Manage Threat Profile (Beta)
Public Preview
Threat Profile (Beta) module is provided as a public preview and is subject to change. Use with caution.
Threat Profiles serve as a customized lens through which you can view and analyze Google Threat Intelligence's vast data, by defining specific criteria such as the targeted industries, target regions, source regions, malware roles, and actors motivations. These criteria are then leveraged by our machine learning (ML) module – a sophisticated component that learns patterns from threat data to identify and recommend the most relevant threats (Threat Actors, Campaigns, Malware & Tools, IoC Collections, Vulnerabilities and Reports) and create a personalized Threat Profile tailored to your organization's unique risk profile allowing users to focus on threats that matter most.
Note that everything that can be done over the web automated via API. Visit the API documentation here.
Creating new Threat Profiles
To create a Threat Profile on Google Threat Intelligence:
- Navigate to the Manage Threat Profiles (Beta) left menu option -> Create Threat Profile button.
- First, give your new Threat Profile a name and indicate if you'd like to share it with your Google TI group members as view-only.
- Then choose your area of focus by selecting the desired Target industries and Targeted regions, and Advanced options such as Source regions, Malware roles and Actor motivations.
After creation, you'll find your new Threat Profile listed with your other accessible profiles under the MANAGE THREAT PROFILE section. You'll have owner permission level for this new Threat Profile, which allows you to fully manage it, control other users' access to it, and handle its Recommendations and associated objects as needed.
Other users and members of groups can get access to a Threat Profile as viewers and editos as described on section Managing existing Threat Profiles - Managing access
Threats Profile card
Once created, a Threat Profile card can be opened directly from the list of Threat Profiles, showing its name and threat-related configuration at the top.
Here you can also see a dropdown button with the name of the Threat Profile that allos to pivot and see the card of other Threat Profiles you have access to.
Apart from this you have other buttons for:
- Customize or changes the configuration settings
- Share or manage access to the profile
- View in IoC Stream notifications
Recommendations
Recommendations are Threat Actors, Campaigns, Malware & Tools, IoC Collections, Vulnerabilities and Reports objects associated with a Threat Profile by our machine learning (ML) module that uses the configuration settings of a Threat Profile and the huge Google TI database to recommend the most relevant threats.
Relevant threats are listed in the REPORTING tab (for reports only) and the THREAT PROFILE LIST tab (for all other object types). Both tabs offer filters on the left, allowing you to prioritize effectively.
This will allow you to filter for instance by Recommendation Source (objects automatically Recomended by our ML or those Added by users) or by the Origin of the data (curated data from our Google Threat Intelligence analysts or from our Partners, as well as Crowdsourced data from the community), among other filters.
Managing Recommendations - Adding new objects to a Threat Profile
Owners and editors, as mentioned before, have the ability to manually add relevant Threat objects, Reports, and Vulnerabilities not suggested by our ML module, or previously deleted, to a Threat Profile via the Follow button on the object's card.
Managing Recommendations - Deleting objects from a Threat Profile
Owners and editors, as mentioned before, have the ability to manually delete object and recommendations from a given Threat Profile, by simply selecting the objects from REPORTINGS and THREAT PROFILE LIST tabs followed by the "bin" button.
Activity Timeline
The ACTIVITY TIMELINE tab on a Threat Profile card shows a chronological history of relevant changes to its associated objects, with date and object type filters available on the left.
Managing existing Threat Profiles
Next to each Threat Profile on the list, a 3-dot icon provides access to several management options and some of them can be accesses also from the Threat Profile card:
Managing existing Threat Profiles - Update Configuration
Owners and editors are able to update a Threat Profile's configuration any time they need it. This not only includes the Threat Profile's name and the redefinition of targeted industries, targeted regions, source regions, malware role and threat actors motivations, but also the way our ML module generates the reccomendations.
From here they can select the Recommendations Count and the Matching Criteria as follwos:
A dedicated Customize button can be found at the top of the Threat Profile card allowing to perform the same acction too.
Note that changes the configuration settings may take up to 5 minutes to update recommendations, and objects added by users to the Threat Profile won't suffer any change.
Managing existing Threat Profiles - Managing access
To facilitate collaboration, Threat Profiles can be shared with other users and groups members with different permission levels:
- viewers - for only visualize the Threat Profile, its configuration, Recommendations, Activity Timeline, Reporting, IoC Stream notifications, and TTPs analysis.
- editors - for editing the Threat Profile's configuration and managing its Recommendations and associated objects.
A dedicated Share button can be found at the top of the Threat Profile card allowing to perform the same acction too.
Managing existing Threat Profiles - Deletion
Owners and editors are able to delete a Threat Profile as follows:
Note that this action will stop new IoC Stream notifications from being generated but will not automatically delete existing ones.
Updated about 13 hours ago