Searching using entities

One of the basics of VT Intelligence is the “entity” search keyword, which directly specifies the type of object you want returned (file, url, domain, ip or collection). Each entity type has its own set of search modifiers; they are described in the documentation for File search modifiers, URL search modifiers, Domain search modifiers and IP address search modifiers.

Search diagram using entities

The best way to learn how to use them is with some real-life examples. Each example below gives the GUI link followed by the query it opens:


Windows executables that communicate over HTTP (https://www.virustotal.com/gui/search/entity%253Afile%2520(type%253Apeexe%2520or%2520type%253Apedll)%2520behavior%253Ahttp/files)
entity:file (type:peexe or type:pedll) behavior:http

Argentinian domains used in phishing campaigns (https://www.virustotal.com/gui/search/entity%253Adomain%2520engines%253Aphishing%2520tld%253Aar)
entity:domain engines:phishing tld:ar

Samples tagged with a 2022 CVE but detected by only a few AV engines, between 5 and 20 positives (https://www.virustotal.com/gui/search/entity%253Afile%2520tag%253A%2522cve-2022*%2522%2520p%253A5%252B%2520p%253A20-/files)
entity:file tag:"cve-2022*" p:5+ p:20-

Windows executables that connect to port 445 and are tagged as exploits (https://www.virustotal.com/gui/search/entity%253Afile%2520behaviour_network%253A%2522%253A445%2522%2520type%253Apeexe%2520tag%253Aexploit/files)
entity:file behaviour_network:":445" type:peexe tag:exploit

LilithBot malware command-and-control URLs, matched on the distinctive /gate/ paths they expose (https://www.virustotal.com/gui/search/entity%253Aurl%2520path%253A%252Fgate%252F*%252FregisterBot%2520or%2520path%253A%252Fgate%252F*%252FgetFile%253Fname%253Dadmin_settings_plugin.json%2520or%2520path%253A%252Fgate%252F*%252FuploadFile%253Fname/urls)
entity:url path:/gate/*/registerBot or path:/gate/*/getFile?name=admin_settings_plugin.json or path:/gate/*/uploadFile?name

URLs using the Telegram favicon (matched by its dhash) but not hosted under the official Telegram domains (https://www.virustotal.com/gui/search/entity%253Aurl%2520main_icon_dhash%253Ae89e436964638ee8%2520AND%2520NOT%2520(%2520parent_domain%253A%2522tdesktop.com%2522%2520%2520OR%2520parent_domain%253A%2522telegram.org%2522%2520OR%2520parent_domain%253A%2522telegram.me%2522%2520OR%2520parent_domain%253A%2522t.me%2522%2520)/urls)
entity:url main_icon_dhash:e89e436964638ee8 AND NOT ( parent_domain:"tdesktop.com" OR parent_domain:"telegram.org" OR parent_domain:"telegram.me" OR parent_domain:"t.me" )

Domains typosquatting telegram.org, excluding the official Telegram domains (https://www.virustotal.com/gui/search/entity%253Adomain%2520fuzzy_domain%253Atelegram.org%2520%2520AND%2520NOT%2520(%2520parent_domain%253A%2522tdesktop.com%2522%2520%2520OR%2520parent_domain%253A%2522telegram.org%2522%2520OR%2520parent_domain%253A%2522telegram.me%2522%2520OR%2520parent_domain%253A%2522t.me%2522%2520))
entity:domain fuzzy_domain:telegram.org AND NOT ( parent_domain:"tdesktop.com" OR parent_domain:"telegram.org" OR parent_domain:"telegram.me" OR parent_domain:"t.me" )

Some other examples:

IP addresses in AS15169 with at least one communicating file detected by 30 or more engines
entity:ip asn:"15169" communicating_files_max_detections:30+

Domains from which at least one file detected by 20 or more engines was downloaded
entity:domain downloaded_files_max_detections:20+

URLs flagged by at least 3 engines that embed a tracker
entity:url p:3+ have:tracker

Signed files flagged by at least 10 engines
entity:file tag:signed p:10+

Collections whose name or tags mention APT
entity:collection name:apt or tag:apt
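The GUI links above carry the query in the URL path, percent-encoded twice. The following Python is an added example by the editor, not VirusTotal's own code: it decodes such a link back into its query, rebuilds a shareable link from a query, and generates the AND NOT ( parent_domain:... ) exclusion clause the two Telegram examples use. The /gui/search/<query>[/files|/urls] layout is inferred from the links on this page; that a query without entity: searches files is an assumption, and the GUI leaves characters such as "(", ")" and "*" literal while this code encodes them (both forms decode to the same query).

```python
# Added example (editor's code, not VirusTotal's): decode and build GUI search links.
import re
from urllib.parse import quote, unquote, urlparse

GUI_PREFIX = "https://www.virustotal.com/gui/search/"
# Trailing result-type segment seen in this page's links; domain searches carry none.
RESULT_SEGMENTS = {"file": "files", "url": "urls"}


def decode_gui_link(link: str) -> str:
    """Return the VT Intelligence query embedded in a GUI search link."""
    path = urlparse(link).path
    if not path.startswith("/gui/search/"):
        raise ValueError("not a VirusTotal GUI search link")
    body = path[len("/gui/search/"):]
    # Inside the query every '/' is encoded as %252F, so a literal trailing
    # '/files' or '/urls' can only be the GUI's result-type segment.
    for segment in RESULT_SEGMENTS.values():
        if body.endswith("/" + segment):
            body = body[: -(len(segment) + 1)]
            break
    # The GUI percent-encodes the query twice (':' -> %3A -> %253A): decode twice.
    return unquote(unquote(body)).strip()


def query_entity(query: str) -> str:
    """Entity named by the entity: keyword; a query without it is assumed to search files."""
    match = re.search(r"\bentity:(\w+)", query)
    return match.group(1) if match else "file"


def encode_gui_link(query: str) -> str:
    """Build a shareable GUI link: encode the query twice, then add the result-type segment."""
    encoded = quote(quote(query, safe=""), safe="")
    segment = RESULT_SEGMENTS.get(query_entity(query))
    return GUI_PREFIX + encoded + (f"/{segment}" if segment else "")


def exclude_parent_domains(query: str, domains) -> str:
    """Append the exclusion clause used by the Telegram examples:
    AND NOT ( parent_domain:"a" OR parent_domain:"b" ... )."""
    clause = " OR ".join(f'parent_domain:"{d}"' for d in domains)
    return f"{query} AND NOT ( {clause} )"


if __name__ == "__main__":
    # Two links copied from this page.
    page_links = [
        "https://www.virustotal.com/gui/search/entity%253Afile%2520(type%253Apeexe%2520or%2520type%253Apedll)%2520behavior%253Ahttp/files",
        "https://www.virustotal.com/gui/search/entity%253Adomain%2520engines%253Aphishing%2520tld%253Aar",
    ]
    for link in page_links:
        query = decode_gui_link(link)
        print(query)
        assert decode_gui_link(encode_gui_link(query)) == query  # round trip
    official = ["tdesktop.com", "telegram.org", "telegram.me", "t.me"]
    print(encode_gui_link(exclude_parent_domains("entity:domain fuzzy_domain:telegram.org", official)))
```

Decoding a colleague's link before running it is worth the few seconds: the query is what actually executes, and the link text says nothing about the modifiers it contains.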

Ordering VirusTotal Intelligence searches


Remember that VirusTotal Intelligence searches can take an order parameter. This order parameter defines the order in which results are returned. It can be followed by a plus (+) or minus (-) sign to indicate ascending or descending order respectively (i.e. <order>+, <order>-). If no ascending/descending sign is specified, ascending order is assumed, so <order> and <order>+ are equivalent. If the order parameter is not provided, items are returned in a default order. The following table shows the supported and default orders for every kind of entity:

Entity type | Supported orders                                                                | Default order
file        | first_submission_date, last_submission_date, positives, times_submitted, size   | last_submission_date-
url         | first_submission_date, last_submission_date, positives, times_submitted, status | last_submission_date-
domain      | creation_date, last_modification_date, last_update_date, positives              | last_modification_date-
ip          | ip, last_modification_date, positives                                           | last_modification_date-

Remember that content searches cannot be sorted, so if your query contains a content search the order parameter has no effect.
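To make the ordering rules concrete, the following Python is an added example by the editor, not VirusTotal's own code. It normalizes an order against the table above, treats a bare field as ascending, drops the order for content searches, and describes the API v3 request a client would send. It assumes the public API v3 endpoint GET /api/v3/intelligence/search with query, order and limit parameters and an x-apikey header, that a query without entity: searches files, and that the content: modifier is what the page means by a content search; confirm these against the API reference before relying on them.

```python
# Added example (editor's code, not VirusTotal's): apply the ordering rules and build
# the API v3 search request. Endpoint and parameter names are assumptions (see lead-in).
import re
from typing import Optional
from urllib.parse import urlencode

API_SEARCH = "https://www.virustotal.com/api/v3/intelligence/search"

# Supported and default orders per entity type, copied from the table above.
SUPPORTED_ORDERS = {
    "file": {"first_submission_date", "last_submission_date", "positives", "times_submitted", "size"},
    "url": {"first_submission_date", "last_submission_date", "positives", "times_submitted", "status"},
    "domain": {"creation_date", "last_modification_date", "last_update_date", "positives"},
    "ip": {"ip", "last_modification_date", "positives"},
}
DEFAULT_ORDER = {
    "file": "last_submission_date-",
    "url": "last_submission_date-",
    "domain": "last_modification_date-",
    "ip": "last_modification_date-",
}


def query_entity(query: str) -> str:
    """Entity named by the entity: keyword; a query without it is assumed to search files."""
    match = re.search(r"\bentity:(\w+)", query)
    return match.group(1) if match else "file"


def has_content_search(query: str) -> bool:
    """True when the query uses the content: modifier, whose results cannot be sorted."""
    return re.search(r"\bcontent:", query) is not None


def split_order(order: str):
    """'positives-' -> ('positives', '-'); a bare field means ascending, like 'field+'."""
    if order and order[-1] in "+-":
        return order[:-1], order[-1]
    return order, "+"


def is_supported_order(query: str, order: str) -> bool:
    """Whether the order's field is in the supported list for the query's entity type."""
    field, _ = split_order(order)
    return field in SUPPORTED_ORDERS.get(query_entity(query), set())


def effective_order(query: str, order: Optional[str] = None) -> Optional[str]:
    """Order the service will actually apply, as '<field>+' or '<field>-'.
    Returns None for a content search, which cannot be sorted."""
    entity = query_entity(query)
    if entity not in SUPPORTED_ORDERS:
        raise ValueError(f"no ordering table for entity:{entity}")
    if has_content_search(query):
        return None
    if not order:
        return DEFAULT_ORDER[entity]
    if not is_supported_order(query, order):
        raise ValueError(f"{order!r} is not a supported order for entity:{entity}; "
                         f"use one of {sorted(SUPPORTED_ORDERS[entity])}")
    field, direction = split_order(order)
    return field + direction


def build_search_request(api_key: str, query: str, order: Optional[str] = None, limit: int = 10) -> dict:
    """Describe the GET request for the search without sending it."""
    params = {"query": query, "limit": limit}
    applied = effective_order(query, order)
    if order and applied is not None:
        params["order"] = applied  # omitted for content searches: it would be ignored anyway
    return {"method": "GET", "url": f"{API_SEARCH}?{urlencode(params)}", "headers": {"x-apikey": api_key}}


if __name__ == "__main__":
    # Placeholder key; a real client reads it from the environment, never from source.
    for query, order in [("entity:file tag:signed p:10+", "positives-"),
                         ("entity:domain tld:ar engines:phishing", None),
                         ("entity:file content:{4d 5a 90 00}", "size-")]:
        req = build_search_request("<api-key>", query, order)
        print(effective_order(query, order), req["url"])
```

Validating the order client-side matters when a search feeds automation: an unsupported field or an order silently ignored on a content search changes which results land in the first page, and therefore which samples a pipeline pulls.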