Skip to main content

GoogleThreatIntelligence

Download With Dependencies

Analyze suspicious hashes, URLs, domains and IP addresses

What. Google Threat Intelligence provides unparalleled visibility into the global threat landscape. We offer deep insights from Mandiant’s leading incident response and threat research team, and combine them with our massive user and device footprint and VirusTotal’s broad crowdsourced malware database.

Why. Security teams are often confronted with an unknown file/URL/domain/IP address and asked to make sense of an attack. Without further context, it is virtually impossible to determine attribution, build effective defenses against other strains of the attack, or understand the impact of a given threat in your organization. Through API and web based interaction with Google Threat Intelligence, security analysts can rapidly build a picture of an incident and then use those insights to neutralize other attacks.

Outcome. Faster, more confident, more accurate and more cost-effective security operations.

Where. On-premise, in the cloud, in your hosting, in your corporate network, everywhere.

What we solve for leaders.

Security team challenges Solving with Google Threat Intelligence + XSOAR
Alert fatigue + quality & speed of IR handling. PANW survey data shows that SOC analysts are only able to handle 14% of alerts generated by security tools. Eradicate analyst burnout through automation. Automate false positive discarding and alert prioritization, optimize SOC resources. Malicious+Benign info.
Lack of context & missed threats. Reliance on reactive threat feeds. Only information about internal systems and users, no in-the-wild contextual details. Improved and early detection. Track threats going forward with YARA. Crowdsourced threat reputation for files/hashes, domains, IPs and URLs coming from over 90 security vendors.
Finding and maintaining security talent. There is a shortage of qualified security candidates; recruiting + retaining these is an endemic challenge Juniors operating as advanced threat hunters. Automate repetitive tasks with playbooks, elevate SOC Level 1 effectiveness. Faster, more confident and more accurate decisions. Greater productivity.
Budget constraints. Cybersecurity isn’t top of mind at many organizations when budget line items are getting funded. Difficult to prove ROI. Condense & lower costs + Increase toolset ROI. One-stop-shop for everything threat intelligence related (domains, IPs, URLs, files). Take your SIEM, IDS, EDR, Firewall, etc. to the next level.

Use cases.

  • Automatic security telemetry enrichment. Event contextualization. Alert prioritization. False positive discarding. True positive confirmation. Automated hunting.
  • Incident response & forensic analysis. Blast radius identification. Generation of remediative IoCs. Context expansion beyond your internal network.
  • Threat Intelligence & advanced hunting. Unknown threat discovery. Campaign & adversary monitoring. Preventative IoCs.
  • Brand & corporate infrastructure monitoring. Phishing campaign tracking. Brand impersonation alerts. Attack surface compromise identification.
  • Vulnerability prioritization. Smart risk-driven patching. Vulnerability weaponization monitoring. Vulnerability landscape exploration.
  • Red teaming & ethical hacking. Automatic reconnaissance/passive fingerprinting operations. Breach & attack simulation. Security stack validation.

Example questions we answer.

  • Is a given {file, hash, domain, IP, URL} malicious according to the security industry? How widely known and detected is it?
  • Has a given IP address been part of a given threat campaign? What domains have resolved historically to such IP (passive DNS)? Who owns the IP? etc.
  • Is a given domain part of a threat’s network infrastructure? Are there any other domains registered by the same threat actor? What types of threats are connected with the given domain? How does the industry categorize the domain (CnC, exploit, phishing, …)? etc.
  • Is a given URL part of a phishing attack? Does it deliver malware? Does the server side setup exhibit any commonalities that allow me to pivot to other setups operated by the same attacker?
  • Are there any IoCs that can be used to block or hunt for a given malware file or variants of its family/campaign? What does the file do when executed in a sandbox? etc.
  • Is some fake/malicious mobile application making use of my logo/brand? What are the latest set of newly registered domains that seem to be typosquatting my site? Are there any potential phishing websites making use of my site’s title/favicon?
  • Is a vulnerability (CVE) that appeared in my environment being currently leveraged by malware? How popular is it?

