Google Threat Intelligence
GoogleThreatIntelligence Pack.#
This Integration is part of theSupported versions
Supported Cortex XSOAR versions: 6.10.0 and later.
#
Google Threat IntelligenceThis integration analyzes suspicious hashes, URLs, domains, and IP addresses.
#
Configure Google Threat Intelligence in CortexParameter | Description | Required |
---|---|---|
API Key | See Acquiring your API key | True |
Use system proxy settings | False | |
Trust any certificate (not secure) | False | |
Source Reliability | Reliability of the source providing the intelligence data | |
GTI Malicious Verdict. Check Google Threat Intelligence verdict to consider the file malicious. | False | |
GTI Suspicious Verdict. Check Google Threat Intelligence verdict to consider the file suspicious. | False | |
File Malicious Threshold. Minimum number of positive results from GoogleThreatIntelligence scanners to consider the file malicious. | See Indicator Thresholds. | False |
File Suspicious Threshold. Minimum number of positive and suspicious results from GoogleThreatIntelligence scanners to consider the file suspicious. | See Indicator Thresholds. | False |
IP Malicious Threshold. Minimum number of positive results from GoogleThreatIntelligence scanners to consider the IP malicious. | See Indicator Thresholds. | False |
IP Suspicious Threshold. Minimum number of positive and suspicious results from GoogleThreatIntelligence scanners to consider the IP suspicious. | See Indicator Thresholds. | False |
Disable reputation lookups for private IP addresses | To reduce the number of lookups made to the GoogleThreatIntelligence API, this option can be selected to gracefully skip enrichment of any IP addresses allocated for private networks. | False |
URL Malicious Threshold. Minimum number of positive results from GoogleThreatIntelligence scanners to consider the URL malicious. | See Indicator Thresholds. | False |
URL Suspicious Threshold. Minimum number of positive and suspicious results from GoogleThreatIntelligence scanners to consider the URL suspicious. | See Indicator Thresholds. | False |
Domain Malicious Threshold. Minimum number of positive results from GoogleThreatIntelligence scanners to consider the domain malicious. | See Indicator Thresholds. | False |
Domain Suspicious Threshold. Minimum number of positive and suspicious results from GoogleThreatIntelligence scanners to consider the domain suspicious. | See Indicator Thresholds. | False |
Preferred Vendors List. CSV list of vendors who are considered more trustworthy. | See Indicator Thresholds. | False |
Preferred Vendor Threshold. The minimum number of highly trusted vendors required to consider a domain, IP address, URL, or file as malicious. | See Indicator Thresholds. | False |
Enable score analyzing by Crowdsourced Yara Rules, Sigma, and IDS | See Rules Threshold. | False |
Crowdsourced Yara Rules Threshold | See Rules Threshold. | False |
Sigma and Intrusion Detection Rules Threshold | See Rules Threshold. | False |
Domain Popularity Ranking Threshold | See Rules Threshold. | False |
#
Acquiring your API keyYour API key can be found in your GoogleThreatIntelligence account user menu, clicking on your avatar: Your API key carries all your privileges, so keep it secure and don't share it with anyone.
#
DBot Score / Reputation scoresThe following information describes DBot Score which is new for this version.
#
Indicator ThresholdsConfigure the default threshold for each indicator type in the instance settings. You can also specify the threshold as an argument when running relevant commands.
- Indicators with positive results from preferred vendors equal to or higher than the threshold will be considered malicious.
- Indicators with positive results equal to or higher than the malicious threshold will be considered malicious.
- Indicators with positive results equal to or higher than the suspicious threshold value will be considered suspicious.
- Domain popularity ranks: GoogleThreatIntelligence is returning a popularity ranks for each vendor. The integration will calculate its average and will compare it to the threshold.
#
Rules ThresholdIf the YARA rules analysis threshold is enabled:
- Indicators with positive results, the number of found YARA rules results, Sigma analysis, or IDS equal to or higher than the threshold, will be considered suspicious.
- If both the the basic analysis and the rules analysis is suspicious, the indicator will be considered as malicious. If the indicator was found to be suspicious only by the rules thresholds, the indicator will be considered suspicious.
- Domain popularity ranks: GoogleThreatIntelligence is returning a popularity ranks for each vendor. The integration will calculate its average and will compare it to the threshold.
The DbotScore calculation process can be seen on the "description" field in any malicious/suspicious DBot score. You can aquire those calculation on all of the indicators also from the debug log.
Example of a GoogleThreatIntelligence DBot score log:
#
Reputation commands (ip, url, domain, and file)Removed output paths: Due to changes in GoogleThreatIntelligence, the following output paths are no longer supported:
IP.GoogleThreatIntelligence
Domain.GoogleThreatIntelligence
URL.GoogleThreatIntelligence
File.GoogleThreatIntelligence
Instead, you can use the following output paths that return concrete indicator reputations.
GoogleThreatIntelligence.IP
GoogleThreatIntelligence.Domain
GoogleThreatIntelligence.File
GoogleThreatIntelligence.URL
The following commands will no longer analyze the file/url sent to it, but will get the information stored in GoogleThreatIntelligence.
- GoogleThreatIntelligence.Domain
- GoogleThreatIntelligence.IP
To analyze (detonate) the indicator, you can use the following playbooks:
- Detonate File - GoogleThreatIntelligence
- Detonate URL - GoogleThreatIntelligence
Each reputation command will use at least 1 API call. For advanced reputation commands, use the Premium API flag.
For each reputation command there is the new extended_data argument . When set to "true", the results returned by the commands will contain additional information as last_analysis_results which contains the service name and its specific analysis.
Reputation commands can return relationships of the indicator. The relationships that are supported are defined as part of the instance configuration. For more information regarding URL relationships, see: https://gtidocs.virustotal.com/reference/url-info For more information regarding IP relationships, see: https://gtidocs.virustotal.com/reference/ip-info For more information regarding Domain relationships, see: https://gtidocs.virustotal.com/reference/domain-info For more information regarding File relationships, see: https://gtidocs.virustotal.com/reference/file-info
Starting with XSOAR version 6.9.0, You may monitor API usage via the GoogleThreatIntelligence Execution Metrics dashboard.
#
CommentsIn GoogleThreatIntelligence you can now add comments to all indicator types (IP, Domain, File and URL) so each command now has the resource_type argument. If supplied, the command will use the resource type to add a comment. If not, the command will determine if the given input is a hash or a URL. This arguments is available in the following commands:
- gti-comments-get
- gti-comments-add
#
gti-comments-get- Added the resource_type argument. If not supplied, will try to determine if the resource argument is a hash or a URL.
- Added the limit argument. Gets the latest comments within the given limit.
- New output path: GoogleThreatIntelligence.Comments.
#
Detonation (scan) CommandsRemoved the gtiLink output from all commands as it does no longer return from the API. To easily use the scan commands we suggest using the following playbooks:
- Detonate File - GoogleThreatIntelligence
- Detonate URL - GoogleThreatIntelligence
Use the gti-analysis-get command to get the report from the scans.
#
fileChecks the file reputation of the specified hash.
#
Base Commandfile
#
InputArgument Name | Description | Required |
---|---|---|
file | Hash of the file to query. Supports MD5, SHA1, and SHA256. | Required |
extended_data | Whether to return extended data (last_analysis_results). Possible values are: true, false. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
File.MD5 | String | Bad MD5 hash. |
File.SHA1 | String | Bad SHA1 hash. |
File.SHA256 | String | Bad SHA256 hash. |
File.Relationships.EntityA | String | The source of the relationship. |
File.Relationships.EntityB | String | The destination of the relationship. |
File.Relationships.Relationship | String | The name of the relationship. |
File.Relationships.EntityAType | String | The type of the source of the relationship. |
File.Relationships.EntityBType | String | The type of the destination of the relationship. |
File.Malicious.Vendor | String | For malicious files, the vendor that made the decision. |
File.Malicious.Detections | Number | For malicious files, the total number of detections. |
File.Malicious.TotalEngines | Number | For malicious files, the total number of engines that checked the file hash. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | unknown | The vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
GoogleThreatIntelligence.File.attributes.type_description | String | Description of the type of the file. |
GoogleThreatIntelligence.File.attributes.tlsh | String | The locality-sensitive hashing. |
GoogleThreatIntelligence.File.attributes.exiftool.MIMEType | String | MIME type of the file. |
GoogleThreatIntelligence.File.attributes.names | String | Names of the file. |
GoogleThreatIntelligence.File.attributes.javascript_info.tags | String | Tags of the JavaScript. |
GoogleThreatIntelligence.File.attributes.exiftool.FileType | String | The file type. |
GoogleThreatIntelligence.File.attributes.exiftool.WordCount | String | Total number of words in the file. |
GoogleThreatIntelligence.File.attributes.exiftool.LineCount | String | Total number of lines in file. |
GoogleThreatIntelligence.File.attributes.crowdsourced_ids_stats.info | Number | Number of IDS that marked the file as "info". |
GoogleThreatIntelligence.File.attributes.crowdsourced_ids_stats.high | Number | Number of IDS that marked the file as "high". |
GoogleThreatIntelligence.File.attributes.crowdsourced_ids_stats.medium | Number | Number of IDS that marked the file as "medium". |
GoogleThreatIntelligence.File.attributes.crowdsourced_ids_stats.low | Number | Number of IDS that marked the file as "low". |
GoogleThreatIntelligence.File.attributes.sigma_analysis_stats.critical | Number | Number of Sigma analysis that marked the file as "critical". |
