GoogleThreatIntelligence v3.0.0
Analyzes suspicious hashes, URLs, domains, and IP addresses, and fetch incidents as DTM Alerts or ASM Issues from the Google Threat Intelligence platform.
- Author:
- Support:
- partner
- Default data source:
- GoogleThreatIntelligenceDTMAlerts
Classifiers (3)
Incident fields (95)
- GTI ASM Issue Alias Group
- GTI ASM Issue Category
- GTI ASM Issue Collection
- GTI ASM Issue Collection Type
- GTI ASM Issue Collection UUID
- GTI ASM Issue Confidence
- GTI ASM Issue Dynamic ID
- GTI ASM Issue Entity Name
- GTI ASM Issue Entity Type
- GTI ASM Issue Entity UID
- GTI ASM Issue First Seen
- GTI ASM Issue Identifiers
- GTI ASM Issue Last Seen
- GTI ASM Issue Name
- GTI ASM Issue Organization UUID
- GTI ASM Issue Scoped
- GTI ASM Issue Status
- GTI ASM Issue Status New
- GTI ASM Issue Status New Detailed
- GTI ASM Issue Ticket List
- GTI ASM Issue UID
- GTI ASM Issue UUID
- GTI ASM Issue Upstream
- GTI DTM Alert AI Doc Summary
- GTI DTM Alert Aggregation ID
- GTI DTM Alert Analysis
- GTI DTM Alert Attachments
- GTI DTM Alert Confidence Score
- GTI DTM Alert Created At
- GTI DTM Alert Doc Body
- GTI DTM Alert Doc Description
- GTI DTM Alert Doc Details
- GTI DTM Alert Doc Domain
- GTI DTM Alert Doc ID
- GTI DTM Alert Doc Ingested Time
- GTI DTM Alert Doc Item Type
- GTI DTM Alert Doc Language
- GTI DTM Alert Doc Message ID
- GTI DTM Alert Doc Paste ID
- GTI DTM Alert Doc Post Date
- GTI DTM Alert Doc Raw Text
- GTI DTM Alert Doc Similar Domains
- GTI DTM Alert Doc Source
- GTI DTM Alert Doc Subject
- GTI DTM Alert Doc Timestamp
- GTI DTM Alert Doc Title
- GTI DTM Alert Doc Topic ID
- GTI DTM Alert Doc Type
- GTI DTM Alert Email Sent At
- GTI DTM Alert Has Analysis
- GTI DTM Alert Indicator Malicious Score
- GTI DTM Alert Labels
- GTI DTM Alert Monitor ID
- GTI DTM Alert Monitor Name
- GTI DTM Alert Monitor Version
- GTI DTM Alert Similarity Score
- GTI DTM Alert Status
- GTI DTM Alert Summary
- GTI DTM Alert Topics
- GTI DTM Alert Type
- GTI DTM Alert Updated At
- GTI RS Alert AI Summary
- GTI RS Alert Audit Create Time
- GTI RS Alert Audit Creator
- GTI RS Alert Audit Update Time
- GTI RS Alert Audit Updater
- GTI RS Alert Configurations
- GTI RS Alert Data Leak Discovery Document IDs
- GTI RS Alert Data Leak Severity
- GTI RS Alert Detail Type
- GTI RS Alert Display Name
- GTI RS Alert Duplicate Of
- GTI RS Alert Duplicated By
- GTI RS Alert ETag
- GTI RS Alert External ID
- GTI RS Alert Finding Count
- GTI RS Alert Findings
- GTI RS Alert Initial Access Broker Discovery Document IDs
- GTI RS Alert Initial Access Broker Severity
- GTI RS Alert Insider Threat Discovery Document IDs
- GTI RS Alert Insider Threat Severity
- GTI RS Alert Name
- GTI RS Alert Priority Analysis Confidence
- GTI RS Alert Priority Analysis Level
- GTI RS Alert Priority Analysis Reasoning
- GTI RS Alert Relevance Common Themes
- GTI RS Alert Relevance Confidence
- GTI RS Alert Relevance Distinct Themes
- GTI RS Alert Relevance Level
- GTI RS Alert Relevance Reasoning
- GTI RS Alert Relevance Relevant
- GTI RS Alert Severity Analysis Confidence
- GTI RS Alert Severity Analysis Level
- GTI RS Alert Severity Analysis Reasoning
- GTI RS Alert State
Incident types (3)
Indicator fields (3)
- GTI Severity
- GTI Threat Score
- GTI Verdict
Integrations (6)
Layouts (3)
Playbooks (12)
- ASM Issue Incident Response - Google Threat Intelligence
- CVE Ticket Creation - Google Threat Intelligence
- DTM Alert Incident Response - Google Threat Intelligence
- Email Collection by Enriched Domain - Google Threat Intelligence
- File Private Scanning - Google Threat Intelligence
- IOC Curated Enrichment - Google Threat Intelligence
- IOC Enrichment and Blocking - Google Threat Intelligence
- IOCs Curated Threat Intelligence Enrichment - Google Threat Intelligence
- Phishing Triage and Response - Google Threat Intelligence
- URL Private Scanning - Google Threat Intelligence
- URL Scan - Google Threat Intelligence
- Vulnerability Enrichment and Ticket Creation - Google Threat Intelligence
README
What. Google Threat Intelligence provides unparalleled visibility into the global threat landscape. We offer deep insights from Mandiant’s leading incident response and threat research team, and combine them with our massive user and device footprint and VirusTotal’s broad crowdsourced malware database.
