The Google Threat Intelligence (GTI) integration ingests Indicators of Compromise (IoCs) such as File Hashes, URLs, and Domains from VirusTotal's threat intelligence (GTI) into Mimecast for email protection. This guide describes how the integration works and how to configure it.
Overview
The integration pulls IoCs from GTI Threat Lists and pushes them into Mimecast. Different indicator types are enforced differently in Mimecast (e.g., File Hashes via Bring Your Own Threat Intelligence (BYOTI), URLs via Managed URLs, Domains via Blocked Senders). The integration runs on a schedule and uses checkpoints so only new data is processed after the first run.
During each run, the integration can:
- File Hashes: Fetches SHA256 hashes from selected GTI Threat Lists (e.g., ransomware, malware) and pushes them to Mimecast BYOTI.
- URLs: Fetches URLs from selected threat lists and adds them to Mimecast Managed URLs.
- Domains: Fetches domains from selected Threat Lists and adds them to Mimecast Blocked Senders and, optionally, Managed URLs.
The integration keeps a checkpoint (timestamp and last record in case of partial success) per Threat List so the next run continues from where it left off. Data is limited to the last 7 days (configurable lookback from Fetch From Duration). Optionally, you can enable Remediation so Mimecast finds and remediates messages that match the imported file hashes, URLs, or domains.
Benefits:
- Automates ingestion of GTI into Mimecast for email protection.
- Reduces manual effort to maintain BYOTI, Managed URLs, and Blocked Senders lists from threat feeds.
- Lets you choose which indicator types to import and refine data with Query, Verdicts, and Severities.
- Uses checkpointing so only new data is processed after the first run.
- Supports notifications when the integration hits permanent errors (e.g., invalid credentials).
This integration is available from the Integrations Hub.
Details
File Hash Indicators (BYOTI)
When File Hashes from Threat Lists to BYOTI is selected under Import Malicious Indicators, the integration fetches File Hash IoCs (SHA256) from GTI Threat Lists (subject to your Threat List selection) and pushes them to Mimecast BYOTI. Data is requested in hourly buckets. Checkpoints are stored per Threat List so the next run continues from the last processed hour and record.
URL Indicators (Managed URLs)
When URLs from Threat Lists to Managed URLs is selected, the integration fetches URLs and adds them to Mimecast Managed URLs as blocked URLs. Processing is by hour and Threat List, with checkpoints so runs resume correctly.
Domain Indicators (Blocked Senders/Managed URLs)
When Domains from Threat Lists to Blocked Senders is enabled, the integration fetches domains from the selected Threat List categories and adds them to Mimecast Blocked Senders. If Domains from Threat Lists to Managed URLs is enabled, the same domains will be blocked in Managed URLs. Checkpoints are maintained per threat list. Optional domain remediation can be enabled.
Notification Configuration
- In Notification Settings, User Emails accepts up to 5 addresses or distribution lists (type an entry and press Enter to add each one).
- Recipients are notified when the integration needs attention (for example, permanent errors such as invalid GTI API key or insufficient BYOTI quota), which may pause the schedule until the issue is resolved.
Considerations
- Checkpoint data: The integration stores checkpoint data (per Threat List and indicator type) so it can resume.
- 7-day lookback: GTI Threat List data is only fetched for the last 7 days. Checkpoints older than 7 days are automatically cleared so the next run does not request out-of-range data.
- Filter changes: If you change which Threat List categories or indicator types are enabled, the integration clears checkpoints for excluded categories so that the next run uses a consistent view of "what's selected".
- Credentials: You need a valid GTI (VirusTotal) API key.
- BYOTI quota: File Hash ingestion consumes Mimecast BYOTI quota. Ensure sufficient quota; the integration can warn when usage is high (e.g., 90%).
- Remediation: Occurs when imported indicators are detected, but only if Mimecast Remediation is enabled and Mode is automatic. Ensure proper permissions and licensing.
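To make the checkpointing rules above concrete, here is an added Python model of the resume logic; it is not Mimecast's or GTI's code. It assumes a per-Threat-List checkpoint made of an hour bucket plus the last pushed record, replaces the GTI API with a constructed in-memory feed of placeholder hashes, and uses a stand-in push function that can fail to simulate partial success.

```python
from datetime import datetime, timedelta, timezone

# Constants for the behaviour the guide describes (assumed model, not Mimecast's code).
LOOKBACK = timedelta(days=7)   # GTI Threat List data only covers the last 7 days
ONE_HOUR = timedelta(hours=1)  # data is requested in hourly buckets
NOW = datetime(2024, 6, 1, 11, 30, tzinfo=timezone.utc)  # constructed "current time"

# Constructed sample feed: threat list -> hour bucket -> SHA256 records.
# The hash values are placeholders, not real indicators; the GTI API is not called.
FEED = {
    "ransomware": {"2024-06-01T10": ["a" * 64, "b" * 64], "2024-06-01T11": ["c" * 64]},
    "malware": {"2024-06-01T10": ["d" * 64]},
}

def hour_key(ts):
    return ts.strftime("%Y-%m-%dT%H")

def floor_hour(ts):
    return ts.replace(minute=0, second=0, microsecond=0)

def prune_checkpoints(checkpoints, selected, now):
    """Drop checkpoints for deselected threat lists and any older than the 7-day window."""
    return {cat: cp for cat, cp in checkpoints.items()
            if cat in selected and now - cp["ts"] <= LOOKBACK}

def make_push(fail_on=None):
    """Stand-in for the Mimecast push; returns False on one record to simulate partial success."""
    return lambda cat, rec: rec != fail_on

def run(checkpoints, selected, now, fetch_from, push):
    """One scheduled run. checkpoints: {list: {"ts": hour bucket, "last": last pushed record or None}}."""
    checkpoints = prune_checkpoints(checkpoints, selected, now)
    pushed = []
    for cat in sorted(selected):
        cp = checkpoints.get(cat)
        if cp:  # resume inside a partially processed bucket, or at the next bucket
            ts = cp["ts"] if cp["last"] else cp["ts"] + ONE_HOUR
        else:   # first run: honour Fetch From Duration, clamped to the GTI 7-day window
            ts = floor_hour(now - min(fetch_from, LOOKBACK))
        while ts <= now:
            records = FEED.get(cat, {}).get(hour_key(ts), [])
            if cp and cp["ts"] == ts and cp["last"] in records:
                records = records[records.index(cp["last"]) + 1:]
            for rec in records:
                if not push(cat, rec):      # partial success: keep the last good record
                    return checkpoints, pushed
                pushed.append(rec)
                checkpoints[cat] = {"ts": ts, "last": rec}
            checkpoints[cat] = {"ts": ts, "last": None}  # bucket fully processed
            ts += ONE_HOUR
    return checkpoints, pushed
```

Running `run` twice with the same clock, first with a push that fails on one record and then with one that succeeds, shows the second run resuming mid-bucket rather than re-pushing already-accepted hashes.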
Prerequisites
Google Threat Intelligence
- You have access to the Google Threat Intelligence (GTI) platform and an API key with access to Threat Lists (see GTI documentation: https://gtidocs.virustotal.com/reference/get-hourly-threat-list).
- The API key must be valid and not revoked.
- You know which Threat List categories you want to use for File Hashes, URLs, and Domains (see configuration options below).
Mimecast
- You have access to the Mimecast Administration Console with rights to configure integrations. Required permissions for:
- BYOTI (if using File Hashes).
- Managed URLs (if using URLs or Domains as Managed URLs).
- Blocked Senders and Managed URLs (if using Domains).
- Remediation APIs (if you enable remediation for any indicator type).
- For File Hashes, your BYOTI quota is sufficient for the volume of hashes you plan to push.
Configuring the Integration
Step 1: Open the integration
- Log in to the Mimecast Administration Console.
- Navigate to Integrations | Integrations Hub.
- Locate Google Threat Intelligence and click Configure New.
Step 2: Details
- Name (required). Enter a unique name for this integration configuration.
- Description (required). Briefly describe what this integration is used for.
Step 3: Activate
- Follow the instructions to obtain your API key:
- Log in to the Google Threat Intelligence platform.
- Navigate to Username | API key.
- Copy the returned API key and paste it into Mimecast.
- Fetch From Duration (required). Select how far back to start fetching data (e.g., Last 24 hours or Last 7 days). This works with checkpointing and the 7-day GTI window.
Step 4: Send to Mimecast
- Read the information box at the top of the section. It explains that:
- Indicators are blocked in Mimecast according to their type (BYOTI, Managed URLs, Blocked Senders).
- Automatic remediation incidents can be created when Remediation is added to your Mimecast account and set to automatic mode.
- Import Malicious Indicators. Select one or more of:
- File Hashes from Threat Lists to BYOTI.
- URLs from Threat Lists to Managed URLs.
- Domains from Threat Lists to Blocked Senders.
Import Malicious Indicators:
Enable each indicator type you want to import. You can choose Categories and optional remediation.
- File Hashes from Threat Lists to BYOTI: Enable the checkbox. Use Categories to select GTI Threat Lists (e.g., ransomware, malware). Optionally, enable Remediate Messages when imported indicators are detected so Mimecast remediates messages that match imported hashes (requires remediation in automatic mode).
- URLs from Threat Lists to Managed URLs: Enable the checkbox. Use Categories to select GTI Threat Lists. Optionally, enable Remediate Messages when imported indicators are detected for URLs.
- Domains from Threat Lists to Blocked Senders: Enable the checkbox. Use Categories to select GTI Threat Lists. Optionally, enable Remediate Messages when imported indicators are detected for domains. Optionally, enable Domains from Threat Lists to Managed URLs if you also want the same domains to be blocked as Managed URLs.
You can enable multiple indicator types at once. Each enabled type is processed according to its Categories and checkpointing rules.
Threat List Filter:
These filters apply globally to all indicator types you enabled above:
- Query: Optional GTI search query. Use the official documentation for syntax and examples.
- Verdicts: Dropdown to filter by threat confidence (e.g., Malicious).
- Severities: Dropdown to filter by potential impact (e.g., High).
Step 5: Notification Settings
- User Emails: Add recipients who should receive integration notifications:
- Type an email address or distribution list and press Enter to add it. You can add up to 5 entries.
Step 6: Save
- Review Details, Activate, Send to Mimecast, and Notification Settings.
- Click Save to save and activate the integration, or Cancel to discard changes.
After saving, the integration runs on the schedule defined in the Integrations Hub and uses checkpoints between runs.