Google Threat Intel Source
The Sumo Logic source for Google Threat Intel enables you to ingest the indicator data from the Google Threat Intelligence API and send it to Sumo Logic as STIX threat indicators. For more information, see About Sumo Logic Threat Intelligence.This integration elevates the value of threat hunting by providing tailored risk profiles, including actors, campaigns, and malware families, to enable proactive threat tracking and mitigation.
Data collected​
| Polling Interval | Data |
|---|---|
| 1 hour | Indicators |
Setup​
Vendor configuration​
Configure Google Threat Intelligence IOC stream​
To ship events to Sumo Logic, you need to configure an IOC stream in Google Threat Intelligence. The Sumo Logic integration exclusively uses the IOC stream to ingest threat intelligence data.
The IOC stream serves as a centralized hub for notifications from your active Livehunt rules and subscriptions to threats and threat profiles. This enables you to create a customized feed of Indicators of Compromise (IOCs) that can then be seamlessly shipped to Sumo Logic.
Set up your IOC stream​
Before integrating with Sumo Logic, ensure that you have an active IOC stream. Your stream can be configured to receive events from one or more of the following GTI sources:
- Threat Profiles
- Threats
- Hunting Rulesets
At least one of these sources must be enabled to populate the IOC stream with data. For more detailed instructions on setting up your IOC stream, refer to the IOC Stream and IOC Stream Subscriptions guides.
Obtain Google Threat Intelligence API key​
The Google Threat Intelligence source requires an API key to interact with the Google Threat Intelligence service.
The IOC stream is directly associated with the user account that configured it. You must use the API key of the user who set up the IOC stream. Using an API key from a different user will prevent Sumo Logic from fetching the correct data.
Follow the steps below to obtain the API key:
- Log in to your Google Threat Intelligence account.
- Select API key under your user name, or visit https://www.virustotal.com/gui/my-apikey.
- Copy your API key from the Google Threat Intelligence API Key section and use it to set up the Sumo Logic source.
Source configuration​
When you create a Google Threat Intel Source, you add it to a Hosted Collector. Before creating the Source, identify the Hosted Collector you want to use or create a new Hosted Collector. For instructions, see Configure a Hosted Collector and Source.
To configure the Google Threat Intel Source:
- New UI. In the Sumo Logic main menu select Data Management, and then under Data Collection select Collection. You can also click the Go To... menu at the top of the screen and select Collection.
Classic UI. In the main Sumo Logic menu, select Manage Data > Collection > Collection. - On the Collectors page, click Add Source next to a Hosted Collector.
- Search for and select the Google Threat Intel icon.
- Enter a Name to display for the Source in Sumo Logic. The description is optional.
- (Optional) For Source Category, enter any string to tag the output collected from the Source. Category metadata is stored in a searchable field called
_sourceCategory. - (Optional) Fields. Click the +Add Field link to define the fields you want to associate. Each field needs a name (key) and value.
 A green circle with a check mark is shown when the field exists and is enabled in the Fields table schema.
 An orange triangle with an exclamation point is shown when the field doesn't exist in the Fields table schema. In this case, you'll see an option to automatically add or enable the nonexistent fields to the Fields table schema. If a field is sent to Sumo Logic that does not exist in the Fields schema it is ignored, known as dropped.
- Enter the API Key collected from the vendor configuration.
- The Polling Interval is set for 1 hour by default. You can adjust it based on your needs.
- When you are finished configuring the Source, click Save.
JSON schema​
Sources can be configured using UTF-8 encoded JSON files with the Collector Management API. See Use JSON to Configure Sources for details.Â
| Parameter | Type | Value | Required | Description |
|---|---|---|---|---|
| schemaRef | JSON Object | {"type":"Google Threat Intel"} | Yes | Define the specific schema type. |
| sourceType | String | "Universal" | Yes | Type of source. |
| config | JSON Object | Configuration object | Yes | Source type specific values. |
Configuration Object​
| Parameter | Type | Required | Default | Description | Example |
|---|---|---|---|---|---|
| name | String | Yes | null | Type a desired name of the source. The name must be unique per Collector. This value is assigned to the metadata field _source. | "mySource" |
| description | String | No | null | Type a description of the source. | "Testing source" |
| category | String | No | null | Type a category of the source. This value is assigned to the metadata field _sourceCategory. See best practices for details. | "mySource/test" |
| fields | JSON Object | No | null | JSON map of key-value fields (metadata) to apply to the Collector or Source. Use the boolean field _siemForward to enable forwarding to SIEM. | {"_siemForward": false, "fieldA": "valueA"} |
| apiKey | String | Yes | null | API key of your account. | |
| userSourceId | String | GoogleThreatIntelligence | null | The Sumo Logic namespace in which the indicators will be stored. | |
| pollingIntervalMin | Integer | Yes | 1 hour | Time interval (in mins) after which the source will check for new data. Default: 1 hour Minimum: 1 hour Maximum: 12 hours |
JSON example​
loading...
Terraform example​
loading...
FAQ​
Click here for more information about Cloud-to-Cloud sources.