Add iocstream command examples (#66)

VirusTotal · Feb 24, 2023 · 6e23d13 · 6e23d13
1 parent e7144e6
commit 6e23d13
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 5 deletions.
diff --git a/cmd/collection.go b/cmd/collection.go
@@ -31,7 +31,7 @@ the standard input, one per line.`
 
 var collectionCmdExample = `  vt collection malpedia_win_emotet
   vt collection malpedia_win_emotet alienvault_603eb1abdd4812819c64e197
-  cat list_of_collections | vt collection -`
+  cat list_of_collections | vt collection -n [collection_name] -d [collection_description] -`
 
 // NewCollectionCmd returns a new instance of the 'collection' command.
 func NewCollectionCmd() *cobra.Command {

diff --git a/cmd/ioc_stream.go b/cmd/ioc_stream.go
@@ -28,12 +28,52 @@ import (
 	"github.com/spf13/cobra"
 )
 
+var iocStreamCmdExamples = `## List:
+# List notifications from a hunting rule by name
+vt iocstream list -f "origin:hunting tag:my_rule"
+# List notifications from a hunting ruleset by name
+vt iocstream list -f "origin:hunting tag:myRuleset"
+# List just the entity IDs of your IoC Stream matches
+vt iocstream list -I
+# List ALL the entity IDs in your IoC Stream and store them in a csv file (this might take a while)
+vt iocstream list -I –limit 9999999 > results.csv
+# List the first IoC Stream notifications including the hash, last_analysis_stats, size and file type
+vt iocstream list -i "_id,last_analysis_stats,size,type_tag"
+# Check if a hash is in your IoC Stream matches
+vt iocstream list -f "entity_type:file entity_id:hash"
+
+## Delete:
+# Delete all notifications matching a filter, e.g. all matches for a YARA rule/ruleset. This process is
+# asynchronous, so it can take a while to delete all the notifications.
+vt iocstream delete -f "origin:hunting tag:my_rule"
+# Delete a single notification with ID 1234568. The notification ID is displayed in the context_attributes.
+vt iocstream delete 1234568`
+
+var iocStreamListCmdExamples = `# List notifications from a hunting rule by name
+vt iocstream list -f "origin:hunting tag:my_rule"
+# List notifications from a hunting ruleset by name
+vt iocstream list -f "origin:hunting tag:myRuleset"
+# List just the entity IDs of your IoC Stream matches
+vt iocstream list -I
+# List ALL the entity IDs in your IoC Stream and store them in a csv file (this might take a while)
+vt iocstream list -I –limit 9999999 > results.csv
+# List the first IoC Stream notifications including the hash, last_analysis_stats, size and file type
+vt iocstream list -i "_id,last_analysis_stats,size,type_tag"
+# Check if a hash is in your IoC Stream matches
+vt iocstream list -f "entity_type:file entity_id:hash"`
+
+var iocStreamDeleteCmdExamples = `# Delete all notifications matching a filter, e.g. all matches for a YARA rule/ruleset
+vt iocstream delete -f "origin:hunting tag:my_rule"
+# Delete a single notification with ID 1234568. The notification ID is displayed in the context_attributes.
+vt iocstream delete 1234568`
+
 // NewIOCStreamCmd returns a new instance of the `ioc
 func NewIOCStreamCmd() *cobra.Command {
 	cmd := &cobra.Command{
 		Aliases: []string{"is"},
-		Use:     "iocstream [id]...",
+		Use:     "iocstream [notification_id]...",
 		Short:   "Manage IoC Stream notifications",
+		Example: iocStreamCmdExamples,
 		Args:    cobra.ExactArgs(1),
 
 		RunE: func(cmd *cobra.Command, args []string) error {
@@ -65,6 +105,7 @@ func NewIOCStreamListCmd() *cobra.Command {
 		Aliases: []string{"il"},
 		Use:     "list",
 		Short:   "List IoCs from notifications",
+		Example: iocStreamListCmdExamples,
 
 		RunE: func(cmd *cobra.Command, args []string) error {
 			p, err := NewPrinter(cmd)
@@ -93,9 +134,10 @@ then all the IoC Stream notifications matching the given filter are deleted.
 // NewIOCStreamDeleteCmd returns a new instance of the `ioc_stream delete` command.
 func NewIOCStreamDeleteCmd() *cobra.Command {
 	cmd := &cobra.Command{
-		Use:   "delete [notification id]...",
-		Short: "Deletes notifications from the IoC Stream",
-		Long:  iocStreamNotificationsDeleteCmdHelp,
+		Use:     "delete [notification id]...",
+		Short:   "Deletes notifications from the IoC Stream",
+		Long:    iocStreamNotificationsDeleteCmdHelp,
+		Example: iocStreamDeleteCmdExamples,
 
 		RunE: func(cmd *cobra.Command, args []string) error {
 			client, err := NewAPIClient()
@@ -132,6 +174,7 @@ func NewIOCStreamDeleteCmd() *cobra.Command {
 				if _, err := client.Delete(targetUrl); err != nil {
 					return err
 				}
+				fmt.Println("Notifications being deleted. This can take a while depending on the number of notifications.")
 			}
 			return nil
 		},