VirusTotal v3
Integration version: 22.0
This integration was created using the 3rd iteration of VT API.
Use cases
Perform enrichment actions.
Configure the VirusTotal v3 integration for use cases
- Log in to the VirusTotal portal.
- Under your username, click API key.
- Copy the API key that is presented there and use it in the integration.
Integrate VirusTotal v3 with Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| API Key | String | N/A | Yes | VirusTotal API Key |
| Verify SSL | Checkbox | Checked | Yes | If enabled, verify the SSL certificate for the connection to the Cisco Orbital server is valid. |
Actions
Ping
Test connectivity to VirusTotal with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Run on
This action doesn't run on entities, nor has mandatory input parameters.
Action results
Script result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
Case wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution:
If successful: "Successfully connected to
the VirusTotal server with the provided connection parameters!" If not successful: "Failed to connect to the VirusTotal server! Error is {0}".format(exception.stacktrace) |
General |
Enrich IP
Enrich IP using information from VirusTotal.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Engine Threshold | Integer | N/A | Yes | Specify the number of engines that should mark the entity as malicious or suspicious, for Google Security Operations SOAR to label it as suspicious. Note: If the "Engine Whitelist" parameter contains values, the action only counts results from those engines. |
| Engine Whitelist | CSV | N/A | No | Specify a comma-separated list of engines that should be used to retrieve information, whether an entity is malicious or not. Example: AlienVault, Kaspersky. Note: If nothing is specified in this parameter, the action takes results from every available engine. If the engine doesn't return any information about the entity, it won't be counted for the "Engine Threshold" and "Engine Percentage Threshold" parameters. |
| Retrieve Comments | Checkbox | Checked | No | If enabled, the action retrieves comments about the entity. |
| Only Suspicious Entity Insight | Checkbox | Unchecked | No | If enabled, the action only creates an insight for suspicious entities. |
| Max Comments To Return | Integer | 10 | No | Specify the number of comments to return. |
| Engine Percentage Threshold | Integer | N/A | No | Specify the percentage of engines that should mark the entity as malicious or suspicious, for Google Security Operations SOAR to label it as suspicious. Note: If the "Engine Whitelist" parameter contains values, the action only counts the percentage from those engines. If both "Engine Threshold" and "Engine Percentage Threshold" are provided, the "Engine Threshold" parameter is used. Maximum value: 100. Minimum value: 0. |
| Create Insight | Checkbox | Checked | No | If enabled, the action creates an insight containing information about the entities. |
| Fetch Widget | Checkbox | Checked | No | If enabled, the action fetches augmented widget related to the entity. |
Run on
This action runs on the IP Address entity.
Action results
Script result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON result
{
"data": {
"attributes": {
"as_owner": "Example",
"asn": 50673,
"continent": "EU",
"country": "NL",
"last_analysis_results": {
"EXAMPLELabs": {
"category": "harmless",
"engine_name": "ExampleLabs",
"method": "blacklist",
"result": "clean"
},
"example.com URL checker": {
"category": "harmless",
"engine_name": "example.com URL checker",
"method": "blacklist",
"result": "clean"
},
"example": {
"category": "harmless",
"engine_name": "example",
"method": "blacklist",
"result": "clean"
},
"example": {
"category": "harmless",
"engine_name": "example",
"method": "blacklist",
"result": "clean"
}
},
"last_analysis_stats": {
"harmless": 81,
"malicious": 5,
"suspicious": 1,
"timeout": 0,
"undetected": 8
},
"last_https_certificate": {
"cert_signature": {
