Searching using entities
One of the basics of VT Intelligence is using the “entity” search keyword to directly specify the type of output you want to get. There are specific modifiers for every entity, here you can find direct links to documentation for File Sarch modifiers , URL search modifiers , Domain search modifiers and IP address search modifiers .
The best approach to learn how to use them is with some real life examples:
Windows Executables that communicate over http
Argentinian domains used in phishing campaigns
Samples exploiting a recent exploit and barely detected by AVs
Windows file that connects to port 445 and (allegedly) use an exploit
LilithBot Malware command-and-control IPs
Using telegram favicon icon but not official telegram domains
Using typosquatting attacks on telegram
Some other examples
Ordering VirusTotal Intelligence searches
(https://www.virustotal.com/gui/search/entity%253Adomain%2520engines%253Aphishing%2520tld%253Aar)
Some other examples:
entity:ip asn:"15169" communicating_files_max_detections:30+
entity:domain downloaded_files_max_detections:20+
entity:url p:3+ have:tracker
entity:file tag:signed p:10+
entity:collection name:apt or tag:apt
Ordering VirusTotal Intelligence searches
Remember that VirusTotal Intelligence searches can user an order parameter. Thisorder
parameter defines the order in which results are returned. They can be followed by a plus (+
) or minus (-
) sign for indicating ascending or descending order respectively (i.e:<order>+
,<order>-
). If no ascending/descending order is specified it's assumed to be ascending, so<order>
and<order>+
are equivalent. If theorder
parameter is not provided, items are returned in a default order. The following table shows supported and default orders for every kind of entity:
Entity type | Supported orders | Default order |
file | first_submission_date, last_submission_date, positives, times_submitted, size | last_submission_date- |
url | first_submission_date, last_submission_date, positives, times_submitted, status | last_submission_date- |
domain | creation_date, last_modification_date, last_update_date, positives | last_modification_date- |
ip | ip, last_modification_date, positives | last_modification_date- |
Remember that content searches can not be sorted, so If your query contains content search the order parameter will make no effect.
Updated 10 months ago