Google Threat Intelligence Migration Guide - for former VirusTotal users

This guide is designed to help VirusTotal users seamlessly transition to and effectively utilize the new Google Threat Intelligence platform.

Former VirusTotal users now also have access to Mandiant's curated threat intelligence data.

This integration of Mandiant's frontline expertise and analyst insights adds depth to VirusTotal's existing knowledge base, empowering users to make more informed and reliable decisions.

Keeping previous configurations and roles

Retaining your existing VirusTotal group ID in your Google Threat Intelligence account is essential for a seamless transition and uninterrupted access to your data and configurations. Our provisioning team will handle the necessary permission updates.

By doing so, all your configurations and settings from VirusTotal accounts will remain intact and accessible within Google Threat Intelligence.

This will ensure service continuity and access to your previously created:

⚠️ (*) Replace {user_id} and {group_id} in the links with your values.

Additionally, when it comes to users' roles, VirusTotal members will maintain their original privileges if the VirusTotal group ID is maintained in Google Threat Intelligence.

Please note that in Google Threat Intelligence, premium users will continue to be mainly split into two global flavors: regular users or "Members" and administrators or "Admins".

Find familiar or discover new tools

Google Threat Intelligence integrates the power of VirusTotal's community-driven data with Mandiant Advantage Threat Intelligence's curated insights, all enhanced by Google's unparalleled visibility.

Depending on your Google Threat Intelligence subscription, you can access these resources through the new left navigation menu, where some of the tools and services are grouped by different topics for effortless exploration and navigation:

  • Threat Landscape - groups together all the features around threat intelligence at a strategic level.
  • IoC Investigation - contains all the tools for Indicators of Compromise investigations.
  • Reports & Analysis - groups together all curated and crowdsourced reports.

The following table lists all the tools available in Google Threat Intelligence:

| Menu group | Tool | Status | Description |
|---|---|---|---|
| Threat Landscape | Threat Actors (curated) | NEW | Curated threat actors followed by Mandiant analysts |
| | Threat Actors (crowdsourced) | - | Threat actors IoCs from the VirusTotal community |
| | Malware families | NEW | Curated malware families followed by Mandiant analysts |
| | Campaigns | NEW | Curated malware campaigns followed by Mandiant analysts |
| | IoC Collections | - | Malware families and campaigns IoCs from the VirusTotal community |
| | My Threat Profile | NEW | Curated inputs tailored to your organization profile |
| | TTP Analysis | NEW | To explore curated Threat Actors and Malware families on the basis of the MITRE ATT&CK Framework |
| IoC Investigation | Check with VirusTotal (*) | - | (*) Previously known as VirusTotal Intelligence, the IoCs search engine where you can also submit files for analysis |
| | Livehunt | - | Yara rules running against new IoCs submitted to the platform |
| | Retrohunt | - | Yara rules running against the already existing files database |
| | IoC Stream | - | The community notifications hub (Livehunt, Retrohunt, community Collections and Threat Actors subscriptions notifications) |
| | Diff | - | The assistant for creating files-based Yara rules |
| Reports & Analysis | Mandiant Reports | NEW | Curated reports, created by Mandiant analysts |
| | Community References | - | Crowdsourced reports, ingested from community trusted sources |
| | Threat Graph | - | Previously known as VT Graph |
| | Private Scanning | - | VirusTotal Private Scanning for files and URLs that cannot be shared with the rest of the community |
| | Vulnerability Intelligence | NEW | Vulnerability Intelligence database |
| | Attack Surface Management | NEW | ASM for assets and issues discovery |
| | Digital Threat Monitoring | NEW | DTM to explore open-source and dark web info |

⚠️ (*) IoC reports, previously searchable through the VirusTotal Intelligence feature and now through Check with VirusTotal, include a new scoring indicator. The new Google Threat Intelligence Indicator Score takes several factors of IoC reports into consideration to help SecOps teams prioritize the most significant security threats.

Integrations and automations with Google Threat Intelligence API

Existing custom integrations and API-automated processes of former VirusTotal users won't be impacted.

Aside from the already known VirusTotal endpoints, new ones have been introduced to cover all recently added features listed in the "Keeping previous configurations and roles" section. For detailed information, refer to the complete official API v3 documentation here.

Moreover, the gti_assessment field is integrated into all IoCs' (files, URLs, domains, IP addresses) reports, so if you wish to incorporate this new parameter into your automations, you can access it through the same endpoints as usual:

Here's an example of retrieving the Google Threat Intelligence score (gti_assessment) from a particular file:

import os
from pprint import pprint

import requests

FILE_SHA256_HASH = '7203e2e674817c3cc2080d810a2e09323100163a1bd8f8d4ffbf5b9b1729b9c1'


def get_file_gti_score(file_hash):
    """Return the gti_assessment object of a file report, or None if absent."""
    url = f'https://www.virustotal.com/api/v3/files/{file_hash}'
    # The API key is read from the environment rather than hard-coded.
    headers = {'Accept': 'application/json', 'x-apikey': os.environ['VT_APIKEY']}
    # A timeout keeps an automation from hanging on a stalled connection.
    res = requests.get(url, headers=headers, timeout=30)
    res.raise_for_status()
    return res.json()['data']['attributes'].get('gti_assessment', None)


file_gti_score = get_file_gti_score(FILE_SHA256_HASH)
pprint(file_gti_score)
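
The following is an added example, not part of the original guide: it extends the single-file lookup to the other IoC types named above (URLs, domains, IP addresses) and ranks already-fetched reports by score so the worst indicators surface first. The nested `threat_score` / `verdict` / `severity` layout of `gti_assessment`, the sample report bodies and all helper names are assumptions that this page does not show.

```python
import base64
import ipaddress
import re

API_BASE = "https://www.virustotal.com/api/v3"  # same base URL as the guide's example

def report_url(indicator):
    """Map a file hash, IP address, URL or domain to its API v3 report endpoint."""
    if re.fullmatch(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}", indicator):
        return f"{API_BASE}/files/{indicator.lower()}"
    try:
        return f"{API_BASE}/ip_addresses/{ipaddress.ip_address(indicator)}"
    except ValueError:
        pass  # not an IP address, keep classifying
    if "://" in indicator:
        # URL identifiers are the unpadded URL-safe base64 of the URL string.
        url_id = base64.urlsafe_b64encode(indicator.encode()).decode().rstrip("=")
        return f"{API_BASE}/urls/{url_id}"
    return f"{API_BASE}/domains/{indicator.lower()}"

def summarize_assessment(report):
    """Flatten gti_assessment from a report body; tolerate its absence."""
    attrs = report.get("data", {}).get("attributes", {})
    gti = attrs.get("gti_assessment") or {}
    return {
        "score": gti.get("threat_score", {}).get("value"),
        "verdict": gti.get("verdict", {}).get("value"),
        "severity": gti.get("severity", {}).get("value"),
    }

def prioritize(reports):
    """Order {indicator: report} by descending score, unscored indicators last."""
    rows = [(ioc, summarize_assessment(r)) for ioc, r in reports.items()]
    return sorted(rows, key=lambda row: (row[1]["score"] is None, -(row[1]["score"] or 0)))

# Constructed sample bodies (not real API output); the field layout is an assumption.
SAMPLE_REPORTS = {
    "example.com": {"data": {"attributes": {"gti_assessment": {
        "threat_score": {"value": 1}, "verdict": {"value": "VERDICT_BENIGN"},
        "severity": {"value": "SEVERITY_NONE"}}}}},
    "198.51.100.7": {"data": {"attributes": {"gti_assessment": {
        "threat_score": {"value": 85}, "verdict": {"value": "VERDICT_MALICIOUS"},
        "severity": {"value": "SEVERITY_HIGH"}}}}},
    "http://example.org/a": {"data": {"attributes": {}}},  # report without an assessment
}

if __name__ == "__main__":
    for ioc, summary in prioritize(SAMPLE_REPORTS):
        print(ioc, report_url(ioc), summary)
```

In a live automation, fetch each `report_url(...)` with the same `x-apikey` header as in the guide's example and pass the decoded JSON bodies to `prioritize`.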

Out of the box integrations

Existing out-of-the-box (OOTB) integrations won't be impacted.

While we are actively developing new integrations for Google Threat Intelligence, you can get the list of available ones from the Technology Integration left navigation menu option, where you can easily identify the integrations that are "compatible with Google Threat Intelligence".

⚠️ We strongly advise prioritizing the migration to Google Threat Intelligence integrations to ensure all your events benefit from Google Threat Intelligence's rich threat context. Check out our extended OOTB Migrate from VirusTotal guide which will incorporate every new integration.

Documentation and contact portal

Documentation portal

Explore our new documentation portal to discover everything you need to know about Google Threat Intelligence. You'll find in-depth information on features and services, plus helpful guides and walkthroughs to accelerate your learning journey.

To automate your workflows, we've compiled a comprehensive list of all API v3 endpoints, each with detailed descriptions to help you get started.

Contact portal

On our new contact portal you can request platform technical support or make commercial inquiries. Additionally, if you need immediate assistance for an incident, you can contact our Incident Response Team from there, which will be happy to help you.