Table of Contents
This section of Google Threat Intelligence Onboarding is going to cover the administration of Google TI’s Threat Graph. Google Threat Intelligence Graph is a visualization tool built on top of Google Threat Intelligence data set. It understands the relationship between files, URLs, domains, IP addresses and other items encountered in an ongoing investigation. With it, users can pivot intelligently over any of the malware artifacts in a user’s graph and synthesize findings into a threat map.
Prerequisites
- Access to the Homepage and its features, requires the user to have access, and a valid authentication. Users must be provided access and authentication from the organization’s administrator(s).
Actions
Understanding Nodes & Relationships
Google Threat Intelligence’s Threat Graph is a visualization tool built on top of Google Threat Intelligence data set, that contains maps relationships between files, URLs, domains, and more. Allowing users to explore this network in an interactive graph, to discover new infrastructure and artifacts used by your adversaries
Prerequisites
Access requires users have access, and a valid authentication. Users must be provided access and authentication from the organization’s administrator(s).
- On the main page of Google Threat Intelligence Platform, go to the Left Navbar to select Threat Graph option in the menu.
- The Threat Graph page will appear.
- There will be three options available:
- New Graph
- Search Query Bar
- Access to Graphs
- Users will need to understand what Nodes and Relationships are.
- Each node in the graph represents an entity. There are 5 basic entity types:
- Files
- Domains
- URLs
- IP Addresses
- Relationship Nodes
- Nodes and Entities that have one or more detections from any Anti-virus system, will be marked in Red. Onces that do not, will be marked in Gray.
- Files are represented as a rectangular shape with a representation of the file inside.
- Domains are represented using the domain favicon, if available.
- URLs are represented using the following icon.
- IP Addresses are represented using the flag for its country. If Google TI can’t detect the country from which the IP address is from, it will represent it as a black rectangle.
- Relationship Nodes are represented with a circle containing a representative icon inside.
- Each Node will have an arrow to link a Relationship Node to another Node.
- Once a Node is selected the left panel will show the relevant information related to it.
- The panel will include information about the Node:
- Node Name
- Actions list
- Add to Collection
- Basic Properties
- Relations
- Detections
- Comments
- The relevant information will assist users to expand relationships, find detection verdicts, comments, etc..
- Multiple Nodes can be selected at the same time. There are two ways to select Multiple Nodes:
- Clicking on Multiple Nodes while pressing the SHIFT key.
- Pressing the SHIFT key and click-dragging in the canvas.
- There are actions that can be performed over the selected Node. Right-clicking over a Node will show a contextual menu with the same actions that can be performed from the left panel.
- These actions include:
- Add to Collection
- Unpin Node
- Edit Label
- Hide Node Label
- Select Children
- Select Parents
- Highlight
- Full Expansion
- Add Connected Node
- Open Report
- Delete Node
- Relationship Nodes are a single Node that can link to Multiple Nodes. It merges actions from both single and multiple node selection.
Relevant Documentation Links
- All Steps: https://gtidocs.virustotal.com/docs/get-started-threat-graph
- Additional Documentation: https://gtidocs.virustotal.com/docs/threat-graph-nodes
- Additional Documentation: https://gtidocs.virustotal.com/docs/threat-graph-nodes#color-coding-of-nodes-and-edges
- Additional Documentation: https://gtidocs.virustotal.com/docs/threat-graph-nodes#node
Searching for Threat Graphs
Google Threat Intelligence’s Threat Graph is a visualization tool built on top of Google Threat Intelligence data set, that contains maps relationships between files, URLs, domains, and more. Allowing users to explore this network in an interactive graph, to discover new infrastructure and artifacts used by your adversaries
Prerequisites
Access requires users have access, and a valid authentication. Users must be provided access and authentication from the organization’s administrator(s).
Steps
- On the main page of Google Threat Intelligence Platform, go to the Left Navbar to select Threat Graph option in the menu.
- The Threat Graph page will appear.
- There will be an option to Search for Threat Graphs in a Search Query bar at the top of the page.
- Users can Search by:
- Name
- Owner
- Description
- Tags
- Multiple entity identifiers can be searched at the same time if users press the space key between each of them.
- Users can Search through Threat Graphs by selecting the Access to Graphs dropdown menu below the New Graph button.
