence in an Organization and to configure the corresponding [service](https://knowledge.threatconnect.com/docs/playbook-services)’s ingestion and authentication parameters. After you install the **Google Threat Intelligence** app on your ThreatConnect instance, you can deploy it to any Organization. It must be deployed separately for each Organization in which you want to create a Source for data ingestion and a corresponding service. ### Install the Google Threat Intelligence App Follow these steps to install the **Google Threat Intelligence** app on your ThreatConnect instance: 1. Log into ThreatConnect with a System Administrator account. 2. From the **Settings**![Settings icon](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Settings%20icon.png)menu on the top navigation bar, select **TC Exchange Settings**. 3. Select the **Catalog** tab on the **TC Exchange™ Settings** screen. 4. Locate the **Google Threat Intelligence** app on the **Catalog** tab. 5. Click **Install**![Plus icon_Dark blue](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Plus%20icon_Dark%20blue.png)in the **Options** column to install the app. 6. Click **INSTALL** in the app’s **Release Notes** window. 7. After you install the **Google Threat Intelligence** app, the [Feed Deployer](https://knowledge.threatconnect.com/docs/the-feed-deployer) opens automatically. Follow the procedure in the “[Deploy the Google Threat Intelligence App to an Organization”](/v1/docs/google-threat-intelligence-integration-user-guide#deploy-the-google-threat-intelligence-app-to-an-organization) section to deploy the **Google Threat Intelligence** app to a Source in an Organization and configure the corresponding service. ### Deploy the Google Threat Intelligence App to an Organization Follow these steps to deploy the **Google Threat Intelligence** app to an Organization: NoteSkip to the fourth step in the procedure if you just [installed the **Google Threat Intelligence** app](/v1/docs/google-threat-intelligence-integration-user-guide#install-the-google-threat-intelligence-app) and are already viewing the **Feed Deployer** window. 1. Log into ThreatConnect with a System Administrator account. 2. From the **Settings**![Settings icon](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Settings%20icon.png)menu on the top navigation bar, select **TC Exchange Settings**. 3. Locate the **Google Threat Intelligence** app on the **Installed** tab. Then select **Deploy** from the **Options****⋮** dropdown. 4. Follow the instructions in Table 1 to fill out the fields in the **Feed Deployer** window for a deployment of the **Google Threat Intelligence**app. | Name | Description | Required? | | --- | --- | --- | | **Source** Tab | | Sources to Create | Enter the name of the Source for the feed.NoteUnless you are redeploying the feed to an existing Source in an Organization, the name of the Source must be unique on your ThreatConnect instance. It is recommended to add the Organization’s name to the end of the default Source name (e.g., **Google Threat Intelligence – Demo Organization**) for easy identification of the Source’s owner. | Required | | Owner | Select the Organization in which the Source will be created. | Required | | Activate Deprecation | Select this checkbox to allow [confidence deprecation](https://knowledge.threatconnect.com/docs/indicator-confidence-deprecation) rules to be created and applied to Indicators in the Source. | Optional | | Create Attributes | Select this checkbox to allow [custom attribute types](https://knowledge.threatconnect.com/docs/creating-custom-attribute-types) for the **Google Threat Intelligence**app to be created on the System level of your ThreatConnect instance.ImportantIt is recommended that you keep this checkbox selected. If you deselect it, data from the **Google Threat Intelligence** app mapped to those attribute types will not be ingested. | Optional | | **Parameters**Tab | | Launch Server | Select **tc-job**as the launch server for the feed API service. | Required | | Origin | Select the origin(s) to ingest Threat Landscape data from. Available choices include the following: - Crowdsourced - Partner NoteBy default, the highly curated origin of `Google Threat Intelligence` is implicitly selected and is not included as an option in the dropdown.WarningSelecting options from this dropdown will allow ingestion of lower-fidelity intelligence into your ThreatConnect instance and create a higher volume of Groups and Indicators, which may impact system performance and increase API token utilization. It is recommended not to select either option unless there are specific requirements to include them. In addition, when data from multiple origins are ingested, the **Google Threat Intelligence** app