Technical capabilities

  • Threat reputation for {files, hashes, domains, IPs, URLs} coming from over 90 security vendors (antivirus solutions, nextgen EDRs, domain blocklists, network perimeter solutions, etc.).
  • Multi-angular detection for files via crowdsourced {YARA, SIGMA, IDS} rules.
  • Allowlist (benign) information through the aggregation of goodware indicators and provenance details.
  • Dynamic analysis for files through detonation in multiple home-grown and 3rd-party partner sandbox solutions.
  • Extended file context and metadata through static analysis tools such as sigcheck’s authenticode signature extractor, MS Office macro VBA dissectors, Didier Stevens’ PDF tools, etc.
  • Community comments and assessments coming from over 2M monthly users of the free www.virustotal.com public site.
  • Threat graph schema tying together the files, domains, IPs and URLs in the dataset through relationships such as downloaded files, communicating files, passive DNS resolutions, etc.
  • Passive DNS information listing historical domains seen behind a given IP address and detailing all infrastructure changes for a given domain.
  • Whois lookup information for domains and IP addresses, including pivoting based on Whois properties such as registrant details (if available).
  • Historical SSL certificate information for domains and IPs.
  • Vulnerability intelligence by tagging files with CVEs that they might be exploiting and allowing searches and alerts based on CVEs.
  • Custom threat intelligence feeds (ransomware, APTs, first stage delivery vectors, OS X malware, IoT, etc.) by filtering Google Threat Intelligence real-time file flux with VT HUNTING Livehunt YARA rules.
  • Operational and strategic intelligence through crowdsourcing of OSINT sources digging into threat campaigns and threat actors.
  • Advanced faceted/elastic searches over the {file, domain, IP, URL} corpus to identify IoCs that match certain criteria, e.g. list all MS Office documents that when opened launch a powershell script and end up exhibiting network communication.
  • Download any file in the Google Threat Intelligence corpus and reroute it to other analysis systems you own.

Popular tasks

  • Enrich (context + reputation) IoCs (domains, IPs, URLs, attachments) found in suspicious emails entering your organization, escalate to the pertinent SOC function.
  • Scan suspicious files seen in your organization and get a second opinion that complements your corporate security stack.
  • Automatically discard false positive alerts recorded in your organization’s SIEM, sparing SOC resources.
  • Automatically confirm true positive alerts recorded in your organization’s SIEM.
  • Rank and prioritize SOC alerts based on severity and threat categories (trojan > adware > PUA).
  • Append an additional layer of context to your alert/incident tickets so that SOC analysts can perform faster and more confident decision making.
  • Feed your network perimeter defenses (Firewall, IDS, web proxy, etc.) with additional IoCs related to an incident or tracked via YARA rules.
  • Create custom IoC feeds (ransomware, APTs, IoT, etc.) with VT HUNTING Livehunt (YARA) and automatically match them against your security logs/SIEM/etc.
  • Cover blindspots in your EDR by feeding it lists of highly relevant and undetected threats identified through the use of YARA in Google Threat Intelligence.
  • Derive scores based on malicious observations and relationships for IPs transacting with your business.
  • Assign a severity score to issues identified in a vulnerability scan of your networks.

Additional information

Pack Contributors:


  • Google Threat Intelligence Team

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

What. Google Threat Intelligence provides unparalleled visibility into the global threat landscape. We offer deep insights from Mandiant’s leading incident response and threat research team, and combine them with our massive user and device footprint and VirusTotal’s broad crowdsourced malware database.

Why. Security teams are often confronted with an unknown file/URL/domain/IP address and asked to make sense of an attack. Without further context, it is virtually impossible to determine attribution, build effective defenses against other strains of the attack, or understand the impact of a given threat in your organization. Through API and web based interaction with Google Threat Intelligence, security analysts can rapidly build a picture of an incident and then use those insights to neutralize other attacks.

Outcome. Faster, more confident, more accurate and more cost-effective security operations.

Where. On-premise, in the cloud, in your hosting, in your corporate network, everywhere.

What we solve for leaders.

Security team challenges Solving with Google Threat Intelligence + XSOAR
Alert fatigue + quality & speed of IR handling. PANW survey data shows that SOC analysts are only able to handle 14% of alerts generated by security tools. Eradicate analyst burnout through automation. Automate false positive discarding and alert prioritization, optimize SOC resources. Malicious+Benign info.
Lack of context & missed threats. Reliance on reactive threat feeds. Only information about internal systems and users, no in-the-wild contextual details. Improved and early detection. Track threats going forward with YARA. Crowdsourced threat reputation for files/hashes, domains, IPs and URLs coming from over 90 security vendors.
Finding and maintaining security talent. There is a shortage of qualified security candidates; recruiting + retaining these is an endemic challenge Juniors operating as advanced threat hunters. Automate repetitive tasks with playbooks, elevate SOC Level 1 effectiveness. Faster, more confident and more accurate decisions. Greater productivity.
Budget constraints. Cybersecurity isn’t top of mind at many organizations when budget line items are getting funded. Difficult to prove ROI. Condense & lower costs + Increase toolset ROI. One-stop-shop for everything threat intelligence related (domains, IPs, URLs, files). Take your SIEM, IDS, EDR, Firewall, etc. to the next level.

Use cases.

  • Automatic security telemetry enrichment. Event contextualization. Alert prioritization. False positive discarding. True positive confirmation. Automated hunting.
  • Incident response & forensic analysis. Blast radius identification. Generation of remediative IoCs. Context expansion beyond your internal network.
  • Threat Intelligence & advanced hunting. Unknown threat discovery. Campaign & adversary monitoring. Preventative IoCs.
  • Brand & corporate infrastructure monitoring. Phishing campaign tracking. Brand impersonation alerts. Attack surface compromise identification.
  • Vulnerability prioritization. Smart risk-driven patching. Vulnerability weaponization monitoring. Vulnerability landscape exploration.
  • Red teaming & ethical hacking. Automatic reconnaissance/passive fingerprinting operations. Breach & attack simulation. Security stack validation.

