The IOC Stream view is an evolution of the previous Livehunt Notifications view. It lets you digest the incoming VirusTotal flux into relevant threat feeds that you can study here or easily export to improve detection in your security technologies.
As shown in the screenshot below, there are separate tabs for the different Threat Feeds: Files, URLs, Domains and IP Addresses.
There is also an Aggregated tab that combines all the feeds, and a "manage sources" link.
This other article explains how to subscribe to the new Threat Feeds (Collections and Threat Actors).
We'll use the files feed as an example, but all the views are similar.
In the IOC Stream view, all the notifications are listed sorted by matching date in descending order, as shown in the image below. Notifications are deleted automatically after 7 days.
- You can filter the notifications by a search string, a specific source name, etc.
- You can click to filter the notifications by the date on which they matched.
- You can click to filter the notifications by source type: Collection, Hunting ruleset, Retrohunt job or Threat Actor.
- The list of match notifications generated by your subscriptions.
- You can click on the source of an IoC to filter by that source.
- You can sort by matching date in ascending or descending order.
- You can export IOCs by downloading the matching files or copying their hashes to the clipboard.
- In the Actions menu you can:
  - Create a diff session with the selected files.
  - Create a VT Graph with the selected files.
  - Find commonalities in the selected files.
  - Add the selected files to a collection.
  - Refresh the data.
  - Delete the selected notifications, or all of them.
- Feature icons:
  - If your YARA rule is based on strings, hovering over the eye icon shows the match context.
  - If the matching file triggers network connections, hovering over the globe icon shows the related network locations.
  - If the matching file comes from a known distributor, hovering over the source icon shows the known distributor's name.
  - If the matching file has more than one name across its different submissions, hovering over the last name shows the list of names.
For Livehunt rules, you will additionally receive notifications by email if you configured your ruleset as described in the previous section. You can also access your notifications via the VirusTotal API.
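The export and source-type filtering described above can also be done programmatically against the API. The following is an added example, not VirusTotal's own code or documentation: a small client that pages through IoC Stream notifications, counts them per source type (the same breakdown the view's source-type filter offers) and produces a deduplicated list of file hashes, the API-side equivalent of "copy the hashes to the clipboard". The endpoint URL, the `filter`/`limit`/`cursor` parameters, the `x-apikey` header, the filter grammar and the notification object shape are assumptions drawn from the public API v3 conventions; the sample page embedded in the block is constructed so that the processing functions run offline.

```python
"""Consume VirusTotal IoC Stream notifications and export file hashes for detection tooling.

Added example, not VirusTotal's own code. Assumptions, labelled as such:
- GET https://www.virustotal.com/api/v3/ioc_stream with `filter`, `limit` and `cursor`
  query parameters and an `x-apikey` header (assumed endpoint and parameters);
- the `filter` grammar, e.g. "source_type:hunting_ruleset entity_type:file" (assumed);
- each item in `data` is the matched object (type "file", "url", "domain" or
  "ip_address") with `context_attributes.sources[]` entries carrying
  `type`, `id` and `label` (assumed object shape).
"""
import json
import urllib.parse
import urllib.request
from collections import Counter
from typing import Dict, Iterable, Iterator, List, Optional

IOC_STREAM_URL = "https://www.virustotal.com/api/v3/ioc_stream"  # assumed endpoint


def fetch_page(api_key: str, filter_expr: str, limit: int = 40,
               cursor: Optional[str] = None) -> Dict:
    """Fetch one page of notifications. Network call; not used by the offline sample."""
    params = {"filter": filter_expr, "limit": str(limit)}
    if cursor:
        params["cursor"] = cursor
    req = urllib.request.Request(
        IOC_STREAM_URL + "?" + urllib.parse.urlencode(params),
        headers={"x-apikey": api_key, "accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_pages(api_key: str, filter_expr: str) -> Iterator[Dict]:
    """Follow the cursor in `meta.cursor` until the API stops returning one."""
    cursor = None
    while True:
        page = fetch_page(api_key, filter_expr, cursor=cursor)
        yield page
        cursor = page.get("meta", {}).get("cursor")
        if not cursor:
            return


def iter_notifications(pages: Iterable[Dict]) -> Iterator[Dict]:
    """Flatten API pages into individual notification objects."""
    for page in pages:
        yield from page.get("data", [])


def sources_of(notification: Dict) -> List[Dict]:
    return notification.get("context_attributes", {}).get("sources", [])


def count_by_source_type(notifications: Iterable[Dict]) -> Dict[str, int]:
    """Count (notification, source) pairs per source type: collection,
    hunting_ruleset, retrohunt_job, threat_actor (values assumed)."""
    counts: Counter = Counter()
    for n in notifications:
        for s in sources_of(n):
            counts[s.get("type", "unknown")] += 1
    return dict(counts)


def export_file_hashes(notifications: Iterable[Dict],
                       source_type: Optional[str] = None) -> List[str]:
    """Deduplicated SHA-256 list of matching files, in first-seen order.
    Only type == "file" objects are exported; with `source_type` set, only
    notifications that have at least one source of that type are kept."""
    seen: List[str] = []
    for n in notifications:
        if n.get("type") != "file":
            continue
        if source_type and source_type not in {s.get("type") for s in sources_of(n)}:
            continue
        sha256 = n.get("attributes", {}).get("sha256") or n.get("id")
        if sha256 and sha256 not in seen:
            seen.append(sha256)
    return seen


# Constructed sample page (not real data): two files, one of them reported by two
# sources, plus one URL notification that must not end up in the file hash export.
HASH_A, HASH_B = "a" * 64, "b" * 64  # placeholder hashes
SAMPLE_PAGE = {
    "data": [
        {"type": "file", "id": HASH_A, "attributes": {"sha256": HASH_A},
         "context_attributes": {"sources": [
             {"type": "hunting_ruleset", "id": "r1", "label": "my_yara_rules"}]}},
        {"type": "file", "id": HASH_A, "attributes": {"sha256": HASH_A},
         "context_attributes": {"sources": [
             {"type": "collection", "id": "c1", "label": "sample_collection"}]}},
        {"type": "file", "id": HASH_B, "attributes": {"sha256": HASH_B},
         "context_attributes": {"sources": [
             {"type": "threat_actor", "id": "t1", "label": "sample_actor"}]}},
        {"type": "url", "id": "u1", "attributes": {"url": "http://example.test/x"},
         "context_attributes": {"sources": [
             {"type": "threat_actor", "id": "t1", "label": "sample_actor"}]}},
    ],
    "meta": {},
}

if __name__ == "__main__":
    notes = list(iter_notifications([SAMPLE_PAGE]))
    print("per source type:", count_by_source_type(notes))
    print("all file hashes:", export_file_hashes(notes))
    print("hunting_ruleset only:", export_file_hashes(notes, "hunting_ruleset"))
```

To run it against the live service, replace the sample with `iter_notifications(iter_pages(api_key, "entity_type:file"))`; everything downstream of the page iterator is unchanged, which is the point of keeping fetching and processing separate.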