search_threats
Search Google Threat Intelligence for threat actors, malware families, campaigns, vulnerabilities, and reports to investigate cybersecurity threats.
Instructions
Search threats in the Google Threat Intelligence platform.
Threats are modeled as collections. Once you get collections from this tool, you can use get_collection_report to fetch the full reports and their relationships.
IMPORTANT CONTEXT CLUE: Pay close attention to the user's request. If their request mentions specific kinds of threats such as "threat actor", "malware family", "campaign", "report", or "vulnerability", treat this as a strong signal that you must use the collection_type filter in your query to ensure relevant results. Using this filter significantly improves search precision.
Filtering by Type:
To filter your search results to a specific type of threat, include the collection_type modifier within your query string.
Syntax: collection_type:"<type>"
Available <type> values:
"threat-actor": Use when the user asks about specific actors, groups, or APTs.
"malware-family": Use when the user asks about malware, trojans, viruses, ransomware families.
"software-toolkit": Use when the user asks about legit tools usually related to malware.
"campaign": Use when the user asks about specific attack campaigns.
"report": Use when the user is looking for analysis reports.
"vulnerability": Use when the user asks about specific CVEs or vulnerabilities.
"collection": A generic type, use only if no other type fits or if the user explicitly asks for generic "collections".
You can use order_by to sort the results by: "relevance", "creation_date". You can use the sign "+" to make it order ascending, or "-" to make it descending. By default is "relevance-"
When asked for latest threats, prioritize campaigns or vulnerabilities over reports.
Args: query (required): Search query to find threats. collection_type: Filter your search results to a specific type of threat limit: Limit the number of threats to retrieve. 5 by default. order_by: Order results by the given order key. "relevance-" by default.
Returns:
List of collections, aka threats. They are full collection objects, you do not need to retrieve themusing the get_collection_reporttool. You may need to extend with relationships usingget_entities_related_to_a_collection` tool.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| query | Yes | ||
| collection_type | No | ||
| limit | No | ||
| order_by | No | relevance- | |
| api_key | No |