Google Threat Intelligence Migration Guide - for former Mandiant users
This guide is designed to help Mandiant Advantage Threat Intelligence users seamlessly transition to and effectively utilize the new Google Threat Intelligence platform.
Former Mandiant Advantage Threat Intelligence users now also have access to the Threat Intelligence community data from VirusTotal and to Google's unparalleled threat visibility.
Crowdsourced community and industry threat knowledge within VirusTotal adds breadth to Mandiant's existing knowledge, giving users near-real-time actionable insights and immediate preparedness for potential imminent attacks.
Keeping previous configurations and roles
Retaining your existing Mandiant organization in your Google Threat Intelligence account is essential for a seamless transition and uninterrupted access to your data and configurations. Our provisioning team will handle the necessary permission updates.
By doing so, all your configurations and settings from Mandiant Advantage Threat Intelligence accounts will be automatically inherited and accessible within Google Threat Intelligence.
This will ensure service continuity and access to your previously created:
- Attack Surface Management projects and collections including discovered entities, technologies and issues along with their tags and notes
- Digital Threat Monitoring monitors
- My Threat Profile configurations and inputs
Additionally, when it comes to roles, users who exist only in the Mandiant platform will be invited to their new Google Threat Intelligence group, inheriting the admin or regular user privileges they had in the Mandiant platform.
Please note that in Google Threat Intelligence premium users will continue to be split mainly into two global flavors: regular users, or "Members", and administrators, or "Admins".
Find familiar or discover new tools
Google Threat Intelligence integrates the power of VirusTotal's community-driven data with Mandiant Advantage Threat Intelligence's curated insights, all enhanced by Google's unparalleled visibility.
Depending on your Google Threat Intelligence subscription, you can access these resources through the new left navigation menu, where some of the tools and services are grouped by different topics for effortless exploration and navigation:
- Threat Landscape - groups together all the features around threat intelligence at a strategic level.
- IoC Investigation - contains all the tools for Indicators of Compromise investigations.
- Reports & Analysis - groups together all curated and crowdsourced reports.
In the next table you can see all the tools available in Google Threat Intelligence:
Menu group | Tool | Status | Description
---|---|---|---
Threat Landscape | Threat Actors (curated) | - | Curated threat actors followed by Mandiant analysts
Threat Landscape | Threat Actors (crowdsourced) | NEW | Threat actor IoCs from the VirusTotal community
Threat Landscape | Malware families | - | Curated malware families followed by Mandiant analysts
Threat Landscape | Campaigns | - | Curated malware campaigns followed by Mandiant analysts
Threat Landscape | IoC Collections | NEW | Malware family and campaign IoCs from the VirusTotal community
Threat Landscape | My Threat Profile | - | Curated inputs tailored to your organization profile
Threat Landscape | TTP Analysis | - | Explore curated Threat Actors and Malware families on the basis of the MITRE ATT&CK Framework
IoC Investigation | Check with VirusTotal | NEW | Previously known as VirusTotal Intelligence, the IoC search engine where you can also submit files for analysis
IoC Investigation | Livehunt | NEW | YARA rules running against new IoCs submitted to the platform
IoC Investigation | Retrohunt | NEW | YARA rules running against the already existing files database
IoC Investigation | IoC Stream | NEW | The community notifications hub (Livehunt, Retrohunt, community Collections and Threat Actor subscription notifications)
IoC Investigation | Diff | NEW | The assistant for creating file-based YARA rules
Reports & Analysis | Mandiant Reports | - | Curated reports, created by Mandiant analysts
Reports & Analysis | Community References | NEW | Crowdsourced reports, ingested from community trusted sources
Reports & Analysis | Threat Graph | NEW | Previously known as VT Graph
 | Private Scanning | NEW | VirusTotal Private Scanning for files and URLs that cannot be shared with the rest of the community
 | Vulnerability Intelligence | - | Vulnerability Intelligence database
 | Attack Surface Management | - | ASM for asset and issue discovery
 | Digital Threat Monitoring | - | DTM to explore open-source and dark web information
Integrations and automations with Google Threat Intelligence API
Google Threat Intelligence Endpoints
With Google Threat Intelligence, developers can leverage a comprehensive suite of API v3 endpoints for building custom integrations. These endpoints provide access to an extensive range of tools, features and functionalities that mirror those available in the web interface.
A single server URL is used globally, https://www.virustotal.com/api/v3/, and a single Google Threat Intelligence user or service account API key is required for request authentication and authorization.
Legacy Endpoints
To maintain uninterrupted service, you can still access Mandiant's legacy API endpoints with your existing API key ID and API key Secret, using either bearer authentication or basic authentication.
However, for new jobs that require the legacy API, basic authentication should be performed with your single Google Threat Intelligence API key, as follows:
- Replace the Mandiant API key ID in the request with the string "gti-user"
- Replace the Mandiant API key Secret in the request with the Google Threat Intelligence user's API key or the Google Threat Intelligence service account's API key
Check out the "Authentication" section to see where you can get your Google Threat Intelligence API key.
Please note that we highly recommend migrating all your API integrations to the new Google Threat Intelligence endpoints, which will incorporate all the improvements and new features. Feel free to contact us for assistance!
Authentication
API authentication against Google Threat Intelligence endpoints can be done at two levels:
1. User level
As a Google Threat Intelligence user you can access your personal API key for API authentication/authorization purposes as follows:
On the user's API key interface, you will see several sections depending on what you are inheriting from your previous Mandiant account.
- Google Threat Intelligence API key (1)
  - This is your main and unique Google Threat Intelligence API key; it works with all Google Threat Intelligence API endpoints.
  - Additionally, please note that you can authenticate to legacy Mandiant endpoints with this API key, as described in the "Legacy Endpoints" section.
- MATI API Key ID (3) and MATI API Key Secret (2)
  - This is your previous API key and Secret for Mandiant Threat Intelligence, which also covers the Digital Threat Monitoring module and the Vulnerability Intelligence module. This key, which you may have used in previous scripts and integrations that have not yet been migrated to Google Threat Intelligence, is shown for informational purposes only. Please refrain from using this key in any new projects and migrate existing ones to the new Google Threat Intelligence endpoints.
- ASM API Key IDs (4)
  - These are the previous Mandiant Attack Surface Management API key IDs that you may have used in previous scripts and integrations that have not yet been migrated to Google Threat Intelligence. These keys are shown for informational purposes only. Please refrain from using these keys in any new projects and migrate existing ones to the new Google Threat Intelligence endpoints.
2. Service Account level
In Google Threat Intelligence, administrators can create new service accounts and use their automatically assigned Google Threat Intelligence API keys to automate new tasks and integrate with other tools, without tying those integrations to any individual.
Google Threat Intelligence service accounts can be accessed and managed from the User menu -> My Group option -> USERS tab.
Authentication Summary
Server URL | Credentials | Comments
---|---|---
https://www.virustotal.com/api/v3/ | Google Threat Intelligence API key | All Google Threat Intelligence endpoints, including the Attack Surface Management, Digital Threat Monitoring and Vulnerability Intelligence modules

API example - raw Python request:

```python
import requests

# Replace {gti_api_key} with your Google Threat Intelligence user or service account API key.
GTI_API_KEY = "{gti_api_key}"

# Always use https: the API key travels in a request header.
urls = ["https://www.virustotal.com/api/v3/asm/projects",
        "https://www.virustotal.com/api/v3/dtm/alerts"]
headers = {
    "accept": "application/json",
    "x-apikey": GTI_API_KEY  # Google Threat Intelligence endpoints authenticate with the x-apikey header
}
for url in urls:
    response = requests.get(url, headers=headers)
    print(response.text)
```
Server URL | Credentials | Comments
---|---|---
https://api.intelligence.mandiant.com/v4/ | Google Threat Intelligence API key (basic authentication with username "gti-user"); legacy Mandiant API key ID and Secret (*) | Legacy Threat Intelligence endpoints, including Digital Threat Monitoring and Vulnerability Intelligence

API example - raw Python request:

```python
import requests
from requests.auth import HTTPBasicAuth

# Replace {gti_api_key} with your Google Threat Intelligence user or service account API key.
GTI_API_KEY = "{gti_api_key}"

urls = ["https://api.intelligence.mandiant.com/v4/dtm/alerts",
        "https://api.intelligence.mandiant.com/v4/vulnerability/CVE-2024-20399"]
headers = {
    "accept": "application/json"
}
for url in urls:
    # Legacy endpoints: basic auth with the fixed username "gti-user"
    # and the Google Threat Intelligence API key as the password.
    response = requests.get(url, auth=HTTPBasicAuth("gti-user", GTI_API_KEY), headers=headers)
    print(response.text)
```
(*) Please refrain from utilizing legacy keys in any new projects and migrate existing ones to the new Google Threat Intelligence endpoints. Feel free to contact us for assistance!
While legacy endpoints continue to work with bearer authentication too, we highly recommend transitioning to the Google Threat Intelligence endpoints.
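The two request patterns above differ only in where the Google Threat Intelligence API key is placed: the x-apikey header for the v3 endpoints and basic authentication with the fixed username "gti-user" for the legacy v4 endpoints. The following helper, an added example that is not part of this guide or of Google's client libraries, picks the scheme from the server URL so that a script being migrated keeps one code path, refuses to send the key over plain HTTP, and reads the key from the environment instead of hard-coding it. The environment variable name GTI_API_KEY and the function names are this example's own choices; the two hostnames and the "gti-user" username are the ones given above.

```python
"""Added example: choose the right authentication for a Google Threat
Intelligence v3 or legacy Mandiant v4 URL. Not part of the migration guide.

Assumptions (not from the guide): the GTI_API_KEY environment variable name
and the helper names below are this example's own conventions."""
import base64
import os
from urllib.parse import urlparse

GTI_HOST = "www.virustotal.com"                # Google Threat Intelligence v3 server
LEGACY_HOST = "api.intelligence.mandiant.com"  # legacy Mandiant v4 server
LEGACY_USER = "gti-user"                       # fixed basic-auth username for legacy endpoints


def auth_headers(url: str, api_key: str) -> dict:
    """Return the HTTP headers that authenticate `url` with a GTI API key.

    v3 endpoints get the key in the x-apikey header; legacy v4 endpoints get
    HTTP basic auth with "gti-user" as username and the key as password.
    The key is a long-lived secret, so non-HTTPS URLs and unknown hosts are refused.
    """
    parts = urlparse(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing to send an API key over {parts.scheme!r}: {url}")
    if not api_key:
        raise ValueError("empty API key")
    headers = {"accept": "application/json"}
    if parts.hostname == GTI_HOST:
        headers["x-apikey"] = api_key
    elif parts.hostname == LEGACY_HOST:
        token = base64.b64encode(f"{LEGACY_USER}:{api_key}".encode()).decode()
        headers["Authorization"] = f"Basic {token}"
    else:
        raise ValueError(f"unknown API host: {parts.hostname!r}")
    return headers


def redact(headers: dict) -> dict:
    """Copy of `headers` that is safe to log: credential headers are masked."""
    secret = {"x-apikey", "authorization"}
    return {k: ("<redacted>" if k.lower() in secret else v) for k, v in headers.items()}


def fetch(url: str, api_key: str, timeout: float = 30.0) -> str:
    """GET `url` with the right authentication and return the response body.

    Network call; only the standard library is used so the helper runs anywhere.
    """
    import urllib.request
    req = urllib.request.Request(url, headers=auth_headers(url, api_key))
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Read the key from the environment (assumed variable name) rather than the source.
    key = os.environ.get("GTI_API_KEY")
    if not key:
        raise SystemExit("set GTI_API_KEY to your Google Threat Intelligence API key")
    for u in ("https://www.virustotal.com/api/v3/asm/projects",
              "https://api.intelligence.mandiant.com/v4/dtm/alerts"):
        # Show which scheme was selected without ever printing the key itself.
        print(u, redact(auth_headers(u, key)))
```

With this in place, migrating a job from a legacy v4 URL to its v3 equivalent is a change to the URL only; the authentication follows automatically, and the redact helper keeps the key out of logs while you verify the switch.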
Out of the box integrations
While legacy out-of-the-box (OOTB) integrations are not being impacted and you can still use them to get curated IoCs for proactive detection use cases, we have introduced new Google Threat Intelligence integrations that can help you in event/indicator enrichment use cases.
We are actively developing new integrations to enhance the experience across a wider range of security tools. You can get the list of already available Google Threat Intelligence integrations from the Technology Integration option in the left navigation menu, where the integrations that are "compatible with Google Threat Intelligence" are clearly identified.
We strongly advise prioritizing the migration to Google Threat Intelligence integrations to ensure all your events benefit from Google Threat Intelligence's rich threat context.
Documentation, contact portal and in-app notifications
Documentation portal
Explore our new documentation portal to discover everything you need to know about Google Threat Intelligence. You'll find in-depth information on features and services, plus helpful guides and walkthroughs to accelerate your learning journey.
To automate your workflows, we've compiled a comprehensive list of all API v3 endpoints, each with detailed descriptions to help you get started.
Contact portal
On our new contact portal you can ask for platform technical support or make commercial inquiries. Additionally, if you need immediate assistance with an incident, from there you can contact our Incident Response Team, which will be happy to help you.
In-app notifications
In-app notifications allow users to stay up to date with everything happening in Google Threat Intelligence. They will be used to inform you about new blog posts, webinars and workshops, as well as new enhancements to the platform.