If you are looking to advance your threat hunting capabilities, this webinar provides a practical deep dive into mastering GTI Dorking within Google Threat Intelligence. The session focuses on how to transform standard IoC lookups into sophisticated, multi-parameter searches that uncover hidden threats.
Led by Technical Solutions Consultant Robert Parker, this session highlights the shift from searching for single indicators to building complex, behavioral-based queries. It demonstrates how to leverage advanced modifiers and AI-powered insights to move from manual investigation to automated, proactive alerting.
For example, instead of just searching for a suspicious domain name, the demonstration shows how to combine parameters to find high-confidence phishing pages: "Find domains containing the word 'Google' that use a .xyz top-level domain, return a successful HTTP 200 response, and have at least five malicious detections."
The Result: Users can identify precisely which "needles in the haystack" are currently active and targeting their brand, then use agentic capabilities to automatically convert those searches into live YARA-X hunting rules.
What You Can Expect
In this webinar, you can expect to learn how to:
- Master GTI Dorking by using advanced syntax (modifier:value) and boolean logic to filter the global threat landscape with surgical precision.
- Protect Your Brand by using fuzzy domain searches and Favicon dHash tracking to identify fraudulent websites mimicking your organization.
- Leverage Code Insights to analyze scripts, PowerShell, and Chrome extensions using AI to understand their intent in plain English before you run them.
- Automate the Threat Lifecycle by converting manual search queries into YARA-X rules for continuous "Live Hunting" and alerting.
- Operationalize Intelligence by calculating commonalities across large datasets and exporting findings directly to Google SecOps or EDR blocklists.
Key Discussion Points & Timestamps
If you're looking to jump to a specific section of the recording, use this guide:
- [06:02] – The Strategy: Transitioning from single-indicator searches to complex, multi-parameter queries.
- [13:40] – GTI Dorking 101: Understanding the syntax, boolean operators, and "hacking" the search bar.
- [17:42] – Mastering Time & Logic: How to use relative dates (+/- 14d) and detection ratios correctly.
- [21:13] – Live Challenge: Crafting a query for malicious Excel attachments with network behavior.
- [28:41] – Brand & Fraud Monitoring: Using fuzzy domains and the "Icon dHash" to find logo abuse.
- [36:03] – Targeted Brand Search: Built-in modifiers for identifying mimics of major brands like Okta and PayPal.
- [42:33] – AI-Powered Analysis: Using Code Insights to summarize the behavior of fileless malware and webhooks.
- [49:18] – The Agentic Workflow: Converting a GTI search into a YARA-X rule using an AI prompt.
- [55:56] – Testing the Hunt: Validating your automated rules against real-world malicious samples.
- [57:23] – Q&A: Leveraging GTI data within Google SecOps and future integration roadmaps.
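The favicon dHash used for brand monitoring (the "Icon dHash" item above and in the webinar outline) is a perceptual hash: a lookalike site that reuses a slightly edited logo gets a hash only a few bits away from the original, which is why a hash search catches mimics that an exact file hash would miss. The following is an added illustration, not GTI's own code; the 8x8 difference hash and nearest-neighbour downscale are standard, but the exact resampling and matching threshold GTI applies are assumptions, and the three icons are constructed sample data.

```python
"""Difference hash (dHash) over favicons: added example, not GTI/VirusTotal code."""
from typing import List, Sequence

Image = Sequence[Sequence[int]]  # rows of grayscale pixels, 0..255


def resize_nearest(img: Image, width: int, height: int) -> List[List[int]]:
    """Nearest-neighbour downscale (assumption: GTI's real resampling is not documented here)."""
    src_h, src_w = len(img), len(img[0])
    return [[img[y * src_h // height][x * src_w // width] for x in range(width)]
            for y in range(height)]


def dhash(img: Image, hash_size: int = 8) -> str:
    """Shrink to (hash_size+1) x hash_size, emit 1 where a pixel is brighter than its right neighbour."""
    small = resize_nearest(img, hash_size + 1, hash_size)
    bits = 0
    for row in small:
        for x in range(hash_size):
            bits = (bits << 1) | (1 if row[x] > row[x + 1] else 0)
    return f"{bits:0{hash_size * hash_size // 4}x}"  # 64 bits -> 16 hex chars


def hamming(a: str, b: str) -> int:
    """Number of differing bits between two dHash hex strings."""
    return bin(int(a, 16) ^ int(b, 16)).count("1")


def is_lookalike(a: str, b: str, max_distance: int = 10) -> bool:
    """Flag near-duplicate icons; the threshold is an assumption for this demo."""
    return hamming(a, b) <= max_distance


def block_checkerboard(size: int = 16, block: int = 4) -> List[List[int]]:
    """Constructed stand-in for a brand logo: 4x4 light/dark blocks."""
    return [[255 if ((x // block) + (y // block)) % 2 == 0 else 0 for x in range(size)]
            for y in range(size)]


LOGO = block_checkerboard()                     # constructed "genuine" favicon
LOOKALIKE = [row[:] for row in LOGO]
LOOKALIKE[0][5] = 255                           # a phishing kit's lightly edited copy
UNRELATED = [[x * 16 for x in range(16)] for _ in range(16)]  # plain gradient icon

if __name__ == "__main__":
    h_logo, h_fake, h_other = dhash(LOGO), dhash(LOOKALIKE), dhash(UNRELATED)
    print(h_logo, h_fake, hamming(h_logo, h_fake), is_lookalike(h_logo, h_fake))
    print(h_other, hamming(h_logo, h_other), is_lookalike(h_logo, h_other))
```

Pivoting on the hash rather than the file means every site serving a near-identical icon surfaces in one search, and the Hamming distance gives an explicit confidence knob for the brand-abuse query.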
References:
- List of Search Modifiers from GTI Documentation
- Advanced IOC Searches Cheat Sheet PDF
- Advanced IOC Searches Adoption Guide
- Brand Monitoring & Phishing Detection Use Case Examples
- Advanced IOC Searches Blog from Dominic Chua
- Agentic Google Threat Intelligence Prompt For Converting IOC Searches to YARA-X Code
