Hunting Rulesets

User's hunting rulesets

A Hunting Ruleset object describes a user's hunting ruleset. Hunting rulesets are only visible for their owners.

Object Attributes

  • creation_date: creation date as UTC timestamp.
  • enabled: <boolean> whether it's enabled or not.
  • limit: <integer> maximum number of notifications that the ruleset may generate in a 24h period. When a match is found, the number of hunting notifications generated in the last 24h is looked up and, if it is greater than this limit, the match is ignored.
  • rate_limited: <boolean> indicates whether the ruleset is currently disabled due to reaching its daily limit.
  • rate_limited_ratio: <float> a value between 0 and 1 representing the fraction of time that the ruleset was rate-limited during the past 24 hours. A value of 0.5 means the ruleset was rate-limited for 50% of the past 24 hours; a value of 0.25 means it was rate-limited for 6 of the past 24 hours.
  • modification_date: <integer> last modification date as UTC timestamp.
  • name: <string> ruleset name.
  • notification_emails: <list of strings> emails receiving hunting notifications for that ruleset.
  • rule_names: <list of strings> contains the names of all rules in the ruleset.
  • number_of_rules: <integer> number of rules in the ruleset.
  • rules: <string> rule file contents.
  • scheduled_disable_date: <integer> the ruleset will be disabled on the date given in this field.
  • scheduled_disable_reason: <string> its only value for the moment is "abandoned", meaning the ruleset has not been modified in two years.
  • tags: <list of strings> ruleset's custom tags.

Object structure:

{
  "data": {
    "attributes": {
      "creation_date": <int:timestamp>,
      "enabled": <boolean>,
      "limit": <int>,
      "rate_limited": <boolean>,
      "rate_limited_ratio": <float>,
      "modification_date": <int:timestamp>,
      "name": <string>,
      "notification_emails": [
        <string>
      ],
      "number_of_rules": <int>,
      "rule_names": [
        <string>
      ],
      "rules": <string>,
      "tags": [<string>]
    },
    "id": "<string>",
    "links": {
      "self": "https://www.virustotal.com/api/v3/intelligence/hunting_rulesets/<id>"
    },
    "type": "hunting_ruleset"
  }
}

Example:

{
  "data": {
    "attributes": {
      "creation_date": 1594997826,
      "enabled": true,
      "limit": 100,
      "modification_date": 1594997826,
      "name": "test",
      "notification_emails": [],
      "number_of_rules": 1,
      "tags": ["auto"],
      "rule_names": [
        "yara_template"
      ],
      "rules": "/*\n    Template YARA ruleset\n*/\nrule yara_template\n{\n    strings:\n        $a = \"VirusTotal\"\n    condition:\n        all of them\n}"
    },
    "id": "0000000000000000",
    "links": {
      "self": "https://www.virustotal.com/api/v3/intelligence/hunting_rulesets/0000000000000000"
    },
    "type": "hunting_ruleset"
  }
}
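As an added example (not code from this page or from VirusTotal), a Python review of a hunting ruleset object as returned by the endpoint above: it reports the attribute states an owner should act on (disabled, rate-limited, scheduled for disabling as abandoned, no recipients) and cross-checks rule_names and number_of_rules against the rule source. The sample object is constructed from the page's example with the rate-limit and scheduled-disable attributes filled in with made-up values; fetching the object from the API is assumed to happen elsewhere.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the object from the page's example, with the optional
# rate-limit and scheduled-disable attributes filled in (values are made up).
SAMPLE = {"data": {"id": "0000000000000000", "type": "hunting_ruleset", "attributes": {
    "creation_date": 1594997826, "modification_date": 1594997826,
    "enabled": True, "limit": 100,
    "rate_limited": True, "rate_limited_ratio": 0.25,
    "name": "test", "notification_emails": [], "tags": ["auto"],
    "number_of_rules": 1, "rule_names": ["yara_template"],
    "rules": "/*\n    Template YARA ruleset\n*/\nrule yara_template\n{\n"
             "    strings:\n        $a = \"VirusTotal\"\n    condition:\n        all of them\n}",
    "scheduled_disable_date": 1658069826, "scheduled_disable_reason": "abandoned",
}}}

# A YARA rule header: optional 'private'/'global' modifiers, then 'rule <name>'.
RULE_HEADER = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_]\w*)", re.M)

def rule_names_from_source(rules: str) -> list:
    """Names declared in the 'rules' text, for cross-checking against rule_names."""
    return RULE_HEADER.findall(rules)

def rate_limited_hours(ratio: float) -> float:
    """rate_limited_ratio is the fraction of the past 24h spent rate-limited (0.25 -> 6h)."""
    return round(ratio * 24, 2)

def review_ruleset(obj: dict) -> dict:
    """Summarize the states a ruleset owner should act on: disabled, rate-limited,
    about to be auto-disabled, no recipients, or metadata out of step with the rules."""
    attrs = obj["data"]["attributes"]
    findings = []
    if not attrs.get("enabled", False):
        findings.append("disabled")
    if attrs.get("rate_limited"):
        hours = rate_limited_hours(attrs.get("rate_limited_ratio", 0.0))
        findings.append(f"rate-limited for {hours}h of the last 24h (limit={attrs['limit']})")
    if attrs.get("scheduled_disable_reason") == "abandoned":
        when = datetime.fromtimestamp(attrs["scheduled_disable_date"], tz=timezone.utc)
        findings.append(f"abandoned: will be disabled on {when:%Y-%m-%d}")
    if not attrs.get("notification_emails"):
        findings.append("no notification emails configured")
    declared = attrs.get("rule_names", [])
    parsed = rule_names_from_source(attrs.get("rules", ""))
    if sorted(declared) != sorted(parsed) or attrs.get("number_of_rules") != len(parsed):
        findings.append("rule_names/number_of_rules disagree with the rule source")
    return {"id": obj["data"]["id"], "name": attrs["name"], "findings": findings}
```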

Relationships

In addition to the attributes described above, Hunting Ruleset objects have relationships with other objects in our dataset, which can be retrieved as explained in the Relationships section.

The following table summarizes the relationships available for hunting ruleset objects.

Relationship | Description | Accessibility | Return object type
editors | Users/Groups that can edit the ruleset. | Ruleset's owner/editor. | A list of Groups and Users.
hunting_notification_files | Files that matched with the ruleset filters. | Ruleset's owner/editor. | A list of Files.

These relationships are detailed in the subsections below.