Manage Threat Profile (Beta)

Public Preview

The Threat Profile (Beta) module is provided as a public preview and is subject to change. Use with caution.

Threat Profiles serve as a customized lens through which you can view and analyze Google Threat Intelligence's vast data. You define specific criteria such as the targeted industries, target regions, source regions, malware roles, and actor motivations. These criteria are then used by our machine learning (ML) module, a sophisticated component that learns patterns from threat data, to identify and recommend the most relevant threats (Threat Actors, Campaigns, Malware & Tools, IoC Collections, Vulnerabilities and Reports). The result is a personalized Threat Profile tailored to your organization's unique risk profile, allowing users to focus on the threats that matter most.

Note that all web interface functionalities are also accessible and automatable via our API. See the API documentation for details.

Creating new Threat Profiles

To create a Threat Profile on Google Threat Intelligence:

  • In the left menu, select the Manage Threat Profiles (Beta) option, then click the Create Threat Profile button.
  • First, give your new Threat Profile a name and indicate if you'd like to share it with your Google TI group members as view-only.
  • Then choose your area of focus by selecting the desired Target industries and Targeted regions, and Advanced options such as Source regions, Malware roles and Actor motivations.

After creation, you'll find your new Threat Profile listed with your other accessible profiles under the MANAGE THREAT PROFILE section. You'll have owner permission level for this new Threat Profile, which allows you to fully manage it, control other users' access to it, and handle its Recommendations and associated objects as needed.

Other users and members of groups can get access to a Threat Profile as viewers and editors, as described in the section Managing existing Threat Profiles - Managing access.

Threat Profile card

Once created, a Threat Profile card can be opened directly from the list of Threat Profiles, showing its name and threat-related configuration at the top.

You'll also find a dropdown menu here, labeled with the current Threat Profile's name, for quick navigation to other Threat Profiles you can access.

Apart from this you have other buttons, as in the following image, to:

Recommendations

Recommendations are Threat Actors, Campaigns, Malware & Tools, IoC Collections, Vulnerabilities and Reports objects that our machine learning (ML) module associates with a Threat Profile. The module uses the Threat Profile's configuration settings and the huge Google TI database to recommend the most relevant threats.

Relevant threats are listed in the REPORTING tab (for reports only) and the THREAT PROFILE LIST tab (for all other object types). Both tabs offer filters on the left, allowing you to prioritize effectively.

For instance, you can filter by Recommendation Source (objects automatically Recommended by our ML or those Added by users) or by the Origin of the data (curated data from our Google Threat Intelligence analysts or from our Partners, as well as Crowdsourced data from the community), among other filters.

Managing Recommendations - Adding new objects to a Threat Profile

As previously mentioned, owners and editors can manually add to a Threat Profile relevant Threat objects, Reports, and Vulnerabilities that were not suggested by our ML module or that were previously deleted. You can do this by selecting items from lists such as Threat Actors, Malware & Tools, Campaigns, IoC Collections, Reports and Vulnerabilities and clicking the Follow button, which is also available on individual object cards.

Managing Recommendations - Deleting objects from a Threat Profile

Owners and editors, as mentioned before, can manually delete objects and recommendations from a given Threat Profile by selecting the objects from the REPORTING and THREAT PROFILE LIST tabs and then clicking the "bin" button.

Note that this action will stop new IoC Stream notifications from being generated for deleted objects, but will not automatically delete existing ones. Timeline events are updated automatically.

Activity Timeline

The ACTIVITY TIMELINE tab on a Threat Profile card displays a chronological history of relevant changes to its associated objects, helping you understand threat evolution over time, such as when bad actors shift tactics or when Google surfaces new detection rules (like YARA, SIGMA, or IDS rules from Mandiant or the community) relevant to the threats in your profile.

You can also find this information by navigating to each main object card and checking either the Latest Activity section in its SUMMARY tab or the Associations timeline subtab within the ASSOCIATIONS tab.

Additionally, the date and object type filters allow you to visualize precisely what matters most to you at each moment.

Never miss a tactical behavior pivot with our change event stream via email notifications or API.

Email Notifications

All users can configure email notifications to stay informed about changes within a Threat Profile and stay up to date on the latest Threat Landscape activity.

You can find an Email Notifications button on any tab of a Threat Profile card. Clicking it will take you to your user settings, where a New Notification button within the Email Notifications section allows you to open the notification configuration form.

On this form, you need to select the Threat Profile Digest option, give your digest a Name (email subject), and choose the specific Threat Profile you're interested in from the dropdown menu. You can also select between Daily and Weekly Delivery Preferences.

Once configured, the digest will be sent at 9:00 AM UTC to the email address of the user who set it up, allowing the user to track any new activity.

View in IoC Stream

You can automatically convert Indicators of Compromise (IoCs) from a Threat Profile's associated Threat objects, Reports, and Vulnerabilities into a custom IoC stream for quick tactical actions. Simply click the View in IoC Stream button, accessible from any tab of the Threat Profile card, or click the View Profile on IoC Stream button in the ACTIONS tab.

Through IoC Stream, you get notified any time a new indicator is associated with any of the objects of your Threat Profile. This lets you visually filter indicators, process them with tools for extracting Commonalities, explore their relationships with Graphs, and collaborate with other explicitly selected users and group members through private IoC Collections. It also enables automatic integration with your SIEM via API and the execution of curated, threat-informed retrohunt queries to search for these IoCs in your environment.

Run TTP Analysis

You can analyze the tactics, techniques and procedures utilized by threats from your profile with our MITRE TTP Analysis tool, giving detection engineers a clear action plan to close gaps within your existing detection program.

To do this, you can either click the Run TTP Analysis button in the ACTIONS tab to process your entire Threat Profile, or select specific Reports or threats from the REPORTING or THREAT PROFILE LIST tabs and then click the Run TTP Analysis button.

This action will open the TTP Analysis tool, showing the MITRE matrix of tactics, techniques and procedures used by your threats.

Managing existing Threat Profiles

Next to each Threat Profile on the list of Threat Profiles, a 3-dot icon provides access to several management options, some of which can also be accessed from the Threat Profile card:

Managing existing Threat Profiles - Update Configuration

Owners and editors can update a Threat Profile's configuration at any time. This includes not only the Threat Profile's name and the redefinition of targeted industries, targeted regions, source regions, malware roles and actor motivations, but also the way our ML module generates the recommendations. From here they can select the Recommendations Count and the Matching Criteria.

A dedicated Customize button at the top of the Threat Profile card performs the same action.

Note that changes to the configuration settings may take up to 5 minutes to update recommendations, and objects added by users to the Threat Profile are not affected.

Managing existing Threat Profiles - Managing access

To facilitate collaboration, Threat Profiles can be shared with other users and group members with different permission levels:

  • viewers - can only view the Threat Profile, its configuration, Recommendations, Activity Timeline, Reportings, IoC Stream notifications, and TTP analysis.
  • editors - can edit the Threat Profile's configuration, manage access to it, and manage its Recommendations and associated objects.

A dedicated Share button at the top of the Threat Profile card performs the same action.

Managing existing Threat Profiles - Deletion

Only owners are able to delete a Threat Profile.

Note that this action will stop new IoC Stream notifications from being generated but will not automatically delete existing ones.