IoC-Stream Notifications

Notifications generated by matches in the IoC-Stream

An IoC Stream Notification object represents a notification generated by one of your IoC-Stream sources.

The object contains the following attributes:

  • date: <integer> notification date as UTC timestamp.
  • entity_type: <string> the type of object the notification has matched.
  • entity_id: <string> the ID of the object the notification has matched.
  • origin: <string> the origin of the notification.
  • hunting_info: <dictionary> only present in notifications with origin=hunting. Includes additional information about the match. This dictionary can contain the following fields:
    • match_in_subfile: <boolean> whether the match was in a subfile or not.
    • rule_name: <string> matched rule name.
    • rule_tags: <list of strings> matched rule tags.
    • snippet: <string> matched contents inside the file as hexdump. Contains begin_highlight and end_highlight substrings to indicate the part of the file that produced the match and give additional context about surrounding bytes in the match.
    • source_country: <string> country where the matched file was uploaded from.
    • source_key: <string> unique identifier for the source in ciphered form.
  • sources: <list of dictionaries> the different sources associated with the notification. For example, in notifications from Livehunt the only source is always the hunting ruleset that triggered the notification.
  • tags: <list of strings> notification tags.
{
  "data": {
    "attributes": {
      "date": <int>,
      "entity_type": <string>,
      "entity_id": <string>,
      "origin": <string>,
      "hunting_info": {
        "match_in_subfile": <bool>,
        "rule_name": <string>,
        "rule_tags": [<string>, ...],
        "snippet": <string>,
        "source_country": <string>,
        "source_key": <string>
      },
      "sources": [{"type": <string>, "id": <string>}, ...],
      "tags": [<string>, ...]
    },
    "id": <string>,
    "links": {
      "self": "https://www.virustotal.com/api/v3/ioc_stream_notifications/<id>"
    },
    "type": "ioc_stream_notification"
  }
}
{
    "data": {
        "attributes": {
            "origin": "hunting",
            "entity_id": "7ed0586b68a24bbe7cb29852beb48f2c6a625af46d2fbc3c652d552aa1b1bb5b",
            "hunting_info": {
                "rule_name": "vulnerability_weaponization",
                "source_country": "TR",
                "source_key": "3ed40be4"
            },
            "tags": [
                "ransomware",
                "vulnerability_weaponization",
                "wcoyote"
            ],
            "entity_type": "file",
            "sources": [
                {
                    "type": "hunting_ruleset",
                    "id": "123456789"
                }
            ],
            "date": 1684830325
        },
        "type": "ioc_stream_notification",
        "id": "10494503008",
        "links": {
            "self": "https://www.virustotal.com/api/v3/ioc_stream_notifications/10494503008"
        }
    }
}
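
One way to consume this object on the receiving side, as an added example that is not part of the original documentation or VirusTotal's own code. The function names, the output keys and the snippet text in the sample are assumptions made for illustration; the exact layout of the highlight markers inside a real snippet may differ.

```python
import json
from datetime import datetime, timezone

BEGIN, END = "begin_highlight", "end_highlight"

def highlighted_spans(snippet):
    """Return the text found between each begin_highlight/end_highlight pair."""
    spans, pos = [], 0
    while (start := snippet.find(BEGIN, pos)) != -1:
        start += len(BEGIN)
        end = snippet.find(END, start)
        if end == -1:              # unterminated marker: keep the remainder
            end = len(snippet)
        spans.append(snippet[start:end].strip())
        pos = end + len(END)
    return spans

def parse_notification(doc):
    """Flatten one notification; hunting_info is optional (origin=hunting only)."""
    data = doc["data"]
    if data.get("type") != "ioc_stream_notification":
        raise ValueError(f"unexpected object type: {data.get('type')!r}")
    attrs = data["attributes"]
    hunting = attrs.get("hunting_info") or {}
    return {
        "id": data["id"],
        "when": datetime.fromtimestamp(attrs["date"], tz=timezone.utc),
        "entity": (attrs["entity_type"], attrs["entity_id"]),
        "origin": attrs["origin"],
        "rule_name": hunting.get("rule_name"),
        "in_subfile": hunting.get("match_in_subfile"),  # None when not reported
        "highlights": highlighted_spans(hunting.get("snippet", "")),
        "source_ids": [s["id"] for s in attrs.get("sources", [])],
        "tags": attrs.get("tags", []),
    }

# Constructed sample: the page's example notification plus a made-up snippet.
SAMPLE = json.loads("""{"data": {"type": "ioc_stream_notification", "id": "10494503008",
  "attributes": {"origin": "hunting", "entity_type": "file", "date": 1684830325,
    "entity_id": "7ed0586b68a24bbe7cb29852beb48f2c6a625af46d2fbc3c652d552aa1b1bb5b",
    "hunting_info": {"rule_name": "vulnerability_weaponization",
      "snippet": "00 01 begin_highlight 4D 5A 90 00 end_highlight 03 00"},
    "sources": [{"type": "hunting_ruleset", "id": "123456789"}],
    "tags": ["ransomware"]}}}""")

if __name__ == "__main__":
    print(parse_notification(SAMPLE))
```

Treating hunting_info as optional keeps the same code path working for notifications whose origin is not hunting.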