Get started with Threat Graph

Google Threat Intelligence Graph is a visualization tool built on top of the Google Threat Intelligence data set. It understands the relationships between files, URLs, domains, IP addresses and other items encountered in an ongoing investigation. With it, you can pivot intelligently over any of the malware artifacts in your graph and synthesize your findings into a threat map that you can share with your colleagues.

  • Google Threat Intelligence Graph Overview
  • Google Threat Intelligence Graph search and start new investigation
  • Google Threat Intelligence Graph management
  • Google Threat Intelligence Graph nodes
  • Google Threat Intelligence Graph Commonalities and Hunting
  • Quick access to graphs relevant to you
  • Toolbar
  • Google Threat Intelligence Graph API

Getting Started: Key Steps

  1. Understanding Nodes and Relationships
    The Google Threat Intelligence backend maps over 30 types of relationships between files, URLs, domains, and more. Explore this network in an interactive graph, following the links between nodes and arcs to discover new infrastructure and artifacts used by your adversaries.
  2. How to Search and Start a New Graph Investigation
    1. Search For Threat Graphs: Using the search functionality, you can search for other graphs that have been published publicly by the security community, or search for ones published by your team. You are also able to search for files or hashes to see Threat Graphs for those entities.
    2. You can start a new graph from the Graph tab by clicking on the New graph button, or from a file report by clicking on More > Explore in Threat Graph.
  3. Find Commonalities and Start Hunting in Your Threat Graphs
    Commonalities and Hunting: Accelerate your investigations with the Google Threat Intelligence Commonalities feature. By identifying common patterns within your selected nodes or relationships, you'll gain critical insights into the tactics, techniques, and procedures (TTPs) of your adversaries.

Quick access to graphs relevant to you

This overview page shows different lists of graphs:

  • Your graphs: It includes your saved graphs and those graphs where you are an editor or viewer

  • All graphs: It includes the public graphs
  • My group graphs: It includes the graphs from my group

Toolbar

For any of the lists of graphs, you are able to:

  • Sort by different criteria
  • Switch between list and grid views

Google Threat Intelligence Graph API

Like most of our other products, Google Threat Intelligence Graph is getting a RESTful API. The documentation can be found here, and a Python library that reduces the learning curve is available in our GitHub repository.