may create multiple copies of some Group objects to maintain integrity of the data provided by each origin and align with Google TI’s data model. Please see the [“Google TI Origin Configuration”](/v1/docs/google-threat-intelligence-integration-user-guide#google-ti-origin-configuration) section for more information. | Optional | | Indicator Threat Rating | Select the [threat rating](https://knowledge.threatconnect.com/docs/setting-indicator-threat-and-confidence-ratings) to assign to all Indicators ingested from Google TI. You can select a specific threat rating (0–5 skulls) or **Inherit from Google TI**, which maps each Indicator’s [Google TI score](https://docs.cloud.google.com/chronicle/docs/detection/understand-ic-score) as described in the [“Threat Rating Mapping”](/v1/docs/google-threat-intelligence-integration-user-guide#threat-rating-mapping) section. NoteIt is recommended to retain the default selection of **Inherit from Google TI**, as this option assigns a customized threat rating to each Indicator based on Google TI analytics. | Required | | Indicator Confidence Rating | Select the [confidence rating](https://knowledge.threatconnect.com/docs/setting-indicator-threat-and-confidence-ratings) to assign to all Indicators ingested from Google TI. You can select a specific confidence rating (0–100) or **Inherit from Google TI**, which maps each Indicator’s [Google TI confidence score](https://security.googlecloudcommunity.com/google-threat-intelligence-3/obtaining-google-threat-intelligence-s-unique-attributes-from-the-api-6320#:~:text=gti_confidence_score)to the same confidence rating in ThreatConnect.NoteIt is recommended to retain the default selection of **Inherit from Google TI**, as this option assigns a customized confidence rating to each Indicator based on Google TI analytics. | Required | | Advanced Settings | There are no advanced settings to configure.WarningLeave this field blank, as entering values may result in unintended consequences. | Optional | | **Variables**Tab | | Google TI API Key | Enter the API key for your organization’s service account in Google TI. | Required | | **Confirm**Tab | | Run Feeds after deployment | Select this checkbox to run the **Google Threat Intelligence** service immediately after you click **DEPLOY** on the **Feed Deployer** window. | Optional | | Confirm Deployment Over Existing Source | This checkbox and a warning message are displayed on the **Confirm** tab if the Source name entered on the **Source** tab is already used by a Source owned by the selected Organization. To confirm redeploying the app to the existing Source, select the checkbox. This will activate the **DEPLOY** button. Otherwise, you must return to the **Source**tab and either change the Source name or select a different Organization.WarningWhen you redeploy a feed API service to a Source, existing data in the Source may be overwritten. Redeployment will also create a new service for the feed API service app**.** It is recommended that you delete the previous service for the feed API service app after the new one is created. | Optional | 5. Click **DEPLOY** on the **Confirm** tab of the **Feed Deployer** window to deploy the **Google Threat Intelligence** app in the Organization, which will create a Source for the feed in the Organization and a corresponding feed API service. ## Google Threat****Intelligence UI After [installing](/v1/docs/google-threat-intelligence-integration-user-guide#install-the-google-threat-intelligence-app) the **Google Threat Intelligence** app and [deploying it to an Organization](/v1/docs/google-threat-intelligence-integration-user-guide#deploy-the-google-threat-intelligence-app-to-an-organization), you can access the **Google Threat Intelligence**user interface (UI), where you can manage data ingestion from Google TI into the Source created in the Organization. Follow these steps to access the **Google Threat Intelligence** UI: 1. Log into ThreatConnect with a System Administrator account or a user account in the Organization with an [Organization role](https://knowledge.threatconnect.com/docs/organization-roles) of Organization Administrator. 2. From the **Automation & Feeds** dropdown on the top navigation bar, select **Services.** 3. Locate the row for the **Google Threat Intelligence**feed API service.HintSelect **Feed Service** from the **Service Type** dropdown at the upper right to filter the screen to show only feed API services. If there are multiple services for the **Google Threat Intelligence** app, you can identify the one configured for your Organization by clicking the row for a service to view its **Details** drawer, which includes an **Organization** field showing the Organization that owns the Source for that service. 