Clues

VT Clues object: patterns that are prevalent among files with the same range of detections.

VT Clue surfaces patterns that are prevalent among files with the same range of detections. Clues can be used to find interesting pivots. Each clue is rendered as a message of the following form:

<feature_type> with <objects[*]>. <last_month_positive_rate * 100>% of the <last_month_total_log10_count> matching files analyzed in <last_month> had .

For example:

Drops file with SHA256 4a7464a48384ec6460e4b06b2c4477cc443dd4f84874d0e064ae6445a4047524. 99% of the thousands of matching files analyzed in May had positives: 1+ AND positives: 19-.

VT Clue is only available for premium API users. You can read more about how VT Clue works in this article.

Object Attributes

A Clue object contains the following attributes:

  • features: <list of dictionaries> contains information about the detected feature. Every subitem contains the following fields:
    • feature_type: <string> type of detected feature.
    • objects: <list of strings> list of objects that matched the feature.
  • label: <string> represents what the clue thinks of the file. It can be any of the following:
    • P0: goodware (i.e. positives:0)
    • P1_TO_P19: malware without AV consensus (i.e. positives: 1+ and positives:19-).
    • P20_PLUS: known malware (i.e. positives: 20+).
  • last_month: <integer> month whose data was used to create the rule (1 = January, ..., 12 = December).
  • last_month_positive_rate: <float> between 0.98 and 1.0; the fraction of samples matching this clue during that month that also carried the stated label.
  • last_month_total_log10_count: <integer> order of magnitude (base-10 logarithm) of the number of samples matching this rule.

Clue object structure (placeholders in angle brackets):

{
    "data": {
        "attributes": {
            "features": [
                {
                    "feature_type": "<string>",
                    "objects": [
                        "<string>",...
                    ]
                }
            ],
            "label": "<string>",
            "last_month": <int>,
            "last_month_positive_rate": <float>,
            "last_month_total_log10_count": <int>
        },
        "id": "<string>",
        "links": {
            "self": "https://www.virustotal.com/api/v3/clue_rules/<id>"
        },
        "type": "clue_rule"
    }
}

Clue object example:

{
    "data": {
        "attributes": {
            "features": [
                {
                    "feature_type": "FILE_DROPPED_PATH",
                    "objects": [
                        "blablabla.exe"
                    ]
                }
            ],
            "label": "P20_PLUS",
            "last_month": 5,
            "last_month_positive_rate": 1.0,
            "last_month_total_log10_count": 2
        },
        "id": "0c1556aa519b5b4c56d1595905f8153151f5d2e15f54e4535859f5925532994d",
        "links": {
            "self": "https://www.virustotal.com/api/v3/clue_rules/0c1556aa519b5b4c56d1595905f8153151f5d2e15f54e4535859f5925532994d"
        },
        "type": "clue_rule"
    }
}
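To show how the attributes above map onto the message template described at the top of the page, here is an added example (not VirusTotal's own code) that validates a clue_rule object and renders it into a human-readable message. The clue object is the page's own example, embedded inline so the script runs offline. The humanized feature wording (underscores to spaces) and the mapping from last_month_total_log10_count to a magnitude word ("hundreds", "thousands") are our assumptions; the page only shows that the sample message says "thousands".

```python
import copy
import json

# Clue object example copied from the page, embedded so this runs offline.
CLUE_EXAMPLE = json.loads("""
{
    "data": {
        "attributes": {
            "features": [
                {"feature_type": "FILE_DROPPED_PATH", "objects": ["blablabla.exe"]}
            ],
            "label": "P20_PLUS",
            "last_month": 5,
            "last_month_positive_rate": 1.0,
            "last_month_total_log10_count": 2
        },
        "id": "0c1556aa519b5b4c56d1595905f8153151f5d2e15f54e4535859f5925532994d",
        "links": {
            "self": "https://www.virustotal.com/api/v3/clue_rules/0c1556aa519b5b4c56d1595905f8153151f5d2e15f54e4535859f5925532994d"
        },
        "type": "clue_rule"
    }
}
""")

# Label -> detection range it stands for, as listed under the "label" attribute.
LABEL_RANGES = {
    "P0": "positives:0",
    "P1_TO_P19": "positives: 1+ AND positives: 19-",
    "P20_PLUS": "positives: 20+",
}

MONTHS = ["January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December"]

# Assumption: wording for the base-10 magnitude; the page does not define it.
MAGNITUDE_WORDS = {0: "ones", 1: "tens", 2: "hundreds", 3: "thousands",
                   4: "tens of thousands", 5: "hundreds of thousands", 6: "millions"}


def validate_clue(obj):
    """Return a list of problems found (empty list means the object is well formed)."""
    problems = []
    data = obj.get("data", {})
    attrs = data.get("attributes", {})
    if data.get("type") != "clue_rule":
        problems.append("type is not clue_rule")
    if attrs.get("label") not in LABEL_RANGES:
        problems.append(f"unknown label {attrs.get('label')!r}")
    rate = attrs.get("last_month_positive_rate")
    if not isinstance(rate, (int, float)) or not 0.98 <= rate <= 1.0:
        problems.append("last_month_positive_rate outside the documented 0.98..1.0 range")
    month = attrs.get("last_month")
    if not isinstance(month, int) or not 1 <= month <= 12:
        problems.append("last_month is not in 1..12")
    if not isinstance(attrs.get("last_month_total_log10_count"), int):
        problems.append("last_month_total_log10_count is not an integer")
    if not attrs.get("features"):
        problems.append("features list is empty")
    return problems


def clue_with(obj, **overrides):
    """Deep copy of a clue object with attribute overrides (used to build test cases)."""
    new = copy.deepcopy(obj)
    new["data"]["attributes"].update(overrides)
    return new


def clue_message(obj):
    """Render a clue_rule object into the message form described on the page."""
    problems = validate_clue(obj)
    if problems:
        raise ValueError("; ".join(problems))
    attrs = obj["data"]["attributes"]
    # Assumption: present FEATURE_TYPE as "Feature type"; the page's sample uses prose.
    feature_text = " and ".join(
        f"{f['feature_type'].replace('_', ' ').capitalize()} with {', '.join(f['objects'])}"
        for f in attrs["features"])
    rate_pct = round(attrs["last_month_positive_rate"] * 100)
    log10 = attrs["last_month_total_log10_count"]
    magnitude = MAGNITUDE_WORDS.get(log10, f"10^{log10}")
    month = MONTHS[attrs["last_month"] - 1]
    return (f"{feature_text}. {rate_pct}% of the {magnitude} of matching files "
            f"analyzed in {month} had {LABEL_RANGES[attrs['label']]}.")


if __name__ == "__main__":
    print(clue_message(CLUE_EXAMPLE))
```

Validation is deliberately strict about the documented ranges: a rate below 0.98 or an unknown label means the object is not a clue_rule as documented here, which is worth surfacing before the value is used as a pivot.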

Relationships

In addition to the previously described attributes, Clue objects contain relationships with other objects in our dataset that can be retrieved as explained in the Relationships section.

The following table shows a summary of available relationships for clue objects.

| Relationship | Description | Accessibility | Return object type |
|---|---|---|---|
| files | Files matching that clue rule. | VT Enterprise users only. | A list of Files. |
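As an added example of walking the files relationship (our code, not VirusTotal's), the following builds the relationship URL under the documented object path and pages through results. The URL shape /clue_rules/<id>/files, the limit and cursor query parameters, the x-apikey header and the meta.cursor pagination field follow the API v3 conventions described in the Relationships section and are assumptions here; the transport is injectable so the example runs offline against a constructed fake server, and the real urllib-based transport is only used when you supply a key.

```python
import json
import urllib.request
from urllib.parse import urlencode

VT_API = "https://www.virustotal.com/api/v3"


def clue_files_url(clue_id, limit=10, cursor=None):
    """Relationship URL for the files matching a clue rule (v3 path convention, assumed)."""
    params = {"limit": limit}
    if cursor:
        params["cursor"] = cursor
    return f"{VT_API}/clue_rules/{clue_id}/files?{urlencode(params)}"


def iter_clue_files(clue_id, api_key, http_get, limit=10, max_pages=100):
    """Yield file objects across pages. http_get(url, headers) -> parsed JSON dict.

    Pagination assumption: each page carries meta.cursor for the next page and
    omits it on the last page. max_pages bounds the walk so a misbehaving
    server cannot keep us looping.
    """
    cursor = None
    for _ in range(max_pages):
        page = http_get(clue_files_url(clue_id, limit, cursor), {"x-apikey": api_key})
        for item in page.get("data", []):
            yield item
        cursor = page.get("meta", {}).get("cursor")
        if not cursor:
            return


def collect_sha256s(clue_id, api_key, http_get, limit=10):
    """Return the ids (SHA256 hashes) of all files matching the clue."""
    return [f["id"] for f in iter_clue_files(clue_id, api_key, http_get, limit)]


def urllib_get(url, headers):
    """Real transport: GET the URL with the given headers and parse the JSON body."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


class FakeVT:
    """Constructed stand-in for the API: two pages of file objects, records every call."""

    def __init__(self):
        self.calls = []
        # Constructed placeholder ids, not real hashes.
        self.pages = {
            None: {"data": [{"type": "file", "id": "aa" * 32}, {"type": "file", "id": "bb" * 32}],
                   "meta": {"cursor": "cursor-page-2"}},
            "cursor-page-2": {"data": [{"type": "file", "id": "cc" * 32}], "meta": {}},
        }

    def __call__(self, url, headers):
        self.calls.append((url, dict(headers)))
        cursor = None
        if "cursor=" in url:
            cursor = url.split("cursor=")[1].split("&")[0]
        return self.pages[cursor]


CLUE_ID = "0c1556aa519b5b4c56d1595905f8153151f5d2e15f54e4535859f5925532994d"  # from the page

if __name__ == "__main__":
    fake = FakeVT()
    for sha in collect_sha256s(CLUE_ID, "PLACEHOLDER_API_KEY", fake, limit=2):
        print(sha)
    # To query the real service: collect_sha256s(CLUE_ID, "<your key>", urllib_get)
```

Keep the API key out of source and logs; the fake transport above stores headers only so the test can confirm the header name is sent.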

These relationships are detailed in the subsections below.