IoC Collections

A collection is a live report that contains a title, a group of IoCs (file hashes, URLs, domains and IP addresses) and an optional description. Collections are open to our Google Threat Intelligence Community (registered users) and are enhanced with Google Threat Intelligence analysis metadata, which provides the latest information we have for the IoCs, along with some aggregated tags.

Collection creation


Create an empty collection.

You can create a collection through the home view by clicking on the "Smart Search" button as shown below:

Link to create a collection

You need to add a name, a list of IoCs (file hashes, URLs, domains and IP addresses) and then click on Create collection.

Collection Details

Create collection from a list of IOCs.

You can create a collection directly from a list of IOCs on a result page: click on "Tools", then "Add to Collection", then "Add to a new collection".

Collection creation from IOCs

New Collection creation from IOCs

Collection report


After your collection is created, you'll see a report that looks like this.

Collection Report

We've numbered the elements in the screenshot above for easy reference. They are:

  1. You can share the collection permanent link or post it to Twitter.
  2. The collection provides exporting capabilities in STIX, JSON and CSV formats.
  3. Open the IOCs in a VT Graph.
  4. You can add more IOCs.
  5. Delete the collection.
  6. Edit IOCs of a specific type: you can add more IOCs or delete selected ones.
  7. You can sort the IOCs by Creation date, Last update date or Detections.
  8. You can search for IOCs of a specific type to filter the results.
  9. You can export IOCs of a specific type in STIX, JSON and CSV formats. You can also copy them to the clipboard. For files, you can Download a selection of them.
  10. Different Tools depending on the IOC type: Send to VT Diff, Open in VT Graph or Calculate commonalities.

Add more IOCs directly from a result page.

When you get a list of IOCs as a result page, you can select some or all of them and add them to an already existing collection.

  • Check the IOCs you want to add
  • Click on Tools
  • Click on Add to collection
  • Select the collection you want these IOCs to be added to.

Add IOCs to collections

Add IOCs to collection selected

Own Collection Dashboard


Users can see their created collections in their profile page, as they currently do for graphs and comments.

Collections Dashboard

Collections Visibility


You can set the visibility of your collections to one of the following:

  • Public
  • Shared with your Org
  • Private (only you see the collection)
  • Custom visibility (shared with specific users or groups)

Note that only collection owners can change the visibility.

Setting collections visibility

On creation

You can change the visibility when creating a collection using this dropdown at the bottom of the creation dialog:

Collections X Integration

From collection report

Custom visibility, if you require it, can only be set from the collection report, by clicking the share icon on your collection:

Collections share button

As you can see, you can control which users / groups you set as editors / viewers, and also set the private / public status of the collection, which gives the collection owner full control over visibility.

Collections Custom Visibility

Collaborator types

Collaborators can be groups or users playing one of the following roles:

  • Viewer: Can see the collection, but cannot modify it.
  • Editor: Can see the collection, and also add / delete IoCs and edit the description.

Collaborators cannot delete collections, nor modify the visibility. Only the owner can perform those actions.

Public collections

All public collections are available in VT under the community section of Google Threat Intelligence reports, and also in the Threat Landscape section. This way our users benefit from other analysts' investigations.

Collections Visibility on reports

X Integration

The security community is very active on X, using it to promote its investigations. Public Collections can be shared on X using the share link in the collections report header:

Collections X Integration

The VT Collection report shows the following card on X.

Collections X Integration Card

Collections shared with my org

This means the Org is added as a viewer, and any user in your VT group can see the collection (but not edit it).

Private collections

Private collections are only visible to the owner or the users in your VirusTotal group. Typically, this is used for work-in-progress collections, which may later be shared with the desired scope. Check the Collections Visibility section for more details on how to create a private collection.

On quota exceeded


Public users have a quota of 20 Collections per month. If you reach the limit, you will see the following message.

Collections Quota exceeded message

API Usage


As usual, most of the functionality is also available through our API v3, with the exception of the exporting feature, which is still only available on our web interface. You can check the API documentation in our API Reference page.
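
For the API route mentioned above, the following added example (not from the original page or the product's own code) refangs and classifies a pasted IoC list into the four types a collection holds, then builds a collection-creation request body. The JSON field and relationship names are assumptions about the API v3 object layout and should be checked against the API Reference; the sample values are constructed.

```python
import ipaddress
import json
import re

# Relationship name -> object type: assumed API v3 names, verify in the API Reference.
KINDS = {"files": "file", "urls": "url", "domains": "domain", "ip_addresses": "ip_address"}
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)  # MD5/SHA-1/SHA-256
URL_RE = re.compile(r"^https?://[^\s/]+", re.I)
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
SAMPLE = [  # constructed input: defanged values, a case-variant duplicate, one junk line
    "D41D8CD98F00B204E9800998ECF8427E", "d41d8cd98f00b204e9800998ecf8427e",
    "hxxp://example[.]com/login", "example[.]com", "203.0.113[.]7", "not an ioc",
]

def refang(ioc):
    """Undo common defanging (hxxp, [.]) used when IoCs are shared as text."""
    return re.sub(r"^hxxp", "http", ioc.strip().replace("[.]", "."), flags=re.I)

def classify(ioc):
    """Return the relationship name for one IoC, or None if it is not recognised."""
    if HASH_RE.match(ioc):
        return "files"
    if URL_RE.match(ioc):
        return "urls"
    if DOMAIN_RE.match(ioc):
        return "domains"
    try:
        ipaddress.ip_address(ioc)  # accepts IPv4 and IPv6
        return "ip_addresses"
    except ValueError:
        return None

def build_collection(name, description, raw_iocs):
    """Group IoCs by type; return (request body, rejected entries)."""
    groups, rejected = {}, []
    for ioc in map(refang, raw_iocs):
        kind = classify(ioc)
        if kind is None:
            rejected.append(ioc)  # surface junk instead of silently dropping it
            continue
        key, value = ("url", ioc) if kind == "urls" else ("id", ioc.lower())
        entry = {"type": KINDS[kind], key: value}
        if entry not in groups.setdefault(kind, []):  # de-duplicate
            groups[kind].append(entry)
    attrs = {"name": name, "description": description}
    rels = {kind: {"data": items} for kind, items in groups.items()}
    return {"data": {"type": "collection", "attributes": attrs, "relationships": rels}}, rejected

if __name__ == "__main__":
    print(json.dumps(build_collection("Constructed demo", "Added example", SAMPLE), indent=2))
```

Reviewing the rejected list before submitting keeps malformed entries out of a collection that may later be made public or shared with your Org.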