Documentation

Google Threat Intelligence for MSFT Sentinel

Configuration and use guide

Overview

Google Threat Intelligence for Sentinel integrates Google Threat Intelligence to enrich your security investigations with valuable context and threat information. It achieves this by deploying playbooks designed to automatically gather intelligence on indicators like IPs, file hashes and URLs from Google's extensive threat database.

Installation

Prerrequisites

This integration depends on a custom connector, this can be deployed by using the template located at https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Google Threat Intelligence/Playbooks/CustomConnectors/GTICustomConnector/azuredeploy.json

Deploy to Azure

If deploy button does not work, you should deploy the custom connector by using Template Specs in Sentinel.

  1. Download azuredeploy.json of the Custom Connector.
  2. Open Template Specs in Sentinel.
  3. Select Import Template and select azuredeploy.json.
Template Specs Field
  1. Fill in the fields and click on Review + Create.
Deploy custom connector
  1. Click on Deploy.

Installing Playbooks

To install the Google Threat Intelligence playbooks, use the Content Hub and the provided templates.

Content Hub

  1. Navigate to the Content Hub.
  2. In the search bar, type and select Google Threat Intelligence.
  3. Click Install.

Now you have Google Threat Intelligence playbook templates ready to use it.

Creating and Configuring Playbooks

Creating Playbooks

  1. Navigate to the Automation Dashboard, which you can access from the Sentinel side panel.
  2. Click the Playbook Templates tab.
  3. Search for Google Threat Intelligence in the search bar.
  4. Click the playbook you want to use and click Create Playbook.

Automation Dashboard

  1. Follow the steps to create a playbook.
Create Playbook
  1. And click on Create Playbook.

Now the playbook is created, but we need to configure it.

Configuring a Playbook

Connections
  1. Navigate to the Active Playbooks tab and select the one you want to configure.
  2. Click on it and select Edit. You will see all the nodes of the playbook.
Edit Playbook
  1. Nodes with warnings/invalids should be configured, click on each one and configure the connection to the GTI API.

Connection

Connection
  1. Click Change Connection.
  2. Create a new connection.
Create New Connection
  1. Fill in the fields and click Create New.

You will need a Google Threat Intelligence API key.

  1. Use this new connection for the rest of the nodes in the playbook that have an Invalid GTI API connection.
Sentinel Permissions

The created playbook needs Sentinel Contributor permissions to be able to edit incidents.

To install and authorize playbooks in Microsoft Sentinel, you need specific resource group permissions. While the Microsoft Sentinel Contributor and Logic App Contributor roles provide access to Sentinel features, they don't provide the necessary resource group-level permissions.

Microsoft recommends using managed identity for playbook authorization. This method requires the user performing the installation to have either the Owner role or the Role Based Access Control Administrator role for the resource group. This approach increases security by allowing playbooks to run without relying on user credentials.

  1. In the Log Analysis workspace of your instance.
  2. Navigate to Access Control (IAM).
  3. Add > Add Role Assignment.

Access Control

  1. Select the Microsoft Sentinel Contributor role.
  2. Select your playbook as member (Search by playbook name).

Add Role Assignment

  1. Review + Assign.

Now your playbook has the permissions for the resource group.

Using playbooks

Google Threat Intelligence playbooks can be divided in:

  • Enrichment

    • Entity triggered
    • Alert triggered
    • Incident Triggered

  • Threat Intelligence Ingestion

    • Threat Lists
    • IoC Stream

Threat Intelligence Ingestion Playbooks

These playbooks add Google Threat Intelligence to your Sentinel instance. Use the Sentinel Threat Intelligence panel to view the threats.

Threat Lists

The Threat Lists playbook ingests specific categories of threat intelligence from Google Threat Intelligence into your Microsoft Sentinel instance. To use this playbook:

  1. Configure Categories: When setting up the playbook, you will need to specify which threat list categories you want to ingest. This allows you to tailor the intelligence feed to your specific needs.
  2. Enable Automation: Once configured and enabled, the playbook will automatically trigger every hour. It will fetch the latest threat intelligence from the selected categories.
  3. View Ingested Threats: The ingested threat intelligence data can be viewed and analyzed within the Microsoft Sentinel Threat Intelligence panel. This provides a centralized location to see the threats that have been imported from Google Threat Intelligence.