GoogleThreatIntelligence.File.attributes.sigma_analysis_stats.high | Number | Number of Sigma analysis that marked the file as "high". |
GoogleThreatIntelligence.File.attributes.sigma_analysis_stats.medium | Number | Number of Sigma analysis that marked the file as "medium". |
GoogleThreatIntelligence.File.attributes.sigma_analysis_stats.low | Number | Number of Sigma analysis that marked the file as "low". |
GoogleThreatIntelligence.File.attributes.exiftool.MIMEEncoding | String | The MIME encoding. |
GoogleThreatIntelligence.File.attributes.exiftool.FileTypeExtension | String | The file type extension. |
GoogleThreatIntelligence.File.attributes.exiftool.Newlines | String | Number of newlines signs. |
GoogleThreatIntelligence.File.attributes.trid.file_type | String | The TrID file type. |
GoogleThreatIntelligence.File.attributes.trid.probability | Number | The TrID probability. |
GoogleThreatIntelligence.File.attributes.crowdsourced_yara_results.description | String | Description of the YARA rule. |
GoogleThreatIntelligence.File.attributes.crowdsourced_yara_results.source | String | Source of the YARA rule. |
GoogleThreatIntelligence.File.attributes.crowdsourced_yara_results.author | String | Author of the YARA rule. |
GoogleThreatIntelligence.File.attributes.crowdsourced_yara_results.ruleset_name | String | Rule set name of the YARA rule. |
GoogleThreatIntelligence.File.attributes.crowdsourced_yara_results.rule_name | String | Name of the YARA rule. |
GoogleThreatIntelligence.File.attributes.crowdsourced_yara_results.ruleset_id | String | ID of the YARA rule. |
GoogleThreatIntelligence.File.attributes.names | String | Name of the file. |
GoogleThreatIntelligence.File.attributes.last_modification_date | Number | The last modification date in epoch format. |
GoogleThreatIntelligence.File.attributes.type_tag | String | Tag of the type. |
GoogleThreatIntelligence.File.attributes.total_votes.harmless | Number | Total number of harmless votes. |
GoogleThreatIntelligence.File.attributes.total_votes.malicious | Number | Total number of malicious votes. |
GoogleThreatIntelligence.File.attributes.size | Number | Size of the file. |
GoogleThreatIntelligence.File.attributes.popular_threat_classification.suggested_threat_label | String | Suggested thread label. |
GoogleThreatIntelligence.File.attributes.popular_threat_classification.popular_threat_name | Number | The popular thread name. |
GoogleThreatIntelligence.File.attributes.times_submitted | Number | Number of times the file was submitted. |
GoogleThreatIntelligence.File.attributes.last_submission_date | Number | Last submission date in epoch format. |
GoogleThreatIntelligence.File.attributes.downloadable | Boolean | Whether the file is downloadable. |
GoogleThreatIntelligence.File.attributes.sha256 | String | SHA-256 hash of the file. |
GoogleThreatIntelligence.File.attributes.type_extension | String | Extension of the type. |
GoogleThreatIntelligence.File.attributes.tags | String | File tags. |
GoogleThreatIntelligence.File.attributes.last_analysis_date | Number | Last analysis date in epoch format. |
GoogleThreatIntelligence.File.attributes.unique_sources | Number | Unique sources. |
GoogleThreatIntelligence.File.attributes.first_submission_date | Number | First submission date in epoch format. |
GoogleThreatIntelligence.File.attributes.ssdeep | String | SSDeep hash of the file. |
GoogleThreatIntelligence.File.attributes.md5 | String | MD5 hash of the file. |
GoogleThreatIntelligence.File.attributes.sha1 | String | SHA-1 hash of the file. |
GoogleThreatIntelligence.File.attributes.magic | String | Identification of file by the magic number. |
GoogleThreatIntelligence.File.attributes.last_analysis_stats.harmless | Number | The number of engines that found the indicator to be harmless. |
GoogleThreatIntelligence.File.attributes.last_analysis_stats.type-unsupported | Number | The number of engines that found the indicator to be of type unsupported. |
GoogleThreatIntelligence.File.attributes.last_analysis_stats.suspicious | Number | The number of engines that found the indicator to be suspicious. |
GoogleThreatIntelligence.File.attributes.last_analysis_stats.confirmed-timeout | Number | The number of engines that confirmed the timeout of the indicator. |
GoogleThreatIntelligence.File.attributes.last_analysis_stats.timeout | Number | The number of engines that timed out for the indicator. |
GoogleThreatIntelligence.File.attributes.last_analysis_stats.failure | Number | The number of failed analysis engines. |
GoogleThreatIntelligence.File.attributes.last_analysis_stats.malicious | Number | The number of engines that found the indicator to be malicious. |
GoogleThreatIntelligence.File.attributes.last_analysis_stats.undetected | Number | The number of engines that could not detect the indicator. |
GoogleThreatIntelligence.File.attributes.meaningful_name | String | Meaningful name of the file. |
GoogleThreatIntelligence.File.attributes.reputation | Number | The reputation of the file. |
GoogleThreatIntelligence.File.type | String | Type of the indicator (file). |
GoogleThreatIntelligence.File.id | String | Type ID of the indicator. |
GoogleThreatIntelligence.File.links.self | String | Link to the response. |
GoogleThreatIntelligence.File.attributes.gti_assessment.verdict.value | String | GTI verdict of the file. |
GoogleThreatIntelligence.File.attributes.gti_assessment.severity.value | String | GTI severity of the file. |
GoogleThreatIntelligence.File.attributes.gti_assessment.threat_score.value | Number | GTI threat score of the file. |
#
Command Example!file file=0000000000000000000000000000000000000000000000000000000000000000
#
Context Example#
Human Readable Output#
Results of file hash 0000000000000000000000000000000000000000000000000000000000000000
Sha1 Sha256 Md5 MeaningfulName TypeExtension Last Modified Reputation Positives 0000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000 brokencert.exe txt 2021-03-30 07:22:44Z 0 7/74
#
url-scan- New output path: GoogleThreatIntelligence.Submission
- Preserved output: gtiScanID
- Removed output path: gtiLink - The V3 API does not returns a link to the GUI anymore.
#
gti-file-scan-upload-url- New output path: GoogleThreatIntelligence.FileUploadURL
- Preserved output: gtiUploadURL
#
New Commands- gti-search
- gti-ip-passive-dns-data
- gti-file-sandbox-report
- gti-comments-get-by-id
- gti-analysis-get
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
ipChecks the reputation of an IP address.
#
Base Commandip
#
InputArgument Name | Description | Required |
---|---|---|
ip | IP address to check. | Required |
extended_data | Whether to return extended data (last_analysis_results). Possible values are: true, false. | Optional |
override_private_lookup | When set to "true", enrichment of private IP addresses will be conducted even if it has been disabled at the integration level. Possible values are: true, false. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
IP.Address | unknown | Bad IP address. |
IP.ASN | unknown | Bad IP ASN. |
IP.Geo.Country | unknown | Bad IP country. |
IP.Relationships.EntityA | string | The source of the relationship. |
IP.Relationships.EntityB | string | The destination of the relationship. |
IP.Relationships.Relationship | string | The name of the relationship. |
IP.Relationships.EntityAType | string | The type of the source of the relationship. |
IP.Relationships.EntityBType | string | The type of the destination of the relationship. |
IP.Malicious.Vendor | unknown | For malicious IPs, the vendor that made the decision. |
IP.Malicious.Description | unknown | For malicious IPs, the reason that the vendor made the decision. |
IP.ASOwner | String | The autonomous system owner of the IP. |
DBotScore.Indicator | unknown | The indicator that was tested. |
DBotScore.Type | unknown | The indicator type. |
DBotScore.Vendor | unknown | The vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
GoogleThreatIntelligence.IP.attributes.regional_internet_registry | String | Regional internet registry (RIR). |
GoogleThreatIntelligence.IP.attributes.jarm | String | JARM data. |
GoogleThreatIntelligence.IP.attributes.network | String | Network data. |
GoogleThreatIntelligence.IP.attributes.country | String | The country where the IP is located. |
GoogleThreatIntelligence.IP.attributes.as_owner | String | IP owner. |
GoogleThreatIntelligence.IP.attributes.last_analysis_stats.harmless | Number | The number of engines that found the domain to be harmless. |
GoogleThreatIntelligence.IP.attributes.last_analysis_stats.malicious | Number | The number of engines that found the indicator to be malicious. |
GoogleThreatIntelligence.IP.attributes.last_analysis_stats.suspicious | Number | The number of engines that found the indicator to be suspicious. |
GoogleThreatIntelligence.IP.attributes.last_analysis_stats.undetected | Number | The number of engines that could not detect the indicator. |
GoogleThreatIntelligence.IP.attributes.last_analysis_stats.timeout | Number | The number of engines that timed out for the indicator. |
GoogleThreatIntelligence.IP.attributes.asn | Number | ASN data. |
GoogleThreatIntelligence.IP.attributes.whois_date | Number | Date of the last update of the whois record. |
GoogleThreatIntelligence.IP.attributes.reputation | Number | IP reputation. |
GoogleThreatIntelligence.IP.attributes.last_modification_date | Number | Last modification date in epoch format. |
GoogleThreatIntelligence.IP.attributes.total_votes.harmless | Number | Total number of harmless votes. |
GoogleThreatIntelligence.IP.attributes.total_votes.malicious | Number | Total number of malicious votes. |
GoogleThreatIntelligence.IP.attributes.continent | String | The continent where the IP is located. |
GoogleThreatIntelligence.IP.attributes.whois | String | whois data. |
GoogleThreatIntelligence.IP.type | String | Indicator IP type. |
GoogleThreatIntelligence.IP.id | String | ID of the IP. |
GoogleThreatIntelligence.IP.attributes.gti_assessment.verdict.value | String | GTI verdict of the IP address. |
GoogleThreatIntelligence.IP.attributes.gti_assessment.severity.value | String | GTI severity of the IP address. |
GoogleThreatIntelligence.IP.attributes.gti_assessment.threat_score.value | Number | GTI threat score of the IP address. |
#
Command example!ip ip=1.1.1.1
#
Context Example#
Human Readable Output#
IP reputation of 1.1.1.1
Id Network Country AsOwner LastModified Reputation Positives 1.1.1.1 1.1.1.0/24 CLOUDFLARENET 2022-08-29 15:15:41Z 134 4/94
#
urlChecks the reputation of a URL.
