Introducing Saved Searches in Google Threat Intelligence (GTI) and VirusTotal (VT): Enhance Collaboration and Efficiency


We are excited to announce the launch of Saved Searches in Google Threat Intelligence (GTI) and VirusTotal (VT), a powerful new feature designed to streamline your threat hunting workflows and foster seamless collaboration across your security team.

From Campaign to Feature: Better Search Efficiency

For the last month, we’ve highlighted the critical importance of mastering search in our ongoing #monthofgoogletisearch campaign. We saw how security teams rely on complex, highly-tuned queries to identify threats, track adversaries, and perform deep-dive investigations.

This campaign emphasized a key challenge: once you craft the perfect query - a cornerstone of your investigation - it should be easy to reuse and share. Saved Searches is the direct answer to this need, turning successful, repeatable threat-hunting logic into a shared institutional asset.

Collaboration, Simplified: Save and Share Your Queries

With this initial launch of Saved Searches, we’re delivering two foundational capabilities that will immediately improve your team’s efficiency:

  1. Save Searches: Instantly save any complex or frequently used query directly within GTI. This ensures your best investigative logic is always accessible, eliminating the need to rebuild queries from scratch or store them externally.
  2. Share with Users: Critical insights are often time-sensitive. You can now easily share your saved searches with any other user in your organization with access to GTI. Whether you’re escalating a finding or establishing a standard workflow, sharing the exact query ensures consistency and accelerates joint analysis.

This means that a newly onboarded analyst can instantly access the expertise of senior members, and teams can maintain a unified approach to monitoring high-priority threats. It’s collaboration built right into your investigation tool.

Get Started Today with Campaign Searches

The Saved Searches feature is live now in Google Threat Intelligence and VirusTotal.

To help you hit the ground running, we have made the most impactful searches used throughout the #monthofgoogletisearch campaign public and available to all intelligence users! You can find these expert-crafted queries in your Saved Searches section today - a perfect starting point for your investigations.



Start by exploring these campaign searches and then easily save and share your own complex search queries. Look for the option to Save and Share your searches to transform your investigative logic into a shared asset.



This is just the first phase of enhancing search capabilities within GTI. We are committed to building on this foundation to provide even more robust tools that make your threat intelligence actionable and collaborative.

You can get more info by exploring our documentation page:

Thank you for your feedback during the #monthofgoogletisearch campaign - your input directly fueled this launch.

Happy Hunting! ^_^


November is the Month of Searches: Explore, Learn, and Share with #MonthOfVTSearch

This November, we’re celebrating the power of VirusTotal Enterprise search!
All VirusTotal customers will enjoy uncapped searches through the GUI: no quota consumption for the entire month, as long as the searches are run manually via the web interface.
Whether you’re investigating malware campaigns, analyzing infrastructure, or tracking threat actor activity, this is your chance to search freely and explore advanced use cases using VirusTotal Intelligence.
Experiment with powerful VT search modifiers to uncover patterns, hunt for related samples, and pivot across hashes, domains, IP addresses, or URLs, without worrying about your quota.

What’s happening

  • No quota consumption for all GUI searches during November (API interaction will continue to consume quota).
  • Every day, we’ll share interesting and creative search queries on our LinkedIn and X channels using the hashtag #MonthOfVTSearch.
  • We invite you to try these searches, interact with us, and share your own search tips and findings with the community.

Learn and level up

Make the most of this month to sharpen your threat-hunting skills:

Example: Day 1 Search Query

To kick off #MonthOfVTSearch, here’s the first advanced query we’re sharing with the community:

What this query does:

This search helps identify document files that, when executed in a sandbox environment, show behavior consistent with potential malicious activity involving .ru infrastructure. It specifically looks for:
  • Documents (type:document) that were uploaded to VT.
  • During execution, they show process behavior containing:
    • HTTP traffic (behavior_processes:*http*)
    • The string DavSetCookie (often observed in HTTP request headers or custom cookie operations)
    • And references to .ru domains
  • And additionally, they show network or embedded indicators related to .ru domains via:
    • Behavior-based network connections (behavior_network:*.ru*), or
    • Embedded domains or URLs within the file (embedded_domain:*.ru*, embedded_url:*.ru*)
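
The grouping of these clauses can be checked locally. The following is an added example, not code or a query from the original post: it applies the same AND/OR structure and wildcards to constructed sandbox summaries. The record fields and sample names are hypothetical, and it is not VirusTotal's search engine.

```python
from fnmatch import fnmatchcase

def any_match(values, pattern):
    """True if any string matches the wildcard pattern, case-insensitively."""
    return any(fnmatchcase(v.lower(), pattern.lower()) for v in values)

def matches_described_logic(report):
    """Local approximation of the clause grouping described above."""
    if report["type"] != "document":
        return False
    procs = report["processes"]
    # Group 1: all three process-behaviour terms must be present.
    # Assumption: each term may be satisfied by a different process line.
    if not all(any_match(procs, p) for p in ("*http*", "*DavSetCookie*", "*.ru*")):
        return False
    # Group 2: at least one .ru indicator from network or embedded data.
    return (any_match(report["network"], "*.ru*")
            or any_match(report["embedded_domains"], "*.ru*")
            or any_match(report["embedded_urls"], "*.ru*"))

def rec(name, ftype, procs, network=(), domains=(), urls=()):
    """Build one constructed sandbox summary (hypothetical field names)."""
    return {"name": name, "type": ftype, "processes": list(procs),
            "network": list(network), "embedded_domains": list(domains),
            "embedded_urls": list(urls)}

# Constructed command line in the shape of a WebDAV client invocation.
DAV = "rundll32.exe davclnt.dll,DavSetCookie {0} http://{0}/share/"
RU, COM, LOOKALIKE = "files.example.ru", "files.example.com", "cdn.rubix.example.com"

# Constructed records, not real VirusTotal reports.
REPORTS = [
    rec("doc-webdav-ru", "document", [DAV.format(RU)], network=[RU]),
    rec("doc-webdav-com", "document", [DAV.format(COM)], network=[COM]),
    rec("exe-webdav-ru", "peexe", [DAV.format(RU)], network=[RU]),
    rec("doc-no-indicator", "document", [DAV.format(RU)]),
    rec("doc-embedded-url", "document", [DAV.format(RU)],
        urls=["http://" + RU + "/share/"]),
    # "*.ru*" is a substring match, so ".rubix" satisfies it as well.
    rec("doc-substring-fp", "document", [DAV.format(LOOKALIKE)], network=[LOOKALIKE]),
]

def matching_names(reports):
    return [r["name"] for r in reports if matches_described_logic(r)]

if __name__ == "__main__":
    print(matching_names(REPORTS))
```

The last record matches only because `*.ru*` is a substring wildcard, so results from a pattern like this still need triage for hostnames that merely contain `.ru`.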

Join the community

Let’s make November a month of discovery and collaboration! Tag your posts with #MonthOfVTSearch, share your favorite searches, and show the world how you use VirusTotal to explore and understand the threat landscape.
In the meantime, if you have any feedback you can contact us.