Google Threat Intelligence - Migration guide for Mandiant Advantage former users
This guide is designed to help Mandiant Advantage Threat Intelligence users seamlessly transition to and effectively utilize the new Google Threat Intelligence platform.
Former Mandiant Advantage Threat Intelligence users now also have access to the Threat Intelligence community data from VirusTotal and to Google's unparalleled threat visibility.
Crowdsourced community and industry threat knowledge within VirusTotal adds breadth to Mandiant's existing knowledge, giving users near real-time, actionable insights and helping them prepare for potential imminent attacks.
Get started
The provisioning process is documented here, with details on each step and all the information required for closing the contract. Our provisioning team will support you during the entire process.
For a smooth transition, we'll need your previous Mandiant organization UUID, plus your VirusTotal group Token if you've used both solutions before (see the migration guide for former VirusTotal users). All existing users will be automatically upgraded to Google Threat Intelligence and can access the platform once their accounts are fully activated.
Our provisioning team will assist during the entire process and will provide all the necessary.
Let's start by clarifying three fundamental user-level concepts in Google TI.
1. Group
In Google Threat Intelligence, all members of a Mandiant organization are consolidated under a single Google Threat Intelligence group.
2. Users
User group roles are broadly categorized into two types: Members (regular users) and Admins (administrators). During the initial provisioning process, the first group administrator will be designated. This individual will be able to view certain features of other users and manage all users' access and permissions. Group administrators can refer to this resource for a comprehensive overview of their capabilities on the platform.
Furthermore, access to Attack Surface Management (ASM) and Digital Threat Monitoring (DTM) is managed separately.

Remarks
- If an existing Mandiant user's email address matches a pre-existing VirusTotal account, their Mandiant account will be linked to it and they should continue to log in using their existing VirusTotal credentials.
- Conversely, Mandiant users who do not have an existing VirusTotal account will receive an email invitation to create a new Google Threat Intelligence account.
- Completely new users must be added to the group by the group administrator. They will then receive an invitation email to activate their new accounts.
3. Service Account
Groups can also include service accounts, which are specifically designed for automation tasks. They are not tied to individual users, do not require an email address for creation, and provide API authentication solely via API keys accessible only to group administrators.
Note that Service Accounts from Mandiant are not migrated to Google Threat Intelligence.
Google Threat Intelligence tools
Google Threat Intelligence integrates the power of VirusTotal's community-driven data with Mandiant Advantage Threat Intelligence's curated insights, all enhanced by Google's unparalleled visibility.
Depending on your Google Threat Intelligence subscription, you can access these resources through the new left navigation menu, where some of the tools and services are grouped by different topics for effortless exploration and navigation.

The table below enumerates the UI tools available within Google Threat Intelligence. It highlights which capabilities will be familiar from your MATI experience and which are new additions designed to expand your threat intelligence resources.

