Back Home
Searching using entities
One of the basics of VT Intelligence is using the “entity” search keyword to directly specify the type of output you want to get. There are specific modifiers for every entity, here you can find direct links to documentation for file , URL , IP and Domain.
The best approach to learn how to use them is with some real life examples:
Windows Executables that communicate over http
Samples exploiting a recent exploit and barely detected by AVs
Windows file that connects to port 445 and (allegedly) use an exploit
LilithBot Malware command-and-control IPs
Using telegram favicon icon but not official telegram domains
Using typosquatting attacks on telegram
Some other examples:
Ordering VirusTotal Intelligence searches
Remember that VirusTotal Intelligence searches can user an order parameter. This
orderparameter defines the order in which results are returned. They can be followed by a plus (+) or minus (-) sign for indicating ascending or descending order respectively (i.e:<order>+,<order>-). If no ascending/descending order is specified it's assumed to be ascending, so<order>and<order>+are equivalent. If theorderparameter is not provided, items are returned in a default order. The following table shows supported and default orders for every kind of entity:| Entity type | Supported orders | Default order |
| file | first_submission_date, last_submission_date, positives, times_submitted, size | last_submission_date- |
| url | first_submission_date, last_submission_date, positives, times_submitted, status | last_submission_date- |
| domain | creation_date, last_modification_date, last_update_date, positives | last_modification_date- |
| ip | ip, last_modification_date, positives | last_modification_date- |
Remember that content searches can not be sorted, so If your query contains content search the order parameter will make no effect.