"signature": "48ae0d5d0eb411e56bd328b93c7212c72fd21785070648e11d9ae2b80386711699978e650eafa233d234671b87c8134c1c38c59f702518ddebdc7849dc512e0158941507970ab3ab93788d27df728d727d7f9d28ed358abb145fb24803d0eeab04687ae07c7f1d3176374367efc000bd26d3cfc0659e54826ea2dfa2366d7bd9e8ed3bd2ff8a26898b37fadea198f93de8cf3ae3d703513bc0638f7b411d8eda9a3ac9a7510d7bfe553592792d10f8b2c255bc4a05c8c6bfbdb8def045dc754b39c9b89d2a5140818622760eb116abf6fd0a5798c1e274fe56a056ed21f419a6873d314c15238a398d8049b5ecc1ca003d0a07a989a710d137e4fc74b5671caa",
"signature_algorithm": "sha256RSA"
},
"extensions": {
"1.3.6.1.4.1.11129.2.4.2": "0481f200f00075007d3ef2f88fff88556824c2c0ca9e5289792bc50e78097f2e",
"CA": true,
"authority_key_identifier": {
"keyid": "8d8c5ec454ad8ae177e99bf99b05e1b8018d61e1"
},
"ca_information_access": {
"CA Issuers": "http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt",
"OCSP": "http://ocsp.sectigo.com"
},
"certificate_policies": [
"1.3.6.1.4.1.6449.1.2.2.7",
"2.23.140.1.2.1"
],
"extended_key_usage": [
"serverAuth",
"clientAuth"
],
"key_usage": [
"ff"
],
"subject_alternative_name": [
"y2y-panel.xyz",
"www.y2y-panel.xyz"
],
"subject_key_identifier": "4f6429eaccd761eca91d9120b004f9d962453fef",
"tags": []
},
"issuer": {
"C": "GB",
"CN": "Sectigo RSA Domain Validation Secure Server CA",
"L": "Salford",
"O": "Sectigo Limited",
"ST": "Greater Manchester"
},
"public_key": {
"algorithm": "RSA",
"rsa": {
"exponent": "010001",
"key_size": 2048,
"modulus": "00aa8b74f0cc92a85ed4d515abef751a22fd65f2b6b0d33239040a99c65f322f3e833c77540a15ee31dabbd2889dd710ff9d8ccd3b9ea454ca87761cd9ff8a383806986461f8ff764a1202a5ebfb09995cbf40cc11eb2514529704744e6c97a872cde728e278fb140eba3c3aaf60644c8d75fd0048bb506f9b7314e33690f3514598ee45dd366c30a94d6178af91c2784872c162233c66659cea675f22f47752e0877ba5b12a3d800d2e2510d3cc1222c226cee2b85852a7e02da1de2718c746560f3ae05bc6f2d7f1cd6fcdbe37318fc7ddd19ae3486c5f3293946c068735e843fa8467199456d4725ac0b23fc4e0b7b9d3f51c0e16b27542d250d29d7b28fb95"
}
},
"serial_number": "248562d360bcc919bb97883f0dfc609d",
"signature_algorithm": "sha256RSA",
"size": 1472,
"subject": {
"CN": "y2y-panel.xyz"
},
"tags": [],
"thumbprint": "f9aae62cc9262302e45d94fcc512d65529ea1b31",
"thumbprint_sha256": "406ac0efb0ef67de743b1ab0f4e0352564a7d5ebbd71e3a883c067acc3563016",
"validity": {
"not_after": "2021-08-06 23:59:59",
"not_before": "2020-08-06 00:00:00"
},
"version": "V3"
},
"last_https_certificate_date": 1605415789,
"last_modification_date": 1605430702,
"network": "203.0.113.0/24",
"regional_internet_registry": "EXAMPLE",
"reputation": -95,
"tags": [],
"total_votes": {
"harmless": 0,
"malicious": 10
},
"whois": "NetRange: 203.0.113.0 - 203.0.113.255\nCIDR: 203.0.113.0/24\nNetName: EXAMPLE-5\nNetHandle: NET-203-0-113-0-1\nParent: ()\nNetType: Allocated to EXAMPLE\nOrig",
"whois_date": 1603912270
},
"id": "203.0.113.1",
"links": {
"self": "https://www.virustotal.com/api/v3/ip_addresses/203.0.113.1"
},
"type": "ip_address"
"comments": [
"text": "attributes/text",
"date": "attributes/date"
]
}
"is_risky": true
}
Entity enrichment
| Enrichment Field Name | Logic - When to apply |
|---|---|
| VT3_id | When available in JSON |
| VT3_owner | When available in JSON |
| VT3_asn | When available in JSON |
| VT3_continent | When available in JSON |
| VT3_country | When available in JSON |
| VT3_harmless_count | When available in JSON |
| VT3_malicious_count | When available in JSON |
| VT3_suspicious_count | When available in JSON |
| VT3_undetected_count | When available in JSON |
| VT3_certificate_valid_not_after | When available in JSON |
| VT3_certificate_valid_not_before | When available in JSON |
| VT3_reputation | When available in JSON |
| VT3_tags | When available in JSON |
| VT3_malicious_vote_count | When available in JSON |
| VT3_harmless_vote_count | When available in JSON |
| VT3_report_link | When available in JSON |
Case wall
| Result type | Value/Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution:
If enriched some IPs (is_success = true):
"Successfully enriched the following IPs using VirusTotal:\n".
format(entity.identifier) If didn't enrich some
IPs (is_success = true): "Action wasn't able to enrich the following
IPs using VirusTotal:\n".format(entity.identifier)
If didn't enrich any IPs (is_success = false): "No IPs were enriched".
If some of the engines were not found (is_success
is not depending on this logic, it's an additional message for invalid engines):
"The following whitelisted engines were not found in VirusTotal:\n{0}".
