Team Cymru Scout Integration for Google SecOps SIEM
From Indicators to Intelligence: Transforming Team Cymru's Threat Data into Actionable Insights with Google SecOps SIEM
Executive Summary
Crest Data developed an end-to-end integration between Team Cymru's Scout platform and Google SecOps SIEM,
enabling the organization's security team to strengthen its threat detection within Google SecOps using Team Cymru's threat intelligence. The integration supports both automatic enrichment and manual, analyst-driven enrichment of security telemetry with IP and domain intelligence, improving detection accuracy and accelerating investigations in Google SecOps.
The Team Cymru Scout platform helps analysts, SOC, and IR teams gain immediate insight into IPs and domains for faster threat investigation and incident response. Powered by Team Cymru's Pure Signal data, it enables quick triage, deeper risk analysis, and stronger visibility into potential threats, delivering real-time intelligence on malicious IPs, domains, and network communications. Google SecOps users can work directly with this intelligence once it has been ingested through the integration.
Business Challenge
Insufficient context: Security analysts encountered unfamiliar IPs, domains, and hashes in telemetry but lacked the enriched metadata needed for rapid triage and investigation.
Format inconsistency: Although TeamCymru supplies high-value indicators, varying formats and inconsistent metadata prevented direct ingestion into Google SecOps's Unified Data Model (UDM).
Manual processing overhead: Without standardized mapping and automated normalization, analysts wasted valuable time manually cleaning and cross-referencing indicators before enrichment.
Limited visualization: There was no dedicated visualization capability to surface indicator trends and patterns across the threat landscape.
Organizations needed a standardized way to transform TeamCymru's high-value threat intelligence into actionable context within Google SecOps SIEM, enabling rapid triage and investigation of unfamiliar IPs, domains, and hashes regardless of their original format.
Customer Solution
Crest Data developed a comprehensive integration between Team Cymru Scout and Google SecOps SIEM with the following key components:
TeamCymru Threat Indicator Feed: Scheduled and on-demand pulls keep the indicator set fresh and relevant. Analysts can configure which indicator types (IP, domain, URL, hash) or feed subsets to ingest, reducing noise and focusing on the threat types that matter to them.
Normalization: Raw TeamCymru fields are translated into Google SecOps's Unified Data Model (UDM). When an indicator references an asset, the integration creates entity records in Google SecOps so that analysts can pivot from an indicator to the asset's historical telemetry.
Enrichment: Analysts can load indicator lists into a Google SecOps data table or reference list; these inputs trigger the enrichment pipeline, enabling ad hoc research and bulk lookups.
Real-time correlation: Ingested indicators are automatically matched against incoming telemetry (logs, network events) in Google SecOps. When a match occurs, it is surfaced as an indicator-hit event and displayed under IOC Matches in Google SecOps.
Visualization: A dashboard surfaces ingestion volume, top indicators, and timeline views for investigations.
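The normalization and correlation components described above are the two places where field handling decides whether an indicator ever produces a hit. The following is an added example, not Crest Data's or Team Cymru's code: it maps constructed Team Cymru-style indicator records (the input field names `indicator`, `type`, `confidence`, `tags`, `first_seen`, `last_seen` and the confidence-to-severity thresholds are assumptions about the vendor format) into UDM entity records using the published entity schema paths (`metadata.entity_type`, `metadata.threat`, `entity.ip`, `entity.hostname`, `entity.file.sha256`), then runs an IOC-match pass over constructed UDM events. It covers IPs, domains and hashes, and shows why both sides must be canonicalized the same way (IP formatting, hostname case and trailing dot, digest case) and why malformed feed records should be dropped rather than ingested.

```python
# Added example (not Crest Data's or Team Cymru's code): normalize constructed Team
# Cymru-style indicator records into Google SecOps UDM entities, then match them
# against constructed UDM events. Vendor field names and severity thresholds are assumptions.
import ipaddress
from datetime import datetime, timezone

SHA256 = "a" * 64  # constructed placeholder digest
# Constructed feed records in an assumed vendor shape; the last one is deliberately malformed.
RAW_INDICATORS = [
    {"indicator": "203.0.113.45", "type": "ip", "confidence": 92, "tags": ["c2"],
     "first_seen": "2024-05-01T00:00:00Z", "last_seen": "2024-05-20T00:00:00Z"},
    {"indicator": "Bad.Example.NET.", "type": "domain", "confidence": 70, "tags": ["phishing"],
     "first_seen": "2024-05-02T00:00:00Z", "last_seen": "2024-05-19T00:00:00Z"},
    {"indicator": SHA256, "type": "hash", "confidence": 40, "tags": [],
     "first_seen": "2024-05-03T00:00:00Z", "last_seen": "2024-05-03T00:00:00Z"},
    {"indicator": "not an ip", "type": "ip", "confidence": 99, "tags": [],
     "first_seen": "2024-05-03T00:00:00Z", "last_seen": "2024-05-03T00:00:00Z"},
]
ENTITY_TYPE = {"ip": "IP_ADDRESS", "domain": "DOMAIN_NAME", "hash": "FILE"}
HASH_FIELD = {32: "md5", 40: "sha1", 64: "sha256"}  # UDM file field chosen by digest length

def severity(confidence):
    """Assumed mapping of vendor confidence to a UDM severity bucket."""
    return "HIGH" if confidence >= 85 else "MEDIUM" if confidence >= 60 else "LOW"

def to_udm_entity(raw):
    """Map one raw record to a UDM entity record, or None if it fails validation."""
    kind, value = raw["type"], raw["indicator"].strip()
    if kind == "ip":
        try:
            entity = {"ip": [str(ipaddress.ip_address(value))]}  # canonical form, rejects junk
        except ValueError:
            return None
    elif kind == "domain":
        entity = {"hostname": value.lower().rstrip(".")}  # case/trailing dot would defeat matching
    elif kind == "hash" and len(value) in HASH_FIELD:
        entity = {"file": {HASH_FIELD[len(value)]: value.lower()}}
    else:
        return None
    return {
        "metadata": {
            "vendor_name": "Team Cymru", "product_name": "Scout",
            "entity_type": ENTITY_TYPE[kind],
            "collected_timestamp": datetime.now(timezone.utc).isoformat(),
            "interval": {"start_time": raw["first_seen"], "end_time": raw["last_seen"]},
            "threat": [{"severity": severity(raw["confidence"]),
                        "confidence_score": raw["confidence"],
                        "category_details": list(raw.get("tags", []))}],
        },
        "entity": entity,
    }

def normalize(raw_records):
    """Drop records that cannot be mapped rather than ingesting half-formed entities."""
    return [e for e in map(to_udm_entity, raw_records) if e is not None]

def ioc_key(ent):
    """(entity_type, value) lookup key for a normalized entity."""
    t, e = ent["metadata"]["entity_type"], ent["entity"]
    if t == "IP_ADDRESS":
        return (t, e["ip"][0])
    return (t, e["hostname"] if t == "DOMAIN_NAME" else next(iter(e["file"].values())))

def event_candidates(event):
    """Observables in a UDM event an IOC could match, normalized the same way as the feed."""
    out = []
    for noun in ("principal", "target"):
        n = event.get(noun, {})
        out += [("IP_ADDRESS", ip) for ip in n.get("ip", [])]
        if "hostname" in n:
            out.append(("DOMAIN_NAME", n["hostname"].lower().rstrip(".")))
        for f in (n.get("file"), n.get("process", {}).get("file")):
            out += [("FILE", f[h].lower()) for h in HASH_FIELD.values() if f and h in f]
    for q in event.get("network", {}).get("dns", {}).get("questions", []):
        out.append(("DOMAIN_NAME", q["name"].lower().rstrip(".")))
    return out

def match_events(events, entities):
    """Return (event id, matched indicator, severity) for every IOC hit."""
    index = {ioc_key(e): e for e in entities}
    return [(ev["metadata"]["id"], key[1], index[key]["metadata"]["threat"][0]["severity"])
            for ev in events for key in event_candidates(ev) if key in index]

# Constructed UDM events; evt-4 should not match anything.
SAMPLE_EVENTS = [
    {"metadata": {"id": "evt-1", "event_type": "NETWORK_CONNECTION"},
     "principal": {"ip": ["10.0.0.5"]}, "target": {"ip": ["203.0.113.45"], "port": 443}},
    {"metadata": {"id": "evt-2", "event_type": "NETWORK_DNS"}, "principal": {"ip": ["10.0.0.7"]},
     "network": {"dns": {"questions": [{"name": "bad.example.net."}]}}},
    {"metadata": {"id": "evt-3", "event_type": "PROCESS_LAUNCH"},
     "target": {"process": {"file": {"sha256": SHA256.upper(), "full_path": "C:\\tmp\\x.exe"}}}},
    {"metadata": {"id": "evt-4", "event_type": "NETWORK_CONNECTION"}, "target": {"ip": ["198.51.100.9"]}},
]

if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS, normalize(RAW_INDICATORS)):
        print(hit)
```

Running it yields three hits (evt-1 on the IP, evt-2 on the DNS question despite the differing case and trailing dot, evt-3 on the uppercase digest) and silently drops the malformed fourth feed record. In a real deployment the matching is done by Google SecOps itself once the entities are ingested; the point of the example is that the canonicalization applied during normalization must agree with how the same observables appear in UDM events, and that UDM field paths should be checked against the current UDM reference for your tenant.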
Note: The above solution could be migrated to a Google SecOps content pack once that packaging is generally available (GA).
The Crest Difference
Threat Intelligence, Made Actionable: This solution brings TeamCymru intelligence directly into Google SecOps UDM - fully normalized, enriched, and instantly usable for investigations and detections, not just ingested as raw data.
Beyond Ingestion with UDM Expertise: We layered the IOC and entity data models to enable seamless automatic correlation and a reliable search and detection experience across Google SecOps.
Deep Google SecOps & Security Operations Expertise: Our profound understanding of how security teams actually use these platforms ensures that the integrations we build are not just technically sound but intuitively useful and highly effective in real-world scenarios.