
Google Threat Intelligence
Threat Intelligence- Overview
- Setup
- Data & mappings
- Operations & API
- Changelog
The Google Threat Intelligence connector integrates with the VirusTotal platform to synchronize real-time vulnerability threat data and ASM (Attack Surface Management) search issue findings and entity assets into the Brinqa platform. It uses the VirusTotal API v3 to retrieve CVE records from vulnerability collections, security issues from the ASM search issues endpoint, and asset entities from the ASM search entities endpoint.
The connector synchronizes the following categories of data:
- CVE Records — Vulnerability intelligence from the
/api/v3/collectionsendpoint (collection_type: vulnerability) - Vulnerability Findings (ASM) — Search issues with category
vulnerability, along with their definitions - Violation Findings (ASM) — Search issues with categories other than
vulnerability,threat, andleak, along with their definitions - Alert Findings (ASM) — Search issues with categories
threatandleak, along with their definitions - ASM Entity Assets — 27 asset entity types from the
/api/v3/asm/search/entities/endpoint, filtered byscoped:true hidden:false
Data retrieved from Google Threat Intelligence
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Alert (ASM) | Yes | Alert |
| Alert Definition (ASM) | Yes | Alert Definition |
| Api Endpoint | Yes | Api Endpoint |
| App Endpoint | Yes | Site |
| Autonomous System | Yes | Cloud Resource |
| Aws EC2 Instance | Yes | Host |
| Aws Rds Db Instance | Yes | Host |
| Aws S3 Bucket | Yes | Cloud Resource |
| Azure Storage Account | Yes | Cloud Resource |
| Azure Virtual Machine | Yes | Host |
| CveRecord | Yes | Cve Record |
| Dns Record | Yes | Site |
| Domain | Yes | Site |
| Email Address | Yes | Person |
| GCP API Gateway | Yes | Cloud Resource |
| GCP App Engine Application | Yes | Cloud Resource |
| GCP Cloud Function | Yes | Cloud Resource |
| GCP Cloud SQL Instance | Yes | Host |
| GCP Compute Engine Instance | Yes | Host |
| GCP Storage Bucket | Yes | Cloud Resource |
| Github Account | Yes | Cloud Resource |
| Github Repository | Yes | Code Project |
| Ip Address | Yes | Host |
| Nameserver | Yes | Site |
| Net Block | Yes | Ip Range |
| Network Service | Yes | Host |
| Ssl Certificate | Yes | Site Certificate |
| Unique Keyword | Yes | Cloud Resource |
| Unique Token | Yes | Cloud Resource |
| Uri | Yes | Site |
| Violation (ASM) | Yes | Violation |
| Violation Definition (ASM) | Yes | Violation Definition |
| Vulnerability (ASM) | Yes | Vulnerability |
| Vulnerability Definition (ASM) | Yes | Vulnerability Definition |
Model relationships
For detailed steps on how to view the data retrieved from Google Threat Intelligence in the Brinqa Platform, see How to view your data.
Connection settings
When setting up a data integration, select Google Threat Intelligence from the Connector dropdown and provide the following:
| Setting | Required | Default | Description |
|---|---|---|---|
| API URL | Yes | https://www.virustotal.com | Google Threat Intelligence API URL |
| API key | Yes | — | Google Threat Intelligence API Key |
| Page size | No | 1000 | Maximum number of records to get per API request |
| Max retries | No | 5 | Maximum number of retry attempts before giving up a request |
Authentication
The connector authenticates using an API Key provided by VirusTotal / Google Threat Intelligence.
Usage
All API requests include the API key as a custom header:
X-APIKEY: <your-api-key>
Sync Behavior
The connector supports incremental (delta) syncs. When a sync duration is configured, it passes a since (Instant) value to the API and retrieves only records changed since the previous run: ASM search issues and entities are filtered by last_seen_after, and CVE records by last_modification_date. When no since value is supplied, the connector performs a full sync and retrieves all available records.
