🚧
Special privileges required
Reports are only available to users with the Google Threat Intelligence (Google TI) Enterprise or Enterprise Plus licenses.

The Reports & Analysis section provides in-depth, continuously updated reports on a wide range of cybersecurity topics, including threat activity, event coverage, etc. There are two main types of reports: (1) Google Threat Intelligence reports - written and curated by Mandiant analysts, leveraging their expertise and access to vast amounts of data to provide actionable insights for security professionals and organizations, and (2) Community reports - collecting crowdsourced information from vendors around the world, from independent researchers to blogs from security teams. While more dispersed and sometimes noisy, community information provides diversity and a broader perspective.

Object Attributes

A report object contains the following attributes:

affected_systems: <list of strings> affected systems by the threat covered in the report.
aggregations: <dictionary> dictionary of commonalities between the different IoCs associated to the report, grouped by IoC type (files, URLs, domains, IP addresses).
- domains: <dictionary> technical commonalities among all domains tied to the report.
- files: <dictionary> technical commonalities among all files tied to the report.
- ip_addresses: <dictionary> technical commonalities among all IP addresses tied to the report.
- urls: <dictionary> technical commonalities among all URLs tied to the report.
alt_names: <list of strings> list of alternative names / aliases for the report.
analyst_comment:<string> comments made by Google Threat Intelligence analysts on a given new or online report.
author: <string> author of the report.
autogenerated_summary:<string> autogenerated summary of the report by ML.
capabilities: <list of dictionaries> list of capabilities associated with the report.
- confidence: <string> the confidence of the report's associated capability.
- description: <string> description of the capability.
- first_seen: <integer> the first time when the capability was associated with the report (UTC timestamp).
- last_seen: <integer> the first time when the capability was associated with the report (UTC timestamp).
- value: <string> capability associated with the report.
collection_type: <string> identifies the type of the object. For reports the value of this attribute is report.
content:<string> full report content.
counters: <dictionary> dictionary of counters of related objects.
- domains: <integer> number of domains related to the report.
- files: <integer> number of files related to the report.
- iocs: <integer> number of IoCs (files + URLs + domains + IP addresses) related to the report.
- ip_addresses: <integer> number of IP addresses related to the report.
- subscribers: <integer> number of users subscribed to the report.
- urls: <integer> number of URLs related to the report.
creation_date: <integer> report creation date (UTC timestamp). Note that for OSINT reports, this refers to the source's creation date rather than our database entry date.
description: <string> description / context about the report.
detection_names: <list of dictionaries> list of detection names and extra context.
- confidence: <string> the confidence of the detection.
- description: <string> descriptive information related to the detection.
- first_seen: <integer> the first time when the detection was associated with the report (UTC timestamp).
- last_seen: <integer> the last time when the detection was associated with the report (UTC timestamp).
- value: <string> the detection name.
executive_summary: <string> summary of the content of the report.
first_seen_details: <list of dictionaries> dictionaries with additional information related to the report's first activity.
- confidence: <string> confidence on the information or the attribution of the first activity seen related to the report.
- description: <string> description / additional information about the first activity seen related to the report.
- first_seen: <integer> the first time this first activity date has been attributed to the report (UTC timestamp).
- last_seen: <integer> the last time this first activity date has been attributed to the report (UTC timestamp).
- value: <string> date of the first observation of that report ("YYYY-MM-DDTHH:mm:ssZ" format).
intended_effects: <list of strings> intended effects of the threat described in the report.
last_modification_date: <integer> last time when the report's information was updated (UTC timestamp).
last_seen_details: <list of dictionaries> dictionaries with additional information related to the report's last activity.
- confidence: <string> confidence on the information or the attribution of the last activity seen related to the report.
- description: <string> description / additional information about the last activity seen related to the report.
- first_seen: <integer> the first time this last activity date has been attributed to the report (UTC timestamp).
- last_seen: <integer> the last time this last activity date has been attributed to the report (UTC timestamp).
- value: <string> date of the last observation of that report ("YYYY-MM-DDTHH:mm:ssZ" format).
link: <string> URL to the original report.
malware_roles: <list of dictionaries> the list of malware roles associated with the report.
- confidence: <string> the confidence of the associated malware role.
- description: <string> descriptive information related to the associated malware role.
- first_seen: <integer> the first time when the malware role was associated with the report(UTC timestamp).
- last_seen: <integer> the last time when the malware role was associated with the report (UTC timestamp).
- value: <string> the malware role name.
mitigations: <list of strings> list of available ways to reduce / mitigate the threat impact.
motivations: <list of dictionaries> motivations of the threat described in the report such as espionage, financial gain, etc.
- confidence: <string> confidence on the associated motivation.
- description: <string> description / additional information about the associated motivation.
- first_seen: <integer> the first time this motivation was attributed to the current report (UTC timestamp).
- last_seen: <integer> the last time this motivation was attributed to the current report (UTC timestamp).
- value: <string> motivations of the threat described in the report.
name: <string> report's title.
operating_systems: <list of dictionaries> operating systems affected by threat described in the report. Possible values: Android, BSD, FreeBSD, Linux, Mac, Unix, VMkernel, Windows, iOS.
- confidence: <string> the confidence that the operating system is affected by the threat described in the report.
