
Commit acaa5c9

authored
Merge pull request #11795 from VirusTotal/GoogleThreatIntelligence
Feat Threat Intelligence Ingestion
2 parents 40b7ad3 + e9f4f6f commit acaa5c9


15 files changed

+1340
-301
lines changed


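--- a/Solutions/Google Threat Intelligence/Data/Solution_GoogleThreatIntelligence.json
+++ b/Solutions/Google Threat Intelligence/Data/Solution_GoogleThreatIntelligence.json
@@ -15,10 +15,11 @@
 "Playbooks/GTIEnrichment/GTI-EnrichEntity/GTI-EnrichIP/azuredeploy.json",
 "Playbooks/GTIEnrichment/GTI-EnrichEntity/GTI-EnrichURL/azuredeploy.json",
 "Playbooks/GTIEnrichment/GTI-EnrichEntity/GTI-EnrichFilehash/azuredeploy.json",
-"Playbooks/GTIEnrichment/GTI-EnrichEntity/GTI-EnrichDomain/azuredeploy.json"
+"Playbooks/GTIEnrichment/GTI-EnrichEntity/GTI-EnrichDomain/azuredeploy.json",
+"Playbooks/GTIThreatList/azuredeploy.json"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Google Threat Intelligence",
-"Version": "3.0.0",
+"Version": "3.1.0",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "StaticDataConnectorIds": []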
16 KB
Binary file not shown.

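--- a/Solutions/Google Threat Intelligence/Package/createUiDefinition.json
+++ b/Solutions/Google Threat Intelligence/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
 "config": {
 "isWizard": false,
 "basics": {
-"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/GoogleThreatIntelligence.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Google%20Threat%20Intelligence/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThis Google Threat Intelligence Solution contains Playbooks that can help enrich incident information with threat information and intelligence for IPs, file hashes and URLs from Google Threat Intelligence. Enriched information can help drive focused investigations in Security Operations.\n\n**Custom Azure Logic Apps Connectors:** 1, **Playbooks:** 6\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/GoogleThreatIntelligence.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Google%20Threat%20Intelligence/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThis Google Threat Intelligence Solution contains Playbooks that can help enrich incident information with threat information and intelligence for IPs, file hashes and URLs from Google Threat Intelligence. Enriched information can help drive focused investigations in Security Operations.\n\n**Custom Azure Logic Apps Connectors:** 1, **Playbooks:** 7\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",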
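Review bot: The playbook count in the `description` string is bumped to 7, but the summary sentence in the same string still says the solution only enriches "IPs, file hashes and URLs", so the install page does not tell the user what the seventh playbook (GTIThreatList, per the Solution data file in this commit) adds. Since the PR title and the connector readme describe it as threat-list ingestion, consider extending that sentence along the lines of `... for IPs, file hashes, URLs and domains from Google Threat Intelligence, plus a playbook that ingests Google Threat Intelligence threat lists as STIX indicators.` Keep the `\n` escaping and the existing markdown links intact; this string is parsed as strict JSON by the portal.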

Solutions/Google Threat Intelligence/Package/mainTemplate.json

Lines changed: 730 additions & 154 deletions

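--- a/Solutions/Google Threat Intelligence/Playbooks/CustomConnector/GTICustomConnector/azuredeploy.json
+++ b/Solutions/Google Threat Intelligence/Playbooks/CustomConnector/GTICustomConnector/azuredeploy.json
@@ -335,6 +335,8 @@
 "name": "x-tool",
 "type": "string",
 "required": true,
+"x-ms-summary": "Tool",
+"description": "Name of the tool",
 "default": "MSFTSentinel"
 }
 ]
@@ -580,6 +582,8 @@
 "in": "header",
 "name": "x-tool",
 "type": "string",
+"x-ms-summary": "Tool",
+"description": "Name of the tool",
 "required": true,
 "default": "MSFTSentinel"
 }
@@ -814,6 +818,8 @@
 {
 "in": "header",
 "name": "x-tool",
+"x-ms-summary": "Tool",
+"description": "Name of the tool",
 "type": "string",
 "required": true,
 "default": "MSFTSentinel"
@@ -1053,6 +1059,8 @@
 {
 "in": "header",
 "name": "x-tool",
+"x-ms-summary": "Tool",
+"description": "Name of the tool",
 "type": "string",
 "required": true,
 "default": "MSFTSentinel"
@@ -1206,6 +1214,8 @@
 {
 "in": "header",
 "name": "x-tool",
+"x-ms-summary": "Tool",
+"description": "Name of the tool",
 "type": "string",
 "required": true,
 "default": "MSFTSentinel"
@@ -1261,12 +1271,160 @@
 {
 "in": "header",
 "name": "x-tool",
+"x-ms-summary": "Tool",
+"description": "Name of the tool",
 "type": "string",
 "required": true,
 "default": "MSFTSentinel"
 }
 ]
 }
+},
+"/threat_lists/{category}/{timestamp}": {
+"get": {
+"summary": "Get threat list",
+"description": "Obtain list of threats given the category of the threats and the timestamp of the desired hour.",
+"responses": {
+"200": {
+"description": "default",
+"schema": {
+"type": "object",
+"properties": {
+"sourcesystem": {
+"type": "string",
+"description": "sourcesystem"
+},
+"indicators": {
+"type": "array",
+"items": {
+"type": "object",
+"properties": {
+"spec_version": {
+"type": "string",
+"description": "spec_version"
+},
+"created_by_ref": {
+"type": "string",
+"description": "created_by_ref"
+},
+"id": {
+"type": "string",
+"description": "id"
+},
+"type": {
+"type": "string",
+"description": "type"
+},
+"created": {
+"type": "string",
+"description": "created"
+},
+"modified": {
+"type": "string",
+"description": "modified"
+},
+"name": {
+"type": "string",
+"description": "name"
+},
+"valid_from": {
+"type": "string",
+"description": "valid_from"
+},
+"pattern_type": {
+"type": "string",
+"description": "pattern_type"
+},
+"pattern": {
+"type": "string",
+"description": "pattern"
+},
+"extensions": {
+"type": "object",
+"properties": {
+"entension-definition--d4ff44e6-a017-5b6d-ac64-3d18ba052642": {
+"type": "object",
+"properties": {
+"verdict": {
+"type": "object",
+"properties": {
+"value": {
+"type": "string",
+"description": "value"
+}
+},
+"description": "verdict"
+},
+"threat_score": {
+"type": "object",
+"properties": {
+"value": {
+"type": "integer",
+"format": "int32",
+"description": "value"
+}
+},
+"description": "threat_score"
+},
+"severity": {
+"type": "object",
+"properties": {
+"value": {
+"type": "string",
+"description": "value"
+}
+},
+"description": "severity"
+}
+},
+"description": "entension-definition--d4ff44e6-a017-5b6d-ac64-3d18ba052642"
+}
+},
+"description": "extensions"
+}
+}
+},
+"description": "indicators"
+}
+}
+}
+},
+"default": {
+"description": "default"
+}
+},
+"operationId": "get_threat_list",
+"parameters": [
+{
+"name": "category",
+"in": "path",
+"required": true,
+"type": "string",
+"x-ms-summary": "category",
+"description": "Name of the category",
+"x-ms-url-encoding": "single"
+},
+{
+"name": "timestamp",
+"in": "path",
+"required": true,
+"type": "string",
+"x-ms-summary": "timestamp",
+"description": "Timestamp in format YYYYMMDDHH",
+"x-ms-url-encoding": "single"
+},
+{
+"name": "format",
+"in": "query",
+"required": false,
+"type": "string",
+"default": "stix-sentinel-api",
+"x-ms-visibility": "internal",
+"x-ms-summary": "format",
+"description": "Format of the response"
+}
+]
+}
 }
 },
 "definitions": {},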
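Review bot: The new `/threat_lists/{category}/{timestamp}` response schema in the last hunk keys the STIX extension object as `"entension-definition--d4ff44e6-a017-5b6d-ac64-3d18ba052642"` (both the property name and its `description`), which looks like a typo of the STIX 2.1 `extension-definition--<uuid>` prefix; if the API returns the correctly spelled key, the nested `verdict`, `threat_score` and `severity` values will not resolve as dynamic content in the Logic App designer and the ingestion playbook would silently get empty fields, so please confirm the key against a real response. The `timestamp` path parameter is documented as `YYYYMMDDHH` but declared as an unconstrained string; adding `"pattern": "^[0-9]{10}$"` to that parameter would reject malformed values at the connector boundary instead of producing an opaque API error. The `"description": "default"` on the `200` response is uninformative; `"description": "STIX bundle of indicators for the requested category and hour"` would help readers of the generated connector page. The enclosing `paths` object and the preceding operation begin outside this hunk.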

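--- a/Solutions/Google Threat Intelligence/Playbooks/CustomConnector/GTICustomConnector/readme.md
+++ b/Solutions/Google Threat Intelligence/Playbooks/CustomConnector/GTICustomConnector/readme.md
@@ -92,6 +92,15 @@ This document provides detailed descriptions of all actions available in the Goo
 * **Input:** Analysis ID (string).
 * **Output:** Analysis information (object) including status and results.
 
+### Threat List
+
+* **Get Threat List**
+
+* **Description:** Retrieval of all google threat information for the last hour in a specific category.
+* **Input:** Category (string).
+* **Output:** JSON bundle with indicators in STIX format.
+
+
 **Note:** All actions require an API key for authentication. Please refer to the "Pre-requisites" section in the `readme.md` file for instructions on obtaining and using your API key.
 
 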