How to obtain Google Threat Intelligence credentials
Obtain the required credentials (url, apiKey) from your Google Threat Intelligence administrator or the Google Threat Intelligence admin console, then enter them in the connection settings above.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes:
Alert (ASM)
| Source Field Name | SDM Attribute |
|---|---|
| Current timestamp | LAST_CAPTURED |
issue.description | RESULTS |
issue.entity_name | TARGET_NAME |
issue.entity_type | TARGET_TYPE |
issue.entity_uid | TARGETS |
issue.first_seen | SOURCE_CREATED_DATE |
issue.last_seen | SOURCE_LAST_MODIFIED |
issue.pretty_name (fallback: issue.name, issue.uid) | TYPE |
issue.pretty_name (fallback: issue.uid) | NAME |
issue.summary.category | CATEGORIES |
issue.summary.status_new | PROVIDER_STATUS |
issue.tags | TAGS |
issue.uid | UID |
normalizeFindingStatus(issue.summary.status_new) | SOURCE_STATUS |
Alert Definition (ASM)
| Source Field Name | SDM Attribute |
|---|---|
| Current timestamp | LAST_CAPTURED |
getFindingSeverityScore(normalizedSeverity) | SEVERITY_SCORE |
issue.description | DESCRIPTION |
issue.description | RECOMMENDATION |
issue.pretty_name | NAME |
issue.pretty_name (fallback: issue.name, issue.uid) | UID |
issue.summary.category | CATEGORIES |
issue.summary.confidence | CONFIDENCE |
issue.summary.severity | SOURCE_SEVERITY |
issue.tags | TAGS |
normalizeFindingSeverity(issue.summary.severity) | SEVERITY |
Api Endpoint
| Source Field Name | SDM Attribute |
|---|---|
| ASSET_CATEGORY_API_ENDPOINT | CATEGORIES |
Extracted from entity.name | IP_ADDRESSES |
Extracted from entity.name | PUBLIC_IP_ADDRESSES |
Extracted from entity.name | PRIVATE_IP_ADDRESSES |
Extracted from entity.name | DNS_NAMES |
Extracted from entity.name | PUBLIC_DNS_NAMES |
Extracted from entity.name | PRIVATE_DNS_NAMES |
Extracted from entity.name | HOSTNAMES |
App Endpoint
| Source Field Name | SDM Attribute |
|---|---|
| ASSET_CATEGORY_API_ENDPOINT | CATEGORIES |
Extracted from entity.name | IP_ADDRESSES |
Extracted from entity.name | PUBLIC_IP_ADDRESSES |
Extracted from entity.name | PRIVATE_IP_ADDRESSES |
Extracted from entity.name | DNS_NAMES |
Extracted from entity.name | PUBLIC_DNS_NAMES |
Extracted from entity.name | PRIVATE_DNS_NAMES |
Extracted from entity.name | HOSTNAMES |
Autonomous System
| Source Field Name | SDM Attribute |
|---|---|
| ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
Aws EC2 Instance
| Source Field Name | SDM Attribute |
|---|---|
| ASSET_CATEGORY_HOST | CATEGORIES |
Extracted from entity.name | IP_ADDRESSES |
Extracted from entity.name | PUBLIC_IP_ADDRESSES |
Extracted from entity.name | PRIVATE_IP_ADDRESSES |
Extracted from entity.name | DNS_NAMES |
Extracted from entity.name | PUBLIC_DNS_NAMES |
Extracted from entity.name | PRIVATE_DNS_NAMES |
Extracted from entity.name | HOSTNAMES |
Aws Rds Db Instance
| Source Field Name | SDM Attribute |
|---|---|
| ASSET_CATEGORY_HOST | CATEGORIES |
Extracted from entity.name | IP_ADDRESSES |
Extracted from entity.name | PUBLIC_IP_ADDRESSES |
Extracted from entity.name | PRIVATE_IP_ADDRESSES |
Extracted from entity.name | DNS_NAMES |
Extracted from entity.name | PUBLIC_DNS_NAMES |
Extracted from entity.name | PRIVATE_DNS_NAMES |
Extracted from entity.name | HOSTNAMES |
Aws S3 Bucket
| Source Field Name | SDM Attribute |
|---|---|
| ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
Azure Storage Account
| Source Field Name | SDM Attribute |
|---|---|
| ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
Azure Virtual Machine
| Source Field Name | SDM Attribute |
|---|---|
| ASSET_CATEGORY_HOST | CATEGORIES |
CveRecord
| Source Field Name | SDM Attribute |
|---|---|
attributes.available_mitigation | AVAILABLE_MITIGATIONS |
attributes.cisa_known_exploited.added_date | CISA_ADDED_DATE |
attributes.cisa_known_exploited.due_date | CISA_DUE_DATE |
attributes.cisa_known_exploited.ransomware_use | RANSOMWARE_USE |
attributes.collection_type | CATEGORIES |
attributes.creation_date | SOURCE_CREATED_DATE |
attributes.cve_id (fallback: data.id) | NAME |
attributes.cvss.cvssV2.base_score | CVSS_V2_BASE_SCORE |
attributes.cvss.cvssV2.temporal_score | CVSS_V2_TEMPORAL_SCORE |
attributes.cvss.cvssV2.vector | CVSS_V2_VECTOR |
attributes.cvss.cvssV3.base_score | CVSS_V3_BASE_SCORE |
attributes.cvss.cvssV3.temporal_score | CVSS_V3_TEMPORAL_SCORE |
attributes.cvss.cvssV3.vector | CVSS_V3_VECTOR |
attributes.cvss.cvssV4.base_score | CVSS_V4_BASE_SCORE |
attributes.cvss.cvssV4.threat.exploit_maturity | EXPLOIT_MATURITY |
attributes.cvss.cvssV4.vector | CVSS_V4_VECTOR |
attributes.cwe.id | WEAKNESSES |
attributes.cwe.id | CWE_IDS |
attributes.date_of_disclosure | DISCLOSED_DATE |
attributes.description | DESCRIPTION |
attributes.epss.percentile | EPSS_PERCENTILE |
attributes.epss.score | EPSS_SCORE |
attributes.executive_summary | EXECUTIVE_SUMMARY |
attributes.exploit_availability | EXPLOIT_AVAILABILITY |
attributes.exploitation.exploit_release_date | EXPLOIT_RELEASE_DATE |
attributes.exploitation.first_exploitation | FIRST_EXPLOITATION |
attributes.exploitation.tech_details_release_date | TECH_DETAILS_RELEASE_DATE |
attributes.exploitation_consequence | EXPLOITATION_CONSEQUENCE |
attributes.exploitation_state | EXPLOITATION_STATE |
attributes.exploitation_vectors | EXPLOITATION_VECTORS |
attributes.last_modification_date | SOURCE_LAST_MODIFIED |
attributes.mve_id | MVE_ID |
attributes.priority | PRIORITY |
attributes.risk_factors | RISK_FACTORS |
attributes.risk_rating | SOURCE_SEVERITY |
attributes.risk_rating | SOURCE_RISK_RATING |
attributes.sources[].url | REFERENCES |
attributes.tags | TAGS |
| Current timestamp | LAST_CAPTURED |
data.id | UID |
getFindingSeverityScore(normalizedSeverity) | SEVERITY_SCORE |
normalizeFindingSeverity(attributes.risk_rating) | SEVERITY |
Dns Record
| Source Field Name | SDM Attribute |
|---|---|
| ASSET_CATEGORY_WEB_APPLICATION | CATEGORIES |
Domain
| Source Field Name | SDM Attribute |
|---|---|
| ASSET_CATEGORY_WEB_APPLICATION | CATEGORIES |
Extracted from entity.name | IP_ADDRESSES |
Extracted from entity.name | PUBLIC_IP_ADDRESSES |
Extracted from entity.name | PRIVATE_IP_ADDRESSES |
Extracted from entity.name | DNS_NAMES |
Extracted from entity.name | PUBLIC_DNS_NAMES |
Extracted from entity.name | PRIVATE_DNS_NAMES |
Extracted from entity.name | HOSTNAMES |
Email Address
| Source Field Name | SDM Attribute |
|---|---|
| ASSET_CATEGORY_PERSON | CATEGORIES |
GCP API Gateway
| Source Field Name | SDM Attribute |
|---|---|
| ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
GCP App Engine Application
| Source Field Name | SDM Attribute |
|---|---|
| ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
GCP Cloud Function
| Source Field Name | SDM Attribute |
|---|---|
| ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
GCP Cloud SQL Instance
| Source Field Name | SDM Attribute |
|---|---|
| ASSET_CATEGORY_HOST | CATEGORIES |
GCP Compute Engine Instance
