Google Threat Intelligence Migration Guide - for former VirusTotal users
This guide is designed to help VirusTotal users seamlessly transition to and effectively utilize the new Google Threat Intelligence platform.
Former VirusTotal users now also have access to Mandiant's curated threat intelligence data.
This integration of Mandiant's frontline expertise and analyst insights adds depth to VirusTotal's existing knowledge base, empowering users to make more informed and reliable decisions.
Keeping previous configurations and roles
Retaining your existing VirusTotal group ID in your Google Threat Intelligence account is essential for a seamless transition and uninterrupted access to your data and configurations. Our provisioning team will handle the necessary permission updates.
By doing so, all your configurations and settings from VirusTotal accounts will remain intact and accessible within Google Threat Intelligence.
This will ensure service continuity and access to your previously created:
(*) Replace {user_id} and {group_id} in the links by your values.
Additionally, when it comes to users' roles, VirusTotal members will maintain their original privileges if VirusTotal group ID is maintained in Google Threat Intelligence.
Please note that in Google Threat Intelligence premium users will continue to be mainly split in two global flavors: regular users or "Members" and administrators or "Admins".
Find familiar or discover new tools
Google Threat Intelligence integrates the power of VirusTotal's community-driven data with Mandiant Advantage Threat Intelligence's curated insights, all enhanced by Google's unparalleled visibility.
Depending on your Google Threat Intelligence subscription, you can access these resources through the new left navigation menu, where some of the tools and services are grouped by different topics for effortless exploration and navigation:
- Threat Landscape - groups together all the features around threat intelligence at a strategic level.
- IoC Investigation - contains all the tools for Indicators of Compromise investigations.
- Reports & Analysis - groups together all curated and crowdsourced reports.
In the next table you can see all the tools available in Google Threat Intelligence:
| Menu group | Tool | Status | Description |
|---|---|---|---|
| Threat Landscape | Threat Actors (curated) | NEW | Curated threat actors followed by Mandiant analysts |
| Threat Actors (crowdsourced) | - | Threat actors IoCs from the VirusTotal community | |
| Malware families | NEW | Curated malware families followed by Mandiant analysts | |
| Campaigns | NEW | Curated malware campaigns followed by Mandiant analysts | |
| IoC Collections | - | Malware families and campaigns IoCs from the VirusTotal community | |
| My Threat Profile | NEW | Curated inputs tailored to your organization profile | |
| TTP Analysis | NEW | To explore curated Threat Actors and Malware families on the basis of the MITRE ATT&CK Framework | |
| IoC Investigation | Check with VirusTotal (*) | - | (*) Previously known as VirusTotal Intelligence, the IoCs search engine where you can also submit files for analysis |
| Livehunt | - | Yara rules running against new IoCs submitted to the platform | |
| Retrohunt | - | Yara rules running against the already existing files database | |
| IoC Stream | - | The community notifications hub (Livehunt, Retrohunt, community Collections and Threat Actors subscriptions notifications) | |
| Diff | - | The assistant for creating files-based Yara rules | |
| Reports & Analysis | Mandiant Reports | NEW | Curated reports, created by Mandiant analysts |
| Community References | - | Crowdsourced reports, ingested from community trusted sources | |
| Threat Graph | - | Previously known as VT Graph | |
| Private Scanning | - | VirusTotal Private Scanning for files and URLs that cannot be shared with the rest of the community | |
| Vulnerability Intelligence | NEW | Vulnerability Intelligence database | |
| Attack Surface Management | NEW | ASM for assets and issues discovery | |
| Digital Threat Monitoring | NEW | DTM to explore open-source and dark web info |
(*) In IoCs reports that are searchable from previous VirusTotal Intelligence feature and now from Check with VirusTotal, a new scoring indicator has been created. The new Google Threat Intelligence Indicator Score takes into consideration several factors of IoCs reports to help SecOps teams prioritize the most significant security threat.
Integrations and automations with Google Threat Intelligence API
Already existing custom integrations or API automated processes of former VirusTotal users won't be impacted.
Aside from the already known VirusTotal's endpoints, new ones have been introduced to cover all recently added features listed in the "Keeping previous configurations and roles" section. For detailed information, refer to the complete official API v3 documentation here.
Moreover, the gti_assessment field is integrated into all IoCs' (files, URLs, domains, IP addresses) reports, so if you wish to incorporate this new parameter into your automations, you can access it through the same endpoints as usual:
- Get a file report -
/files/{id} - Get a domain report -
/domains/{domain} - Get a URL analysis report -
/urls/{id} - Get an IP address report -
/ip_addresses/{ip}
Here's an example of retrieving the Google Threat Intelligence score (gti_assessment) from a particular file:
import os
from pprint import pprint
import requests
FILE_SHA256_HASH = '7203e2e674817c3cc2080d810a2e09323100163a1bd8f8d4ffbf5b9b1729b9c1'
def get_file_gti_score(file_hash):
url = f'https://www.virustotal.com/api/v3/files/{file_hash}'
headers = {'Accept': 'application/json', 'x-apikey': os.environ['VT_APIKEY']}
res = requests.get(url, headers=headers)
res.raise_for_status()
return res.json()['data']['attributes'].get('gti_assessment',None)
file_gti_score = get_file_gti_score(FILE_SHA256_HASH)
pprint(file_gti_score)
Out of the box integrations
Already existing out-of-the-box (OOTB) integrations won’t be impacted.
While we are actively developing new integrations for Google Threat Intelligence, you can get the list of available ones from the Technology Integration left navigation menu option, where you can easily identify the integrations that are "compatible with Google Threat Intelligence".
We strongly advise prioritizing the migration to Google Threat Intelligence integrations to ensure all your events benefit from Google Threat Intelligence's rich threat context. Check out our extended OOTB Migrate from VirusTotal guide which will incorporate every new integration.
Documentation and contact portal
Documentation portal
Explore our new documentation portal to discover everything you need to know about Google Threat Intelligence. You'll find in-depth information on features and services, plus helpful guides and walkthroughs to accelerate your learning journey.
To automate your workflows, we've compiled a comprehensive list of all API v3 endpoints, each with detailed descriptions to help you get started.
Contact portal
On our new contact portal you can ask for platform technical support or commercial inquiries. Additionally, if you need immediate assistance for an incident, from here you can contact our Incident Response Team which will be happy to help you.
Updated about 1 month ago