Collect ThreatConnect IOC logs

Supported in:

Google secops Siem

This parser extracts IOC data from ThreatConnect JSON logs and transforms it into the UDM format. It handles various IOC types such as Host, Address, File, and URL, mapping fields like confidence scores, descriptions, and entity details to their corresponding UDM equivalents, and categorizes threats based on keywords within the log data.

Before you begin

Ensure that you have the following prerequisites:

Google Security Operations instance.
Privileged access to ThreatConnect.

Configure API User on ThreatConnect

Sign in to ThreatConnect.
Go to Settings > Org Settings.
Go to the Membership tab in the Organization Settings.
Click Create API User.
Fill out the fields on the API User Administration window:
- First Name: enter the API user's first name.
- Last Name: enter the API user's last name
- System Role: select the Api User or Exchange Admin System role.
Note: Available System roles for API users include the following:
Api User: API users with this role can use all ThreatConnect v2 and v3 API endpoints, with the exception of the v3 API TC Exchange™ administration endpoints.
Exchange Admin: API users with this role can use all ThreatConnect v2 and v3 API endpoints, including the v3 AP.
- Organization Role: select the API user's Organization role.
- Include in Observations and False Positives: select the checkbox to allow data provided by the API user to be included in observation and false-positive counts.
- Disabled: click the checkbox to disable an API user's account in the event that the Administrator wants to retain log integrity.
- Copy and save the Access ID and Secret Key.
Click Save.

Set up feeds

There are two different entry points to set up feeds in the Google SecOps platform:

SIEM Settings > Feeds
Content Hub > Content Packs

Set up feeds from SIEM Settings > Feeds

To configure a feed, follow these steps:

Go to SIEM Settings > Feeds.
Click Add New Feed.
On the next page, click Configure a single feed.
In the Feed name field, enter a name for the feed; for example, ThreatConnect Logs.
Select Third Party API as the Source type.
Select the ThreatConnect as the log type.
Click Next.
Specify values for the following input parameters:
- Username: enter the ThreatConnect Access ID to authenticate as.
- Secret: enter the ThreatConnect Secret Key for the specified user.
- API Hostname: Fully Qualified Domain Name (FQDN) of your ThreatConnect instance (for example, <myinstance>.threatconnect.com).
- Owners: all owner names, where the owner identifies a collection of IOCs.
Click Next.
Review the feed configuration in the Finalize screen, and then click Submit.

Set up feeds from the Content Hub

Specify values for the following fields:

Username: enter the ThreatConnect Access ID to authenticate as.
Secret: enter the ThreatConnect Secret Key for the specified user.
API Hostname: Fully Qualified Domain Name (FQDN) of your ThreatConnect instance (for example, <myinstance>.threatconnect.com).
Owners: all owner names, where the owner identifies a collection of IOCs.

Advanced options

Feed Name: A prepopulated value that identifies the feed.
Source Type: Method used to collect logs into Google SecOps.
Asset Namespace: Namespace associated with the feed.
Ingestion Labels: Labels applied to all events from this feed.

Need more help? Get answers from Community members and Google SecOps professionals.