Question

I love the idea, but what is the point?

  • May 9, 2026
  • 3 replies
  • 75 views

cincyohio

So, I've been in this community for a while now and I'm still not really sure what it's all about. Since we can't even use the Google/Mandiant tools, why is that what everyone talks about? I think it could be awesome if more members could get involved.

3 replies

ErikaB
Community Manager
  • Community Manager
  • May 14, 2026

Hi @cincyohio,

Thank you for being a part of our community and sharing your feedback. I can see how it might be confusing if you aren’t currently using the tools we discuss most frequently.
To clarify, the Google Cloud Security Community is a specialized hub specifically designed to support the adoption, deployment, and day-to-day use of Google Cloud Security products, including Mandiant solutions. Our goal is to provide a structured environment where security professionals and practitioners can find expert guidance, share best practices, and collaborate on technical challenges.
We talk about these tools because the community serves as:

  • A Technical Resource: Providing quick answers for product enablement and troubleshooting.
  • An Adoption Engine: Offering step-by-step onboarding and adoption guides to help users strengthen their security posture.
  • A Feedback Loop: Allowing members to submit product ideas directly to our engineering teams.
Even if you aren't currently using these tools in a production environment, there are other ways to get involved:

  • Learning & Training: You can explore our Community Blog for deep-dives.
  • Join our Technical Webinar series to see how these tools operate in real-world scenarios.
  • Check out our Cloud Security Podcast series.

cincyohio
  • Author
  • Bronze 2
  • June 2, 2026

Thanks, but you didn't answer anything I asked.

To be specific: I am a Google Cloud Security Partner. I have active API credentials scoped to VirusTotal Enterprise / Google Threat Intelligence (GTI). I am not an evaluation user. I am not asking what the community is for.

My actual questions:

  1. The GTI API and the VirusTotal API share overlapping IOC enrichment surfaces but diverge on threat actor attribution, YARA rulesets, and Mandiant-sourced intelligence. Which endpoint hierarchy is authoritative for partner-tier access, and where is that documented outside of the generic VT API v3 reference?
  2. Google SecOps (Chronicle SIEM) has a documented GTI enrichment integration. Is that integration available to partners who are building outside of a Chronicle deployment, or is the enrichment pipeline only accessible through the SOAR/SIEM layer?
  3. Where in this community are threads scoped to partners with existing API access doing active integration work, rather than onboarding content targeting net-new evaluators?

I have the access. I have the credentials. I need implementation-depth answers, not a feature overview.


dchua
Staff
  • Staff
  • June 3, 2026

Regarding question 1:

You are correct on the architecture and overlap. Google Threat Intelligence API endpoints sit on top of the VirusTotal domain. The same API endpoints for “Get Files” in VT will be the same for GTI.

There isn't a competing endpoint hierarchy for the data you're looking for.

Instead, the distinction is entirely handled at the authentication and licensing layer. When you authenticate using your GTI API key (and x-tool header), the response payload automatically expands to include advanced GTI-specific attributes—such as gti_assessment verdicts and threat scores, threat actor context, etc.

Of course, there are additional API endpoints for GTI, as there are more features / datasets that GTI provides (e.g., DTM, Threat Profile, Threat Actors, etc.), but both API endpoints are correct; the one you use will depend on which license bundle you have. In short: VT API key, VT-only data; GTI API key, GTI data.

As reference, the GTI API docs are here: https://gtidocs.virustotal.com/reference/api-overview
Regarding question 2: 

The enrichment pipeline exists outside of Google SecOps. We maintain native, co-developed integrations for 3rd party platforms such as Splunk and Microsoft Sentinel, amongst many others. A list of integrations can be found here: https://gtidocs.virustotal.com/docs/technology-integrations-list

In addition, since the APIs are publicly available, one can write a script to do the enrichment from other sources (e.g., CSV files, JSON, etc.) and/or hook it up to automation and orchestration tools.

It’s important to take note that for a Google SecOps Enterprise Plus customer, this enrichment is bundled natively inside the SecOps SIEM platform without consuming external API quota. If you choose to query the raw GTI API externally for a third-party tool, those queries will count against your standalone VT/GTI tier API limits.

Hope this helps for Q1 and Q2.
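Putting the two answers together, here is an added example (not code from the thread, Google or VirusTotal) of the CSV-enrichment script dchua describes: it calls the shared v3 files endpoint with the key and x-tool header, reads gti_assessment only when the licence returned it (a VT-only key yields none), and looks each distinct hash up once because external queries count against the standalone quota. The gti_assessment sub-field layout (verdict.value, threat_score.value), the sample responses and the hashes are assumptions constructed for the demo.

```python
import csv
import json
import urllib.request
API_BASE = "https://www.virustotal.com/api/v3"

def fetch_file_object(sha256, api_key, tool="csv-enricher"):
    """Live lookup of one file object; x-tool is the client identifier the thread mentions."""
    req = urllib.request.Request(f"{API_BASE}/files/{sha256}", headers={"x-apikey": api_key, "x-tool": tool})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def summarize(file_obj):
    """Flatten what we need; gti_assessment only appears for a GTI-licensed key."""
    attrs = file_obj.get("data", {}).get("attributes", {})
    gti = attrs.get("gti_assessment") or {}  # assumed layout: verdict.value, threat_score.value
    return {
        "malicious_engines": attrs.get("last_analysis_stats", {}).get("malicious", 0),
        "gti_verdict": gti.get("verdict", {}).get("value"),       # None with a VT-only key
        "gti_threat_score": gti.get("threat_score", {}).get("value"),
    }

def enrich_csv(csv_text, lookup):
    """Enrich rows carrying a sha256 column; each distinct hash is queried once,
    since external GTI queries count against the standalone API quota."""
    cache, out = {}, []
    for row in csv.DictReader(csv_text.splitlines()):
        h = row["sha256"].strip().lower()
        if h not in cache:
            cache[h] = summarize(lookup(h))
        out.append({**row, **cache[h]})
    return out

# Constructed sample responses and input standing in for the live API (values are made up).
SAMPLE_RESPONSES = {
    "a" * 64: {"data": {"attributes": {
        "last_analysis_stats": {"malicious": 61, "undetected": 10},
        "gti_assessment": {"verdict": {"value": "VERDICT_MALICIOUS"},
                           "threat_score": {"value": 90}}}}},
    "b" * 64: {"data": {"attributes": {  # what a VT-only key returns: no gti_assessment
        "last_analysis_stats": {"malicious": 0, "undetected": 70}}}},
}
SAMPLE_CSV = "sha256,source\n" + "a" * 64 + ",edr\n" + "b" * 64 + ",proxy\n" + "a" * 64 + ",mail\n"

def demo():
    """Run enrich_csv over the sample data; returns (enriched rows, API calls made)."""
    calls = []
    def lookup(h):
        calls.append(h)
        return SAMPLE_RESPONSES[h]
    return enrich_csv(SAMPLE_CSV, lookup), len(calls)
```

Swap `lookup` for `lambda h: fetch_file_object(h, API_KEY)` to run it against the real API; the three-row sample costs only two requests because the repeated hash is served from the cache.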