#
Base Commandurl
#
InputArgument Name | Description | Required |
---|---|---|
url | URL to check. | Required |
extended_data | Whether to return extended data (last_analysis_results). Possible values are: true, false. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
URL.Data | unknown | Bad URLs found. |
URL.Relationships.EntityA | String | The source of the relationship. |
URL.Relationships.EntityB | String | The destination of the relationship. |
URL.Relationships.Relationship | String | The name of the relationship. |
URL.Relationships.EntityAType | String | The type of the source of the relationship. |
URL.Relationships.EntityBType | String | The type of the destination of the relationship. |
URL.Malicious.Vendor | unknown | For malicious URLs, the vendor that made the decision. |
URL.Malicious.Description | unknown | For malicious URLs, the reason that the vendor made the decision. |
DBotScore.Indicator | unknown | The indicator that was tested. |
DBotScore.Type | unknown | The indicator type. |
DBotScore.Vendor | unknown | The vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
GoogleThreatIntelligence.URL.attributes.favicon.raw_md5 | String | The MD5 hash of the URL. |
GoogleThreatIntelligence.URL.attributes.favicon.dhash | String | Difference hash. |
GoogleThreatIntelligence.URL.attributes.last_modification_date | Number | Last modification date in epoch format. |
GoogleThreatIntelligence.URL.attributes.times_submitted | Number | The number of times the url has been submitted. |
GoogleThreatIntelligence.URL.attributes.total_votes.harmless | Number | Total number of harmless votes. |
GoogleThreatIntelligence.URL.attributes.total_votes.malicious | Number | Total number of malicious votes. |
GoogleThreatIntelligence.URL.attributes.threat_names | String | Name of the threats found. |
GoogleThreatIntelligence.URL.attributes.last_submission_date | Number | The last submission date in epoch format. |
GoogleThreatIntelligence.URL.attributes.last_http_response_content_length | Number | The last HTTPS response length. |
GoogleThreatIntelligence.URL.attributes.last_http_response_headers.date | Date | The last response header date. |
GoogleThreatIntelligence.URL.attributes.last_http_response_headers.x-sinkhole | String | DNS sinkhole from last response. |
GoogleThreatIntelligence.URL.attributes.last_http_response_headers.content-length | String | The content length of the last response. |
GoogleThreatIntelligence.URL.attributes.last_http_response_headers.content-type | String | The content type of the last response. |
GoogleThreatIntelligence.URL.attributes.reputation | Number | Reputation of the indicator. |
GoogleThreatIntelligence.URL.attributes.last_analysis_date | Number | The date of the last analysis in epoch format. |
GoogleThreatIntelligence.URL.attributes.has_content | Boolean | Whether the url has content in it. |
GoogleThreatIntelligence.URL.attributes.first_submission_date | Number | The first submission date in epoch format. |
GoogleThreatIntelligence.URL.attributes.last_http_response_content_sha256 | String | The SHA-256 hash of the content of the last response. |
GoogleThreatIntelligence.URL.attributes.last_http_response_code | Number | Last response status code. |
GoogleThreatIntelligence.URL.attributes.last_final_url | String | Last final URL. |
GoogleThreatIntelligence.URL.attributes.url | String | The URL itself. |
GoogleThreatIntelligence.URL.attributes.title | String | Title of the page. |
GoogleThreatIntelligence.URL.attributes.last_analysis_stats.harmless | Number | The number of engines that found the domain to be harmless. |
GoogleThreatIntelligence.URL.attributes.last_analysis_stats.malicious | Number | The number of engines that found the indicator to be malicious. |
GoogleThreatIntelligence.URL.attributes.last_analysis_stats.suspicious | Number | The number of engines that found the indicator to be suspicious. |
GoogleThreatIntelligence.URL.attributes.last_analysis_stats.undetected | Number | The number of engines that could not detect the indicator. |
GoogleThreatIntelligence.URL.attributes.last_analysis_stats.timeout | Number | The number of engines that timed out for the indicator. |
GoogleThreatIntelligence.URL.attributes.outgoing_links | String | Outgoing links of the URL page. |
GoogleThreatIntelligence.URL.type | String | Type of the indicator (url). |
GoogleThreatIntelligence.URL.id | String | ID of the indicator. |
GoogleThreatIntelligence.URL.links.self | String | Link to the response. |
GoogleThreatIntelligence.URL.attributes.gti_assessment.verdict.value | String | GTI verdict of the URL. |
GoogleThreatIntelligence.URL.attributes.gti_assessment.severity.value | String | GTI severity of the URL. |
GoogleThreatIntelligence.URL.attributes.gti_assessment.threat_score.value | Number | GTI threat score of the URL. |
#
Command Example!url url=https://example.com
#
Context Example#
Human Readable Outputhttps://example.com"#
URL data of "
Url Title LastModified HasContent LastHttpResponseContentSha256 Positives Reputation https://example.com Welcome page 2021-03-16 13:17:00Z false f2ddbc5b5468c2cd9c28ae820420d32c4f53d088e4a1cc31f661230e4893104a 8/86 0
#
domainChecks the reputation of a domain.
#
Base Commanddomain
\
#
InputArgument Name | Description | Required |
---|---|---|
domain | Domain name to check. | Required |
extended_data | Whether to return extended data (last_analysis_results). Possible values are: true, false. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Domain.Name | unknown | Bad domain found. |
Domain.Relationships.EntityA | String | The source of the relationship. |
Domain.Relationships.EntityB | String | The destination of the relationship. |
Domain.Relationships.Relationship | String | The name of the relationship. |
Domain.Relationships.EntityAType | String | The type of the source of the relationship. |
Domain.Relationships.EntityBType | String | The type of the destination of the relationship. |
Domain.Malicious.Vendor | unknown | For malicious domains, the vendor that made the decision. |
Domain.Malicious.Description | unknown | For malicious domains, the reason that the vendor made the decision. |
DBotScore.Indicator | unknown | The indicator that was tested. |
DBotScore.Type | unknown | The indicator type. |
DBotScore.Vendor | unknown | The vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
GoogleThreatIntelligence.Domain.attributes.last_dns_records.type | String | The type of the last DNS records. |
GoogleThreatIntelligence.Domain.attributes.last_dns_records.value | String | The value of the last DNS records. |
GoogleThreatIntelligence.Domain.attributes.last_dns_records.ttl | Number | The time To live (ttl) of the last DNS records. |
GoogleThreatIntelligence.Domain.attributes.jarm | String | JARM data. |
GoogleThreatIntelligence.Domain.attributes.whois | String | whois data. |
GoogleThreatIntelligence.Domain.attributes.last_dns_records_date | Number | The last DNS records date in epoch format. |
GoogleThreatIntelligence.Domain.attributes.last_analysis_stats.harmless | Number | The number of engines that found the domain to be harmless. |
GoogleThreatIntelligence.Domain.attributes.last_analysis_stats.malicious | Number | The number of engines that found the indicator to be malicious. |
GoogleThreatIntelligence.Domain.attributes.last_analysis_stats.suspicious | Number | The number of engines that found the indicator to be suspicious. |
GoogleThreatIntelligence.Domain.attributes.last_analysis_stats.undetected | Number | The number of engines that could not detect the indicator. |
GoogleThreatIntelligence.Domain.attributes.last_analysis_stats.timeout | Number | The number of engines that timed out for the indicator. |
GoogleThreatIntelligence.Domain.attributes.favicon.raw_md5 | String | MD5 hash of the domain. |
GoogleThreatIntelligence.Domain.attributes.favicon.dhash | String | Difference hash. |
GoogleThreatIntelligence.Domain.attributes.reputation | Number | Reputation of the indicator. |
GoogleThreatIntelligence.Domain.attributes.registrar | String | Registrar information. |
GoogleThreatIntelligence.Domain.attributes.last_update_date | Number | Last updated date in epoch format. |
GoogleThreatIntelligence.Domain.attributes.last_modification_date | Number | Last modification date in epoch format. |
GoogleThreatIntelligence.Domain.attributes.creation_date | Number | Creation date in epoch format. |
GoogleThreatIntelligence.Domain.attributes.total_votes.harmless | Number | Total number of harmless votes. |
GoogleThreatIntelligence.Domain.attributes.total_votes.malicious | Number | Total number of malicious votes. |
GoogleThreatIntelligence.Domain.type | String | Type of indicator (domain). |
GoogleThreatIntelligence.Domain.id | String | ID of the domain. |
GoogleThreatIntelligence.Domain.links.self | String | Link to the domain investigation. |
GoogleThreatIntelligence.Domain.attributes.gti_assessment.verdict.value | String | GTI verdict of the domain. |
GoogleThreatIntelligence.Domain.attributes.gti_assessment.severity.value | String | GTI severity of the domain. |
GoogleThreatIntelligence.Domain.attributes.gti_assessment.threat_score.value | Number | GTI threat score of the domain. |
#
Command Example!domain domain=example.com
#
Context Example#
Human Readable Output#
Domain data of example.com
Id Registrant Country LastModified LastAnalysisStats example.com PA 2021-03-16 13:17:13Z harmless: 66malicious: 8
suspicious: 0
undetected: 8
timeout: 0
#
url-scanScans a specified URL. Use the gti-analysis-get command to get the scan results.
#
Base Commandurl-scan
#
InputArgument Name | Description | Required |
---|---|---|
url | The URL to scan. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
GoogleThreatIntelligence.Submission.Type | String | The type of the submission (analysis). |
GoogleThreatIntelligence.Submission.id | String | The ID of the submission. |
GoogleThreatIntelligence.Submission.hash | String | The indicator sent to rescan. |
#
Command Example!url-scan url=https://example.com
#
Context Example#
Human Readable Output#
New url submission
id url u-0f115db062b7c0dd030b16878c99dea5c354b49dc37b38eb8846179c7783e9d7-1617088890 https://example.com
#
gti-comments-addAdds comments to files and URLs.
#
Base Commandgti-comments-add
#
InputArgument Name | Description | Required |
---|---|---|
resource | The file hash (MD5, SHA1, orSHA256), Domain, URL or IP on which you're commenting on. If not supplied, will try to determine if it's a hash or a url. | Required |
resource_type | The type of the resource on which you're commenting. Possible values are: ip, url, domain, hash. | Optional |
comment | The actual review that you can tag by using the "#" twitter-like syntax, for example, #disinfection #zbot, and reference users using the "@" syntax, for example, @GoogleThreatIntelligenceTeam. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
GoogleThreatIntelligence.Comments.comments.attributes.date | Number | The date of the comment in epoch format. |
GoogleThreatIntelligence.Comments.comments.attributes.text | String | The text of the comment. |
GoogleThreatIntelligence.Comments.comments.attributes.votes.positive | Number | Number of positive votes. |
GoogleThreatIntelligence.Comments.comments.attributes.votes.abuse | Number | Number of abuse votes. |
GoogleThreatIntelligence.Comments.comments.attributes.votes.negative | Number | Number of negative votes. |
GoogleThreatIntelligence.Comments.comments.attributes.html | String | The HTML content. |
GoogleThreatIntelligence.Comments.comments.type | String | The type of the comment. |
GoogleThreatIntelligence.Comments.comments.id | String | ID of the comment. |
GoogleThreatIntelligence.Comments.comments.links.self | String | Link to the request. |
#
Command Example!gti-comments-add resource=paloaltonetworks.com resource_type=domain comment="this is a comment"
#
Context Example#
Human Readable Output#
Comment has been added
Date Text Positive Votes Abuse Votes Negative Votes 2021-03-30 07:21:34Z this is a comment 0 0 0
#
gti-file-scan-upload-urlPremium API. Get a special URL for files larger than 32 MB.
