
The Google Threat Intelligence API differs in several aspects from the Mandiant API. Nevertheless, the Google Threat Intelligence API encompasses all data available in the Mandiant API, in addition to further information.

  1. There are field name changes.
  2. There are different endpoints.
  3. There are new Google TI API Functionalities. 

Field Name Changes:

It is important to note that while Google Threat Intelligence provides all information found in Mandiant API objects (and more), the JSON response objects have different structures. The following list shows the most popular objects and links to their respective documentation, where their JSON structure is defined:

Indicators of Compromise:

  • File (additionally, a file can carry a sandbox analysis report, represented by the File Behaviour object)
  • URL
  • Domain
  • IP address

Different Endpoints

Although different endpoints exist, Google Threat Intelligence offers comprehensive information equivalent to Mandiant API objects, and more. We have delineated the most common use cases and popular endpoints, with observations on the distinctions between Mandiant and Google Threat Intelligence's APIs.
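As an added example (not part of the original article and not Google's own code), the following Python helper shows how the four object types listed above are addressed through the Google TI API: it classifies an IoC string, builds the object path for it, derives the identifier the API expects for a URL object, and pulls the common fields out of a response envelope. It assumes the API is served under the VirusTotal v3 base URL and authenticated with the `x-apikey` header, as the public Google TI documentation describes; the response below is a constructed sample, not real data.

```python
import base64
import ipaddress
import json
import re
import urllib.request

# ASSUMPTION: Google TI is served under the VirusTotal v3 base URL and the
# object paths follow that API (/files, /urls, /domains, /ip_addresses).
BASE_URL = "https://www.virustotal.com/api/v3"

# MD5, SHA-1 or SHA-256 hex digests identify a File object.
HEX_HASH = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")
DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.IGNORECASE)


def url_identifier(url: str) -> str:
    """A URL object is addressed by the unpadded URL-safe base64 of the URL text."""
    return base64.urlsafe_b64encode(url.encode("utf-8")).decode("ascii").rstrip("=")


def decode_url_identifier(identifier: str) -> str:
    """Inverse of url_identifier: restore the padding and decode."""
    padded = identifier + "=" * (-len(identifier) % 4)
    return base64.urlsafe_b64decode(padded).decode("utf-8")


def classify(ioc: str) -> str:
    """Map a raw indicator to one of the four object types: file, url, domain, ip_address."""
    value = ioc.strip()
    if HEX_HASH.match(value):
        return "file"
    try:
        ipaddress.ip_address(value)
        return "ip_address"
    except ValueError:
        pass
    if "://" in value or "/" in value:  # anything with a scheme or a path is a URL
        return "url"
    if DOMAIN.match(value):
        return "domain"
    raise ValueError(f"unrecognised IoC: {ioc!r}")


def object_path(ioc: str) -> str:
    """Return the API path (relative to BASE_URL) of the object describing this IoC."""
    kind = classify(ioc)
    value = ioc.strip()
    if kind == "file":
        return f"/files/{value.lower()}"
    if kind == "url":
        return f"/urls/{url_identifier(value)}"
    if kind == "domain":
        return f"/domains/{value.lower()}"
    return f"/ip_addresses/{value}"


def fetch_object(ioc: str, api_key: str) -> dict:
    """Perform the lookup; this is the only function here that touches the network."""
    request = urllib.request.Request(BASE_URL + object_path(ioc), headers={"x-apikey": api_key})
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.load(response)


def summarize(response: dict) -> dict:
    """Extract the fields shared by all four object types from a v3 response envelope."""
    data = response["data"]
    stats = data.get("attributes", {}).get("last_analysis_stats", {})
    return {
        "type": data["type"],
        "id": data["id"],
        "malicious": stats.get("malicious", 0),
        "engines": sum(stats.values()),
    }


# Constructed sample response in the v3 envelope shape (not real analysis data).
SAMPLE_RESPONSE = {
    "data": {
        "type": "file",
        "id": "a" * 64,
        "attributes": {
            "last_analysis_stats": {"malicious": 5, "suspicious": 1, "undetected": 60, "harmless": 0}
        },
    }
}

if __name__ == "__main__":
    for ioc in ("8.8.8.8", "Example.COM", "http://example.com/", "a" * 64):
        print(ioc, "->", object_path(ioc))
    print(summarize(SAMPLE_RESPONSE))
```

Only `fetch_object` makes a request; everything else runs offline, so the path-building and parsing logic can be unit-tested before any key is issued.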


New Google TI API Functionalities:

In addition to the endpoints mapped in the previous section, Google TI offers other analysis and threat intelligence-related endpoints, including:


  • Threat Profiles: Google TI exposes the Threat Profile tool via the API, so profiles can be managed programmatically and recommendations on the most relevant threats retrieved.
  • Categorized Threat Lists: Google TI includes API data streams that provide curated and categorized Indicators of Compromise (IoCs).
  • Private Scanning: Google TI allows files to be scanned and URLs analyzed programmatically within a completely private environment.
  • YARA Livehunt: Google TI allows users to programmatically create and manage Livehunt rulesets written in YARA, so they are notified whenever a new IoC submitted to our open database matches the defined criteria (searching in the future).
  • YARA Retrohunt: Retrohunt jobs, which check our current database (searching in the past) for files matching user-defined YARA rules, can be run programmatically via our API endpoints.
  • IoC Stream: Our API endpoints allow programmatic control over the centralized notification hub, so users can manage notifications for IoCs detected by Livehunt and Retrohunt jobs, as well as those related to the Threat Profiles and Threat Intelligence objects they follow.


Conclusion

This document has outlined the differences in field objects and endpoints, and the new features, to take into account when migrating from Mandiant's API to Google TI's API.


Author: Eric Wadlin, Technical Solutions Consultant, Google Cloud Security


Ismahan El-Frih, Google Cloud Security Digital Customer Excellence Team


Support and help problem process


As a word of caution, if you’re looking to switch to the Google TI integration, you may face issues. Here’s the initial thread we tried working through with the community:


We’ve been stuck in a loop with Google support for the past 2 months trying to get this integration to work but it still doesn’t seem to have the engineering support it needs from Google’s side. 