| Source Field Name | SDM Attribute |
|---|---|
| ASSET_CATEGORY_HOST | CATEGORIES |
GCP Storage Bucket
| Source Field Name | SDM Attribute |
|---|---|
| ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
Github Account
| Source Field Name | SDM Attribute |
|---|---|
| ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
Github Repository
| Source Field Name | SDM Attribute |
|---|---|
| ASSET_CATEGORY_CODE_REPOSITORY | CATEGORIES |
Ip Address
| Source Field Name | SDM Attribute |
|---|---|
| ASSET_CATEGORY_HOST | CATEGORIES |
Extracted from entity.name | IP_ADDRESSES |
Extracted from entity.name | PUBLIC_IP_ADDRESSES |
Extracted from entity.name | PRIVATE_IP_ADDRESSES |
Extracted from entity.name | DNS_NAMES |
Extracted from entity.name | PUBLIC_DNS_NAMES |
Extracted from entity.name | PRIVATE_DNS_NAMES |
Extracted from entity.name | HOSTNAMES |
Nameserver
| Source Field Name | SDM Attribute |
|---|---|
| ASSET_CATEGORY_WEB_APPLICATION | CATEGORIES |
Net Block
| Source Field Name | SDM Attribute |
|---|---|
| ASSET_CATEGORY_NETWORK | CATEGORIES |
Network Service
| Source Field Name | SDM Attribute |
|---|---|
| ASSET_CATEGORY_HOST | CATEGORIES |
Extracted from entity.name | IP_ADDRESSES |
Extracted from entity.name | PUBLIC_IP_ADDRESSES |
Extracted from entity.name | PRIVATE_IP_ADDRESSES |
Extracted from entity.name | DNS_NAMES |
Extracted from entity.name | PUBLIC_DNS_NAMES |
Extracted from entity.name | PRIVATE_DNS_NAMES |
Extracted from entity.name | HOSTNAMES |
Ssl Certificate
| Source Field Name | SDM Attribute |
|---|---|
| ASSET_CATEGORY_CERTIFICATE | CATEGORIES |
Unique Keyword
| Source Field Name | SDM Attribute |
|---|---|
| ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
Unique Token
| Source Field Name | SDM Attribute |
|---|---|
| ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
Uri
| Source Field Name | SDM Attribute |
|---|---|
| ASSET_CATEGORY_WEB_APPLICATION | CATEGORIES |
Extracted from entity.name | IP_ADDRESSES |
Extracted from entity.name | PUBLIC_IP_ADDRESSES |
Extracted from entity.name | PRIVATE_IP_ADDRESSES |
Extracted from entity.name | DNS_NAMES |
Extracted from entity.name | PUBLIC_DNS_NAMES |
Extracted from entity.name | PRIVATE_DNS_NAMES |
Extracted from entity.name | HOSTNAMES |
Violation (ASM)
| Source Field Name | SDM Attribute |
|---|---|
| Current timestamp | LAST_CAPTURED |
issue.description | RESULTS |
issue.entity_name | TARGET_NAME |
issue.entity_type | TARGET_TYPE |
issue.entity_uid | TARGETS |
issue.first_seen | FIRST_FOUND |
issue.last_seen | LAST_FOUND |
issue.pretty_name (fallback: issue.name, issue.uid) | TYPE |
issue.pretty_name (fallback: issue.uid) | NAME |
issue.summary.category | CATEGORIES |
issue.summary.status_new | PROVIDER_STATUS |
issue.tags | TAGS |
issue.uid | UID |
normalizeFindingStatus(issue.summary.status_new) | SOURCE_STATUS |
Violation Definition (ASM)
| Source Field Name | SDM Attribute |
|---|---|
| Current timestamp | LAST_CAPTURED |
getFindingSeverityScore(normalizedSeverity) | SEVERITY_SCORE |
issue.description | DESCRIPTION |
issue.description | RECOMMENDATION |
issue.pretty_name | NAME |
issue.pretty_name (fallback: issue.name, issue.uid) | UID |
issue.summary.category | CATEGORIES |
issue.summary.confidence | CONFIDENCE |
issue.summary.severity | SOURCE_SEVERITY |
issue.tags | TAGS |
normalizeFindingSeverity(issue.summary.severity) | SEVERITY |
Vulnerability (ASM)
| Source Field Name | SDM Attribute |
|---|---|
| Current timestamp | LAST_CAPTURED |
