Data Source
The GTI Relevance System is a Google Threat Intelligence platform feature that surfaces actor-driven alerts categorized by threat type (data leak, initial access broker activity, insider threat, ransomware, etc.). This connector pulls these alerts via the GTI REST API and ingests them into a custom table (RelevanceSystemAlerts_CL).
Ingestion Mechanism
- Type: Azure Function App (timer trigger, Python)
- Authentication: GTI API key stored in Azure Key Vault, retrieved via a managed identity + Key Vault secret reference
- Table: RelevanceSystemAlerts_CL
- Pagination: Cursor-based pagination via next_page_token, with checkpoint state persisted to Azure Blob Storage; a timeout guard ends the run gracefully after 9 minutes 30 seconds so an interrupted invocation does not leave orphaned runs
- Filtering: Optional GTI_FILTER_EXPRESSION app setting for server-side alert filtering (e.g., by severity level or state); the connector enforces audit.update_time > checkpoint regardless of user filter to prevent re-ingesting old data
- Parser: GTIRelevanceSystemAlerts (KQL workspace function normalising RelevanceSystemAlerts_CL fields)
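The pagination, checkpoint and filter-enforcement behaviour listed above, as an added example that is not the connector's own code: a poll loop that forces the `audit.update_time > checkpoint` predicate onto any operator filter, saves its cursor after every page, and stops before a fixed run budget expires. The GTI client, the blob-backed state store, the page layout and the use of epoch-seconds integers for update_time are all stand-ins assumed for the example.

```python
import json
import time
from typing import Callable, Optional

# Assumption: the run budget mirrors the 9 min 30 s guard described above,
# leaving headroom under a 10-minute host timeout.
RUN_BUDGET_SECONDS = 9 * 60 + 30


def build_filter(user_filter: Optional[str], checkpoint: int) -> str:
    """Combine an optional operator-supplied filter with the mandatory
    checkpoint predicate. The user filter may narrow the result set but can
    never remove the time bound, so old alerts are not re-ingested.
    Assumption: update_time is compared as an epoch-seconds integer."""
    forced = f"audit.update_time > {checkpoint}"
    if user_filter and user_filter.strip():
        return f"({user_filter.strip()}) AND {forced}"
    return forced


class InMemoryStateStore:
    """Stand-in for the blob-backed checkpoint store (one JSON document)."""

    def __init__(self, initial: Optional[dict] = None):
        self._blob = json.dumps(initial or {})

    def load(self) -> dict:
        return json.loads(self._blob)

    def save(self, state: dict) -> None:
        self._blob = json.dumps(state)


class FakeGtiClient:
    """Stand-in for the REST client; serves constructed alert pages and
    records every filter expression it was asked for."""

    def __init__(self, pages: list):
        self._pages = pages
        self.filters_seen = []

    def list_alerts(self, filter_expr: str, page_token: Optional[str]) -> dict:
        self.filters_seen.append(filter_expr)
        return self._pages[int(page_token or 0)]


def poll_alerts(client, store, sink: Callable[[list], None],
                user_filter: Optional[str] = None,
                budget_seconds: float = RUN_BUDGET_SECONDS,
                clock: Callable[[], float] = time.monotonic) -> dict:
    """Drain alert pages until the cursor is exhausted or the budget is spent.

    The filter (and the checkpoint embedded in it) stays fixed for the whole
    run so the cursor remains valid; the highest update_time seen is tracked
    separately and only promoted to the checkpoint once the last page is
    reached. State is saved after every page, so a run cut short by the
    budget resumes from its cursor instead of re-reading old pages.
    """
    start = clock()
    state = store.load()
    checkpoint = int(state.get("checkpoint", 0))
    high_water = int(state.get("high_water", checkpoint))
    page_token = state.get("next_page_token")
    filter_expr = build_filter(user_filter, checkpoint)
    ingested = pages = 0
    timed_out = False

    while True:
        if clock() - start >= budget_seconds:
            timed_out = True  # saved cursor lets the next run continue
            break
        page = client.list_alerts(filter_expr, page_token)
        alerts = page.get("data", [])
        if alerts:
            sink(alerts)
            ingested += len(alerts)
            high_water = max(high_water,
                             max(a["audit"]["update_time"] for a in alerts))
        pages += 1
        page_token = page.get("next_page_token")
        if page_token:
            store.save({"checkpoint": checkpoint,
                        "next_page_token": page_token,
                        "high_water": high_water})
            continue
        # Last page: promote the high-water mark and drop the cursor.
        store.save({"checkpoint": high_water,
                    "next_page_token": None,
                    "high_water": high_water})
        break

    return {"ingested": ingested, "pages": pages, "timed_out": timed_out,
            "checkpoint": store.load().get("checkpoint", checkpoint)}


# Constructed sample pages (not real GTI output): two cursor pages.
SAMPLE_PAGES = [
    {"data": [{"id": "alert-1", "audit": {"update_time": 1001}},
              {"id": "alert-2", "audit": {"update_time": 1005}}],
     "next_page_token": "1"},
    {"data": [{"id": "alert-3", "audit": {"update_time": 1003}}]},
]

if __name__ == "__main__":
    client = FakeGtiClient(SAMPLE_PAGES)
    store = InMemoryStateStore({"checkpoint": 1000})
    print(poll_alerts(client, store, lambda batch: None, user_filter="severity:HIGH"))
    print(client.filters_seen[0])
```

Keeping the checkpoint fixed while a cursor is open is the point worth copying: advancing it mid-stream would change the filter the cursor was issued against, and a run that times out on page three would otherwise resume with a mismatched query.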
Detection Surface Unlocked
Six new Scheduled Analytic Rules (all querying the RelevanceSystemAlerts_CL table through the GTIRelevanceSystemAlerts parser function; 5-minute query period; trigger threshold 0):
| Rule | Severity | Primary MITRE Focus |
|---|---|---|
| GTI High Relevance Alerts | High | Broad – high relevance score threshold |
| GTI High and Critical Priority Alerts | High | Broad – priority-based |
| GTI Data Leak Alerts | High | T1530 (Data from Cloud Storage), T1567 (Exfiltration Over Web Service) |
| GTI Initial Access Broker Alerts | High | T1190 (Exploit Public-Facing App), T1133 (External Remote Services), T1566 (Phishing), T1078 (Valid Accounts) |
| GTI Insider Threat Alerts | Medium | T1552 (Unsecured Credentials), T1078 (Valid Accounts) |
| GTI Relevance System Alerts – Incident by Alert ID | High | Deduplication rule – correlates alerts by GTI Alert ID to suppress duplicate incidents |
All rules map the following entities: IP (SrcIP), URL (AlertUrl), and Account where applicable.
MITRE Coverage
Extracted from PR metadata (T1068, T1078, T1133, T1190, T1485, T1486, T1530, T1552, T1566, T1567, T1595). Note: the individual rule YAML files declare empty relevantTechniques arrays, so the techniques listed here come from the PR-level metadata rather than from parsed YAML fields. Verify the MITRE mappings in each rule's YAML before relying on these ATT&CK coverage claims.
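The verification step above, as an added example that is not part of the PR or the solution: a check that reads each rule's relevantTechniques array and compares the union against the PR-level list. It uses a minimal line-based reader for the two forms Sentinel rule YAML uses (flow `[]`/`[T1190, T1133]` and block `- T1190`) rather than a full YAML library, and the two rule documents are constructed samples, not the PR's files; only the claimed technique list is taken from the metadata quoted above.

```python
import re

# Technique IDs stated in the PR-level metadata on this page.
PR_CLAIMED_TECHNIQUES = {"T1068", "T1078", "T1133", "T1190", "T1485", "T1486",
                         "T1530", "T1552", "T1566", "T1567", "T1595"}

TECHNIQUE_RE = re.compile(r"T\d{4}(?:\.\d{3})?")
KEY_RE = re.compile(r"^relevantTechniques:\s*(.*)$")
ITEM_RE = re.compile(r"^\s*-\s*['\"]?(T\d{4}(?:\.\d{3})?)")


def extract_relevant_techniques(yaml_text: str) -> list:
    """Return the technique IDs under a top-level relevantTechniques key.
    Handles the flow form on the key line and the indented block-list form;
    an absent key yields []."""
    lines = yaml_text.splitlines()
    for i, line in enumerate(lines):
        m = KEY_RE.match(line)
        if not m:
            continue
        inline = m.group(1).split("#", 1)[0].strip()
        if inline:                      # flow form: [] or [T1190, T1133]
            return TECHNIQUE_RE.findall(inline)
        found = []
        for nxt in lines[i + 1:]:
            if not nxt.strip():
                continue
            if not nxt.startswith((" ", "\t")):
                break                   # reached the next top-level key
            item = ITEM_RE.match(nxt)
            if item:
                found.append(item.group(1))
        return found
    return []


def audit_coverage(rules: dict, claimed: set) -> dict:
    """Compare per-rule declarations with a claimed coverage set."""
    declared = {name: set(extract_relevant_techniques(text))
                for name, text in rules.items()}
    union = set().union(*declared.values()) if declared else set()
    return {
        "declared": {k: sorted(v) for k, v in declared.items()},
        "rules_without_techniques": sorted(k for k, v in declared.items() if not v),
        "claimed_but_undeclared": sorted(claimed - union),
        "declared_but_unclaimed": sorted(union - claimed),
    }


# Constructed sample rule documents (placeholder ids, not the PR's files).
RULE_EMPTY = """id: 00000000-0000-0000-0000-000000000001
name: GTI Data Leak Alerts
severity: High
tactics:
  - Exfiltration
relevantTechniques: []
query: |
  GTIRelevanceSystemAlerts
  | where AlertType == "data_leak"
"""

RULE_BLOCK = """id: 00000000-0000-0000-0000-000000000002
name: GTI Insider Threat Alerts
severity: Medium
tactics:
  - CredentialAccess
relevantTechniques:
  - T1552
  - T1078
query: |
  GTIRelevanceSystemAlerts
  | where AlertType == "insider_threat"
"""

if __name__ == "__main__":
    report = audit_coverage({"GTI_DataLeakAlerts": RULE_EMPTY,
                             "GTI_InsiderThreatAlerts": RULE_BLOCK},
                            PR_CLAIMED_TECHNIQUES)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run this over the real `Analytic Rules/RelevanceSystemAlerts/*.yaml` files before quoting ATT&CK coverage: a non-empty `claimed_but_undeclared` list means the content hub's technique badges come from metadata the rules themselves do not assert.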
Affected Files
.script/tests/KqlvalidationsTests/CustomTables/GTIRelevanceSystemAlerts.json
.script/tests/KqlvalidationsTests/CustomTables/RelevanceSystemAlerts_CL.json
.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
Sample Data/Custom/RelevanceSystemAlerts_CL.csv
Solutions/Google Threat Intelligence/Analytic Rules/RelevanceSystemAlerts/GTI_DataLeakAlerts.yaml
Solutions/Google Threat Intelligence/Analytic Rules/RelevanceSystemAlerts/GTI_HighCriticalPriorityAlerts.yaml
Solutions/Google Threat Intelligence/Analytic Rules/RelevanceSystemAlerts/GTI_HighRelevanceAlerts.yaml
Solutions/Google Threat Intelligence/Analytic Rules/RelevanceSystemAlerts/GTI_InitialAccessBrokerAlerts.yaml
Solutions/Google Threat Intelligence/Analytic Rules/RelevanceSystemAlerts/GTI_InsiderThreatAlerts.yaml
Solutions/Google Threat Intelligence/Analytic Rules/RelevanceSystemAlerts/GTI_RelevanceSystemAlerts_IncidentByAlertId.yaml
Solutions/Google Threat Intelligence/Data Connectors/GTIRelevanceSystemAlerts/GTIRelevanceSystemAlerts_API_FunctionApp.json
Solutions/Google Threat Intelligence/Data Connectors/GTIRelevanceSystemAlerts/RelevanceSystemAlerts/__init__.py
Solutions/Google Threat Intelligence/Data Connectors/GTIRelevanceSystemAlerts/RelevanceSystemAlerts/function.json
Solutions/Google Threat Intelligence/Data Connectors/GTIRelevanceSystemAlerts/RelevanceSystemAlerts/gti_alerts_helper.py
Solutions/Google Threat Intelligence/Data Connectors/GTIRelevanceSystemAlerts/SharedCode/__init__.py
Solutions/Google Threat Intelligence/Data Connectors/GTIRelevanceSystemAlerts/SharedCode/consts.py
Solutions/Google Threat Intelligence/Data Connectors/GTIRelevanceSystemAlerts/SharedCode/exceptions.py
Solutions/Google Threat Intelligence/Data Connectors/GTIRelevanceSystemAlerts/SharedCode/gti_client.py
Solutions/Google Threat Intelligence/Data Connectors/GTIRelevanceSystemAlerts/SharedCode/keyvault_secrets_management.py
Solutions/Google Threat Intelligence/Data Connectors/GTIRelevanceSystemAlerts/SharedCode/logger.py
Solutions/Google Threat Intelligence/Data Connectors/GTIRelevanceSystemAlerts/SharedCode/sentinel.py
Solutions/Google Threat Intelligence/Data Connectors/GTIRelevanceSystemAlerts/SharedCode/state_manager.py
Solutions/Google Threat Intelligence/Data Connectors/GTIRelevanceSystemAlerts/SharedCode/utils.py
Solutions/Google Threat Intelligence/Data Connectors/GTIRelevanceSystemAlerts/azuredeploy_GTIRelevanceSystemAlerts.json
Solutions/Google Threat Intelligence/Data Connectors/GTIRelevanceSystemAlerts/host.json
Solutions/Google Threat Intelligence/Data Connectors/GTIRelevanceSystemAlerts/proxies.json
Solutions/Google Threat Intelligence/Data Connectors/GTIRelevanceSystemAlerts/requirements.txt
Solutions/Google Threat Intelligence/Parsers/GTIRelevanceSystemAlerts.yaml
(packaging artefacts: 3.2.3.zip, GTIRelevanceSystemAlerts.zip, ReleaseNotes.md, Solution_GoogleThreatIntelligence.json, createUiDefinition.json, mainTemplate.json)