Google Threat Intelligence Migration Guide - for former Mandiant users

This guide is designed to help Mandiant Advantage Threat Intelligence users seamlessly transition to and effectively utilize the new Google Threat Intelligence platform.

Former Mandiant Advantage Threat Intelligence users now also have access to the Threat Intelligence community data from VirusTotal and to Google's unparalleled threat visibility.

Crowdsourced community and industry threat knowledge within VirusTotal adds breadth to Mandiant's existing knowledge, giving users near real-time actionable insights and immediate preparedness for potential imminent attacks.

Keeping previous configurations and roles

Retaining your existing Mandiant organization in your Google Threat Intelligence account is essential for a seamless transition and uninterrupted access to your data and configurations. Our provisioning team will handle the necessary permission updates.

By doing so, all the configurations and settings from your Mandiant Advantage Threat Intelligence account will be automatically inherited and accessible within Google Threat Intelligence.

This will ensure service continuity and access to your previously created:

Additionally, when it comes to roles, users who exist only in the Mandiant platform will be invited to their new Google Threat Intelligence group, inheriting the admin or common user privileges they had in the Mandiant platform.

Please note that in Google Threat Intelligence premium users continue to be split mainly into two global roles: regular users, or "Members", and administrators, or "Admins".

Find familiar or discover new tools

Google Threat Intelligence integrates the power of VirusTotal's community-driven data with Mandiant Advantage Threat Intelligence's curated insights, all enhanced by Google's unparalleled visibility.

Depending on your Google Threat Intelligence subscription, you can access these resources through the new left navigation menu, where some of the tools and services are grouped by different topics for effortless exploration and navigation:

  • Threat Landscape - groups together all the features around threat intelligence at a strategic level.
  • IoC Investigation - contains all the tools for Indicators of Compromise investigations.
  • Reports & Analysis - groups together all curated and crowdsourced reports.

The following table lists all the tools available in Google Threat Intelligence:

Menu group | Tool | Status | Description
Threat Landscape | Threat Actors (curated) | - | Curated threat actors followed by Mandiant analysts
 | Threat Actors (crowdsourced) | NEW | Threat actor IoCs from the VirusTotal community
 | Malware families | - | Curated malware families followed by Mandiant analysts
 | Campaigns | - | Curated malware campaigns followed by Mandiant analysts
 | IoC Collections | NEW | Malware family and campaign IoCs from the VirusTotal community
 | My Threat Profile | - | Curated inputs tailored to your organization profile
 | TTP Analysis | - | Explore curated Threat Actors and Malware families on the basis of the MITRE ATT&CK Framework
IoC Investigation | Check with VirusTotal | NEW | Previously known as VirusTotal Intelligence: the IoC search engine, where you can also submit files for analysis
 | Livehunt | NEW | YARA rules run against new IoCs submitted to the platform
 | Retrohunt | NEW | YARA rules run against the existing file database
 | IoC Stream | NEW | The community notifications hub (Livehunt, Retrohunt, community Collections and Threat Actors subscription notifications)
 | Diff | NEW | The assistant for creating file-based YARA rules
Reports & Analysis | Mandiant Reports | - | Curated reports created by Mandiant analysts
 | Community References | NEW | Crowdsourced reports ingested from trusted community sources
 | Threat Graph | NEW | Previously known as VT Graph
 | Private Scanning | NEW | VirusTotal Private Scanning for files and URLs that cannot be shared with the rest of the community
 | Vulnerability Intelligence | - | Vulnerability Intelligence database
 | Attack Surface Management | - | ASM for asset and issue discovery
 | Digital Threat Monitoring | - | DTM to explore open-source and dark web information

Integrations and automations with Google Threat Intelligence API

Google Threat Intelligence Endpoints

With Google Threat Intelligence, developers can leverage a comprehensive suite of API v3 endpoints for building custom integrations. These endpoints provide access to an extensive range of tools, features and functionalities that mirror those available in the web interface.

A single server URL is used globally, https://www.virustotal.com/api/v3/, and a single Google Threat Intelligence user or service account API key is required to authenticate and authorize requests.

Legacy Endpoints

To maintain uninterrupted service, you can still access Mandiant's legacy API endpoints using either bearer authentication or basic authentication with your existing API key ID and API key Secret.

⚠️ However, for new jobs requiring the use of the legacy API, basic authentication should be performed with a single Google Threat Intelligence API key, as follows:

  • Replace the Mandiant API key ID in the request with the string "gti-user"
  • Replace the Mandiant API key Secret in the request with the API key of a Google Threat Intelligence user or of a Google Threat Intelligence service account

Check out the "Authentication" section to see where you can get your Google Threat Intelligence API key.

⚠️ Please note that we highly recommend that you migrate all your API integrations to the new Google Threat Intelligence endpoints, which incorporate all the improvements and new features. Feel free to contact us for assistance!

Authentication

API authentication in Google Threat Intelligence endpoints can be done at two levels:

1. User level

As a Google Threat Intelligence user you can access your personal API key for API authentication/authorization purposes as follows:

User menu -> API key option

Left menu bar -> API key option

On the user's API key interface, you will be able to see several sections based on what you are inheriting from your previous Mandiant account.

  • Google Threat Intelligence API key (1)

    • This is your main and unique Google Threat Intelligence API key that works with all Google Threat Intelligence API endpoints.
    • Additionally, please note that you can authenticate to legacy Mandiant endpoints using this API key as mentioned in the "Legacy Endpoints" section.
  • MATI API Key ID (3) and MATI API Key Secret (2)

    • This is your previous API key and Secret for Mandiant Threat Intelligence, which also covers the Digital Threat Monitoring module and the Vulnerability Intelligence module. This API key, which you may have used in previous scripts and integrations that have not yet been migrated to Google Threat Intelligence, is shown for informational purposes only. Please refrain from utilizing this key in any new projects and migrate existing ones to the new Google Threat Intelligence endpoints.
  • ASM API Key IDs (4)

    • These are the previous Mandiant Attack Surface Management API key IDs that you may have used in your previous scripts and integrations that have not yet been migrated to Google Threat Intelligence. These keys are shown for informational purposes only. Please refrain from utilizing these keys in any new projects and migrate existing ones to the new Google Threat Intelligence endpoints.

A. Google Threat Intelligence user's API information.

2. Service Account level

In Google Threat Intelligence, administrators are able to create new service accounts and use their automatically assigned Google Threat Intelligence API keys to automate new tasks and integrate with other tools, without tying the key to any individual.

Google Threat Intelligence service accounts can be accessed and managed from the User menu -> My Group option -> USERS tab.


B. Google Threat Intelligence Service Accounts accessible by administrators from User menu -> My Group option

Authentication Summary

Server URL: https://www.virustotal.com/api/v3/
Credentials: Google Threat Intelligence
  • User
    • API key (A.1)
  • Service Account
    • API key (B.1)
Comments: All Google Threat Intelligence endpoints, including the Attack Surface Management, Digital Threat Monitoring and Vulnerability Intelligence modules
API example - raw Python request

import requests

# Both URLs use the single Google Threat Intelligence server URL (https)
urls = ["https://www.virustotal.com/api/v3/asm/projects",
        "https://www.virustotal.com/api/v3/dtm/alerts"]
# The Google Threat Intelligence API key (A.1 or B.1) is sent in the x-apikey header
headers = {
  "accept": "application/json",
  "x-apikey": "{gti_api_key}"
}
for url in urls:
  response = requests.get(url, headers=headers)
  print(response.text)
Server URL: https://api.intelligence.mandiant.com/v4/
Credentials: Google Threat Intelligence
  • User
    • "gti-user" + API key (A.1)
  • Service Account
    • "gti-user" + API key (B.1)
  • User (legacy credentials)
    • Mati API key ID (A.2) + Mati API key Secret (A.3) (*)
Comments: Legacy Threat Intelligence endpoints, including Digital Threat Monitoring and Vulnerability Intelligence
API example - raw Python request

import requests
from requests.auth import HTTPBasicAuth

# Legacy Mandiant endpoints, called with HTTP basic authentication
urls = ["https://api.intelligence.mandiant.com/v4/dtm/alerts",
        "https://api.intelligence.mandiant.com/v4/vulnerability/CVE-2024-20399"]
headers = {
    "accept": "application/json"
}
for url in urls:
    # Username is the fixed string "gti-user"; password is the Google Threat Intelligence API key
    response = requests.get(url, auth=HTTPBasicAuth("gti-user", "{gti_api_key}"), headers=headers)
    print(response.text)

⚠️ (*) Please refrain from utilizing legacy keys in any new projects and migrate existing ones to the new Google Threat Intelligence endpoints. Feel free to contact us for assistance!

While legacy endpoints continue to work with bearer authentication too, we highly recommend that you transition to Google Threat Intelligence endpoints.
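The two snippets above differ only in how the same Google Threat Intelligence API key is presented: an x-apikey header for the new endpoints, HTTP basic authentication with the fixed username "gti-user" for the legacy ones. The following added example (not code from the Google Threat Intelligence documentation) wraps that decision in one helper so a script being migrated does not have to carry two authentication paths. It uses only the Python standard library, so it can be checked offline; the documentation's own snippets use the requests package. The environment variable name GTI_API_KEY, the function names and the sample key value are assumptions of this example, not names defined by the platform.

```python
# Added example: authenticate to either endpoint family with one GTI API key.
import base64
import json
import os
import urllib.error
import urllib.request

# Server URLs as given in the Authentication Summary.
GTI_BASE = "https://www.virustotal.com/api/v3/"
LEGACY_BASE = "https://api.intelligence.mandiant.com/v4/"
# Fixed key ID that replaces the old Mandiant API key ID on legacy endpoints.
LEGACY_KEY_ID = "gti-user"


def auth_scheme_for(url):
    """Return 'x-apikey' for GTI endpoints, 'basic' for legacy endpoints, else None."""
    if url.startswith(GTI_BASE):
        return "x-apikey"
    if url.startswith(LEGACY_BASE):
        return "basic"
    return None


def build_request(url, api_key):
    """Build an authenticated (unsent) urllib Request for either endpoint family."""
    scheme = auth_scheme_for(url)
    headers = {"Accept": "application/json"}
    if scheme == "x-apikey":
        # New endpoints: the key travels in the x-apikey header.
        headers["x-apikey"] = api_key
    elif scheme == "basic":
        # Legacy endpoints: basic auth with "gti-user" as username, the key as password.
        token = base64.b64encode(f"{LEGACY_KEY_ID}:{api_key}".encode()).decode()
        headers["Authorization"] = f"Basic {token}"
    else:
        # Any other host, or a plain-http URL, is refused so the key is never sent elsewhere.
        raise ValueError(f"unsupported or non-https URL: {url}")
    return urllib.request.Request(url, headers=headers, method="GET")


def fetch_json(url, api_key, opener=urllib.request.urlopen):
    """Send the request and decode the JSON body; report auth failures distinctly."""
    request = build_request(url, api_key)
    try:
        with opener(request, timeout=30) as response:
            return json.load(response)
    except urllib.error.HTTPError as exc:
        if exc.code in (401, 403):
            raise PermissionError(
                f"{url}: HTTP {exc.code}; check the API key and its group privileges"
            ) from exc
        raise


if __name__ == "__main__":
    # GTI_API_KEY is an assumed environment variable name for this example.
    key = os.environ.get("GTI_API_KEY", "")
    if not key:
        raise SystemExit("set GTI_API_KEY to your Google Threat Intelligence API key")
    for target in (GTI_BASE + "asm/projects", LEGACY_BASE + "dtm/alerts"):
        print(target, "->", auth_scheme_for(target))
        print(json.dumps(fetch_json(target, key))[:200])
```

Keeping the key in an environment variable rather than in the script body means the same file can be committed to version control without the credential, and the URL check makes it harder to send the key to an unintended host by editing one string.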

Out of the box integrations

While legacy out-of-the-box (OOTB) integrations are not being impacted and you can still use them to get curated IoCs for proactive detection use cases, we have introduced new Google Threat Intelligence integrations that can help you in event/indicator enrichment use cases.

We are actively developing new integrations to enhance the experience across a wider range of security tools. You can get the list of already available Google TI integrations from the Technology Integration option in the left navigation menu, where you can easily identify the integrations that are "compatible with Google Threat Intelligence".

⚠️ We strongly advise prioritizing the migration to Google Threat Intelligence integrations to ensure all your events benefit from Google Threat Intelligence's rich threat context.

Documentation, contact portal and in-app notifications

Documentation portal

Explore our new documentation portal to discover everything you need to know about Google Threat Intelligence. You'll find in-depth information on features and services, plus helpful guides and walkthroughs to accelerate your learning journey.

To automate your workflows, we've compiled a comprehensive list of all API v3 endpoints, each with detailed descriptions to help you get started.

Contact portal

On our new contact portal you can ask for platform technical support or make commercial inquiries. Additionally, if you need immediate assistance with an incident, you can contact our Incident Response Team from here; they will be happy to help you.

In-app notifications

In-app notifications allow users to stay up to date with everything happening in Google Threat Intelligence. This tool will be used to inform you about new blog posts, webinars and workshops, as well as new enhancements of the platform.