Google Threat Intelligence (GTI) Integration SKUs
Overview
Google Threat Intelligence (GTI) Integration SKUs allow you to enhance your third-party products ("Customer Product(s)") using Google threat intelligence. The following documentation provides additional details and requirements in connection with your use of the GTI Integration SKUs.
Your use of GTI Integration SKUs to enhance Customer Product(s) is subject to and governed by the agreement under which Google has agreed to provide you with GTI, including the additional GTI Integration SKU Services Terms at https://cloud.google.com/terms/secops/service-terms?hl=en (the “Agreement”). Capitalized terms used but not defined in this documentation have the meaning given to them in the Agreement.
GTI Integration SKUs
The GTI Integration SKUs, as more fully described at https://assets.virustotal.com/google-ti-integration-packages.pdf, include the following:
SKU Name | Features |
---|---|
GTI-INT-Core | ✅ Enhance your Customer Products using information available through GTI ❌ Integration with GTI Widget ❌ Display GTI Widget Data to your end users ❌ Display GTI Platform Security Content to your end users |
GTI-INT-Advanced | ✅ Enhance your Customer Products using information available through GTI ✅ Integration with GTI Widget ✅ Display GTI Widget Data to your end users ✅ Display summaries or aggregations of GTI Widget Data instances to your end users ❌ Dynamic / custom pricing ❌ End-user data display customizations ❌ Go-to-Market plans |
GTI-INT-Custom | ✅ Enhance your Customer Products using information available through GTI ✅ Integration with GTI Widget ✅ Display GTI Widget Data to your end users ✅ Display summaries or aggregations of GTI Widget Data instances to your end users ✅ Dynamic / custom pricing ✅ End-user data display customizations ✅ Joint go-to-market campaigns |
GTI Widget
For the GTI-INT-Advanced and GTI-INT-Custom SKUs only, to integrate the GTI Widget into your Customer Product(s), you must identify each Customer Product by setting up a specific HTTP header ("X-Tool") in the API request to the Google API. Failure to do so within ninety (90) days of Google's request will result in suspension of your GTI access.
GTI Widget Data
For the GTI-INT-Advanced and GTI-INT-Custom SKUs only, the table below identifies the scope of permissible event artifact enrichment field data (collectively, "GTI Widget Data") that you may use to enhance Customer Product End User data and display via the GTI Widget. GTI Widget Data may only be displayed through UI/web display as opposed to programmatic API access by any third-party end users.
Data category | Event artifact enrichment details |
---|---|
Technical identification | Hashes, URL/domain/IP address identifiers, CVEs, file type, file size. |
Reputational information | GTI {verdict, severity, score, assessment explanation}, {YARA, SIGMA, IDS} rule matches, number of antivirus vendors detecting the given IoC. |
Provenance details | File signature information, National Software Reference Library index, Whois information for domains and IP addresses, IP address subnet, IP address autonomous system, IP address geolocation, last HTTPS certificate for domains and IP addresses. |
In-the-wild context | First seen/last seen dates, file names, download URLs. |
Attribution & associations | Threat actor along with brief actor description; Malware family/toolkit along with brief family description; Campaigns along with brief campaign summary; Any other related significant event in the form of GTI (knowledge) collections/campaigns, along with the summary; Related CVEs and the corresponding summaries. |
Threat graph relationships | Contacted URLs (by a file); Contacted domains (by a file); Contacted IPs (by a file); Execution parents (of a file); Passive DNS resolutions (for IP addresses and domains); Downloaded files (from a URL); Referer files (files including a given domain/IP in their bodies); URLs seen behind a domain; Subdomains (of a domain); Compressed parents (bundles containing a given file); Embedded URLs (contained within a file); Embedded domains (contained within a file); Dropped files (created by a file upon detonation). |
Territory restrictions
In connection with your use of the GTI Integration SKUs, you will comply with the territory restrictions described at gtidocs.readme.io/page/territory-restrictions-for-google-threat-intelligence-integration-skus.