Google

With the Google Drive Playbook app, you can easily drive investigations and automate actions for folders and files within the Google suite. Easily automate tasks like creating a new directory on Google Drive to store related evidence or artifacts, or copying a document over to store and update during the investigation.

The following actions are available:

• Create Directory – Creates a new directory (folder) in Google Drive.
• Copy File – Copies an existing file into a new directory.

This app can be found in the Dataminr App Catalog under the name: Google Drive

The Investigation Insights – Google Drive integration enables analysts to search Google Drive for documents related to any keywords or indicators. Allowing analysts to quickly traverse through documents in specific knowledge management repositories to see what documents might reference an indicator or a keyword(s).

Examples

Google Drive Data Overview

• Document Preview: When clicking into the details view of the Google Drive integration analysts can get a quick preview of the document and then link back the document in Google Drive.
• Summary Tags: Quickly reference the title of any documents that contain the indicator or keywords that were looked up by Investigation Insights.

The Investigation Insights – Google Gemini integration allows for analysts to ask a question to Gemini and get back an AI driven answer. Allowing analysts to quickly ask Google Gemini questions about anything that they think they want an answer from Googles state of the art AI.

Examples

Google Gemini Data Overview

• Summary Tags: The Google Gemini integration works by asking Gemini a question, the question can be anything as long as it ends in a question mark. When the search comes back the associated summary tag will be the question that was asked.
• AI Response: The response from Gemini will be in the details of the integration. The response is behind a prompt to allow for companies to ensure that the question is appropriate. Once the prompt is accepted then Gemini will respond back in real time. Allow the analysts to quickly see the answer.

From there analysts can interact with Gemini and ask follow up questions and information.

The Investigation Insights – Google Maps integration enabled analysts to quick geolocate information whenever they come across an address or a Lat Long. Enabling them to pull up Google Maps directly to navigate and see the area in question.

Examples

Google Maps Data Overview

• Summary Tags: Quickly know the address of a Lat Long if there is one associated, and know the Lat Long of an Address. Being able to quickly understand the inverse of an address.
• Map: The Investigation Insights Google Maps integration enables analysts to see exactly where the address is on the map, and be able to interact with the map and scroll to see what could be located around the address/lat long.

The Investigation Insights – Google Search integration utilizes the Google Custom Search Engine to search Google for anything that an analyst cares about never having to pivot out to Google to run searches on things.

Please check out the reference links for all the sites the integration utilizes.

For more on Google Custom Search Engines, please see: https://developers.google.com/custom-search/v1/overview

Examples

Google Search Data Overview

• Summary Tags: When an analyst searches information with the Google Search integration they can quickly tell the number of results associated.
• Search Results: If an analyst is interested in learning more about the searches, they can drill into the details and see the results of the searches. They can click on the “View in Browser” button to view the entire search results versus what is in Investigation Insights.

The Investigation Insights – Google Custom Search Engine integration allows analysts to search any custom Google Search Engine they have setup. Allowing analysts to get complete insights into searches that matter to their workflows.

Examples

Google Custom Search Data Overview

• Summary Tags: When searching for things with the Google Custom Search integration analysts will quickly know the number of associated Google search results.
• Results: When drilling into the details of the integration, analysts can quickly see the most popular search results, pivot directly to those or view the entire search.

The Investigation Insights – Google Security Operations integration allows automated queries to the Events, Assets, and IOC Details endpoints in Security Operations’ API from the Investigation Insights user interface. The integration helps analysts quickly triage information from Security Operations to get the full picture of what might be occurring with indicators in their environment.

Examples

Google Security Operations Asset Data Overview

• Summary Tags: When running a search for an indicator in Google Security Operations, analysts quickly understand how many assets are associated with the indicator in your network.
• Asset Information: When drilling into the details of the Google Security Operation integration, analysts will be able to see more details on the assets associated with the indicator searched.

Google Security Operations Event Data Overview

• Summary Tags: When running a search for an indicator in Google Security Operation analysts quickly be able to understand how many events are associated with the indicator in your network.
• Event Details: When drilling into the details of the Google Security Operation integration, analysts will be able to see the events triggered that are associated with the indicator.

The Investigation Insights – Google Translate integration enables analysts to quickly translate any text to a language of their choice. Enabling analysts to quickly get an understanding of what adversaries are doing.

Examples

Google Translate Data Overview

• Summary Tags: Quickly know what language was identified.
• Translated Output: See the output of the text you wanted analyzed by Google Translate.

The Investigation Insights – Google Compute Engine integration gives users the ability to lookup IP addresses and host names for VM instances in your Google Compute Engine infrastructure. The integration supports both internal and external IP lookups, and internal and custom host names. Internal host names must end in .internal and custom host names must end in a public suffix to be recognized.

The integration uses the Google Compute Engine REST API to fetch instance information for the specified project. In order to provide fast lookups on external and internal IP addresses associated with VM Instances as well as both ZonalDNS and custom host names, the integration will cache IP address, host name, and zone information in memory when it first starts. This works by fetching 500 instances at a time from the Google Compute Engine REST API and building an in-memory map of the data which maps IP and hostname to an instance ID and zone. When a lookup request is sent for an IP address or host, the in-memory map is checked for a hit before the full instance details are retrieved through a REST API request.

By default, the integration will refresh the in-memory cache when it is restarted, and then once every 24 hours at midnight. You can adjust this refresh interval by providing your own CRON tab string via the “Instance Cache Update Cron” option.

In addition to custom host names, the integration will also build the internal (local) domain name using Zonal DNS rules. The integration will only search instances that are part of the project associated with the provided service account key

Examples

Google Compute Engine Data Overview

• Summary Tags: When an analyst runs a search with the Google Compute Engine they will immediately be able to know what the server name is and its purpose.
• Server Info: When drilling into the details of the integration the analysts will be able to get more information on the server. From its name to when it was created, what zone it belongs to and its status.
• Labels and Network Info: While in the details of the integration analysts will also be able to get an understanding of any associated labels and the network interfaces. The can get more insights int the access configs and the network IP.
• Tags and Disks: While in the details of the integration analysts will also be able to get an understanding of any associated tags and disk information.

The Investigation Insights – Google Big Query integration enables analysts to quickly run Big Query queries to have a complete picture of the information they are looking for, without having to pivot out to the Google Big Query platform to run the search. Allowing analysts to quickly have the information at their fingertips.

Examples

Data Overview – Google Big Query Searches

• Summary View: When running a search in Google Big Query the summary information that will come back is dependent on what is set up in the Configuration of the integration. Please see the configuration page to determine what information is showing up in the summary view.
• Details View: When drilling into the details, analysts will be able to see the detailed data that was setup by the admin in the configuration page. Analysts can also see the full data return in a table a json format to get a full picture of the information from the data return.