issue.alias_group | ALIAS_GROUP |
issue.collection | COLLECTION_NAME |
issue.description | DESCRIPTION |
issue.description | RESULTS |
issue.dynamic_id | DYNAMIC_ID |
issue.entity_name | TARGET_NAME |
issue.entity_type | TARGET_TYPE |
issue.entity_uid | TARGETS |
issue.first_seen | FIRST_FOUND |
issue.last_seen | LAST_FOUND |
issue.pretty_name (fallback: issue.name, issue.uid) | NAME |
issue.pretty_name (fallback: issue.name, issue.uid) | TYPE |
issue.summary.category | CATEGORIES |
issue.summary.severity | SOURCE_RISK_RATING |
issue.summary.status_new | PROVIDER_STATUS |
issue.uid | UID |
normalizeFindingStatus(issue.summary.status_new) | SOURCE_STATUS |
Vulnerability Definition (ASM)
| Source Field Name | SDM Attribute |
|---|---|
| Current timestamp | LAST_CAPTURED |
getFindingSeverityScore(normalizedSeverity) | SEVERITY_SCORE |
issue.description | DESCRIPTION |
issue.description | RECOMMENDATION |
issue.pretty_name | NAME |
issue.pretty_name (fallback: issue.name, issue.uid) | UID |
issue.summary.category | CATEGORIES |
issue.summary.confidence | CONFIDENCE |
issue.summary.identifiers[].name (filtered by type == "CVE") | CVE_IDS |
issue.summary.identifiers[].name (filtered by type == "CVE") | CVE_RECORDS |
issue.summary.severity | SOURCE_SEVERITY |
issue.tags | TAGS |
normalizeFindingSeverity(issue.summary.severity) | SEVERITY |
Operations & API
Expand each connector object to see its operation options, delta-sync behavior, and the API it uses. See connector operation options for how to apply operation options (keys and values are case-sensitive).
Alert (ASM)
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Alert (ASM) on every run and applies no incremental date filter.
API
- Type: REST — VirusTotal / Google Threat Intelligence API v3 · Endpoint:
GET {baseUrl}/api/v3/asm/search/issues/severity_gte:1
Alert Definition (ASM)
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Alert Definition (ASM) on every run and applies no incremental date filter.
API
- Type: REST — VirusTotal / Google Threat Intelligence API v3 · Endpoint:
GET {baseUrl}/api/v3/asm/search/issues/severity_gte:1
Api Endpoint
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Api Endpoint on every run and applies no incremental date filter.
API
- Type: REST — VirusTotal / Google Threat Intelligence API v3 · Endpoint:
GET {baseUrl}/api/v3/asm/search/entities/type:ApiEndpoint scoped:true hidden:false
App Endpoint
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of App Endpoint on every run and applies no incremental date filter.
API
- Type: REST — VirusTotal / Google Threat Intelligence API v3 · Endpoint:
GET {baseUrl}/api/v3/asm/search/entities/type:AppEndpoint scoped:true hidden:false
Autonomous System
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Autonomous System on every run and applies no incremental date filter.
API
- Type: REST — VirusTotal / Google Threat Intelligence API v3 · Endpoint:
GET {baseUrl}/api/v3/asm/search/entities/type:AutonomousSystem scoped:true hidden:false
Aws EC2 Instance
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Aws EC2 Instance on every run and applies no incremental date filter.
API
- Type: REST — VirusTotal / Google Threat Intelligence API v3 · Endpoint:
GET {baseUrl}/api/v3/asm/search/entities/type:AwsEC2Instance scoped:true hidden:false
Aws Rds Db Instance
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Aws Rds Db Instance on every run and applies no incremental date filter.
