VirusTotal

Integration version: 35.0

This integration was created using the 2nd iteration (v2) of the VirusTotal API.

Use Cases

Suspicious phishing emails: If you have received an email whose attachment you believe is suspicious, you can submit the attachment to VirusTotal for scanning by forwarding the email to the VirusTotal scanning address: scan@virustotal.com

Use case workflow

Scanning a file for ransomware-related malware: Files can be checked for malicious content such as ransomware by their hashes. A user uploads a file in the GUI, and the tool computes its hash and looks that hash up.

Configure VirusTotal to work with Chronicle SOAR

Credentials

In order to obtain your personal API key, sign in to the VirusTotal Community.

The API key is shown in the personal settings section. It is used for authentication and must be included in the x-apikey header of every request. The API key carries all account privileges, so it must be kept secret. Always make requests over HTTPS.

Network

Function Default Port Direction Protocol
API Multivalues Outbound apikey

Configure VirusTotal integration in Chronicle SOAR

For detailed instructions on how to configure an integration in Chronicle SOAR, see Configure integrations.

Actions

Get Domain Report

Description

The action allows the user to gather information recently seen by VirusTotal on a particular domain.

Use cases

Searching a domain name via the webpage: Users can submit a domain via the GUI when they are suspicious of it because IDS logs report unusual activity that looks malicious.

Use case workflow

Run On

This action runs on the following entities:

  • User
  • Hostname

Action Results

Entity Enrichment
Enrichment Field Name Logic - When to apply
Forcepoint ThreatSeeker category Returns if it exists in JSON result
BitDefender domain info Returns if it exists in JSON result
Categories Returns if it exists in JSON result
BitDefender Category Returns if it exists in JSON result
Alexa Category Returns if it exists in JSON result
Alexa domain info Returns if it exists in JSON result
Websense ThreatSeeker category Returns if it exists in JSON result
TrendMicro category Returns if it exists in JSON result
Opera domain info Returns if it exists in JSON result
Webutation domain info Returns if it exists in JSON result
verbose_msg Returns if it exists in JSON result
whois Returns if it exists in JSON result
Insights

N/A

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
[
    {
        "EntityResult": {
            "detected_downloaded_samples": [],
            "undetected_downloaded_samples": [{
                "date": "2018-08-08 22:48:28",
                "positives": 0,
                "sha256": "ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629",
                "total": 59
            }],
            "resolutions": [{
                "last_resolved": "2019-01-13 03:31:09",
                "ip_address": "1.1.1.1"
            }],
            "Opera domain info": "The URL domain/host was seen to host badware at some point in time",
            "domain_siblings": [],
            "BitDefender domain info": "This URL domain/host was seen to host badware at some point in time",
            "whois": "Domain Name: GOOGLE.CO.IN, \nRegistry Domain ID: D8357-AFIN, \nRegistrar URL: http://www.markmonitor.comm, \nUpdated Date: 2018-05-22T09:30:37Z, \nCreation Date: 2003-06-23T14:02:33Z, \nRegistry Expiry Date: 2019-06-23T14:02:33Z, \nRegistrar: MarkMonitor Inc., \nRegistrar IANA ID: 292, \nDomain Status: clientDeleteProhibited, \nDomain Status: clientTransferProhibited, \nDomain Status: clientUpdateProhibited, \nRegistrant Country: US, \nName Server: NS1.GOOGLE.COM, \nName Server: NS2.GOOGLE.COM, \nName Server: NS3.GOOGLE.COM, \nName Server: NS4.GOOGLE.COM, \nDNSSEC: unsigned",
            "Alexa domain info": "google.co.in is one of the top 100 sites in the world and is in the Search_Engines category",
            "verbose_msg": "Domain found in dataset",
            "BitDefender category": "searchengines",
            "undetected_referrer_samples": [{
                "date": "2019-02-05 13:20:39",
                "positives": 0,
                "sha256": "3baf9f2a2d2b152193d2af602378b71e40d381e835b0aa3111851b2f29e64f38",
                "total": 71
            }],
            "whois_timestamp": 1548379042,
            "WOT domain info": {
                "Vendor reliability": "Excellent",
                "Child safety": "Excellent",
                "Trustworthiness": "Excellent",
                "Privacy": "Excellent"
            },
            "detected_referrer_samples": [{
                "date": "2019-02-05 01:11:35",
                "positives": 1,
                "sha256": "097ea19b440441248b157698e2b23555cdf6117491b5f49f7ec8e492550cb02c",
                "total": 70
            }],
            "Forcepoint ThreatSeeker category": "search engines and portals",
            "Alexa category": "search_engines",
            "detected_communicating_samples": [{
                "date": "2019-01-28 23:58:13",
                "positives": 30,
                "sha256": "e65faa1283f8941d98dc23ff6822be228a24cb4489a5e5b01aeee749bf851658",
                "total": 70
            }],
            "TrendMicro category": "search engines portals",
            "categories": [
                "searchengines", "search engines and portals"
            ],
            "undetected_urls": [[
                "http://google.co.in/cwcspnqyntq", "daed97b2c77f0f72c9e4ee45506e3e1bc4e34d7b8846246877a02779bb85dd5b", 0, 70, "2019-02-04 14:58:23"
            ]],
            "response_code": 1,
            "Webutation domain info": {
                "Safety score": 100,
                "Adult content": "no",
                "Verdict": "safe"
            },
            "subdomains": [
                "www.google.co.in"
            ],
            "Websense ThreatSeeker category": "search engines and portals",
            "detected_urls": [{
                "url": "http://google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&sqi=2&ved=0CCQQFjAB&url=http://www.vicky.in/bike/honda/activa/on-road-price-in-jamnagar/&ei=ApojVdTGE4KBuwTD14HIBw&usg=AFQjCNH5-ir0ZlKxQELVfE2iB-HbUyFsRg&bvm=bv.89947451d.c2E&cad=rja",
                "positives": 2,
                "total": 66,
                "scan_date": "2018-01-13 00:38:35"
            }],
            "Alexa rank": 100,
            "undetected_communicating_samples": [{
                "date": "2018-11-17 03:19:28",
                "positives": 0,
                "sha256": "e2a6ab7d594490c62bd3bb508dc38d7191ad48977da4d8dcce08dcb8af0070e9",
                "total": 68
            }],
            "pcaps": [
                "97e4a17068ce3ed01ed1c25c3d263fc0145e5ecc53b7db6f2ba84496b53d4a65"
            ]},
        "Entity": "google.co.in"
    }
]

Scan Hash

Description

Scan File Hash via VirusTotal. Mark entities as suspicious and show insights if the risk score matches a given threshold.

Parameters

Parameter Type Default Value Description
Threshold Int 2 Mark entity as suspicious if the number of negative engines is equal or above the given threshold.
Re-scan After Days Int 0 Action will fetch the latest result. If the result is older than mentioned days it will automatically re-scan the entity.

Use cases

Searching for a hash on VirusTotal: VirusTotal checks whether the hash exists in its database and returns the matching report. If no report exists for the hash, the file itself must be uploaded for scanning.

Use case workflow

Run On

This action runs on the Filehash entity.

Action Results

Entity Enrichment

Entities are marked as Suspicious (True) if they exceed threshold. Else: False.

Enrichment Field Name Logic - When to apply
permalink Returns if it exists in JSON result
sha1 Returns if it exists in JSON result
resource Returns if it exists in JSON result
Scan date Returns if it exists in JSON result
Scan ID Returns if it exists in JSON result
verbose_msg Returns if it exists in JSON result
total Returns if it exists in JSON result
positives Returns if it exists in JSON result
sha256 Returns if it exists in JSON result
md5 Returns if it exists in JSON result
Detecting Engines Returns if it exists in JSON result
Insights
Severity Description
Warn A warning insight shall be created to inform on the malicious status of the enriched hash. The insight will be created when the number of detected engines equals or exceeds the minimum suspicious threshold set before scan.
Script Result
Script Result Name Value Options Example
is_risky True/False is_risky:False
JSON Result
[
    {
        "EntityResult": {
            "permalink": "https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1549381312/",
            "sha1": "3395856ce81f2b7382dee72602f798b642f14140",
            "resource": "275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F",
            "response_code": 1,
            "scan_date": "2019-02-05 15:41:52",
            "scan_id": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f-1549381312",
            "verbose_msg": "Scan finished, information embedded",
            "total": 60,
            "positives": 54,
            "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
            "md5": "44d88612fea8a8f36de82e1278abb02f",
            "scans": {
                "Bkav": {
                    "detected": true,
                    "version": "1.1.1.1",
                    "result": "DOS.EiracA.Trojan",
                    "update": "20190201"
                },
                "MicroWorld-eScan": {
                    "detected": true,
                    "version": "14.0.297.0",
                    "result": "EICAR-Test-File",
                    "update": "20190205"
                }
            }
        },
        "Entity": "275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F"
    }
]
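The Scan Hash rules described above (the Threshold and Re-scan After Days parameters, the response_code lookup result, and the Detecting Engines enrichment field) worked through in code. This is an added example, not code from the integration; the sample report is a constructed copy of the JSON result above with one extra non-detecting engine, and the function names are the example's own.

```python
from datetime import datetime, timedelta

DATE_FMT = "%Y-%m-%d %H:%M:%S"  # format of scan_date in the v2 report

# Constructed sample modelled on the Scan Hash JSON result above (EICAR test file),
# with one constructed non-detecting engine added to show the filtering.
SAMPLE_RESULT = {
    "response_code": 1,
    "scan_date": "2019-02-05 15:41:52",
    "total": 60,
    "positives": 54,
    "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
    "scans": {
        "Bkav": {"detected": True, "result": "DOS.EiracA.Trojan"},
        "MicroWorld-eScan": {"detected": True, "result": "EICAR-Test-File"},
        "ExampleEngine": {"detected": False, "result": None},  # constructed
    },
}


def needs_rescan(result, rescan_after_days, now):
    """Re-scan After Days rule: True when the cached report is older than the
    given number of days. 0 (the default) disables re-scanning. `now` is a
    timestamp string in the same format as scan_date."""
    if rescan_after_days <= 0 or not result.get("scan_date"):
        return False
    scanned = datetime.strptime(result["scan_date"], DATE_FMT)
    current = datetime.strptime(now, DATE_FMT)
    return current - scanned > timedelta(days=rescan_after_days)


def detecting_engines(result):
    """Engines whose verdict was 'detected' (the 'Detecting Engines' field)."""
    scans = result.get("scans") or {}
    return sorted(name for name, verdict in scans.items() if verdict.get("detected"))


def evaluate_hash(result, threshold=2):
    """Threshold rule: suspicious when positives is equal to or above threshold.
    response_code 0 means the hash is not in the dataset: there is no verdict,
    and the file would have to be uploaded for scanning instead."""
    if result.get("response_code") != 1:
        return {"found": False, "is_risky": False, "positives": 0,
                "total": 0, "Detecting Engines": []}
    positives = int(result.get("positives", 0))
    return {
        "found": True,
        "is_risky": positives >= threshold,
        "positives": positives,
        "total": int(result.get("total", 0)),
        "Detecting Engines": detecting_engines(result),
    }
```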

Scan IP

Description

The action allows the user to gather the information that VirusTotal has seen recently on a specific IP.

Parameters

Parameter Name Type Default Mandatory Description
Threshold Integer 25 No Specify the accepted threshold for the detected samples related to the IP address. If the number of engines that marked related samples as malicious is higher than the specified threshold, the IP address will be marked as suspicious.

Use cases

Submitting an IP via the webpage: If a user finds an unusually high number of requests from a particular IP address in the firewall log, the user can submit the IP address through the GUI to generate notifications based on VirusTotal's recent observations of it.

Use case workflow

Run On

This action runs on the IP Address entity.

Action Results

Entity Enrichment
Enrichment Field Name Logic - When to apply
Country Returns if it exists in JSON result
Related Domains Returns if it exists in JSON result
Last Scan Date Returns if it exists in JSON result
verbose_msg Returns if it exists in JSON result
Resolutions Returns if it exists in JSON result
Insights
Severity Description
Warn A warning insight shall be created to inform on the malicious status of the enriched IP address. The insight will be created when the number of detected engines equals or exceeds the minimum suspicious Threshold set before scan.
Insight Name Body
Entity Insight

Country: {country}

Malicious Referrer Samples: {len(detected_referrer_samples)}

Malicious Downloaded Samples: {len(detected_downloaded_samples)}

Malicious Communicating Samples: {len(detected_communicating_samples)}

Malicious URLs: {len(detected_urls)}

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
[
    {
        "EntityResult": {
            "asn": 4436,
            "undetected_urls": [[
                "http://notarealurl.com", "2ed06796f95e7c1xxxxxbd68d81754acf535c999e901bfe2cf9c45612396f66", 0, 66, "2022-11-23 06:51:49"
            ]],
            "undetected_downloaded_samples": [{
                "date": "2018-07-09 07:53:30",
                "positives": 0,
                "sha256": "6a0bf66xxxxxxxxddc73d7e64eb2ff0dd3512c5378c0c63c2ad4e13c0e1429fe",
                "total": 60
            }],
            "country": "country",
            "response_code": 1,
            "as_owner": "nLayer Communications, Inc.",
            "verbose_msg": "IP address in dataset",
            "detected_downloaded_samples": [{
                "date": "2023-05-20 08:38:00",
                "positives": 6,
                "sha256": "9cf5c07c99c3bxxxxx342d83b241c25850da0bf231ee150cb962cab1e8399cb",
                "total": 57
            }],
            "resolutions": [{
                "last_resolved": "2023-05-13 00:00:00",
                "hostname": "40515350444dxxxxff68-2f7735d5ad283fa41a203a082d9a8f25.ssl.cf3.rackcdn.com"
            }],
            "detected_urls": [{
                "url": "http://notarealurl2.com",
                "positives": 2,
                "total": 67,
                "scan_date": "2023-05-20 07:16:45"
            }]
        },
        "Entity": "1.1.1.1"
    }
]
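The Entity Insight body and the Threshold rule of Scan IP, applied to the JSON result above. This is an added example, not the integration's code; the sample is a constructed, trimmed copy of the result above, and reading "the number of engines that marked related samples as malicious" as the highest positives count over any single related sample or URL is this example's assumption.

```python
# Constructed copy of the Scan IP JSON result above, trimmed to the fields the
# insight body and the Threshold parameter use.
SAMPLE_IP_RESULT = {
    "country": "country",
    "response_code": 1,
    "detected_referrer_samples": [],
    "detected_downloaded_samples": [
        {"date": "2023-05-20 08:38:00", "positives": 6, "total": 57,
         "sha256": "9cf5c07c99c3bxxxxx342d83b241c25850da0bf231ee150cb962cab1e8399cb"},
    ],
    "detected_communicating_samples": [],
    "detected_urls": [
        {"url": "http://notarealurl2.com", "positives": 2, "total": 67,
         "scan_date": "2023-05-20 07:16:45"},
    ],
}

DETECTED_LISTS = ("detected_referrer_samples", "detected_downloaded_samples",
                  "detected_communicating_samples", "detected_urls")


def malicious_counts(result):
    """Counts that fill the insight placeholders; a missing or null list is 0."""
    return {key: len(result.get(key) or []) for key in DETECTED_LISTS}


def build_insight(result):
    """Render the Entity Insight body shown above from a Scan IP result."""
    counts = malicious_counts(result)
    return "\n".join([
        f"Country: {result.get('country', 'N/A')}",
        f"Malicious Referrer Samples: {counts['detected_referrer_samples']}",
        f"Malicious Downloaded Samples: {counts['detected_downloaded_samples']}",
        f"Malicious Communicating Samples: {counts['detected_communicating_samples']}",
        f"Malicious URLs: {counts['detected_urls']}",
    ])


def max_positives(result):
    """Highest number of engines flagging any single related sample or URL
    (assumed reading of the Threshold description; see lead-in)."""
    return max((int(item.get("positives", 0))
                for key in DETECTED_LISTS
                for item in result.get(key) or []), default=0)


def is_suspicious(result, threshold=25):
    """Threshold rule as documented for Scan IP: suspicious only when the count
    is strictly higher than the threshold (Scan Hash uses equal-or-above)."""
    return max_positives(result) > threshold
```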

Scan URL

Description

This action allows you to send a URL for scanning with VirusTotal.

Parameters

Parameter Type Default Value Description
Threshold Integer 2 Mark entity as suspicious if the number of negative engines is equal or above the given threshold.
Re scan After Days Integer 0 Action will fetch the latest result. If the result is older than the given number of days, it will automatically re-scan the entity.

Use cases

Submitting a URL via the webpage: Users can enter URLs to test them for malware detection. The user accesses the service at the virustotal.com URL, where the interface provides a search text field for entering URLs to scan.

Use case workflow

Run On

This action runs on the URL entity.

Action Results

Entity Enrichment

Entities are marked as Suspicious (True) if they exceed threshold. Else: False.

Enrichment Field Name Logic - When to apply
Scan date Returns if it exists in JSON result
Scan ID Returns if it exists in JSON result
risk_score Returns if it exists in JSON result
Total Returns if it exists in JSON result
Online Link Returns if it exists in JSON result
Scanned Url Returns if it exists in JSON result
resource Returns if it exists in JSON result
Detecting Engines Returns if it exists in JSON result
Risk Score Returns if it exists in JSON result
Last Scan Date Returns if it exists in JSON result
verbose_msg Returns if it exists in JSON result
File Scan ID Returns if it exists in JSON result
Insights
Severity Description
Warn A warning insight shall be created to inform on the malicious status of the enriched URL. The insight will be created when the number of detected engines equals or exceeds the minimum suspicious Threshold set before scan.
Script Result
Script Result Name Value Options Example
is_risky True/False is_risky:False
JSON Result
[
    {
        "EntityResult": {
            "permalink": "https://www.virustotal.com/url/057e8630c8880da8778b4f99e048933efb7cee9abdcf57fad89a7e7a2c7eae04/analysis/1549258134/",
            "resource": "http://markossolomon.com/F1q7QX.php",
            "url": "http://markossolomon.com/F1q7QX.php",
            "response_code": 1,
            "scan_date": "2019-02-04 05:28:54",
            "scan_id": "057e8630c8880da8778b4f99e048933efb7cee9abdcf57fad89a7e7a2c7eae04-1549258134",
            "verbose_msg": "Scan finished, scan information embedded in this object",
            "filescan_id": null,
            "positives": 5,
            "total": 67,
            "scans": {
                "CLEAN MX": {
                    "detected": false,
                    "result": "clean site"
                },
                "DNS8": {
                    "detected": false,
                    "result": "clean site"
                }
            }
        },
        "Entity": "http://markossolomon.com/F1q7QX.php"
    }
]

Upload and Scan File

Description

This action allows you to upload a file for scanning with VirusTotal.

Parameters

Parameter Type Default Value Description
Threshold Int 2 Mark entity as suspicious if the number of negative engines is equal or above the given threshold.
File Paths String 0 Target File path.
Linux Server Address String N/A Linux server address (example: x.x.x.x). Address to locate Linux server.
Linux User String N/A N/A
Linux Password Multi values N/A N/A

Use cases

Scanning a file for malware: Files such as ransomware-like malware can be identified by their signatures. A user uploads a file in the GUI, its hash value is computed, and that hash is then used to look up and scan the file.

Use case workflow

Run On

This action runs on all entities.

Action Results

Entity Enrichment

Entities are marked as Suspicious (True) if they exceed threshold. Else: False.

Enrichment Field Name Logic - When to apply
resource Returns if it exists in JSON result
Scan date Returns if it exists in JSON result
Scan ID Returns if it exists in JSON result
permalink Returns if it exists in JSON result
Total Returns if it exists in JSON result
Md5 Returns if it exists in JSON result
Sha1 Returns if it exists in JSON result
Sha256 Returns if it exists in JSON result
positives Returns if it exists in JSON result
total Returns if it exists in JSON result
Detecting Engines Returns if it exists in JSON result
verbose_msg Returns if it exists in JSON result
Insights
Severity Description
Warn A warning insight shall be created to inform on the malicious status of the enriched file. The insight will be created when the number of detected engines equals or exceeds the minimum suspicious Threshold set before scan.
Script Result
Script Result Name Value Options Example
is_risky True/False is_risky:False
JSON Result
{
    "file_path": {
        "scan_id": "4753bb2449a27560c2945bf0d8aa5376743bf21fc184958ea3d481b556f4f91c-1549382150",
        "sha1": "ec44b2af88e602e3981db0b218ecb5d59dc0dfec",
        "resource": "4753bb2449a27560c2945bf0d8aa5376743bf21fc184958ea3d481b556f4f91c-1549382150",
        "response_code": 1,
        "scan_date": "2019-02-05 15:55:50",
        "permalink": "https://www.virustotal.com/file/4753bb2449a27560c2945bf0d8aa5376743bf21fc184958ea3d481b556f4f91c/analysis/1549382150/",
        "verbose_msg": "Scan finished, information embedded",
        "total": 58,
        "positives": 0,
        "sha256": "4753bb2449a27560c2945bf0d8aa5376743bf21fc184958ea3d481b556f4f91c",
        "md5": "848d57fbd8e29afa08bd3f58dd30f902",
        "scans": {
            "Bkav": {
                "detected": false,
                "version": "1.1.1.1",
                "result": null,
                "update": "20190201"
            },
            "MicroWorld-eScan": {
                "detected": false,
                "version": "14.0.297.0",
                "result": null,
                "update": "20190205"
            }
        }
    }
}