Report

Information about reports

🚧

Special privileges required

Reports are only available to users with the Google Threat Intelligence (Google TI) Enterprise or Enterprise Plus licenses.

The Reports & Analysis section provides in-depth, continuously updated reports on a wide range of cybersecurity topics, including threat activity, event coverage, etc. There are two main types of reports: (1) Google Threat Intelligence reports - written and curated by Mandiant analysts, leveraging their expertise and access to vast amounts of data to provide actionable insights for security professionals and organizations, and (2) Community reports - collecting crowdsourced information from vendors around the world, from independent researchers to blogs from security teams. While more dispersed and sometimes noisy, community information provides diversity and a broader perspective.

Object Attributes

A report object contains the following attributes:

  • affected_systems: <list of strings> affected systems by the threat covered in the report.
  • aggregations: <dictionary> dictionary of commonalities between the different IoCs associated to the report, grouped by IoC type (files, URLs, domains, IP addresses).
    • domains: <dictionary> technical commonalities among all domains tied to the report.
    • files: <dictionary> technical commonalities among all files tied to the report.
    • ip_addresses: <dictionary> technical commonalities among all IP addresses tied to the report.
    • urls: <dictionary> technical commonalities among all URLs tied to the report.
  • analyst_comment:<string> comments made by Google Threat Intelligence analysts on a given new or online report.
  • author: <string> author of the report.
  • autogenerated_summary:<string> autogenerated summary of the report by ML.
  • collection_type: <string> identifies the type of the object. For reports the value of this attribute is report.
  • content:<string> full report content.
  • counters: <dictionary> dictionary of counters of related objects.
    • domains: <integer> number of domains related to the report.
    • files: <integer> number of files related to the report.
    • iocs: <integer> number of IoCs (files + URLs + domains + IP addresses) related to the report.
    • ip_addresses: <integer> number of IP addresses related to the report.
    • subscribers: <integer> number of users subscribed to the report.
    • urls: <integer> number of URLs related to the report.
  • creation_date: <integer> report object creation date (UTC timestamp).
  • executive_summary: <string> summary of the content of the report.
  • intended_effects: <list of strings> intended effects of the threat described in the report.
  • last_modification_date: <integer> last time when the report's information was updated (UTC timestamp).
  • link: <string> URL to the original report.
  • motivations: <list of dictionaries> motivations of the threat described in the report such as espionage, financial gain, etc.
    • confidence: <string> confidence on the information or the attribution of the motivation to the threat described in the report.
    • description: <string> description / additional information about the motivations of the threat described in the report.
    • first_seen: <integer> the first time this motivation was attributed to the current report (UTC timestamp).
    • last_seen: <integer> the last time this motivation was attributed to the current report (UTC timestamp).
    • value: <string> motivations of the threat described in the report.
  • name: <string> report's title.
  • origin: <string> identifies the source of the information. Partner for curated objects from trusted partners and security researchers , Google Threat Intelligence for curated objects from our Google TI experts and Crowdsourced for online articles and blogposts from the community.
  • private: <boolean> whether the report object is private or not.
  • recent_activity_relative_change: <float> ratio of change between the last two "recent activity" periods. Note: "recent activity" refers to a period of 14 days.
  • recent_activity_summary: <list of integers> time series representing the activity of the indicators of compromise related to the report. (2 weeks)
  • report_confidence: <string> confidence on the information or the source of the report.
  • report_id: <string> identifier of the report.
  • report_type: <string> type of the report such as "News Analysis", "Actor Profile", "Industry Reporting", "OSINT Article", etc.
  • source_regions_hierarchy: <list of dictionaries> country or region from which the threat described in the report is known to originate.
    • confidence: <string> confidence on the information or the source region of the threat described in the report.
    • country: <string> country from which the threat described in the report is known to originate.
    • country_iso2: <string> source country in ISO 3166 Alpha2 - code format.
    • description: <string> description / additional information about the country or region targeted by threat described in the report.
    • first_seen: <integer> the first time this source region was attributed to the current report (UTC timestamp).
    • last_seen:<integer> the last time this source region was attributed to the current report (UTC timestamp).
    • region: <string> region from which the threat described in the report is known to originate.
    • source: <string> information's supplier.
    • sub_region: <string> subregion from which the threat described in the report is known to originate.
  • status: <string> indicates if the object has attributes pending to be computed again (e.g. top_icon_md5 after making changes). The possible values are PENDING_RECOMPUTE and COMPUTED.
  • tags_details: <list of dictionaries> dictionaries of tags associated with the report with some additional context.
    • confidence: <string> confidence on the information or the tag association to the report.
    • description: <string> description / additional information related to the tag associated to the report.
    • first_seen: <integer> the first time this tag was attributed to the current report (UTC timestamp).
    • last_seen: <integer> the last time this tag was attributed to the current report (UTC timestamp).
    • value: <string> value of the tag.
  • targeted_industries_tree: <list of dictionaries> list of industries and industry groups known to be targeted by the threat described in the report.
    • confidence: <string> confidence on the information or the industry targeted by the threat described in the report.
    • description: <string> description / additional information related to the industry targeted by the threat described in the report.
    • first_seen: <integer> the first time this targeted industry was associated with the current report (UTC timestamp).
    • industry: <string> sub-industry targeted by the threat described in the report.
    • industry_group: <string> industry group targeted by the threat described in the report.
    • last_seen: <integer> the last time this targeted industry was associated with the current report (UTC timestamp).
    • source: <string> information's supplier.
  • targeted_informations: <list of strings> list of the types of information known to be targeted by the threat described in the report.
  • targeted_regions_hierarchy: <list of dictionaries> list of regions and countries known to be targeted by the threat described in the report.
    • confidence: <string> confidence on the information or the region targeted by the threat described in the report.
    • country: <string> country targeted by the threat described in the report.
    • country_iso2: <string> targeted country in ISO 3166 Alpha2 - code format.
    • description: <string> description / additional information related to the region targeted by the threat described in the report.
    • first_seen: <integer> the first time this targeted region was associated with the current report (UTC timestamp).
    • last_seen:<integer> the last time this targeted region was associated with the current report (UTC timestamp).
    • region: <string> region targeted by the threat described in the report.
    • source: <string> information's supplier.
    • sub_region: <string> sub-region targeted by the threat described in the report.
  • technologies: <list of strings> list of Common Platform Enumeration (CPE) objects referring to the vulnerability described by the report.
    • cpe:<string> SPE specific standardized product naming scheme.
    • cpe_title:<string> represents the vendor and technology affected by the vulnerability introduced by the report.
    • technology_name:<string> product or technology affected by the vulnerability introduced by the report.
    • vendor:<string> vendor affected by the vulnerability introduced by the report.
  • threat_categories: <list of strings> list of threat categories derived from the IoCs associated to the report.
  • threat_scape: <list of strings> topic areas of the report.
  • top_icon_md5: <list of strings> list of the 3 most frequent icons among the report's IoCs (file's icons, URLs and domain's favicons). Favicons are represented by their MD5 hash.
  • version: <integer> version of the report.