(engine names) If fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Enrich IP". Reason: {0}''.format(error.Stacktrace) If the "Engine Percentage Threshold" parameter is greater than 100 or less than 0 or not integer: "Error executing action "{action name}". Reason: value for the parameter "Engine Percentage Threshold" is invalid. Please check it. The value should be in range from 0 to 100. If neither the "Engine Percentage Threshold" parameter nor the "Engine Threshold" parameter is provided: "Error executing action "{action name}". Reason: either "Engine Threshold" or "Engine Percentage Threshold" should be provided. |
General |
| CSV Table | Table Name: Entity.identifier Table Columns:
|
Entity |
| Case Wall Table | Table Name: "Comments: {0}".format(entity identifier) Table Columns:
|
General |
| Links | Name: Report Link Value: {report link} |
Entity |
Enrich URL
Enrich URL using information from VirusTotal.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Engine Threshold | Integer | N/A | Yes | Specify the number of engines that should mark the entity as malicious or suspicious, for Google Security Operations SOAR to label it as suspicious. Note: If the "Engine Whitelist" parameter contains values, the action only counts results from those engines. |
| Engine Whitelist | CSV | N/A | No | Specify a comma-separated list of engines that should be used to retrieve information, whether an entity is malicious or not. Example: AlienVault,Kaspersky. Note: If nothing is specified in this parameter, the action takes results from every available engine. If the engine doesn't return any information about the entity, it won't be counted for the "Engine Threshold" and "Engine Percentage Threshold" parameters. |
| Resubmit URL | Checkbox | Unchecked | No | If enabled, the action resubmits URLs for analysis instead of using the latest information. |
| Retrieve Comments | Checkbox | Checked | No | If enabled, the action retrieves comments about the entity. |
| Only Suspicious Entity Insight | Checkbox | Unchecked | No | If enabled, the action only creates an insight for suspicious entities. |
| Max Comments To Return | Integer | 10 | No | Specify the number of comments to return. |
| Engine Percentage Threshold | Integer | N/A | No | Specify the percentage of engines that should mark the entity as malicious or suspicious, for Google Security Operations SOAR to label it as suspicious. Note: If the "Engine Whitelist" parameter contains values, the action only counts the percentage from those engines. If both "Engine Threshold" and "Engine Percentage Threshold" are provided, the "Engine Threshold" parameter is used. Maximum value: 100 Minimum value: 0 |
| Resubmit After (Days) | Integer | 30 | No | Specify the number of days since the last submission for the entity to be resubmitted. Note: The "Resubmit URL" parameter needs to be enabled. |
| Create Insight | Checkbox | Checked | No | If enabled, the action creates an insight containing information about the entities. |
| Fetch Widget | Checkbox | Checked | No | If enabled, the action fetches augmented widget related to the entity. |
Run on
This action runs on the URL entity.
Action results
Script result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON result
{
"data": {
{
"data": {
"attributes": {
"categories": {
"Dr.Web": "known infection source/not recommended site",
"Forcepoint ThreatSeeker": "compromised websites",
"sophos": "malware repository, spyware and malware"
},
"first_submission_date": 1582300443,
"html_meta": {},
"last_analysis_date": 1599853405,
"last_analysis_results": {
"AEXAMPLELabs": {
"category": "harmless",
"engine_name": "EXAMPLELabs",
"method": "blacklist",
"result": "clean"
},
"Example": {
"category": "harmless",
"engine_name": "Example",
"method": "blacklist",
"result": "clean"
},
},
"last_analysis_stats": {
"harmless": 64,
"malicious": 6,
"suspicious": 1,
"timeout": 0,
"undetected": 8
},
"last_final_url": "http://203.0.113.1/input/?mark=20200207-healthybitesforlife.com/31mawe&tpl=example&engkey=bar+chart+click+event",
"last_http_response_code": 404,
"last_http_response_content_length": 204,
"last_http_response_content_sha256": "58df637d178e35690516bda9e41e245db836170f046041fdebeedd20eca61d9d",
"last_http_response_headers": {
"connection": "keep-alive",
"content-length": "204",
"content-type": "text/html; charset=iso-8859-1",
"date": "Fri, 11 Sep 2020 19:51:50 GMT",
"keep-alive": "timeout=60",
"server": "nginx"
},
"last_modification_date": 1599853921,
"last_submission_date": 1599853405,
"reputation": 0,
"tags": [
"ip"
],
"targeted_brand": {},
"threat_names": [
"Mal/HTMLGen-A"
],
"times_submitted": 3,
"title": "404 Not Found",
"total_votes": {
"harmless": 0,
"malicious": 0
},
"trackers": {},
"url": "http://203.0.113.1/input/?mark=20200207-healthybitesforlife.com/31mawe&tpl=example&engkey=bar+chart+click+event"
},
"id": "05ef858c49887ce761de6b24bafb0461175acea385e3f4e8b114b043b7013981",
"links": {
"self": "https://www.virustotal.com/api/v3/urls/05ef858c49887ce761de6b24bafb0461175acea385e3f4e8b114b043b7013981"
},
"type": "url",
"comments": [
"text": "attributes/text",
"date": "attributes/date"
]
}
"is_risky": true
}
Entity enrichment
| Enrichment Field Name | Logic - When to apply |
|---|---|
| VT3_id | When available in JSON |
| VT3_title | When available in JSON |
| VT3_last_http_response_code | When available in JSON |