API
- Type: REST — VirusTotal / Google Threat Intelligence API v3 · Endpoint:
GET {baseUrl}/api/v3/asm/search/entities/type:AwsRdsDbInstance scoped:true hidden:false
Aws S3 Bucket
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Aws S3 Bucket on every run and applies no incremental date filter.
API
- Type: REST — VirusTotal / Google Threat Intelligence API v3 · Endpoint:
GET {baseUrl}/api/v3/asm/search/entities/type:AwsS3Bucket scoped:true hidden:false
Azure Storage Account
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Azure Storage Account on every run and applies no incremental date filter.
API
- Type: REST — VirusTotal / Google Threat Intelligence API v3 · Endpoint:
GET {baseUrl}/api/v3/asm/search/entities/type:AzureStorageAccount scoped:true hidden:false
Azure Virtual Machine
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Azure Virtual Machine on every run and applies no incremental date filter.
API
- Type: REST — VirusTotal / Google Threat Intelligence API v3 · Endpoint:
GET {baseUrl}/api/v3/asm/search/entities/type:AzureVirtualMachine scoped:true hidden:false
CveRecord
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of CveRecord on every run and applies no incremental date filter.
API
- Type: REST — VirusTotal / Google Threat Intelligence API v3 · Endpoint:
GET {baseUrl}/api/v3/collections?filter=collection_type:vulnerability
Dns Record
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Dns Record on every run and applies no incremental date filter.
API
- Type: REST — VirusTotal / Google Threat Intelligence API v3 · Endpoint:
GET {baseUrl}/api/v3/asm/search/entities/type:DnsRecord scoped:true hidden:false
Domain
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Domain on every run and applies no incremental date filter.
API
- Type: REST — VirusTotal / Google Threat Intelligence API v3 · Endpoint:
GET {baseUrl}/api/v3/asm/search/entities/type:Domain scoped:true hidden:false
Email Address
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Email Address on every run and applies no incremental date filter.
API
- Type: REST — VirusTotal / Google Threat Intelligence API v3 · Endpoint:
GET {baseUrl}/api/v3/asm/search/entities/type:EmailAddress scoped:true hidden:false
GCP API Gateway
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of GCP API Gateway on every run and applies no incremental date filter.
API
- Type: REST — VirusTotal / Google Threat Intelligence API v3 · Endpoint:
GET {baseUrl}/api/v3/asm/search/entities/type:GcpApiGateway scoped:true hidden:false
GCP App Engine Application
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of GCP App Engine Application on every run and applies no incremental date filter.
API
- Type: REST — VirusTotal / Google Threat Intelligence API v3 · Endpoint:
GET {baseUrl}/api/v3/asm/search/entities/type:GcpAppEngineApplication scoped:true hidden:false
GCP Cloud Function
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of GCP Cloud Function on every run and applies no incremental date filter.
API
- Type: REST — VirusTotal / Google Threat Intelligence API v3 · Endpoint:
GET {baseUrl}/api/v3/asm/search/entities/type:GcpCloudFunction scoped:true hidden:false
GCP Cloud SQL Instance
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of GCP Cloud SQL Instance on every run and applies no incremental date filter.
API
- Type: REST — VirusTotal / Google Threat Intelligence API v3 · Endpoint:
GET {baseUrl}/api/v3/asm/search/entities/type:GcpCloudSQLInstance scoped:true hidden:false
GCP Compute Engine Instance
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of GCP Compute Engine Instance on every run and applies no incremental date filter.
API
- Type: REST — VirusTotal / Google Threat Intelligence API v3 · Endpoint:
GET {baseUrl}/api/v3/asm/search/entities/type:GcpComputeEngineInstance scoped:true hidden:false
GCP Storage Bucket
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of GCP Storage Bucket on every run and applies no incremental date filter.
API
- Type: REST — VirusTotal / Google Threat Intelligence API v3 · Endpoint:
GET {baseUrl}/api/v3/asm/search/entities/type:GcpStorageBucket scoped:true hidden:false
Github Account
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Github Account on every run and applies no incremental date filter.
