Collect COVID-19 Cyber Threat Coalition IOC logs

This document explains how to ingest COVID-19 Cyber Threat Coalition IOC logs to Google Security Operations using Google Cloud Storage V2.

The COVID-19 Cyber Threat Coalition (CTC) was a community-driven threat intelligence initiative that aggregated indicators of compromise (IOCs) related to COVID-19 themed cyber threats, including phishing domains, malicious URLs, and suspicious IP addresses. The CTC distributed IOC feeds as downloadable files. To ingest these files, you must upload them to a Google Cloud Storage (GCS) bucket and then configure a Google SecOps feed.

Before you begin

Make sure you have the following prerequisites:

  • A Google SecOps instance
  • A Google Cloud project with Cloud Storage API enabled
  • Permissions to create and manage GCS buckets
  • Permissions to manage IAM policies on GCS buckets
  • Access to previously downloaded COVID-19 Cyber Threat Coalition IOC feed files or historical data from AlienVault OTX

Create Google Cloud Storage bucket

  1. Go to the Google Cloud console.
  2. Select your project or create a new one.
  3. In the navigation menu, go to Cloud Storage > Buckets.
  4. Click Create bucket.
  5. Provide the following configuration details:

    Setting             Value
    Name your bucket    Enter a globally unique name (for example, covid-ctc-ioc-logs)
    Location type       Choose based on your needs (Region, Dual-region, Multi-region)
    Location            Select the location closest to your Google SecOps instance (for example, us-central1)
    Storage class       Standard (recommended for frequently accessed logs)
    Access control      Uniform (recommended)
    Protection tools    Optional: Enable object versioning or a retention policy
  6. Click Create.

Upload IOC files to GCS

Obtain IOC data (historical)

The CTC originally distributed IOC data through the following channels:

  • CTC Blocklist: A curated list of COVID-19 themed malicious domains and URLs, previously available at cyberthreatcoalition.org/blocklist (now discontinued).
  • AlienVault OTX: The CTC community contributed IOC data to AlienVault Open Threat Exchange (OTX). Some historical IOC data may still be accessible through the AlienVault OTX platform.
  • Direct file downloads: IOC files were distributed in CSV and text formats through the CTC website and community channels.

Upload historical IOC files using the Google Cloud console

Since the CTC IOC data is no longer actively produced, a one-time or infrequent upload is the most appropriate approach.

  1. Go to the Google Cloud console.
  2. In the navigation menu, go to Cloud Storage > Buckets.
  3. Click on your bucket name (for example, covid-ctc-ioc-logs).
  4. Click Create folder.
  5. Enter ioc-data as the folder name.
  6. Click Create.
  7. Navigate into the ioc-data folder.
  8. Click Upload files.
  9. Select the CTC IOC files from your local machine and upload them.

Alternative: Storage Transfer Service (for bulk uploads)

If you have a large number of historical IOC files stored on an on-premises file system, use Storage Transfer Service with a Transfer Agent.

  1. In the GCP Console, go to Storage Transfer Service.
  2. Click Create transfer job.
  3. Select POSIX filesystem as the source.
  4. Follow the instructions to install the Storage Transfer Agent on the machine with the IOC files.
  5. Configure the transfer job:

    Setting               Value
    Source directory      Path to the directory containing CTC IOC files
    Destination bucket    covid-ctc-ioc-logs
    Destination path      ioc-data/
    Schedule              Run once (or as needed)
  6. Click Create.

Retrieve the Google SecOps service account

Google SecOps uses a unique service account to read data from your GCS bucket. You must grant this service account access to your bucket.

Get the service account email

  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. Click Configure a single feed.
  4. In the Feed name field, enter a name for the feed (for example, COVID CTC IOC Feed).
  5. Select Google Cloud Storage V2 as the Source type.
  6. Select COVID-19 Cyber Threat Coalition as the Log type.
  7. Click Get Service Account.
  8. A unique service account email will be displayed, for example:

    chronicle-12345678@chronicle-gcp-prod.iam.gserviceaccount.com
    
  9. Copy this email address for use in the next step.

  10. Click Next.

  11. Specify values for the following input parameters:

    • Storage bucket URL: Enter the GCS bucket URI with the prefix path:

      gs://covid-ctc-ioc-logs/ioc-data/
      
      • Replace:
        • covid-ctc-ioc-logs: Your GCS bucket name.
        • ioc-data: Optional prefix/folder path where IOC files are stored.
    • Source deletion option: Select the deletion option according to your preference:

      • Never: Never deletes any files after transfers (recommended for testing).
      • Delete transferred files: Deletes files after successful transfer.
      • Delete transferred files and empty directories: Deletes files and empty directories after successful transfer.

    • Maximum File Age: Only files modified within this many days are ingested (default: 180 days).

    • Asset namespace: The asset namespace to apply to events from this feed.

    • Ingestion labels: The label to be applied to the events from this feed

  12. Click Next.

  13. Review your new feed configuration in the Finalize screen, and then click Submit.

Grant IAM permissions to the Google SecOps service account

The Google SecOps service account needs the Storage Object Viewer role on your GCS bucket. This is a read-only role scoped to the bucket; no project-level or write permissions are required.

  1. Go to Cloud Storage > Buckets.
  2. Click on your bucket name.
  3. Go to the Permissions tab.
  4. Click Grant access.
  5. Provide the following configuration details:
    • Add principals: Paste the Google SecOps service account email
    • Assign roles: Select Storage Object Viewer
  6. Click Save.
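The bucket creation, one-time upload and IAM grant described above, expressed as gcloud commands. This is an added example, not Google's own tooling; the bucket name, region, local IOC directory and the service-account placeholder are assumptions, and the script only acts when started with the argument run.

```shell
#!/bin/sh
# Added example, not Google's own tooling: the console steps for the bucket,
# the upload and the IAM grant as gcloud commands. Assumed: bucket name,
# region, local IOC directory and the service-account email from the wizard.
set -eu

BUCKET="${BUCKET:-covid-ctc-ioc-logs}"       # assumed bucket name
LOCATION="${LOCATION:-us-central1}"           # assumed region
PREFIX="${PREFIX:-ioc-data}"                  # folder the feed reads from
LOCAL_DIR="${LOCAL_DIR:-./ctc-iocs}"          # assumed local IOC files
SECOPS_SA="${SECOPS_SA:-REPLACE_WITH_SECOPS_SERVICE_ACCOUNT}"  # placeholder

# Storage bucket URL in the form the feed wizard expects: gs://<bucket>/<prefix>/
feed_bucket_url() {
    bucket="$1"; prefix="${2:-}"
    prefix="${prefix#/}"; prefix="${prefix%/}"   # tolerate stray slashes
    if [ -n "$prefix" ]; then printf 'gs://%s/%s/\n' "$bucket" "$prefix"
    else printf 'gs://%s/\n' "$bucket"; fi
}

# Refuse to write anything but a service-account principal into the bucket policy.
is_service_account() {
    case "$1" in
        *@*.iam.gserviceaccount.com) return 0 ;;
        *) return 1 ;;
    esac
}

create_bucket() {   # uniform access and Standard class, as in the console table
    gcloud storage buckets create "gs://$BUCKET" --location="$LOCATION" \
        --default-storage-class=STANDARD --uniform-bucket-level-access
    gcloud storage buckets update "gs://$BUCKET" --versioning   # optional protection
}

upload_iocs() {     # one-time upload of the historical files under ioc-data/
    gcloud storage cp --recursive "$LOCAL_DIR"/* "$(feed_bucket_url "$BUCKET" "$PREFIX")"
}

grant_secops_reader() {   # bucket-scoped, read-only role, nothing wider
    is_service_account "$SECOPS_SA" || { echo "not a service account: $SECOPS_SA" >&2; return 1; }
    gcloud storage buckets add-iam-policy-binding "gs://$BUCKET" \
        --member="serviceAccount:$SECOPS_SA" --role=roles/storage.objectViewer
}

# Only act when explicitly asked; sourcing or running without "run" just defines helpers.
if [ "${1:-}" = "run" ]; then
    create_bucket && upload_iocs && grant_secops_reader
    echo "Paste this as the feed's Storage bucket URL: $(feed_bucket_url "$BUCKET" "$PREFIX")"
fi
```

Set SECOPS_SA to the email copied from the feed wizard before running with run; the script refuses to bind a principal that is not a service account.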

UDM mapping table

Log Field    UDM Mapping                Logic
domain       domain_and_ports.domain    Directly mapped
ip_address   ip_and_ports.ip_address    Directly mapped
N/A          categorization             Constant: Suspicious COVID-19 Related Activity
N/A          confidence_score           Constant: Low
N/A          description                Constant: Suspected to be associated with a COVID-19 related attack...
N/A          feed_name                  Constant: COVID-19 Cyber Threat Coalition
N/A          raw_severity               Constant: Low