Why. Security teams are often confronted with an unknown file/URL/domain/IP address and asked to make sense of an attack. Without further context, it is virtually impossible to determine attribution, build effective defenses against other strains of the attack, or understand the impact of a given threat in your organization. Through API and web based interaction with Google Threat Intelligence, security analysts can rapidly build a picture of an incident and then use those insights to neutralize other attacks.
Outcome. Faster, more confident, more accurate and more cost-effective security operations.
Where. On-premise, in the cloud, in your hosting, in your corporate network, everywhere.
What we solve for leaders.
| Security team challenges | Solving with Google Threat Intelligence + XSOAR |
|---|---|
| Alert fatigue + quality & speed of IR handling. PANW survey data shows that SOC analysts are only able to handle 14% of alerts generated by security tools. | Eradicate analyst burnout through automation. Automate false positive discarding and alert prioritization, optimize SOC resources. Malicious+Benign info. |
| Lack of context & missed threats. Reliance on reactive threat feeds. Only information about internal systems and users, no in-the-wild contextual details. | Improved and early detection. Track threats going forward with YARA. Crowdsourced threat reputation for files/hashes, domains, IPs and URLs coming from over 90 security vendors. |
| Finding and maintaining security talent. There is a shortage of qualified security candidates; recruiting + retaining these is an endemic challenge | Juniors operating as advanced threat hunters. Automate repetitive tasks with playbooks, elevate SOC Level 1 effectiveness. Faster, more confident and more accurate decisions. Greater productivity. |
| Budget constraints. Cybersecurity isn’t top of mind at many organizations when budget line items are getting funded. Difficult to prove ROI. | Condense & lower costs + Increase toolset ROI. One-stop-shop for everything threat intelligence related (domains, IPs, URLs, files). Take your SIEM, IDS, EDR, Firewall, etc. to the next level. |
Use cases.
- Automatic security telemetry enrichment. Event contextualization. Alert prioritization. False positive discarding. True positive confirmation. Automated hunting.
- Incident response & forensic analysis. Blast radius identification. Generation of remediative IoCs. Context expansion beyond your internal network.
- Threat Intelligence & advanced hunting. Unknown threat discovery. Campaign & adversary monitoring. Preventative IoCs.
- Brand & corporate infrastructure monitoring. Phishing campaign tracking. Brand impersonation alerts. Attack surface compromise identification.
- Vulnerability prioritization. Smart risk-driven patching. Vulnerability weaponization monitoring. Vulnerability landscape exploration.
- Red teaming & ethical hacking. Automatic reconnaissance/passive fingerprinting operations. Breach & attack simulation. Security stack validation.
Example questions we answer.
- Is a given {file, hash, domain, IP, URL} malicious according to the security industry? How widely known and detected is it?
- Has a given IP address been part of a given threat campaign? What domains have resolved historically to such IP (passive DNS)? Who owns the IP? etc.
- Is a given domain part of a threat’s network infrastructure? Are there any other domains registered by the same threat actor? What types of threats are connected with the given domain? How does the industry categorize the domain (CnC, exploit, phishing, …)? etc.
- Is a given URL part of a phishing attack? Does it deliver malware? Does the server side setup exhibit any commonalities that allow me to pivot to other setups operated by the same attacker?
- Are there any IoCs that can be used to block or hunt for a given malware file or variants of its family/campaign? What does the file do when executed in a sandbox? etc.
- Is some fake/malicious mobile application making use of my logo/brand? What are the latest set of newly registered domains that seem to be typosquatting my site? Are there any potential phishing websites making use of my site’s title/favicon?