4. Turn on the toggle in the **Enable** column if the service is not already enabled. 5. Click the link in the Service’s **API Path**field to open the **Google Threat Intelligence** UI. The following screens are available in the **Google Threat Intelligence** service UI: - [**Dashboard**](/v1/docs/google-threat-intelligence-integration-user-guide#dashboard) - [**Jobs**](/v1/docs/google-threat-intelligence-integration-user-guide#jobs) - [**Tasks**](/v1/docs/google-threat-intelligence-integration-user-guide#tasks) - [**Download**](/v1/docs/google-threat-intelligence-integration-user-guide#download) - [**Batch Errors**](/v1/docs/google-threat-intelligence-integration-user-guide#batch-errors) - [**Attachment Status**](/v1/docs/google-threat-intelligence-integration-user-guide#attachment-status) ### Dashboard The **Dashboard**screen (Figure 1) provides an overview of the total number of each object type ingested from Google TI. ![Figure 1_Google Threat Intelligence Integration User Guide_Software Version 1.0.1](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%201_Google%20Threat%20Intelligence%20Integration%20User%20Guide_Software%20Version%201.0.1.png) ### Jobs The **Jobs**screen (Figure 2) breaks down the ingestion of Google TI data into manageable job-like tasks, displaying all processes that are pending, in progress, complete, and failed. The **⋯** menu in a job’s row provides the following options: - **Details**: View details for the job, such as download, convert, and upload start and complete times and counts of downloaded and batched Groups and Indicators. - **Download Files**: Download metadata files for all jobs and data (convert, download, and upload) files for completed jobs. - **Batch Errors**: View errors that have occurred for the job on the [**Batch Errors**](/v1/docs/google-threat-intelligence-integration-user-guide#batch-errors) screen. ![Figure 2_Google Threat Intelligence Integration User Guide_Software Version 1.0.1](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%202_Google%20Threat%20Intelligence%20Integration%20User%20Guide_Software%20Version%201.0.1.png) You can filter **Google Threat Intelligence** service jobs by the following elements: - **Job ID**: Enter text into this box to search for a job by its job ID. - **Job Type**: Select job types to display on the **Jobs** screen. - **Status**: Select job statuses to display on the **Jobs** screen. #### Add a Job You can add ad hoc jobs on the **Jobs** screen. Follow these steps to create a request for an ad hoc Job for the **Google Threat Intelligence** service: 1. Click **Add Job** (Figure 2). 2. Fill out the fields on the **Add Job** drawer (Figure 3) as follows:![Figure 3_Google Threat Intelligence Integration User Guide_Software Version 1.0.1](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%203_Google%20Threat%20Intelligence%20Integration%20User%20Guide_Software%20Version%201.0.1.png) - **Start Time**: (Optional) Enter the time at which the job should start. - **End Time**: (Optional) Enter the time by which the job should end. 3. Click **Submit** to submit the request for the ad hoc job. ### Tasks The **Tasks** screen (Figure 4) displays all tasks that may be part of a job, including each step of the download, convert, and upload processes, as well as tasks for the **Google Threat Intelligence** service, such as monitor, scheduler, and cleaner. The current status (**Idle**, **Paused**, or **Running**), name, description, and heartbeat timeout length, in minutes, are displayed for each task. The **⋯** menu in a task’s row provides the following options, depending on the task’s status: - **Run** (idle and paused tasks only) - **Pause** (idle and running tasks only) - **Resume** (paused tasks only) - **Kill** (running tasks only) Under the table is a dashboard where you can view runtime analytics. ![Figure 4_Google Threat Intelligence Integration User Guide_Software Version 1.0.1](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%204_Google%20Threat%20Intelligence%20Integration%20User%20Guide_Software%20Version%201.0.1.png) ### Download The **Download**screen (Figure 5) lets you download JavaScript® Object Notation (JSON) data for Google TI objects and then upload the data into ThreatConnect. ![Figure 5_Google Threat Intelligence Integration User Guide_Software Version 1.0.1](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%205_Google%20Threat%20Intelligence%20Integration%20User%20Guide_Software%20Version%201.0.1.png) Follow these steps to download JSON data for a Google TI object on the **Download** screen and then upload the data into ThreatConnect: 1. **Indicator Types**: Select a Google TI intel type to download.NoteAlthough the dropdown’s label is **Indicator Types**, you can select all Collection object types that the **Google Threat Intelligence** app ingests, including Group types. 