threat_intel_search
Search VirusTotal Intelligence with advanced queries to find files matching specific criteria for threat hunting, malware research, and IOC discovery.
Instructions
Search VirusTotal Intelligence with advanced queries for threat hunting.
This tool searches the entire VirusTotal dataset using VirusTotal's query syntax to find files matching specific criteria. It is intended for proactive threat hunting, malware research, and discovering samples related to a known one.
Query Syntax Examples:
File type: type:peexe type:pdf type:apk
Size: size:90kb+ size:1mb-5mb
Detections: positives:5+ engines:kaspersky
Time: fs:2024-01-01+ ls:7d-
Behavior: behavior:"contacts C2"
Tags: tag:ransomware tag:trojan
Strings: content:"malicious string"
Imports: imports:CreateRemoteThread
Certificates: signature:"Company Name"
What this tool provides:
Search results matching your criteria
File metadata and detection statistics
Comprehensive threat intelligence per result
Ability to hunt for specific malware characteristics
IOC discovery and threat research capabilities
Common Use Cases:
Threat hunting: Find files with specific behaviors or characteristics
Malware research: Discover related samples and families
IOC expansion: Find files using known infrastructure
Campaign tracking: Identify malware from specific actors
Signature development: Research samples for detection rules
Incident response: Find similar threats in your environment
Args: query: VT Intelligence search query using the VirusTotal query syntax.
Returns: JSON string containing:
- results: Array of matching files with full details (up to 10)
- count: Number of results returned
- query: The search query used
Examples:
query="type:peexe size:90kb+ positives:10+"
query="behavior_network:C2 tag:ransomware"
query="signature:'Microsoft Corporation' positives:0"
Notes:
- Requires a valid VirusTotal API key (PURPLEMCP_VT_API_KEY environment variable)
- Intelligence search requires a VirusTotal Premium/Enterprise API key
- Returns up to 10 results per query
- Complex queries may take longer to execute
- Query syntax documentation: https://docs.virustotal.com/docs/intelligence-search
- IMPORTANT: Do NOT call this tool repeatedly with the same parameters. It returns the same data each time, not additional results. Use different search queries to find different files.
Raises:
- ThreatIntelligenceClientError: If there is an error communicating with the API.
- RuntimeError: If the API key is not configured or lacks Intelligence access.
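As an added example (not code from the tool or its project), a small client-side helper that composes queries in the documented syntax, validates the returned envelope (results, count, query, at most 10 results), and caches by query string so the tool is never re-invoked with identical parameters. `build_query`, `parse_envelope`, `IntelSearch` and `fake_tool` are hypothetical names; `fake_tool` is a constructed stand-in for the real tool so the code runs offline.

```python
import json
from typing import Callable

MAX_RESULTS = 10  # the tool returns at most 10 results per query (documented above)


def build_query(**criteria: str) -> str:
    """Compose a VT Intelligence query from modifier=value pairs,
    e.g. build_query(type="peexe", size="90kb+", positives="10+").
    Values containing whitespace are double-quoted, as in signature:"Company Name"."""
    parts = []
    for modifier, value in criteria.items():
        if any(ch.isspace() for ch in value):
            value = '"' + value.replace('"', '\\"') + '"'
        parts.append(f"{modifier}:{value}")
    return " ".join(parts)


def parse_envelope(raw: str, expected_query: str) -> dict:
    """Decode the documented JSON envelope (results, count, query) and check that
    it is internally consistent before anything downstream trusts it."""
    env = json.loads(raw)
    if env.get("query") != expected_query:
        raise RuntimeError("response does not belong to the submitted query")
    if env.get("count") != len(env.get("results", [])) or env["count"] > MAX_RESULTS:
        raise RuntimeError("count disagrees with results array or exceeds the per-query cap")
    return env


class IntelSearch:
    """Memoises results per query string: identical parameters return identical
    data, so repeats are served from the cache instead of re-issuing the call."""

    def __init__(self, call_tool: Callable[[str], str]):
        self._call = call_tool          # invokes threat_intel_search and returns its JSON string
        self._cache: dict[str, dict] = {}
        self.api_calls = 0              # how often the underlying tool was actually invoked

    def search(self, query: str) -> dict:
        if query not in self._cache:
            self.api_calls += 1
            self._cache[query] = parse_envelope(self._call(query), query)
        return self._cache[query]


def fake_tool(query: str) -> str:
    """Constructed stand-in for the real tool (hypothetical, offline): echoes the
    query back inside the documented envelope with two made-up hits."""
    hits = [{"id": "constructed-sample-1"}, {"id": "constructed-sample-2"}]
    return json.dumps({"results": hits, "count": len(hits), "query": query})
```

In real use, pass the function that invokes threat_intel_search to `IntelSearch` in place of `fake_tool`.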
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| query | Yes | VT Intelligence search query using the VirusTotal query syntax. | |
Output Schema
| Name | Required | Description | Default |
|---|---|---|---|
| result | Yes | JSON string containing results (up to 10 matching files), count, and the query used. | |