Search IoCs inside a threat

🚧

Special privileges required

Threat Actors and Campaigns are only available to users with the Google Threat Intelligence (Google TI) Enterprise or Enterprise Plus licenses.

Searches for IoCs inside a threat object (threat actor, campaign, malware & tool, or IoC collection) using advanced intelligence queries.

The expected input is the same as for /intelligence/search. By default the query matches files; to search other entity types, add the entity: modifier to the query (entity:domain, entity:ip or entity:url).

The estimated_total_hits field in the response metadata indicates whether total_hits is an estimate. It is usually true, meaning the hit count is approximate; when it is false, total_hits is the exact number of matching IoCs. Results are paginated: follow meta.cursor (or links.next) until the response no longer carries a cursor.

{
  "data": [],
  "meta": {
    "cursor": "eJwNjcFOxCAUAH8J7LKJBy91oYYEaikPWG5omzQCK6uNbY0fL8fJJDN_CvzPFVQb8na6Ot8NebkMt_gQgLeAWDs0LR8ivkzN0s8JNo3UTURy9r9cDCge2uLujWIIzdSLCIf-4EYgfB7d1BtUvqqXkj5S0EwqTDcdFZvhdNi8V--_reZ8ZgVCt_s50sO64gUu1LhSe6axSZn6W5Urck7sPNrUBCD3MS_BUMAaVAyU3H2393PEpLINptAxl1fVvW86qeeACAW3yJDVWns2sOJ0TtJgQDZNckJk1Zr3ItFdu1J7-MVo1odUPitLQTEZNXr6B8LRY_w=",
    "total_hits": 90,
    "execution_time_s": 0.253475691,
    "allowed_orders": [
      "first_submission_date",
      "last_submission_date",
      "positives",
      "times_submitted",
      "size",
      "unique_sources",
      "gti_score"
    ],
    "st_search": true,
    "estimated_total_hits": true
  },
  "links": {
    "self": "https://www.virustotal.com/api/v3/collections/malware--cd1528ea-a37e-5633-9302-1c7721234411/search?query=p:5%2B",
    "next": "https://www.virustotal.com/api/v3/collections/malware--cd1528ea-a37e-5633-9302-1c7721234411/search?query=p%3A5%2B&cursor=eJwNjcFOxCAUAH8J7LKJBy91oYYEaikPWG5omzQCK6uNbY0fL8fJJDN_CvzPFVQb8na6Ot8NebkMt_gQgLeAWDs0LR8ivkzN0s8JNo3UTURy9r9cDCge2uLujWIIzdSLCIf-4EYgfB7d1BtUvqqXkj5S0EwqTDcdFZvhdNi8V--_reZ8ZgVCt_s50sO64gUu1LhSe6axSZn6W5Urck7sPNrUBCD3MS_BUMAaVAyU3H2393PEpLINptAxl1fVvW86qeeACAW3yJDVWns2sOJ0TtJgQDZNckJk1Zr3ItFdu1J7-MVo1odUPitLQTEZNXr6B8LRY_w%3D"
  }
}
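The following is an added example, not code from the Google TI documentation: a small client that builds the collection search URL with the query correctly percent-encoded, walks every page of results by following meta.cursor, and reads estimated_total_hits to decide whether to report total_hits as exact or approximate. The HTTP layer is pluggable so the pagination logic can be exercised offline; the sample pages, the fetch stub and the GTI_API_KEY environment variable name are constructed for this example and are not part of the API.

```python
"""Paginated IoC search inside a Google TI threat object (added example)."""
import json
import os
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional
from urllib.parse import urlencode

BASE_URL = "https://www.virustotal.com/api/v3"
Fetcher = Callable[[str, Dict[str, str]], dict]


def build_search_url(object_id: str, query: str, limit: int = 10,
                     attributes: Optional[str] = None,
                     cursor: Optional[str] = None) -> str:
    """Return the /collections/{id}/search URL for one page of results.

    The query is passed raw (e.g. "p:5+" or "entity:domain p:5+"); urlencode
    turns ':' into %3A and '+' into %2B, so the server does not read a bare
    '+' as a space. The same holds for the opaque cursor value.
    """
    params: Dict[str, str] = {"query": query, "limit": str(limit)}
    if attributes:
        params["attributes"] = attributes
    if cursor:
        params["cursor"] = cursor
    return f"{BASE_URL}/collections/{object_id}/search?{urlencode(params)}"


def http_get_json(url: str, headers: Dict[str, str]) -> dict:
    """Default fetcher: plain HTTPS GET with the given headers, parsed as JSON."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_threat_iocs(object_id: str, query: str, api_key: str, limit: int = 10,
                     attributes: Optional[str] = None,
                     max_pages: Optional[int] = None,
                     fetch: Optional[Fetcher] = None) -> Iterator[dict]:
    """Yield every IoC object matched by `query` inside the threat object.

    Follows meta.cursor from page to page and stops when a response carries
    no cursor (last page) or when max_pages has been fetched.
    """
    fetch = fetch or http_get_json
    headers = {"accept": "application/json", "x-apikey": api_key}
    cursor: Optional[str] = None
    pages = 0
    while True:
        page = fetch(build_search_url(object_id, query, limit, attributes, cursor), headers)
        yield from page.get("data", [])
        pages += 1
        cursor = page.get("meta", {}).get("cursor")
        if not cursor or (max_pages is not None and pages >= max_pages):
            return


def describe_hits(meta: dict) -> str:
    """Render total_hits, prefixing '~' when estimated_total_hits is true."""
    prefix = "~" if meta.get("estimated_total_hits", False) else ""
    return f"{prefix}{meta.get('total_hits', 0)} hits"


# Constructed sample responses (not real API output) for the offline demo:
# page 1 carries a cursor, page 2 does not, so iteration stops after two pages.
SAMPLE_PAGES: List[dict] = [
    {"data": [{"type": "file", "id": "a" * 64}, {"type": "file", "id": "b" * 64}],
     "meta": {"cursor": "page-2", "total_hits": 3, "estimated_total_hits": True}},
    {"data": [{"type": "file", "id": "c" * 64}],
     "meta": {"total_hits": 3, "estimated_total_hits": False}},
]


def fake_fetch(url: str, headers: Dict[str, str]) -> dict:
    """Stub fetcher: serves the constructed pages based on the cursor requested."""
    assert headers["x-apikey"], "an API key header must always be sent"
    return SAMPLE_PAGES[1] if "cursor=page-2" in url else SAMPLE_PAGES[0]


def collect_ids(object_id: str, query: str, fetch: Fetcher, limit: int = 2) -> List[str]:
    """Run the paginated search and return the matched object ids in order."""
    key = os.environ.get("GTI_API_KEY", "demo-key")  # assumed env var for the real API
    return [obj["id"] for obj in iter_threat_iocs(object_id, query, key, limit, "name", fetch=fetch)]


if __name__ == "__main__":
    ids = collect_ids("malware--350aa703-7750-5e07-997b-476375955828", "p:5+", fake_fetch)
    print(len(ids), "IoCs;", describe_hits(SAMPLE_PAGES[0]["meta"]))
```

To run against the real API, drop the fetch argument (the default fetcher performs the HTTPS GET) and set the API key in the environment rather than in source. Keeping limit small and stopping on max_pages bounds the quota consumed by a broad query such as p:5+ on a large malware family.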

Examples

Search for IoCs related to a threat actor that meet certain conditions.

import os
import requests

object_id = "threat-actor--bcaaad6f-0597-4b89-b69b-84a6be2b7bc3"
url = f"https://www.virustotal.com/api/v3/collections/{object_id}/search"
# Pass the query unencoded; requests percent-encodes it (tag%3Aexploit).
params = {"query": "tag:exploit", "limit": 2, "attributes": "name"}
# Read the Google TI API key from the environment instead of hard-coding it.
headers = {"accept": "application/json", "x-apikey": os.environ["GTI_API_KEY"]}
response = requests.get(url, headers=headers, params=params, timeout=30)
response.raise_for_status()
print(response.json())

Search for IoCs related to a malware or toolkit that meet certain conditions.

import os
import requests

object_id = "malware--350aa703-7750-5e07-997b-476375955828"
url = f"https://www.virustotal.com/api/v3/collections/{object_id}/search"
# "p:5+" means five or more positives; requests encodes '+' as %2B so it is
# not read as a space by the server.
params = {"query": "p:5+", "limit": 2, "attributes": "name"}
headers = {"accept": "application/json", "x-apikey": os.environ["GTI_API_KEY"]}
response = requests.get(url, headers=headers, params=params, timeout=30)
response.raise_for_status()
print(response.json())

Search for IoCs related to a campaign that meet certain conditions.

import os
import requests

object_id = "campaign--24f96f40-b2fa-512c-b1da-2f22a949d12d"
url = f"https://www.virustotal.com/api/v3/collections/{object_id}/search"
# Only files with at least one matching YARA rule are returned.
params = {"query": "have:yara_rules", "limit": 2, "attributes": "name"}
headers = {"accept": "application/json", "x-apikey": os.environ["GTI_API_KEY"]}
response = requests.get(url, headers=headers, params=params, timeout=30)
response.raise_for_status()
print(response.json())

Search for IoCs related to an IoC collection that meet certain conditions.

import os
import requests

object_id = "alienvault_64edfc5ab93abb1407070292"
url = f"https://www.virustotal.com/api/v3/collections/{object_id}/search"
# Only files with at least one matching Sigma rule are returned.
params = {"query": "have:sigma_rules", "limit": 2, "attributes": "name"}
headers = {"accept": "application/json", "x-apikey": os.environ["GTI_API_KEY"]}
response = requests.get(url, headers=headers, params=params, timeout=30)
response.raise_for_status()
print(response.json())