Relationships

In addition to the previously described attributes, report objects contain relationships with other objects in our dataset that can be retrieved as explained in the Relationships section.

The following table shows a summary of available relationships.

RelationshipReturn object type
associationsList of all objects (Reports, Campaigns, IoC collections, Malware families, Software and Toolkits, Vulnerabilities, Threat Actors) associated to the current report, without filtering by the object type.
attack_techniquesList of MITRE ATT&CK techniques.
autogenerated_graphsList of graphs related to the current report.
campaignsList of associated Campaign objects.
collectionsList of associated IoC collection objects.
commentsList of Comments.
domainsList of Domains associated with the report.
editorsList of users, groups and data connectors that can edit this report (only available to the owner or editor of the entity).
filesList of Files associated with the report.
hunting_rulesetsList of curated YARA rulesets assigned by the entity owner.
ip_addressesList of IP addresses associated with the report.
malware_familiesList of associated Malware family objects.
ownerUser who created the object.
related_collectionsList of objects (Reports, Campaigns, IoC collections, Malware families, Software and Toolkits, Vulnerabilities, Threat Actors) containing IoCs associated to this entity.
reportsList of associated Report objects.
sigma_rulesList of crowdsourced SIGMA rulesets matching at least one file associated with this report.
software_toolkitsList of associated Software or Toolkit objects.
threat_actorsList of other Threat Actors associated to the current report.
urlsList of URLs associated with the report.
viewersList of users, groups and data connectors that can view the entity (only available to the owner or editor of the entity).
vulnerabilitiesList of associated Vulnerability objects.
yara_rulesetsList of crowdsourced YARA rulesets matching at least one file associated with this report.