- description: <string> descriptive information related to the targeted operating system.
- first_seen: <integer> the first time when the operating system was associated with the report (UTC timestamp).
- last_seen: <integer> the last time when the operating system was associated with the report (UTC timestamp).
- value: <string> operating system name.
origin: <string> identifies the source of the information. Partner for curated objects from trusted partners and security researchers , Google Threat Intelligence for curated objects from our Google TI experts and Crowdsourced for online articles and blogposts from the community.
private: <boolean> whether the report object is private or not.
recent_activity_relative_change: <float> ratio of change between the last two "recent activity" periods. Note: "recent activity" refers to a period of 14 days.
recent_activity_summary: <list of integers> time series representing the activity of the indicators of compromise related to the report. (2 weeks)
report_confidence: <string> confidence on the information or the source of the report.
report_id: <string> identifier of the report.
report_type: <string> type of the report such as "News Analysis", "Actor Profile", "Industry Reporting", "OSINT Article", etc.
sponsor_region: <string> the main country or region suspected to sponsor the threat described in the report.
source_region: <string> the main country or region from which the threat described in the report is known to originate.
source_regions_hierarchy: <list of dictionaries> country or region from which the threat described in the report is known to originate.
- confidence: <string> confidence on the information or the source region of the threat described in the report.
- country: <string> country from which the threat described in the report is known to originate.
- country_iso2: <string> source country in ISO 3166 Alpha2 - code format.
- description: <string> description / additional information about the country or region targeted by threat described in the report.
- first_seen: <integer> the first time this source region was attributed to the current report (UTC timestamp).
- last_seen:<integer> the last time this source region was attributed to the current report (UTC timestamp).
- region: <string> region from which the threat described in the report is known to originate.
- source: <string> information's supplier.
- sub_region: <string> subregion from which the threat described in the report is known to originate.
status: <string> indicates if the object has attributes pending to be computed again (e.g. top_icon_md5 after making changes). The possible values are PENDING_RECOMPUTE and COMPUTED.
summary_stats: <list of dictionaries> stats associated with the report.
- first_submission_date: <dictionaries> the minimun (min), maximun (max) and average (avg) values of the first_submission_date of all the IoCs associated to the report.
- last_submission_date: <dictionaries> the minimun (min), maximun (max) and average (avg) values of the last_submission_date of all the IoCs associated to the report.
- files_detections: <dictionaries> the minimun (min), maximun (max) and average (avg) values of the files_detections of all the IoCs associated to the report.
- urls_detections: <dictionaries> the minimun (min), maximun (max) and average (avg) values of the urls_detections of all the IoCs associated to the report.
tags: <list of string> tags associated with the report.
targeted_industries: <list of strings> list of industries known to be targeted by the threat described in the report.
targeted_industries_tree: <list of dictionaries> list of industries and industry groups known to be targeted by the threat described in the report.
- confidence: <string> confidence on the information or the industry targeted by the threat described in the report.
- description: <string> description / additional information related to the industry targeted by the threat described in the report.
- first_seen: <integer> the first time this targeted industry was associated with the current report (UTC timestamp).
- industry: <string> sub-industry targeted by the threat described in the report.
- industry_group: <string> industry group targeted by the threat described in the report.
- last_seen: <integer> the last time this targeted industry was associated with the current report (UTC timestamp).
- source: <string> information's supplier.
targeted_informations: <list of strings> list of the types of information known to be targeted by the threat described in the report.
targeted_regions: <list of strings> list of regions and countries known to be targeted by the threat described in the report.
targeted_regions_hierarchy: <list of dictionaries> list of regions and countries known to be targeted by the threat described in the report.
- confidence: <string> confidence on the information or the region targeted by the threat described in the report.
- country: <string> country targeted by the threat described in the report.
- country_iso2: <string> targeted country in ISO 3166 Alpha2 - code format.
- description: <string> description / additional information related to the region targeted by the threat described in the report.
- first_seen: <integer> the first time this targeted region was associated with the current report (UTC timestamp).
- last_seen:<integer> the last time this targeted region was associated with the current report (UTC timestamp).
- region: <string> region targeted by the threat described in the report.
- source: <string> information's supplier.
- sub_region: <string> sub-region targeted by the threat described in the report.
technologies: <list of strings> list of Common Platform Enumeration (CPE) objects referring to the vulnerability described by the report.
- cpe:<string> SPE specific standardized product naming scheme.
- cpe_title:<string> represents the vendor and technology affected by the vulnerability introduced by the report.
- technology_name:<string> product or technology affected by the vulnerability introduced by the report.
- vendor:<string> vendor affected by the vulnerability introduced by the report.
threat_categories: <list of strings> list of threat categories derived from the IoCs associated to the report.
threat_scape: <list of strings> topic areas of the report.
tlp: <string> it indicates the sensitivity of the information and defines the boundaries for how and with whom the data can be shared. Available values are: RED, AMBER, GREEN, CLEAR .
top_icon_md5: <list of strings> list of the 3 most frequent icons among the report's IoCs (file's icons, URLs and domain's favicons). Favicons are represented by their MD5 hash.
version: <integer> version of the report.