For more detailed information on available threat list categories and their specifics, please refer to the Threat Lists Documentation.

Configure Threat Lists

IoC Stream

The IoC Stream playbook continuously ingests Indicators of Compromise (IoCs) from Google Threat Intelligence into your Microsoft Sentinel Threat Intelligence. Due to the continuous nature and potential volume of data, this playbook has specific prerequisites and configuration considerations.

Prerequisites:

  • Azure Storage Account: You must have an Azure Storage Account prepared.
    • Purpose: This storage account is used by the playbook to save the timestamp of its last execution. This ensures that in subsequent runs, it only fetches new IoCs since the last successful ingestion, preventing duplication and data gaps.
    • Table Name: The playbook will store this timestamp in a table named GoogleThreatIntelligence within the specified storage account.
  • Storage Table Data Contributor This playbook will need this role to read/write in Table Storage

Playbook Configuration:

  1. Storage Account Configuration:

    • During the playbook setup, you will need to provide the name of your Azure Storage Account.
    • The playbook is designed to automatically create the GoogleThreatIntelligence table within that storage account if it doesn't already exist.

  2. Recurrence Interval (Recurrence Node):

    • The playbook includes a "Recurrence" node that determines how frequently it runs to fetch new IoCs. This can be configured to suit your needs.
    • Important Consideration for High-Volume Streams: If you are ingesting IoC streams known for high data volume, it is crucial not to set a very wide interval between playbook runs (e.g., once every 24 hours for a very active stream).
    • Reasoning: A long interval for a high-volume stream can result in the playbook attempting to fetch an extremely large dataset in a single request. This may lead to timeouts, request failures, or potential loss of IoC information due to the sheer volume. Shorter, more frequent intervals are recommended for such streams to ensure reliable ingestion.
Configure Threat Lists

Once all connections are validated and the necessary configurations (like the Storage Account name and appropriate recurrence) are set, and the playbook is enabled, it will begin ingesting IoCs. These will then be available in the Microsoft Sentinel Threat Intelligence panel.

Enrichment Playbooks

These playbooks add comments to incidents with information about the IoCs. All enrichment comments are added to the incident comments section.

Incident triggered

  1. In the Incidents panel, select the incident you want to enrich.
  2. Click Actions > Run Playbook.

Incident Dashboard

Here you will see all the entity triggered playbooks that you have deployed.

  1. Select the playbook you want to use and click the Run button.
Run Incident Trigger Playbook

Alert triggered

Cannot be triggered manually, only for automation.

Entity triggered

If you only want to enrich 1 IoC:

  1. In the Incident dashboard, select the incident that contains the IoC you want to enrich.
  2. Click View All in the Entities panel.
  3. Select the IoC you want to enrich.
Run Entity Trigger Playbook
  1. Click Run Playbook.

Automation

Incident Trigger and Alert Trigger playbooks can be used in an automation process.

An automation process can be found [here] (https://learn.microsoft.com/en-us/azure/sentinel/automation/run-playbooks?tabs=after-onboarding%2Cincidents%2Cazure%2Cincident-details-new).

Automation Example

Creating an Automation Rule

  1. Create an automation rule in the Automation Dashboard.

Automation Dashboard
This rule will be triggered when an incident is created and the GTI-IOCEnrichmentIncident playbook is run.

  1. Configure the rule with the desired behavior.
  2. Click Apply.

Analytic query rule

  1. In the Analytics dashboard, choose Create > Scheduled Query Rule.
Create Scheduled Query 1
  1. Enter the rule name and the severity of incidents generated by this rule.
Create Scheduled Query 2
  1. In Set rule logic we will write a KQL query with our desired logic, in this example our query will match all rows in the IngestIoc_CL table.
  2. In the Alert Enhancement section, we define the mapping between Sentinel entities and the columns in our table.
Create Scheduled Query 3
  1. In Query Scheduling you can select the frequency of this rule and the date of the data included in the query.
  2. Once you have configured all the incident settings, in the Automated Response tab you will see the automation rules that you have created and that will be triggered by this rule.

Create Scheduled Query 4

  1. Once selected, simply click Review + Create.

Release Notes

Version 3.0.0

  • Added Custom Connector to connect to GTI API.
  • Added enrichment playbooks to add comments to the incidents with IoC information.

Support

Copyright (c) 2025 Google. All rights reserved.

Updated 15 days ago