
Agent Skills for Private Knowledge Collections in GTI

  • June 3, 2026
  • 1 reply

vaskenh
Staff

In the May 25 release notes for Google Threat Intelligence, we introduced the concept of private knowledge collections, which allow you to create your own private instances of GTI objects like Malware, Campaigns, Threat Actors, and more.

Creating these private objects allows GTI teams to blend localized threat intelligence with Google’s global dataset rather than waiting for vendor attribution.

A common use case is creating a private collection from the contents of a security blog post or a PDF report you are analyzing. An effective way to implement this workflow is to pair the GTI MCP server with agent “skills” that guide the agent through generating private collections from these external sources.

In this post you’ll find two agent skills: one for creating a private collection based on PDFs and another for creating a private collection based on a security blog. You can introduce these skills into your existing agent workspace, in the same place you would include other agent skills.

Once you place these skills in your agent workspace, you can invoke them using a prompt similar to this:

> Take the data in this PDF report and create a new collection in GTI using the GTI MCP server. The collection should capture all the IOCs from this report as well as other metadata like related threat actors, industry, etc. There is a skill called create_gti_collection_from_pdf that describes how to execute this in more detail.


---
name: create-gti-collection-from-pdf
description: >
  Extract threat intelligence metadata and Indicators of Compromise (IOCs) from
  reports (such as PDFs) and create a structured collection in Google Threat
  Intelligence (GTI) using the GTI MCP server.
# vaskenh@google.com
# June 2026
---

# Extract Threat Intelligence and Create GTI Collection

This skill guides the agent in reading a threat intelligence report (e.g., a PDF or text report), extracting verified threat intelligence metadata and Indicators of Compromise (IOCs), and submitting them to Google Threat Intelligence (GTI) to create a structured collection.

## When to Use This Skill

- Use this skill when the user provides a threat intelligence report (PDF, text, or markdown) and asks to create a GTI collection or document the campaign.
- Use this when hunting for threat campaign indicators and structuring them in a centralized collection.

## Step 1: Read and Analyze the Threat Intelligence Report

Read the document provided by the user.
- If the file is in a restricted path (e.g., workspace root or user home directory), ask the user to copy or move it to the `scratch/` directory where you have read permissions.
- Use the `view_file` tool to extract the content.

Examine the report to identify:
- **Campaign / Threat Actor names**: E.g., FIN10, Megalodon Campaign.
- **Initial Infection Vector**: VS Code extensions, poisoned npm packages, etc.
- **Malware or Worms**: E.g., "Mini Shai-Hulud".
- **Targeted Platforms / Verticals**: GitHub, Grafana Labs, Technology, Financial Services.

## Step 2: Extract Verified Indicators of Compromise (IOCs)

Isolate the indicators that need to be blocked or searched for.
- **IP Addresses**: C2 servers, active scanning IPs.
- **Domains**: Malicious hostnames, domains used in bot email addresses (e.g., extract `automated.xyz` from `ci-bot@automated.xyz`).
- **File Hashes**: MD5, SHA1, SHA256 hashes of malware or exfiltrated tools.
- **URLs**: C2 endpoints or download locations.

> [!IMPORTANT]
> **Filter out Reference and News Domains:** Do NOT include domains, URLs, or hostnames of research blogs, news websites, or reporting agencies (such as `helpnetsecurity.com`, `ox.security`, or `hoploninfosec.com`) that are simply sources or references within the report. Only extract indicators belonging to the attack infrastructure or malicious activity.

## Step 3: Create the Collection in GTI

Using the `gti` MCP server, call the `create_collection` tool.

Specify the following arguments:
- **name**: A clear name formatted as `<Threat Actor or Campaign Name> Campaign (IOCs)` (e.g., `FIN10 GitHub & Grafana Labs Campaign (IOCs)`).
- **description**: A concise summary of the threat intelligence, covering the actor, campaign, initial entry vector, and impact.
- **iocs**: The array of extracted, verified IOCs (IPs, domains, hashes, URLs).
- **private**: `true` (keep it private by default, unless the user specifies public).

Example tool call:
```json
{
  "name": "create_collection",
  "arguments": {
    "name": "FIN10 GitHub & Grafana Labs Campaign (IOCs)",
    "description": "Threat intelligence collection containing verified indicators of compromise (IOCs) associated with the FIN10 GitHub and Grafana Labs breaches and subsequent ransomware campaign",
    "iocs": ["216.41.225.62", "automated.xyz", "noreply.xyz"],
    "private": true
  }
}
```

## Step 4: Update Collection with Tags and Aliases

To make the collection discoverable, call the `update_collection_attributes` tool on the newly created collection ID.

Set the following attributes:
- **tags**: Lowercased keywords representing the campaign, actor, tools, and infection vectors (e.g., `["fin10", "github-breach", "grafana-breach", "megalodon", "shai-hulud", "nx-console"]`).
- **alt_names**: Alternative names or campaign aliases (e.g., `["FIN10 Campaign", "Megalodon Campaign"]`).

## Step 5: Format the Output Link for the GUI

When presenting the completed collection details to the user, ensure you format the link to point to the GTI **GUI interface** rather than the API endpoint.

- **GUI URL Format**: `https://www.virustotal.com/gui/collection/<collection_id>`

Present the final output containing:
- Collection Name
- Collection ID
- Privacy Status
- GUI URL Link
- Cleaned list of IOCs included
- Tags and Alt Names applied


---
name: create-gti-collection-from-website
description: >
  Fetch content from a threat intelligence website (e.g. security blog or article),
  extract verified Indicators of Compromise (IOCs) and campaign metadata,
  and create a structured collection in Google Threat Intelligence (GTI).
# vaskenh@google.com
# June 2026
---

# Extract Threat Intelligence and Create GTI Collection from Website

This skill guides the agent in reading threat intelligence from a website (such as an online security blog, analysis article, or public advisory), extracting threat metadata and verified Indicators of Compromise (IOCs), and submitting them to Google Threat Intelligence (GTI) to create a structured collection.

## When to Use This Skill

- Use this skill when the user provides a URL to an online threat intelligence article (e.g., a Google Cloud Security Blog post, Mandiant Advisory, or other public research blogs) and asks to create a GTI collection or document the campaign.
- Use this when hunting for threat campaign indicators from web-based sources.

## Step-by-Step Instructions

### Step 1: Fetch and Read the Web Article Content

Fetch the content from the target URL.
- Call the `read_url_content` tool with the provided URL.
- The tool downloads the webpage and converts it to a markdown document saved locally. Use `view_file` to read the sections of the downloaded file.

### Step 2: Clean and Analyze Content

Web page scrapes often contain a large amount of boilerplate (navigation bars, tracking metrics, CSS/JS configurations, related articles lists).
- Locate the main body of the article by skipping headers, nav menus, and sidebar elements.
- Focus on sections containing campaign descriptions, infection chains, malware analysis, and structured tables.

### Step 3: Extract Verified Indicators of Compromise (IOCs)

Look for structured tables or list sections under headings like "Indicators of Compromise", "IOCs", "Network Indicators", "File Indicators", or "Technical Details".
- **IP Addresses**: C2 servers, active scanning IPs.
- **Domains**: Malicious hostnames, domains used in phishing/email/Teams bot accounts.
- **File Hashes**: MD5, SHA-1, or SHA-256 hashes of malware binaries, scripts, or components.
- **URLs**: Active phishing landing pages, payload staging directories, or SOCKS proxy connections.

> [!IMPORTANT]
> **Exclude Reference and News Domains:** Do NOT extract domains or URLs of research blogs, security websites, or public tools (such as `virustotal.com`, `helpnetsecurity.com`, `github.com` reference pages, etc.) that are simply links to sources or references in the article. Only capture indicators that belong to the active attack infrastructure or malware campaign.

### Step 4: Extract Threat Intelligence Metadata

Analyze the narrative to identify:
- **Campaign / Threat Actor names**: E.g., UNC6692, Snow Campaign.
- **Initial Infection Vector**: E.g., social engineering, Microsoft Teams phishing, malicious extensions.
- **Malware or Worms**: E.g., SNOWBELT (extension), SNOWGLAZE (tunneler), SNOWBASIN (bindshell).
- **Targeted Verticals / Industries**: E.g., enterprise users, IT infrastructure, banking.

### Step 5: Create the Collection in GTI

Using the `gti` MCP server, call the `create_collection` tool.

Specify the following arguments:
- **name**: A clear name formatted as `<Threat Actor or Campaign Name> Campaign (IOCs)` (e.g., `UNC6692 Social Engineering Campaign (IOCs)`).
- **description**: A concise summary of the threat intelligence, covering the actor, campaign, initial entry vector, and impact.
- **iocs**: The array of extracted, verified IOCs (IPs, domains, hashes, URLs).
- **private**: `true` (keep it private by default, unless the user specifies public).

### Step 6: Update Collection with Tags and Aliases

To make the collection discoverable, call the `update_collection_attributes` tool on the newly created collection ID.

Set the following attributes:
- **tags**: Lowercased keywords representing the campaign, actor, tools, and infection vectors (e.g., `["unc6692", "social-engineering", "teams-phishing", "snowbelt", "snowglaze", "snowbasin"]`).
- **alt_names**: Alternative names or campaign aliases (e.g., `["UNC6692 Campaign", "Snow Ecosystem"]`).

### Step 7: Format the Output Link for the GUI

When presenting the completed collection details to the user, ensure you format the link to point to the GTI **GUI interface** rather than the API endpoint.

- **GUI URL Format**: `https://www.virustotal.com/gui/collection/<collection_id>`

Present the final output containing:
- Collection Name
- Collection ID
- Privacy Status
- GUI URL Link
- Cleaned list of IOCs included
- Tags and Alt Names applied
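As an added example (not code from this post or from the GTI MCP server), the Python below sketches the IOC extraction and reference-domain filtering that both skills describe (Steps 2 and 3 of the PDF skill, Steps 3 to 5 of the website skill) and then builds the tool-call payloads in the shape the post shows. The sample report text and the reference-domain list are constructed, the regular expressions are a simple heuristic, and the argument key names for `update_collection_attributes` are assumed, since the post names the tool and its attributes but not its exact schema.

```python
import re

# Constructed sample report text; every IOC in it is a placeholder, not a real indicator.
SAMPLE_REPORT = """
Analysis by helpnetsecurity.com of the Megalodon campaign attributed to FIN10.
The worker pushed commits as ci-bot@automated.xyz and polled 216.41.225.62 for tasks.
Payload SHA256: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Staging URL: http://noreply.xyz/stage/payload.tgz
See also https://www.virustotal.com/gui/home and https://github.com/example/repo
"""

# Source/reference domains that must never be captured as IOCs (assumed starting list).
REFERENCE_DOMAINS = {"helpnetsecurity.com", "ox.security", "hoploninfosec.com",
                     "virustotal.com", "github.com"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)  # also matches after '@'

def _host(url):
    return url.split("//", 1)[1].split("/", 1)[0].lower()

def _is_reference(host):
    return any(host == d or host.endswith("." + d) for d in REFERENCE_DOMAINS)

def extract_iocs(text):
    """Return ordered, de-duplicated IOCs with reference/news domains filtered out."""
    iocs = IP_RE.findall(text) + HASH_RE.findall(text)
    kept_urls = [u for u in URL_RE.findall(text) if not _is_reference(_host(u))]
    iocs += kept_urls + [_host(u) for u in kept_urls]
    # Blank out URLs first so path components such as payload.tgz are not read as domains;
    # the domain part of bot e-mail addresses (ci-bot@automated.xyz) is still picked up.
    for dom in DOMAIN_RE.findall(URL_RE.sub(" ", text)):
        if not _is_reference(dom.lower()):
            iocs.append(dom.lower())
    return list(dict.fromkeys(iocs))

def build_create_collection(name, description, iocs, private=True):
    """Tool call in the shape the skill shows for create_collection."""
    return {"name": "create_collection", "arguments": {
        "name": name, "description": description, "iocs": iocs, "private": private}}

def build_update_attributes(collection_id, tags, alt_names):
    return {"name": "update_collection_attributes", "arguments": {
        "collection_id": collection_id,  # key names assumed; the post only names the tool
        "tags": [t.lower() for t in tags], "alt_names": alt_names}}

def gui_url(collection_id):
    return f"https://www.virustotal.com/gui/collection/{collection_id}"
```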


1 reply

Rob_P
Staff
  • June 3, 2026

Great work @vaskenh! This is incredibly useful for automating this report creation and extraction of IOCs easily. 🕺