- Is a vulnerability (CVE) that appeared in my environment being currently leveraged by malware? How popular is it?
Technical capabilities
- Threat reputation for {files, hashes, domains, IPs, URLs} coming from over 90 security vendors (antivirus solutions, nextgen EDRs, domain blocklists, network perimeter solutions, etc.).
- Multi-angular detection for files via crowdsourced {YARA, SIGMA, IDS} rules.
- Allowlist (benign) information through the aggregation of goodware indicators and provenance details.
- Dynamic analysis for files through detonation in multiple home-grown and 3rd-party partner sandbox solutions.
- Extended file context and metadata through static analysis tools such as sigcheck’s authenticode signature extractor, MS Office macro VBA dissectors, Didier S PDF tools, etc.
- Community comments and assessments coming from over 2M monthly users of the free www.virustotal.com public site.
- Threat graph schema tying together the files, domains, IPs and URLs in the dataset through relationships such as downloaded files, communicating files, passive DNS resolutions, etc.
- Passive DNS information listing historical domains seen behind a given IP address and detailing all infrastructure changes for a given domain.
- Whois lookup information for domains and IP addresses, including pivoting based on Whois properties such as registrant details (if available).
- Historical SSL certificate information for domains and IPs.
- Vulnerability intelligence by tagging files with CVEs that they might be exploiting and allowing searches and alerts based on CVEs.
- Custom threat intelligence feeds (ransomware, APTs, first stage delivery vectors, OS X malware, IoT, etc.) by filtering Google Threat Intelligence real-time file flux with VT HUNTING Livehunt YARA rules.
- Operational and strategic intelligence through crowdsourcing of OSINT sources digging into threat campaigns and threat actors.
- Advanced faceted/elastic searches over the {file, domain, IP, URL} corpus to identify IoCs that match certain criteria, e.g. list all MS Office documents that when opened launch a powershell script and end up exhibiting network communication.
- Download any file in the Google Threat Intelligence corpus and reroute it to other analysis systems you own.
- Analysis and listing of Digital Threat Monitoring alerts (DTM Alerts) and Attack Surface Management issues (ASM Issues).
- Enable outgoing mirroring for DTM Alerts, maintaining synchronized alert status and tags with Cortex XSOAR.
- Enable outgoing mirroring for ASM Issues, maintaining synchronized status, tags, and notes with Cortex XSOAR.
- Enable bi-directional mirroring for Relevance System (RS) Alerts to maintain synchronized alert status with Cortex XSOAR.
- Fetch DTM Alerts using filter parameters supported by the Google Threat Intelligence API.
- Fetch ASM Issues into Cortex XSOAR as incidents for centralized incident management.
- Fetch RS Alerts into Cortex XSOAR as incidents using the filter parameters supported by the Google Threat Intelligence API.
Popular tasks
- Enrich (context + reputation) IoCs (domains, IPs, URLs, attachments) found in suspicious emails entering your organization, escalate to the pertinent SOC function.
- Scan suspicious files seen in your organization and get a second opinion that complements your corporate security stack.
- Automatically discard false positive alerts recorded in your organization’s SIEM, sparing SOC resources.
- Automatically confirm true positive alerts recorded in your organization’s SIEM.
- Rank and prioritize SOC alerts based on severity and threat categories (trojan > adware > PUA).
- Append an additional layer of context to your alert/incident tickets so that SOC analysts can perform faster and more confident decision making.
- Feed your network perimeter defenses (Firewall, IDS, web proxy, etc.) with additional IoCs related to an incident or tracked via YARA rules.
- Create custom IoC feeds (ransomware, APTs, IoT, etc.) with VT HUNTING Livehunt (YARA) and automatically match them against your security logs/SIEM/etc.
- Cover blindspots in your EDR by feeding it lists of highly relevant and undetected threats identified through the use of YARA in Google Threat Intelligence.
- Derive scores based on malicious observations and relationships for IPs transacting with your business.
- Assign a severity score to issues identified in a vulnerability scan of your networks.
- Enrich Digital Threat Monitoring alerts (DTM Alerts) and Attack Surface Management issues (ASM Issues).
- Ingest DTM Alerts into Cortex XSOAR as incidents with supported outgoing mirroring of status and tags.
- Ingest ASM Issues into Cortex XSOAR as incidents with supported outgoing mirroring of status, tags, and notes.
- Ingest RS Alerts into Cortex XSOAR as incidents with supported bi-directional mirroring for alert status synchronization.
Additional information