Solved

Flagging Suspicious Email Risk Indicators

  • April 21, 2026
  • 1 reply
  • 33 views

donkos

I have a SOAR playbook for investigating emails. As part of the playbook, domain and URL case entities are checked against static lists to see if they are:

  1. Free share link sites
  2. Domains for free email services (e.g. gmail.com)
  3. URL shorteners
  4. An obviously benign entity belonging to a trusted organisation such as a bank, e.g. jpmorganchase.com

Does GTI check and report back whether submitted domain or URL IOCs belong to any of these categories, if the submission is done via API?

Best answer by dnehoda


1 reply

dnehoda
  • Staff
  • Answer
  • April 21, 2026
Yes, Google Threat Intelligence (GTI), which leverages the combined power of Mandiant and VirusTotal, can fulfill these checks via API. However, the data isn't always returned as a single "yes/no" field for each of your categories. Instead, you extract this metadata from the categories, tags, and attributes fields in the API response.

Here is how GTI maps to your specific investigation requirements:

1. Free Share Link Sites & 3. URL Shorteners

GTI (via the VirusTotal engine) explicitly tags these using a crowdsourced and automated classification system.

  • Where to find it: Check the tags or categories array in the API response for a Domain or URL object.

  • Expected Values: Look for tags like bitly, tinyurl, shortener, or categories like file-sharing and storage.

  • API Path: GET /domains/{domain} or GET /urls/{id}.

2. Domains for Free Email Services

GTI identifies these primarily through category metadata provided by various web filtering engines (like Forcepoint, Bitdefender, etc.) that feed into the platform.

  • Where to find it: The categories object in the response.

  • Expected Values: Domains like gmail.com or outlook.com will frequently return categories like webmail or email.

  • Manual Verification: Since some "free" providers are also enterprise providers, many SOCs use the popularity_ranks attribute in GTI. A very high popularity rank (e.g., top 100 on Majestic or Umbrella) combined with an "email" category is a strong programmatic indicator.
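The mapping described in the answer above (shortener tags, file-sharing/storage categories, webmail/email categories, and the popularity_ranks cross-check) can be turned into a single enrichment step for the playbook. The following is an added example written for this page; it is not code from the original post or from Google/VirusTotal. It assumes the v3 object layout where categories, tags and popularity_ranks live under data.attributes, and the keyword lists and the three sample responses are constructed for illustration, so tune them to the category strings your own tenant returns.

```python
"""Classify a GTI / VirusTotal v3 domain or URL object into the playbook's buckets."""
import json
from dataclasses import dataclass, field
from urllib.request import Request, urlopen

# Assumed keyword lists; engine category strings vary, so extend these from your own data.
SHORTENER_TAGS = {"bitly", "tinyurl", "shortener", "url-shortener"}
FILE_SHARE_CATEGORIES = {"file-sharing", "file sharing", "storage", "file storage/sharing"}
WEBMAIL_CATEGORIES = {"webmail", "email", "web-based email"}
POPULAR_RANK_MAX = 100  # "top 100 on Majestic or Umbrella" from the answer
API_BASE = "https://www.virustotal.com/api/v3"  # assumed GTI/VT v3 endpoint host


@dataclass
class Verdict:
    url_shortener: bool = False
    file_share: bool = False
    free_email: bool = False
    popular: bool = False
    evidence: list = field(default_factory=list)

    @property
    def strong_free_email(self) -> bool:
        """The answer's combined indicator: email category AND a top-100 popularity rank."""
        return self.free_email and self.popular


def _norm(label: str) -> str:
    return label.strip().lower()


def classify(obj: dict) -> Verdict:
    """obj is the parsed JSON body of GET /domains/{domain} or GET /urls/{id}."""
    attrs = obj.get("data", {}).get("attributes", {})
    tags = {_norm(t) for t in attrs.get("tags", [])}
    # categories is a mapping of engine name -> category label (assumed layout)
    cats = {eng: _norm(lbl) for eng, lbl in attrs.get("categories", {}).items()}
    ranks = attrs.get("popularity_ranks", {})

    v = Verdict()
    hit = tags & SHORTENER_TAGS
    if hit:
        v.url_shortener = True
        v.evidence.append(f"tags: {sorted(hit)}")
    for engine, label in cats.items():
        if label in FILE_SHARE_CATEGORIES:
            v.file_share = True
            v.evidence.append(f"{engine} category: {label}")
        if label in WEBMAIL_CATEGORIES:
            v.free_email = True
            v.evidence.append(f"{engine} category: {label}")
    for provider, info in ranks.items():
        rank = info.get("rank") if isinstance(info, dict) else None
        if isinstance(rank, int) and rank <= POPULAR_RANK_MAX:
            v.popular = True
            v.evidence.append(f"{provider} rank: {rank}")
    return v


def fetch_domain(domain: str, api_key: str) -> dict:
    """Live lookup (not exercised offline); the x-apikey header is the assumed auth scheme."""
    req = Request(f"{API_BASE}/domains/{domain}", headers={"x-apikey": api_key})
    with urlopen(req, timeout=15) as resp:
        return json.load(resp)


# Constructed sample responses (not real API output) for offline testing.
SAMPLE_SHORTENER = {"data": {"attributes": {
    "tags": ["shortener"], "categories": {"EngineA": "information technology"},
    "popularity_ranks": {}}}}
SAMPLE_WEBMAIL = {"data": {"attributes": {
    "tags": [], "categories": {"EngineA": "web-based email", "EngineB": "webmail"},
    "popularity_ranks": {"Majestic": {"rank": 14}, "Cisco Umbrella": {"rank": 20}}}}}
SAMPLE_PLAIN = {"data": {"attributes": {
    "tags": [], "categories": {"EngineA": "business"},
    "popularity_ranks": {"Majestic": {"rank": 250000}}}}}

if __name__ == "__main__":
    for name, sample in [("shortener", SAMPLE_SHORTENER), ("webmail", SAMPLE_WEBMAIL), ("plain", SAMPLE_PLAIN)]:
        print(name, classify(sample))
```

In the playbook, call classify on each enriched domain or URL entity and write the evidence list back to the case so an analyst can see which engine or tag produced the flag; the strong_free_email property implements the answer's suggestion that an email category alone is not enough, since enterprise mail providers also carry it.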