VirusTotal API v3 - Threat Landscape & Vulnerability Intelligence

Threat Landscape — Collections, Threat Actors, Malware & Tools, Campaigns, Reports, Vulnerabilities, and the curated IoC catalogue. Premium tier; this is where Mandiant-curated intelligence surfaces.

OpenAPI Specification

virustotal-threat-landscape-openapi.yml
openapi: 3.0.3
info:
  title: VirusTotal API v3 - Threat Landscape and Vulnerability Intelligence
  version: '3.0'
  description: Threat Landscape & Vulnerability Intelligence — Collections, Threat Actors, Malware & Tools, Campaigns, Reports, Vulnerabilities, and the curated IoC catalogue.
  contact:
    name: VirusTotal / Google Threat Intelligence
    url: https://docs.virustotal.com/reference/overview
  license:
    name: VirusTotal Terms of Service
    url: https://www.virustotal.com/gui/terms-of-service
  x-generated-from: https://storage.googleapis.com/gtidocresources/guides/GTI_API_v3_openapi_spec_10022025.json
  x-last-validated: '2026-05-29'
servers:
- url: https://www.virustotal.com/api/v3
  description: VirusTotal / GTI API v3 production.
security:
- VTApiKey: []
tags:
- name: Threat Landscape & Vulnerability Intelligence & Reports & Analysis
  description: Threat Landscape & Vulnerability Intelligence & Reports & Analysis
paths:
  /collections:
    get:
      tags:
      - Threat Landscape & Vulnerability Intelligence & Reports & Analysis
      deprecated: false
      description: "> \U0001F6A7 Special privileges required\n> \n> Threat Actors, Campaigns, Reports & Analyses and Vulnerabilities are only available to users with the Google Threat Intelligence (Google\
        \ TI) Enterprise or Enterprise Plus licenses.\n\nThis endpoint allows us to search and filter Threat Intelligence objects effectively. It returns a list of Threat objects with a `collection_type`\
        \ parameter whose value can be one of the following:\n\n- **`collection`**: [Collections](https://gtidocs.virustotal.com/reference/ioc-collection-object) of Indicators of Compromise are grouped\
        \ together based on their observed usage in the wild in malicious campaigns or their association with specific malware families. This OSINT and also curated information is provided by our users\
        \ and certain trusted partners and security researchers, automatically created based on Reports from the cybersecurity community or by our Google TI experts. [UI](https://www.virustotal.com/gui/threat-landscape/ioc-collections)\n\
        - **`threat-actor`**: [Threat Actors](https://gtidocs.virustotal.com/reference/threat-actor-object) curated information exposed by our Google TI experts tracking them or by certain trusted partners\
        \ and security researchers. [UI](https://www.virustotal.com/gui/threat-landscape/threat-actors)\n- **`malware-family`**: Curated information related to [malware families](https://gtidocs.virustotal.com/reference/malware-family-object).\
        \ This information is provided by our Google TI experts and certain trusted partners and security researchers. [UI](https://www.virustotal.com/gui/threat-landscape/malware-and-tools?filter=(collection_type:malware-family))\n\
        - **`software-toolkit`**: Curated information related to malicious [software or toolkits](https://gtidocs.virustotal.com/reference/software-toolkit-object) used in threat campaigns. This information\
        \ is provided by our Google TI experts. [UI](https://www.virustotal.com/gui/threat-landscape/malware-and-tools?filter=(collection_type:software-toolkit))\n- **`campaign`**: Curated information related\
        \ to threat [campaigns](https://gtidocs.virustotal.com/reference/campaign-object). This information is provided by our Google TI experts. [UI](https://www.virustotal.com/gui/threat-landscape/campaigns)\n\
        - **`report`**: OSINT and curated threats related [reports](https://gtidocs.virustotal.com/reference/report-object). They could be crowdsourced references created by the cybersecurity industry,\
        \ curated reports created by certain trusted partners and security researchers or our Google TI experts. [UI](https://www.virustotal.com/gui/reports)\n- **`vulnerability`**: Curated information\
        \ of [vulnerabilities](https://gtidocs.virustotal.com/reference/vulnerability-object) and exploitations coming from our Google TI experts analysis. [UI](https://www.virustotal.com/gui/vulnerabilities)\n\
        \n### Searches observations:\n\n- if you don't filter by the `collection_type` this endpoint will return a single list with all the objects that meet the filters and of any of the following types\
        \ grouped together: [Vulnerabilities](https://gtidocs.virustotal.com/reference/vulnerability-object), [Reports](https://gtidocs.virustotal.com/reference/report-object), [Threat Actors](https://gtidocs.virustotal.com/reference/threat-actor-object),\
        \ [Malware families](https://gtidocs.virustotal.com/reference/malware-family-object), [Software or Toolkits](https://gtidocs.virustotal.com/reference/software-toolkit-object), [Campaigns](https://gtidocs.virustotal.com/reference/campaign-object)\
        \ or [IoC Collections](https://gtidocs.virustotal.com/reference/ioc-collection-object).\n- filters' values are case-insensitive\n- several filters can be combined together in a more complex and specific\
        \ search\n- boolean operators can be used in more complex searches: `AND`, `OR`, `NOT`\n- quotes are needed for filters' values with spaces: `description:\"Phishing campaign\"`\n- wildcards (\\\
        *) can be used for partial matches: `name:Ransom*`\n- date filters formats: `YYYY-MM-DD`, `YYYY-MM-DDTHH-mm-ss`\n- date relative formats: `60d` (for days), `10m` (for minutes)\n- date ranges can\
        \ be specified with `+` or `-`: `last_modification_date:7d+`, `creation_date:2024-01-01-`\n\n## Allowed filters by object `collection_type`:\n\n| filters                  | `collection` | `threat-actor`\
        \ | `malware-family` | `software-toolkit` | `campaign` | filter description |\n| ------------------------ | ------------ | -------------- | ---------------- | ------------------ | ---------- | --------\
        \ |\n| Open search              | ✓            | ✓              | ✓                | ✓                  | ✓          | Text without modifiers matching against object's name or description|\n| `name`\
        \                   | ✓            | ✓              | ✓                | ✓                  | ✓          | Object's name |\n| `description`            | ✓            | ✓              | ✓       \
        \         | ✓                  | ✓          | Object's description |\n| `creation_date`          | ✓            | ✓              | ✓                | ✓                  | ✓          | Object's creation\
        \ date  |\n| `last_modification_date` | ✓            | ✓              | ✓                | ✓                  | ✓          | Object's last modification date  |\n| `origin`                 | ✓  \
        \          | ✓              | ✓                | ✓                  | ✓          | Object's origin. Available options: **Partner** for objects curated by trusted partners and security researchers\
        \ , **Crowdsourced** for OSINT objects from the community or **Google Threat Intelligence** for objects curated by our Google TI experts|\n| `owner`                  | ✓            | ✓         \
        \     | ✓                | ✓                  | ✓           | Owner's username |\n| `suspected_threat_actor` |              | ✓              |                  |                    |           \
        \  | Threat actor suspected to be part of a larger group  |\n| `merged_actor`           |              | ✓              |                  |                    |             | Threat actors confirmed\
        \ to be part of a larger group   |\n| `motivation`             | ✓            | ✓              |                  |                    |             | Threat actors and IoC collection's campaigns\
        \ motivations |\n| `source_region`          | ✓            | ✓              |                  |                    | ✓           | Region from which the threat actor or an IoC collection's\
        \ campaign are known to originate |\n| `targeted_region`        | ✓            | ✓              |                  |                    | ✓           | Region targeted by a specific campaign, threat\
        \ actor or an IoC collection's malicious activity   |\n| `targeted_industry`      | ✓            | ✓              | ✓                | ✓                  | ✓           | Industry targeted by a specific\
        \ campaign, malware family, software or toolkit, threat actor or by an IoC collection's malicious activity  |\n| `targeted_industry_group`| ✓            | ✓              | ✓                | ✓ \
        \                 | ✓           | Group of industries targeted by a specific campaign, malware family, software or toolkit, threat actor or by an IoC collection's malicious activity |\n| `capability`\
        \             |              | ✓              | ✓                |                    |             | Capabilities associated to threat actors' or malware families' associated files   |\n| `operating_system`\
        \       |              |                | ✓                | ✓                  |             | Operating system affected by a malware family or a software and toolkit  |\n| `detection`        \
        \      |              |                | ✓                | ✓                  |             | Detections associated to a malware family's or a software or toolkit's associated files    |\n| `malware_role`\
        \           |              |                | ✓                | ✓                  |             | Object's associated malware role     |\n| `software_toolkit`       |              | ✓        \
        \      | ✓                | ✓                  | ✓           | Software or Toolkit name associated to the object |\n| `shared_with_me`         | ✓            |                |                 \
        \ |                    |             | Private IoC Collection objects that are shared with me or my group |\n\n## Allowed filters by object `collection_type`:`report`:\n\n| filters             \
        \       | filter description |\n| -------------------------- | ------------------ |\n| Open search                | Text without modifiers matching against object's name or description |\n| `name`\
        \                     | Object's name |\n| `description`              | Object's description|\n| `creation_date`            | Object's creation date |\n| `last_modification_date`   | Object's last\
        \ modification date |\n| `origin`                   | Object's origin. Available options: **Partner** for objects curated by trusted partners and security researchers , **Crowdsourced** for OSINT\
        \ objects from the community or **Google Threat Intelligence** for objects curated by our Google TI experts |\n| `owner`                    | Owner's username |\n| `motivation`               | Motivation\
        \ behind the malicious activity described in the report |\n| `source_region`            | Regions from where the malicious activity described in the report is originated |\n| `targeted_region` \
        \         | Region targeted by the malicious activity described in the report |\n| `targeted_industry`        | Industry targeted by the malicious activity described in the report |\n| `targeted_industry_group`\
        \  | Groups of industries targeted by the malicious activity described in the report |\n| `operating_system`         | Affected operating system |\n| `malware_role`             | Report's associated\
        \ malware role |\n| `software_toolkit`         | Software or Toolkit's name, associated to the report |\n\n## Allowed filters by object `collection_type`:`vulnerability`:\n\n| filters          \
        \              | filter description |\n| ----------------------------   | --------------- | \n| Open search                    | Text without modifiers matching against object's name or description\
        \     |\n| `name`                         | Object's name |\n| `description`                  | Object's description|\n| `creation_date`                | Object's creation date  |\n| `last_modification_date`\
        \       | Object's last modification date  |\n| `cvss_3x_base_score`           | Vulnerability objects with numeric CVSS 3.X base score   |\n| `cvss_3x_temporal_score`       | Vulnerability objects\
        \ with numeric CVSS 3.X temporal score     |\n| `cvss_2x_base_score`           | Vulnerability objects with numeric CVSS 2.0 base score   |\n| `cvss_2x_temporal_score`       | Vulnerability objects\
        \ with numeric CVSS 2.0 temporal score     |\n| `exploitation_consequence`     | Exploitation consequence of a Vulnerability. Ex: Code Execution, Command Execution, Container Escape, Data Loss,\
        \ Data Manipulation, Denial-of-Service (DoS), Information Disclosure, Privilege Escalation, Sandbox Escape, Security Bypass, Spoofing, Unauthorized Access    |\n| `exploitation_state`          \
        \ | Exploitation state of a Vulnerability. Possible values: Confirmed, No Known, Reported, Suspected |\n| `exploitation_vector`          | Exploitation vector of a Vulnerability. Possible values:\
        \ Administrative Interface, Bluetooth Access, Browser, Email, Exposed Web Application, File Share, General Network Connectivity, Local Access, Local Network Access, Malicious Application, Malicious\
        \ File, Malicious Server, Open Port, Physical Access, Short Range Radio, Unspecified Local Vector, Unspecified Remote Vector, VPN Access, Web, WiFi Access |\n| `vulnerable_cpe`                |\
        \ Vulnerability objects with specific standardized product naming scheme - cpe   |\n| `vulnerable_product`            | Vulnerability objects of known security flaw of specific product. Ex: Apache\
        \ Log4j  |\n| `vulnerable_vendor`             | Vulnerability objects affecting specific vendors. Ex: Apache   |\n| `vulnerability_filter`          | Specific Vulnerability Filters. Possible values:\
        \ Affects Cloud, Affects Operational Technology, CISA Exploited, Has Exploits, Observed In The Wild, Requires User Interaction, Zero Day   |\n| `risk_rating`                   | Vulnerability objects\
        \ based on Vulnerability Risk Rating. Possible values: Critical, High, Medium, Low   |\n| `targeted_industry`             | Industry targeted by the vulnerability   |\n| `targeted_industry_group`\
        \       | Groups of industries targeted by the vulnerability  |\n| `software_toolkit`              | SoftwareToolkit name associated to the object  |\n\n## Allowed orders:\n\n- `order:name+`: sorts\
        \ objects alphabetically by name, ascending `+` or descending `-`.\n- `order:creation_date-`: sorts objects descending `-` (default) by most recent created objects first, or ascending `+` by oldest\
        \ objects first.\n- `order:last_modification_date-`: sorts objects descending `-` by most recently modified objects first, or ascending `+` by least recently modified objects first.\n- `order:lookups_trend-`:\
        \ sorts objects ascending `+` or descending `-` based on the trend of the daily distinct-user lookups over the IoCs of the object in the last 14 days.\n- `order:submissions_trend-`: sorts objects\
        \ ascending `+` or descending `-` based on the trend of the daily distinct-user submissions of IoCs of the object in the last 14 days.\n- `order:relevance+`: sorts objects ascending `+` or descending\
        \ `-` based on the relevance of the object.\n- `order:exploitation_state+`: sorts objects ascending `+` or descending `-` based on the exploitation state of the vulnerability.\n- `order:risk_rating+`:\
        \ sorts objects ascending `+` or descending `-` based on the risk rating of the vulnerability.\n\n\n## Examples\n\nGet the list of all Threat, [Reports](https://gtidocs.virustotal.com/reference/report-object)\
        \ and [Vulnerabilities](https://gtidocs.virustotal.com/reference/vulnerability-object) objects created in the last week. Note that in this first example the collection_type filter is not used, unlike\
        \ in the rest of the examples.\n\n```python\nimport requests\nimport urllib.parse\n\nfilters = \"creation_date:7d+\"\nurl = f\"https://www.virustotal.com/api/v3/collections?filter={urllib.parse.quote(filters)}\"\
        \nheaders = {\"accept\": \"application/json\",\"x-apikey\": \"<api-key>\"}\nresponse = requests.get(url, headers=headers)\n```\n\nGet the list of all private IoC collections that are shared with me\
        \ or my Google TI group.\n\n```python\nimport requests\nimport urllib.parse\n\nfilters = \"collection_type:collection (shared_with_me:true or owner:my_user_id)\"\nurl = f\"https://www.virustotal.com/api/v3/collections?filter={urllib.parse.quote(filters)}\"\
        \nheaders = {\"accept\": \"application/json\",\"x-apikey\": \"<api-key>\"}\nresponse = requests.get(url, headers=headers)\n```\n\nGet the list of all IoC Collections describing espionage-motivated malicious activity\
        \ targeting the Canadian government.\n\n```python\nimport requests\nimport urllib.parse\n\nfilters = \"collection_type:collection motivation:espionage targeted_industry:government targeted_region:CA\"\
        \nurl = f\"https://www.virustotal.com/api/v3/collections?filter={urllib.parse.quote(filters)}\"\nheaders = {\"accept\": \"application/json\",\"x-apikey\": \"<api-key>\"}\nresponse = requests.get(url,\
        \ headers=headers)\n```\n\nGet the list of all Russian financially motivated Threat Actors utilizing backdoors in their attacks and sort the results by relevance.\n\n```python\nimport requests\n\
        import urllib.parse\n\nfilters = \"collection_type:threat-actor motivation:financial source_region:RU threat_category:backdoor\"\norder = \"relevance-\"\nurl = f\"https://www.virustotal.com/api/v3/collections?filter={urllib.parse.quote(filters)}&order={urllib.parse.quote(order)}\"\
        \nheaders = {\"accept\": \"application/json\",\"x-apikey\": \"<api-key>\"}\nresponse = requests.get(url, headers=headers)\n```\n\nGet the list of all Malware families curated by the Google TI specialists,\
        \ targeting the Linux operating system and whose information was updated in the last 60 days. Then sort results by the last modification date.\n\n```python\nimport requests\nimport urllib.parse\n\nfilters\
        \ = \"collection_type:malware-family operating_system:linux owner:'Google Threat Intelligence' last_modification_date:60d+\"\norder = \"last_modification_date-\"\nurl = f\"https://www.virustotal.com/api/v3/collections?filter={urllib.parse.quote(filters)}&order={urllib.parse.quote(order)}\"\
        \nheaders = {\"accept\": \"application/json\",\"x-apikey\": \"<api-key>\"}\nresponse = requests.get(url, headers=headers)\n```\n\nGet the list of all Software or Toolkits targeting the Windows operating\
        \ system which are backdoors used in botnets. Then sort results by relevance providing first the most relevant objects.\n\n```python\nimport requests\nimport urllib.parse\n\nfilters = \"collection_type:software-toolkit\
        \ operating_system:windows detection:backdoor malware_role:botnet\"\norder = \"relevance-\"\nurl = f\"https://www.virustotal.com/api/v3/collections?filter={urllib.parse.quote(filters)}&order={urllib.parse.quote(order)}\"\
        \nheaders = {\"accept\": \"application/json\",\"x-apikey\": \"<api-key>\"}\nresponse = requests.get(url, headers=headers)\n```\n\nGet the list of all Campaigns targeting China and whose name or description\
        \ mentions the \"ransomware\" word. Then sort results ascending based on their last modification date.\n\n```python\nimport requests\nimport urllib.parse\n\nfilters = \"collection_type:campaign (name:ransomware\
        \ or description:ransomware) targeted_region:CN\"\norder = \"last_modification_date+\"\nurl = f\"https://www.virustotal.com/api/v3/collections?filter={urllib.parse.quote(filters)}&order={urllib.parse.quote(order)}\"\
        \nheaders = {\"accept\": \"application/json\",\"x-apikey\": \"<api-key>\"}\nresponse = requests.get(url, headers=headers)\n```\n\n\nGet the list of all crowdsourced Reports created from the beginning\
        \ of 2024 whose name contains the \"phishing\" word and sort results descending by creation date (FIFO order).\n\n```python\nimport requests\nimport urllib.parse\n\nfilters = \"collection_type:report\
        \ name:phishing creation_date:2024-01-01+ origin:Crowdsourced\"\norder = \"creation_date-\"\nurl = f\"https://www.virustotal.com/api/v3/collections?filter={urllib.parse.quote(filters)}&order={urllib.parse.quote(order)}\"\
        \nheaders = {\"accept\": \"application/json\",\"x-apikey\": \"<api-key>\"}\nresponse = requests.get(url, headers=headers)\n```\n\nGet the list of all Vulnerabilities from 2024 sorted by creation date\
        \ (FIFO order).\n\n```python\nimport requests\nimport urllib.parse\n\nfilters = \"collection_type:vulnerability name:CVE-2024\"\norder = \"creation_date+\"\nurl = f\"https://www.virustotal.com/api/v3/collections?filter={urllib.parse.quote(filters)}&order={urllib.parse.quote(order)}\"\
        \nheaders = {\"accept\": \"application/json\",\"x-apikey\": \"<api-key>\"}\nresponse = requests.get(url, headers=headers)\n```\n\nGet the list of all Vulnerabilities with cvss_3x base score equal or\
        \ greater than 4 and with confirmed or suspected exploitation state. Then sort results descending based on their risk rating value.\n\n```python\nimport requests\nimport urllib.parse\n\nfilters = \"collection_type:vulnerability\
        \ cvss_3x_base_score:4+ (exploitation_state:Confirmed or exploitation_state:Suspected)\"\norder = \"risk_rating-\"\nurl = f\"https://www.virustotal.com/api/v3/collections?filter={urllib.parse.quote(filters)}&order={urllib.parse.quote(order)}\"\
        \nheaders = {\"accept\": \"application/json\",\"x-apikey\": \"<api-key>\"}\nresponse = requests.get(url, headers=headers)\n```"
      operationId: listThreats
      parameters:
      - description: Maximum number of threat objects to retrieve (max 40)
        in: query
        name: limit
        schema:
          default: 10
          format: int32
          type: integer
      - description: Continuation cursor
        in: query
        name: cursor
        schema:
          type: string
      - description: Filter threat objects by different properties
        in: query
        name: filter
        schema:
          type: string
      - description: Sorting order
        in: query
        name: order
        schema:
          type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                Result:
                  value: "{\n\"meta\": {\n  \"cursor\": <string>\n},\n\"data\": [\n  <THREAT_OBJ>,\n  <THREAT_OBJ>,\n  ...\n],\n\"links\": {\n  \"self\": <string>,\n  \"next\": <string>\n}\n}"
          description: '200'
        '400':
          content:
            application/json:
              examples:
                Result:
                  value: '{}'
              schema:
                properties: {}
                type: object
          description: '400'
      summary: VirusTotal List Threat Objects (Actor, Malware & Tool, Campaign, IoC Collection, Vulnerability, Report)
      security:
      - VTApiKey: []
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
    post:
      tags:
      - Threat Landscape & Vulnerability Intelligence & Reports & Analysis
      deprecated: false
      description: "Use this endpoint to create new IoC collections. In the request body, send a collection object containing its name, description and the elements it will contain (for URLs you can either\
        \ use the URL or its ID). All IOCs must be described as relationships of a newly created Collection object. This is an example request body:\n\n```json Create an IoC collection from relationship\
        \ descriptors\n{\n\t\"data\": {\n\t\t\"attributes\": {\n\t\t\t\"name\": \"Test IoC collection\",\n\t\t\t\"description\": \"This is how to create a new IoC collection via API.\"\n\t\t},\n\t\t\"relationships\"\
        : {\n\t\t\t\"domains\": {\n\t\t\t\t\"data\": [\n\t\t\t\t\t{\n\t\t\t\t\t\t\"type\": \"domain\",\n\t\t\t\t\t\t\"id\": \"www.virustotal.com\"\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\t\"type\": \"domain\"\
        ,\n\t\t\t\t\t\t\"id\": \"www.hooli.com\"\n\t\t\t\t\t}\n\t\t\t\t]\n\t\t\t},\n\t\t\t\"urls\": {\n\t\t\t\t\"data\": [\n\t\t\t\t\t{\n\t\t\t\t\t\t\"type\": \"url\",\n\t\t\t\t\t\t\"url\": \"https://www.virustotal.com/\"\
        \n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\t\"type\": \"url\",\n\t\t\t\t\t\t\"id\": \"f11f7cc900638fae209f68498a90158fbfb067fc4191549ddb657e39cc4428c2\"\n\t\t\t\t\t}\n\t\t\t\t]\n\t\t\t},\n\t\t\t\"\
        ip_addresses\": {\n\t\t\t\t\"data\": [\n\t\t\t\t\t{\n\t\t\t\t\t\t\"type\": \"ip_address\",\n\t\t\t\t\t\t\"id\": \"8.8.8.8\"\n\t\t\t\t\t}\n\t\t\t\t]\n\t\t\t},\n\t\t\t\"files\": {\n\t\t\t\t\"data\"\
        : [\n\t\t\t\t\t{\n\t\t\t\t\t\t\"type\": \"file\",\n\t\t\t\t\t\t\"id\": \"ecc0f2aa29b102bf8d67b7d7173e8698c0341ddfdf9757be17595460fbf1791a\"\n\t\t\t\t\t}\n\t\t\t\t]\n\t\t\t}\n\t\t},\n\t\t\"type\"\
        : \"collection\"\n\t}\n}\n```\n```json Create an IoC collection from raw text\n{\n\t\"data\": {\n\t\t\"attributes\": {\n\t\t\t\"name\": \"Test IoC collection\",\n\t\t\t\"description\": \"This is\
        \ how to create a new IoC collection via API.\"\n\t\t},\n\t\t\"raw_items\": \"This is a text containing an IoC, www.virustotal.com\",\n\t\t\"type\": \"collection\"\n\t}\n}\n```\n\nTo modify the\
        \ IoC collection's attributes or add more elements to an IoC collection using raw text, refer to the [PATCH /collections/{id}](https://gtidocs.virustotal.com/reference/update-ioc-collection) endpoint.\
        \  \nTo add new elements to the IoC collection refer to the [POST /collections/{id}/{relationship}](https://gtidocs.virustotal.com/reference/add-element-to-ioc-collection) endpoint.  \nTo remove\
        \ elements from the IoC collection refer to the [DELETE /collections/{id}/{relationship}](https://gtidocs.virustotal.com/reference/delete-element-from-ioc-collection) endpoint.\n\n## Examples\n\n\
        Create a new private IoC collection with 2 IoCs which are ```google.com``` and ```virustotal.com``` domains.\n\n```python\nimport requests\n\nurl = \"https://www.virustotal.com/api/v3/collections\"\
        \npayload = {\n    \"data\":\n    {\n        \"type\": \"collection\",\n        \"attributes\":\n        {\n            \"name\": \"Test IoC collection\",\n            \"description\": \"This is\
        \ how to create a new collection via API.\",\n            \"private\": True\n        },\n        \"raw_items\": \"google.com, virustotal.com\"\n    }\n}\nheaders = {\n    \"accept\": \"application/json\"\
        ,\"x-apikey\": \"<api-key>\",\"content-type\": \"application/json\"\n}\nresponse = requests.post(url, json=payload, headers=headers)\nprint(response.text)\n```"
      operationId: createIocCollection
      parameters: []
      requestBody:
        content:
          application/json:
            schema:
              properties:
                data:
                  description: IoC Collection object
                  format: json
                  type: string
              required:
              - data
              type: object
      responses:
        '200':
          content:
            application/json:
              examples:
                Result:
                  value: "{\n  \"data\": {\n    \"attributes\": {\n      \"name\": \"Test IoC collection\",\n      \"description\": \"This is how to create a new collection via API.\",\n      \"top_icon_md5\"\
                    : [\n        \"1bc1faf71106e964e44cb17ab4dd8d11\"\n      ],\n      \"tags\": [],\n      \"ip_addresses_count\": 0,\n      \"domains_count\": 1,\n      \"creation_date\": 1614784765,\n\
                    \      \"last_modification_date\": 1614784765,\n      \"references_count\": 0,\n      \"alt_names\": [],\n      \"urls_count\": 0,\n      \"autogenerated_tags\": [],\n      \"files_count\"\
                    : 0\n    },\n    \"type\": \"collection\",\n    \"id\": \"<ID>\",\n    \"links\": {\n      \"self\": \"https://www.virustotal.com/api/v3/collections/<ID>\"\n    }\n  }\n}"
              schema:
                properties:
                  data:
                    properties:
                      attributes:
                        properties:
                          alt_names:
                            type: array
                          autogenerated_tags:
                            type: array
                          creation_date:
                            default: 0
                            type: integer
                          description:
                            type: string
                          domains_count:
                            default: 0
                            type: integer
                          files_count:
                            default: 0
                            type: integer
                          ip_addresses_count:
                            default: 0
                            type: integer
                          last_modification_date:
                            default: 0
                            type: integer
                          name:
                            type: string
                          references_count:
                            default: 0
                            type: integer
                          tags:
                            type: array
                          top_icon_md5:
                            items:
                              type: string
                            type: array
                          urls_count:
                            default: 0
                            type: integer
                        type: object
                      id:
                        type: string
                      links:
                        properties:
                          self:
                            type: string
                        type: object
                      type:
                        type: string
                    type: object
                type: object
          description: '200'
        '400':
          content:
            application/json:
              examples:
                Result:
                  value: '{}'
              schema:
                properties: {}
                type: object
          description: '400'
      security:
      - VTApiKey: []
      summary: VirusTotal Create a New IoC Collection
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /collections/{id}:
    get:
      tags:
      - Threat Landscape & Vulnerability Intelligence & Reports & Analysis
      deprecated: false
      description: "> \U0001F6A7 Special privileges required\n> \n> Threat Actors, Campaigns, Reports & Analyses and Vulnerabilities are only available to users with the Google Threat Intelligence (Google\
        \ TI) Enterprise or Enterprise Plus licenses.\n\nThis endpoint returns a [Threat Actor](https://gtidocs.virustotal.com/reference/threat-actor-object), [Campaign](https://gtidocs.virustotal.com/reference/campaign-object),\
        \ [Malware Family](https://gtidocs.virustotal.com/reference/malware-family-object), [Software or Toolkit Actor](https://gtidocs.virustotal.com/reference/software-toolkit-object), [IoC Collection](https://gtidocs.virustotal.com/reference/ioc-collection-object),\
        \ [Report](https://gtidocs.virustotal.com/reference/report-object) or a [Vulnerability](https://gtidocs.virustotal.com/reference/vulnerability-object) object.\n\n## Examples\n\nGet a threat actor\
        \ report.\n\n```python\nimport requests\nimport urllib\n\nobject_id = \"threat-actor--bcaaad6f-0597-4b89-b69b-84a6be2b7bc3\"\nurl = f\"https://www.virustotal.com/api/v3/collections/{object_id}\"\
        \nheaders = {\"accept\": \"application/json\",\"x-apikey\": \"<api-key>\"}\nresponse = requests.get(url, headers=headers)\n```\n\nGet a malware or toolkit report.\n\n```python\nimport requests\nimport\
        \ urllib\n\nobject_id = \"malware--350aa703-7750-5e07-997b-476375955828\"\nurl = f\"https://www.virustotal.com/api/v3/collections/{object_id}\"\nheaders = {\"accept\": \"application/json\",\"x-apikey\"\
        : \"<api-key>\"}\nresponse = requests.get(url, headers=headers)\n```\n\nGet a campaign report.\n\n```python\nimport requests\nimport urllib\n\nobject_id = \"campaign--24f96f40-b2fa-512c-b1da-2f22a949d12d\"\
        \nurl = f\"https://www.virustotal.com/api/v3/collections/{object_id}\"\nheaders = {\"accept\": \"application/json\",\"x-apikey\": \"<api-key>\"}\nresponse = requests.get(url, headers=headers)\n```\n\
        \nGet an IoC collection report.\n\n```python\nimport requests\nimport urllib\n\nobj

# --- truncated at 32 KB (102 KB total) ---
# Full source: https://raw.githubusercontent.com/api-evangelist/virustotal/refs/heads/main/openapi/virustotal-threat-landscape-openapi.yml
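
Added example (not part of the VirusTotal spec or its documentation): a Python helper that builds `filter` expressions following the rules in the `/collections` description, percent-encodes `filter` and `order` so a trailing `+` is not read as a space, and follows `meta.cursor` across pages. The helper names, the `fetch` callable, the constructed two-page response and the assumption that a missing cursor marks the last page are illustrative.

```python
import urllib.parse

API_URL = "https://www.virustotal.com/api/v3/collections"
MAX_LIMIT = 40  # the spec's stated maximum for `limit`


def term(field, value):
    """Return one `field:value` term, double-quoting values that contain spaces."""
    value = str(value)
    if not value:
        raise ValueError("empty filter value")
    if '"' in value:
        # The page documents no escape for embedded quotes, so refuse them
        # instead of letting untrusted input change the shape of the filter.
        raise ValueError(f"double quote not allowed in filter value: {value!r}")
    if any(ch.isspace() for ch in value):
        value = f'"{value}"'
    return f"{field}:{value}"


def any_of(*terms):
    """Group alternatives with the documented OR operator."""
    return "(" + " OR ".join(terms) + ")"


def build_url(filter_expr, order=None, limit=10, cursor=None):
    """Build a GET /collections URL with every query value percent-encoded."""
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
    params = {"filter": filter_expr, "limit": limit}
    if order:
        params["order"] = order
    if cursor:
        params["cursor"] = cursor
    # quote (not quote_plus) turns "+" into %2B and a space into %20, so the
    # "+"/"-" range and sort suffixes reach the server unchanged.
    return API_URL + "?" + urllib.parse.urlencode(params, quote_via=urllib.parse.quote)


def iter_collections(fetch, filter_expr, order=None, limit=MAX_LIMIT, max_pages=50):
    """Yield objects from every page.

    `fetch` is a caller-supplied callable taking a URL and returning the parsed
    JSON body (for a live call it would send the `x-apikey` header).
    Assumption: a response without `meta.cursor` is the last page.
    """
    cursor, seen = None, set()
    for _ in range(max_pages):
        page = fetch(build_url(filter_expr, order, limit, cursor))
        yield from page.get("data", [])
        cursor = page.get("meta", {}).get("cursor")
        if not cursor:
            return
        if cursor in seen:
            raise RuntimeError("cursor repeated; stopping to avoid a loop")
        seen.add(cursor)
    raise RuntimeError("max_pages reached before the listing ended")


def fake_fetch(url):
    """Constructed two-page response in the documented meta/data shape (no network)."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    if query.get("cursor") == ["page2"]:
        return {"data": [{"type": "collection", "id": "constructed-3"}], "meta": {}}
    return {
        "data": [
            {"type": "collection", "id": "constructed-1"},
            {"type": "collection", "id": "constructed-2"},
        ],
        "meta": {"cursor": "page2"},
    }


def example_filter():
    """The page's last vulnerability search, assembled from terms."""
    return " ".join([
        term("collection_type", "vulnerability"),
        term("cvss_3x_base_score", "4+"),
        any_of(term("exploitation_state", "Confirmed"),
               term("exploitation_state", "Suspected")),
    ])


def example_ids():
    """Run the example search against the constructed responses."""
    return [obj["id"] for obj in
            iter_collections(fake_fetch, example_filter(), order="risk_rating-")]


if __name__ == "__main__":
    print(build_url(example_filter(), order="risk_rating-", limit=MAX_LIMIT))
    print(example_ids())
```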