#
Base Commandgti-file-scan-upload-url
#
InputThere are no input arguments for this command.
#
Context OutputPath | Type | Description |
---|---|---|
GoogleThreatIntelligence.FileUploadURL | unknown | The special upload URL for large files. |
#
Command Example!gti-file-scan-upload-url
#
Context Example#
Human Readable Output#
New upload url acquired
Upload url https://www.virustotal.com/_ah/upload/**upload-hash**/
#
gti-comments-deleteDelete a comment.
#
Base Commandgti-comments-delete
#
InputArgument Name | Description | Required |
---|---|---|
id | Comment ID. | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!gti-comments-delete id=d-paloaltonetworks.com-7886a33c
#
Human Readable OutputComment d-paloaltonetworks.com-7886a33c has been deleted!
#
gti-comments-getRetrieves comments for a given resource.
#
Base Commandgti-comments-get
#
InputArgument Name | Description | Required |
---|---|---|
resource | The file hash (MD5, SHA1, orSHA256), Domain, URL or IP on which you're commenting on. If not supplied, will try to determine if it's a hash or a url. | Required |
resource_type | The type of the resource on which you're commenting. If not supplied, will determine if it's a url or a file. Possible values are: ip, url, domain, file. | Optional |
limit | Maximum comments to fetch. Default is 10. | Optional |
before | Fetch only comments before the given time. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
GoogleThreatIntelligence.Comments.id | String | ID that contains the comment (the given hash, domain, url, or ip). |
GoogleThreatIntelligence.Comments.comments.attributes.date | Number | The date of the comment in epoch format. |
GoogleThreatIntelligence.Comments.comments.attributes.text | String | The text of the comment. |
GoogleThreatIntelligence.Comments.comments.attributes.votes.positive | Number | Number of positive votes. |
GoogleThreatIntelligence.Comments.comments.attributes.votes.abuse | Number | Number of abuse votes. |
GoogleThreatIntelligence.Comments.comments.attributes.votes.negative | Number | Number of negative votes. |
GoogleThreatIntelligence.Comments.comments.attributes.html | String | The HTML content. |
GoogleThreatIntelligence.Comments.comments.type | String | The type of the comment. |
GoogleThreatIntelligence.Comments.comments.id | String | ID of the commented. |
GoogleThreatIntelligence.Comments.comments.links.self | String | Link to the request |
#
Command Example!gti-comments-get resource=https://paloaltonetworks.com
#
Context Example#
Human Readable Outputhttps://paloaltonetworks.com"#
GoogleThreatIntelligence comments of url: "
Date Text Positive Votes Abuse Votes Negative Votes 2021-03-21 11:21:13Z another comment 0 0 0 2021-03-21 11:21:13Z another comment 0 0 0 2021-03-21 07:51:41Z a new comment 0 0 0 2021-03-21 07:51:07Z a comment 0 0 0
#
gti-comments-get-by-idRetrieves a comment by comment ID.
#
Base Commandgti-comments-get-by-id
#
InputArgument Name | Description | Required |
---|---|---|
id | The comment's ID. Can be retrieved using the gti-comments-get command. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
GoogleThreatIntelligence.Comments.comments.id | String | ID of the comment. |
GoogleThreatIntelligence.Comments.comments.attributes.date | Number | The date of the comment in epoch format. |
GoogleThreatIntelligence.Comments.comments.attributes.text | String | The text of the comment. |
GoogleThreatIntelligence.Comments.comments.attributes.votes.positive | Number | Number of positive votes. |
GoogleThreatIntelligence.Comments.comments.attributes.votes.abuse | Number | Number of abuse votes. |
GoogleThreatIntelligence.Comments.comments.attributes.votes.negative | Number | Number of negative votes. |
GoogleThreatIntelligence.Comments.comments.attributes.html | String | The HTML content. |
GoogleThreatIntelligence.Comments.comments.type | String | The type of the comment. |
GoogleThreatIntelligence.Comments.comments.links.self | String | Link to the request. |
#
Command Example!gti-comments-get-by-id id=d-paloaltonetworks.com-64591897
#
Context Example#
Human Readable Output#
Comment of ID d-paloaltonetworks.com-64591897
Date Text Positive Votes Abuse Votes Negative Votes 2021-03-08 09:29:11Z a new comment! 0 0 0
#
gti-searchSearch for an indicator in GoogleThreatIntelligence.
#
Base Commandgti-search
#
InputArgument Name | Description | Required |
---|---|---|
query | This endpoint searches any of the following: A file hash, URL, domain, IP address, tag comments. | Required |
extended_data | Whether to return extended data (last_analysis_results). Possible values are: true, false. | Optional |
limit | Maximum number of results to fetch. Default is 10. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
GoogleThreatIntelligence.SearchResults.attributes.last_analysis_stats.harmless | Number | Number of engines that found the indicator to be harmless. |
GoogleThreatIntelligence.SearchResults.attributes.last_analysis_stats.malicious | Number | Number of engines that found the indicator to be malicious. |
GoogleThreatIntelligence.SearchResults.attributes.last_analysis_stats.suspicious | Number | Number of engines that found the indicator to be suspicious. |
GoogleThreatIntelligence.SearchResults.attributes.last_analysis_stats.undetected | Number | Number of engines that could not detect the indicator. |
GoogleThreatIntelligence.SearchResults.attributes.last_analysis_stats.timeout | Number | Number of engines that timed out. |
GoogleThreatIntelligence.SearchResults.attributes.reputation | Number | The indicator's reputation |
GoogleThreatIntelligence.SearchResults.attributes.last_modification_date | Number | The last modification date in epoch format. |
GoogleThreatIntelligence.SearchResults.attributes.total_votes.harmless | Number | Total number of harmless votes. |
GoogleThreatIntelligence.SearchResults.attributes.total_votes.malicious | Number | Total number of malicious votes. |
GoogleThreatIntelligence.SearchResults.type | String | The type of the indicator (ip, domain, url, file). |
GoogleThreatIntelligence.SearchResults.id | String | ID of the indicator. |
GoogleThreatIntelligence.SearchResults.links.self | String | Link to the response. |
#
Command Example!gti-search query=paloaltonetworks.com
#
Context Example#
Human Readable Output#
Search result of query paloaltonetworks.com
Categories CreationDate LastAnalysisStats Forcepoint ThreatSeeker: information technology
sophos: information technology
BitDefender: marketing
alphaMountain.ai: Business/Economy, Information Technology1108953730 harmless: 75
malicious: 0
suspicious: 0
undetected: 7
timeout: 0
#
gti-file-sandbox-reportRetrieves a behavioral relationship of the given file hash.