2. **External ID**: Enter one or more Google TI IDs for the objects to download, separating each ID with a comma. For Group objects (Campaign, Malware Family, Report, Software Toolkit, Threat Actor, and Vulnerability), the Google TI ID can be found after the last slash (`/`) in the object’s Google TI URL. For Indicators (IP Address, Domain, File, and URL), the Google TI ID is the Indicator itself. 3. Click **Download**. The JSON data will be displayed in two columns: **Results** (raw JSON data) and **Converted** (JSON data in ThreatConnect batch format) (Figure 6).![Figure 6_Google Threat Intelligence Integration User Guide_Software Version 1.0.1](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%206_Google%20Threat%20Intelligence%20Integration%20User%20Guide_Software%20Version%201.0.1.png) 4. Click **Upload** to submit the converted threat intelligence data via the [ThreatConnect Batch API](https://docs.threatconnect.com/en/latest/rest_api/v2/batch_api/batch_api.html). ### Batch Errors The **Batch Errors** screen (Figure 7) displays an overview of the batch error types that have occurred for job requests. You can enter keywords to filter by job ID. ![Figure 7_Google Threat Intelligence Integration User Guide_Software Version 1.0.1](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%207_Google%20Threat%20Intelligence%20Integration%20User%20Guide_Software%20Version%201.0.1.png) Select an error type to open a drawer with details on all batch errors of that type. ### Attachment Status The **Attachment Status**screen (Figure 8) displays a table with details on ThreatConnect's attempts to download Report Group attachments from Google TI. You can enter Google TI IDs for Groups to filter the table by Group ID, which can be useful if you do not see a Google TI attachment in ThreatConnect as expected, or by status. ![Figure 8_Google Threat Intelligence Integration User Guide_Software Version 1.0.1](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%208_Google%20Threat%20Intelligence%20Integration%20User%20Guide_Software%20Version%201.0.1.png) ## Data Mappings The data mappings in Table 2 through Table 11 illustrate how data are mapped from Google TI API endpoints to the [ThreatConnect data model](https://knowledge.threatconnect.com/docs/the-threatconnect-data-model). ### Campaign ThreatConnect object type: Campaign Group | Google TI API Field | ThreatConnect Field | | --- | --- | | id | - Attribute: "External ID" - Attribute: "Source"NoteThe URL in the default Source attribute includes the Group’s Google TI ID after the last slash (`/`). - xid | | attributes.alt_names_details[].value | Attribute: "Aliases" | | attributes.description | Attribute: "Description" | | attributes.targeted_industries_tree[].industry_group | Attribute: "Targeted Industry Sector" | | attributes.motivations[].value | Attribute: "Adversary Motivation Type" | | attributes.creation_date | External Date Added | | attributes.last_modification_date | External Last Modified | | attributes.last_seen | Attribute: "Last Seen" | | attributes.name | - Name/summary - Attribute: "Name" | | attributes.autogenerated_tags[?starts_with(@, 'cve')] | Tag: "Vulnerability: **" | | attributes.autogenerated_tags[?!starts_with(@, 'cve')] | Tag | | attributes.alt_names_details[].value | Tag: "Intrusion Set: **" | | attack_techniques[].id | [ATT&CK Tags](https://knowledge.threatconnect.com/docs/attack-tags) | ### Domain ThreatConnect object type: Host Indicator | Google TI API Field | ThreatConnect Field | | --- | --- | | id | - Name/summary - Attribute: "Source"NoteThe URL in the default Source attribute includes the Indicator’s Google TI ID after the last slash (`/`). | | attributes.gti_assessment.threat_score.value | - Threat rating (if inheriting from Google TI; see the [“Threat Rating Mapping”](/v1/docs/google-threat-intelligence-integration-user-guide#threat-rating-mapping) section) - Attribute: "External Score"NoteThe value of this attribute is an integer from 0–100, mapped directly to the Indicator’s Google TI score. | | attributes.gti_assessment.severity.value | Attribute: "Threat Level" | | attributes.gti_assessment.verdict.value | Attribute: "Verdict" | | attributes.gti_assessment.description | Attribute: "Description" | | attributes.last_https_certificate.thumbprint_sha256 | Attribute: "SSL Certificate Fingerprint" | | attributes.whois | Attribute: "Whois Record" | | attributes.gti_assessment.contributing_factors.gti_confidence_score | Confidence rating | | attributes.creation_date | External Date Added | | attributes.expiration_date | External Date Expires | | attributes.last_modification_date | External Last Modified | | attributes.mandiant_ic_score | Attribute: "Mscore" | | attributes.tags[] | Tag | | attributes.gti_assessment.contributing_factors.normalised_categories[] | Tag | ### File ThreatConnect object type: File Indicator | Google TI API Field | ThreatConnect Field | | --- | --- | | id | - Name/summary - Attribute: "Source"NoteThe URL in the default Source attribute includes the Indicator’s Google TI ID after the last slash (`/`). - MD5, SHA1, and/or SHA256 | | attributes.gti_assessment.threat_score.value | - Threat rating (if inheriting from Google TI; see the [“Threat Rating Mapping”](/v1/docs/google-threat-intelligence-integration-user-guide#threat-rating-mapping) section) - Attribute: "External Score"NoteThe value of this attribute is an integer from 0–100, mapped directly to the Indicator’s [Google TI score](https://docs.cloud.google.com/chronicle/docs/detection/understand-ic-score). | | attributes.ssdeep | Attribute: "ssdeep Hash" | | attributes.mandiant_ic_score | Attribute: "Mscore" | | attributes.names[] | Attribute: "File Name" | | attributes.exiftool.FileType | Attribute: "File Type" | | attributes.pe_info.entry_point | Attribute: "Entry Point" | | attributes.packers | Attribute: "Packer" | | attributes.last_analysis_date | Attribute: "AV Scan Timestamp" | | attributes.malware_config.families[].family | Attribute: "Malware Family" | | attributes.malware_config.families[].configs[].net_info.connections[].port | Attribute: "Port" | | attributes.gti_assessment.verdict.value | Attribute: "Verdict" | | attributes.gti_assessment.contributing_factors.gti_confidence_score | Confidence rating | | attributes.creation_date | External Date Added | | attributes.last_modification_date | External Last Modified | | attributes.first_seen_itw_date | First Seen | | attributes.last_seen_itw_date | Last Seen | | attributes.tags[?starts_with(@, 'cve') \|\| starts_with(@, 'CVE')] | Tag: "Vulnerability: **" | | attributes.tags[?!starts_with(@, 'cve') \|\| starts_with(@, 'CVE')] | Tag | | attributes.malware_config.families[].family | Tag: "Malware families: **" | ### IP Address ThreatConnect object type: Address Indicator | Google TI API Field | ThreatConnect Field | | --- | --- | | id | - Name/summary - Attribute: "Source"NoteThe URL in the default Source attribute includes the Indicator’s Google TI ID after the last slash (`/`). | | attributes.gti_assessment.threat_score.value | - Threat rating (if inheriting from Google TI; see the [“Threat Rating Mapping”](/v1/docs/google-threat-intelligence-integration-user-guide#threat-rating-mapping) section) - Attribute: "External Score"NoteThe value of this attribute is an integer from 0–100, mapped directly to the Indicator’s [Google TI score](https://docs.cloud.google.com/chronicle/docs/detection/understand-ic-score). | | attributes.last_https_certificate.thumbprint_sha256 | Attribute: "SSL Certificate Fingerprint" | | attributes.gti_assessment.description | Attribute: "Description" | | attributes.gti_assessment.verdict.value | Attribute: "Verdict" | | attributes.gti_assessment.severity.value | Attribute: "Threat Level" | | attributes.whois | Attribute: "Whois Record" | | attributes.gti_assessment.contributing_factors.gti_confidence_score | Confidence rating | | attributes.first_seen_itw_date | External Date Added | | attributes.last_modification_date | External Last Modified | | attributes.mandiant_ic_score | Attribute: "Mscore" | | attributes.tags[] | Tag | | attributes.gti_assessment.contributing_factors.normalised_categories[] | Tag | ### Malware Family ThreatConnect object type: Malware Group | Google TI API Field | ThreatConnect Field | | --- | --- | | id | - Attribute: "External ID" - Attribute: "Source"NoteThe URL in the default Source attribute includes the Group’s Google TI ID after the last slash (`/`). - xid | | attributes.alt_names_details[].value | Attribute: "Aliases" | | attributes.description | Attribute: "Description" | | attributes.operating_systems[].value | Attribute: "Operating System" | | attributes.malware_roles[].value | Attribute: "Malware Type" | | attributes.targeted_industries_tree[].industry_group | Attribute: "Targeted Industry Sector" | | attributes.creation_date | External Date Added | | attributes.last_modification_date | External Last Modified | | attributes.last_seen | Last Seen | | attributes.name | Name/summary | | attributes.autogenerated_tags[?starts_with(@, 'cve')] | Tag: "Vulnerability: **" | | attributes.autogenerated_tags[?!starts_with(@, 'cve')] | Tag | | attributes.alt_names_details[].value | Tag: "Intrusion Set: **" | | attack_techniques[].id | [ATT&CK Tags](https://knowledge.threatconnect.com/docs/attack-tags) | ### Report ThreatConnect object type: Report Group | Google TI API Field | ThreatConnect Field | | --- | --- | | id | - Attribute: "External ID" - Attribute: "Source"NoteThe URL in the default Source attribute includes the Group’s Google TI ID after the last slash (`/`). - xid - File Name (Report attachment) | | attributes.targeted_industries_tree[].industry_group | Attribute: "Targeted Industry Sector" | | attributes.targeted_regions_hierarchy[].region | Attribute: "Target Region" | | attributes.targeted_regions_hierarchy[].sub_region | Attribute: "Target Sub-region" | | attributes.targeted_regions_hierarchy[].country | Attribute: "Target Country" | | attributes.targeted_regions_hierarchy[].country_iso2 | Attribute: "Target Country Code" | | attributes.content | Attribute: "Description" | | attributes.source_regions_hierarchy[].region | Attribute: "Source Region" | | attributes.source_regions_hierarchy[].sub_region | Attribute: "Source Sub-region" | | attributes.source_regions_hierarchy[].country | Attribute: "Source Country" | | attributes.source_regions_hierarchy[].country_iso2 | Attribute: "Source Country Code" | | attributes.executive_summary | Attribute: "Executive Summary" | | attributes.link | Attribute: "Additional Analysis and Context" | | attributes.report_type | Attribute: "Report Type" | | attributes.motivations[].value | Attribute: "Adversary Motivation Type" | | attributes.analyst_comment | Attribute: "Analyst Notes" | | attributes.creation_date | External Date Added | | attributes.last_modification_date | External Last Modified | | attributes.name | Name/summary | | attributes.autogenerated_tags[?starts_with(@, 'cve')] | Tag: "Vulnerability: **" | | attributes.autogenerated_tags[?!starts_with(@, 'cve')] | Tag | | attack_techniques[].id | [ATT&CK Tags](https://knowledge.threatconnect.com/docs/attack-tags) | ### Software Toolkit ThreatConnect object type: Tool Group | Google TI API Field | ThreatConnect Field | | --- | --- | | id | - Attribute: "External ID" - Attribute: "Source"NoteThe URL in the default Source attribute includes the Group’s Google TI ID after the last slash (`/`). - xid | | attributes.alt_names_details[].value | Attribute: "Aliases" | | attributes.description | Attribute: "Description" | | attributes.operating_systems[].value | Attribute: "Operating System" | | attributes.malware_roles[].value | Attribute: "Malware Type" | | attributes.targeted_industries_tree[].industry_group | Attribute: "Targeted Industry Sector" | | attributes.creation_date | External Date Added | | attributes.last_modification_date | External Last Modified | | attributes.last_seen | Last Seen | | attributes.name | Name/summary | | attributes.autogenerated_tags[?starts_with(@, 'cve')] | Tag: "Vulnerability: **" | | attributes.autogenerated_tags[?!starts_with(@, 'cve')] | Tag | | attributes.alt_names_details[].value | Tag: "Intrusion Set: **" | | attack_techniques[].id | [ATT&CK Tags](https://knowledge.threatconnect.com/docs/attack-tags) | ### Threat Actor ThreatConnect object type: Intrusion Set Group | Google TI API Field | ThreatConnect Field | | --- | --- | | id | - Attribute: "External ID" - Attribute: "Source"NoteThe URL in the default Source attribute includes the Group’s Google TI ID after the last slash (`/`). - xid | | attributes.alt_names_details[].value | Attribute: "Aliases" | | attributes.targeted_industries_tree[].industry_group | Attribute: "Targeted Industry Sector" | | attributes.targeted_regions_hierarchy[].region | Attribute: "Target Region" | | attributes.targeted_regions_hierarchy[].sub_region | Attribute: "Target Sub-region" | | attributes.targeted_regions_hierarchy[].country | Attribute: "Target Country" | | attributes.targeted_regions_hierarchy[].country_iso2 | Attribute: "Target Country Code" | | attributes.description | Attribute: "Description" | | attributes.source_regions_hierarchy[].region | Attribute: "Source Region" | | attributes.source_regions_hierarchy[].sub_region | Attribute: "Source Sub-region" | | attributes.source_regions_hierarchy[].country | Attribute: "Source Country" | | attributes.source_regions_hierarchy[].country_iso2 | Attribute: "Source Country Code" | | attributes.first_seen | First Seen | | attributes.last_seen | Last Seen | | attributes.name | Name/summary | | attributes.alt_names_details[].value | Tag: "Intrusion Set: **" | | attack_techniques[].id | [ATT&CK Tags](https://knowledge.threatconnect.com/docs/attack-tags) | ### URL ThreatConnect object type: URL Indicator | Google TI API Field | ThreatConnect Field | | --- | --- | | id | - Name/summary - Attribute: "Source"NoteThe URL in the default Source attribute includes the Indicator’s Google TI ID after the last slash (`/`). | | attributes.gti_assessment.threat_score.value | - Threat rating (if inheriting from Google TI; see the [“Threat Rating