Google Threat Intelligence
Google Threat Intelligence integrates with the VirusTotal platform to synchronize real-time vulnerability threat data and Attack Surface Management (ASM) findings and entity assets into the Brinqa Platform. You can bring CVE records, vulnerability findings, violation findings, alert findings, and 27 types of ASM entity assets from Google Threat Intelligence into Brinqa to gain a unified view of your attack surface, thus strengthening your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with Google Threat Intelligence and how to obtain that information from Google. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select Google Threat Intelligence from the Connector dropdown. If you cannot find the connector in the dropdown, make sure that you have installed it first. You must provide the following information to authenticate Google Threat Intelligence with Brinqa:
- URL: The Google Threat Intelligence API URL. The default URL is https://www.virustotal.com.
- API Key: The API key for authenticating with the VirusTotal / Google Threat Intelligence API.
Obtain the API key from Google Threat Intelligence
The connector authenticates using an API key provided by VirusTotal / Google Threat Intelligence. All API requests include the API key as a custom header:
X-APIKEY: <your-api-key>
To obtain the API key, log in to your VirusTotal account and navigate to your profile settings to find or generate your API key.
Additional settings
The Google Threat Intelligence connector contains additional options for specific configuration:
- Page size: The maximum number of records to get per API request. The default setting is 1000. It is not recommended to go over 1000.
- Maximum retries: The maximum number of times that the integration attempts to connect to the Google Threat Intelligence API before giving up and reporting a failure. The default setting is 5.
Types of data to retrieve
The Google Threat Intelligence connector can retrieve the following types of data from the VirusTotal API:
Table 1: Data retrieved from Google Threat Intelligence
| Category | Connector Object | Required | Maps to Data Model |
|---|---|---|---|
| Alert Management | Alert | Yes | Alert |
| Alert Management | Alert Definition | Yes | Alert Definition |
| ASM Entity Assets | Api Endpoint | No | API Endpoint |
| ASM Entity Assets | App Endpoint | No | Site |
| ASM Entity Assets | Autonomous System | No | Cloud Resource |
| ASM Entity Assets | Aws EC2 Instance | No | Host |
| ASM Entity Assets | Aws Rds Db Instance | No | Host |
| ASM Entity Assets | Aws S3 Bucket | No | Cloud Resource |
| ASM Entity Assets | Azure Storage Account | No | Cloud Resource |
| ASM Entity Assets | Azure Virtual Machine | No | Host |
| ASM Entity Assets | Dns Record | No | Site |
| ASM Entity Assets | Domain | No | Site |
| ASM Entity Assets | Email Address | No | Person |
| ASM Entity Assets | GCP API Gateway | No | Cloud Resource |
| ASM Entity Assets | GCP App Engine Application | No | Cloud Resource |
| ASM Entity Assets | GCP Cloud Function | No | Cloud Resource |
| ASM Entity Assets | GCP Cloud SQL Instance | No | Host |
| ASM Entity Assets | GCP Compute Engine Instance | No | Host |
| ASM Entity Assets | GCP Storage Bucket | No | Cloud Resource |
| ASM Entity Assets | Github Account | No | Cloud Resource |
| ASM Entity Assets | Github Repository | No | Code Project |
| ASM Entity Assets | Ip Address | No | Host |
| ASM Entity Assets | Nameserver | No | Site |
| ASM Entity Assets | Net Block | No | IP Range |
| ASM Entity Assets | Network Service | No | Host |
| ASM Entity Assets | Ssl Certificate | No | Site Certificate |
| ASM Entity Assets | Unique Keyword | No | Cloud Resource |
| ASM Entity Assets | Unique Token | No | Cloud Resource |
| ASM Entity Assets | Uri | No | Site |
| Compliance Monitoring | Violation | Yes | Violation |
| Compliance Monitoring | Violation Definition | Yes | Violation Definition |
| Vulnerability Intelligence | CveRecord | Yes | CVE Record |
| Vulnerability Management | Vulnerability | Yes | Vulnerability |
| Vulnerability Management | Vulnerability Definition | Yes | Vulnerability Definition |
This diagram shows how Alert, Violation, and Vulnerability connector objects relate to their definitions, CVE Records, and the ASM entity assets they are found in.
Figure 1: Connector object relationships
For detailed steps on how to view the data retrieved from Google Threat Intelligence in the Brinqa Platform, see How to view your data.
Attribute mappings
The sections below list the mappings between the source and the Brinqa data model attributes.
Alert Management
Alert
Table 2: Alert attribute mappings
| Source Field | Attribute Name |
|---|---|
| issue.summary.category | CATEGORIES |
| Current timestamp | LAST_CAPTURED |
| issue.pretty_name (fallback: issue.uid) | NAME |
| issue.summary.status_new | PROVIDER_STATUS |
| issue.description | RESULTS |
| issue.first_seen | SOURCE_CREATED_DATE |
| issue.last_seen | SOURCE_LAST_MODIFIED |
| normalizeFindingStatus(issue.summary.status_new) | SOURCE_STATUS |
| issue.tags | TAGS |
| issue.entity_name | TARGET_NAME |
| issue.entity_type | TARGET_TYPE |
| issue.entity_uid | TARGETS |
| issue.pretty_name (fallback: issue.name, issue.uid) | TYPE |
| issue.uid | UID |
Alert Definition
Table 3: Alert Definition attribute mappings
| Source Field | Attribute Name |
|---|---|
| issue.summary.category | CATEGORIES |
| issue.summary.confidence | CONFIDENCE |
| issue.description | DESCRIPTION |
| Current timestamp | LAST_CAPTURED |
| issue.pretty_name | NAME |
| issue.description | RECOMMENDATION |
| normalizeFindingSeverity(issue.summary.severity) | SEVERITY |
| getFindingSeverityScore(normalizedSeverity) | SEVERITY_SCORE |
| issue.summary.severity | SOURCE_SEVERITY |
| issue.tags | TAGS |
| issue.pretty_name (fallback: issue.name, issue.uid) | UID |
ASM Entity Assets
Common Asset Attributes
The following attributes are shared across all 27 ASM entity asset connector objects.
Table 4: Common asset attribute mappings
| Source Field | Attribute Name |
|---|---|
| entity.alias_group | ALIAS_GROUP |
| entity.summary.geolocation.city | CITY |
| entity.summary.technology.cloud_providers | CLOUD_PROVIDER |
| entity.collection | COLLECTION_NAME |
| entity.summary.geolocation.country_code | COUNTRY_CODE |
| entity.type | ENTITY_TYPE |
| entity.exfil_lookup_identifier | EXFIL_LOOKUP_IDENTIFIER |
| entity.first_seen | FIRST_SEEN |
| Current timestamp | LAST_CAPTURED |
| entity.last_seen | LAST_SEEN |
| entity.summary.geolocation.latitude | LATITUDE |
| entity.summary.geolocation.country_name | LOCATION |
| entity.summary.geolocation.longitude | LONGITUDE |
| entity.name (fallback: entity.uid) | NAME |
| entity.summary.network.asn | NETWORK_ASN |
| entity.summary.network.name | NETWORK_NAME |
| entity.summary.network.route | NETWORK_ROUTE |
| entity.summary.network.type | NETWORK_TYPE |
| entity.summary.resolutions | RESOLUTIONS |
| entity.summary.scoped | SCOPED |
| entity.seed | SEED |
| Hardcoded ACTIVE | STATUS |
| entity.tags | TAGS |
| entity.summary.ports.tcp | TCP_PORTS |
| entity.summary.technology.technologies | TECHNOLOGIES |
| entity.summary.ports.udp | UDP_PORTS |
| entity.uid | UID |
Api Endpoint
Includes all Common Asset Attributes plus:
Table 5: Api Endpoint attribute mappings
| Source Field | Attribute Name |
|---|---|
| ASSET_CATEGORY_API_ENDPOINT | CATEGORIES |
| Extracted from entity.name | DNS_NAMES |
| Extracted from entity.name | HOSTNAMES |
| Extracted from entity.name | IP_ADDRESSES |
| Extracted from entity.name | PRIVATE_DNS_NAMES |
| Extracted from entity.name | PRIVATE_IP_ADDRESSES |
| Extracted from entity.name | PUBLIC_DNS_NAMES |
| Extracted from entity.name | PUBLIC_IP_ADDRESSES |
App Endpoint
Includes all Common Asset Attributes plus:
Table 6: App Endpoint attribute mappings
| Source Field | Attribute Name |
|---|---|
| ASSET_CATEGORY_API_ENDPOINT | CATEGORIES |
| Extracted from entity.name | DNS_NAMES |
| Extracted from entity.name | HOSTNAMES |
| Extracted from entity.name | IP_ADDRESSES |
| Extracted from entity.name | PRIVATE_DNS_NAMES |
| Extracted from entity.name | PRIVATE_IP_ADDRESSES |
| Extracted from entity.name | PUBLIC_DNS_NAMES |
| Extracted from entity.name | PUBLIC_IP_ADDRESSES |
Autonomous System
Includes all Common Asset Attributes plus:
Table 7: Autonomous System attribute mappings
| Source Field | Attribute Name |
|---|---|
| ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
Aws EC2 Instance
Includes all Common Asset Attributes plus:
Table 8: Aws EC2 Instance attribute mappings
| Source Field | Attribute Name |
|---|---|
| ASSET_CATEGORY_HOST | CATEGORIES |
| Extracted from entity.name | DNS_NAMES |
| Extracted from entity.name | HOSTNAMES |
| Extracted from entity.name | IP_ADDRESSES |
| Extracted from entity.name | PRIVATE_DNS_NAMES |
| Extracted from entity.name | PRIVATE_IP_ADDRESSES |
| Extracted from entity.name | PUBLIC_DNS_NAMES |
| Extracted from entity.name | PUBLIC_IP_ADDRESSES |
Aws Rds Db Instance
Includes all Common Asset Attributes plus:
Table 9: Aws Rds Db Instance attribute mappings
| Source Field | Attribute Name |
|---|---|
| ASSET_CATEGORY_HOST | CATEGORIES |
| Extracted from entity.name | DNS_NAMES |
| Extracted from entity.name | HOSTNAMES |
| Extracted from entity.name | IP_ADDRESSES |
| Extracted from entity.name | PRIVATE_DNS_NAMES |
| Extracted from entity.name | PRIVATE_IP_ADDRESSES |
| Extracted from entity.name | PUBLIC_DNS_NAMES |
| Extracted from entity.name | PUBLIC_IP_ADDRESSES |
Aws S3 Bucket
Includes all Common Asset Attributes plus:
Table 10: Aws S3 Bucket attribute mappings
| Source Field | Attribute Name |
|---|---|
| ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
Azure Storage Account
Includes all Common Asset Attributes plus:
Table 11: Azure Storage Account attribute mappings
| Source Field | Attribute Name |
|---|---|
| ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
Azure Virtual Machine
Includes all Common Asset Attributes plus:
Table 12: Azure Virtual Machine attribute mappings
| Source Field | Attribute Name |
|---|---|
| ASSET_CATEGORY_HOST | CATEGORIES |
Dns Record
Includes all Common Asset Attributes plus:
Table 13: Dns Record attribute mappings
| Source Field | Attribute Name |
|---|---|
| ASSET_CATEGORY_WEB_APPLICATION | CATEGORIES |
Domain
Includes all Common Asset Attributes plus:
Table 14: Domain attribute mappings
| Source Field | Attribute Name |
|---|---|
| ASSET_CATEGORY_WEB_APPLICATION | CATEGORIES |
| Extracted from entity.name | DNS_NAMES |
| Extracted from entity.name | HOSTNAMES |
| Extracted from entity.name | IP_ADDRESSES |
| Extracted from entity.name | PRIVATE_DNS_NAMES |
| Extracted from entity.name | PRIVATE_IP_ADDRESSES |
| Extracted from entity.name | PUBLIC_DNS_NAMES |
| Extracted from entity.name | PUBLIC_IP_ADDRESSES |
Email Address
Includes all Common Asset Attributes plus:
Table 15: Email Address attribute mappings
| Source Field | Attribute Name |
|---|---|
| ASSET_CATEGORY_PERSON | CATEGORIES |
GCP API Gateway
Includes all Common Asset Attributes plus:
Table 16: GCP API Gateway attribute mappings
| Source Field | Attribute Name |
|---|---|
| ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
GCP App Engine Application
Includes all Common Asset Attributes plus:
Table 17: GCP App Engine Application attribute mappings
| Source Field | Attribute Name |
|---|---|
| ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
GCP Cloud Function
Includes all Common Asset Attributes plus:
Table 18: GCP Cloud Function attribute mappings
| Source Field | Attribute Name |
|---|---|
| ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
GCP Cloud SQL Instance
Includes all Common Asset Attributes plus:
Table 19: GCP Cloud SQL Instance attribute mappings
| Source Field | Attribute Name |
|---|---|
| ASSET_CATEGORY_HOST | CATEGORIES |
GCP Compute Engine Instance
Includes all Common Asset Attributes plus:
Table 20: GCP Compute Engine Instance attribute mappings
| Source Field | Attribute Name |
|---|---|
| ASSET_CATEGORY_HOST | CATEGORIES |
GCP Storage Bucket
Includes all Common Asset Attributes plus:
Table 21: GCP Storage Bucket attribute mappings
| Source Field | Attribute Name |
|---|---|
| ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
Github Account
Includes all Common Asset Attributes plus:
Table 22: Github Account attribute mappings
| Source Field | Attribute Name |
|---|---|
| ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
Github Repository
Includes all Common Asset Attributes plus:
Table 23: Github Repository attribute mappings
| Source Field | Attribute Name |
|---|---|
| ASSET_CATEGORY_CODE_REPOSITORY | CATEGORIES |
Ip Address
Includes all Common Asset Attributes plus:
Table 24: Ip Address attribute mappings
| Source Field | Attribute Name |
|---|---|
| ASSET_CATEGORY_HOST | CATEGORIES |
| Extracted from entity.name | DNS_NAMES |
| Extracted from entity.name | HOSTNAMES |
| Extracted from entity.name | IP_ADDRESSES |
| Extracted from entity.name | PRIVATE_DNS_NAMES |
| Extracted from entity.name | PRIVATE_IP_ADDRESSES |
| Extracted from entity.name | PUBLIC_DNS_NAMES |
| Extracted from entity.name | PUBLIC_IP_ADDRESSES |
Nameserver
Includes all Common Asset Attributes plus:
Table 25: Nameserver attribute mappings
| Source Field | Attribute Name |
|---|---|
| ASSET_CATEGORY_WEB_APPLICATION | CATEGORIES |
Net Block
Includes all Common Asset Attributes plus:
Table 26: Net Block attribute mappings
| Source Field | Attribute Name |
|---|---|
| ASSET_CATEGORY_NETWORK | CATEGORIES |
Network Service
Includes all Common Asset Attributes plus:
Table 27: Network Service attribute mappings
| Source Field | Attribute Name |
|---|---|
| ASSET_CATEGORY_HOST | CATEGORIES |
| Extracted from entity.name | DNS_NAMES |
| Extracted from entity.name | HOSTNAMES |
| Extracted from entity.name | IP_ADDRESSES |
| Extracted from entity.name | PRIVATE_DNS_NAMES |
| Extracted from entity.name | PRIVATE_IP_ADDRESSES |
| Extracted from entity.name | PUBLIC_DNS_NAMES |
| Extracted from entity.name | PUBLIC_IP_ADDRESSES |
Ssl Certificate
Includes all Common Asset Attributes plus:
Table 28: Ssl Certificate attribute mappings
| Source Field | Attribute Name |
|---|---|
| ASSET_CATEGORY_CERTIFICATE | CATEGORIES |
Unique Keyword
Includes all Common Asset Attributes plus:
Table 29: Unique Keyword attribute mappings
| Source Field | Attribute Name |
|---|---|
| ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
Unique Token
Includes all Common Asset Attributes plus:
Table 30: Unique Token attribute mappings
| Source Field | Attribute Name |
|---|---|
| ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
Uri
Includes all Common Asset Attributes plus:
Table 31: Uri attribute mappings
| Source Field | Attribute Name |
|---|---|
| ASSET_CATEGORY_WEB_APPLICATION | CATEGORIES |
| Extracted from entity.name | DNS_NAMES |
| Extracted from entity.name | HOSTNAMES |
| Extracted from entity.name | IP_ADDRESSES |
| Extracted from entity.name | PRIVATE_DNS_NAMES |
| Extracted from entity.name | PRIVATE_IP_ADDRESSES |
| Extracted from entity.name | PUBLIC_DNS_NAMES |
| Extracted from entity.name | PUBLIC_IP_ADDRESSES |
Compliance Monitoring
Violation
Table 32: Violation attribute mappings
| Source Field | Attribute Name |
|---|---|
| issue.summary.category | CATEGORIES |
| issue.first_seen | FIRST_FOUND |
| Current timestamp | LAST_CAPTURED |
| issue.last_seen | LAST_FOUND |
| issue.pretty_name (fallback: issue.uid) | NAME |
| issue.summary.status_new | PROVIDER_STATUS |
| issue.description | RESULTS |
| normalizeFindingStatus(issue.summary.status_new) | SOURCE_STATUS |
| issue.tags | TAGS |
| issue.entity_name | TARGET_NAME |
| issue.entity_type | TARGET_TYPE |
| issue.entity_uid | TARGETS |
| issue.pretty_name (fallback: issue.name, issue.uid) | TYPE |
| issue.uid | UID |
Violation Definition
Table 33: Violation Definition attribute mappings
| Source Field | Attribute Name |
|---|---|
| issue.summary.category | CATEGORIES |
| issue.summary.confidence | CONFIDENCE |
| issue.description | DESCRIPTION |
| Current timestamp | LAST_CAPTURED |
| issue.pretty_name | NAME |
| issue.description | RECOMMENDATION |
| normalizeFindingSeverity(issue.summary.severity) | SEVERITY |
| getFindingSeverityScore(normalizedSeverity) | SEVERITY_SCORE |
| issue.summary.severity | SOURCE_SEVERITY |
| issue.tags | TAGS |
| issue.pretty_name (fallback: issue.name, issue.uid) | UID |
Vulnerability Intelligence
CveRecord
Table 34: CveRecord attribute mappings
| Source Field | Attribute Name |
|---|---|
| attributes.available_mitigation | AVAILABLE_MITIGATIONS |
| attributes.collection_type | CATEGORIES |
| attributes.cisa_known_exploited.added_date | CISA_ADDED_DATE |
| attributes.cisa_known_exploited.due_date | CISA_DUE_DATE |
| attributes.cvss.cvssV2.base_score | CVSS_V2_BASE_SCORE |
| attributes.cvss.cvssV2.temporal_score | CVSS_V2_TEMPORAL_SCORE |
| attributes.cvss.cvssV2.vector | CVSS_V2_VECTOR |
| attributes.cvss.cvssV3.base_score | CVSS_V3_BASE_SCORE |
| attributes.cvss.cvssV3.temporal_score | CVSS_V3_TEMPORAL_SCORE |
| attributes.cvss.cvssV3.vector | CVSS_V3_VECTOR |
| attributes.cvss.cvssV4.base_score | CVSS_V4_BASE_SCORE |
| attributes.cvss.cvssV4.vector | CVSS_V4_VECTOR |
| attributes.cwe.id | CWE_IDS |
| attributes.description | DESCRIPTION |
| attributes.date_of_disclosure | DISCLOSED_DATE |
| attributes.epss.percentile | EPSS_PERCENTILE |
| attributes.epss.score | EPSS_SCORE |
| attributes.executive_summary | EXECUTIVE_SUMMARY |
| attributes.exploit_availability | EXPLOIT_AVAILABILITY |
| attributes.exploitation.exploit_release_date | EXPLOIT_RELEASE_DATE |
| attributes.cvss.cvssV4.threat.exploit_maturity | EXPLOIT_MATURITY |
| attributes.exploitation_consequence | EXPLOITATION_CONSEQUENCE |
| attributes.exploitation_state | EXPLOITATION_STATE |
| attributes.exploitation_vectors | EXPLOITATION_VECTORS |
| attributes.exploitation.first_exploitation | FIRST_EXPLOITATION |
| Current timestamp | LAST_CAPTURED |
| attributes.mve_id | MVE_ID |
| attributes.cve_id (fallback: data.id) | NAME |
| attributes.priority | PRIORITY |
| attributes.cisa_known_exploited.ransomware_use | RANSOMWARE_USE |
| attributes.sources[].url | REFERENCES |
| attributes.risk_factors | RISK_FACTORS |
| normalizeFindingSeverity(attributes.risk_rating) | SEVERITY |
| getFindingSeverityScore(normalizedSeverity) | SEVERITY_SCORE |
| attributes.creation_date | SOURCE_CREATED_DATE |
| attributes.last_modification_date | SOURCE_LAST_MODIFIED |
| attributes.risk_rating | SOURCE_RISK_RATING |
| attributes.risk_rating | SOURCE_SEVERITY |
| attributes.tags | TAGS |
| attributes.exploitation.tech_details_release_date | TECH_DETAILS_RELEASE_DATE |
| data.id | UID |
| attributes.cwe.id | WEAKNESSES |
Vulnerability Management
Vulnerability
Table 35: Vulnerability attribute mappings
| Source Field | Attribute Name |
|---|---|
| issue.alias_group | ALIAS_GROUP |
| issue.summary.category | CATEGORIES |
| issue.collection | COLLECTION_NAME |
| issue.description | DESCRIPTION |
| issue.dynamic_id | DYNAMIC_ID |
| issue.first_seen | FIRST_FOUND |
| Current timestamp | LAST_CAPTURED |
| issue.last_seen | LAST_FOUND |
| issue.pretty_name (fallback: issue.name, issue.uid) | NAME |
| issue.summary.status_new | PROVIDER_STATUS |
| issue.description | RESULTS |
| issue.summary.severity | SOURCE_RISK_RATING |
| normalizeFindingStatus(issue.summary.status_new) | SOURCE_STATUS |
| issue.entity_name | TARGET_NAME |
| issue.entity_type | TARGET_TYPE |
| issue.entity_uid | TARGETS |
| issue.pretty_name (fallback: issue.name, issue.uid) | TYPE |
| issue.uid | UID |
Vulnerability Definition
Table 36: Vulnerability Definition attribute mappings
| Source Field | Attribute Name |
|---|---|
| issue.summary.category | CATEGORIES |
| issue.summary.confidence | CONFIDENCE |
| issue.summary.identifiers[].name (filtered by type == "CVE") | CVE_IDS |
| issue.summary.identifiers[].name (filtered by type == "CVE") | CVE_RECORDS |
| issue.description | DESCRIPTION |
| Current timestamp | LAST_CAPTURED |
| issue.pretty_name | NAME |
| issue.description | RECOMMENDATION |
| normalizeFindingSeverity(issue.summary.severity) | SEVERITY |
| getFindingSeverityScore(normalizedSeverity) | SEVERITY_SCORE |
| issue.summary.severity | SOURCE_SEVERITY |
| issue.tags | TAGS |
| issue.pretty_name (fallback: issue.name, issue.uid) | UID |
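
The fallback chain and the CVE filter in Tables 35 and 36, worked through on constructed records. This is an added example, not the connector's own code: the helper names and sample values are hypothetical, and it assumes that the identical `pretty_name` fallback expression used for a finding's TYPE and a definition's UID is what ties the two together.

```python
# Added illustration; field paths follow Tables 35 and 36, all values are constructed.
SAMPLE_ISSUES = [
    {"uid": "issue-001", "name": "exposed_admin_panel", "pretty_name": "Exposed Admin Panel",
     "entity_uid": "entity-aaa", "description": "Admin login reachable from the internet.",
     "summary": {"severity": 3, "identifiers": [
         {"type": "CVE", "name": "CVE-0000-0001"}, {"type": "CWE", "name": "CWE-284"}]}},
    {"uid": "issue-002", "name": "exposed_admin_panel", "pretty_name": "Exposed Admin Panel",
     "entity_uid": "entity-bbb", "description": "Admin login reachable from the internet.",
     "summary": {"severity": 3, "identifiers": [{"type": "CVE", "name": "CVE-0000-0001"}]}},
    {"uid": "issue-003", "name": "weak_tls_config", "pretty_name": None,
     "entity_uid": "entity-aaa", "description": "Legacy protocol versions enabled.",
     "summary": {"severity": 2}},
]


def first_present(*values):
    """Return the first value that is neither None nor empty (the documented fallback chain)."""
    return next((v for v in values if v not in (None, "")), None)


def type_key(issue):
    """pretty_name, falling back to name, then uid: finding TYPE and definition UID."""
    return first_present(issue.get("pretty_name"), issue.get("name"), issue.get("uid"))


def cve_ids(issue):
    """issue.summary.identifiers[].name filtered by type == "CVE", de-duplicated in order."""
    identifiers = (issue.get("summary") or {}).get("identifiers") or []
    names = [i.get("name") for i in identifiers if i.get("type") == "CVE" and i.get("name")]
    return list(dict.fromkeys(names))


def to_finding(issue):
    """Subset of the Table 35 mapping that ties a finding to its target and definition."""
    return {"UID": issue.get("uid"), "NAME": type_key(issue), "TYPE": type_key(issue),
            "TARGETS": issue.get("entity_uid"),
            "SOURCE_RISK_RATING": (issue.get("summary") or {}).get("severity")}


def to_definition(issue):
    """Subset of the Table 36 mapping. SEVERITY and SEVERITY_SCORE are left out because
    the normalisation functions behind them are not documented on this page."""
    ids = cve_ids(issue)
    return {"UID": type_key(issue), "NAME": issue.get("pretty_name"),
            "DESCRIPTION": issue.get("description"), "RECOMMENDATION": issue.get("description"),
            "SOURCE_SEVERITY": (issue.get("summary") or {}).get("severity"),
            "CVE_IDS": ids, "CVE_RECORDS": ids}


def build(issues):
    """Return (findings, definitions keyed by UID). Assumption: the first record seen
    for a definition UID wins; the connector's own merge rule is not documented."""
    findings, definitions = [], {}
    for issue in issues:
        findings.append(to_finding(issue))
        definitions.setdefault(type_key(issue), to_definition(issue))
    return findings, definitions


if __name__ == "__main__":
    findings, definitions = build(SAMPLE_ISSUES)
    for f in findings:
        print(f["UID"], "->", f["TYPE"], definitions[f["TYPE"]]["CVE_IDS"])
```

Three issue records yield three findings but only two definitions, and the record without a `pretty_name` gets a definition whose UID is its `name` while its NAME stays empty, because Table 36 lists no fallback for NAME.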
APIs
The Google Threat Intelligence connector uses the VirusTotal API v3. Specifically, it uses the following endpoints:
Table 37: Google Threat Intelligence API Endpoints
| Connector Object | API Endpoint |
|---|---|
| Alert / Alert Definition | GET {baseUrl}/api/v3/asm/search/issues/severity_gte:1 |
| All ASM Entity Assets | GET {baseUrl}/api/v3/asm/search/entities/type:{EntityType} scoped:true hidden:false |
| CveRecord | GET {baseUrl}/api/v3/collections?filter=collection_type:vulnerability |
| Violation / Violation Definition | GET {baseUrl}/api/v3/asm/search/issues/severity_gte:1 |
| Vulnerability / Vulnerability Definition | GET {baseUrl}/api/v3/asm/search/issues/severity_gte:1 |
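
A way to check a URL and API key pair against the ASM entity search endpoint before saving them in the integration, shown as an added example that is not the connector's code. It builds the request without sending it; the function names are hypothetical and `ExampleType` is a placeholder, since this page does not list the entity type strings the API expects.

```python
from urllib.parse import quote, urlsplit
from urllib.request import Request


def build_entity_search_request(base_url, api_key, entity_type):
    """Build (but do not send) the ASM entity search request from Table 37."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("URL must be https:// so the API key never travels in clear text")
    if not api_key or any(ch.isspace() for ch in api_key):
        raise ValueError("API key is empty or contains whitespace (copy/paste error?)")
    # The search expression is a single path segment: spaces become %20, and a
    # '/' inside entity_type is escaped so it cannot alter the request path.
    expression = f"type:{entity_type} scoped:true hidden:false"
    root = f"https://{parts.netloc}{parts.path.rstrip('/')}"
    url = f"{root}/api/v3/asm/search/entities/{quote(expression, safe=':')}"
    return Request(url, headers={"X-APIKEY": api_key}, method="GET")


def log_safe(request):
    """Describe the request for logs with the API key masked."""
    headers = {name: "***" if name.lower() == "x-apikey" else value
               for name, value in request.header_items()}
    return f"{request.get_method()} {request.full_url} {headers}"


if __name__ == "__main__":
    # Constructed key and placeholder entity type, for illustration only.
    req = build_entity_search_request(
        "https://www.virustotal.com", "constructed-key-123", "ExampleType")
    print(log_safe(req))
```

`urllib` stores the header name as `X-apikey`; HTTP header names are case-insensitive, so this is the same header the page shows.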
Changelog
The Google Threat Intelligence connector has undergone the following changes:
This connector is part of a bundled release with other connectors from the same vendor. If a version shows "No change", it means that the connector version was updated for consistency as part of the bundle, but no functional changes were made to this specific connector. You can update to or skip this version without affecting your existing configuration.
Table 38: Google Threat Intelligence Changelog
| Version | Description | Date Published |
|---|---|---|
| 3.2.16 | Resolved a dependency conflict with Jackson annotations that caused sync failures. | April 30th, 2026 |
| 3.2.13 | Initial Integration+ release. | April 10th, 2026 |