TL;DR: Threat researchers use Pastebin and similar sites to share sets of IoCs among themselves. We believe there is a more actionable and contextualized way to perform this task, enter VirusTotal Collections. Help us shape the future of IoC collections with the what’s next form.
Collective knowledge is key for the success of us all in the industry. For this reason, we paved the way to give a voice to our community by providing them the mechanisms to (annotate and share) comments on VT observables. Time evolves and now most investigations go beyond one observable, quickly adding up several indicators of compromise (IOCs) for one single incident . With many security researchers sharing their findings in blog posts and tweets, it’s getting hard to keep track of all these data inputs. Moreover, these investigations change over time bringing more difficulty into reporting the new findings.
To fill that gap, today, we are releasing VirusTotal Collections. A collection is a live report which contains a title, a group of IoCs (file hashes, URLs, domains and IP addresses) and an optional description. Collections are open to our VirusTotal Community (registered users) and they will be enhanced with VirusTotal analysis metadata providing the latest information we have for the IoCs, along with some aggregated tags.
Collection owners can update these by adding or removing IoCs. They are public via our UI and API, and they can be shared using their permalink. This makes it a very convenient way of linking to listings of IoCs in blog posts, research reports and the like.
All our community generated content, including comments, graphs and collections will contribute to the Community section of file, URL, domain and IP address reports. This means that if a security researcher creates a Collection with a file in it, if you visit the file report you will see the collection in the community section.
You can create IoC collections in the VirusTotal home page, under the SEARCH tab.