Collection search modifiers
Special privileges required: this feature is only available to users with the Enterprise or Enterprise Plus module.
Google Threat Intelligence allows you to perform advanced faceted searches over the historical set of collections. These searches can act on essentially all the metadata that we generate for collections: name, threat actor, references, URLs, malware role, tags, etc.
If you use the top search bar or the home search bar, Google Threat Intelligence searches by default over the historical collection of files; in order to search over collections you need to add the facet condition entity:collection. For example, let's ask for all those collections that contain more than 5 files and were first submitted after October 17th 2019:
entity:collection files:5+ fs:2019-10-17+
If you use the collection search bar, Google Threat Intelligence searches over the historical set of collections, as in the image below. For example, let's ask for all those collections that contain more than 5 files and were first submitted after October 17th 2019:
Note that you are able to build complex searches combining AND, OR and NOT conditions. For example:
You can directly type these modifiers into the collection search box:
The following table describes all the search modifiers (facets) that can be used; you can combine any number of them:
| Modifier | Description |
| --- | --- |
| available_mitigation | Search for vulnerabilities whose mitigation is the text provided. Only available for Vulnerabilities. Example: entity:collection collection_type:vulnerability available_mitigation:Patch |
| collection_type | Search for the type of the collection. Example: entity:collection collection_type:vulnerability |
| comment_author | Search for collections that have been commented on by the user with the username provided. Example: entity:collection comment_author:68h7EGyNm |
| creation_date | Filter collections based on their creation date. Accepts less-than and greater-than syntax. Examples: entity:collection creation_date:2020-02-10+, entity:collection creation_date:2020-02-10-, entity:collection creation_date:3d- |
| cvss_3x_base_score | Filter vulnerabilities based on their CVSS 3.x base score. Only available for Vulnerabilities. Example: entity:collection collection_type:vulnerability cvss_3x_base_score:6+ |
| cvss_3x_temporal_score | Filter vulnerabilities based on their CVSS 3.x temporal score. Only available for Vulnerabilities. Example: entity:collection collection_type:vulnerability cvss_3x_temporal_score:7- |
| cvss_2x_base_score | Filter vulnerabilities based on their CVSS 2.x base score. Only available for Vulnerabilities. Example: entity:collection collection_type:vulnerability cvss_2x_base_score:7+ |
| cvss_2x_temporal_score | Filter vulnerabilities based on their CVSS 2.x temporal score. Only available for Vulnerabilities. Example: entity:collection collection_type:vulnerability cvss_2x_temporal_score:8- |
| description | Search for collections that have a description containing the word or phrase provided. Example: entity:collection description:IOCs |
| domains | Filter collections based on the number of domains included in the collection. Accepts less-than and greater-than syntax. Example: entity:collection domains:5+ |
| exploitation_consequence | Filter vulnerabilities whose exploitation consequence matches the text provided. Only available for Vulnerabilities. Example: entity:collection collection_type:vulnerability exploitation_consequence:"Denial-of-Service (DoS)" |
| exploitation_state | Filter vulnerabilities whose exploitation state matches the text provided. Only available for Vulnerabilities. Example: entity:collection collection_type:vulnerability exploitation_state:Confirmed |
| exploitation_vector | Filter vulnerabilities whose exploitation vector matches the text provided. Only available for Vulnerabilities. Example: entity:collection collection_type:vulnerability exploitation_vector:Web |
| files | Filter collections based on the number of files included in the collection. Accepts less-than and greater-than syntax. Example: entity:collection files:5+ |
| fs, first_seen | Filter collections based on the first seen date in VirusTotal. Less-than and greater-than syntax is allowed. Examples: entity:collection fs:2019-10-10+, entity:collection fs:2019-10-10- |
| have, has | Search for collections whose report contains information for the selected field; it accepts any of the modifiers described in this article. Example: entity:collection have:comment |
| ips, ip_addresses | Filter collections based on the number of IP addresses included in the collection. Accepts less-than and greater-than syntax. Example: entity:collection ips:5+ |
| last_modification_date, lm | Filter collections based on their last modification date. Less-than and greater-than syntax is allowed. Examples: entity:collection lm:2019-10-10+, entity:collection lm:2019-10-10- |
| ls, last_seen | Filter collections based on the last seen date in VirusTotal. Less-than and greater-than syntax is allowed. Examples: entity:collection ls:2019-10-10-, entity:collection ls:2019-10-10+ |
| merged_actor | Filter threat actors that are associated with the provided group. Only available for Threat Actors. Example: entity:collection collection_type:threat-actor merged_actor:UNC1285 |
| name | Search for collections whose name contains the word or phrase provided. Example: entity:collection name:malware |
| owner | Search for collections that have been created by a specific owner. Example: entity:collection owner:CarlosCabal |
| publisher | Search for reports whose publisher matches the text provided. Example: entity:collection collection_type:report publisher:Google TAG |
| publisher_priority | Filter reports according to the priority score of the publisher. Example: entity:collection collection_type:report publisher_priority:50- |
| publisher_relevance | Filter reports based on the relevance score of the publisher. Only available for Reports. Example: entity:collection collection_type:report publisher_relevance:70- |
| publisher_reliability | Filter reports based on the reliability score of the publisher. Example: entity:collection collection_type:report publisher_reliability:80- |
| references | Filter collections based on the number of references included in the collection. Accepts less-than and greater-than syntax. Example: entity:collection references:5+ |
| report_type | Search for reports whose type matches the text provided. Only available for Google TI Enterprise license or higher. Example: entity:collection collection_type:report report_type:"OSINT article" |
| risk_rating | Filter vulnerabilities whose risk rating matches the text provided. Only available for Vulnerabilities. Example: entity:collection collection_type:vulnerability risk_rating:high |
| shared_with_me | Filter collections that have been shared with me. Example: entity:collection shared_with_me:true |
| sigma_rules | Filter collections based on the number of Sigma rules included in the collection. Accepts less-than and greater-than syntax. Example: entity:collection sigma_rules:5+ |
| software_toolkit | Filter collections that are associated with the software toolkit provided. Only available for Google TI Enterprise license or higher. Example: entity:collection software_toolkit:DCSYNCER |
| source_region | Filter collections that have the given related source region. Accepts the region as a two-letter ISO code. Example: entity:collection source_region:"US" |
| suspected_threat_actor | Filter threat actors that are suspected, but not yet confirmed, to be associated with the provided group. Only available for Threat Actors. Example: entity:collection collection_type:threat-actor suspected_threat_actor:UNC1285 |
| tag | Filter collections according to their tags. Example: entity:collection tag:attachment |
| targeted_industry | Filter collections that have the given related targeted industry. Example: entity:collection targeted_industry:"banking" |
| targeted_industry_group | Filter collections whose targeted_industry belongs to the targeted_industry_group provided. Example: entity:collection targeted_industry_group:"aerospace & defense" |
| targeted_region | Filter collections that have the given related targeted region. Accepts the region as a two-letter ISO code. Example: entity:collection targeted_region:"US" |
| threat_actor | Filter collections that have the given related threat actor. Example: entity:collection threat_actor:"Lazarus Group" |
| threat_actors | Filter collections based on the number of threat actors included in the collection. Accepts less-than and greater-than syntax. Example: entity:collection threat_actors:5+ |
| threat_category | Filter collections whose files have the given related threat category. Example: entity:collection threat_category:"banker" |
| threat_scape | Filter reports whose topic is the provided text. Only available for Reports. Only available for Google TI Enterprise license or higher. Example: entity:collection collection_type:report threat_scape:"Cyber crime" |
| urls | Filter collections based on the number of URLs included in the collection. Accepts less-than and greater-than syntax. Example: entity:collection urls:5+ |
| vulnerable_cpe | Filter vulnerabilities based on the standardized product naming scheme (CPE) provided. Only available for Vulnerabilities. Example: entity:collection collection_type:vulnerability vulnerable_cpe:"2.3:a:siemens:nucleus_readystart:2012.12:::::::*" |
| vulnerable_vendor | Filter vulnerabilities by the vendor with known security flaws provided. Only available for Vulnerabilities. Example: entity:collection collection_type:vulnerability vulnerable_vendor:Adobe |
| vulnerable_product | Filter vulnerabilities by the product with known security flaws provided. Only available for Vulnerabilities. Example: entity:collection collection_type:vulnerability vulnerable_product:"Adobe Reader" |
| yara_rulesets | Filter collections based on the number of YARA rulesets included in the collection. Accepts less-than and greater-than syntax. Example: entity:collection yara_rulesets:5+ |
| malware_role | Filter collections that have the given malware role. Example: entity:collection malware_role:backdoor-botnet |
| motivation | Filter collections that have the given motivation. Example: entity:collection motivation:ideological |
| operating_system | Filter collections whose files are related to the given operating system. Example: entity:collection operating_system:linux |
| detection | Search for collections whose file detections contain the word or phrase provided. Example: entity:collection detection:Trojan |
| capability | Search for collections whose file capabilities contain the word or phrase provided. Example: entity:collection capability:"capture credentials" |
| origin | Search for collections whose report author contains the word or phrase provided. Example: entity:collection origin:"google threat intelligence" |
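The following Python script is an added example and is not code from the Google Threat Intelligence documentation or from Google. It assembles collection search queries from the modifiers in the table above, enforcing the two conventions the page documents: the entity:collection facet must be present when the query is typed into the top or home search bar, and the "value+" / "value-" (greater-than / less-than) suffix only applies to the numeric and date modifiers listed as accepting that syntax. It also lints a hand-typed query for those two mistakes before it is pasted into the search box. The function names, the accepted shapes of range values (numbers, YYYY-MM-DD dates and relative periods such as 3d) and the parenthesised OR grouping are this example's own assumptions; nothing here contacts the service.

```python
"""Offline builder and checker for Google Threat Intelligence collection
search queries.  Added example, not code from the documentation or from
Google: it only produces and inspects query strings using the modifier names
and the "value+" / "value-" convention shown on the page.  Function names, the
range-value grammar and the boolean grouping syntax are assumptions.
"""
from __future__ import annotations

import re
from datetime import date

# Modifiers the page documents as accepting less-than / greater-than syntax.
RANGE_MODIFIERS = frozenset({
    "files", "domains", "urls", "ips", "ip_addresses", "references",
    "threat_actors", "sigma_rules", "yara_rulesets",
    "fs", "first_seen", "ls", "last_seen", "lm", "last_modification_date",
    "creation_date", "cvss_3x_base_score", "cvss_3x_temporal_score",
    "cvss_2x_base_score", "cvss_2x_temporal_score",
    "publisher_priority", "publisher_relevance", "publisher_reliability",
})

# Assumed grammar of a range value: a number, an ISO date, or a relative
# period such as "3d" (from the creation_date example), optionally suffixed.
_RANGE_VALUE = re.compile(r"^(\d+(\.\d+)?|\d{4}-\d{2}-\d{2}|\d+[dwmy])[+-]?$")

# One modifier:value token; quoted values may contain spaces.
_TOKEN = re.compile(r'(\w+):("[^"]*"|\S+)')


def _fmt(value) -> str:
    """Render a value the way the page writes it: dates as YYYY-MM-DD and
    anything containing whitespace wrapped in double quotes."""
    if isinstance(value, date):
        return value.isoformat()
    text = str(value)
    return f'"{text}"' if re.search(r"\s", text) else text


def term(modifier: str, value, op: str = "") -> str:
    """Build one modifier:value term.  `op` is "+" (greater than), "-" (less
    than) or "" (exact match); a suffix is only legal on range modifiers."""
    if op not in ("", "+", "-"):
        raise ValueError(f"op must be '', '+' or '-', got {op!r}")
    if op and modifier not in RANGE_MODIFIERS:
        raise ValueError(f"{modifier} does not accept less/greater-than syntax")
    return f"{modifier}:{_fmt(value)}{op}"


def collection_query(*terms: str) -> str:
    """Prefix the entity:collection facet the page requires when searching
    collections from the top or home search bar.  Adjacent terms are ANDed."""
    return " ".join(("entity:collection",) + terms)


def any_of(*terms: str) -> str:
    """OR-group several terms.  Parenthesised grouping and the literal OR
    keyword are assumptions; the page only states that OR can be combined."""
    return "(" + " OR ".join(terms) + ")"


def negate(t: str) -> str:
    """Prefix a term with NOT (same assumption about the literal keyword)."""
    return f"NOT {t}"


def check_query(query: str) -> list[str]:
    """Lint a hand-typed query.  Returns a list of problems (empty if none):
    missing entity:collection facet, a +/- suffix on a modifier that does not
    accept ranges, or a range value that does not match the assumed grammar."""
    problems: list[str] = []
    if "entity:collection" not in query:
        problems.append("missing entity:collection facet")
    for mod, raw in _TOKEN.findall(query):
        if mod in RANGE_MODIFIERS:
            if not _RANGE_VALUE.match(raw):
                problems.append(f"{mod}: malformed range value {raw!r}")
        elif raw.endswith(("+", "-")) and not raw.startswith('"'):
            problems.append(f"{mod}: +/- suffix but {mod} is not a range modifier")
    return problems


if __name__ == "__main__":
    # The page's own example: more than 5 files, first seen after 2019-10-17.
    print(collection_query(term("files", 5, "+"),
                           term("fs", date(2019, 10, 17), "+")))
    # Vulnerabilities scoring 6 or more on CVSS 3.x that affect Adobe Reader.
    print(collection_query(term("collection_type", "vulnerability"),
                           term("cvss_3x_base_score", 6, "+"),
                           term("vulnerable_product", "Adobe Reader")))
    # Either of two tags, excluding reports from a given publisher.
    print(collection_query(any_of(term("tag", "attachment"), term("tag", "phishing")),
                           negate(term("publisher", "Google TAG"))))
    print(check_query("entity:collection files:5+ fs:2019-10-17+"))
    print(check_query("files:many+ tag:attachment-"))
```

The checker is deliberately conservative: it flags a trailing `+` or `-` on a non-range modifier because that is the most common way a range filter silently turns into a literal string match, but it cannot know whether the service would reject the value, so treat its output as a pre-flight hint rather than a validation of what the search backend accepts.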
