Special privileges required
Campaigns are only available to users with the Google Threat Intelligence (Google TI) Enterprise or Enterprise plus license.
Campaigns objects are cyberattacks performed by one or more threat actors against a specific target or group of targets.
Object Attributes
A campaign object contains the following attributes:
aggregations: <dictionary> dictionary of commonalities between the different IoCs associated with the campaign, grouped by IoC type (files, URLs, domains, IP addresses).files: <dictionary> technical commonalities among all files tied to the campaign.urls: <dictionary> technical commonalities among all URLs tied to the campaign.domains: <dictionary> technical commonalities among all domains tied to the campaign.ip_addresses: <dictionary> technical commonalities among all IP addresses tied to the campaign.
alt_names_details: <list of dictionaries> dictionary of alternative names / aliases by which the campaign could be known, including additional data such as the confidence of the information.value: <string> the alternative name.description: <string> descriptive information related to the alternative name.confidence: <string> the confidence of the alternative name associated to the campaign.first_seen: <integer> the first time when the alternative name was seen in the wild (UTC timestamp).last_seen: <integer> the last time when the alternative name was seen in the wild (UTC timestamp).
autogenerated_tags: <list of strings> relevant tags automatically generated by AI.collection_type: <string> identifies the type of the object. For campaigns the value of this attribute iscampaign.counters: <dictionary> dictionary of counters of related objects.attack_techniques: <integer> number of MITRE ATT&CK techniques associated with the campaign.domains: <integer> number of domains related to the campaign.files: <integer> number of files related to the campaign.iocs: <integer> number of IoCs (files + URLs + domains + IP addresses) related to the campaign.ip_addresses: <integer> number of IP addresses related to the campaign.subscribers: <integer> number of users subscribed to the campaign.urls: <integer> number of URLs related to the campaign.
creation_date: <integer> campaign object creation date (UTC timestamp).description: <string> description / context about the campaign.first_seen_details: <list of dictionaries> dictionaries with additional information related to the campaign's first activity, differentiating between confirmed and unconfirmed activity.confidence: <string> confidence on the information or the attribution of the first activity seen related to the campaign.description: <string> description / additional information about the first activity seen related to the campaign.first_seen: <integer> the first time this first activity date has been attributed to the campaign (UTC timestamp).last_seen: <integer> the last time this first activity date has been attributed to the campaign (UTC timestamp).value: <string> date when the first observation about that campaign was made ("YYYY-MM-DDTHH:mm:ssZ" format).
last_modification_date: <integer> last time when the campaign's information was updated (UTC timestamp).last_seen_details: <list of dictionaries> dictionaries with additional information related to the campaign's last activity, differentiating between confirmed and unconfirmed activity.confidence: <string> confidence on the information or the attribution of the last activity seen related to the campaign.description: <string> description / additional information about the last activity seen related to the campaign.first_seen: <integer> the first time this last activity date has been attributed to the campaign (UTC timestamp).last_seen: <integer> the last time this last activity date has been attributed to the campaign (UTC timestamp).value: <string> date when the last observation about that campaign was made ("YYYY-MM-DDTHH:mm:ssZ" format).
name: <string> campaign's name.origin: <string> identifies the source of the information. Google Threat Intelligence for curated objects from our Google TI experts.private: <boolean> whether the campaign object is private or not.recent_activity_relative_change: <float> ratio of change between the last two "recent activity" periods. Note: "recent activity" refers to a period of 14 days.recent_activity_summary: <list of integers> time series representing the activity of the indicators of compromise related to the campaign. (2 weeks)status: <string> ndicates if the object has attributes pending to be computed again (e.g. top_icon_md5 after making changes). The possible values arePENDING_RECOMPUTEandCOMPUTED.source_regions_hierarchy: <list of dictionaries> country or region from which the campaign is known to originate.confidence: <string> confidence on the information or the source region of the malicious campaign.country: <string> country from which the malicious campaign is known to originate.country_iso2: <string> source country in ISO 3166 Alpha2 - code format.description: <string> description / additional information about the country or region targeted by the campaign.first_seen: <integer> the first time this source region was attributed to the campaign (UTC timestamp).last_seen:<integer> the last time this source region was attributed to the campaign (UTC timestamp).region: <string> region from which the malicious campaign is known to originate.source: <string> information's supplier.sub_region: <string> subregion from which the malicious campaign is known to originate.