#
Base Commandgti-file-sandbox-report
#
InputArgument Name | Description | Required |
---|---|---|
file | Hash of the file to query. Supports MD5, SHA1, and SHA256. | Required |
limit | Maximum number of results to fetch. Default is 10. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
SandboxReport.attributes.analysis_date | Number | The date of the analysis in epoch format. |
SandboxReport.attributes.behash | String | Behash of the attribute. |
SandboxReport.attributes.command_executions | String | Which command were executed. |
SandboxReport.attributes.dns_lookups.hostname | String | Host names found in the lookup. |
SandboxReport.attributes.dns_lookups.resolved_ips | String | The IPs that were resolved. |
SandboxReport.attributes.files_attribute_changed | String | The file attributes that were changed. |
SandboxReport.attributes.has_html_report | Boolean | Whether there is an HTML report. |
SandboxReport.attributes.has_pcap | Boolean | Whether the IP has a PCAP file. |
SandboxReport.attributes.http_conversations.request_method | String | The request method of the HTTP conversation. |
SandboxReport.attributes.http_conversations.response_headers.Cache-Control | String | The cache-control method of the response header. |
SandboxReport.attributes.http_conversations.response_headers.Connection | String | The connection of the response header. |
SandboxReport.attributes.http_conversations.response_headers.Content-Length | String | THe Content-Length of the response header. |
SandboxReport.attributes.http_conversations.response_headers.Content-Type | String | The Content-Type of the response header. |
SandboxReport.attributes.http_conversations.response_headers.Pragma | String | The pragma of the response header. |
SandboxReport.attributes.http_conversations.response_headers.Server | String | The server of the response header. |
SandboxReport.attributes.http_conversations.response_headers.Status-Line | String | The Status-Line of the response header. |
SandboxReport.attributes.http_conversations.response_status_code | Number | The response status code. |
SandboxReport.attributes.http_conversations.url | String | The conversation URL. |
SandboxReport.attributes.last_modification_date | Number | Last modified data in epoch format. |
SandboxReport.attributes.modules_loaded | String | Loaded modules. |
SandboxReport.attributes.mutexes_created | String | The mutexes that were created. |
SandboxReport.attributes.mutexes_opened | String | The mutexes that were opened. |
SandboxReport.attributes.processes_created | String | The processes that were created. |
SandboxReport.attributes.processes_tree.name | String | The name of the process tree. |
SandboxReport.attributes.processes_tree.process_id | String | The ID of the process. |
SandboxReport.attributes.registry_keys_deleted | String | Deleted registry keys. |
SandboxReport.attributes.registry_keys_set.key | String | Key of the registry key. |
SandboxReport.attributes.registry_keys_set.value | String | Value of the registry key. |
SandboxReport.attributes.sandbox_name | String | The name of the sandbox. |
SandboxReport.attributes.services_started | String | The services that were started. |
SandboxReport.attributes.verdicts | String | The verdicts. |
SandboxReport.id | String | The IP analyzed. |
SandboxReport.links.self | String | Link to the response. |
SandboxReport.attributes.files_dropped.path | String | Path of the file dropped. |
SandboxReport.attributes.files_dropped.sha256 | String | SHA-256 hash of the dropped files. |
SandboxReport.attributes.files_opened | String | The files that were opened. |
SandboxReport.attributes.files_written | String | The files that were written. |
SandboxReport.attributes.ip_traffic.destination_ip | String | Destination IP in the traffic. |
SandboxReport.attributes.ip_traffic.destination_port | Number | Destination port in the traffic. |
SandboxReport.attributes.ip_traffic.transport_layer_protocol | String | Transport layer protocol in the traffic. |
SandboxReport.attributes.registry_keys_opened | String | The registry keys that were opened. |
SandboxReport.attributes.tags | String | The tags of the DNS data. |
SandboxReport.attributes.files_copied.destination | String | Destination of the files copied. |
SandboxReport.attributes.files_copied.source | String | Source of the files copied. |
SandboxReport.attributes.permissions_requested | String | The permissions that where requested. |
SandboxReport.attributes.processes_injected | String | The processes that were injected. |
SandboxReport.attributes.processes_terminated | String | The processes that were terminated. |
SandboxReport.attributes.processes_tree.children.name | String | The name of the children of the process. |
SandboxReport.attributes.processes_tree.children.process_id | String | The ID of the children of the process. |
SandboxReport.attributes.services_opened | String | The services that were opened. |
SandboxReport.attributes.text_highlighted | String | The text that was highlighted. |
SandboxReport.attributes.calls_highlighted | String | The calls that were highlighted. |
SandboxReport.attributes.processes_tree.children.time_offset | Number | The time offset of the children in the process. |
SandboxReport.links.self | String | The link to the response. |
SandboxReport.meta.count | Number | The number of objects that were found in the attributes. |
#
Command Example!gti-file-sandbox-report file=2b294b3499d1cce794badffc959b7618
#
Context Example#
Human Readable Output#
Sandbox Reports for file hash: 2b294b3499d1cce794badffc959b7618
AnalysisDate LastModificationDate SandboxName Link 1558429832 1588377117 Lastline https://www.virustotal.com/api/v3/file_behaviours/699ec052ecc898bdbdafea0027c4ab44c3d01ae011c17745dd2b7fbddaa077f3_Lastline 1561405459 1563272815 SNDBOX https://www.virustotal.com/api/v3/file_behaviours/699ec052ecc898bdbdafea0027c4ab44c3d01ae011c17745dd2b7fbddaa077f3_SNDBOX 1601545446 1601545448 Tencent HABO https://www.virustotal.com/api/v3/file_behaviours/699ec052ecc898bdbdafea0027c4ab44c3d01ae011c17745dd2b7fbddaa077f3_Tencent HABO 1592373137 1592373137 GoogleThreatIntelligence Jujubox https://www.virustotal.com/api/v3/file_behaviours/699ec052ecc898bdbdafea0027c4ab44c3d01ae011c17745dd2b7fbddaa077f3_GoogleThreatIntelligence Jujubox
#
gti-passive-dns-dataReturns passive DNS records by indicator.
#
Base Commandgti-passive-dns-data
#
InputArgument Name | Description | Required |
---|---|---|
id | IP or domain for which to get its DNS data. | Optional |
ip | IP for which to get its DNS data. | Optional |
domain | Domain for which to get its DNS data. | Optional |
limit | Maximum number of results to fetch. Default is 10. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
GoogleThreatIntelligence.PassiveDNS.attributes.date | Number | Date of the DNS analysis in epoch format. |
GoogleThreatIntelligence.PassiveDNS.attributes.host_name | String | The DNS host name. |
GoogleThreatIntelligence.PassiveDNS.attributes.ip_address | String | The DNS IP address. |
GoogleThreatIntelligence.PassiveDNS.attributes.resolver | String | The name of the resolver. |
GoogleThreatIntelligence.PassiveDNS.id | String | The ID of the resolution. |
GoogleThreatIntelligence.PassiveDNS.links.self | String | The link to the resolution. |
GoogleThreatIntelligence.PassiveDNS.type | String | The type of the resolution. |
#
Command Example!gti-passive-dns-data ip=1.1.1.1
#
Context Example#
Human Readable Output#
Passive DNS data for IP 1.1.1.1
Id Date HostName IpAddress Resolver 1.1.1.1muhaha.xyz 1617085962 muhaha.xyz 1.1.1.1 GoogleThreatIntelligence
#
gti-analysis-getRetrieves resolutions of the given IP.
#
Base Commandgti-analysis-get
#
InputArgument Name | Description | Required |
---|---|---|
id | ID of the analysis (from file-scan, file-rescan, or url-scan). | Required |
extended_data | Whether to return extended data (last_analysis_results). | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
GoogleThreatIntelligence.Analysis.data.attributes.date | Number | Date of the analysis in epoch format. |
GoogleThreatIntelligence.Analysis.data.attributes.stats.harmless | Number | Number of engines that found the indicator to be harmless. |
GoogleThreatIntelligence.Analysis.data.attributes.stats.malicious | Number | Number of engines that found the indicator to be malicious. |
GoogleThreatIntelligence.Analysis.data.attributes.stats.suspicious | Number | Number of engines that found the indicator to be suspicious. |
GoogleThreatIntelligence.Analysis.data.attributes.stats.timeout | Number | he number of engines that timed out for the indicator. |
GoogleThreatIntelligence.Analysis.data.attributes.stats.undetected | Number | Number of engines the found the indicator to be undetected. |
GoogleThreatIntelligence.Analysis.data.attributes.status | String | Status of the analysis. |
GoogleThreatIntelligence.Analysis.data.id | String | ID of the analysis. |
GoogleThreatIntelligence.Analysis.data.type | String | Type of object (analysis). |
GoogleThreatIntelligence.Analysis.meta.file_info.sha256 | String | SHA-256 hash of the file (if it is a file). |
GoogleThreatIntelligence.Analysis.meta.file_info.sha1 | String | SHA-1 hash of the file (if it is a file). |
GoogleThreatIntelligence.Analysis.meta.file_info.md5 | String | MD5 hash of the file (if it is a file). |
GoogleThreatIntelligence.Analysis.meta.file_info.name | unknown | Name of the file (if it is a file). |
GoogleThreatIntelligence.Analysis.meta.file_info.size | String | Size of the file (if it is a file). |
GoogleThreatIntelligence.Analysis.meta.url_info.id | String | ID of the url (if it is a URL). |
GoogleThreatIntelligence.Analysis.meta.url_info.url | String | The URL (if it is a URL). |
GoogleThreatIntelligence.Analysis.id | String | The analysis ID. |
#
Command Example!gti-analysis-get id=u-20694f234fbac92b1dcc16f424aa1c85e9dd7af75b360745df6484dcae410853-1613980758
#
Context Example#
Human Readable Output#
Analysis results
Id Stats Status u-20694f234fbac92b1dcc16f424aa1c85e9dd7af75b360745df6484dcae410853-1613980758 harmless: 69
malicious: 7
suspicious: 0
undetected: 7
timeout: 0completed
#
gti-file-sigma-analysisRetrieves result of the last Sigma analysis.
#
Base Commandgti-file-sigma-analysis
#
InputArgument Name | Description | Required |
---|---|---|
file | File hash (md5, sha1, sha256). | Required |
only_stats | Print only Sigma analysis summary stats. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
GoogleThreatIntelligence.SigmaAnalysis.data.attributes.last_modification_date | Number | Date of the last update in epoch format. |
GoogleThreatIntelligence.SigmaAnalysis.data.attributes.analysis_date | Number | Date of the last update in epoch format. |
GoogleThreatIntelligence.SigmaAnalysis.data.attributes.stats.rule_matches.match_context | String | Matched strings from the log file. |
GoogleThreatIntelligence.SigmaAnalysis.data.attributes.stats.rule_matches.rule_author | String | Rule authors separated by commas. |
GoogleThreatIntelligence.SigmaAnalysis.data.attributes.stats.rule_matches.rule_description | String | Brief summary about what the rule detects. |
GoogleThreatIntelligence.SigmaAnalysis.data.attributes.stats.rule_matches.rule_id | String | Rule ID in GoogleThreatIntelligence's database. |
GoogleThreatIntelligence.SigmaAnalysis.data.attributes.stats.rule_matches.rule_level | String | Rule severity. Can be "low", "medium", "high" or "critical". |
GoogleThreatIntelligence.SigmaAnalysis.data.attributes.stats.rule_matches.rule_source | String | Ruleset where the rule belongs. |
GoogleThreatIntelligence.SigmaAnalysis.data.attributes.stats.rule_matches.rule_title | String | Rule title. |
GoogleThreatIntelligence.SigmaAnalysis.data.attributes.stats.severity_stats.critical | Number | Number of matched rules having a "critical" severity. |
GoogleThreatIntelligence.SigmaAnalysis.data.attributes.stats.severity_stats.high | Number | Number of matched rules having a "high" severity. |
GoogleThreatIntelligence.SigmaAnalysis.data.attributes.stats.severity_stats.low | Number | Number of matched rules having a "low" severity. |
GoogleThreatIntelligence.SigmaAnalysis.data.attributes.stats.severity_stats.medium | Number | Number of matched rules having a "medium" severity. |
GoogleThreatIntelligence.SigmaAnalysis.data.attributes.stats.source_severity_stats | unknown | Same as severity_stats but grouping stats by ruleset. Keys are ruleset names as string and values are stats in a dictionary. |
GoogleThreatIntelligence.SigmaAnalysis.data.id | String | ID of the analysis. |
#
Command Example!gti-file-sigma-analysis file=f912398cb3542ab704fe917af4a60d4feee21ac577535b10453170f10c6fd6de
#
Context Example#
Human Readable Output#
Last Sigma analysis results
MatchContext RuleLevel RuleDescription RuleSource RuleTitle RuleId RuleAuthor $EventID: '1117' high Detects all actions taken by Windows Defender malware detection engines Sigma Integrated Rule Set (GitHub) Windows Defender Threat Detected 693c36f61ac022fd66354b440464f490058c22b984ba1bef05ca246aba210ed1 Ján Trenčanský
#
gti-privatescanning-fileChecks the file reputation of the specified private hash.