| VT3_last_http_response_content_length | When available in JSON |
| VT3_threat_names | When available in JSON |
| VT3_harmless_count | When available in JSON |
| VT3_malicious_count | When available in JSON |
| VT3_suspicious_count | When available in JSON |
| VT3_undetected_count | When available in JSON |
| VT3_reputation | When available in JSON |
| VT3_tags | When available in JSON |
| VT3_malicious_vote_count | When available in JSON |
| VT3_harmless_vote_count | When available in JSON |
| VT3_report_link | When available in JSON |
Case wall
| Result type | Value/Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution:
If enriched some URLs (is_success = true):
"Successfully enriched the following URLs using VirusTotal:
\n".format(entity.identifier) If didn't enrich
some URLs (is_success = true): "Action wasn't able to
enrich the following URLs using VirusTotal:\n".format(entity.identifier) If didn't enrich any URLs (is_success = false):
"No URLs were enriched". If some of the engines
were not found (is_success is not depending on this logic, it's an additional
message for invalid engines): "The following whitelisted engines were not
found in VirusTotal:\n{0}".(engine names) Async
message: "Waiting for action to retrieve results for the
following URLs:\n{0}".format(unprocessed urls)
If the "Engine Percentage Threshold" parameter is greater than 100 or less than 0 or not integer: "Error executing action "{action name}". Reason: value for the parameter "Engine Percentage Threshold" is invalid. Please check it. The value should be in range from 0 to 100. If neither the "Engine Percentage Threshold" parameter nor the "Engine Threshold" parameter is provided: "Error executing action "{action name}". Reason: either "Engine Threshold" or "Engine Percentage Threshold" should be provided. |
General |
| CSV Table | Table Name: Entity.identifier Table Columns:
|
Entity |
| Case Wall Table | Table Name: "Comments: {0}".format(entity identifier) Table Columns:
|
General |
| Links | Name: Report Link Value: {report link} |
Entity |
Enrich Hash
Enrich hash using information from VirusTotal.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Engine Threshold | Integer | N/A | No | Specify the number of engines that should mark the entity as malicious or suspicious, for Google Security Operations SOAR to label it as suspicious. Note: If the "Engine Whitelist" parameter contains values, the action only counts results from those engines. |
| Engine Whitelist | CSV | N/A | No | Specify a comma-separated list of engines that should be used to retrieve information, whether an entity is malicious or not. Example: AlienVault,Kaspersky. Note: If nothing is specified in this parameter, the action takes results from every available engine. If the engine doesn't return any information about the entity, it won't be counted for the "Engine Threshold" and "Engine Percentage Threshold" parameters. |
| Retrieve Comments | Checkbox | Checked | No | If enabled, the action retrieves comments about the entity. |
| Retrieve Sigma Analysis | Checkbox | Checked | No | If enabled, the action retrieves sigma analysis for the hash. |
| Fetch MITRE Details | Bool | False | No | If enabled, action will return information about related MITRE techniques and tactics. |
| Lowest MITRE Technique Severity | DDL | Low Possible values:
|
No | Specify the lowest signature severity related to MITRE technique for
technique to be returned. Unknown severity is treated as Info. |
| Only Suspicious Entity Insight | Checkbox | Unchecked | No | If enabled, the action only creates an insight for suspicious entities. |
| Max Comments To Return | Integer | N/A | No | Specify the number of comments to return. |
| Engine Percentage Threshold | Integer | N/A | No | Specify the percentage of engines that should mark the entity as malicious or suspicious, for Google Security Operations SOAR to label it as suspicious. Note: If the "Engine Whitelist" parameter contains values, the action only counts the percentage from those engines. If both "Engine Threshold" and "Engine Percentage Threshold" are provided, the "Engine Threshold" parameter is used. Maximum value: 100 Minimum value: 0 |
| Resubmit Hash | Checkbox | Unchecked | No | If enabled, the action resubmits hashes for analysis instead of using the latest information. |
| Resubmit After (Days) | Integer | 30 | No | Specify the number of days since the last submission for the entity to be resubmitted. Note: The "Resubmit URL" parameter needs to be enabled. |
| Sandbox | CSV | VirusTotal Jujubox | No | Specify a comma-separated list of sandbox names that should be used for behavior analysis. If nothing is provided, the action uses the "VirusTotal Jujubox" sandbox. Make sure that the spelling is correct. Examples of sandboxes: VirusTotal Jujubox, VirusTotal ZenBox, Microsoft Sysinternals, Tencent HABO. |
| Retrieve Sandbox Analysis | Checkbox | Checked | No | If enabled, the action fetches sandbox analysis for the entity. For each sandbox, the action creates a separate section in the JSON result. The action only returns data for the sandboxes that are provided in the "Sandbox" parameter. |
| Create Insight | Checkbox | Checked | No | Specify the number of comments to return. |
| Fetch Widget | Checkbox | Checked | No | If enabled, the action fetches augmented widget related to the entity. |
Run on
This action runs on the Hash entity.
