
How to access and download all VT notifications and associated samples via CLI #106

Open
BlasterXiao opened this issue Feb 21, 2025 · 2 comments

Comments

@BlasterXiao

Question

I would like to know how to access and download all notifications and their associated samples through vt-cli, especially those captured by hunting rules.

Expected Features

  1. List all notifications
  2. Filter notifications by type (e.g., hunting rules matches)
  3. Download samples associated with notifications
  4. Export notification data in a structured format

Current Status

Currently, I cannot find documentation or commands in vt-cli that directly handle notification management and sample downloading from notifications.

Feature Request

Would it be possible to add the following commands to vt-cli:

  • vt notifications list - List all notifications
  • vt notifications download - Download samples from notifications
  • vt notifications export - Export notifications data

Use Cases

  1. Automated monitoring of hunting rule matches
  2. Batch downloading of matched samples
  3. Integration with security automation workflows

Any guidance on whether these features exist or if they're planned for future releases would be greatly appreciated.

@BlasterXiao
Author

notifications list ---> URL\file\domain\IP information: it seems only file information can be displayed, while the others cannot be shown.

@mgmacias95
Member

You can list notifications by using the iocstream command:

Usage:
  vt iocstream [notification_id]... [flags]
  vt iocstream [command]

Aliases:
  iocstream, is

Examples:
## List:
# List notifications from a hunting rule by name
vt iocstream list -f "origin:hunting tag:my_rule"
# List notifications from a hunting ruleset by name
vt iocstream list -f "origin:hunting tag:myRuleset"
# List just the entity IDs of your IoC Stream matches
vt iocstream list -I
# List ALL the entity IDs in your IoC Stream and store them in a csv file (this might take a while)
vt iocstream list -I --limit 9999999 > results.csv
# List the first IoC Stream notifications including the hash, last_analysis_stats, size and file type
vt iocstream list -i "_id,last_analysis_stats,size,type_tag"
# Check if a hash is in your IoC Stream matches
vt iocstream list -f "entity_type:file entity_id:hash"

## Delete:
# Delete all notifications matching a filter, e.g. all matches for a YARA rule/ruleset. This process is
# asynchronous, so it can take a while to delete all the notifications.
vt iocstream delete -f "origin:hunting tag:my_rule"
# Delete a single notification with ID 1234568. The notification ID is displayed in the context_attributes.
vt iocstream delete 1234568

Available Commands:
  delete      Deletes notifications from the IoC Stream
  list        List IoCs from notifications

And you can download a batch of files by using the download command:

Usage:
  vt download [flags]

Aliases:
  download, dl

Examples:
  vt download 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
  vt download 76cdb2bad9582d23c1f6f4d868218d6c 44d88612fea8a8f36de82e1278abb02f
  cat list_of_hashes | vt download -

I hope this helps.
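A shell wrapper that chains the two commands above to pull every file sample matched by one hunting rule or ruleset, added here as an example (it is not vt-cli's code and was not posted in this thread). It assumes `vt` is on PATH with an API key configured, that `vt iocstream list -I` prints one entity identifier per line with files as bare SHA-256 hashes (a `file/` prefix is tolerated), and that `vt download -o DIR` sets the output directory; the `entity_type:file` filter is the one shown in the help text and addresses the point that only file entities are downloadable.

```shell
#!/bin/sh
# Added example, not part of vt-cli or this thread. Assumes: `vt` on PATH with an
# API key configured; `vt iocstream list -I` prints one entity ID per line, files as
# bare SHA-256 (a "file/" prefix is tolerated); `vt download -o DIR` sets the output dir.
set -eu

RULE_TAG="${1:-my_rule}"   # hunting rule or ruleset name, as in the -f filters above
OUTDIR="${2:-./samples}"   # where downloaded samples and the ID lists are written
LIMIT="${3:-500}"          # cap on notifications fetched per run

# Keep only file identifiers: strip an optional "file/" prefix, require 64 hex chars,
# lowercase, and de-duplicate. URL object IDs in the v3 API are also 64-hex, so the
# real guard is the entity_type:file filter passed to iocstream below.
filter_file_ids() {
    sed -e 's#^file/##' | grep -E '^[0-9a-fA-F]{64}$' | tr 'A-F' 'a-f' | sort -u
}

# List entity IDs of IoC Stream notifications produced by one hunting rule/ruleset,
# restricted to file entities (URL, domain and IP matches cannot be downloaded).
list_rule_file_ids() {
    vt iocstream list -f "origin:hunting tag:$1 entity_type:file" -I --limit "$2"
}

main() {
    mkdir -p "$OUTDIR"
    # Keep the raw ID list as a record, then download the filtered hashes from stdin.
    list_rule_file_ids "$RULE_TAG" "$LIMIT" | tee "$OUTDIR/ids_raw.txt" \
        | filter_file_ids > "$OUTDIR/hashes.txt"
    echo "downloading $(wc -l < "$OUTDIR/hashes.txt") samples for '$RULE_TAG' into $OUTDIR"
    vt download -o "$OUTDIR" - < "$OUTDIR/hashes.txt"
}

if command -v vt >/dev/null 2>&1; then
    main "$@"
else
    echo "vt-cli (vt) not found on PATH; nothing downloaded" >&2
fi
```

Run it as `sh pull_rule_samples.sh my_rule ./samples 1000`; swapping `tag:my_rule` for a ruleset name works exactly as in the help text.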
