IoC Collections
A collection is a live report which contains a title, a group of IoCs (file hashes, URLs, domains and IP addresses) and an optional description. Collections are open to our Google Threat Intelligence Community (registered users) and they will be enhanced with Google Threat Intelligence (Google TI) analysis metadata providing the latest information we have for the IoCs, along with some aggregated tags.
IoC collection creation
Create an IoC collection
You can create a collection through the home view by clicking on the "Smart Search" button as shown below:
You need to add a name (1), a list of IoCs (2) (file hashes, URLs, domains and IP addresses) and then click on Create collection (3).
You can also write a summary of what is the collection about in "Collection description" and setup visibility settings in "Visibility" section.
If you are in the IoC collections tab you can click on "Create IoC Collection" button, and you will be presented with the same options mentioned.
Other places from where you can create IoC collections in the same way are:
- From the Threat Landscape module, on the IoC Collections tab you will find the Create IoC Collection button
- From the user Profile, on the COLLECTIONS tab you will find the Create IoC Collection button
Create an IoC collection from a list of IoCs
You can create a collection directly with a list of IOCs from a result page, click on "Tools" and "Add to Collection" and "Add to a new collection"
IoC collection report
After your collection is created, you'll see a report that looks like this.
We've numbered the elements in the screenshot above for easy reference. They are:
- Follow the collection for get notifications on new IoCs added.
- You can share the collection permanent link or post it to Twitter.
- The collection provides exporting capabilities in STIX, JSON and CSV formats.
- Open the IOCs in a Graph.
- You can add more IOCs.
- Delete the collection.
- See commonalities between all the IoCs of the collection.
- See telemetry of all the IoCs of the collection.
- You can search for IOCs of an specific type to filter the results.
- You can sort the IOCs by several attributes.
- Edit IOCs of an specific type: you can add more IOCs or delete selected ones.
- You can export IOCs of an specific type in STIX, JSON and CSV formats. You can also copy to clipboard. For files you can Download a selection of them.
- Different Tools for the selected IoCs depending on the IOC type: Send to Diff, Open in Graph, Calculate commonalities or add to Another collection.
Add more IoCs directly from a result page
When you get a list of IOCs, as a result page, you can select some or all of these IOCs and add them to an already existant collection.
- Check the IOCs you want to add
- Click on Tools
- Click on Add to collection
- Select the collection you want these IOCs to be added to.
Own IoC collection dashboard
Users can see their created collections in their profile page, as they currently do for graphs and comments.
IoC collections visibility
You can set the visibility of your collections so they can be stablished as:
- Public
- Private - only you see the collection
- Private - with expanded visibility
- Internally accessible - only you and the members of your group see the collection
- Externally accessible - shared with external groups or other selected members
Note only IoC collection owners can change the visibility.
Setting IoC collections visibility
On creation
You can select the visibility when creating an IoC collection using this dropdown in the bottom of the creation dialog:
From IoC collection report
You can modify the visibility of an IoC collection owned by you, by clicking on the Share & Visibility icon of your collection:
As you can see, you can control the users / groups you establish as editors / viewers, also set the private / public status of the collection, so this gives the collections owner full control on visibility.
Collaborator types
Collaborators can be groups or users playing one of the following roles:
- Viewer: Can see the collection, but cannot modify
- Editor: Can see the collection, also add / delete IoCs and description.
Collaborators cannot delete collections, neither modify the visibility. Only the owner can perform those actions.
Public IoC collections
All public collections are available in Google TI under the Associations section, also the Threat Landscape section. This way our users benefit from other analysis investigations.
X Integration
Security community is very active using X to promote their investigations. Public IoC collections can be shared on X using the share link in the collections report header:
The IoC collection report shows the following card on X.
Private IoC collections
Private IoC collections can be found in Google TI on the Threat Landscape section or listed on the "Associations" tab of IoCs reports, and they can be identified through the "Private" tag.
A private IoC collection will usually be accessible to its owner or users who belong to the same Google TI group, as configured at creation time.
However, private collections can be shared with external groups or specific members while maintaining their private status.
Tipically, they are used for work-in-progress collections, then these collections may be shared with the desired scope. Check the Collections Visibility section for more details on how to create a private collection.
Unlike with public collections, IoCs added to a private collection will not automatically generate a report if they are not already part of our existing database.
To provide the IoC report, the IoC must be scanned then made searchable and its report available to all Google TI users. So users must scan those IoCs separately to prevent potential leaks.
On quota exceeded
Public users will have a quota of 20 Collections per month, if you reach the limit you would find the following message.
API usage
As usual we have also most of the functionality available using our API v3. You can check the API documentation in our API Reference page.
Updated 7 days ago