| Module | Tool | Status for MATI Users | Description |
|---|---|---|---|
| Threat Landscape | My Threat Profiles | Familiar from Mandiant Advantage | Curated threat inputs tailored to your organization profile, based on your own custom criteria. |
| Threat Landscape | Manage Threat Profiles (Beta) | New Capability in GTI | Personalized, dynamic lens that filters Google Threat Intelligence's vast curated data to highlight threats most relevant to your organization, based on your own custom criteria. |
| Threat Landscape | Threat Actors | Familiar from Mandiant Advantage | Highly contextualized Threat Actors cards providing curated details verified by Google Threat Intelligence analysts and our community Partners. |
| Threat Landscape | Malware & Tools | Familiar from Mandiant Advantage | Rich, contextualized details on Malware families and Toolkits, powered by Google Threat Intelligence analysts and our community Partners. |
| Threat Landscape | Campaigns | Familiar from Mandiant Advantage | Curated intelligence on malware Campaigns continuously monitored by our Google Threat Intelligence analysts. |
| Threat Landscape | IoC Collections | New Capability in GTI | Live reports of indicators of compromise. Our Google Threat Intelligence analysts create them, as do our community Partners who track indicators in malicious campaigns. We also incorporate Crowdsourced threats observed by the wider community as Open Source Intelligence (OSINT). |
| Threat Landscape | TTP Analysis | Familiar from Mandiant Advantage | Powerful tool for exploring and analyzing threat objects, vulnerabilities, and reports by mapping the malicious activity they represent to the MITRE ATT&CK framework. |
| IoC Investigation | Check with VirusTotal | New Capability in GTI | Evolving from VirusTotal Intelligence, this tool serves as a robust IoC search engine for querying based on specific criteria and for uploading files for analysis. Additionally, its advanced semantic search goes beyond just IoC lists, delivering a broader spectrum of threat intelligence including Threats, Reports, Vulnerabilities, Rules, Graphs, and valuable community Comments. |
| IoC Investigation | Livehunt | New Capability in GTI | Constantly running YARA ruleset jobs, which analyze new IoCs submitted to the platform and generate notifications on IoCs that match the implemented conditions (search in the future). |
| IoC Investigation | Retrohunt | New Capability in GTI | YARA rulesets running against our extensive file database to pinpoint files that satisfy the rule's conditions (search in the past). |
| IoC Investigation | IoC Stream | New Capability in GTI | The centralized notifications hub for Livehunt and Retrohunt matches, Threat Intelligence objects subscriptions and Managed Threat Profiles. |
| IoC Investigation | Diff | New Capability in GTI | The assistant for creating file-based YARA rules. |
| Reports & Analysis | | Familiar from Mandiant Advantage | Curated reports from Google Threat Intelligence analysts or community Partners as well as Crowdsourced reports from the rest of the community. |
| Threat Graph | | New Capability in GTI | Previously known as VT Graph, a tool for visually exploring relations between Indicators. |
| Private Scanning | | New Capability in GTI | VirusTotal Private Scanning for files and URLs that cannot be shared with the rest of the community. |
| Vulnerability Intelligence | | Familiar from Mandiant Advantage | A curated database providing actionable insights to prioritize and implement effective security fixes. |
| Attack Surface Management | | Familiar from Mandiant Advantage | ASM for assets and issues discovery. |
| Digital Threat Monitoring | | Familiar from Mandiant Advantage | DTM to explore open-source and dark web data. |

Out-of-the-Box Third-Party Integrations
Legacy "out-of-the-box" (OOTB) integrations can still be used for proactive detection, allowing you to obtain curated Indicators of Compromise (IoCs) and merge Attack Surface Management (ASM) alerts into your preferred work management tools. To continue leveraging these, you'll need to update to the new Google Threat Intelligence (GTI) API key. We recommend that you:
- Create a Service Account (note that only group administrators can do this)
- Retrieve the Service Account API key (note that only group administrators can do this)
- Replace your current integration API key with the new Service Account API key
New Google Threat Intelligence integrations enhance event and indicator enrichment, offering curated and crowdsourced data. We're continually expanding integrations for broader tool compatibility. Find available integrations, marked Compatible with Google Threat Intelligence, under the Technology Integration menu.
Furthermore, you will find existing VirusTotal "out-of-the-box" (OOTB) integrations listed under the Technology Integration menu as well as in the dedicated INTEGRATION section of our documentation portal. These can be utilized during their ongoing migration to Google Threat Intelligence.

API migration guide
Please refer to our API migration guide, created specifically for users transitioning from Mandiant Advantage.
Official documentation portal
Explore our documentation portal to discover everything you need to know about Google Threat Intelligence. You'll find in-depth information on features and services, plus helpful guides and walkthroughs to accelerate your learning journey.
To automate your workflows, we've compiled a comprehensive list of all API v3 endpoints, each with detailed descriptions and code snippets to help you get started.
Stay informed on the latest platform updates in our Release Notes and discover our new webinars and relevant blog posts announced through our In-app notification tool.

Ask for platform technical support on our Google Threat Intelligence contact portal. Additionally, if you need immediate assistance for an incident, from here you can contact our Incident Response Team, which will be happy to help you.
