| get_collection_report | At Google Threat Intelligence, threats are modeled as "collections". This tool retrieves them from the platform. Collections have different types, such as "malware-family", "threat-actor", "campaign", "report" and "collection".
You can find the collection type in the "collection_type" field. Args:
id (required): Google Threat Intelligence identifier.
Returns:
A collection object. Pay attention to the collection type to correctly understand what it represents. |
| get_entities_related_to_a_collection | Retrieve entities related to the given collection ID. The following table shows a summary of available relationships for collection objects.
Relationship | Description | Return type
associations | List of associated threats | collection
attack_techniques | List of attack techniques | attack_technique
domains | List of Domains | domain
files | List of Files | file
ip_addresses | List of IP addresses | ip_address
urls | List of URLs | url
threat_actors | List of related threat actors | collection
malware_families | List of related malware families | collection
software_toolkits | List of related tools | collection
campaigns | List of related campaigns | collection
vulnerabilities | List of related vulnerabilities | collection
reports | List of reports | collection
suspected_threat_actors | List of related suspected threat actors | collection
hunting_rulesets | Google Threat Intelligence YARA rules that identify the given collection | hunting_ruleset
Note on descriptors_only: when True, returns basic descriptors; when False, returns detailed attributes.
IMPORTANT: descriptors_only must be False for the 'attack_techniques' relationship. Args:
id (required): Collection identifier.
relationship_name (required): Relationship name.
limit (optional): Limit the number of collections to retrieve. 10 by default.
descriptors_only (optional): Bool. Default True. Must be False when the relationship is 'attack_techniques'.
Returns:
List of objects related to the collection. |
| search_threats | Search threats in the Google Threat Intelligence platform. Threats are modeled as collections. Once you get collections from this tool, you can use get_collection_report to fetch the full reports and their relationships.
IMPORTANT CONTEXT CLUE: Pay close attention to the user's request. If their request mentions specific kinds of threats such as "threat actor", "malware family", "campaign", "report", or "vulnerability", treat this as a strong signal that you must use the collection_type filter in your query to ensure relevant results. Using this filter significantly improves search precision.
Filtering by Type: to filter your search results to a specific type of threat, include the collection_type modifier within your query string.
Syntax: collection_type:"<type>"
Available <type> values:
"threat-actor": Use when the user asks about specific actors, groups, or APTs.
"malware-family": Use when the user asks about malware, trojans, viruses, or ransomware families.
"software-toolkit": Use when the user asks about legitimate tools usually related to malware.
"campaign": Use when the user asks about specific attack campaigns.
"report": Use when the user is looking for analysis reports.
"vulnerability": Use when the user asks about specific CVEs or vulnerabilities.
"collection": A generic type; use only if no other type fits or if the user explicitly asks for generic "collections".
You can use order_by to sort the results by "relevance" or "creation_date". Append "+" to order ascending or "-" to order descending. The default is "relevance-". When asked for the latest threats, prioritize campaigns or vulnerabilities over reports. Args:
query (required): Search query to find threats.
collection_type: Filter your search results to a specific type of threat
limit: Limit the number of threats to retrieve. 5 by default.
order_by: Order results by the given order key. "relevance-" by default. Returns:
List of collections, aka threats. They are full collection objects; you do not need to retrieve them again with the get_collection_report tool. You may need to extend them with relationships using the get_entities_related_to_a_collection tool. |
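The guidance above (pick a collection_type from the wording of the request, put the modifier in the query string, and pass a well-formed order_by) is easy to get wrong when an agent assembles the call by hand. The following helper is an added example, not code from this page or from the Google Threat Intelligence MCP server: it builds the argument dict for search_threats. The keyword-to-type mapping and the choice to sort "latest" requests by creation_date- are assumptions of this example; the server does no such inference itself, and the only facts taken from the page are the seven type values, the two order keys and the "+"/"-" suffix convention.

```python
import re
from typing import Optional

# Collection types accepted by the collection_type filter, as listed on this page.
COLLECTION_TYPES = {
    "threat-actor", "malware-family", "software-toolkit", "campaign",
    "report", "vulnerability", "collection",
}

# Keyword hints for inferring the type from the user's wording. This mapping is an
# assumption of this example, built from the guidance above; the server performs
# no such inference itself. Order matters: the first matching pattern wins.
TYPE_HINTS = [
    (re.compile(r"\b(threat actors?|apt\d*|groups?)\b", re.I), "threat-actor"),
    (re.compile(r"\b(malware|trojans?|virus(es)?|ransomware)\b", re.I), "malware-family"),
    (re.compile(r"\bcampaigns?\b", re.I), "campaign"),
    (re.compile(r"\b(cve-\d{4}-\d{4,}|vulnerabilit(y|ies))\b", re.I), "vulnerability"),
    (re.compile(r"\b(tools?|toolkits?)\b", re.I), "software-toolkit"),
    (re.compile(r"\breports?\b", re.I), "report"),
]

# Order keys documented for search_threats.
ORDER_KEYS = {"relevance", "creation_date"}


def infer_collection_type(request: str) -> Optional[str]:
    """Return the collection_type suggested by the request wording, or None."""
    for pattern, ctype in TYPE_HINTS:
        if pattern.search(request):
            return ctype
    return None


def normalize_order_by(order_by: Optional[str]) -> str:
    """Accept 'creation_date', 'creation_date-' or 'creation_date+'; default is 'relevance-'."""
    if not order_by:
        return "relevance-"
    if order_by[-1] in "+-":
        key, sign = order_by[:-1], order_by[-1]
    else:
        key, sign = order_by, "-"          # bare key: descending, like the default
    if key not in ORDER_KEYS:
        raise ValueError(f"unsupported order key {key!r}; expected one of {sorted(ORDER_KEYS)}")
    return f"{key}{sign}"


def build_search_threats_call(
    request: str,
    terms: str,
    collection_type: Optional[str] = None,
    order_by: Optional[str] = None,
    limit: int = 5,
) -> dict:
    """Build the argument dict for search_threats from a user request and search terms."""
    ctype = collection_type or infer_collection_type(request)
    if ctype is not None and ctype not in COLLECTION_TYPES:
        raise ValueError(f"unknown collection_type {ctype!r}")
    if "collection_type:" in terms:
        raise ValueError("pass the type via collection_type, not inside the raw terms")
    # The page asks for the modifier inside the query string; the collection_type
    # argument is filled with the same value.
    query = terms if ctype is None else f'collection_type:"{ctype}" {terms}'.strip()
    # Mapping "latest"/"recent" wording to creation_date- is this example's assumption;
    # the page only says to prefer campaigns and vulnerabilities for such requests.
    if order_by is None and re.search(r"\b(latest|recent|newest)\b", request, re.I):
        order_by = "creation_date-"
    return {
        "query": query,
        "collection_type": ctype,
        "limit": limit,
        "order_by": normalize_order_by(order_by),
    }
```

Usage: build_search_threats_call("latest campaigns using ISO lures", "ISO lure") yields the query 'collection_type:"campaign" ISO lure' ordered by creation_date-, which is the call the guidance above asks for.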
| search_campaigns | Search threat campaigns in the Google Threat Intelligence platform. Campaigns are modeled as collections. Once you get collections from this tool, you can use get_collection_report to fetch the full reports and their relationships. You can use order_by to sort the results by "relevance" or "creation_date". Append "+" to order ascending or "-" to order descending. The default is "relevance-". Args:
query (required): Search query to find threats.
limit: Limit the number of threats to retrieve. 10 by default.
order_by: Order results by the given order key. "relevance-" by default. Returns:
List of collections, aka threats. |
| search_threat_actors | Search threat actors in the Google Threat Intelligence platform. Threat actors are modeled as collections. Once you get collections from this tool, you can use get_collection_report to fetch the full reports and their relationships. You can use order_by to sort the results by "relevance" or "creation_date". Append "+" to order ascending or "-" to order descending. The default is "relevance-". Args:
query (required): Search query to find threats.
limit: Limit the number of threats to retrieve. 10 by default.
order_by: Order results by the given order key. "relevance-" by default. Returns:
List of collections, aka threats. |
| search_malware_families | Search malware families in the Google Threat Intelligence platform. Malware families are modeled as collections. Once you get collections from this tool, you can use get_collection_report to fetch the full reports and their relationships. You can use order_by to sort the results by "relevance" or "creation_date". Append "+" to order ascending or "-" to order descending. The default is "relevance-". Args:
query (required): Search query to find threats.
limit: Limit the number of threats to retrieve. 10 by default.
order_by: Order results by the given order key. "relevance-" by default. Returns:
List of collections, aka threats. |
| search_software_toolkits | Search software toolkits (or just tools) in the Google Threat Intelligence platform. Software toolkits are modeled as collections. Once you get collections from this tool, you can use get_collection_report to fetch the full reports and their relationships. You can use order_by to sort the results by "relevance" or "creation_date". Append "+" to order ascending or "-" to order descending. The default is "relevance-". Args:
query (required): Search query to find threats.
limit: Limit the number of threats to retrieve. 10 by default.
order_by: Order results by the given order key. "relevance-" by default. Returns:
List of collections, aka threats. |
| search_threat_reports | Search threat reports in the Google Threat Intelligence platform. Google Threat Intelligence provides continuously updated reports and analysis of threat actors, campaigns, vulnerabilities, malware, and tools. Threat reports are modeled as collections. Once you get collections from this tool, you can use get_collection_report to fetch the full reports and their relationships. You can use order_by to sort the results by "relevance" or "creation_date". Append "+" to order ascending or "-" to order descending. The default is "relevance-". Args:
query (required): Search query to find threats.
limit: Limit the number of threats to retrieve. 10 by default.
order_by: Order results by the given order key. "relevance-" by default. Returns:
List of collections, aka threats. |
| search_vulnerabilities | Search vulnerabilities (CVEs) in the Google Threat Intelligence platform. Vulnerabilities are modeled as collections. Once you get collections from this tool, you can use get_collection_report to fetch the full reports and their relationships. You can use order_by to sort the results by "relevance" or "creation_date". Append "+" to order ascending or "-" to order descending. The default is "relevance-". Args:
query (required): Search query to find threats.
limit: Limit the number of threats to retrieve. 10 by default.
order_by: Order results by the given order key. "relevance-" by default. Returns:
List of collections, aka threats. |
| get_collection_timeline_events | Retrieves timeline events from the given collection, when available. This is highly valuable curated information produced by security analysts at Google Threat Intelligence. Always fetch this information for campaigns and threat actors. It is common to display the events grouped by the "event_category" field. Args:
id (required): Collection identifier
Return:
List of events related to the given collection. |
| get_collection_mitre_tree | Retrieves the MITRE ATT&CK tactics and techniques associated with a threat. Args:
id (required): Collection identifier.
Return:
A dictionary including the tactics and techniques associated to the given threat. |
| create_collection | Creates a new collection in Google Threat Intelligence.
Ask for the collection's privacy (public or private) if the user doesn't specify. Args:
name (required): The name of the collection.
description (required): A description of the collection.
iocs (required): Indicators of Compromise (IOCs) to include in the
collection. The items in the list can be domains, files, ip_addresses, or urls.
At least one IOC must be provided.
private: Indicates whether the collection should be private.
Returns:
A dictionary representing the newly created collection. |
| update_collection_attributes | Allows updating a collection's attributes (such as name or description).
Args:
id (required): The ID of the collection to update.
attributes: Available attributes in a collection:
* name: string
* description: string
* private: boolean
* tags: array of strings
* alt_names: array of strings
Returns:
A dictionary representing the updated collection. |
| update_iocs_in_collection | Adds or removes Indicators of Compromise (IOCs) in a collection.
Args:
id (required): The ID of the collection to update.
relationship (required): The type of relationship to update. Can be "domains", "files",
"ip_addresses", or "urls".
iocs (required): List of IOCs to add to or remove from the collection. For "urls", these
are the full URLs. For other types, they are the identifiers (hashes for
files, domain names for domains, etc.).
operation (required): The operation to perform. Can be "add" or "remove". Returns:
A string indicating the success or failure of the operation. |
| get_collection_feature_matches | Retrieves Indicators of Compromise (IOCs) from a collection that match a specific feature. This tool allows pivoting from a commonality to the specific IOCs within a collection that exhibit that feature.
Commonalities are shared characteristics and hidden relationships between various Indicators of Compromise (e.g., files, URLs, domains, IPs). Available feature types by entity type:
Files: android_certificates, android_main_activities, android_package_names, attributions, behash,
collections, compressed_parents, contacted_domains, contacted_ips, contacted_urls,
crowdsourced_ids_results, crowdsourced_yara_results, elfhash, email_parents,
embedded_domains, embedded_ips, embedded_urls, execution_parents, imphash,
itw_domains, itw_urls, mutexes_created, mutexes_opened, pcap_parents,
registry_keys_deleted, registry_keys_opened, registry_keys_set, tags, vhash, file_types,
crowdsourced_sigma_results, deb_info_packages, debug_codeview_guids, debug_codeview_names,
debug_timestamps, dropped_files_path, dropped_files_sha256, elfinfo_exports,
elfinfo_imports, exiftool_authors, exiftool_companies, exiftool_create_dates,
exiftool_creators, exiftool_last_modified, exiftool_last_printed, exiftool_producers,
exiftool_subjects, exiftool_titles, filecondis_dhash, main_icon_dhash,
main_icon_raw_md5, netassembly_mvid, nsrl_info_filenames, office_application_names,
office_authors, office_creation_datetimes, office_last_saved, office_macro_names,
permhash, pe_info_imports, pe_info_exports, pe_info_section_md5,
pe_info_section_names, pwdinfo_values, sandbox_verdicts, signature_info_comments,
signature_info_copyrights, signature_info_descriptions, signature_info_identifiers,
signature_info_internal_names, signature_info_original_names, signature_info_products,
symhash, trusted_verdict_filenames, rich_pe_header_hash, telfhash, tlshhash,
email_senders, email_subjects, popular_threat_category, popular_threat_name,
suggested_threat_label, attack_techniques, malware_config_family_name,
malware_config_campaign_id, malware_config_campaign_group, malware_config_dga_seed,
malware_config_dns_server, malware_config_service, malware_config_registry_key,
malware_config_event, malware_config_pipe, malware_config_mutex, malware_config_folder,
malware_config_file, malware_config_process_inject_target, malware_config_crypto_key,
malware_config_displayed_message, malware_config_c2_url, malware_config_download_url,
malware_config_misc_url, malware_config_decoy_url, malware_config_c2_user_agent,
malware_config_download_user_agent, malware_config_misc_user_agent,
malware_config_decoy_user_agent, malware_config_c2_password,
malware_config_misc_username, malware_config_misc_password,
malware_config_host_port, malware_config_dropped_file,
malware_config_dropped_file_path, malware_config_registry_value,
malware_config_download_password, malware_config_c2_username,
malware_config_download_username, malware_config_exfiltration_username,
malware_config_exfiltration_password, malware_config_exfiltration_url,
malware_config_exfiltration_user_agent, malware_config_pivot_hash,
memory_pattern_urls
Domains: attributions, collections, communicating_files, downloaded_files,
favicon_dhash, favicon_raw_md5, urls, registrant_names
IP Addresses: attributions, collections, communicating_files, downloaded_files, urls
URLs: attributions, http_response_contents, collections, contacted_domains,
communicating_files, cookie_names, cookie_values, downloaded_files,
domains, embedded_js, favicon_dhash, favicon_raw_md5, html_titles,
ip_addresses, memory_patterns, outgoing_links, path, prefix_paths,
suffix_paths, ports, users, passwords, user_passwords, query_strings,
query_param_keys, query_param_values, query_param_key_values,
referring_files, tags, tracker_ids
Args:
collection_id (required): The ID of the collection to search within.
feature_type (required): The type of feature to search for (e.g., 'attack_techniques').
feature_id (required): The specific value of the feature (e.g., 'T1497.001').
entity_type (required): The IOC entity type the feature belongs to (one of the entity types listed above).
search_space (required): The scope of the search. Use 'collection' to search only within the specified collection, or 'corpus' to search across the entire VirusTotal dataset.
entity_type_plural (required): The plural form of 'entity_type'.
descriptors_only (optional): Returns only the descriptors.
Returns:
A dictionary containing the list of matching IOCs. |
| get_collections_commonalities | Retrieve the common characteristics or features (attributes / relationships) of the indicators of compromise (IoC) within a collection, identified by its ID.
Args:
collection_id (required): Collection identifier.
Returns:
Markdown-formatted string with the commonalities of the collection. |
| get_collection_rules | Retrieve the top N community rules and all curated hunting rules for a specific collection. Note:
The rule_types argument filters the types of rules returned. Available types are:
Example: rule_types=['crowdsourced_yara']: only crowdsourced YARA rules.
rule_types=['crowdsourced_ids', 'curated_yara_rule']: crowdsourced IDS and curated YARA rules.
Args:
collection_id (required): The ID of the collection.
top_n (optional): The number of top community rules to return from each category. Defaults to 4.
rule_types (optional): List of rule types to fetch. Returns:
A list of dictionaries, where each dictionary contains a rule and its metadata, or an error dictionary. |
| get_file_report | Get a comprehensive file analysis report using its hash (MD5/SHA-1/SHA-256). Returns a concise summary of key threat details including
detection stats, threat classification, and important indicators.
Parameters:
hash (required): The MD5, SHA-1, or SHA-256 hash of the file to analyze.
Example: '8ab2cf...', 'e4d909c290d0...', etc. |
| get_entities_related_to_a_file | Retrieve entities related to the given file hash. The following table shows a summary of available relationships for file objects.
Relationship | Description | Return type
analyses | Analyses for the file | analysis
associations | File's associated objects (reports, campaigns, IoC collections, malware families, software toolkits, vulnerabilities, threat-actors), without filtering by the associated object type. | collection
behaviours | Behaviour reports for the file. | file-behaviour
attack_techniques | Returns the Attack Techniques of the File. | attack_technique
bundled_files | Files bundled within the file. | file
campaigns | Campaigns associated to the file. | collection
carbonblack_children | Files derived from the file according to Carbon Black. | file
carbonblack_parents | Files from where the file was derived according to Carbon Black. | file
collections | IoC Collections associated to the file. | collection
comments | Comments for the file. | comment
compressed_parents | Compressed files that contain the file. | file
contacted_domains | Domains contacted by the file. | domain
contacted_ips | IP addresses contacted by the file. | ip_address
contacted_urls | URLs contacted by the file. | url
dropped_files | Files dropped by the file during its execution. | file
email_attachments | Files attached to the email. | file
email_parents | Email files that contained the file. | file
embedded_domains | Domain names embedded in the file. | domain
embedded_ips | IP addresses embedded in the file. | ip_address
embedded_urls | URLs embedded in the file. | url
execution_parents | Files that executed the file. | file
graphs | Graphs that include the file. | graph
itw_domains | In the wild domain names from where the file has been downloaded. | domain
itw_ips | In the wild IP addresses from where the file has been downloaded. | ip_address
itw_urls | In the wild URLs from where the file has been downloaded. | url
malware_families | Malware families associated to the file. | collection
memory_pattern_domains | Domain string patterns found in memory during sandbox execution. | domain
memory_pattern_ips | IP address string patterns found in memory during sandbox execution. | ip_address
memory_pattern_urls | URL string patterns found in memory during sandbox execution. | url
overlay_children | Files contained by the file as an overlay. | file
overlay_parents | Files that contain the file as an overlay. | file
pcap_children | Files contained within the PCAP file. | file
pcap_parents | PCAP files that contain the file. | file
pe_resource_children | Files contained by a PE file as a resource. | file
pe_resource_parents | PE files containing the file as a resource. | file
related_attack_techniques | Returns the Attack Techniques of the Collections containing this File. | attack_technique
related_reports | Reports that are directly and indirectly related to the file. | collection
related_threat_actors | File's related threat actors. | collection
reports | Reports directly associated to the file. | collection
screenshots | Screenshots related to the sandbox execution of the file. | screenshot
similar_files | Files that are similar to the file. | file
software_toolkits | Software and Toolkits associated to the file. | collection
submissions | Submissions for the file. | submission
urls_for_embedded_js | URLs where this (JS) file is embedded. | url
user_votes | File's votes made by current signed-in user. | vote
votes | Votes for the file. | vote
vulnerabilities | Vulnerabilities associated to the file. | collection
Args:
hash (required): MD5/SHA1/SHA256 hash that identifies the file.
relationship_name (required): Relationship name.
descriptors_only (required): Bool. Must be True when the target object type is one of file, domain, url, ip_address or collection.
limit: Limit the number of files to retrieve. 10 by default.
Returns:
List of objects related to the given file. |
| get_file_behavior_report | Retrieve the file behaviour report for the given file behaviour identifier. You can list all behaviour reports of a file by calling get_entities_related_to_a_file with the file hash and "behaviours" as the relationship name. The file behaviour ID is composed using the following pattern: "{file hash}_{sandbox name}". Args:
file_behaviour_id (required): File behaviour ID.
Returns:
The file behaviour report. |
| get_file_behavior_summary | Retrieve a summary of all the file behavior reports from all the sandboxes. Args:
hash (required): MD5/SHA1/SHA256 hash that identifies the file.
Returns:
The file behavior summary. |
| analyse_file | Upload and analyse the file in VirusTotal. The file will be uploaded to VirusTotal and shared with the community. Args:
file_path (required): Path to the file for analysis. Use absolute path.
Returns:
The analysis report. |
| search_digital_threat_monitoring | Search for historical data in Digital Threat Monitoring (DTM) using Lucene syntax. Digital Threat Monitoring is a collection of documents from surface, deep, and dark web sources. To filter by document type or threat type, include the conditions within the query string
using the fields __type and label_threat, respectively. Combine multiple conditions
using Lucene boolean operators (AND, OR, NOT). Examples of filtering in the query:
Single document type: (__type:forum_post) AND (body:security)
Multiple document types: (__type:(forum_post OR paste)) AND (body:security)
Single threat type: (label_threat:information-security/malware) AND (body:exploit)
Multiple threat types: (label_threat:(information-security/malware OR information-security/phishing)) AND (body:exploit)
Combined: (__type:document_analysis) AND (label_threat:information-security/information-leak/credentials) AND (body:password)
Important Considerations for Effective Querying:
Date/Time Filtering: The input parameters since and until filter documents by their creation/modification time. These must be strings in RFC3339 format, specifically ending with 'Z' to denote UTC. Example: '2025-04-23T00:00:00Z'
Pagination for More Than 25 Results: A single API call returns at most size results (maximum 25). To retrieve more results, you must paginate. Make your initial search request. The response dictionary will contain a key named page. If this page key holds a non-empty string value, there are more results available. To fetch the next page, make a subsequent API call. This call MUST include the exact same parameters as your original request (query, size, since, until, doc_type, etc.), PLUS the page parameter set to the token value received in the previous response's page field. Continue this process, using the new page token from each response, until the page field is absent or empty in the response, indicating the end of the results.
Tokenization: DTM breaks documents into tokens. Example: "some-domain.com" -> "some", "domain", "com". Wildcard/Regex queries match single tokens, not phrases.
Special Characters: Escape with a backslash (\): + - & | ! ( ) { } [ ] ^ " ~ * ? : / and space. Example: To find "(1+1):2", query \(1\+1\)\:2
Case Sensitivity: DTM entity values are often lowercased. Boolean operators (AND, OR, NOT) MUST be UPPERCASE.
Domain Search Nuances: Use wildcards/regex on fields like doc.domain. Example: doc.domain:google.*.dev Avoid pattern searches on group_network.
Performance Limit: Searches timeout after 60 seconds. For broad or complex queries, it is highly recommended to use the since and until parameters to add time delimiters. This narrows the search scope and helps prevent timeouts.
Noise Reduction: Use typed entities for higher precision. Example: organization:"Acme Corp" Prefer typed entities over free text searches.
The following fields and their meanings can be used to compose a query using Lucene syntax (including combining them with AND, OR, and NOT operators along with parentheses):
author.identity.name - The handle used by the forum post author
subject - The subject line of the forum post
body - The body text of the content
inet_location.url - What URL the content was found at
language - The content language
title - The title of the web page
channel.name - The Telegram channel name
domain - A DNS domain name
cve - A CVE entry by ID
__type: one of the following
web_content_publish - General website content
domain_discovery - Newly discovered domain names
forum_post - Darkweb forum posts
message - Chat messages like Telegram
paste - Paste site content like Pastebin
shop_listing - Items for sale on the dark web
email_analysis - Suspicious emails
tweet - Tweets from Twitter on cybersecurity topics
document_analysis - Documents (PDF, Office, text) from VirusTotal, including malicious and corporate confidential files
label_threat: one of the following
information-security/anonymization - Anonymization
information-security/apt - Advanced Persistent Threat
information-security/botnet - Botnet
information-security/compromised - Compromised Infrastructure
information-security/doxing - Personal Information Disclosure
information-security/exploit - Exploits
information-security/phishing - Phishing
information-security/information-leak - Information Leak
information-security/information-leak/confidential - Confidential Information Leak
information-security/information-leak/credentials - Credential Leak
information-security/information-leak/payment-cards - Credit Card Leak
information-security/malicious-activity - Malicious Activity
information-security/malicious-infrastructure - Malicious Infrastructure
information-security/malware - Malware
information-security/malware/ransomware - Ransomware
information-security/malware/ransomware-victim-listing - Ransomware Victim Listing
information-security/security-research - Security Research
information-security/spam - Spam
Args:
query (required): The Lucene-like query string for your document search.
size (optional): The number of results to return in each page (0 to 25). Defaults to 10.
since (optional): The timestamp to search for documents since (RFC3339 format).
until (optional): The timestamp to search for documents from (RFC3339 format).
page (optional): The page ID to fetch the page for. This is only used when paginating through pages greater than the first page of results.
truncate (optional): The number of characters (as a string) to truncate all documents fields in the response (e.g., '500').
sanitize (optional): If true (default), any HTML content in the document fields are sanitized to remove links, scripts, etc. Returns:
A dictionary containing the list of documents found and search metadata. |
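The DTM rules above (escape Lucene special characters, compose __type/label_threat/body clauses with AND, validate RFC3339 UTC timestamps, and repeat the original parameters verbatim while paginating) fit naturally into a small client-side layer. The code below is an added example written for this page, not code from the GTI MCP server or its SDK. The FakeDTM class is a constructed offline stand-in for the tool that serves canned pages and rejects any follow-up call whose parameters differ from the first one; the "docs" key in the response, the page-token format and the function names are assumptions of this example.

```python
import re
from typing import Dict, Iterator, List, Optional, Sequence

# Characters Lucene treats specially inside a term; each is escaped with a backslash.
LUCENE_SPECIALS = set('+-&|!(){}[]^"~*?:/\\ ')

# RFC3339 with an explicit trailing 'Z', as the since/until parameters require.
RFC3339_UTC = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")


def escape_term(value: str) -> str:
    """Escape a free-text term so it is matched literally: (1+1):2 -> \\(1\\+1\\)\\:2."""
    return "".join("\\" + ch if ch in LUCENE_SPECIALS else ch for ch in value)


def group(field: str, values: Sequence[str]) -> str:
    """(__type:forum_post) for one value, (__type:(forum_post OR paste)) for several."""
    if len(values) == 1:
        return f"({field}:{values[0]})"
    return f"({field}:({' OR '.join(values)}))"


def build_dtm_query(
    body_term: Optional[str] = None,
    doc_types: Sequence[str] = (),
    threat_labels: Sequence[str] = (),
    typed_entities: Optional[Dict[str, str]] = None,
) -> str:
    """AND-join the clauses. __type and label_threat values are fixed identifiers and are
    used as-is (as in the page's examples); typed entity values are quoted; body text is escaped."""
    clauses: List[str] = []
    if doc_types:
        clauses.append(group("__type", doc_types))
    if threat_labels:
        clauses.append(group("label_threat", threat_labels))
    for field, value in (typed_entities or {}).items():
        quoted = value.replace("\\", "\\\\").replace('"', '\\"')
        clauses.append(f'({field}:"{quoted}")')
    if body_term:
        clauses.append(f"(body:{escape_term(body_term)})")
    if not clauses:
        raise ValueError("empty query")
    return " AND ".join(clauses)


def check_rfc3339_utc(ts: Optional[str]) -> Optional[str]:
    """Reject timestamps that are not RFC3339 UTC, e.g. a value without the trailing Z."""
    if ts is not None and not RFC3339_UTC.match(ts):
        raise ValueError(f"{ts!r} is not RFC3339 UTC (expected like 2025-04-23T00:00:00Z)")
    return ts


def search_all(client, query: str, size: int = 25, since: Optional[str] = None,
               until: Optional[str] = None, max_pages: int = 100) -> Iterator[dict]:
    """Yield every document across pages. Only the page token changes between calls."""
    if not 0 <= size <= 25:
        raise ValueError("size must be between 0 and 25")
    params = {"query": query, "size": size,
              "since": check_rfc3339_utc(since), "until": check_rfc3339_utc(until)}
    page = None
    for _ in range(max_pages):
        resp = client.search_digital_threat_monitoring(**params, **({"page": page} if page else {}))
        yield from resp.get("docs", [])        # 'docs' key is an assumption of this example
        page = resp.get("page")
        if not page:                           # absent or empty token: end of results
            return
    raise RuntimeError("stopped after max_pages; results may be incomplete")


class FakeDTM:
    """Constructed offline stand-in for the tool. It serves canned pages and enforces the
    rule that every paginated call repeats the original non-page parameters exactly."""

    def __init__(self, pages):
        self.pages = pages           # list of (docs, next_token); "" means last page
        self.first_params = None

    def search_digital_threat_monitoring(self, page=None, **params):
        if self.first_params is None:
            self.first_params = params
        elif params != self.first_params:
            raise ValueError("pagination calls must repeat the original parameters")
        index = 0 if page is None else int(page[3:])   # tokens look like "tok1", "tok2"
        docs, next_token = self.pages[index]
        return {"docs": docs, "page": next_token}


def demo() -> List[int]:
    """Run a credential-leak search against constructed sample pages; returns doc ids."""
    client = FakeDTM([
        ([{"id": 1, "__type": "forum_post"}, {"id": 2, "__type": "paste"}], "tok1"),
        ([{"id": 3, "__type": "forum_post"}], ""),
    ])
    query = build_dtm_query("password", doc_types=["forum_post", "paste"],
                            threat_labels=["information-security/information-leak/credentials"])
    return [d["id"] for d in search_all(client, query, size=2, since="2025-04-23T00:00:00Z")]
```

The since/until check is deliberately strict: a timestamp without the trailing Z is rejected before any request is made, which is cheaper than a 60-second server-side timeout on a broad query.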
| search_iocs | Search Indicators of Compromise (IOC) in the Google Threat Intelligence platform. You can search for different IOC types using the entity modifier. Below are the different IOC types and the supported orders:
| Entity type | Supported orders | Default order |
| ------------- | ---------------- | ------------- |
| file | first_submission_date, last_submission_date, positives, times_submitted, size | last_submission_date- |
| url | first_submission_date, last_submission_date, positives, times_submitted, status | last_submission_date- |
| domain | creation_date, last_modification_date, last_update_date, positives | last_modification_date- |
| ip | ip, last_modification_date, positives | last_modification_date- |
Note: The entity modifier can only be used ONCE per query. You can find all available modifiers at:
Files: https://gtidocs.virustotal.com/docs/file-search-modifiers
URLs: https://gtidocs.virustotal.com/docs/url-search-modifiers
Domains: https://gtidocs.virustotal.com/docs/domain-search-modifiers
IP Addresses: https://gtidocs.virustotal.com/docs/ip-address-search-modifiers
With integer modifiers, use the - and + characters to indicate: Greater than: p:60+ Less than: p:60- Equal to: p:60
Args:
query (required): Search query to find IOCs.
limit: Limit the number of IoCs to retrieve. 10 by default.
order_by: Order the results. "last_submission_date-" by default. Returns:
List of Indicators of Compromise (IoCs). |
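The search_iocs rules above (one entity modifier per query, order keys that depend on the entity type, a per-entity default order, and the +/- suffix convention for integer modifiers) can be checked client-side before the tool is called. This is an added example written for this page, not code from the GTI MCP server; the helper names are assumptions, and the only modifiers it uses are entity and p, the two shown on the page.

```python
import re
from typing import Optional

# Supported order keys and default order per entity type, copied from the table above.
SUPPORTED_ORDERS = {
    "file": ({"first_submission_date", "last_submission_date", "positives", "times_submitted", "size"},
             "last_submission_date-"),
    "url": ({"first_submission_date", "last_submission_date", "positives", "times_submitted", "status"},
            "last_submission_date-"),
    "domain": ({"creation_date", "last_modification_date", "last_update_date", "positives"},
               "last_modification_date-"),
    "ip": ({"ip", "last_modification_date", "positives"}, "last_modification_date-"),
}

ENTITY_RE = re.compile(r"(?:^|\s)entity:(\S+)")
SUFFIX = {"=": "", ">": "+", "<": "-"}


def int_modifier(name: str, value: int, op: str = "=") -> str:
    """Render an integer modifier: p:60+ (greater than), p:60- (less than), p:60 (equal)."""
    return f"{name}:{int(value)}{SUFFIX[op]}"


def compose(entity: str, *modifiers: str) -> str:
    """Put the entity modifier first, followed by the other modifiers, space separated."""
    return " ".join([f"entity:{entity}", *modifiers])


def entity_of(query: str) -> Optional[str]:
    """Return the entity type named in the query, enforcing the once-per-query rule."""
    found = ENTITY_RE.findall(query)
    if len(found) > 1:
        raise ValueError("the entity modifier can only be used once per query")
    if found and found[0] not in SUPPORTED_ORDERS:
        raise ValueError(f"unknown entity type {found[0]!r}")
    return found[0] if found else None


def build_search_iocs_call(query: str, order_by: Optional[str] = None, limit: int = 10) -> dict:
    """Build the argument dict for search_iocs, validating order_by against the entity type."""
    entity = entity_of(query)
    if entity is None:
        keys, default = None, "last_submission_date-"   # page-wide default; cannot validate keys
    else:
        keys, default = SUPPORTED_ORDERS[entity]
    if order_by is None:
        return {"query": query, "limit": limit, "order_by": default}
    key = order_by[:-1] if order_by[-1] in "+-" else order_by
    sign = order_by[len(key):] or "-"
    if keys is not None and key not in keys:
        raise ValueError(f"order key {key!r} is not supported for entity {entity!r}")
    return {"query": query, "limit": limit, "order_by": key + sign}
```

Usage: build_search_iocs_call(compose("file", int_modifier("p", 60, ">")), "positives") produces the query "entity:file p:60+" ordered by positives-, while the same order key on an entity:ip query is rejected before the request is sent.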
| get_hunting_ruleset | Get a Hunting Ruleset object from Google Threat Intelligence. A Hunting Ruleset object describes a user's hunting ruleset. It may contain multiple
YARA rules. The content of the YARA rules is in the rules attribute. Some important object attributes:
creation_date: creation date as UTC timestamp.
modification_date (int): last modification date as UTC timestamp.
name (str): ruleset name.
rule_names (list[str]): contains the names of all rules in the ruleset.
number_of_rules (int): number of rules in the ruleset.
rules (str): rule file contents.
tags (list[str]): ruleset's custom tags.
Args:
ruleset_id (required): Hunting ruleset identifier. Returns:
Hunting Ruleset object. |
| get_entities_related_to_a_hunting_ruleset | Retrieve entities related to the given Hunting Ruleset. The following table shows a summary of available relationships for Hunting Ruleset objects.
Relationship | Description
hunting_notification_files | Files that matched the ruleset filters
Args:
ruleset_id (required): Hunting ruleset identifier.
relationship_name (required): Relationship name.
limit: Limit the number of entities to retrieve. 10 by default.
Returns:
List of objects related to the Hunting ruleset. |
| get_domain_report | Get a comprehensive domain analysis report from Google Threat Intelligence. Args:
domain (required): Domain to analyse.
Returns:
Report with insights about the domain. |
| get_entities_related_to_a_domain | Retrieve entities related to the given domain. The following table shows a summary of available relationships for domain objects.
Relationship | Description | Return type
associations | Domain's associated objects (reports, campaigns, IoC collections, malware families, software toolkits, vulnerabilities, threat-actors), without filtering by the associated object type. | collection
caa_records | CAA records for the domain. | domain
campaigns | Campaigns associated to the domain. | collection
cname_records | CNAME records for the domain. | domain
collections | IoC Collections associated to the domain. | collection
comments | Community posted comments about the domain. | comment
communicating_files | Files that communicate with the domain. | file
downloaded_files | Files downloaded from that domain. | file
graphs | Graphs including the domain. | graph
historical_ssl_certificates | SSL certificates associated with the domain. | ssl-cert
historical_whois | WHOIS information for the domain. | whois
immediate_parent | Domain's immediate parent. | domain
malware_families | Malware families associated to the domain. | collection
memory_pattern_parents | Files having the domain as a string in memory during sandbox execution. | file
mx_records | MX records for the domain. | domain
ns_records | NS records for the domain. | domain
parent | Domain's top parent. | domain
referrer_files | Files containing the domain. | file
related_comments | Community posted comments in the domain's related objects. | comment
related_reports | Reports that are directly and indirectly related to the domain. | collection
related_threat_actors | Threat actors related to the domain. | collection
reports | Reports directly associated to the domain. | collection
resolutions | DNS resolutions for the domain. | resolution
siblings | Domain's sibling domains. | domain
soa_records | SOA records for the domain. | domain
software_toolkits | Software and Toolkits associated to the domain. | collection
subdomains | Domain's subdomains. | domain
urls | URLs having this domain. | url
user_votes | Current user's votes. | vote
votes | Domain's votes. | vote
vulnerabilities | Vulnerabilities associated to the domain. | collection
Args:
domain (required): Domain to analyse.
relationship_name (required): Relationship name.
descriptors_only (required): Bool. Must be True when the target object type is one of file, domain, url, ip_address or collection.
limit: Limit the number of entities to retrieve. 10 by default.
Returns:
List of entities related to the domain. |
| get_ip_address_report | Get a comprehensive IP Address analysis report from Google Threat Intelligence. Args:
ip_address (required): IP Address to analyze. It can be IPv4 or IPv6.
Returns:
Report with insights about the IP address. |
| get_entities_related_to_an_ip_address | Retrieve entities related to the given IP Address. The following table shows a summary of available relationships for IP Address objects.
| Relationship | Description | Return type |
| --- | --- | --- |
| associations | IP's associated objects (reports, campaigns, IoC collections, malware families, software toolkits, vulnerabilities, threat-actors), without filtering by the associated object type. | collection |
| campaigns | Campaigns associated to the IP address. | collection |
| collections | IoC Collections associated to the IP address. | collection |
| comments | Comments for the IP address. | comment |
| communicating_files | Files that communicate with the IP address. | file |
| downloaded_files | Files downloaded from the IP address. | file |
| graphs | Graphs including the IP address. | graph |
| historical_ssl_certificates | SSL certificates associated with the IP. | ssl-cert |
| historical_whois | WHOIS information for the IP address. | whois |
| malware_families | Malware families associated to the IP address. | collection |
| memory_pattern_parents | Files having the IP as a string in memory during sandbox execution. | file |
| referrer_files | Files containing the IP address. | file |
| related_comments | Community posted comments in the IP's related objects. | comment |
| related_reports | Reports that are directly and indirectly related to the IP. | collection |
| related_threat_actors | Threat actors related to the IP address. | collection |
| reports | Reports directly associated to the IP. | collection |
| resolutions | IP address's resolutions. | resolution |
| software_toolkits | Software and Toolkits associated to the IP address. | collection |
| urls | URLs related to the IP address. | url |
| user_votes | IP's votes made by the current signed-in user. | vote |
| votes | IP's votes. | vote |
| vulnerabilities | Vulnerabilities associated to the IP address. | collection |
Args:
ip_address (required): IP Address to analyse.
relationship_name (required): Relationship name.
descriptors_only (required): Bool. Must be True when the target object type is one of file, domain, url, ip_address or collection.
limit: Limit the number of entities to retrieve. 10 by default.
Returns:
List of entities related to the IP Address. |
| list_threat_profiles | List your Threat Profiles at Google Threat Intelligence. Threat Profiles filter all of Google TI's threat intelligence so you can focus only on the threats that matter most to your organization. Threat Profiles let you apply top-level filters for Target Industries and Target Regions to immediately provide a more focused view of relevant threats. When searching for threats, we must use this tool first to check if there is any Threat Profile that matches the user query before performing a general search using the search_threats tool. Recommendations from Threat Profiles are more relevant to users than generic threat searches. Use them as long as they match the user's query.
Returns:
List of Threat Profiles. |
| get_threat_profile | Get Threat Profile object. A threat profile object contains the following attributes:
enable_recommendations (bool): whether or not Recommendations automatically generated by our ML are enabled.
interests (dict): Threat Profile's configured interests such as industries, target regions, source regions, malware roles and actor motivations, used to recommend the most relevant threats.
INTEREST_TYPE_TARGETED_INDUSTRY (list[str]): list of targeted industries.
INTEREST_TYPE_TARGETED_REGION (list[str]): list of targeted regions (ISO-3166 country code).
INTEREST_TYPE_SOURCE_REGION (list[str]): list of source regions (ISO-3166 country code).
INTEREST_TYPE_MALWARE_ROLE (list[str]): list of malware roles.
INTEREST_TYPE_ACTOR_MOTIVATION (list[str]): list of threat actor motivations.
last_modification_date: Threat Profile's last modification date (UTC timestamp).
name (str): Threat Profile's name.
creation_date (int): Threat Profile's creation date (UTC timestamp).
aliases (list[str]): alternative names by which the threat actor is known.
description (str): description / context about the threat actor.
first_seen_date (int): estimated date of the threat actor's first seen activity (UTC timestamp).
last_seen_date (int): estimated date of the threat actor's last seen activity (UTC timestamp).
last_modification_date (int): last time the threat actor was updated (UTC timestamp).
related_entities_count (int): estimated number of IOCs related to the threat actor.
source_region (str): threat actor's source region.
sponsor_region (str): region sponsoring the threat actor.
targeted_industries (list[str]): list of industries the threat actor has targeted.
targeted_regions (list[str]): list of regions the threat actor has targeted.
Args:
profile_id (str): Threat Profile identifier at Google Threat Intelligence.
Returns:
Threat Profile object. |
| get_threat_profile_recommendations | Returns the list of objects associated to a given Threat Profile. Each of these objects has one of the following types: Threat Actors, Malware Families, Software or Toolkits, Campaigns, IoC Collections, Reports, Vulnerabilities.
We can distinguish between two other types of objects based on how they were associated with the Threat Profile:
Recommended objects are automatically recommended or assigned to a Threat Profile based on our proprietary ML, which takes into account the Threat Profile's configured interests such as the targeted industries, target regions, source regions, malware roles and actor motivations to recommend the most relevant threats. These objects are identified by the presence of "source": "SOURCE_RECOMMENDATION" within the "context_attributes" response parameter below.
Added objects are assigned or added by users to a Threat Profile when users find other relevant threats not automatically recommended by our ML module. These objects are identified by the presence of "source": "SOURCE_DIRECT_FOLLOW" within the "context_attributes" response parameter below.
Args:
profile_id (str): Threat Profile identifier at Google Threat Intelligence.
limit: Limit the number of objects to retrieve. 10 by default.
Returns:
List of Threat (collection) object identifiers associated to the Threat Profile. Use get_collection_report to retrieve the full objects. |
| get_threat_profile_associations_timeline | Retrieves the associations timeline for the given Threat Profile. Some important response attributes:
event_type (str): the type of the timeline association, such as Alias, Motivation, Malware, Actor, Toolkit, Report, Campaign, etc.
event_entity (str): the name or value of the timeline association.
first_seen (int): Unix epoch UTC time (seconds) when the association between the object and the threat profile was made.
last_seen (int): Unix epoch UTC time (seconds) of the most recently observed relationship between the object and the threat profile.
name (str): name of the object directly associated with the threat profile.
link (str): URL of the object directly associated with the threat profile.
Returns:
List of dictionaries containing timeline associations. |
| get_url_report | Get a comprehensive URL analysis report from Google Threat Intelligence. Args:
url (required): URL to analyse.
Returns:
Report with insights about the URL. |
| get_entities_related_to_an_url | Retrieve entities related to the given URL. The following table shows a summary of available relationships for URL objects.
| Relationship | Description | Return type |
| --- | --- | --- |
| analyses | Analyses for the URL. | analyse |
| associations | URL's associated objects (reports, campaigns, IoC collections, malware families, software toolkits, vulnerabilities, threat-actors), without filtering by the associated object type. | collection |
| campaigns | Campaigns associated to the URL. | collection |
| collections | IoC Collections associated to the URL. | collection |
| comments | Community posted comments about the URL. | comment |
| communicating_files | Files that communicate with a given URL when they're executed. | file |
| contacted_domains | Domains from which the URL loads some kind of resource. | domain |
| contacted_ips | IPs from which the URL loads some kind of resource. | ip_address |
| downloaded_files | Files downloaded from the URL. | file |
| embedded_js_files | JS files embedded in a URL. | file |
| graphs | Graphs including the URL. | graph |
| http_response_contents | HTTP response contents from the URL. | file |
| last_serving_ip_address | Last IP address that served the URL. | ip_address |
| malware_families | Malware families associated to the URL. | collection |
| memory_pattern_parents | Files having a domain as a string in memory during sandbox execution. | file |
| network_location | Domain or IP for the URL. | domain or ip_address |
| parent_resource_urls | Returns the URLs where this URL has been loaded as a resource. | url |
| redirecting_urls | URLs that redirected to the given URL. | url |
| redirects_to | URLs that this URL redirects to. | url |
| referrer_files | Files containing the URL. | file |
| referrer_urls | URLs referring to the URL. | url |
| related_collections | Returns the Collections of the parent Domains or IPs of this URL. | collection |
| related_comments | Community posted comments in the URL's related objects. | comment |
| related_reports | Reports that are directly and indirectly related to the URL. | collection |
| related_threat_actors | URL's related threat actors. | collection |
| reports | Reports directly associated to the URL. | collection |
| software_toolkits | Software and Toolkits associated to the URL. | collection |
| submissions | URL's submissions. | url |
| urls_related_by_tracker_id | URLs that share the same tracker ID. | url |
| user_votes | URL's votes made by the current signed-in user. | vote |
| votes | Votes for the URL. | vote |
| vulnerabilities | Vulnerabilities associated to the URL. | collection |
Args:
url (required): URL to analyse.
relationship_name (required): Relationship name.
descriptors_only (required): Bool. Must be True when the target object type is one of file, domain, url, ip_address or collection.
limit: Limit the number of objects to retrieve. 10 by default.
Returns:
List of entities related to the URL. |