VirusTotal
Integration version: 38.0
This integration was built on the second version of the VirusTotal API.
Use Cases
Suspicious phishing emails
If you receive an email whose attachment looks suspicious, you can have VirusTotal scan the attachment for viruses. Send the email attachment to VirusTotal at this address: scan@virustotal.com
Scanning a file for ransomware-related malware
Files can be checked for malicious content, such as ransomware-related malware, by using their hashes. On the GUI a user can upload a file, and the tool then checks its hash value.
Configure VirusTotal to work with Google Security Operations SOAR
Credentials
To obtain your personal API key, sign in to the VirusTotal Community.
The API key is shown in the personal settings section. It is used for authentication and must be included in the x-apikey header of every request. The API key carries all of your account's privileges, so it must be kept secure. Always make requests over HTTPS.
Network
Function | Default Port | Direction | Protocol |
---|---|---|---|
API | Multivalues | Outbound | apikey |
Configure VirusTotal integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Actions
Get Domain Report
Description
The action allows the user to gather information recently seen by VirusTotal on a particular domain.
Use cases
Searching a domain name via the webpage: Users can submit a domain via the GUI when they are suspicious of it because IDS logs report unusual activity that looks malicious.
Run On
This action runs on the following entities:
- User
- Hostname
Action Results
Entity Enrichment
Enrichment Field Name | Logic - When to apply |
---|---|
Forcepoint ThreatSeeker category | Returns if it exists in JSON result |
BitDefender domain info | Returns if it exists in JSON result |
Categories | Returns if it exists in JSON result |
BitDefender Category | Returns if it exists in JSON result |
Alexa Category | Returns if it exists in JSON result |
Alexa domain info | Returns if it exists in JSON result |
Websense ThreatSeeker category | Returns if it exists in JSON result |
TrendMicro category | Returns if it exists in JSON result |
Opera domain info | Returns if it exists in JSON result |
Webutation domain info | Returns if it exists in JSON result |
verbose_msg | Returns if it exists in JSON result |
whois | Returns if it exists in JSON result |
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
[
{
"EntityResult": {
"detected_downloaded_samples": [],
"undetected_downloaded_samples": [{
"date": "2018-08-08 22:48:28",
"positives": 0,
"sha256": "ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629",
"total": 59
}],
"resolutions": [{
"last_resolved": "2019-01-13 03:31:09",
"ip_address": "1.1.1.1"
}],
"Opera domain info": "The URL domain/host was seen to host badware at some point in time",
"domain_siblings": [],
"BitDefender domain info": "This URL domain/host was seen to host badware at some point in time",
"whois": "Domain Name: GOOGLE.CO.IN,\nRegistry Domain ID: D8357-AFIN,\nRegistrar URL: http://www.markmonitor.comm,\nUpdated Date: 2018-05-22T09:30:37Z,\nCreation Date: 2003-06-23T14:02:33Z,\nRegistry Expiry Date: 2019-06-23T14:02:33Z,\nRegistrar: MarkMonitor Inc.,\nRegistrar IANA ID: 292,\nDomain Status: clientDeleteProhibited,\nDomain Status: clientTransferProhibited,\nDomain Status: clientUpdateProhibited,\nRegistrant Country: US,\nName Server: NS1.GOOGLE.COM,\nName Server: NS2.GOOGLE.COM,\nName Server: NS3.GOOGLE.COM,\nName Server: NS4.GOOGLE.COM,\nDNSSEC: unsigned",
"Alexa domain info": "google.co.in is one of the top 100 sites in the world and is in the Search_Engines category",
"verbose_msg": "Domain found in dataset",
"BitDefender category": "searchengines",
"undetected_referrer_samples": [{
"date": "2019-02-05 13:20:39",
"positives": 0,
"sha256": "3baf9f2a2d2b152193d2af602378b71e40d381e835b0aa3111851b2f29e64f38",
"total": 71
}],
"whois_timestamp": 1548379042,
"WOT domain info": {
"Vendor reliability": "Excellent",
"Child safety": "Excellent",
"Trustworthiness": "Excellent",
"Privacy": "Excellent"
},
"detected_referrer_samples": [{
"date": "2019-02-05 01:11:35",
"positives": 1,
"sha256": "097ea19b440441248b157698e2b23555cdf6117491b5f49f7ec8e492550cb02c",
"total": 70
}],
"Forcepoint ThreatSeeker category": "search engines and portals",
"Alexa category": "search_engines",
"detected_communicating_samples": [{
"date": "2019-01-28 23:58:13",
"positives": 30,
"sha256": "e65faa1283f8941d98dc23ff6822be228a24cb4489a5e5b01aeee749bf851658",
"total": 70
}],
"TrendMicro category": "search engines portals",
"categories": [
"searchengines", "search engines and portals"
],
"undetected_urls": [[
"http://google.co.in/cwcspnqyntq", "daed97b2c77f0f72c9e4ee45506e3e1bc4e34d7b8846246877a02779bb85dd5b", 0, 70, "2019-02-04 14:58:23"
]],
"response_code": 1,
"Webutation domain info": {
"Safety score": 100,
"Adult content": "no",
"Verdict": "safe"
},
"subdomains": [
"www.google.co.in"
],
"Websense ThreatSeeker category": "search engines and portals",
"detected_urls": [{
"url": "http://google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&sqi=2&ved=0CCQQFjAB&url=http://www.vicky.in/bike/honda/activa/on-road-price-in-jamnagar/&ei=ApojVdTGE4KBuwTD14HIBw&usg=AFQjCNH5-ir0ZlKxQELVfE2iB-HbUyFsRg&bvm=bv.89947451d.c2E&cad=rja",
"positives": 2,
"total": 66,
"scan_date": "2018-01-13 00:38:35"
}],
"Alexa rank": 100,
"undetected_communicating_samples": [{
"date": "2018-11-17 03:19:28",
"positives": 0,
"sha256": "e2a6ab7d594490c62bd3bb508dc38d7191ad48977da4d8dcce08dcb8af0070e9",
"total": 68
}],
"pcaps": [
"97e4a17068ce3ed01ed1c25c3d263fc0145e5ecc53b7db6f2ba84496b53d4a65"
]},
"Entity": "google.co.in"
}
]
Scan Hash
Description
Scans a file hash via VirusTotal. Marks entities as suspicious and shows insights if the risk score meets the given threshold.
Parameters
Parameter | Type | Default Value | Description |
---|---|---|---|
Threshold | Int | 2 | Mark the entity as suspicious if the number of detecting engines is equal to or above the given threshold. |
Re-scan After Days | Int | 0 | The action fetches the latest result. If that result is older than the specified number of days, the entity is automatically re-scanned. |
Use cases
Searching for a hash on VirusTotal: VirusTotal checks whether the hash exists in its database and returns the corresponding report. If no report exists for the hash, the file must be uploaded for scanning.
Run On
This action runs on the Filehash entity.
Action Results
Entity Enrichment
Entities are marked as Suspicious (True) if they exceed the threshold; otherwise False.
Enrichment Field Name | Logic - When to apply |
---|---|
permalink | Returns if it exists in JSON result |
sha1 | Returns if it exists in JSON result |
resource | Returns if it exists in JSON result |
Scan date | Returns if it exists in JSON result |
Scan ID | Returns if it exists in JSON result |
verbose_msg | Returns if it exists in JSON result |
total | Returns if it exists in JSON result |
positives | Returns if it exists in JSON result |
sha256 | Returns if it exists in JSON result |
md5 | Returns if it exists in JSON result |
Detecting Engines | Returns if it exists in JSON result |
Insights
Severity | Description |
---|---|
Warn | A warning insight is created to report the malicious status of the enriched hash. It is created when the number of detecting engines equals or exceeds the suspicious threshold set before the scan. |
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_risky | True/False | is_risky:False |
JSON Result
[
{
"EntityResult": {
"permalink": "https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1549381312/",
"sha1": "3395856ce81f2b7382dee72602f798b642f14140",
"resource": "275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F",
"response_code": 1,
"scan_date": "2019-02-05 15:41:52",
"scan_id": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f-1549381312",
"verbose_msg": "Scan finished, information embedded",
"total": 60,
"positives": 54,
"sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
"md5": "44d88612fea8a8f36de82e1278abb02f",
"scans": {
"Bkav": {
"detected": true,
"version": "1.1.1.1",
"result": "DOS.EiracA.Trojan",
"update": "20190201"
},
"MicroWorld-eScan": {
"detected": true,
"version": "14.0.297.0",
"result": "EICAR-Test-File",
"update": "20190205"
}}},
"Entity": "275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F"
}
]
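The threshold and re-scan rules from the Scan Hash parameter table, applied to a report in the shape of the JSON Result above, as an added example (this is not the integration's own code). The same "equal or above the threshold" rule is documented for Scan URL and Upload and Scan File. SAMPLE_REPORT is constructed from the EICAR test-file result shown above; the choice to treat a Re-scan After Days value of 0 as "never re-scan" is an assumption, as is the Suspicious flag being attached to the enrichment dict.

```python
# Added example, not the integration's code: Scan Hash threshold, re-scan and
# enrichment rules applied to a VirusTotal v2-style file report.
from datetime import datetime, timedelta, timezone

# Constructed sample, copied from the JSON Result documented for Scan Hash.
SAMPLE_REPORT = {
    "permalink": "https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1549381312/",
    "sha1": "3395856ce81f2b7382dee72602f798b642f14140",
    "resource": "275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F",
    "response_code": 1,
    "scan_date": "2019-02-05 15:41:52",
    "scan_id": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f-1549381312",
    "verbose_msg": "Scan finished, information embedded",
    "total": 60,
    "positives": 54,
    "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
    "md5": "44d88612fea8a8f36de82e1278abb02f",
    "scans": {
        "Bkav": {"detected": True, "version": "1.1.1.1",
                 "result": "DOS.EiracA.Trojan", "update": "20190201"},
        "MicroWorld-eScan": {"detected": True, "version": "14.0.297.0",
                             "result": "EICAR-Test-File", "update": "20190205"},
    },
}

# Enrichment fields from the table above; each is copied only when present.
ENRICHMENT_KEYS = ("permalink", "sha1", "resource", "scan_date", "scan_id",
                   "verbose_msg", "total", "positives", "sha256", "md5")


def is_risky(report, threshold=2):
    """Threshold rule: suspicious when detecting engines >= threshold.

    response_code 1 means VirusTotal holds a report for the hash; any other
    value means there is no verdict, so the entity is not marked.
    """
    if report.get("response_code") != 1:
        return False
    return int(report.get("positives", 0)) >= threshold


def needs_rescan(report, rescan_after_days=0, now=None):
    """Re-scan rule: a result older than rescan_after_days triggers a re-scan.

    Assumption: 0 (the documented default) disables automatic re-scans.
    """
    if rescan_after_days <= 0 or "scan_date" not in report:
        return False
    scan_date = datetime.strptime(report["scan_date"], "%Y-%m-%d %H:%M:%S")
    if now is None:
        now = datetime.now(timezone.utc).replace(tzinfo=None)  # VT dates are UTC
    return now - scan_date > timedelta(days=rescan_after_days)


def detecting_engines(report):
    """Names of the engines whose scan entry is flagged as detected."""
    scans = report.get("scans", {})
    return sorted(name for name, scan in scans.items() if scan.get("detected"))


def enrich(report, threshold=2):
    """Build the entity enrichment: documented fields only if they exist in
    the report, plus the Detecting Engines list and the Suspicious verdict."""
    fields = {key: report[key] for key in ENRICHMENT_KEYS if key in report}
    engines = detecting_engines(report)
    if engines:
        fields["Detecting Engines"] = ", ".join(engines)
    fields["Suspicious"] = is_risky(report, threshold)  # assumed field name
    return fields


if __name__ == "__main__":
    for key, value in enrich(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
    print("re-scan needed (30 days, as of 2019-03-10):",
          needs_rescan(SAMPLE_REPORT, 30, now=datetime(2019, 3, 10)))
```

With the default threshold of 2 the sample report (54 of 60 engines) is marked suspicious; raising the threshold above 54 clears it, and a report whose response_code is not 1 is never marked, because VirusTotal returned no verdict rather than a clean one.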
Scan IP
Description
The action allows the user to gather the information that VirusTotal has seen recently on a specific IP.
Parameters
Parameter Name | Type | Default | Mandatory | Description |
---|---|---|---|---|
Threshold | Integer | 25 | No | Specify the accepted threshold for the detected samples related to the IP address. If the number of engines that marked related samples as malicious is higher than the specified threshold, the IP address is marked as suspicious. |
Use cases
Submitting an IP via the webpage: If a user finds an unusually high number of requests from a particular IP address in the firewall log, the user can submit the IP address through the GUI to generate notifications based on the activity VirusTotal has seen for it recently.
Run On
This action runs on the IP Address entity.
Action Results
Entity Enrichment
Enrichment Field Name | Logic - When to apply |
---|---|
Country | Returns if it exists in JSON result |
Related Domains | Returns if it exists in JSON result |
Last Scan Date | Returns if it exists in JSON result |
verbose_msg | Returns if it exists in JSON result |
Resolutions | Returns if it exists in JSON result |
Insights
Severity | Description |
---|---|
Warn | A warning insight is created to report the malicious status of the enriched IP address. It is created when the number of detecting engines equals or exceeds the suspicious Threshold set before the scan. |
Insight Name | Body |
---|---|
Entity Insight | Country: {country} Malicious Referrer Samples: {len(detected_referrer_samples)} Malicious Downloaded Samples: {len(detected_downloaded_samples)} Malicious Communicating Samples: {len(detected_communicating_samples)} Malicious URLs: {len(detected_urls)} |
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
[
{
"EntityResult": {
"asn": 4436,
"undetected_urls": [[
"http://notarealurl.com", "2ed06796f95e7c1xxxxxbd68d81754acf535c999e901bfe2cf9c45612396f66", 0, 66, "2022-11-23 06:51:49"
]],
"undetected_downloaded_samples": [{
"date": "2018-07-09 07:53:30",
"positives": 0,
"sha256": "6a0bf66xxxxxxxxddc73d7e64eb2ff0dd3512c5378c0c63c2ad4e13c0e1429fe",
"total": 60
}],
"country": "country",
"response_code": 1,
"as_owner": "nLayer Communications, Inc.",
"verbose_msg": "IP address in dataset",
"detected_downloaded_samples": [{
"date": "2023-05-20 08:38:00",
"positives": 6,
"sha256": "9cf5c07c99c3bxxxxx342d83b241c25850da0bf231ee150cb962cab1e8399cb",
"total": 57
}],
"resolutions": [{
"last_resolved": "2023-05-13 00:00:00",
"hostname": "40515350444dxxxxff68-2f7735d5ad283fa41a203a082d9a8f25.ssl.cf3.rackcdn.com"
}],
"detected_urls": [{
"url": "http://notarealurl2.com",
"positives": 2,
"total": 67,
"scan_date": "2023-05-20 07:16:45"
}]},
"Entity": "1.1.1.1"
}
]
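The Entity Insight body from the Insights table and the Threshold rule from the parameter table, computed over a report in the shape of the JSON Result above, as an added example (not the integration's own code). SAMPLE_IP_REPORT is constructed from that result, including the positional form VirusTotal uses for undetected_urls entries. Two choices are assumptions: "number of engines that marked related samples as malicious" is read as the highest positives count across the detected sample and URL lists, and "Last Scan Date" is taken as the latest date across all sample and URL lists.

```python
# Added example, not the integration's code: Scan IP insight body, threshold
# verdict and enrichment fields from a VirusTotal v2-style IP report.

# Constructed sample, copied from the JSON Result documented for Scan IP.
SAMPLE_IP_REPORT = {
    "asn": 4436,
    "undetected_urls": [[
        "http://notarealurl.com",
        "2ed06796f95e7c1xxxxxbd68d81754acf535c999e901bfe2cf9c45612396f66",
        0, 66, "2022-11-23 06:51:49",
    ]],
    "undetected_downloaded_samples": [{
        "date": "2018-07-09 07:53:30", "positives": 0,
        "sha256": "6a0bf66xxxxxxxxddc73d7e64eb2ff0dd3512c5378c0c63c2ad4e13c0e1429fe",
        "total": 60,
    }],
    "country": "country",
    "response_code": 1,
    "as_owner": "nLayer Communications, Inc.",
    "verbose_msg": "IP address in dataset",
    "detected_downloaded_samples": [{
        "date": "2023-05-20 08:38:00", "positives": 6,
        "sha256": "9cf5c07c99c3bxxxxx342d83b241c25850da0bf231ee150cb962cab1e8399cb",
        "total": 57,
    }],
    "resolutions": [{
        "last_resolved": "2023-05-13 00:00:00",
        "hostname": "40515350444dxxxxff68-2f7735d5ad283fa41a203a082d9a8f25.ssl.cf3.rackcdn.com",
    }],
    "detected_urls": [{
        "url": "http://notarealurl2.com", "positives": 2, "total": 67,
        "scan_date": "2023-05-20 07:16:45",
    }],
}

# Insight template lines, in the order given in the Insights table.
INSIGHT_LINES = (
    ("Malicious Referrer Samples", "detected_referrer_samples"),
    ("Malicious Downloaded Samples", "detected_downloaded_samples"),
    ("Malicious Communicating Samples", "detected_communicating_samples"),
    ("Malicious URLs", "detected_urls"),
)
DETECTED_KEYS = tuple(key for _, key in INSIGHT_LINES)
ALL_SAMPLE_KEYS = DETECTED_KEYS + (
    "undetected_referrer_samples", "undetected_downloaded_samples",
    "undetected_communicating_samples", "undetected_urls",
)


def _entry_date(entry):
    """Sample entries are dicts with "date" or "scan_date"; *_urls entries may
    use the positional form [url, sha256, positives, total, scan_date]."""
    if isinstance(entry, dict):
        return entry.get("date") or entry.get("scan_date")
    return entry[4] if len(entry) > 4 else None


def _entry_positives(entry):
    if isinstance(entry, dict):
        return int(entry.get("positives", 0))
    return int(entry[2]) if len(entry) > 2 else 0


def max_positives(report):
    """Highest engine count that flagged any detected sample or URL (assumed
    reading of the Threshold description)."""
    counts = [_entry_positives(e) for key in DETECTED_KEYS for e in report.get(key, [])]
    return max(counts, default=0)


def is_suspicious(report, threshold=25):
    """Threshold rule: strictly higher than the threshold, as documented."""
    return max_positives(report) > threshold


def build_insight(report):
    """Render the Entity Insight body; absent lists count as zero."""
    lines = [f"Country: {report.get('country', 'N/A')}"]
    for label, key in INSIGHT_LINES:
        lines.append(f"{label}: {len(report.get(key, []))}")
    return "\n".join(lines)


def enrichment(report):
    """Enrichment fields from the table above, each only when derivable."""
    fields = {}
    if "country" in report:
        fields["Country"] = report["country"]
    if "verbose_msg" in report:
        fields["verbose_msg"] = report["verbose_msg"]
    resolutions = report.get("resolutions", [])
    if resolutions:
        fields["Resolutions"] = resolutions
        fields["Related Domains"] = [r["hostname"] for r in resolutions if "hostname" in r]
    dates = [_entry_date(e) for key in ALL_SAMPLE_KEYS for e in report.get(key, [])]
    dates = [d for d in dates if d]
    if dates:
        fields["Last Scan Date"] = max(dates)  # "YYYY-MM-DD HH:MM:SS" sorts lexically
    return fields


if __name__ == "__main__":
    print(build_insight(SAMPLE_IP_REPORT))
    print("suspicious at default threshold 25:", is_suspicious(SAMPLE_IP_REPORT))
    print(enrichment(SAMPLE_IP_REPORT))
```

For the sample report the strongest signal is a downloaded sample flagged by 6 engines, so the default threshold of 25 leaves the IP unmarked; lowering the threshold to 5 marks it. Keys that VirusTotal omits from a report (here detected_referrer_samples and detected_communicating_samples) render as 0 in the insight rather than raising a KeyError.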
Scan URL
Description
This action allows you to send a URL to VirusTotal for scanning.
Parameters
Parameter | Type | Default Value | Description |
---|---|---|---|
Threshold | Integer | 2 | Mark the entity as suspicious if the number of detecting engines is equal to or above the given threshold. |
Re-scan After Days | Integer | 0 | The action fetches the latest result. If that result is older than the specified number of days, the entity is automatically re-scanned. |
Use cases
Submitting a URL via the webpage: Users can enter URLs to test them for malware detection. The user accesses the service at the virustotal.com URL, where the interface provides a search text field in which URLs can be entered for scanning.
Run On
This action runs on the URL entity.
Action Results
Entity Enrichment
Entities are marked as Suspicious (True) if they exceed the threshold; otherwise False.
Enrichment Field Name | Logic - When to apply |
---|---|
Scan date | Returns if it exists in JSON result |
Scan ID | Returns if it exists in JSON result |
risk_score | Returns if it exists in JSON result |
Total | Returns if it exists in JSON result |
Online Link | Returns if it exists in JSON result |
Scanned Url | Returns if it exists in JSON result |
resource | Returns if it exists in JSON result |
Detecting Engines | Returns if it exists in JSON result |
Risk Score | Returns if it exists in JSON result |
Last Scan Date | Returns if it exists in JSON result |
verbose_msg | Returns if it exists in JSON result |
File Scan ID | Returns if it exists in JSON result |
Insights
Severity | Description |
---|---|
Warn | A warning insight is created to report the malicious status of the enriched URL. It is created when the number of detecting engines equals or exceeds the suspicious Threshold set before the scan. |
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_risky | True/False | is_risky:False |
JSON Result
[
{
"EntityResult": {
"permalink": "https://www.virustotal.com/url/057e8630c8880da8778b4f99e048933efb7cee9abdcf57fad89a7e7a2c7eae04/analysis/1549258134/",
"resource": "http://markossolomon.com/F1q7QX.php",
"url": "http://markossolomon.com/F1q7QX.php",
"response_code": 1,
"scan_date": "2019-02-04 05:28:54",
"scan_id": "057e8630c8880da8778b4f99e048933efb7cee9abdcf57fad89a7e7a2c7eae04-1549258134",
"verbose_msg": "Scan finished, scan information embedded in this object",
"filescan_id": null,
"positives": 5,
"total": 67,
"scans": {
"CLEAN MX": {
"detected": false,
"result": "clean site"
},
"DNS8": {
"detected": false,
"result": "clean site"
}}},
"Entity": "http://markossolomon.com/F1q7QX.php"
}
]
Upload and Scan File
Description
This action allows you to upload a file to VirusTotal for scanning.
Parameters
Parameter | Type | Default Value | Description |
---|---|---|---|
Threshold | Int | 2 | Mark the entity as suspicious if the number of detecting engines is equal to or above the given threshold. |
File Paths | String | 0 | Path of the target file. |
Linux Server Address | String | N/A | Linux server address (example: x.x.x.x). Address to locate Linux server. |
Linux User | String | N/A | N/A |
Linux Password | Multi values | N/A | N/A |
Use cases
Scanning a file for malware: Target files, such as ransomware-like malware, can be identified by their signatures. A user uploads a file through the GUI and its hash value is checked; once the hash value has been computed, it serves as the reference for scanning the file.
Run On
This action runs on all entities.
Action Results
Entity Enrichment
Entities are marked as Suspicious (True) if they exceed the threshold; otherwise False.
Enrichment Field Name | Logic - When to apply |
---|---|
resource | Returns if it exists in JSON result |
Scan date | Returns if it exists in JSON result |
Scan ID | Returns if it exists in JSON result |
permalink | Returns if it exists in JSON result |
Total | Returns if it exists in JSON result |
Md5 | Returns if it exists in JSON result |
Sha1 | Returns if it exists in JSON result |
Sha256 | Returns if it exists in JSON result |
positives | Returns if it exists in JSON result |
total | Returns if it exists in JSON result |
Detecting Engines | Returns if it exists in JSON result |
verbose_msg | Returns if it exists in JSON result |
Insights
Severity | Description |
---|---|
Warn | A warning insight is created to report the malicious status of the enriched file. It is created when the number of detecting engines equals or exceeds the suspicious Threshold set before the scan. |
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_risky | True/False | is_risky:False |
JSON Result
{
"file_path": {
"scan_id": "4753bb2449a27560c2945bf0d8aa5376743bf21fc184958ea3d481b556f4f91c-1549382150",
"sha1": "ec44b2af88e602e3981db0b218ecb5d59dc0dfec",
"resource": "4753bb2449a27560c2945bf0d8aa5376743bf21fc184958ea3d481b556f4f91c-1549382150",
"response_code": 1,
"scan_date": "2019-02-05 15:55:50",
"permalink": "https://www.virustotal.com/file/4753bb2449a27560c2945bf0d8aa5376743bf21fc184958ea3d481b556f4f91c/analysis/1549382150/",
"verbose_msg": "Scan finished, information embedded",
"total": 58,
"positives": 0,
"sha256": "4753bb2449a27560c2945bf0d8aa5376743bf21fc184958ea3d481b556f4f91c",
"md5": "848d57fbd8e29afa08bd3f58dd30f902",
"scans": {
"Bkav": {
"detected": false,
"version": "1.1.1.1",
"result": null,
"update": "20190201"
},
"MicroWorld-eScan": {
"detected": false,
"version": "14.0.297.0",
"result": null,
"update": "20190205"
}
}
}
}