Collection search modifiers

🚧

Special privileges required

This feature is only available to users with the Enterprise or Enterprise Plus module.

Google Threat Intelligence allows you to perform advanced faceted searches over the historical set of collections. These searches can act on basically all the metadata that we generate for collections: name, threat actor, references, urls, malware role, tags, etc.

If you use top search bar or home search bar, Google Threat Intelligence searches by default over the historical collection of files, in order to search over collections you need to add the facet condition entity:collection. For example, let's ask for all those collections that contains more than 5 files and were first submitted after October 17th 2019:

entity:collection files:5+ fs:2019-10-17+

If you use collection search bar, Google Threat Intelligence searches over the historical set of collections, as the image below. For example, let's ask for all those collections that contains more than 5 files and were first submitted after October 17th 2019:

files:5+ fs:2019-10-17+

Note that you're able to build complex searches combining AND, OR and NOT conditions. For example:

(entity:collection AND files:5+ AND fs:2019-10-17+) AND (threat_actor:apt29 OR threat_actor:"mummy spider")

You can directly type these modifiers on the collection search box:

Collection Search Modifiers search box

The following table describes all the search modifiers (facets) that can be used, you can combine any number of them:

comment:Search for collections that have a VirusTotal Community comment containing the word or phrase provided.
Example: entity:collection comment:IOCs
comment_author:Search for collections that have been commented by the user with the username provided.
Example: entity:collection comment_author:68h7EGyNm
creation_dateFilter collections based on its creation date. Accepts less than and greater than syntax.
Examples: entity:collection creation_date:2020-02-10+entity:collection creation_date:2020-02-10-, entity:collection creation_date:3d-
description:Search for collections that have a description containing the word or phrase provided.
Example: entity:collection description:IOCs
domains:Filter collections based on the number of domains included on the collection. Accepts less than and greater than syntax.
Examples: entity:collection domains:5+
files:Filter collections based on the number of files included on the collection. Accepts less than and greater than syntax.
Examples: entity:collection files:5+
fs:Filter collections based on the first seen date in VirusTotal. Note that less than and greater than syntax is allowed.
Examples: entity:collection fs:2019-10-10+, entity:collection fs:2019-10-10-
have:
has:
Allows you to fix a condition that the collection's indexed metadata should meet, it accepts any of the modifiers above and it means that the domain should have data for a given modifier.
Example: entity:collection have:comment
ips:
ip_addresses:
Filter collections based on the number of ip addresses included on the collection. Accepts less than and greater than syntax.
Examples: entity:collection ips:5+
last_modification_date:
lm:
Filter collections based on the last modification date. Note that less than and greater than syntax is allowed.
Examples: entity:collection lm:2019-10-10+ , entity:collection lm:2019-10-10-
ls:Filter collections based on the last seen date in VirusTotal. Note that less than and greater than syntax is allowed.
Examples: entity:collection ls:2019-10-10-, entity:collection ls:2019-10-10+
name:Search for collections whose name containing the word or phrase provided.
Example: entity:collection name:malware
owner:Search for collections that have a VirusTotal Community comment containing the word or phrase provided.
Example: entity:collection owner:Malpedia
references:Filter collections based on the number of references included on the collection. Accepts less than and greater than syntax.
Examples: entity:collection references:5+
sigma_rules:Filter collections based on the number of sigma rules included on the collection. Accepts less than and greater than syntax.
Examples: entity:collection sigma_rules:5+
sponsor_region:Filter collections which have that related sponsor regions. Accept the region in ISO code 2 format
Example: entity:collection sponsor_region:"US"
source_region:Filter collections which have that related source regions. Accept the region in ISO code 2 format
Example: entity:collection source_region:"US"
tagFilter collections according to their tags.
Example: entity:collection tag:attachment
targeted_industry:Filter collections which have that related targeted industry. Accept the region in ISO code 2 format
Example: entity:collection targeted_industry:"banking"
targeted_region:Filter collections which have that related targeted regions. Accept the region in ISO code 2 format
Example: entity:collection targeted_region:"US"
threat_actor:Filter collections which have that related threat actor.
Example: entity:collection threat_actor:"Lazarus Group"
threat_actors:Filter collections based on the number of threat actors included on the collection. Accepts less than and greater than syntax.
Examples: entity:collection threat_actors:5+
threat_category:Filter collections which have that related threat category associated to the files in the collection. Accept the region in ISO code 2 format
Example: entity:collection threat_category:"banker"
urls:Filter collections based on the number of urls included on the collection. Accepts less than and greater than syntax.
Examples: entity:collection urls:5+
yara_rulesets:Filter collections based on the number of yara rulesets included on the collection. Accepts less than and greater than syntax.
Examples: entity:collection yara_rulesets:5+
malware_role:Filter collections which have that malware role.
Example: entity:collection malware_role:backdoor-botnet
merged_actor:Filter collections which have that malware role.
Example: entity:collection merged_actor:unc1285
motivation:Filter collections which have that motivation.
Example: entity:collection motivation:ideological
operating_system:Filter collections which have operating system related to their files.
Example: entity:collection operating_system:linux
detection:Search for collections whose detections associated to the files containing the word or phrase provided.
Example: entity:collection detection:Trojan
capability:Search for collections whose capabilities associated to the files containing the word or phrase provided.
Example: entity:collection detection:"capture credentials"
origin:Search for collections whose report author containing the word or phrase provided.
Example: entity:collection origin:"google threat intelligence"
attributionSearch for ollections by malware family based on the verdicts provided by the data sources available in VirusTotal. Attribution can be of 3 types: malwares , actors or campaigns
Example: entity:collection attribution:nearmiss