Panther joins Databricks to build the future of the security lakehouse. Read more →

Enrichment

Google Threat Intelligence

Enrich detections with real-time IoCs from Google Threat Intelligence.

Integration Overview

Google Threat Intelligence provides comprehensive threat intelligence data through its IoC Stream — a near real-time feed of Indicators of Compromise pulled from the collections you follow. Panther integrates with the Google Threat Intelligence IoC Stream API to continuously ingest and match incoming log events against IP addresses, domains, file hashes, and URLs flagged across your subscribed collections. Enrichment data is stored as a Panther-managed Lookup Table, automatically matched against events before they reach the detection engine, and surfaced under the p_enrichment field for use in detection logic and investigation.

Google Threat Intelligence enrichment requires a Premium API key and active IoC stream subscriptions in your Google Threat Intelligence account.

Use Cases

Panther's Google Threat Intelligence enrichment integration helps security teams:

  • Automatically flag log events containing known malicious IPs, domains, file hashes, or URLs from your subscribed GTI collections

  • Reduce investigation time by surfacing high-fidelity threat context directly within alerts and detection logic

  • Stay current with emerging threats through hourly IoC refreshes that add new indicators incrementally without losing historical context

How it Works

Google Threat Intelligence enrichment runs against every log source in your Panther environment by default. When an incoming event contains an indicator that matches a GTI IoC entry, enrichment data is automatically appended under the p_enrichment field and is immediately available in detections and searches. Panther pulls new IoCs from your subscribed collections every hour, retaining previously ingested indicators and filtering out those older than your configured TTL.

You can check out our product documentation for more information.
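A detection that consumes the enrichment described above, written in the shape of a Panther Python rule; this is an added example, not Panther's own code. The Lookup Table name, the nesting under p_enrichment (table name, then matched event field), and the IoC row fields are assumptions, and the sample events are constructed.

```python
# Hypothetical Lookup Table name (assumption); use the name shown in your console.
GTI_TABLE = "gti_ioc_stream_placeholder"

# Constructed sample events. The layout under p_enrichment is assumed to be
# {table_name: {matched_event_field: ioc_row}}; row fields are illustrative.
HIT_EVENT = {
    "p_log_type": "AWS.VPCFlow",
    "dstAddr": "203.0.113.7",
    "p_enrichment": {
        GTI_TABLE: {"dstAddr": {"ioc_type": "ip_address", "collection": "example-collection"}}
    },
}
CLEAN_EVENT = {"p_log_type": "AWS.VPCFlow", "dstAddr": "198.51.100.20"}
NULL_EVENT = {"p_log_type": "AWS.VPCFlow", "p_enrichment": None}


def gti_matches(event):
    """Return {matched_event_field: ioc_row} for GTI hits, or {} when there are none."""
    enrichment = event.get("p_enrichment") or {}  # field may be absent or null
    table = enrichment.get(GTI_TABLE) or {}       # other lookup tables are ignored
    return {field: row for field, row in table.items() if isinstance(row, dict)}


def rule(event):
    # Fire only when the enrichment step attached at least one GTI IoC row.
    return bool(gti_matches(event))


def title(event):
    fields = ", ".join(sorted(gti_matches(event)))
    return f"GTI IoC match in {event.get('p_log_type', 'unknown log')} on field(s): {fields}"


def alert_context(event):
    # Carry the matched IoC rows into the alert so triage needs no second lookup.
    return {"gti_matches": gti_matches(event)}


if __name__ == "__main__":
    for sample in (HIT_EVENT, CLEAN_EVENT, NULL_EVENT):
        print(rule(sample), title(sample) if rule(sample) else "-")
```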

Seamless integration with your security stack

Unlock the full power of Panther by integrating with the tools your team already uses.

More integrations

Bolt-on AI closes alerts. Panther closes the loop.

See how Panther compounds intelligence across the SOC.