API
- Type: REST — VirusTotal / Google Threat Intelligence API v3 · Endpoint:
GET {baseUrl}/api/v3/asm/search/entities/type:GithubAccount scoped:true hidden:false
Github Repository
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Github Repository on every run and applies no incremental date filter.
API
- Type: REST — VirusTotal / Google Threat Intelligence API v3 · Endpoint:
GET {baseUrl}/api/v3/asm/search/entities/type:GithubRepository scoped:true hidden:false
Ip Address
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Ip Address on every run and applies no incremental date filter.
API
- Type: REST — VirusTotal / Google Threat Intelligence API v3 · Endpoint:
GET {baseUrl}/api/v3/asm/search/entities/type:IpAddress scoped:true hidden:false
Nameserver
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Nameserver on every run and applies no incremental date filter.
API
- Type: REST — VirusTotal / Google Threat Intelligence API v3 · Endpoint:
GET {baseUrl}/api/v3/asm/search/entities/type:Nameserver scoped:true hidden:false
Net Block
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Net Block on every run and applies no incremental date filter.
API
- Type: REST — VirusTotal / Google Threat Intelligence API v3 · Endpoint:
GET {baseUrl}/api/v3/asm/search/entities/type:NetBlock scoped:true hidden:false
Network Service
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Network Service on every run and applies no incremental date filter.
API
- Type: REST — VirusTotal / Google Threat Intelligence API v3 · Endpoint:
GET {baseUrl}/api/v3/asm/search/entities/type:NetworkService scoped:true hidden:false
Ssl Certificate
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Ssl Certificate on every run and applies no incremental date filter.
API
- Type: REST — VirusTotal / Google Threat Intelligence API v3 · Endpoint:
GET {baseUrl}/api/v3/asm/search/entities/type:SslCertificate scoped:true hidden:false
Unique Keyword
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Unique Keyword on every run and applies no incremental date filter.
API
- Type: REST — VirusTotal / Google Threat Intelligence API v3 · Endpoint:
GET {baseUrl}/api/v3/asm/search/entities/type:UniqueKeyword scoped:true hidden:false
Unique Token
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Unique Token on every run and applies no incremental date filter.
API
- Type: REST — VirusTotal / Google Threat Intelligence API v3 · Endpoint:
GET {baseUrl}/api/v3/asm/search/entities/type:UniqueToken scoped:true hidden:false
Uri
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Uri on every run and applies no incremental date filter.
API
- Type: REST — VirusTotal / Google Threat Intelligence API v3 · Endpoint:
GET {baseUrl}/api/v3/asm/search/entities/type:Uri scoped:true hidden:false
Violation (ASM)
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Violation (ASM) on every run and applies no incremental date filter.
API
- Type: REST — VirusTotal / Google Threat Intelligence API v3 · Endpoint:
GET {baseUrl}/api/v3/asm/search/issues/severity_gte:1
Violation Definition (ASM)
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Violation Definition (ASM) on every run and applies no incremental date filter.
API
- Type: REST — VirusTotal / Google Threat Intelligence API v3 · Endpoint:
GET {baseUrl}/api/v3/asm/search/issues/severity_gte:1
Vulnerability (ASM)
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Vulnerability (ASM) on every run and applies no incremental date filter.
API
- Type: REST — VirusTotal / Google Threat Intelligence API v3 · Endpoint:
GET {baseUrl}/api/v3/asm/search/issues/severity_gte:1
Vulnerability Definition (ASM)
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Vulnerability Definition (ASM) on every run and applies no incremental date filter.
