Special privileges required
Threat Actors and Campaigns are only available to users with the Google Threat Intelligence (Google TI) Enterprise or Enterprise Plus licenses.
This endpoint searches and filters Threat Intelligence objects. It returns a list of Threat objects, each carrying a `collection_type` attribute with one of the following values:

- `collection`: Collections of Indicators of Compromise grouped by their observed usage in the wild in malicious campaigns or by their association with specific malware families. These are OSINT and curated objects: created by our users, by certain trusted partners and security researchers, automatically from Reports published by the cybersecurity community, or by our Google TI experts.
- `threat-actor`: Curated information on Threat Actors, published by the Google TI experts tracking them or by certain trusted partners and security researchers.
- `malware-family`: Curated information on malware families, provided by our Google TI experts and certain trusted partners and security researchers.
- `software-toolkit`: Curated information on malicious software or toolkits used in threat campaigns, provided by our Google TI experts.
- `campaign`: Curated information on threat campaigns, provided by our Google TI experts.
Search observations:

- If you don't filter by `collection_type`, this endpoint returns a single list of all objects matching the filters, of any of the following types grouped together: Vulnerabilities, Reports, Threat Actors, Malware families, Software or Toolkits, Campaigns or IoC Collections.
- Filter values are case-insensitive.
- Several filters can be combined for a more complex and specific search.
- Boolean operators can be used in more complex searches: `AND`, `OR`, `NOT`.
- Quotes are needed for filter values containing spaces: `description:"Phishing campaign"`.
- Wildcards (`*`) can be used for partial matches: `name:Ransom*`.
- Date filter formats: `YYYY-MM-DD`, `YYYY-MM-DDTHH-mm-ss`.
- Relative date formats: `60d` (days), `10m` (minutes).
- Date ranges are expressed with a trailing `+` (after that date) or `-` (before that date): `last_modification_date:7d+` (modified within the last 7 days), `creation_date:2024-01-01-` (created before 2024-01-01).
Allowed filters by object `collection_type`:

filter | collection | threat-actor | malware-family | software-toolkit | campaign | filter description |
---|---|---|---|---|---|---|
Open search | ✓ | ✓ | ✓ | ✓ | ✓ | Text without modifiers, matched against the object's name or description |
name | ✓ | ✓ | ✓ | ✓ | ✓ | Object's name |
description | ✓ | ✓ | ✓ | ✓ | ✓ | Object's description |
creation_date | ✓ | ✓ | ✓ | ✓ | ✓ | Object's creation date |
last_modification_date | ✓ | ✓ | ✓ | ✓ | ✓ | Object's last modification date |
origin | ✓ | ✓ | ✓ | ✓ | ✓ | Object's origin. Available options: Partner (objects curated by trusted partners and security researchers), Crowdsourced (OSINT objects from the community) or Google Threat Intelligence (objects curated by our Google TI experts) |
owner | ✓ | ✓ | ✓ | ✓ | ✓ | Owner's username |
suspected_threat_actor | | ✓ | | | | Threat actor suspected to be part of a larger group |
merged_actor | | ✓ | | | | Threat actors confirmed to be part of a larger group |
motivation | ✓ | ✓ | | | | Motivations of threat actors and of the campaigns behind an IoC collection |
source_region | ✓ | ✓ | | | ✓ | Region from which the threat actor, campaign or IoC collection's campaign is known to originate |
targeted_region | ✓ | ✓ | | | ✓ | Region targeted by a specific campaign, threat actor or IoC collection's malicious activity |
targeted_industry | ✓ | ✓ | ✓ | ✓ | ✓ | Industry targeted by a specific campaign, malware family, software or toolkit, threat actor or IoC collection's malicious activity |
targeted_industry_group | ✓ | ✓ | ✓ | ✓ | ✓ | Group of industries targeted by a specific campaign, malware family, software or toolkit, threat actor or IoC collection's malicious activity |
capability | | ✓ | ✓ | | | Capabilities of the files associated with a threat actor or malware family |
operating_system | | | ✓ | ✓ | | Operating system affected by a malware family or a software or toolkit |
detection | | | ✓ | ✓ | | Detections of the files associated with a malware family or a software or toolkit |
malware_role | | | ✓ | ✓ | | Malware role associated with the object |
software_toolkit | ✓ | ✓ | ✓ | | ✓ | Name of a Software or Toolkit associated with the object |
shared_with_me | ✓ | | | | | Private IoC Collection objects shared with me or my group |
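The quoting, wildcard, boolean and date-range rules above, plus the per-type filter matrix, are easy to get wrong when a query is assembled from user input. The helper below is an added example (not Google TI's own code): `ALLOWED_FILTERS` transcribes the table, and `build_filter`, `is_allowed`, `quote_value` and `any_of` are hypothetical helper names that validate a query against the table and quote values before the request is sent.

```python
import re

# Added example, not Google TI's own code. ALLOWED_FILTERS transcribes the
# table above; the helper names below are hypothetical.
COLLECTION_TYPES = {"collection", "threat-actor", "malware-family",
                    "software-toolkit", "campaign"}
_ALL = frozenset(COLLECTION_TYPES)
ALLOWED_FILTERS = {
    "name": _ALL, "description": _ALL, "creation_date": _ALL,
    "last_modification_date": _ALL, "origin": _ALL, "owner": _ALL,
    "targeted_industry": _ALL, "targeted_industry_group": _ALL,
    "suspected_threat_actor": {"threat-actor"},
    "merged_actor": {"threat-actor"},
    "motivation": {"collection", "threat-actor"},
    "source_region": {"collection", "threat-actor", "campaign"},
    "targeted_region": {"collection", "threat-actor", "campaign"},
    "capability": {"threat-actor", "malware-family"},
    "operating_system": {"malware-family", "software-toolkit"},
    "detection": {"malware-family", "software-toolkit"},
    "malware_role": {"malware-family", "software-toolkit"},
    "software_toolkit": {"collection", "threat-actor", "malware-family", "campaign"},
    "shared_with_me": {"collection"},
}

# Absolute (YYYY-MM-DD or YYYY-MM-DDTHH-mm-ss) or relative (60d, 10m) date,
# with an optional trailing + / - range marker.
_DATE_RE = re.compile(r"^(?:\d{4}-\d{2}-\d{2}(?:T\d{2}-\d{2}-\d{2})?|\d+[dm])[+-]?$")


def is_allowed(field: str, collection_type: str) -> bool:
    """True if the table permits `field` for this collection_type."""
    return collection_type in ALLOWED_FILTERS.get(field, ())


def quote_value(value: str) -> str:
    """Double-quote values containing spaces (description:"Phishing campaign");
    leave everything else untouched so wildcards (Ransom*) and ranges (7d+) survive."""
    if " " in value and not (len(value) > 1 and value[0] == value[-1] == '"'):
        return '"' + value.replace('"', '\\"') + '"'
    return value


def any_of(field: str, *values: str) -> str:
    """OR-group over one field, e.g. (motivation:espionage OR motivation:financial)."""
    return "(" + " OR ".join(f"{field}:{quote_value(v)}" for v in values) + ")"


def build_filter(collection_type: str, terms, free_text: str = None) -> str:
    """Assemble a filter string for GET /api/v3/collections.

    `terms` holds (field, value) pairs, or raw strings for pre-built boolean
    groups such as any_of(...) or "NOT owner:someone". Fields the table does
    not allow for this collection_type and malformed dates are rejected here,
    before an API call (and a quota unit) is spent on a bad query.
    """
    if collection_type not in COLLECTION_TYPES:
        raise ValueError(f"unknown collection_type {collection_type!r}")
    parts = [f"collection_type:{collection_type}"]
    if free_text:  # open search: matched against name or description
        parts.append(quote_value(free_text))
    for term in terms:
        if isinstance(term, str):
            parts.append(term)
            continue
        field, value = term
        if field not in ALLOWED_FILTERS:
            raise ValueError(f"unknown filter {field!r}")
        if not is_allowed(field, collection_type):
            raise ValueError(f"{field!r} is not allowed for collection_type {collection_type!r}")
        if field.endswith("_date") and not _DATE_RE.match(value):
            raise ValueError(f"malformed date {value!r} for {field!r}")
        parts.append(f"{field}:{quote_value(value)}")
    return " ".join(parts)
```

The returned string is what goes into the `filter` query parameter; it still has to be percent-encoded (`urllib.parse.quote`) before being placed in the URL, as the examples further down do.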
Allowed orders (append `+` for ascending or `-` for descending):

- `order:name+` / `order:name-`: sorts objects alphabetically by name, ascending (`+`) or descending (`-`).
- `order:creation_date-` (default) / `order:creation_date+`: most recently created objects first (`-`), or oldest objects first (`+`).
- `order:last_modification_date-` / `order:last_modification_date+`: most recently modified objects first (`-`), or least recently modified objects first (`+`).
- `order:lookups_trend-` / `order:lookups_trend+`: sorts by the trend of daily distinct-user lookups over the object's IoCs in the last 14 days.
- `order:submissions_trend-` / `order:submissions_trend+`: sorts by the trend of daily distinct-user submissions of the object's IoCs in the last 14 days.
- `order:relevance-` / `order:relevance+`: sorts by the object's relevance; `-` returns the most relevant objects first.
- `order:exploitation_state+` / `order:exploitation_state-`: sorts by the exploitation state of the vulnerability (meaningful for Vulnerability objects).
- `order:risk_rating+` / `order:risk_rating-`: sorts by the risk rating of the vulnerability (meaningful for Vulnerability objects).
Examples
Get the list of all Threat, Report and Vulnerability objects created in the last week. Note that this first example does not use the `collection_type` filter, unlike the rest of the examples.

```python
import requests
import urllib.parse

filters = "creation_date:7d+"
url = f"https://www.virustotal.com/api/v3/collections?filter={urllib.parse.quote(filters)}"
headers = {"accept": "application/json", "x-apikey": "<api-key>"}  # your Google TI API key
response = requests.get(url, headers=headers)
response.raise_for_status()
results = response.json()
```
Get the list of all private IoC collections that are shared with me or my Google TI group (`my_user_id` is a placeholder for your own username).

```python
import requests
import urllib.parse

filters = "collection_type:collection (shared_with_me:true or owner:my_user_id)"
url = f"https://www.virustotal.com/api/v3/collections?filter={urllib.parse.quote(filters)}"
headers = {"accept": "application/json", "x-apikey": "<api-key>"}  # your Google TI API key
response = requests.get(url, headers=headers)
response.raise_for_status()
results = response.json()
```
Get the list of all IoC Collections describing espionage-motivated malicious activity targeting the Canadian government.

```python
import requests
import urllib.parse

filters = "collection_type:collection motivation:espionage targeted_industry:government targeted_region:CA"
url = f"https://www.virustotal.com/api/v3/collections?filter={urllib.parse.quote(filters)}"
headers = {"accept": "application/json", "x-apikey": "<api-key>"}  # your Google TI API key
response = requests.get(url, headers=headers)
response.raise_for_status()
results = response.json()
```
Get the list of all Russian, financially motivated Threat Actors utilizing backdoors in their attacks, sorted by relevance (most relevant first).

```python
import requests
import urllib.parse

filters = "collection_type:threat-actor motivation:financial source_region:RU threat_category:backdoor"
order = "relevance-"
url = f"https://www.virustotal.com/api/v3/collections?filter={urllib.parse.quote(filters)}&order={urllib.parse.quote(order)}"
headers = {"accept": "application/json", "x-apikey": "<api-key>"}  # your Google TI API key
response = requests.get(url, headers=headers)
response.raise_for_status()
results = response.json()
```
Get the list of all Malware families curated by the Google TI specialists, targeting the Linux operating system and whose information was updated in the last 60 days, sorted by last modification date (most recently modified first).

```python
import requests
import urllib.parse

filters = "collection_type:malware-family operating_system:linux owner:'Google Threat Intelligence' last_modification_date:60d+"
order = "last_modification_date-"
url = f"https://www.virustotal.com/api/v3/collections?filter={urllib.parse.quote(filters)}&order={urllib.parse.quote(order)}"
headers = {"accept": "application/json", "x-apikey": "<api-key>"}  # your Google TI API key
response = requests.get(url, headers=headers)
response.raise_for_status()
results = response.json()
```
Get the list of all Software or Toolkits targeting the Windows operating system which are backdoors used in botnets, sorted by relevance with the most relevant objects first.

```python
import requests
import urllib.parse

filters = "collection_type:software-toolkit operating_system:windows detection:backdoor malware_role:botnet"
order = "relevance-"
url = f"https://www.virustotal.com/api/v3/collections?filter={urllib.parse.quote(filters)}&order={urllib.parse.quote(order)}"
headers = {"accept": "application/json", "x-apikey": "<api-key>"}  # your Google TI API key
response = requests.get(url, headers=headers)
response.raise_for_status()
results = response.json()
```
Get the list of all Campaigns targeting China whose name or description mentions the word "ransomware", sorted ascending by last modification date. Note that the `+` in the order value must be percent-encoded; sent raw in a query string it would be decoded as a space.

```python
import requests
import urllib.parse

filters = "collection_type:campaign (name:ransomware or description:ransomware) targeted_region:CN"
order = "last_modification_date+"
url = f"https://www.virustotal.com/api/v3/collections?filter={urllib.parse.quote(filters)}&order={urllib.parse.quote(order)}"
headers = {"accept": "application/json", "x-apikey": "<api-key>"}  # your Google TI API key
response = requests.get(url, headers=headers)
response.raise_for_status()
results = response.json()
```
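The examples above each fetch a single page. For triage work you usually want every match, with the quota errors this endpoint returns under load handled rather than crashing the script. The following is an added example, not Google TI's own code: it assumes the standard v3 list response shape (a `data` array and `links.next` pointing at the following page), which this page does not spell out, and injects the HTTP call through a hypothetical `fetch(url) -> (status, body)` callable so the paging and retry logic can be exercised offline. `iter_search`, `build_url`, `requests_fetch`, `summarize` and the `GTI_API_KEY` environment variable are names chosen for this example.

```python
import time
import urllib.parse

# Added example, not Google TI's own code. Assumes the v3 list response shape
# (a `data` array plus `links.next` for the following page); all names here
# are hypothetical.
BASE_URL = "https://www.virustotal.com/api/v3/collections"


def build_url(filters: str, order: str = None) -> str:
    """Percent-encode both parameters: a raw '+' in order=...+ would otherwise
    be decoded as a space by the server."""
    url = f"{BASE_URL}?filter={urllib.parse.quote(filters)}"
    if order:
        url += f"&order={urllib.parse.quote(order)}"
    return url


def requests_fetch(api_key: str):
    """Real transport: returns fetch(url) -> (status_code, json_body)."""
    import requests

    def fetch(url):
        resp = requests.get(url, headers={"accept": "application/json",
                                          "x-apikey": api_key}, timeout=30)
        return resp.status_code, (resp.json() if resp.content else {})
    return fetch


def iter_search(filters, fetch, order=None, max_pages=50, max_retries=3, backoff=1.0):
    """Yield every object across result pages.

    HTTP 429 (quota exhausted) is retried with exponential backoff; any other
    non-200 status raises. Iteration stops when a page carries no links.next
    or when max_pages has been fetched, so a broad filter cannot run away.
    """
    url = build_url(filters, order)
    for _ in range(max_pages):
        status, body = 0, {}
        for attempt in range(max_retries + 1):
            status, body = fetch(url)
            if status != 429 or attempt == max_retries:
                break
            time.sleep(backoff * (2 ** attempt))
        if status != 200:
            raise RuntimeError(f"HTTP {status} for {url}: {body.get('error')}")
        yield from body.get("data", [])
        url = body.get("links", {}).get("next")
        if not url:
            return


def summarize(objects):
    """Rows of (id, collection_type, name) for a quick triage table."""
    return [(o.get("id"),
             o.get("attributes", {}).get("collection_type"),
             o.get("attributes", {}).get("name")) for o in objects]


if __name__ == "__main__":
    import os
    fetch = requests_fetch(os.environ["GTI_API_KEY"])  # assumed env var name
    query = "collection_type:campaign targeted_region:CN"
    for row in summarize(iter_search(query, fetch, order="last_modification_date+")):
        print(row)
```

Keep `max_pages` low when exploring a new filter: every page costs quota, and an over-broad `Open search` term can match thousands of objects.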