Overview

Overview


Google Threat Intelligence Graph is a visualization tool built on top of Google Threat Intelligence data set. It understands the relationship between files, URLs, domains, IP addresses and other items encountered in an ongoing investigation. With it, you can pivot intelligently over any of the malware artifacts in your graph and synthesize your findings into a threat map that you can share with your colleagues.

A Google Threat Intelligence graph 

Relationships oriented


Google Threat Intelligence's backend generates rich relationships: URLs from which a file has been downloaded, whether a given file been seen contained in some other files, what are the parents of a given Portable Executable, domain to IP address mappings over time, etc. Explore all these 30+ inter-item links in a graph, with nodes and arcs that allow you to discover new infrastructure and artifacts leveraged by the subjects of your investigation.

Google Threat Intelligence Graph relations 

Create, collaborate, share


Work in the same investigation with your peers, save your investigation graphs and publish your findings either publicly or with your organization.

Google Threat Intelligence Graph share publicly Google Threat Intelligence Graph share within our organization 

Find patterns


Common patterns and commonalities are very interesting and, in a way, a critical piece in the investigation, this is why we have decided to calculate them on-demand for you. Just select a group of nodes in the graph and click on “Find commonalities” to see a list of common attributes in the selection.

Google Threat Intelligence Graph patterns 

Seamless integration with VTI search and hunting


Expand a node using a VTI search query or download the selected nodes in the graph. Google Threat Intelligence Graph works along with their sibling VT tools.

Google Threat Intelligence Graph VTI integration 

Threat cards


Hover over any of the nodes in your graph and see a summary of the item with the most representative data in Google Threat Intelligence database. Click in the node to see the available expansions, the submission graph, the AV verdicts (for files and urls) and the community comments.

Google Threat Intelligence Graph VTI threat cards 

Custom nodes


Google Threat Intelligence dataset might not know a link between two entities as it might only happen in your environment. VT Graph allow you to manually add this links and furthermore, to add a new node to the graph even when VT doesn’t know about it. Our supported custom types are file, url, domain, IP address, actor, department, email and victim.

Google Threat Intelligence Graph VTI custom nodes