tags_details: <list of dictionaries> dictionaries of tags associated with the campaign with additional context.confidence: <string> confidence on the information or the tag association to the campaign.description: <string> description / additional information related to the tag associated to the campaign.first_seen: <integer> the first time this tag was attributed to the campaign (UTC timestamp).last_seen: <integer> the last time this tag was attributed to the campaign (UTC timestamp).value: <string> value of the tag.
targeted_industries_tree: <list of dictionaries> list of industries and industry groups known to be targeted by the campaign.confidence: <string> confidence on the information or the industry targeted by the campaign.description: <string> description / additional information related to the industry targeted by the campaign.first_seen: <integer> the first time this targeted industry was associated with the campaign (UTC timestamp).industry: <string> sub-industry targeted by the campaign.industry_group: <string> industry group targeted by the campaign.last_seen: <integer> the last time this targeted industry was associated with the campaign (UTC timestamp).source: <string> information's supplier.
targeted_regions_hierarchy: <list of dictionaries> list of regions and countries known to be targeted by the campaign.confidence: <string> confidence on the information related to the region targeted by the malicious campaign.country: <string> country targeted by the malicious campaign.country_iso2: <string> targeted country in ISO 3166 Alpha2 - code format.description: <string> description / additional information about the region targeted by the malicious campaign.first_seen: <integer> the first time this targeted region was associated with the campaign (UTC timestamp).last_seen:<integer> : the last time this targeted region was associated with the campaign (UTC timestamp).region: <string> region targeted by the malicious campaign.sub_region: <string> sub-region targeted by the malicious campaign.source: <string> information's supplier.
top_icon_md5: <list of strings> list of the 3 most frequent icons among the campaign's associated IoCs (file's icons, URLs and domain's favicons). Favicons are represented by their MD5 hash.
Relationships
In addition to the previously described attributes, campaign objects contain relationships with other objects in our dataset that can be retrieved as explained in the Relationships section.
The following table shows a summary of available relationships.
| Relationship | Return object type |
|---|---|
| associations | List of all objects (Reports, Campaigns, IoC collections, Malware families, Software and Toolkits, Vulnerabilities, Threat Actors) associated with the current campaign, without filtering by the object type. |
| attack_techniques | List of MITRE ATT&CK techniques. |
| collections | List of associated IoC collection objects. |
| comments | List of Comments. |
| domains | List of Domains associated with the campaign. |
| editors | List of users, groups and data connectors that can edit this threat actor (only available to the owner or editor of the entity). |
| files | List of Files associated with the campaign. |
| hunting_rulesets | List of curated YARA rulesets assigned by the entity owner. |
| ip_addresses | List of IP addresses associated with the campaign. |
| malware_families | List of associated Malware family objects. |
| owner | User who created the object. |
| related_collections | List of objects (Reports, Campaigns, IoC collections, Malware families, Software and Toolkits, Vulnerabilities, Threat Actors) containing IoCs associated with this entity. |
| reports | List of associated Report objects. |
| sigma_rules | List of crowdsourced SIGMA rulesets matching at least one file associated with this campaign. |
| software_toolkits | List of associated Software or Toolkit objects. |
| stats | Lookups and submissions trends. |
| threat_actors | List of other threat actors associated to the current campaign. |
| urls | List of URLs associated with the campaign. |
| viewers | List of users, groups and data connectors that can view the entity. |
| vulnerabilities | List of associated Vulnerability objects. |
| yara_rulesets | List of crowdsourced YARA rulesets matching at least one file associated with this campaign. |