API
- Type: REST — VirusTotal / Google Threat Intelligence API v3 · Endpoint:
GET {baseUrl}/api/v3/asm/search/issues/severity_gte:1
Changelog
The Google Threat Intelligence connector has undergone the following changes:
| Version | Description | Migration Steps |
|---|---|---|
| 3.3.2 | Bug Fixes - Fixed sync failures for all ASM entity and issue models when the GTI API returns no data. The connector now gracefully handles null result responses by returning zero records instead of failing the sync | N/A |
| 3.3.1 | Bug Fixes - Fixed connector failures during Google Cloud operations on certain platform versions. A dependency packaging issue caused the connector to rely on the platform's internal libraries, leading to initialization errors on platforms 11.x and 12.x. The connector now bundles all required dependencies independently. | N/A |
| 3.3.0 | No changes in this release. | N/A |
| 3.2.16 | Bug Fixes - Excluded transitive jackson-annotations, jackson-core, and jackson-databind from google-cloud-bigquery to resolve an InvalidDefinitionException sync failure. | N/A |
| 3.2.15 | No changes in this release. | N/A |
| 3.2.14 | No changes in this release. | N/A |
| 3.2.13 | New Features - Added the Google Threat Intelligence (GTI) connector with full support for vulnerability management, compliance monitoring, alert management, and attack surface discovery - Vulnerability Management — Ingest vulnerabilities, vulnerability definitions, and CVE records with comprehensive enrichment including CVSS scoring (v2, v3, v4), EPSS probability data, CISA Known Exploited Vulnerabilities (KEV) status, and CWE weakness correlation - Compliance Monitoring — Ingest security policy violations and violation definitions to track compliance posture across your attack surface - Alert Management — Ingest threat detection alerts and alert definitions with confidence scoring and severity normalization - Attack Surface Management (ASM) — Discover and ingest 27 asset types across your external attack surface, including: - Network assets: IP Address, Domain, DNS Record, Nameserver, Net Block, Autonomous System, Network Service, SSL Certificate, URI - Application assets: API Endpoint, App Endpoint, Email Address, Unique Keyword, Unique Token - Cloud resources (AWS): EC2 Instance, RDS DB Instance, S3 Bucket - Cloud resources (Azure): Virtual Machine, Storage Account - Cloud resources (GCP): Compute Engine Instance, Cloud SQL Instance, Cloud Function, Storage Bucket, App Engine Application, API Gateway - Code repositories: GitHub Account, GitHub Repository - Delta sync for findings — Finding models support incremental synchronization using last_seen_after timestamp filtering, allowing users to sync only newly detected or updated findings since the last sync - Delta sync for assets — Asset models support incremental synchronization using last_seen_after timestamp filtering, allowing users to sync only newly discovered or updated assets since the last sync - Delta sync for CVE Records — CVE Record model supports incremental synchronization using last_seen_after timestamp filtering, allowing users to sync only newly published or updated CVE records since the last sync - Category-based finding classification — Findings are automatically classified into separate models based on the issue category from the GTI API: - vulnerability → Vulnerability / Vulnerability Definition - threat, leak → Alert / Alert Definition - All other categories (e.g., misconfiguration) → Violation / Violation Definition | N/A |
| 3.2.12 | No changes in this release. | N/A |
| 3.2.11 | No changes in this release. | N/A |
| 3.2.10 | No changes in this release. | N/A |
| 3.2.9 | No changes in this release. | N/A |
| 3.2.8 | No changes in this release. | N/A |
| 3.2.7 | No changes in this release. | N/A |
| 3.2.6 | No changes in this release. | N/A |
| 3.2.5 | No changes in this release. | N/A |
| 3.2.4 | No changes in this release. | N/A |
| 3.2.3 | No changes in this release. | N/A |
| 3.2.2 | No changes in this release. | N/A |
| 3.2.1 | No changes in this release. | N/A |
| 3.2.0 | No changes in this release. | N/A |
| 3.1.3 | No changes in this release. | N/A |
| 3.1.1 | No changes in this release. | N/A |
| 3.1.0 | No changes in this release. | N/A |
| 3.0.10 | No changes in this release. | N/A |
| 3.0.9 | No changes in this release. | N/A |
| 3.0.8 | No changes in this release. | N/A |
| 3.0.7 | No changes in this release. | N/A |
| 3.0.6 | No changes in this release. | N/A |
| 3.0.5 | No changes in this release. | N/A |
| 3.0.4 | No changes in this release. | N/A |
| 3.0.3 | No changes in this release. | N/A |
| 3.0.2 | No changes in this release. | N/A |
| 3.0.1 | No changes in this release. | N/A |
| 3.0.0 | No changes in this release. | N/A |