Action results
Script result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
{
"data": {
{
"data": {
"attributes": {
"categories": {
"Dr.Web": "known infection source/not recommended site",
"Forcepoint ThreatSeeker": "compromised websites",
"sophos": "malware repository, spyware and malware"
},
"first_submission_date": 1582300443,
"html_meta": {},
"last_analysis_date": 1599853405,
"last_analysis_results": {
"EXAMPLELabs": {
"category": "harmless",
"engine_name": "EXAMPLELabs",
"method": "blacklist",
"result": "clean"
},
"Example": {
"category": "harmless",
"engine_name": "Example",
"method": "blacklist",
"result": "clean"
},
},
"last_analysis_stats": {
"harmless": 64,
"malicious": 6,
"suspicious": 1,
"timeout": 0,
"undetected": 8
},
"last_final_url": "http://203.0.113.1/input/?mark=20200207-healthybitesforlife.com/31mawe&tpl=example&engkey=bar+chart+click+event",
"last_http_response_code": 404,
"last_http_response_content_length": 204,
"last_http_response_content_sha256": "58df637d178e35690516bda9e41e245db836170f046041fdebeedd20eca61d9d",
"last_http_response_headers": {
"connection": "keep-alive",
"content-length": "204",
"content-type": "text/html; charset=iso-8859-1",
"date": "Fri, 11 Sep 2020 19:51:50 GMT",
"keep-alive": "timeout=60",
"server": "nginx"
},
"last_modification_date": 1599853921,
"last_submission_date": 1599853405,
"reputation": 0,
"tags": [
"ip"
],
"targeted_brand": {},
"threat_names": [
"Mal/HTMLGen-A"
],
"times_submitted": 3,
"title": "404 Not Found",
"total_votes": {
"harmless": 0,
"malicious": 0
},
"trackers": {},
"url": "http://203.0.113.1/input/?mark=20200207-healthybitesforlife.com/31mawe&tpl=example&engkey=bar+chart+click+event"
},
"id": "05ef858c49887ce761de6b24bafb0461175acea385e3f4e8b114b043b7013981",
"links": {
"self": "https://www.virustotal.com/api/v3/urls/05ef858c49887ce761de6b24bafb0461175acea385e3f4e8b114b043b7013981"
},
"type": "url",
"comments": [
"text": "attributes/text",
"date": "attributes/date"
]
}
"is_risky": true
"related_mitre_techniques": [{"id": "T1071", "name": "", "severity": ""}],
"related_mitre_tactics": [{"id":"TA0011", "name": ""}]
}
Entity enrichment
| Enrichment Field Name | Logic - When to apply |
|---|---|
| VT3_id | When available in JSON |
| VT3_magic | When available in JSON |
| VT3_md5 | When available in JSON |
| VT3_sha1 | When available in JSON |
| VT3_sha256 | When available in JSON |
| VT3_ssdeep | When available in JSON |
| VT3_tlsh | When available in JSON |
| VT3_vhash | When available in JSON |
| VT3_meaningful_name | When available in JSON |
| VT3_magic | When available in JSON |
| VT3_harmless_count | When available in JSON |
| VT3_malicious_count | When available in JSON |
| VT3_suspicious_count | When available in JSON |
| VT3_undetected_count | When available in JSON |
| VT3_reputation | When available in JSON |
| VT3_tags | When available in JSON |
| VT3_malicious_vote_count | When available in JSON |
| VT3_harmless_vote_count | When available in JSON |
| VT3_report_link | When available in JSON |
Case wall
| Result type | Value/Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If enriched some hashes (is_success = true):
"Successfully enriched the following hashes using VirusTotal:
\n".format(entity.identifier) If didn't enrich some hashes (is_success = true): "Action wasn't able to enrich the following hashes using VirusTotal:\n".format(entity.identifier) If didn't enrich any hashes (is_success = false): "No hashes were enriched". If some of the engines were not found (is_success is not depending on this logic, it's an additional message for invalid engines): "The following whitelisted engines were not found in VirusTotal:\n{0}".(engine names) The action should fail and stop a playbook execution:
If the "Engine Percentage Threshold" parameter is > 100 or < 0 or not integer: "Error executing action "{action name}". Reason: value for the parameter "Engine Percentage Threshold" is invalid. Please check it. The value should be in range from 0 to 100. If neither the "Engine Percentage Threshold" parameter nor the "Engine Threshold" parameter is provided: "Error executing action "{action name}". Reason: either "Engine Threshold" or "Engine Percentage Threshold" should be provided. |
General |
| Case Wall Table | Table Name: Entity.identifier Table Columns:
|
Entity |
| Case Wall Table | Table Name: "Comments: {0}".format(entity identifier) Table Columns:
|
