get https://www.virustotal.com/api/v3/collections
Special privileges required
Vulnerability Intelligence is only available to users with the Google Threat Intelligence (Google TI) Enterprise or Enterprise Plus licenses.
This endpoint allows us to search and filter Google TI Vulnerabilities effectively. It returns a list of Vulnerability objects only when filtering by the parameter `collection_type:vulnerability`.
Search observations:
- If you don't filter by `collection_type`, this endpoint will return not only Vulnerabilities but also other types of objects such as Reports, Threat Actors, Malware families, Software or Toolkits, Campaigns or IoC Collections, matching the rest of the filters.
- Filters' values are case-insensitive.
- Several filters can be combined in a more complex and specific search.
- Boolean operators can be used in more complex searches: `AND`, `OR`, `NOT`.
- Quotes are needed for filters' values with spaces: `description:"Cross-site Scripting"`
- Wildcards (*) can be used for partial matches: `name:cve-2024*`
- Date filter formats: `YYYY-MM-DD`, `YYYY-MM-DDTHH-mm-ss`
- Relative date formats: `60d` (for days), `10m` (for minutes)
- Date ranges can be specified with `+` or `-`: `last_modification_date:7d+`, `creation_date:2024-01-01-`
Allowed filters by object `collection_type:vulnerability`:

filters | filter description |
---|---|
Open search | Text without modifiers matching against object's name or description |
name | Object's name |
description | Object's description |
creation_date | Object's creation date |
last_modification_date | Object's last modification date |
cvss_3x_base_score | Vulnerability objects with numeric CVSS 3.X base score |
cvss_3x_temporal_score | Vulnerability objects with numeric CVSS 3.X temporal score |
cvss_2x_base_score | Vulnerability objects with numeric CVSS 2.0 base score |
cvss_2x_temporal_score | Vulnerability objects with numeric CVSS 2.0 temporal score |
exploitation_consequence | Exploitation consequence of a Vulnerability. Ex: Code Execution, Command Execution, Container Escape, Data Loss, Data Manipulation, Denial-of-Service (DoS), Information Disclosure, Privilege Escalation, Sandbox Escape, Security Bypass, Spoofing, Unauthorized Access |
exploitation_state | Exploitation state of a Vulnerability. Possible values: Confirmed, No Known, Reported, Suspected |
exploitation_vector | Exploitation vector of a Vulnerability. Possible values: Administrative Interface, Bluetooth Access, Browser, Email, Exposed Web Application, File Share, General Network Connectivity, Local Access, Local Network Access, Malicious Application, Malicious File, Malicious Server, Open Port, Physical Access, Short Range Radio, Unspecified Local Vector, Unspecified Remote Vector, VPN Access, Web, WiFi Access |
vulnerable_cpe | Vulnerability objects with specific standardized product naming scheme - cpe |
vulnerable_product | Vulnerability objects of known security flaw of specific product. Ex: Apache Log4j |
vulnerable_vendor | Vulnerability objects affecting specific vendors. Ex: Apache |
vulnerability_filter | Specific Vulnerability Filters. Possible values: Affects Cloud, Affects Operational Technology, CISA Exploited, Has Exploits, Observed In The Wild, Requires User Interaction, Zero Day |
risk_rating | Vulnerability objects based on Vulnerability Risk Rating. Possible values: Critical, High, Medium, Low |
targeted_industry | Industry targeted by the vulnerability |
targeted_industry_group | Groups of industries targeted by the vulnerability |
software_toolkit | SoftwareToolkit name associated to the object |
Allowed orders:
- `order:name+`: sorts objects alphabetically by name, ascending `+` or descending `-`.
- `order:creation_date-`: sorts objects descending `-` (default) by most recently created objects first, or ascending `+` by oldest objects first.
- `order:last_modification_date-`: sorts objects descending `-` by most recently modified objects first, or ascending `+` by earliest modified objects first.
- `order:lookups_trend-`: sorts objects ascending `+` or descending `-` based on the trend of the daily distinct-user lookups over the IoCs of the object in the last 14 days.
- `order:submissions_trend-`: sorts objects ascending `+` or descending `-` based on the trend of the daily distinct-user submissions of IoCs of the object in the last 14 days.
- `order:relevance+`: sorts objects ascending `+` or descending `-` based on the relevance of the object.
- `order:exploitation_state+`: sorts objects ascending `+` or descending `-` based on the exploitation state of the vulnerability.
- `order:risk_rating+`: sorts objects ascending `+` or descending `-` based on the risk rating of the vulnerability.
Examples
Get the list of all Vulnerabilities from 2024 sorted by creation date (FIFO order).
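```python
import requests
import urllib.parse  # import the submodule explicitly; "import urllib" alone does not guarantee it

# Vulnerability collections whose name matches CVE-2024
filters = "collection_type:vulnerability name:CVE-2024"
# "+" = ascending, i.e. oldest objects first
order = "creation_date+"
# Percent-encode both values: a raw "+" in a query string is decoded as a space
url = (
    "https://www.virustotal.com/api/v3/collections"
    f"?filter={urllib.parse.quote(filters)}&order={urllib.parse.quote(order)}"
)
headers = {"accept": "application/json", "x-apikey": "<api-key>"}  # replace with your API key
response = requests.get(url, headers=headers)
```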
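Get the list of all Vulnerabilities with a cvss_3x base score equal to or greater than 4 and with a confirmed or suspected exploitation state. Then sort the results in descending order based on their risk rating value.
```python
import requests
import urllib.parse  # import the submodule explicitly; "import urllib" alone does not guarantee it

# CVSS 3.x base score >= 4 and exploitation state Confirmed or Suspected
filters = "collection_type:vulnerability cvss_3x_base_score:4+ (exploitation_state:Confirmed or exploitation_state:Suspected)"
# "-" = descending risk rating
order = "risk_rating-"
# Percent-encode both values so "+" and the parentheses survive URL decoding
url = (
    "https://www.virustotal.com/api/v3/collections"
    f"?filter={urllib.parse.quote(filters)}&order={urllib.parse.quote(order)}"
)
headers = {"accept": "application/json", "x-apikey": "<api-key>"}  # replace with your API key
response = requests.get(url, headers=headers)
```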
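The filter and order syntax described on this page, assembled programmatically. This is an added example, not part of the original documentation; the helper names `term`, `any_of`, `build_url` and `example_url` are hypothetical and the sample query is constructed. It quotes values that contain spaces, groups alternatives with `OR`, rejects order fields not listed above, and percent-encodes `+` so range and ascending-order markers survive URL decoding:

```python
from urllib.parse import urlencode

BASE_URL = "https://www.virustotal.com/api/v3/collections"
# Order fields listed on this page.
ALLOWED_ORDERS = {
    "name", "creation_date", "last_modification_date", "lookups_trend",
    "submissions_trend", "relevance", "exploitation_state", "risk_rating",
}


def term(field, value):
    """Render one field:value filter, quoting values that contain spaces."""
    value = str(value)
    if '"' in value:
        raise ValueError("double quotes are not supported in filter values")
    return f'{field}:"{value}"' if " " in value else f"{field}:{value}"


def any_of(field, values):
    """Group alternatives for one field with OR, inside parentheses."""
    return "(" + " OR ".join(term(field, v) for v in values) + ")"


def build_url(terms, order_field, descending=True):
    """Build the search URL, always pinning collection_type:vulnerability."""
    if order_field not in ALLOWED_ORDERS:
        raise ValueError(f"unsupported order field: {order_field}")
    filters = " ".join(["collection_type:vulnerability", *terms])
    order = order_field + ("-" if descending else "+")
    # urlencode turns '+' into %2B; a literal '+' in a query string is
    # conventionally decoded as a space, which would corrupt "7+" or "name+".
    return BASE_URL + "?" + urlencode({"filter": filters, "order": order})


def example_url():
    # Constructed query that combines filters from the table above.
    return build_url(
        [
            term("cvss_3x_base_score", "7+"),
            term("last_modification_date", "7d+"),
            term("vulnerability_filter", "CISA Exploited"),
            any_of("exploitation_state", ["Confirmed", "Suspected"]),
        ],
        "risk_rating",
    )


if __name__ == "__main__":
    print(example_url())
```

Pass the resulting URL to `requests.get` with the same `x-apikey` header used in the examples above.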