This November, Explore and Share with Google Threat Intelligence!
Join the #MonthOfGoogleTISearch initiative
This November, we’re inviting all Google Threat Intelligence users to explore, investigate, and share without restrictions.
For the entire month, searches made through the GUI (only GUI, not API) will not consume any quota — so you can go further and deeper in your investigations.
From malware analysis to actor tracking and campaign correlation, this is your chance to experiment freely with advanced Google TI searches, discover new use cases, and uncover insights that connect the dots across the threat landscape.
What you can expect
- No quota consumption for all searches performed via the Google TI web interface during November. Note that API interaction will continue to consume quota.
- Each day, we’ll share new and creative search examples on LinkedIn and X under the hashtag #MonthOfGoogleTISearch.
- We encourage you to try these searches, share your own queries, and show how you use Google TI to accelerate investigations.
Learn, explore, and hunt smarter
Use this initiative to strengthen your threat-hunting workflows:
- Google Threat Intelligence Documentation
- Google TI Search Cheat Sheet
- Files Search Modifiers
- URL Search Modifiers
- Domain Search Modifiers
- IP address Search Modifiers
Example: Day 1 Search Query
To kick off #MonthOfVTSearch, here’s the first advanced query we’re sharing with the community:
| and (behavior_network:*.ru* or embedded_domain:*.ru* or embedded_url:*.ru*) |
What this query does:
This search helps identify document files that, when executed in a sandbox environment, show behavior consistent with potential malicious activity involving .ru infrastructure. It specifically looks for:
- Documents (type:document) that were uploaded to VT.
- During execution, they show process behavior containing:
  - HTTP traffic (behavior_processes:*http*),
  - The string DavSetCookie (often observed in HTTP request headers or custom cookie operations),
  - And references to .ru domains.
- And additionally, they show network or embedded indicators related to .ru domains via:
  - Behavior-based network connections (behavior_network:*.ru*), or
  - Embedded domains or URLs within the file (embedded_domain:*.ru*, embedded_url:*.ru*).
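When triaging hits from the `*.ru*` clauses above, note that a glob of this shape matches any value that merely contains `.ru`. The following added example (not part of the original post) assumes the wildcard behaves as a plain case-insensitive glob and uses constructed sample indicators; it separates values whose hostname is really under the `.ru` TLD from substring-only matches.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample indicators (not real query results).
SAMPLE_INDICATORS = [
    "http://files.example.ru/update.doc",   # host under .ru
    "cdn.example.ru",                       # bare domain under .ru
    "https://app.example.run/login",        # .run TLD, contains ".ru"
    "docs.rust-mirror.example.com",         # label starts with "ru"
    "http://example.com/index.ru.html",     # ".ru" only in the path
    "example.org",                          # no ".ru" at all
]


def wildcard_hit(value, pattern="*.ru*"):
    """Glob match with the same shape as the query's *.ru* value (assumed semantics)."""
    return fnmatchcase(value.lower(), pattern)


def hostname_of(value):
    """Return the lower-cased hostname of a URL or bare domain ('' if none)."""
    candidate = value if "://" in value else "//" + value
    host = urlsplit(candidate).hostname or ""
    return host.rstrip(".")


def is_ru_host(value):
    """True only when the hostname itself ends in the .ru TLD."""
    return hostname_of(value).endswith(".ru")


def triage(indicators):
    """Split wildcard hits into confirmed .ru hosts and substring-only matches."""
    confirmed, substring_only = [], []
    for item in indicators:
        if not wildcard_hit(item):
            continue  # would not have matched the clause at all
        (confirmed if is_ru_host(item) else substring_only).append(item)
    return confirmed, substring_only


if __name__ == "__main__":
    confirmed, substring_only = triage(SAMPLE_INDICATORS)
    print("confirmed .ru hosts:", confirmed)
    print("substring-only matches to review:", substring_only)
```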
Join the conversation!
Let’s make this a month of shared knowledge and creative threat hunting.
Every Monday in the Google Threat Intelligence forum we’ll provide you with the previous week’s searches.
🎬 🚀 Share your favorite IOC Searches, and other searches you use on a daily basis here in this post!
Also, follow the daily posts on LinkedIn and X, tag your findings with #MonthOfGoogleTISearch, and connect with analysts worldwide using Google Threat Intelligence to stay ahead of emerging threats.