Mapping”](/v1/docs/google-threat-intelligence-integration-user-guide#threat-rating-mapping) section) - Attribute: "External Score"NoteThe value of this attribute is an integer from 0–100, mapped directly to the Indicator’s [Google TI score](https://docs.cloud.google.com/chronicle/docs/detection/understand-ic-score). | | attributes.categories | Attribute: "Category" | | attributes.gti_assessment.severity.value | Attribute: "Threat Level" | | attributes.gti_assessment.verdict.value | Attribute: "Verdict" | | attributes.gti_assessment.description | Attribute: "Description" | | attributes.gti_assessment.contributing_factors.gti_confidence_score | Confidence rating | | attributes.first_seen_itw_date | External Date Added | | attributes.last_modification_date | External Last Modified | | attributes.mandiant_ic_score | Attribute: "Mscore" | | attributes.tags[] | [ATT&CK Tags](https://knowledge.threatconnect.com/docs/attack-tags) | | attributes.threat_names[] | Tag: "Malware: **" | ### Vulnerability ThreatConnect object type: Vulnerability Group | Google TI API Field | ThreatConnect Field | | --- | --- | | id | - Attribute: "External ID" - Attribute: "Source"NoteThe URL in the default Source attribute includes the Group’s Google TI ID after the last slash (`/`). - xid | | attributes.cvss.cvssv3_x.temporal_score | Attribute: "CVSS Temporal Score v3" | | attributes.cvss.cvssv3_x.base_score | Attribute: "CVSS v3 Score" | | attributes.cvss.cvssv3_x.vector | Attribute: "CVSS v3 Vector String" | | attributes.predicted_risk_rating | Attribute: "Severity" | | attributes.exploit_availability | Attribute: "Exploitation State" | | attributes.priority | Attribute: "Vulnerability Priority" | | attributes.description | Attribute: "Description" | | attributes.sources[].url | Attribute: "Additional Analysis and Context" | | attributes.cwe | Attribute: "CWE" | | attributes.exploitation_consequence | Attribute: "Exploitation Consequence" | | attributes.available_mitigation[] | Attribute: "Mitigations" | | attributes.executive_summary | Attribute: "Executive Summary" | | attributes.vendor_fix_references[].url | Attribute: "Vendor Fix URL" | | attributes.cpes[] | Attribute: "Vulnerable Product" | | attributes.cpes[].end_cpe.uri | Attribute: "CPE" | | attributes.mve_id | Attribute: "MVE ID" | | attributes.sources[].name | Attribute: "Data Source Name" | | attributes.cpes[] | Attribute: "Vulnerable Vendor" | | attributes.cpes[] | Attribute: "Product Version" | | attributes.creation_date | External Date Added | | attributes.last_modification_date | External Last Modified | | attributes.name | Name/summary | | attributes.autogenerated_tags[?!starts_with(@, 'cve')] | Tag | | attributes.name | Tag: "Vulnerability: **" | | attack_techniques[].id | [ATT&CK Tags](https://knowledge.threatconnect.com/docs/attack-tags) | ### Threat Rating Mapping If a **Google Threat Intelligence** service is configured to inherit Indicator [threat rating](https://knowledge.threatconnect.com/docs/setting-indicator-threat-and-confidence-ratings) from Google TI, then each ingested Indicator’s threat rating will be mapped to the Indicator’s [Google TI score](https://docs.cloud.google.com/chronicle/docs/detection/understand-ic-score) as shown in Table 12. | Google TI Score | ThreatConnect Threat Rating | | --- | --- | | 0–20 | 1 skull | | 21–40 | 2 skulls | | 41–60 | 3 skulls | | 61–80 | 4 skulls | | 81–100 | 5 skulls | ## Google TI Origin Configuration When configuring the **Origin** parameter in the Feed Deployer, it is recommended to leave both checkboxes (**Crowdsourced** and **Partner**) unselected so that only data from the Google Threat Intelligence origin are ingested. This section provides information on what to expect if you select at least one of these additional origins. ### API Rate Limits Adding data ingestion sources will cause you to reach the API rate limit of your organization’s Google TI license more quickly and for longer periods of time. As a baseline, if you have the lowest-tier Enterprise license and you configure the **Google Threat Intelligence** app to ingest data only from the Google Threat Intelligence origin, you will exhaust the license’s API rate limit of 30,000 API calls per day for approximately one to two days as the app downloads historical data. After that, the API utilization should level out to nominal usage. If you configure the **Google Threat Intelligence** app to ingest crowdsourced or partner data, you will exhaust your organization’s API rate limit for the first few days—or much longer if you select both origins—that the app runs. Data ingested from the Google Threat Intelligence origin have the highest fidelity, followed by data from partners, followed by crowdsourced data. The amount of data ingested, as well as potential