Example questions we answer.

  • Is a given {file, hash, domain, IP, URL} malicious according to the security industry? How widely known and detected is it?
  • Has a given IP address been part of a given threat campaign? What domains have resolved historically to such IP (passive DNS)? Who owns the IP? etc.
  • Is a given domain part of a threat’s network infrastructure? Are there any other domains registered by the same threat actor? What types of threats are connected with the given domain? How does the industry categorize the domain (CnC, exploit, phishing, …)? etc.
  • Is a given URL part of a phishing attack? Does it deliver malware? Does the server side setup exhibit any commonalities that allow me to pivot to other setups operated by the same attacker?
  • Are there any IoCs that can be used to block or hunt for a given malware file or variants of its family/campaign? What does the file do when executed in a sandbox? etc.
  • Is some fake/malicious mobile application making use of my logo/brand? What are the latest set of newly registered domains that seem to be typosquatting my site? Are there any potential phishing websites making use of my site’s title/favicon?
  • Is a vulnerability (CVE) that appeared in my environment being currently leveraged by malware? How popular is it?

Technical capabilities

  • Threat reputation for {files, hashes, domains, IPs, URLs} coming from over 90 security vendors (antivirus solutions, nextgen EDRs, domain blocklists, network perimeter solutions, etc.).
  • Multi-angular detection for files via crowdsourced {YARA, SIGMA, IDS} rules.
  • Allowlist (benign) information through the aggregation of goodware indicators and provenance details.
  • Dynamic analysis for files through detonation in multiple home-grown and 3rd-party partner sandbox solutions.
  • Extended file context and metadata through static analysis tools such as sigcheck’s authenticode signature extractor, MS Office macro VBA dissectors, Didier Stevens’ PDF tools, etc.
  • Community comments and assessments coming from over 2M monthly users of the free www.virustotal.com public site.
  • Threat graph schema tying together the files, domains, IPs and URLs in the dataset through relationships such as downloaded files, communicating files, passive DNS resolutions, etc.
  • Passive DNS information listing historical domains seen behind a given IP address and detailing all infrastructure changes for a given domain.
  • Whois lookup information for domains and IP addresses, including pivoting based on Whois properties such as registrant details (if available).
  • Historical SSL certificate information for domains and IPs.
  • Vulnerability intelligence by tagging files with CVEs that they might be exploiting and allowing searches and alerts based on CVEs.
  • Custom threat intelligence feeds (ransomware, APTs, first stage delivery vectors, OS X malware, IoT, etc.) by filtering Google Threat Intelligence real-time file flux with VT HUNTING Livehunt YARA rules.
  • Operational and strategic intelligence through crowdsourcing of OSINT sources digging into threat campaigns and threat actors.
  • Advanced faceted/elastic searches over the {file, domain, IP, URL} corpus to identify IoCs that match certain criteria, e.g. list all MS Office documents that when opened launch a powershell script and end up exhibiting network communication.
  • Download any file in the Google Threat Intelligence corpus and reroute it to other analysis systems you own.

Popular tasks

  • Enrich (context + reputation) IoCs (domains, IPs, URLs, attachments) found in suspicious emails entering your organization, escalate to the pertinent SOC function.
  • Scan suspicious files seen in your organization and get a second opinion that complements your corporate security stack.
  • Automatically discard false positive alerts recorded in your organization’s SIEM, sparing SOC resources.
  • Automatically confirm true positive alerts recorded in your organization’s SIEM.
  • Rank and prioritize SOC alerts based on severity and threat categories (trojan > adware > PUA).
  • Append an additional layer of context to your alert/incident tickets so that SOC analysts can perform faster and more confident decision making.
  • Feed your network perimeter defenses (Firewall, IDS, web proxy, etc.) with additional IoCs related to an incident or tracked via YARA rules.
  • Create custom IoC feeds (ransomware, APTs, IoT, etc.) with VT HUNTING Livehunt (YARA) and automatically match them against your security logs/SIEM/etc.
  • Cover blindspots in your EDR by feeding it lists of highly relevant and undetected threats identified through the use of YARA in Google Threat Intelligence.
  • Derive scores based on malicious observations and relationships for IPs transacting with your business.
  • Assign a severity score to issues identified in a vulnerability scan of your networks.

Additional information

Pack Contributors:


  • Google Threat Intelligence Team

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

CertificationRead more
Supported ByPartner
CreatedMay 30, 2024
Last ReleaseOctober 10, 2024
WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER
Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.