General |
| Links | Name: Report Link Value: {report link} |
Entity |
| Case Wall Table | Table Name: Sigma Analysis: {entity.identifier} Table Columns:
|
General |
Get Domain Details
Get detailed information about the domain using information from VirusTotal.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Engine Threshold | Integer | N/A | No | Specify the number of engines that should mark the entity as malicious or suspicious, for Google Security Operations SOAR to label it as suspicious. Note: If the "Engine Whitelist" parameter contains values, the action only counts results from those engines. |
| Engine Whitelist | CSV | N/A | No | Specify a comma-separated list of engines that should be used to retrieve information, whether an entity is malicious or not. Example: AlienVault,Kaspersky. Note: If nothing is specified in this parameter, the action takes results from every available engine. If the engine doesn't return any information about the entity, it won't be counted for the "Engine Threshold" and "Engine Percentage Threshold" parameters." |
| Retrieve Comments | Checkbox | Checked | No | If enabled, the action retrieves comments about the entity. |
| Max Comments To Return | Integer | 10 | No | Specify the number of comments to return. |
| Engine Percentage Threshold | Integer | N/A | No | Specify the percentage of engines that should mark the entity as malicious or suspicious, for Google Security Operations SOAR to label it as suspicious. Note: If the "Engine Whitelist" parameter contains values, the action only counts the percentage from those engines. If both "Engine Threshold" and "Engine Percentage Threshold" are provided, the "Engine Threshold" parameter is used. Maximum value: 100 Minimum value: 0 |
| Create Insight | Checkbox | Checked | No | If enabled, the action creates an insight containing information about the entities. |
| Only Suspicious Entity Insight | Checkbox | Unchecked | No | If enabled, the action only creates an insight for suspicious entities. |
| Fetch Widget | Checkbox | Checked | No | If enabled, the action fetches augmented widget related to the entity. |
Run on
This action runs on the following entities:
- URL
- Hostname
Action results
Script result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
{
"data": {
{
"data": {
"attributes": {
"categories": {
"Dr.Web": "known infection source/not recommended site",
"Forcepoint ThreatSeeker": "compromised websites",
"sophos": "malware repository, spyware and malware"
},
"first_submission_date": 1582300443,
"html_meta": {},
"last_analysis_date": 1599853405,
"last_analysis_results": {
"EXAMPLELabs": {
"category": "harmless",
"engine_name": "EXAMPLELabs",
"method": "blacklist",
"result": "clean"
},
"Example": {
"category": "harmless",
"engine_name": "Example",
"method": "blacklist",
"result": "clean"
},
},
"last_analysis_stats": {
"harmless": 64,
"malicious": 6,
"suspicious": 1,
"timeout": 0,
"undetected": 8
},
"last_final_url": "http://203.0.113.1/input/?mark=20200207-healthybitesforlife.com/31mawe&tpl=example&engkey=bar+chart+click+event",
"last_http_response_code": 404,
"last_http_response_content_length": 204,
"last_http_response_content_sha256": "58df637d178e35690516bda9e41e245db836170f046041fdebeedd20eca61d9d",
"last_http_response_headers": {
"connection": "keep-alive",
"content-length": "204",
"content-type": "text/html; charset=iso-8859-1",
"date": "Fri, 11 Sep 2020 19:51:50 GMT",
"keep-alive": "timeout=60",
"server": "nginx"
},
"last_modification_date": 1599853921,
"last_submission_date": 1599853405,
"reputation": 0,
"tags": [
"ip"
],
"targeted_brand": {},
"threat_names": [
"Mal/HTMLGen-A"
],
"times_submitted": 3,
"title": "404 Not Found",
"total_votes": {
"harmless": 0,
"malicious": 0
},
"trackers": {},
"url": "http://203.0.113.1/input/?mark=20200207-healthybitesforlife.com/31mawe&tpl=example&engkey=bar+chart+click+event"
},
"id": "05ef858c49887ce761de6b24bafb0461175acea385e3f4e8b114b043b7013981",
"links": {
"self": "https://www.virustotal.com/api/v3/urls/05ef858c49887ce761de6b24bafb0461175acea385e3f4e8b114b043b7013981"
},
"type": "url",
"comments": [
"text": "attributes/text",
"date": "attributes/date"
]
}
"is_risky": true
}
Case wall
| Result type | Value/Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution:
If enriched some (is_success = true): "Successfully returned
details about the following domains using VirusTotal:\n".format(domain part of
