IoC Collections
A collection is a live report which contains a title, a group of IoCs (file hashes, URLs, domains and IP addresses) and an optional description. Collections are open to our Google Threat Intelligence Community (registered users) and they will be enhanced with Google Threat Intelligence analysis metadata providing the latest information we have for the IoCs, along with some aggregated tags.
Collection creation
You can create a collection through the home view by clicking on the "Smart Search" button as shown below:
You need to add a name, a list of IoCs (file hashes, URLs, domains and IP addresses) and then click on Create collection.
Collection report
After your collection is created, you'll see a report that looks like this.
We've numbered the elements in the screenshot above for easy reference. They are:
- You can share the collection permanent link or post it to Twitter.
- The collection provides exporting capabilities in STIX, JSON and CSV formats.
- Open the IOCs in an VT Graph.
- You can more IOCs.
- Delete the collection.
- Edit IOCs of an specific type: you can add more IOCs or delete selected ones.
- You can sort the IOCs by Creation date, Last update date or Detections.
- You can search for IOCs of an specific type to filter the results.
- You can export IOCs of an specific type in STIX, JSON and CSV formats. You can also copy to clipboard. For files you can Download a selection of them.
- Different Tools depending on the IOC type: Send to VT Diff, Open in VT Graph or Calculate commonalities.
Own Collection Dashboard
Users can see their created collections in their profile page, as they currently do for graphs and comments.
Collections Visibility
You can set the visibility of your collections so they can be stablished as:
- Public
- Shared with your Org
- Private (only you see the collection)
- Custom visibility (shared with specifics users or groups)
Note only collection owners can change the visibility.
Setting collections visibility
On creation
You can change the visibility when creating a collection using this dropdown in the bottom of the creation dialog:
From collection report
This is the only way you can set custom visibility, if you require it, by clicking in the share icon on your collection:
As you can see, you can control the users / groups you stablish as editors / viewers, also set the private / public status of the collection, so this gives the collections owner full control on visibility.
Collaborator types
Collaborators can be groups or users playing one of the following roles:
- Viewer: Can see the collection, but cannot modify
- Editor: Can see the collection, also add / delete IoCs and description.
Collaborators cannot delete collections, neither modify the visibility. Only the owner can perform those actions.
Public collections
All public collections are available in VT under the community section of Google Threat Intelligence reports, also the Threat Landscape section. This way our users benefit from other analysis investigations.
X Integration
Security community is very active using X to promote their investigations. Public Collections can be shared on X using the share link in the collections report header:
The VT Collection report shows the following card on X.
Collections shared with my org
That means the Org is added as viewer, and any user in your VT group can see the collection (but not edit).
Private collections
Those collections are only visible by the owner. Typically, this is used for work-in-progress collections, then these collections may be shared with the desired scope.
On quota exceeded
Public users will have a quota of 20 Collections per month, if you reach the limit you would find the following message.
API Usage
As usual we have also most of the functionality available using our API v3 , in this case with the exception of the exporting feature that is still only available on our web interface. You can check the API documentation in our API Reference page.
Updated 5 months ago