See files through the eyes of GoogleThreatIntelligence without uploading them to the main threat corpus, keeping them entirely private. Static, dynamic, network and similarity analysis included, as well as automated threat intel enrichment, but NOT multi-antivirus analysis.
#
Base Commandgti-privatescanning-file
#
InputArgument Name | Description | Required |
---|---|---|
file | File hash (md5, sha1, sha256). | Required |
#
Context OutputPath | Type | Description |
---|---|---|
GoogleThreatIntelligence.File.attributes.type_description | String | Description of the type of the file. |
GoogleThreatIntelligence.File.attributes.tlsh | String | The locality-sensitive hashing. |
GoogleThreatIntelligence.File.attributes.exiftool.MIMEType | String | MIME type of the file. |
GoogleThreatIntelligence.File.attributes.names | String | Names of the file. |
GoogleThreatIntelligence.File.attributes.javascript_info.tags | String | Tags of the JavaScript. |
GoogleThreatIntelligence.File.attributes.exiftool.FileType | String | The file type. |
GoogleThreatIntelligence.File.attributes.exiftool.WordCount | Number | Total number of words in the file. |
GoogleThreatIntelligence.File.attributes.exiftool.LineCount | Number | Total number of lines in file. |
GoogleThreatIntelligence.File.attributes.exiftool.MIMEEncoding | String | The MIME encoding. |
GoogleThreatIntelligence.File.attributes.exiftool.FileTypeExtension | String | The file type extension. |
GoogleThreatIntelligence.File.attributes.exiftool.Newlines | Number | Number of newlines signs. |
GoogleThreatIntelligence.File.attributes.crowdsourced_ids_stats.info | Number | Number of IDS that marked the file as "info". |
GoogleThreatIntelligence.File.attributes.crowdsourced_ids_stats.high | Number | Number of IDS that marked the file as "high". |
GoogleThreatIntelligence.File.attributes.crowdsourced_ids_stats.medium | Number | Number of IDS that marked the file as "medium". |
GoogleThreatIntelligence.File.attributes.crowdsourced_ids_stats.low | Number | Number of IDS that marked the file as "low". |
GoogleThreatIntelligence.File.attributes.trid.file_type | String | The TrID file type. |
GoogleThreatIntelligence.File.attributes.trid.probability | Number | The TrID probability. |
GoogleThreatIntelligence.File.attributes.crowdsourced_yara_results.description | String | Description of the YARA rule. |
GoogleThreatIntelligence.File.attributes.crowdsourced_yara_results.source | String | Source of the YARA rule. |
GoogleThreatIntelligence.File.attributes.crowdsourced_yara_results.author | String | Author of the YARA rule. |
GoogleThreatIntelligence.File.attributes.crowdsourced_yara_results.ruleset_name | String | Rule set name of the YARA rule. |
GoogleThreatIntelligence.File.attributes.crowdsourced_yara_results.rule_name | String | Name of the YARA rule. |
GoogleThreatIntelligence.File.attributes.crowdsourced_yara_results.ruleset_id | String | ID of the YARA rule. |
GoogleThreatIntelligence.File.attributes.names | String | Name of the file. |
GoogleThreatIntelligence.File.attributes.type_tag | String | Tag of the type. |
GoogleThreatIntelligence.File.attributes.size | Number | Size of the file. |
GoogleThreatIntelligence.File.attributes.sha256 | String | SHA-256 hash of the file. |
GoogleThreatIntelligence.File.attributes.type_extension | String | Extension of the type. |
GoogleThreatIntelligence.File.attributes.tags | String | File tags. |
GoogleThreatIntelligence.File.attributes.last_analysis_date | Number | Last analysis date in epoch format. |
GoogleThreatIntelligence.File.attributes.ssdeep | String | SSDeep hash of the file. |
GoogleThreatIntelligence.File.attributes.md5 | String | MD5 hash of the file. |
GoogleThreatIntelligence.File.attributes.sha1 | String | SHA-1 hash of the file. |
GoogleThreatIntelligence.File.attributes.magic | String | Identification of file by the magic number. |
GoogleThreatIntelligence.File.attributes.meaningful_name | String | Meaningful name of the file. |
GoogleThreatIntelligence.File.attributes.threat_severity.threat_severity_level | String | Threat severity level of the file. |
GoogleThreatIntelligence.File.attributes.threat_severity.threat_severity_data.popular_threat_category | String | Popular threat category of the file. |
GoogleThreatIntelligence.File.attributes.threat_verdict | String | Threat verdict of the file. |
GoogleThreatIntelligence.File.type | String | Type of the file. |
GoogleThreatIntelligence.File.id | String | ID of the file. |
GoogleThreatIntelligence.File.links.self | String | Link to the response. |
#
Command Example!gti-privatescanning-file file=example-file-hash
#
Context Example#
Human Readable Output#
Results of file hash Example_sha256
Sha1 Sha256 Md5 Meaningful Name Threat Severity Level Popular Threat Category Threat Verdict Example_sha1 Example_sha256 Example_md5 private HIGH trojan MALICIOUS
#
gti-privatescanning-file-scanSubmits a file for private scanning. Use the gti-privatescanning-analysis-get command to get the scan results.
#
Base Commandgti-privatescanning-file-scan
#
InputArgument Name | Description | Required |
---|---|---|
entryID | The file entry ID to submit. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
GoogleThreatIntelligence.Submission.type | String | The type of the submission (analysis). |
GoogleThreatIntelligence.Submission.id | String | The ID of the submission. |
GoogleThreatIntelligence.Submission.EntryID | String | The entry ID of the file detonated. |
GoogleThreatIntelligence.Submission.Extension | String | File extension. |
GoogleThreatIntelligence.Submission.Info | String | File info. |
GoogleThreatIntelligence.Submission.MD5 | String | MD5 hash of the file. |
GoogleThreatIntelligence.Submission.Name | String | Name of the file. |
GoogleThreatIntelligence.Submission.SHA1 | String | SHA-1 of the file. |
GoogleThreatIntelligence.Submission.SHA256 | String | SHA-256 of the file. |
GoogleThreatIntelligence.Submission.SHA512 | String | SHA-512 of the file. |
GoogleThreatIntelligence.Submission.SSDeep | String | SSDeep of the file. |
GoogleThreatIntelligence.Submission.Size | String | Size of the file. |
GoogleThreatIntelligence.Submission.Type | String | Type of the file. |
#
Command Example!gti-privatescanning-file-scan entryID=example-entry-id
#
Context Example#
Human Readable Output#
The file has been submitted "Testing.txt"
id EntryID MD5 SHA1 SHA256 example-analysis-id example-entry-id Example_md5 Example_sha1 Example_sha256
#
gti-privatescanning-analysis-getGet analysis of a private file submitted to GoogleThreatIntelligence.
#
Base Commandgti-privatescanning-analysis-get
#
InputArgument Name | Description | Required |
---|---|---|
id | ID of the analysis. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
GoogleThreatIntelligence.Analysis.data.attributes.date | Number | Date of the analysis in epoch format. |
GoogleThreatIntelligence.Analysis.data.attributes.status | String | Status of the analysis. |
GoogleThreatIntelligence.Analysis.data.attributes.threat_severity_level | String | Threat severity level of the private file. |
GoogleThreatIntelligence.Analysis.data.attributes.popular_threat_category | String | Popular threat category of the private file. |
GoogleThreatIntelligence.Analysis.data.attributes.threat_verdict | String | Threat verdict of the private file. |
GoogleThreatIntelligence.Analysis.data.id | String | ID of the analysis. |
GoogleThreatIntelligence.Analysis.data.type | String | Type of object (analysis). |
GoogleThreatIntelligence.Analysis.meta.file_info.sha256 | String | SHA-256 hash of the file (if it is a file). |
GoogleThreatIntelligence.Analysis.meta.file_info.sha1 | String | SHA-1 hash of the file (if it is a file). |
GoogleThreatIntelligence.Analysis.meta.file_info.md5 | String | MD5 hash of the file (if it is a file). |
GoogleThreatIntelligence.Analysis.meta.file_info.size | Number | Size of the file (if it is a file). |
GoogleThreatIntelligence.Analysis.id | String | The analysis ID. |
#
Command Example!gti-privatescanning-analysis-get id=example-analysis-id
#
Context Example#
Human Readable Output#
Analysis results
Id Threat Severity Level Popular Threat Category Threat Verdict Status example-analysis-id HIGH trojan MALICIOUS completed #
gti-curated-threat-actors-get
Retrieves GTI curated threat actors for a given resource.
#
Base Commandgti-curated-threat-actors-get
#
InputArgument Name | Description | Required |
---|---|---|
resource | The file hash (MD5, SHA1, or SHA256), Domain, URL or IP. | Required |
resource_type | The type of the resource. If not supplied, will determine it's a file. Possible values are: ip, url, domain, file, hash. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
GoogleThreatIntelligence.Collection.id | String | ID that contains the assessment (the given hash, domain, url, or ip). |
GoogleThreatIntelligence.Collection.collections.id | String | ID of the curated threat actors. |
GoogleThreatIntelligence.Collection.collections.attributes.name | String | Name of the curated threat actors. |
GoogleThreatIntelligence.Collection.collections.attributes.description | String | Description of the curated threat actors. |
GoogleThreatIntelligence.Collection.collections.attributes.last_modification_date | String | Last modification date of the curated threat actors. |
GoogleThreatIntelligence.Collection.collections.attributes.targeted_regions | list | Targeted regions of the curated threat actors. |
GoogleThreatIntelligence.Collection.collections.attributes.targeted_industries | list | Targeted industries of the curated threat actors. |
#
gti-curated-malware-families-getRetrieves GTI curated malware families for a given resource.
#
Base Commandgti-curated-malware-families-get
#
InputArgument Name | Description | Required |
---|---|---|
resource | The file hash (MD5, SHA1, or SHA256), Domain, URL or IP. | Required |
resource_type | The type of the resource. If not supplied, will determine it's a file. Possible values are: ip, url, domain, file, hash. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
GoogleThreatIntelligence.Collection.id | String | ID that contains the assessment (the given hash, domain, url, or ip). |
GoogleThreatIntelligence.Collection.collections.id | String | ID of the curated malware families. |
GoogleThreatIntelligence.Collection.collections.attributes.name | String | Name of the curated malware families. |
GoogleThreatIntelligence.Collection.collections.attributes.description | String | Description of the curated malware families. |
GoogleThreatIntelligence.Collection.collections.attributes.last_modification_date | String | Last modification date of the curated malware families. |
GoogleThreatIntelligence.Collection.collections.attributes.targeted_regions | list | Targeted regions of the curated malware families. |
GoogleThreatIntelligence.Collection.collections.attributes.targeted_industries | list | Targeted industries of the curated malware families. |
#
gti-curated-campaigns-getRetrieves GTI curated campaigns for a given resource.
