Search IoCs inside a threat

Special privileges required

Threat Actors and Campaigns are only available to users with the Google Threat Intelligence (Google TI) Enterprise or Enterprise Plus licenses.

Searches for IoCs inside a threat object (threat actor, campaign, malware & tool, or IoC collection) using advanced intelligence queries.

The expected input is the same as for /intelligence/search. By default the endpoint searches files; to search other entity types, add the entity:domain, entity:ip or entity:url modifier to the query.

Examples

Search for IoCs related to a threat actor that meet certain conditions.

import requests

object_id = "threat-actor--bcaaad6f-0597-4b89-b69b-84a6be2b7bc3"
query = "tag%3Aexploit"  # URL-encoded form of the intelligence query "tag:exploit"
attributes = "name"
limit = "2"
url = f"https://www.virustotal.com/api/v3/collections/{object_id}/search?query={query}&limit={limit}&attributes={attributes}"
headers = {"accept": "application/json", "x-apikey": "<api-key>"}  # replace <api-key> with your Google TI API key
response = requests.get(url, headers=headers)
print(response.json())

Search for IoCs related to a malware or toolkit that meet certain conditions.

import requests

object_id = "malware--350aa703-7750-5e07-997b-476375955828"
query = "p%3A5+"  # URL-encoded form of the intelligence query "p:5+" (5 or more detections)
attributes = "name"
limit = "2"
url = f"https://www.virustotal.com/api/v3/collections/{object_id}/search?query={query}&limit={limit}&attributes={attributes}"
headers = {"accept": "application/json", "x-apikey": "<api-key>"}  # replace <api-key> with your Google TI API key
response = requests.get(url, headers=headers)
print(response.json())

Search for IoCs related to a campaign that meet certain conditions.

import requests

object_id = "campaign--24f96f40-b2fa-512c-b1da-2f22a949d12d"
query = "have%3Ayara_rules"  # URL-encoded form of the intelligence query "have:yara_rules"
attributes = "name"
limit = "2"
url = f"https://www.virustotal.com/api/v3/collections/{object_id}/search?query={query}&limit={limit}&attributes={attributes}"
headers = {"accept": "application/json", "x-apikey": "<api-key>"}  # replace <api-key> with your Google TI API key
response = requests.get(url, headers=headers)
print(response.json())

Search for IoCs related to an IoC collection that meet certain conditions.

import requests

object_id = "alienvault_64edfc5ab93abb1407070292"
query = "have%3Asigma_rules"  # URL-encoded form of the intelligence query "have:sigma_rules"
attributes = "name"
limit = "2"
url = f"https://www.virustotal.com/api/v3/collections/{object_id}/search?query={query}&limit={limit}&attributes={attributes}"
headers = {"accept": "application/json", "x-apikey": "<api-key>"}  # replace <api-key> with your Google TI API key
response = requests.get(url, headers=headers)
print(response.json())
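The examples above hand-encode the query and hard-code it per threat type. The following is an added helper, not part of this documentation or the Google TI client libraries, that builds the same URL from a plain query, applies the entity: modifier for non-file searches, and flattens the response. It uses only the standard library; the response shape (a `data` list of objects with `type`, `id` and `attributes`) and the sample payload are assumptions made for offline use.

```python
import json
import urllib.parse
import urllib.request

API_BASE = "https://www.virustotal.com/api/v3"  # same base URL as the examples above


def build_search_url(object_id, query, entity=None, limit=10, attributes="name"):
    """Build the collection search URL from a plain query such as "tag:exploit".
    urlencode does the percent-encoding written by hand above. The endpoint
    searches files by default, so a non-file entity (domain, ip, url) is added
    as an entity: modifier in front of the query."""
    if entity is not None:
        if entity not in ("domain", "ip", "url"):
            raise ValueError(f"unsupported entity type: {entity}")
        query = f"entity:{entity} {query}"
    params = urllib.parse.urlencode({"query": query, "limit": limit, "attributes": attributes})
    return f"{API_BASE}/collections/{object_id}/search?{params}"


def parse_results(payload):
    """Flatten the response's `data` list into (type, id, name) tuples.
    Assumes the standard v3 object-list shape; name is None when absent."""
    results = []
    for obj in payload.get("data", []):
        name = obj.get("attributes", {}).get("name")
        results.append((obj["type"], obj["id"], name))
    return results


def search_collection(api_key, object_id, query, entity=None, limit=10):
    """Run the search against the live API with the x-apikey header."""
    req = urllib.request.Request(
        build_search_url(object_id, query, entity, limit),
        headers={"accept": "application/json", "x-apikey": api_key},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_results(json.load(resp))


# Constructed sample response (not real data) in the assumed v3 list shape.
SAMPLE_RESPONSE = {
    "data": [
        {"type": "domain", "id": "example.invalid", "attributes": {"name": "example.invalid"}},
        {"type": "file", "id": "a" * 64, "attributes": {}},
    ]
}
```

`search_collection("<api-key>", "threat-actor--bcaaad6f-0597-4b89-b69b-84a6be2b7bc3", "tag:exploit", limit=2)` reproduces the first example above; pass `entity="domain"` to search domains instead of files.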