Google Threat Intelligence for MSFT Sentinel

Configuration and use guide

Overview

Google Threat Intelligence for Sentinel integrates Google Threat Intelligence to enrich your security investigations with valuable context and threat information. It achieves this by deploying playbooks designed to automatically gather intelligence on indicators like IPs, file hashes and URLs from Google's extensive threat database.

Installation

Prerequisites

This integration depends on a custom connector, which can be deployed using the template located at https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Google Threat Intelligence/Playbooks/CustomConnectors/GTICustomConnector/azuredeploy.json

Deploy to Azure

If the Deploy to Azure button does not work, deploy the custom connector using Template Specs in Sentinel.

  1. Download azuredeploy.json of the Custom Connector.
  2. Open Template Specs in Sentinel.
  3. Select Import Template and select azuredeploy.json. (Screenshot: Template Specs field)
  4. Fill in the fields and click on Review + Create. (Screenshot: Deploy custom connector)
  5. Click on Deploy.
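The same custom connector deployment can be scripted with Az PowerShell instead of the portal button or a Template Spec. This is an added example, not part of the solution's own files; the resource group name is a placeholder, and the space in the template path is percent-encoded so the URI is valid when passed to the cmdlet.

```powershell
# Added example (not part of the GTI solution): deploy the GTI custom connector
# with Az PowerShell. Requires the Az.Resources module and an authenticated
# session (Connect-AzAccount) with rights to deploy into the resource group.
$resourceGroup = 'rg-sentinel-example'   # placeholder: your Sentinel resource group

# Same template as in the guide; "%20" replaces the space in the solution folder name.
$templateUri = 'https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Google%20Threat%20Intelligence/Playbooks/CustomConnectors/GTICustomConnector/azuredeploy.json'

# Validate first: surfaces template or parameter errors without creating any resource.
$validation = Test-AzResourceGroupDeployment -ResourceGroupName $resourceGroup -TemplateUri $templateUri
if ($validation) {
    $validation | ForEach-Object { Write-Error $_.Message }
    throw 'Template validation failed; fix the reported errors before deploying.'
}

# Deploy. Template parameters without default values are prompted for interactively.
$deployment = New-AzResourceGroupDeployment -Name 'gti-custom-connector' `
    -ResourceGroupName $resourceGroup -TemplateUri $templateUri

if ($deployment.ProvisioningState -ne 'Succeeded') {
    throw "Deployment ended in state '$($deployment.ProvisioningState)'"
}

# Confirm the custom connector resource (Microsoft.Web/customApis) now exists in the group.
Get-AzResource -ResourceGroupName $resourceGroup -ResourceType 'Microsoft.Web/customApis' |
    Select-Object Name, Location, ResourceType
```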

Installing Playbooks

To install the Google Threat Intelligence playbooks, use the Content Hub and the provided templates.

Content Hub

  1. Navigate to the Content Hub.
  2. In the search bar, type and select Google Threat Intelligence.
  3. Click Install.

Now you have Google Threat Intelligence playbook templates ready to use.

Creating and Configuring Playbooks

Creating Playbooks

  1. Navigate to the Automation Dashboard, which you can access from the Sentinel side panel.
  2. Click the Playbook Templates tab.
  3. Search for Google Threat Intelligence in the search bar.
  4. Click the playbook you want to use and click Create Playbook. (Screenshot: Automation Dashboard)
  5. Follow the steps to create the playbook. (Screenshot: Create Playbook)
  6. Click on Create Playbook.

The playbook is now created, but it still needs to be configured.

Configuring a Playbook

Connections

  1. Navigate to the Active Playbooks tab and select the playbook you want to configure.
  2. Click on it and select Edit. You will see all the nodes of the playbook. (Screenshot: Edit Playbook)
  3. Nodes marked with a warning or an invalid connection must be configured: click each one and configure its connection to the GTI API. (Screenshot: Connection)
  4. Click Change Connection.
  5. Create a new connection. (Screenshot: Create New Connection)
  6. Fill in the fields and click Create New.

You will need a Google Threat Intelligence API key.

  7. Use this new connection for the rest of the nodes in the playbook that have an invalid GTI API connection.

Sentinel Permissions

The created playbook needs Sentinel Contributor permissions to be able to edit incidents.

To install and authorize playbooks in Microsoft Sentinel, you need specific resource group permissions. While the Microsoft Sentinel Contributor and Logic App Contributor roles provide access to Sentinel features, they don't provide the necessary resource group-level permissions.

Microsoft recommends using managed identity for playbook authorization. This method requires the user performing the installation to have either the Owner role or the Role Based Access Control Administrator role for the resource group. This approach increases security by allowing playbooks to run without relying on user credentials.

  1. Open the Log Analytics workspace of your Sentinel instance.
  2. Navigate to Access Control (IAM).
  3. Select Add > Add Role Assignment. (Screenshot: Access Control)
  4. Select the Microsoft Sentinel Contributor role.
  5. Select your playbook as the member (search by playbook name). (Screenshot: Add Role Assignment)
  6. Click Review + Assign.

Now your playbook has the permissions for the resource group.
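The role assignment above can also be done and verified with Az PowerShell, which is useful when several playbooks need the same permission. This is an added example, not part of the solution; the resource group and workspace names are placeholders, the playbook name is the one used in the automation example of this guide, and the script assumes the playbook has a system-assigned managed identity.

```powershell
# Added example (not part of the GTI solution): grant the playbook's system-assigned
# managed identity the Microsoft Sentinel Contributor role on the Log Analytics
# workspace, then verify the assignment. Requires Az.Resources and Az.OperationalInsights
# and an account holding Owner or Role Based Access Control Administrator on the group.
$resourceGroup = 'rg-sentinel-example'       # placeholder
$workspaceName = 'law-sentinel-example'      # placeholder: the Sentinel-enabled workspace
$playbookName  = 'GTI-IOCEnrichmentIncident' # playbook name from the guide's automation example
$roleName      = 'Microsoft Sentinel Contributor'

# Playbooks are Logic Apps; read the managed identity principal from the workflow resource.
$playbook = Get-AzResource -ResourceGroupName $resourceGroup `
    -ResourceType 'Microsoft.Logic/workflows' -Name $playbookName
$principalId = $playbook.Identity.PrincipalId
if (-not $principalId) {
    throw "Playbook '$playbookName' has no system-assigned managed identity; enable it under the Logic App's Identity settings first."
}

# Scope the assignment to the workspace only, matching the guide's IAM step (least privilege).
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $resourceGroup -Name $workspaceName
$scope = $workspace.ResourceId

# Idempotent: create the assignment only if it does not already exist.
$existing = Get-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $roleName -Scope $scope
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $roleName -Scope $scope | Out-Null
}

# Verify: every role the playbook identity holds at the workspace scope (including inherited ones).
Get-AzRoleAssignment -ObjectId $principalId -Scope $scope |
    Select-Object RoleDefinitionName, Scope
```

A freshly enabled managed identity can take a short time to replicate in Entra ID; if New-AzRoleAssignment reports that the principal was not found, wait a minute and rerun.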

Using playbooks

Google Threat Intelligence playbooks can be divided into:

  • Enrichment

    • Entity triggered
    • Alert triggered
    • Incident triggered
  • Threat Lists

Enrichment Playbooks

These playbooks add comments to incidents with information about the IoCs. All enrichment comments are added to the incident comments section.

Incident triggered

  1. In the Incidents panel, select the incident you want to enrich.
  2. Click Actions > Run Playbook. (Screenshot: Incident Dashboard)

Here you will see all the entity triggered playbooks that you have deployed.

  3. Select the playbook you want to use and click the Run button. (Screenshot: Run Incident Trigger Playbook)

Alert triggered

Alert triggered playbooks cannot be run manually; they are intended for automation only.

Entity triggered

If you only want to enrich a single IoC:

  1. In the Incident dashboard, select the incident that contains the IoC you want to enrich.
  2. Click View All in the Entities panel.
  3. Select the IoC you want to enrich. (Screenshot: Run Entity Trigger Playbook)
  4. Click Run Playbook.

Automation

Incident Trigger and Alert Trigger playbooks can be used in an automation process.

Microsoft's documentation on running playbooks from automation rules can be found here: https://learn.microsoft.com/en-us/azure/sentinel/automation/run-playbooks?tabs=after-onboarding%2Cincidents%2Cazure%2Cincident-details-new

Automation Example

Creating an Automation Rule

  1. Create an automation rule in the Automation Dashboard. (Screenshot: Automation Dashboard)

In this example, the rule is triggered when an incident is created and runs the GTI-IOCEnrichmentIncident playbook.

  2. Configure the rule with the desired behavior.
  3. Click Apply.

Analytic query rule

  1. In the Analytics dashboard, choose Create > Scheduled Query Rule. (Screenshot: Create Scheduled Query 1)
  2. Enter the rule name and the severity of the incidents generated by this rule. (Screenshot: Create Scheduled Query 2)
  3. In Set rule logic, write a KQL query with the desired logic; in this example the query matches all rows in the IngestIoc_CL table.
  4. In the Alert Enhancement section, define the mapping between Sentinel entities and the columns of the table. (Screenshot: Create Scheduled Query 3)
  5. In Query Scheduling, select how often the rule runs and the time window of data included in the query.
  6. Once all the incident settings are configured, the Automated Response tab lists the automation rules you have created that will be triggered by this rule. (Screenshot: Create Scheduled Query 4)
  7. Once selected, simply click Review + Create.

Release Notes

Version 3.0.0

  • Added Custom Connector to connect to GTI API.
  • Added enrichment playbooks to add comments to the incidents with IoC information.

Support

Copyright (c) 2025 Google. All rights reserved.