get https://www.virustotal.com/api/v3/feeds/file_behaviours//evtx
Special privileges required
Sandbox analyses feeds endpoints are only available to users with a Sandbox feeds license. Contact us for more information.
Each JSON object contained in the file behaviour feed packages include a link to this API endpoint to download the extracted EVTX from the file's Windows sandbox execution. The available in the feed link already includes the download token required by this endpoint. The following snippet represents the JSON structure in the file behaviour feed that takes to the link:
{
"context_attributes": {
"evtx": "https://www.virustotal.com/api/v3/feeds/file_behaviours/<TOKEN>/evtx"
}
}
The link only works during the feed's lifetime. Check /feeds/file_behaviours/{time} for more information.