VirusTotal Collections Introduction
A collection is a live report which contains a title, a group of IoCs (file hashes, URLs, domains and IP addresses) and an optional description. Collections are open to our VirusTotal Community (registered users) and they will be enhanced with VirusTotal analysis metadata providing the latest information we have for the IoCs, along with some aggregated tags.
Collection creation
Create empty collection.
You can create a collection through the home view by clicking on the "create an IoC collection" link as shown below:
You need to add a name, a list of IoCs (file hashes, URLs, domains and IP addresses) and then click on Create collection.
Create collection from a list of IOCs.
You can create a collection directly with a list of IOCs from a result page, click on "Tools" and "Add to Collection" and "Add to a new collection"
Collection report
After your collection is created, you'll see a report that looks like this.
We've numbered the elements in the screenshot above for easy reference. They are:
- You can share the collection permanent link or post it to Twitter.
2) The collection provides exporting capabilities in STIX, JSON and CSV formats.
-
Open the IOCs in an VT Graph.
-
You can add more IOCs.
-
Delete the collection.
-
Add a description.
-
Edit IOCs of an specific type: you can add more IOCs or delete selected ones.
-
You can sort the IOCs by Creation date, Last update date or Detections.
-
You can search for IOCs of an specific type to filter the results.
-
You can export IOCs of an specific type in STIX, JSON and CSV formats. You can also copy to clipboard. For files you can Download a selection of them.
-
Different Tools depending on the IOC type: Send to VT Diff, Open in VT Graph or Calculate commonalities.
Add more IOCs directly from a result page.
When you get a list of IOCs, as a result page, you can select some or all of these IOCs and add them to an already existant collection.
- Check the IOCs you want to add
- Click on Tools
- Click on Add to collection
- Select the collection you want these IOCs to be added to.
Own Collection Dashboard
Users can see their created collections in their profile page, as they currently do for graphs and comments.
Collections Visibility
You can set the visibility of your collections so they can be stablished as:
- Public
- Shared with your Org
- Private (only you see the collection)
- Custom visibility (shared with specifics users or groups)
Note only collection owners can change the visibility.
Special privileges required
This feature is only available to users with special privileges.
Setting collections visibility
On creation
You can change the visibility when creating a collection using this dropdown in the bottom of the creation dialog:
From collection report
This is the only way you can set custom visibility, if you require it, by clicking in the share icon on your collection:
As you can see, you can control the users / groups you stablish as editors / viewers, also set the private / public status of the collection, so this gives the collections owner full control on visibility.
Collaborator types
Collaborators can be groups or users playing one of the following roles:
- Viewer: Can see the collection, but cannot modify
- Editor: Can see the collection, also add / delete IoCs and description.
Collaborators cannot delete collections, neither modify the visibility. Only the owner can perform those actions.
Public collections
All public collections are available in VT under the community section of VirusTotal reports, also the Threat Landscape section. This way our users benefit from other analysis investigations.
X Integration
Security community is very active using X to promote their investigations. Public Collections can be shared on X using the share link in the collections report header:
The VT Collection report shows the following card on X.
Collections shared with my org
That means the Org is added as viewer, and any user in your VT group can see the collection (but not edit).
Private collections
Private collections are only visible by the owner or the users in your VirusTotal group. Typically, this is used for work-in-progress collections, then these collections may be shared with the desired scope. Check the Collections Visibility section for more details on how to create a private collection.
On quota exceeded
Public users will have a quota of 20 Collections per month, if you reach the limit you would find the following message.
API Usage
As usual we have also most of the functionality available using our API v3 , in this case with the exception of the exporting feature that is still only available on our web interface. You can check the API documentation in our API Reference page.
Updated about 2 months ago