NEW

Panther joins Databricks to build the future of the security lakehouse. Read more →


BLOG

Google Threat Intelligence Now Available in Panther Detections

Panther's new Google Threat Intelligence enrichment matches IoCs against every log event, automatically, before detections run.

Kostas Papageorgiou

Threat intel is only useful if it reaches your detections

Most security teams already pay for threat intelligence. The problem isn't the feed, it's the plumbing. Indicators sit in a TIP, in a CSV in someone's Drive, or in an analyst's browser tab. They almost never make it into detection logic in time to matter. And when they do, the implementation is brittle: scheduled scripts, lookup tables that go stale, custom code that breaks the first time a vendor changes a JSON field.

The result is a quiet but expensive failure mode. The IoC for the campaign you read about Monday morning is still not in your SOC platform Friday afternoon, and by then the adversary has already rotated infrastructure. Threat intel becomes a content marketing exercise rather than an operational input.

With Panther and Google Threat Intelligence, this gap closes.

Google Threat Intelligence + Panther AI SOC

Google Threat Intelligence (GTI) brings together VirusTotal's crowdsourced detection telemetry, Mandiant's frontline incident-response research, and Google's own threat visibility into one of the broadest sources of malware, IP, domain, URL, and file-hash intelligence in the industry. Panther's new GTI enrichment uses the Google Threat Intelligence IoC Stream API to ingest a near real-time feed of IoCs from the GTI collections you follow, and matches them against every log event flowing through Panther, before the detection engine runs.

When Panther identifies a match between a log event and a GTI indicator, the full IoC record is appended to the event. That means GTI context is available to every detection, every search, and every alert, without an API call, a lookup table refresh, or a single line of glue code.

How it works under the hood

It's a stream, not a snapshot. Panther pulls new IoCs from your subscribed GTI collections every hour. Each pull is incremental — we only fetch what's new since the last successful run — and previously pulled IoCs are retained in the lookup table, deduplicated by IoC ID. Indicators older than the TTL you configure are filtered out automatically.

Enrichment happens before detection. Matching runs on the ingest path, ahead of the detection engine. Your Python rules don't have to call out to an external service or join against a lookup table — the GTI payload is already on the event when the rule fires.

Every log source, every indicator type. By default, GTI enrichment runs against every log type in your environment, and matches on the standard Panther indicator fields (p_any_ip_addresses, p_any_domain_names, p_any_md5_hashes, p_any_sha1_hashes, p_any_sha256_hashes, p_any_urls). You can disable it per log type, or customize the selectors if you want to constrain matching to specific fields.

You control the intel. IoC streams are scoped to the Google Threat Intelligence user who owns the API key. You decide which collections to follow — APT campaigns, malware families, ransomware infrastructure, regional threats — and Panther mirrors those choices into your enrichment table.
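To make the stream semantics above concrete (incremental pulls, retention across runs, dedupe on IoC ID, TTL expiry), here is a small model of one scheduled pull. It is an added example written for this post, not Panther's implementation or the GTI API: the record shape (an "id" plus a "first_seen" timestamp), the cursor that marks the last successful run, and all sample indicators are constructed for illustration.

```python
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from typing import Any

Ioc = dict[str, Any]  # constructed shape: {"id": str, "first_seen": datetime, ...}


def fetch_since(stream: list[Ioc], cursor: datetime) -> list[Ioc]:
    """Incremental read: only records the stream emitted after the last successful run."""
    return [rec for rec in stream if rec["first_seen"] > cursor]


def merge_into_table(table: dict[str, Ioc], batch: list[Ioc], ttl: timedelta, now: datetime) -> dict[str, Ioc]:
    """Retain earlier pulls, dedupe on IoC id, then drop anything older than the configured TTL."""
    merged = dict(table)
    for rec in batch:
        merged[rec["id"]] = rec  # same id seen again: the later record replaces the earlier one
    cutoff = now - ttl
    return {ioc_id: rec for ioc_id, rec in merged.items() if rec["first_seen"] >= cutoff}


def scheduled_pull(
    table: dict[str, Ioc], stream: list[Ioc], cursor: datetime, ttl: timedelta, now: datetime
) -> tuple[dict[str, Ioc], datetime]:
    """One hourly run. The cursor advances only when the run completes, so a failed run is retried, not skipped."""
    batch = fetch_since(stream, cursor)
    new_table = merge_into_table(table, batch, ttl, now)
    new_cursor = max([cursor] + [rec["first_seen"] for rec in batch])
    return new_table, new_cursor


# Constructed sample stream (not real GTI data); ids and timestamps are made up.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
TTL = timedelta(days=7)
STREAM = [
    {"id": "ip:203.0.113.7", "first_seen": T0 - timedelta(days=10)},    # older than the TTL
    {"id": "domain:c2.example", "first_seen": T0 - timedelta(days=2)},
    {"id": "domain:c2.example", "first_seen": T0 - timedelta(days=1)},   # same id, later sighting
    {"id": "sha256:" + "ab" * 32, "first_seen": T0 - timedelta(hours=1)},
]


def simulate_two_runs() -> tuple[dict[str, Ioc], int]:
    """First pull at T0 into an empty table, then a second pull an hour later after one new IoC arrives.

    Returns the final table and how many records the second (incremental) pull fetched.
    """
    table, cursor = scheduled_pull({}, STREAM, T0 - timedelta(days=30), TTL, now=T0)
    later_stream = STREAM + [{"id": "url:http://c2.example/x", "first_seen": T0 + timedelta(minutes=30)}]
    second_batch = fetch_since(later_stream, cursor)
    table, cursor = scheduled_pull(table, later_stream, cursor, TTL, now=T0 + timedelta(hours=1))
    return table, len(second_batch)


if __name__ == "__main__":
    final_table, fetched = simulate_two_runs()
    print(f"second pull fetched {fetched} record(s); table now holds {sorted(final_table)}")
```

Two behaviours are worth noticing. The stale IP is fetched on the first run but never reaches the table, because the TTL filter runs on every merge, so an indicator that has aged past the TTL stops matching even though it is still in the stream. And the second run fetches only the one new URL, yet the table still holds the domain and hash from the first run: retention across incremental pulls is what keeps a stream from silently shrinking to "whatever arrived in the last hour".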

What's in a match

Every IoC that lands in Panther brings the full GTI metadata with it. A single IP-address match, for example, can include:

  • A confidence score and reputation from the GTI community

  • A threat severity rating (LOW / MEDIUM / HIGH)

  • The last_analysis_stats breakdown — how many engines flagged it malicious, suspicious, harmless, or undetected

  • The popular_threat_classification — suggested threat label, name, and category

  • Tags (malware, c2, phishing, etc.) and the originating collections

  • Network context: ASN, AS owner, country, regional internet registry

  • A direct link back to the indicator's page in Google Threat Intelligence for the analyst to pivot into

Hashes carry file-specific metadata — size, names, type, capabilities tags, popular threat classification. Domains and URLs carry WHOIS, redirection chains, response codes, and DNS observations. All of it is available in detection logic the moment the event is ingested.
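The detection side, as an added example rather than Panther's or Google's code: a Panther-style Python rule that reads the GTI record already attached to the event instead of calling out or joining a lookup table. Assumptions not stated in the post: the enrichment is exposed under the event's p_enrichment key, first by the name you gave the enrichment in Panther (the hypothetical name "gti_iocs" here) and then by the p_any_* field that matched; a field carries a list when several indicators matched; the severity rating sits in a "threat_severity" key and the collections and link in "collections" and "gti_link". The last_analysis_stats, popular_threat_classification and tags fields are the ones the post lists; the sample events are constructed.

```python
from __future__ import annotations

from typing import Any

ENRICHMENT_NAME = "gti_iocs"  # hypothetical: the name you typed under Configure -> Enrichments
INDICATOR_FIELDS = ("p_any_ip_addresses", "p_any_domain_names", "p_any_md5_hashes",
                    "p_any_sha1_hashes", "p_any_sha256_hashes", "p_any_urls")
MIN_MALICIOUS_ENGINES = 3  # tunable: one or two engines flagging an indicator is usually noise


def gti_records(event: dict[str, Any]) -> list[dict[str, Any]]:
    """Every GTI IoC record attached to the event, across all indicator fields that matched."""
    table = (event.get("p_enrichment") or {}).get(ENRICHMENT_NAME) or {}
    records: list[dict[str, Any]] = []
    for field in INDICATOR_FIELDS:
        hits = table.get(field)
        if not hits:
            continue
        # assumption: one record, or a list when several indicators of that type matched
        records.extend(hits if isinstance(hits, list) else [hits])
    return records


def actionable(record: dict[str, Any]) -> bool:
    """Keep a match only if enough engines agree or GTI rates it HIGH (assumed key: threat_severity)."""
    malicious = int((record.get("last_analysis_stats") or {}).get("malicious", 0))
    return malicious >= MIN_MALICIOUS_ENGINES or record.get("threat_severity") == "HIGH"


def rule(event: dict[str, Any]) -> bool:
    # No outbound call and no lookup-table join: the IoC record is already on the event.
    return any(actionable(rec) for rec in gti_records(event))


def severity(event: dict[str, Any]) -> str:
    """Highest GTI rating among actionable matches; GTI's LOW/MEDIUM/HIGH map 1:1 onto Panther levels."""
    ratings = {rec.get("threat_severity") for rec in gti_records(event) if actionable(rec)}
    for level in ("HIGH", "MEDIUM", "LOW"):
        if level in ratings:
            return level
    return "MEDIUM"  # actionable on engine count alone but carrying no rating


def title(event: dict[str, Any]) -> str:
    labels = sorted(
        (rec.get("popular_threat_classification") or {}).get("suggested_threat_label", "unclassified")
        for rec in gti_records(event) if actionable(rec)
    )
    return f"GTI IoC match in {event.get('p_log_type', 'unknown log')}: {', '.join(labels)}"


def alert_context(event: dict[str, Any]) -> dict[str, Any]:
    """Pivot material for the analyst: engine counts, tags, collections, and the GTI link."""
    return {"matches": [
        {
            "indicator": rec.get("id"),
            "malicious_engines": (rec.get("last_analysis_stats") or {}).get("malicious"),
            "tags": rec.get("tags", []),
            "collections": rec.get("collections", []),   # assumed key for the originating collections
            "gti_link": rec.get("gti_link"),              # assumed key for the link back into GTI
        }
        for rec in gti_records(event) if actionable(rec)
    ]}


def _ioc(ip: str, rating: str, malicious: int, label: str) -> dict[str, Any]:
    """Constructed IoC record in the shape the functions above expect (not real GTI output)."""
    return {
        "id": ip,
        "threat_severity": rating,
        "last_analysis_stats": {"malicious": malicious, "suspicious": 0, "harmless": 50, "undetected": 20},
        "popular_threat_classification": {"suggested_threat_label": label},
        "tags": ["c2"] if rating == "HIGH" else [],
        "collections": ["example-collection"],
        "gti_link": "https://gti.example/indicator/" + ip,
    }


def _event(ip: str, ioc: dict[str, Any] | None) -> dict[str, Any]:
    """Constructed VPC-flow-style event; 203.0.113.0/24 is a documentation range, not real telemetry."""
    event: dict[str, Any] = {"p_log_type": "AWS.VPCFlow", "dstAddr": ip, "p_any_ip_addresses": [ip]}
    if ioc is not None:
        event["p_enrichment"] = {ENRICHMENT_NAME: {"p_any_ip_addresses": [ioc]}}
    return event


MATCHED_EVENT = _event("203.0.113.7", _ioc("203.0.113.7", "HIGH", 12, "trojan.example-family"))
LOW_CONFIDENCE_EVENT = _event("203.0.113.8", _ioc("203.0.113.8", "LOW", 1, "unwanted.example"))
CLEAN_EVENT = _event("203.0.113.9", None)  # no GTI match: enrichment key absent entirely

if __name__ == "__main__":
    for name, ev in (("matched", MATCHED_EVENT), ("low", LOW_CONFIDENCE_EVENT), ("clean", CLEAN_EVENT)):
        print(name, rule(ev), severity(ev) if rule(ev) else "-", title(ev) if rule(ev) else "-")
```

The point of the actionable() gate is that "every indicator matches every event" cuts both ways: a match is a fact about the indicator feed, not yet a verdict about the event, so the rule spends the engine counts and severity rating the enrichment already delivered to decide what is worth an alert, and the unenriched event falls through with no special-casing because gti_records() simply returns an empty list.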

Setting it up

The setup is two steps, and both are documented in the Panther docs:

  1. In Google Threat Intelligence, follow the IoC collections you want to subscribe to and toggle on the IoC stream for each. A Premium API key is required, and the key must belong to the same GTI user who is following the collections.

  2. In Panther, navigate to Configure → Enrichments → Create New → Google Threat Intelligence. Provide a name, paste the API token, and set an Indicator TTL.

That's it. Subscribe to IoC collections in your Google Threat Intelligence account, drop your Premium API key into Panther, and every log event we ingest is automatically checked against your live IoC stream — no API calls in detection code, no manual list maintenance, no separate enrichment pipeline.

If you're already a Panther customer, the docs will get you live in under ten minutes. If you're not yet, the easiest way is to book a demo to see what high-fidelity, enrichment-driven detection looks like on your own data.