noise, increases as those additional origins are selected. ### Ingestion of Duplicate Group Objects If you configure the **Google Threat Intelligence** service to ingest data from the crowdsourced and/or partner origins, the app will create more than one version of some Group objects in the Source for which the service is configured, as in the example in Figure 9. This is because Google TI considers objects directly curated by Google TI research teams to be distinct from corresponding objects curated by other sources, as the origin of each object and the associated metadata are different. ![Figure 9_Google Threat Intelligence Integration User Guide_Software Version 1.0.1](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%209_Google%20Threat%20Intelligence%20Integration%20User%20Guide_Software%20Version%201.0.1.png) The origin of these duplicate Group objects is not currently available on the **Details** screen. However, you can use [ThreatConnect Query Language (TQL)](https://knowledge.threatconnect.com/docs/threatconnect-query-language-tql) to filter on the origin (Google Threat Intelligence, Crowdsourced, or Partner), For example, the following query returns only Groups whose origin is Google Threat Intelligence: ```custom hasAttribute(source = "Google Threat Intelligence") ``` NoteIf using this query as a stand-alone query on the **Search** screen, make sure to run the query on the [**Search: Groups** screen](https://knowledge.threatconnect.com/docs/searching-groups). If using this query as a stand-alone query on the **Legacy Browse**screen, make sure to [filter your view to Groups](https://knowledge.threatconnect.com/docs/the-browse-screen#groups). In addition, you can filter the results in one of the following ways to ensure that only data from the Source for which the **Google Threat Intelligence**service is configured are included: - Select only the Source for which the **Google Threat Intelligence** service is configured from the owners dropdown on the **Search: Groups** screen or in **My Intel Sources** on the **Legacy Browse** screen. - Add the following to the TQL query, replacing `Google Threat Intelligence Source` with the name of the Source for which the **Google Threat Intelligence** service is configured: `and (ownerName in ("Google Threat Intelligence Source"))` ## Frequently Asked Questions (FAQ) **Why isn’t there an option to select the Google Threat Intelligence origin in the Feed Deployer?** By default, the Google Threat Intelligence origin is always selected and cannot be unselected. The **Google Threat Intelligence** app will always ingest data from the Google Threat Intelligence origin. --- **Can I download Google TI Reports as PDFs from my ThreatConnect instance?** You can! When viewing an ingested Report Group’s **Details** screen, click the **Download** button on the **Report File** card on the **Overview** tab to download the Report Group’s PDF file. NoteNot all Report Groups have PDF file attachments. --- **Why do Indicators ingested from the**Google Threat Intelligence**app have multiple scores (threat rating, External Score, and Mscore)?** Each of the Indicator scores provides information on a different scale or different source: - **[Threat rating](https://knowledge.threatconnect.com/docs/setting-indicator-threat-and-confidence-ratings)**: This score ranges from 0 skulls to 5 skulls. It may be statically determined in the app’s configuration, or it may be [mapped](/v1/docs/google-threat-intelligence-integration-user-guide#threat-rating-mapping) to the Indicator’s [Google TI score](https://docs.cloud.google.com/chronicle/docs/detection/understand-ic-score). - **External Score**: This score, provided in the "External Score" Attribute, represents the Indicator’s [Google TI score](https://docs.cloud.google.com/chronicle/docs/detection/understand-ic-score) and ranges from 0–100. - **Mscore**: The Mscore, or Mandiant™ score, is a legacy value that ranges from 0–100. It will likely be discontinued in the future and should be used for reference purposes only. These different options enable you to filter on your score of choice as you build automations and TQL queries. --- **Why are there multiple Group objects with the same name in the Source for the**Google Threat Intelligence**app?** See the [“Ingestion of Duplicate Group Objects”](/v1/docs/google-threat-intelligence-integration-user-guide#ingestion-of-duplicate-group-objects) section. --- *ThreatConnect® is a registered trademark, and TC Exchange™ is a trademark, of ThreatConnect, Inc. Google® is a registered trademark, and Mandiant™ is a trademark, of Google LLC. MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation. JavaScript® is a registered trademark of Oracle Corporation.* 30095-01 EN Rev. A