Question

Integrating Custom IOC Collection from Google Threat Intelligence into SecOps

  • February 17, 2026
  • 3 replies

desertfalcon

Hi Team,

I’m looking for guidance on integrating custom Indicators of Compromise (IOCs) collected from Google Threat Intelligence into Google SecOps.

Specifically, I would like to understand:

  • Is there a supported method to import or sync custom IOC feeds from Google Threat Intelligence into SecOps?

  • Can this be automated (e.g., via API or scheduled ingestion)?

  • Are there recommended best practices for managing and correlating custom threat indicators within SecOps?

  • Does this require a specific license tier or additional configuration?

If anyone has experience with this setup or can point me to relevant documentation, it would be greatly appreciated.

3 replies

Asura
  • February 17, 2026

Hello @desertfalcon,

I am not sure which SecOps license tier this starts working at, but for Ent+ I know that we have log enrichment for file hashes (under the principal, src, target, and observer fields) based on VT (https://docs.cloud.google.com/chronicle/docs/event-processing/data-enrichment#enrich-events-with-VirusTotal-file-metadata). This enrichment is done automatically during the log ingestion process.

If you want to use custom threat indicators to enrich your logs, that is also possible.

You will have to configure your log source feed with your TI source and, if one does not already exist, write a parser that maps the data from your TI to the relevant UDM using the entity graph.


kentphelps
Staff
  • February 17, 2026

It depends on the tier of SecOps you are using:

For Enterprise+ it is automatic; take a look here: Applied Threat Intelligence Overview

For Standard and Enterprise, take a look here: GTI BYOL Integration Guide


desertfalcon
  • Author
  • Bronze 1
  • February 17, 2026

Hi @kentphelps, thank you for your response. My question is specifically related to the custom IOC collections we made inside the Google Threat Intelligence solution. Custom IOC collections include the IOCs we manually add inside the Google Threat Intelligence solution. My question is: do we have an option to integrate those custom IOC collections?