the entity.identifier) If didn't enrich some (is_success = true):
"Action wasn't able to return details about the following domains using
VirusTotal:\n".format(domain part of the entity.identifier) If
didn't enrich all (is_success = false): "No hashes were enriched". If some of the engines are not found (is_success is not depending on this
logic, it's an additional message for invalid engines): "The following
whitelisted engines were not found in VirusTotal:\n{0}".(engine names) The action should fail and stop a playbook execution: If fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Enrich Hash". Reason: {0}''.format(error.Stacktrace) If the "Engine Percentage Threshold" parameter is > 100 or < 0 or not integer: "Error executing action "{action name}". Reason: value for the parameter "Engine Percentage Threshold" is invalid. Please check it. The value should be in range from 0 to 100. If neither the "Engine Percentage Threshold" parameter nor the "Engine Threshold" parameter is provided: "Error executing action "{action name}". Reason: either "Engine Threshold" or "Engine Percentage Threshold" should be provided. |
General |
| Case Wall Table | Table Name: entity.identifier Table Columns:
|
General |
| Case Wall Table | Table Name: "Comments: {0}".format(domain part of the entity identifier) Table Columns:
|
General |
| Links | Name: "Report Link: {0}".(domain part of the entity) Value: {report link} |
General |
Submit File
Submit a file and return results from VirusTotal.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| File Paths | CSV | N/A | Yes | Specify a comma-separated list of absolute file paths. Note: If the "Linux Server Address" parameter is specified, the action tries to fetch the file from the remote server. |
| Private Submission | Bool | False | No | If enabled, action will submit the file privately. Note: this functionality requires premium VT access. |
| Engine Threshold | Integer | N/A | No | Specify the number of engines that should mark the entity as malicious or suspicious, for Google Security Operations SOAR to label it as suspicious. Note: If the "Engine Whitelist" parameter contains values, the action only counts results from those engines. |
| Engine Whitelist | CSV | N/A | No | Specify a comma-separated list of engines that should be used to retrieve information, whether an entity is malicious or not. Example: AlienVault,Kaspersky. Note: If nothing is specified in this parameter, the action takes results from every available engine. If the engine doesn't return any information about the entity, it won't be counted for the "Engine Threshold" and "Engine Percentage Threshold" parameters. |
| Retrieve Comments | Checkbox | Checked | No | If enabled, the action retrieves comments about the entity. |
| Fetch MITRE Details | Bool | False | No | If enabled, action will return information about related MITRE techniques and tactics. |
| Lowest MITRE Technique Severity | DDL | Low Possible values:
|
No | Specify the lowest signature severity related to MITRE technique for the
technique to be returned. Unknown severity is treated as Info. |
| Retrieve AI Summary | Checkbox | Unhecked | No | Experimental. If enabled, the action retrieves an AI summary for the submitted file. AI Summary is only available for private submissions. |
| Retrieve Sigma Analysis | Checkbox | Checked | No | If enabled, the action retrieves sigma analysis for the file. |
| Max Comments To Return | Integer | 50 | No | Specify the number of comments to return. |
| Linux Server Address | String | N/A | No | Specify the IP address of the remote linux server, where the file is located. |
| Linux Username | String | N/A | No | Specify the username of the remote linux server, where the file is located. |
| Linux Password | Password | N/A | No | Specify the password of the remote linux server, where the file is located. |
| Engine Percentage Threshold | Integer | N/A | No | Specify the percentage of engines that should mark the entity as malicious or suspicious, for Google Security Operations SOAR to label it as suspicious. Note: If the "Engine Whitelist" parameter contains values, the action only counts the percentage from those engines. If both "Engine Threshold" and "Engine Percentage Threshold" are provided, the "Engine Threshold" parameter is used. Maximum value: 100. Minimum value: 0. |
Run on
This action doesn't run on entities.