#
Base Commandgti-curated-campaigns-get
#
InputArgument Name | Description | Required |
---|---|---|
resource | The file hash (MD5, SHA1, or SHA256), Domain, URL or IP. | Required |
resource_type | The type of the resource. If not supplied, will determine it's a file. Possible values are: ip, url, domain, file, hash. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
GoogleThreatIntelligence.Collection.id | String | ID that contains the assessment (the given hash, domain, url, or ip). |
GoogleThreatIntelligence.Collection.collections.id | String | ID of the curated campaign. |
GoogleThreatIntelligence.Collection.collections.attributes.name | String | Name of the curated campaign. |
GoogleThreatIntelligence.Collection.collections.attributes.description | String | Description of the curated campaign. |
GoogleThreatIntelligence.Collection.collections.attributes.last_modification_date | String | Last modification date of the curated campaign. |
GoogleThreatIntelligence.Collection.collections.attributes.targeted_regions | list | Targeted regions of the curated campaign. |
GoogleThreatIntelligence.Collection.collections.attributes.targeted_industries | list | Targeted industries of the curated campaign. |
#
gti-url-scan-and-analysis-getScan and get the analysis of a URL submitted to GoogleThreatIntelligence.
#
Base Commandgti-url-scan-and-analysis-get
#
InputArgument Name | Description | Required |
---|---|---|
url | The URL to scan. | Required |
id | This is an internal argument used for the polling process, not to be used by the user. | Optional |
extended_data | Whether to return extended data. Possible values are: true, false. | Optional |
interval_in_seconds | Interval in seconds between each poll. Default is 60. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
URL.Data | unknown | Bad URLs found. |
URL.Malicious.Vendor | unknown | For malicious URLs, the vendor that made the decision. |
URL.Malicious.Description | unknown | For malicious URLs, the reason that the vendor made the decision. |
URL.Relationships.EntityA | string | The source of the relationship. |
URL.Relationships.EntityB | string | The destination of the relationship. |
URL.Relationships.Relationship | string | The name of the relationship. |
URL.Relationships.EntityAType | string | The type of the source of the relationship. |
URL.Relationships.EntityBType | string | The type of the destination of the relationship. |
DBotScore.Indicator | unknown | The indicator that was tested. |
DBotScore.Type | unknown | The indicator type. |
DBotScore.Vendor | unknown | The vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
GoogleThreatIntelligence.URL.attributes.favicon.raw_md5 | String | The MD5 hash of the URL. |
GoogleThreatIntelligence.URL.attributes.favicon.dhash | String | Difference hash. |
GoogleThreatIntelligence.URL.attributes.last_modification_date | Number | Last modification date in epoch format. |
GoogleThreatIntelligence.URL.attributes.times_submitted | Number | The number of times the url has been submitted. |
GoogleThreatIntelligence.URL.attributes.total_votes.harmless | Number | Total number of harmless votes. |
GoogleThreatIntelligence.URL.attributes.total_votes.malicious | Number | Total number of malicious votes. |
GoogleThreatIntelligence.URL.attributes.threat_names | String | Name of the threats found. |
GoogleThreatIntelligence.URL.attributes.last_submission_date | Number | The last submission date in epoch format. |
GoogleThreatIntelligence.URL.attributes.last_http_response_content_length | Number | The last HTTPS response length. |
GoogleThreatIntelligence.URL.attributes.last_http_response_headers.date | Date | The last response header date. |
GoogleThreatIntelligence.URL.attributes.last_http_response_headers.x-sinkhole | String | DNS sinkhole from last response. |
GoogleThreatIntelligence.URL.attributes.last_http_response_headers.content-length | String | The content length of the last response. |
GoogleThreatIntelligence.URL.attributes.last_http_response_headers.content-type | String | The content type of the last response. |
GoogleThreatIntelligence.URL.attributes.reputation | Number | Reputation of the indicator. |
GoogleThreatIntelligence.URL.attributes.last_analysis_date | Number | The date of the last analysis in epoch format. |
GoogleThreatIntelligence.URL.attributes.has_content | Boolean | Whether the url has content in it. |
GoogleThreatIntelligence.URL.attributes.first_submission_date | Number | The first submission date in epoch format. |
GoogleThreatIntelligence.URL.attributes.last_http_response_content_sha256 | String | The SHA-256 hash of the content of the last response. |
GoogleThreatIntelligence.URL.attributes.last_http_response_code | Number | Last response status code. |
GoogleThreatIntelligence.URL.attributes.last_final_url | String | Last final URL. |
GoogleThreatIntelligence.URL.attributes.url | String | The URL itself. |
GoogleThreatIntelligence.URL.attributes.title | String | Title of the page. |
GoogleThreatIntelligence.URL.attributes.last_analysis_stats.harmless | Number | The number of engines that found the domain to be harmless. |
GoogleThreatIntelligence.URL.attributes.last_analysis_stats.malicious | Number | The number of engines that found the indicator to be malicious. |
GoogleThreatIntelligence.URL.attributes.last_analysis_stats.suspicious | Number | The number of engines that found the indicator to be suspicious. |
GoogleThreatIntelligence.URL.attributes.last_analysis_stats.undetected | Number | The number of engines that could not detect the indicator. |
GoogleThreatIntelligence.URL.attributes.last_analysis_stats.timeout | Number | The number of engines that timed out for the indicator. |
GoogleThreatIntelligence.URL.attributes.outgoing_links | String | Outgoing links of the URL page. |
GoogleThreatIntelligence.URL.attributes.gti_assessment.threat_score.value | Number | GTI threat score of the URL. |
GoogleThreatIntelligence.URL.attributes.gti_assessment.severity.value | String | GTI severity of the URL. |
GoogleThreatIntelligence.URL.attributes.gti_assessment.verdict.value | String | GTI verdict of the URL. |
GoogleThreatIntelligence.URL.type | String | Type of the indicator (url). |
GoogleThreatIntelligence.URL.id | String | ID of the indicator. |
GoogleThreatIntelligence.URL.links.self | String | Link to the response. |
GoogleThreatIntelligence.Analysis.data.attributes.date | Number | Date of the analysis in epoch format. |
GoogleThreatIntelligence.Analysis.data.attributes.stats.harmless | Number | Number of engines that found the indicator to be harmless. |
GoogleThreatIntelligence.Analysis.data.attributes.stats.malicious | Number | Number of engines that found the indicator to be malicious. |
GoogleThreatIntelligence.Analysis.data.attributes.stats.suspicious | Number | Number of engines that found the indicator to be suspicious. |
GoogleThreatIntelligence.Analysis.data.attributes.stats.timeout | Number | he number of engines that timed out for the indicator. |
GoogleThreatIntelligence.Analysis.data.attributes.stats.undetected | Number | Number of engines the found the indicator to be undetected. |
GoogleThreatIntelligence.Analysis.data.attributes.status | String | Status of the analysis. |
GoogleThreatIntelligence.Analysis.data.id | String | ID of the analysis. |
GoogleThreatIntelligence.Analysis.data.type | String | Type of object (analysis). |
GoogleThreatIntelligence.Analysis.meta.url_info.id | String | ID of the URL. |
GoogleThreatIntelligence.Analysis.meta.url_info.url | String | The URL. |
GoogleThreatIntelligence.Analysis.id | String | The analysis ID. |
#
gti-file-scan-and-analysis-getScan and get the analysis of a file submitted to GoogleThreatIntelligence.
