Wednesday, September 15, 2021

Introducing VT Alerts

 360-degrees insights into your assets

Many VirusTotal’s users deploy rules to monitor that their assets, including domains, IP ranges and intellectual property are not being abused by any attacker. Today we are proud to introduce VT Alerts, a solution designed to help detect any abuse in (almost) real time.

Before going into more details, we invite you to join us next September 28th at 17:00 CEST for our VT Alerts webinar if you want to know everything about it.

What is VT Alerts?

VT Alerts is designed to provide a feed-like experience providing different severity notifications on anything we detected in VirusTotal that matches your infrastructure and intellectual property. It offers you an easy way to create watchlists where you can include all the network-related assets of your company, as well as terms related to your brands and intellectual property. 

VT Alerts will take it from here, automatically monitoring anything new we detect in VirusTotal matching this criteria and providing you with alerts on anything suspicious we find in the VirusTotal ecosystem. 

Watchlists and notifications

We have designed three types of watchlists: Domains, IPs and Brand. Here is how it works.

For networking infrastructure there are two types of watchlists. The first one is for Domains and basically expects a list of, well, domains, and the second is for IP Ranges belonging to your infrastructure that you want to monitor. Once this is defined, alerts are created when any of the following criteria is met:

  • Any URL under any domain or subdomain in the Domains watchlist is detected as malicious in VirusTotal.
  • Any malicious file contacts a URL under any domain or subdomain in the Domains watchlist.
  • A malicious file is downloaded from a URL under any domain or subdomain in the Domains watchlist.
  • We detected any URLs or domains reusing any domain or subdomain in the Domains watchlist.
  • We find any Domain or IP in the content of any malicious file.
  • Domain typosquatting notifications.

Brand protection works a bit differently, as here you can provide any terms related to your business, brands and intellectual property. We will search for these terms in any suspicious network infrastructure and communication to detect abuses. 

For example, we will search for any link including any of the keywords from your list of terms to monitor, which is a very usual tactic used by attackers in phishing campaigns. We will also check if any of the terms are found in any website we analyse, flagging potential abuse by third-parties. These terms could be any strings that are characteristic to your brand or that are candidates to be reused by attackers, for example, in phishing websites cloning yours. Additionally to these strings, we will need your domains (allow-list) so we make sure every time we find something suspicious it does not belong to you. 

Alright, now everything is set and ready in your Brand watchlist. VT Alerts will let you know when:

  • Any domain outside your infrastructure reuses any of your favicons.
  • Any URL outside of your infrastructure uses any of the strings you defiled.

And that would be it. Next: let’s learn more about the Alerts.


After everything is set, we will start receiving alerts in our dashboard according to the criteria defined above. 

Each notification we get provides the following information:

  • Creation timestamp - when the alert was created
  • Severity (Info, Low, Medium, High) - depending on the detection ratio
  • Event type (URL sighting, File download, File contact, Domain sighting, IP sighting)
  • VirusTotal verdicts’ snapshot at notification time
  • Type of entity involved in the alert (Domain, URL, IP, File)
  • Detection Category
  • Use-Case Category

All this data is presented in a simplified form in the dashboard, but you can click on any of the items of the alerts to pivot to its VirusTotal report (for example, in the case of a domain or file) or you can click on the magnifying glass to get full information of the event.

All this information is also ready to be automated through our API.

We also added different options to make filtering noise out easier, or to quickly pinpoint worrisome alerts. For example, we can filter by time of the alerts, severity or even categorize potential false positives straight away.

Or use any of combination of the filters provided:

What now?

Notifications are the starting point for your investigation. Alerts contain all VirusTotal’s links to any involved entities, so you can continue your investigation as you’d normally do.


Q: Where is all this data coming from?

A: We use the VirusTotal corpus to watch for events to generate notifications on. Alerts won’t crawl nor visit any of the domains nor IPs that you create watchlists for.

Q: Is any of my information made public?

A: All of VT Alerts’ data (watchlists and feeds) is private to your VirusTotal group and is not published, directly or indirectly, anywhere else. Keep in mind that the suspicious artefacts found in the alerts, like URLs and files, are still accessible to other VirusTotal’s users.

Q: Can I get notifications pushed to my email/vendor/etc.?

A: We’re gathering feedback on the most sought-after delivery channels and adding those in the coming weeks.

Q: Are VT Alerts running retroactively?

A: No. At the moment, you will start receiving notifications once your alerts are set and ready.

Future Features and Parting Words

VT Alerts will be evolving quickly in the following months, with more features in the pipeline like notifications for WHOIS changes, improved typosquatting alerts, more brand protection notifications, watchlist management for large-scale users, and many more.

We’re excited about VT Alerts future, and we hope it will become your tool of choice for asset monitoring. Please let us know if you are interested or if you have any ideas how to make it better.

Happy hunting!


Post a Comment