Relationships

In addition to the previously described attributes, report objects contain relationships with other objects in our dataset that can be retrieved as explained in the Relationships section.

The following table shows a summary of available relationships.

Relationship	Return object type
associations	List of all objects (Reports, Campaigns, IoC collections, Malware families, Software and Toolkits, Vulnerabilities, Threat Actors) associated to the current report, without filtering by the object type.
attack_techniques	List of MITRE ATT&CK techniques.
campaigns	List of associated collections of type Campaign objects.
collections	List of associated collections of type IoC collection objects.
comments	List of Comments.
domains	List of Domains associated with the report.
editors	List of users, groups and data connectors that can edit this report (only available to the owner or editor of the entity).
files	List of Files associated with the report.
hunting_rulesets	List of curated YARA rulesets assigned by the entity owner.
ip_addresses	List of IP addresses associated with the report.
malware_families	List of associated collections of type Malware family objects.
owner	User who created the object.
related_collections	List of collection objects of type (Reports, Campaigns, IoC collections, Malware families, Software and Toolkits, Vulnerabilities, Threat Actors containing IoCs associated to this entity.
reports	List of associated collections of type Report objects.
software_toolkits	List of associated collections of type Software or Toolkit objects.
threat_actors	List of other collections of type Threat Actors associated to the current report.
urls	List of URLs associated with the report.
viewers	List of users, groups and data connectors that can view the entity (only available to the owner or editor of the entity).
vulnerabilities	List of associated collections of type Vulnerability objects.
yara_rulesets	List of crowdsourced YARA rulesets matching at least one file associated with this report.