#
Base Commandgti-file-scan-and-analysis-get
#
InputArgument Name | Description | Required |
---|---|---|
entryID | The file entry ID to submit. | Required |
uploadURL | Special upload URL for files larger than 32 MB. Can be acquired from the gti-file-scan-upload-url command. | Optional |
id | This is an internal argument used for the polling process, not to be used by the user. | Optional |
file | This is an internal argument used for the polling process, not to be used by the user. | Optional |
extended_data | Whether to return extended data. Possible values are: true, false. | Optional |
interval_in_seconds | Interval in seconds between each poll. Default is 60. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
File.MD5 | unknown | Bad MD5 hash. |
File.SHA1 | unknown | Bad SHA1 hash. |
File.SHA256 | unknown | Bad SHA256 hash. |
File.Relationships.EntityA | string | The source of the relationship. |
File.Relationships.EntityB | string | The destination of the relationship. |
File.Relationships.Relationship | string | The name of the relationship. |
File.Relationships.EntityAType | string | The type of the source of the relationship. |
File.Relationships.EntityBType | string | The type of the destination of the relationship. |
File.Malicious.Vendor | unknown | For malicious files, the vendor that made the decision. |
File.Malicious.Detections | unknown | For malicious files, the total number of detections. |
File.Malicious.TotalEngines | unknown | For malicious files, the total number of engines that checked the file hash. |
DBotScore.Indicator | unknown | The indicator that was tested. |
DBotScore.Type | unknown | The indicator type. |
DBotScore.Vendor | unknown | The vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
GoogleThreatIntelligence.File.attributes.type_description | String | Description of the type of the file. |
GoogleThreatIntelligence.File.attributes.tlsh | String | The locality-sensitive hashing. |
GoogleThreatIntelligence.File.attributes.exiftool.MIMEType | String | MIME type of the file. |
GoogleThreatIntelligence.File.attributes.names | String | Names of the file. |
GoogleThreatIntelligence.File.attributes.javascript_info.tags | String | Tags of the JavaScript. |
GoogleThreatIntelligence.File.attributes.exiftool.FileType | String | The file type. |
GoogleThreatIntelligence.File.attributes.exiftool.WordCount | String | Total number of words in the file. |
GoogleThreatIntelligence.File.attributes.exiftool.LineCount | String | Total number of lines in file. |
GoogleThreatIntelligence.File.attributes.crowdsourced_ids_stats.info | Number | Number of IDS that marked the file as "info". |
GoogleThreatIntelligence.File.attributes.crowdsourced_ids_stats.high | Number | Number of IDS that marked the file as "high". |
GoogleThreatIntelligence.File.attributes.crowdsourced_ids_stats.medium | Number | Number of IDS that marked the file as "medium". |
GoogleThreatIntelligence.File.attributes.crowdsourced_ids_stats.low | Number | Number of IDS that marked the file as "low". |
GoogleThreatIntelligence.File.attributes.sigma_analysis_stats.critical | Number | Number of Sigma analysis that marked the file as "critical". |
GoogleThreatIntelligence.File.attributes.sigma_analysis_stats.high | Number | Number of Sigma analysis that marked the file as "high". |
GoogleThreatIntelligence.File.attributes.sigma_analysis_stats.medium | Number | Number of Sigma analysis that marked the file as "medium". |
GoogleThreatIntelligence.File.attributes.sigma_analysis_stats.low | Number | Number of Sigma analysis that marked the file as "low". |
GoogleThreatIntelligence.File.attributes.exiftool.MIMEEncoding | String | The MIME encoding. |
GoogleThreatIntelligence.File.attributes.exiftool.FileTypeExtension | String | The file type extension. |
GoogleThreatIntelligence.File.attributes.exiftool.Newlines | String | Number of newlines signs. |
GoogleThreatIntelligence.File.attributes.trid.file_type | String | The TrID file type. |
GoogleThreatIntelligence.File.attributes.trid.probability | Number | The TrID probability. |
GoogleThreatIntelligence.File.attributes.crowdsourced_yara_results.description | String | Description of the YARA rule. |
GoogleThreatIntelligence.File.attributes.crowdsourced_yara_results.source | String | Source of the YARA rule. |
GoogleThreatIntelligence.File.attributes.crowdsourced_yara_results.author | String | Author of the YARA rule. |
GoogleThreatIntelligence.File.attributes.crowdsourced_yara_results.ruleset_name | String | Rule set name of the YARA rule. |
GoogleThreatIntelligence.File.attributes.crowdsourced_yara_results.rule_name | String | Name of the YARA rule. |
GoogleThreatIntelligence.File.attributes.crowdsourced_yara_results.ruleset_id | String | ID of the YARA rule. |
GoogleThreatIntelligence.File.attributes.names | String | Name of the file. |
GoogleThreatIntelligence.File.attributes.last_modification_date | Number | The last modification date in epoch format. |
GoogleThreatIntelligence.File.attributes.type_tag | String | Tag of the type. |
GoogleThreatIntelligence.File.attributes.total_votes.harmless | Number | Total number of harmless votes. |
GoogleThreatIntelligence.File.attributes.total_votes.malicious | Number | Total number of malicious votes. |
GoogleThreatIntelligence.File.attributes.size | Number | Size of the file. |
GoogleThreatIntelligence.File.attributes.popular_threat_classification.suggested_threat_label | String | Suggested thread label. |
GoogleThreatIntelligence.File.attributes.popular_threat_classification.popular_threat_name | Number | The popular thread name. |
GoogleThreatIntelligence.File.attributes.times_submitted | Number | Number of times the file was submitted. |
GoogleThreatIntelligence.File.attributes.last_submission_date | Number | Last submission date in epoch format. |
GoogleThreatIntelligence.File.attributes.downloadable | Boolean | Whether the file is downloadable. |
GoogleThreatIntelligence.File.attributes.sha256 | String | SHA-256 hash of the file. |
GoogleThreatIntelligence.File.attributes.type_extension | String | Extension of the type. |
GoogleThreatIntelligence.File.attributes.tags | String | File tags. |
GoogleThreatIntelligence.File.attributes.last_analysis_date | Number | Last analysis date in epoch format. |
GoogleThreatIntelligence.File.attributes.unique_sources | Number | Unique sources. |
GoogleThreatIntelligence.File.attributes.first_submission_date | Number | First submission date in epoch format. |
GoogleThreatIntelligence.File.attributes.ssdeep | String | SSDeep hash of the file. |
GoogleThreatIntelligence.File.attributes.md5 | String | MD5 hash of the file. |
GoogleThreatIntelligence.File.attributes.sha1 | String | SHA-1 hash of the file. |
GoogleThreatIntelligence.File.attributes.magic | String | Identification of file by the magic number. |
GoogleThreatIntelligence.File.attributes.last_analysis_stats.harmless | Number | The number of engines that found the indicator to be harmless. |
GoogleThreatIntelligence.File.attributes.last_analysis_stats.type-unsupported | Number | The number of engines that found the indicator to be of type unsupported. |
GoogleThreatIntelligence.File.attributes.last_analysis_stats.suspicious | Number | The number of engines that found the indicator to be suspicious. |
GoogleThreatIntelligence.File.attributes.last_analysis_stats.confirmed-timeout | Number | The number of engines that confirmed the timeout of the indicator. |
GoogleThreatIntelligence.File.attributes.last_analysis_stats.timeout | Number | The number of engines that timed out for the indicator. |
GoogleThreatIntelligence.File.attributes.last_analysis_stats.failure | Number | The number of failed analysis engines. |
GoogleThreatIntelligence.File.attributes.last_analysis_stats.malicious | Number | The number of engines that found the indicator to be malicious. |
GoogleThreatIntelligence.File.attributes.last_analysis_stats.undetected | Number | The number of engines that could not detect the indicator. |
GoogleThreatIntelligence.File.attributes.meaningful_name | String | Meaningful name of the file. |
GoogleThreatIntelligence.File.attributes.reputation | Number | The reputation of the file. |
GoogleThreatIntelligence.File.attributes.gti_assessment.threat_score.value | Number | GTI threat score of the file. |
GoogleThreatIntelligence.File.attributes.gti_assessment.severity.value | String | GTI severity of the file. |
GoogleThreatIntelligence.File.attributes.gti_assessment.verdict.value | String | GTI verdict of the file. |
GoogleThreatIntelligence.File.type | String | Type of the indicator (file). |
GoogleThreatIntelligence.File.id | String | Type ID of the indicator. |
GoogleThreatIntelligence.File.links.self | String | Link to the response. |
GoogleThreatIntelligence.Analysis.data.attributes.date | Number | Date of the analysis in epoch format. |
GoogleThreatIntelligence.Analysis.data.attributes.stats.harmless | Number | Number of engines that found the indicator to be harmless. |
GoogleThreatIntelligence.Analysis.data.attributes.stats.malicious | Number | Number of engines that found the indicator to be malicious. |
GoogleThreatIntelligence.Analysis.data.attributes.stats.suspicious | Number | Number of engines that found the indicator to be suspicious. |
GoogleThreatIntelligence.Analysis.data.attributes.stats.timeout | Number | he number of engines that timed out for the indicator. |
GoogleThreatIntelligence.Analysis.data.attributes.stats.undetected | Number | Number of engines the found the indicator to be undetected. |
GoogleThreatIntelligence.Analysis.data.attributes.status | String | Status of the analysis. |
GoogleThreatIntelligence.Analysis.data.id | String | ID of the analysis. |
GoogleThreatIntelligence.Analysis.data.type | String | Type of object (analysis). |
GoogleThreatIntelligence.Analysis.meta.file_info.sha256 | String | SHA-256 hash of the file. |
GoogleThreatIntelligence.Analysis.meta.file_info.sha1 | String | SHA-1 hash of the file. |
GoogleThreatIntelligence.Analysis.meta.file_info.md5 | String | MD5 hash of the file. |
GoogleThreatIntelligence.Analysis.meta.file_info.name | unknown | Name of the file. |
GoogleThreatIntelligence.Analysis.meta.file_info.size | Number | Size of the file. |
GoogleThreatIntelligence.Analysis.id | String | The analysis ID. |
#
gti-private-file-scan-and-analysis-getScan and get the analysis of a private file submitted to GoogleThreatIntelligence.
#
Base Commandgti-private-file-scan-and-analysis-get
#
InputArgument Name | Description | Required |
---|---|---|
entryID | The file entry ID to submit. | Required |
id | This is an internal argument used for the polling process, not to be used by the user. | Optional |
extended_data | Whether to return extended data. Possible values are: true, false. | Optional |
interval_in_seconds | Interval in seconds between each poll. Default is 60. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
GoogleThreatIntelligence.Analysis.data.attributes.date | Number | Date of the analysis in epoch format. |
GoogleThreatIntelligence.Analysis.data.attributes.status | String | Status of the analysis. |
GoogleThreatIntelligence.Analysis.data.attributes.threat_severity_level | String | Threat severity level of the private file. |
GoogleThreatIntelligence.Analysis.data.attributes.popular_threat_category | String | Popular threat category of the private file. |
GoogleThreatIntelligence.Analysis.data.attributes.threat_verdict | String | Threat verdict of the private file. |
GoogleThreatIntelligence.Analysis.data.id | String | ID of the analysis. |
GoogleThreatIntelligence.Analysis.data.type | String | Type of object (analysis). |
GoogleThreatIntelligence.Analysis.meta.file_info.sha256 | String | SHA-256 hash of the file. |
GoogleThreatIntelligence.Analysis.meta.file_info.sha1 | String | SHA-1 hash of the file. |
GoogleThreatIntelligence.Analysis.meta.file_info.md5 | String | MD5 hash of the file. |
GoogleThreatIntelligence.Analysis.meta.file_info.size | Number | Size of the file. |
GoogleThreatIntelligence.Analysis.id | String | The analysis ID. |
#
gti-assessment-getRetrieves GTI assessment for a given resource.
#
Base Commandgti-assessment-get
#
InputArgument Name | Description | Required |
---|---|---|
resource | The file hash (MD5, SHA1, or SHA256), Domain, URL or IP. | Required |
resource_type | The type of the resource. If not supplied, will determine it's a file. Possible values are: ip, url, domain, file, hash. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
GoogleThreatIntelligence.Assessment.id | String | ID that contains the assessment (the given hash, domain, url, or ip). |
GoogleThreatIntelligence.Assessment.attributes.gti_assessment.threat_score.value | Number | The threat score of the assessment. |
GoogleThreatIntelligence.Assessment.attributes.gti_assessment.severity.value | String | The severity of the assessment. |
GoogleThreatIntelligence.Assessment.attributes.gti_assessment.verdict.value | String | The verdict of the assessment. |