Collect Intel 471 Malware Intelligence logs

This document explains how to ingest Intel 471 Malware Intelligence logs into Google Security Operations using Google Cloud Storage V2.

Intel 471 is a threat intelligence platform that provides malware indicators, threat actor tracking, and underground forum monitoring. The parser maps JSON-formatted indicator data to the Unified Data Model (UDM), extracting file hashes, threat metadata, confidence scores, and MITRE ATT&CK context.

Before you begin

Make sure you have the following prerequisites:

  • A Google SecOps instance
  • A GCP project with Cloud Storage API enabled
  • Permissions to create and manage GCS buckets and IAM policies
  • An Intel 471 Titan account with API access to the Malware Intelligence module

Create a Google Cloud Storage bucket

  1. Go to the Google Cloud Console.
  2. Select your project or create a new one.
  3. In the navigation menu, go to Cloud Storage > Buckets.
  4. Click Create bucket.
  5. Provide the following configuration details:
     • Name your bucket: Enter a globally unique name (for example, intel471-malware-intel-logs)
     • Location type: Choose based on your needs (Region, Dual-region, Multi-region)
     • Location: Select the location (for example, us-central1)
     • Storage class: Standard (recommended for frequently accessed logs)
     • Access control: Uniform (recommended)
     • Protection tools: Optional: Enable object versioning or a retention policy
  6. Click Create.

Export Intel 471 IOC feed to Google Cloud Storage

Intel 471 provides malware indicator data through the Titan API. Use a scheduled process to export indicators and upload them to GCS in JSON format.

  1. Sign in to the Intel 471 Titan portal.
  2. Go to Settings > API and generate an API key if you do not already have one.
  3. Copy and save the API key. Authentication uses your registered email and API key via HTTP Basic Auth.
  4. Use a scheduled script or Cloud Run function to call the Intel 471 Indicators Stream API and write the results to GCS in JSON format:
    • /v1/indicators/stream for streaming malware indicators (file hashes, URLs, domains)
  5. Ensure that the exported files are in JSON format.
  6. Schedule the export to run at regular intervals (for example, every hour) to maintain up-to-date indicator coverage.
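The scheduled export described in steps 3 to 6, as an added example that is not part of the original page or of Intel 471's own tooling. It assumes the Titan API host api.intel471.com, a response shape of {"indicators": [...], "cursorNext": "..."} for /v1/indicators/stream, and newline-delimited JSON as the file layout; the page fetcher is injectable so the pagination logic can be exercised without network access.

```python
"""Export Intel 471 Titan indicators to a GCS bucket as JSON (added example)."""
import base64
import json
import os
import urllib.request
from datetime import datetime, timezone
from typing import Callable

TITAN_BASE = "https://api.intel471.com"  # assumption: Titan API host


def auth_header(email: str, api_key: str) -> str:
    """HTTP Basic Auth value: base64('<registered email>:<api key>')."""
    token = base64.b64encode(f"{email}:{api_key}".encode()).decode()
    return f"Basic {token}"


def fetch_page(url: str, email: str, api_key: str) -> dict:
    """GET one page of /v1/indicators/stream using Basic Auth."""
    req = urllib.request.Request(
        url, headers={"Authorization": auth_header(email, api_key), "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def collect_indicators(page_fetcher: Callable[[str], dict], start_url: str, max_pages: int = 100) -> list:
    """Follow the stream cursor until the API returns no cursorNext (key name is an assumption).
    max_pages bounds a single run so a stuck cursor cannot loop forever."""
    out, url = [], start_url
    for _ in range(max_pages):
        page = page_fetcher(url)
        out.extend(page.get("indicators", []))
        nxt = page.get("cursorNext")
        if not nxt:
            break
        url = f"{TITAN_BASE}/v1/indicators/stream?cursor={nxt}"
    return out


def to_ndjson(indicators: list) -> str:
    """One JSON object per line, so each indicator is ingested as a separate record."""
    return "".join(json.dumps(i, separators=(",", ":")) + "\n" for i in indicators)


def object_name(when: datetime) -> str:
    """Object path under the prefix the feed's Storage bucket URI points at."""
    return f"intel471/indicators/{when:%Y/%m/%d/%H%M%S}.json"


def upload(bucket_name: str, name: str, body: str) -> None:
    from google.cloud import storage  # lazy import; needs the google-cloud-storage package
    storage.Client().bucket(bucket_name).blob(name).upload_from_string(body, content_type="application/json")


if __name__ == "__main__":  # credentials come from the environment, never from the source file
    email, key, bucket = os.environ["INTEL471_EMAIL"], os.environ["INTEL471_API_KEY"], os.environ["GCS_BUCKET"]
    found = collect_indicators(lambda u: fetch_page(u, email, key), f"{TITAN_BASE}/v1/indicators/stream")
    if found:
        upload(bucket, object_name(datetime.now(timezone.utc)), to_ndjson(found))
```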

Retrieve the Google SecOps service account

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Feeds.
  3. Click Add New Feed.
  4. Click Configure a single feed.
  5. Select Google Cloud Storage V2 as the Source type.
  6. Select Intel 471 Malware Intelligence as the Log type.
  7. Click Get Service Account. A unique service account email will be displayed, for example:

    chronicle-12345678@chronicle-gcp-prod.iam.gserviceaccount.com
    
  8. Copy this email address. You will use it in the next step.

Grant IAM permissions to the Google SecOps service account

  1. Go to Cloud Storage > Buckets.
  2. Click your bucket name.
  3. Go to the Permissions tab.
  4. Click Grant access.
  5. Provide the following configuration details:
    • Add principals: Paste the Google SecOps service account email.
    • Assign roles: Select Storage Object Viewer.
  6. Click Save.

Configure a feed in Google SecOps to ingest Intel 471 Malware Intelligence logs

  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. Click Configure a single feed.
  4. In the Feed name field, enter a name for the feed (for example, Intel 471 Malware Intelligence logs).
  5. Select Google Cloud Storage V2 as the Source type.
  6. Select Intel 471 Malware Intelligence as the Log type.
  7. Click Next.
  8. Specify values for the following input parameters:
     • Storage bucket URI: gs://intel471-malware-intel-logs/intel471/indicators/
     • Source Deletion Option: Select the deletion option according to your preference
     • Maximum File Age (Days): Default is 180 days
     • Asset namespace: The asset namespace
     • Ingestion labels: The label to be applied to the events from this feed

     Replace intel471-malware-intel-logs with your actual GCS bucket name, and always include the trailing slash (/) at the end of the URI.
  9. Click Next.
  10. Review your new feed configuration in the Finalize screen, and then click Submit.

UDM mapping table

Log Field | UDM Mapping | Logic
data.uid | additional.fields | Additional fields for custom data
data.threat.uid | additional.fields | Additional fields for custom data
data.context.description | metadata.description | Description of the event
(no log field) | metadata.event_type | Type of event (e.g., USER_LOGIN, NETWORK_CONNECTION)
meta.version | metadata.product_version | Product version
data.indicator_data.file.md5 | principal.file.md5 | MD5 hash of the file
data.indicator_data.file.type | principal.file.mime_type | MIME type of the file
data.indicator_data.file.sha1 | principal.file.sha1 | SHA1 hash of the file
data.indicator_data.file.sha256 | principal.file.sha256 | SHA256 hash of the file
data.indicator_data.file.size | principal.file.size | Size of the file in bytes
data.indicator_data.file.download_url | principal.url | URL associated with the principal
data.confidence | security_result.confidence | Confidence level of the security result
data.indicator_type, data.intel_requirements, data.mitre_tactics, data.source_id, data.threat.data.family, data.threat.data.malware_family_profile_uid | security_result.detection_fields | Additional detection fields
data.threat.type | security_result.threat_name | Name of the threat
(no log field) | metadata.product_name | Product name
(no log field) | metadata.vendor_name | Vendor/company name