- Users can select between:
-
- All Graphs (Public and Private Graphs)
- My Graphs
- My Group Graphs
Relevant Documentation Links
- All Steps: https://gtidocs.virustotal.com/docs/get-started-threat-graph
- Additional Documentation: https://gtidocs.virustotal.com/docs/threat-graph-search
Start a New Threat Graph
Google Threat Intelligence’s Threat Graph is a visualization tool built on top of Google Threat Intelligence data set, that contains maps relationships between files, URLs, domains, and more. Allowing users to explore this network in an interactive graph, to discover new infrastructure and artifacts used by your adversaries
Prerequisites
Access requires users have access, and a valid authentication. Users must be provided access and authentication from the organization’s administrator(s).
Steps
- On the main page of Google Threat Intelligence Platform, go to the Left Navbar to select Threat Graph option in the menu.
- The Threat Graph page will appear.
- Users can Start a New Threat Graph by selecting the New Graph button on the top left corner of the page.
- Another option to Start a New Threat Graph is by conducting a search for an Entity in the Search Query bar.
- Users will see a list of Graphs that matches the query.
- When a Graph is open, user can start a New Threat Graph, by selecting an Entity or Threat Graph. Once a selection is made, users will select File tab in the top left corner of the page.
- A drop down menu will appear and there will be two options, to select a New Blank Graph or New Graph from Selection.
- To add Nodes to an existing Threat Graph, users can:
- Add New Node (Top of Threat Graph)
- Add IOC to Collection (Left-side Panel)
- Search a Collection
- Add to a New Collection
- Add New Node (Right Click in Threat Graph)
- New Node Types available in the Add New Node dropdown menu includes:
- File
- Domain
- URL
- IP Address
- Collections
- Threat Actor
- Reference
- Attack Technique
- Attack Tactic
- Department
- Victim
- Device
- Port
- Service
- SSL Cert
- Wallet
- Once a New Node Type is selected, users will enter a Name for the New Node.
- To add the New Node to the graph, users will select Add Node.
Relevant Documentation Links
- All Steps: https://gtidocs.virustotal.com/docs/get-started-threat-graph
- Additional Documentation: https://gtidocs.virustotal.com/docs/threat-graph-search
Find Commonalities & Start Hunting
Google Threat Intelligence’s Threat Graph is a visualization tool built on top of Google Threat Intelligence data set, that contains maps relationships between files, URLs, domains, and more. Finding common patterns is very important to an investigation and gives users the opportunity to find common patterns in a selection of nodes or even the nodes within a relationship.
Prerequisites
Access requires users have access, and a valid authentication. Users must be provided access and authentication from the organization’s administrator(s).
Steps
- On the main page of Google Threat Intelligence Platform, go to the Left Navbar to select Threat Graph option in the menu.
- The Threat Graph page will appear.
- Users can find common patterns in a selection of Nodes, by selecting a Threat Graph.
- In the Threat Graph, on the right side of the graph, users will see a toolbar that shows the status of the Commonalities depending on the node selected.
- Users can also get the Commonalities for all the Children of a Relationship Node.
- Users will select a Relationship Node, and click Calculate Commonalities in the left drawer panel.
- Users can interact with Commonalities by selecting from the Commonalities Drawer, which will allow users to interact with the Threat Graph and its Commonalities.
- Users can select a list of Commonalities and click the button Search and Add to the Graph to perform a Google Threat Intelligence search and Aggregate the Nodes to the Threat Graph.
- Users can use the Threat Graph to integrate with Live Hunt and Retrohunt Jobs by selecting the Hunt icon on the left side of the Threat Graph, below the Commonalities icon.
- In the Hunting Jobs drawer, users will select from a list of Rulesets:
- Load Results of Graph
- Open Results in Hunting
- Launch a Retrohunt
- Delete a Rule
- In the Retrohunt Jobs drawer, users will select from a list of Retrohunt Jobs:
- Starting
- Running
- Aborted
- Aborting
- Finished
- Different action options with Retrohunt Jobs are:
- Load Results of Graph
- Open Results in Hunting
- Download
- Delete a Retrohunt
Relevant Documentation Links
- All Steps: https://gtidocs.virustotal.com/docs/get-started-threat-graph
- Additional Documentation: https://gtidocs.virustotal.com/docs/threat-graph-commonalities
Next Step: Google Threat Intelligence: Step 4 - Dissemination Overview
Previous Step: Google Threat Intelligence: Step 3.2 - Analysis | Private Scanning