Documentation

Reports

Here are the key elements of Google Threat Intelligence reports. We'll look at a typical URL report first, then a typical report for files. The last two sections will focus on domain and IP address reports.

URL Report Summary
URL Report Details
File Report Summary
File Report Details
Domain and IP address reports

URL report summary

URL Reports summary

After your URL is scanned, you'll see a report that looks like this. Note that this is a sample report and does not reflect the actual ratings of any of the vendors listed. We've numbered the elements in the screenshot above for easy reference. They are:


  1. The Google Threat Intelligence Score of the scanned URL.

  2. The URL you scanned. Note that the URL may not match exactly your submission, this is because we canonicalize URLs, i.e. we normalize them in order to make sure that different variations of the same URL do not affect its detections.

  3. The link to the domain repo which this url belongs to.

  4. The date and time (UTC) of the last analysis.

  5. Content type of the resource analyzed. For example: html, xml, flash, fla, iecookie, bittorrent, email, outlook, cap.

  6. Favicon from the domain that belongs to the url scanned.

  7. You can reanalyze the URL to get an updated report. URLs statuses are updated frequently by Google Threat Intelligence as they are distributed by antivirus companies.

  8. Explore the URL Google Threat Intelligence Graph.

  9. Search for the URL in Google Threat Intelligence Intelligence.

  10. The severity level of the scanned URL.

URL report details

URL Reports details

  1. A summary about the scanned resource such as details, telemetry, curated threat actor, curated malware families, etc.
  2. A list of each reviewing partner and their findings. Possible findings include:
  • Clean site: no malware detected.
  • Unrated site: the partner never reviewed the given site.
  • Malware site: distributes malware.
  • Phishing site: the site tries to steal users' credentials.
  • Malicious site: the site contains exploits or other malicious artifacts.
  • Suspicious site: the partner thinks this site is suspicious. Grey area.
  • Spam site: involved in unsolicited email, popups, automatic commenting, etc.
  1. Additional information about the scanned resource, such as the category of its content, the HTTP response headers returned by the server upon asking for the given URL, etc.
  2. Information about the relations between objects related to the scanned resource, like contacted domains, contacted IPs, downloaded files, etc.
  3. Additional information about the observed behaviour during the opening of the URL.
  4. The content of the opened URL.
  5. Additional information about the telemetry of the file, including information about lookups and submissions.
  6. These are comments made by members of the Google Threat Intelligence Community. Most recent comments are listed first. This section also records the votes made by members of the Google Threat Intelligence Community on this file or URL.

File report summary

When you scan a file or search for a file given its hash, you'll see a report that looks like this:

File Reports summary

Again, this report is a sample only and does not reflect the actual ratings of any vendor listed. And again we have numbered the most characteristic elements in the screenshot above for reference. They are:

  1. The Google Threat Intelligence score of the submitted file.
  2. The security level of the submitted file.
  3. The total number of Google Threat Intelligence partners who consider this url harmful (in this case, 49) out of the total number of partners who reviewed the file (in this case, 70) and the sandboxes that considered this file harmful.
  4. SHA-256 (a cryptographic hash function) is a unique way to identify a file and used in the security industry to unambiguously refer to a particular threat. For more info see:
    https://en.wikipedia.org/wiki/Cryptographic_hash_function
    https://en.wikipedia.org/wiki/SHA-2
  5. File name of last submission, and access to search by file names.
  6. Tags.
  7. The date and time (UTC) of the last modification of the submission.
  8. Icon for the file type.
  9. Button to follow the file.
  10. Button to reanalyze the file.
  11. Download sample.
  12. Search for similar files.
  13. More options like explore the file in Google Threat Intelligence Graph and learn how to automate via API.

File report details

File Reports details

  1. A summary including information about the file, curated threat actors, curated malware families, etc.
  2. A list of each reviewing partner and their findings. Possible findings are:
  • Undetected: The given engine does not detect the file as malicious.
  • Suspicious:  The given engine flags the file as suspicious.
  • Unable to process file type: The given engine does not understand the type of file submitted and so will not produce verdicts for it.
  • Timeout: The given engine reached Google Threat Intelligence's time execution limit when processing the file and so no verdicts were recorded for it.
  1. Displays more information about the item being reviewed. For instance, for an Office document file this might list VBA code streams seen in document macros and other file type specific information. Similarly, Google Threat Intelligence specific metadata such as first submission and last submission dates, upload file names, etc are also recorded in this section.
  2. Information about the relations between objects related to the scanned file, like contacted domains, contacted IPs, downloaded files, etc.
  3. Additional information about the observed behaviour during the execution of the file.
  4. The content of the file.
  5. Additional information about the telemetry of the file, including information about lookups and submissions.
  6. These are comments made by members of the Google Threat Intelligence Community. Most recent comments are listed first. This section also records the votes made by members of the Google Threat Intelligence Community on this file or URL.
  7. See the detections evolution through time.
  8. Copy detections as plain text to clipboard.

Domain and IP address reports

Unlike file and URL reports, network location views do not record partner verdicts for the resource under consideration. Instead, these reports condense all of the recent activity that Google Threat Intelligence has seen for the resource under consideration, as well as contextual information about it. These details include:

  • Autonomous System and location country for IP addresses.
  • Passive DNS replication information: all the IP-domain name mappings that Google Threat Intelligence has seen over time for the item being studied. These resolutions are performed when contacting URLs submitted to Google Threat Intelligence for scanning, when executing files in sandboxes, through partnerships with third-parties, etc.
  • Whois lookups: registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system, but is also used for a wider range of other information.
  • Observed subdomains: domains seen hierarchically under another domain stored in Google Threat Intelligence.
  • Sibling domains: domains at the same hierarchical level as the domain being studied.
  • URLs: latest URLs seen under the domain or IP address being studied. Note that the date reflected in this section is not the date at which the URL was contacted but rather the date of the last report that we have for the resource, this might be more recent or older than the retrieval date.
  • Downloaded files: latest files that have been retrieved from URLs sitting at the domain or IP address under study. Note that the date recorded in this section is not the date at which the file was downloaded but rather the date of the last report that we have for the resource.
  • Communicating files: latest files that, through their execution in a sandboxed virtual environment, have been seen to perform some kind of communication with the IP address or domain under consideration. Note that the date recorded in this section is not the date at which the communication took place but rather the date of the last report that we have for the resource.
  • Files referring: Google Threat Intelligence will inspect the strings contained in files submitted to the service and apply certain regular expressions to these in order to identify domains and IP addresses. This section records files that have referenced the domain or IP address under consideration. Note that the date recorded in this section is not the date at which the file that give raise to the relationship was submitted but rather the date of the last report that we have for the resource.

Updated about 2 months ago