IoC-Stream Notifications

Notifications generated by matches in the IoC-Stream

An IoC Stream Notification object represents a notification generated by one of your IoC-Stream sources.

The object contains the following attributes:

  • date: <integer> notification date as UTC timestamp.
  • entity_type: <string> the type of object the notification has matched.
  • entity_id: <string> the ID of the object the notification has matched.
  • origin: <string> the origin of the notification.
  • hunting_info: <dictionary> only present in notifications with origin=hunting. Includes additional information about the match. This dictionary can contain the following fields:
    • match_in_subfile: <boolean> whether the match was in a subfile or not.
    • rule_name: <string> matched rule name.
    • rule_tags: <list of strings> matched rule tags.
    • snippet: <string> matched contents inside the file as hexdump. Contains begin_highlight and end_highlight substrings to indicate the part of the file that produced the match and give additional context about surrounding bytes in the match.
    • source_country: <string> country where the matched file was uploaded from.
    • source_key: <string> unique identifier for the source in ciphered form.
  • sources: <list of dictionaries> the different sources associated with the notification. For example, in notifications from Livehunt the only source is always the hunting ruleset that triggered the notification.
  • tags: <list of strings> notification tags.
{
  "data": {
    "attributes": {
      "date": <int>,
      "entity_type": <string>,
      "entity_id": <string>,
      "origin": <string>,
      "hunting_info": {
        "match_in_subfile": <bool>,
        "rule_name": <string>,
        "rule_tags": [<string>, ...],
        "snippet": <string>,
        "source_country": <string>,
        "source_key": <string>
      },
      "sources": [{"type": <string>, "id": <string>}, ...],
      "tags": [<string>, ...]
    },
    "id": <string>,
    "links": {
      "self": "https://www.virustotal.com/api/v3/ioc_stream_notifications/<id>"
    },
    "type": "ioc_stream_notification"
  }
}

{
	"data": {
		"attributes": {
			"origin": "hunting",
			"entity_id": "7ed0586b68a24bbe7cb29852beb48f2c6a625af46d2fbc3c652d552aa1b1bb5b",
			"hunting_info": {
				"rule_name": "vulnerability_weaponization",
				"source_country": "TR",
				"source_key": "3ed40be4"
			},
			"tags": [
				"ransomware",
				"vulnerability_weaponization",
				"wcoyote"
			],
			"entity_type": "file",
			"sources": [
				{
					"type": "hunting_ruleset",
					"id": "123456789"
				}
			],
			"date": 1684830325
		},
		"type": "ioc_stream_notification",
		"id": "10494503008",
		"links": {
			"self": "https://www.virustotal.com/api/v3/ioc_stream_notifications/10494503008"
		}
	}
}
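An added example, not part of the original documentation or VirusTotal's own code: one way to flatten a notification into a triage record, treating hunting_info as optional and pulling the highlighted bytes out of the snippet. The summarize helper, the sample values and the exact snippet layout are assumptions made for illustration.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample shaped like the object described above.
# The hash, rule name and snippet layout are made-up values.
SAMPLE = json.dumps({
    "data": {
        "type": "ioc_stream_notification",
        "id": "1",
        "attributes": {
            "date": 1684830325,
            "origin": "hunting",
            "entity_type": "file",
            "entity_id": "0" * 64,
            "hunting_info": {
                "rule_name": "example_rule",
                "snippet": "4D 5A begin_highlight90 00 03end_highlight 00 00",
            },
            "sources": [{"type": "hunting_ruleset", "id": "123"}],
            "tags": ["example_rule"],
        },
    }
})

# Markers named in the snippet attribute's description.
HIGHLIGHT = re.compile(r"begin_highlight(.*?)end_highlight", re.DOTALL)

def summarize(raw):
    """Flatten one notification into a triage record (hypothetical helper)."""
    data = json.loads(raw)["data"]
    if data.get("type") != "ioc_stream_notification":
        raise ValueError("not an ioc_stream_notification object")
    attrs = data["attributes"]
    # hunting_info exists only when origin is "hunting"; its fields are optional.
    info = attrs.get("hunting_info", {}) if attrs.get("origin") == "hunting" else {}
    return {
        "id": data["id"],
        "when": datetime.fromtimestamp(attrs["date"], tz=timezone.utc).isoformat(),
        "entity": (attrs["entity_type"], attrs["entity_id"]),
        "origin": attrs.get("origin"),
        "rule": info.get("rule_name"),
        "in_subfile": info.get("match_in_subfile"),
        "matched_bytes": [m.strip() for m in HIGHLIGHT.findall(info.get("snippet", ""))],
        "sources": [(s["type"], s["id"]) for s in attrs.get("sources", [])],
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```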