Action results
Script result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON result
{
"data": {
"attributes": {
"categories": {
"Dr.Web": "known infection source/not recommended site",
"Forcepoint ThreatSeeker": "compromised websites",
"sophos": "malware repository, spyware and malware"
},
"first_submission_date": 1582300443,
"html_meta": {},
"last_analysis_date": 1599853405,
"last_analysis_results": {
"EXAMPLELabs": {
"category": "harmless",
"engine_name": "EXAMPLELabs",
"method": "blacklist",
"result": "clean"
},
"Example": {
"category": "harmless",
"engine_name": "Example",
"method": "blacklist",
"result": "clean"
},
},
"last_analysis_stats": {
"harmless": 64,
"malicious": 6,
"suspicious": 1,
"timeout": 0,
"undetected": 8
},
"last_final_url": "http://203.0.113.1/input/?mark=20200207-healthybitesforlife.com/31mawe&tpl=example&engkey=bar+chart+click+event",
"last_http_response_code": 404,
"last_http_response_content_length": 204,
"last_http_response_content_sha256": "58df637d178e35690516bda9e41e245db836170f046041fdebeedd20eca61d9d",
"last_http_response_headers": {
"connection": "keep-alive",
"content-length": "204",
"content-type": "text/html; charset=iso-8859-1",
"date": "Fri, 11 Sep 2020 19:51:50 GMT",
"keep-alive": "timeout=60",
"server": "nginx"
},
"last_modification_date": 1599853921,
"last_submission_date": 1599853405,
"reputation": 0,
"tags": [
"ip"
],
"targeted_brand": {},
"threat_names": [
"Mal/HTMLGen-A"
],
"times_submitted": 3,
"title": "404 Not Found",
"total_votes": {
"harmless": 0,
"malicious": 0
},
"trackers": {},
"url": "http://203.0.113.1/input/?mark=20200207-healthybitesforlife.com/31mawe&tpl=example&engkey=bar+chart+click+event"
},
"id": "05ef858c49887ce761de6b24bafb0461175acea385e3f4e8b114b043b7013981",
"links": {
"self": "https://www.virustotal.com/api/v3/urls/05ef858c49887ce761de6b24bafb0461175acea385e3f4e8b114b043b7013981"
},
"type": "url",
"comments": [
"text": "attributes/text",
"date": "attributes/date"
]
}
"is_risky": true
}
Case wall
| Result type | Value/Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution:
If enriched some entities (is_success = true):
"Successfully returned details about the following files using
VirusTotal:\n".format(filepaths) If didn't enrich some entities
(is_success = true): "Action wasn't able to return details about the
following domains using VirusTotal:\n".format(filepaths) If didn't
enrich all entities (is_success = false): "No details about the files were
retrieved". If some of the engines were not found (is_success is
not depending on this logic, it's an additional message for invalid
engines): "The following whitelisted engines were not found in
VirusTotal:\n{0}".(engine names) Async message: "Waiting for
results for the following files:\n{0}".format(filepaths) The
action should fail and stop a playbook execution: If fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Submit File". Reason: {0}''.format(error.Stacktrace) |
General |
| Case Wall Table | Table Name: "Results: {0}".format(filepath) Table Columns:
|
General |
| Case Wall Table | Table Name: "Comments: {0}".format(filepath) Table Columns:
|
General |
| Links | Name: "Report Link: {0}".format(filepath) Value: {report link} |
General |
| Case Wall Table | Table Name: Sigma Analysis: {entity.identifier} Table Columns:
|
General |
Get Related URLs
Get related URLs to the provided entities from VirusTotal.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Results | DDL | Combined Possible values:
|
No | Specify how the JSON result should look like. If "Combined" is selected, the action returns all of the unique results that were found among the provided entities. If "Per Entity" is selected, the action returns all of the unique items per entity. |
| Max URLs To Return | Integer | 40 | No | Specify the number of URLs to return. Depending on the "Results" parameter value, this parameter will behave differently. If "Combined" is selected, this parameter defines the number of results to return from all entities. If "Per Entity" is selected, the parameter dictates the number of results to return per entity. |
Run on
This action runs on the following entities:
- URL
- IP Address
- Hash
- jsHostname
Action results
Script result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON result
{
"urls": ["http://example.com",]
}
Case wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message\* | The action should not fail nor stop a playbook execution: If at least one URL is found (is_success = true): "Successfully
returned related URLs to the provided entities from VirusTotal." If fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Get Related URLs". Reason: {0}''.format(error.Stacktrace) |
General |
Get Related IPs
Get related IPs to the provided entities from VirusTotal.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Results | DDL | Combined Possible values:
|
No | Specify how the JSON result should look like. If "Combined" is selected, the action returns all of the unique results that were found among the provided entities. If "Per Entity" is selected, the action returns all of the unique items per entity. |
| Max IPs To Return | Integer | 40 | No | "Specify the number of IPs to return. Depending on the "Results" parameter value, this parameter will behave differently. If "Combined" is selected, this parameter defines the number of results to return from all entities. If "Per Entity" is selected, the parameter dictates the number of results to return per entity. |
Run on
This action runs on the entities:
- URL
- Hash
- Hostname
Action results
Script result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
{
"ips": ["203.0.113.0",]
}
Case wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If at least one IP is found (is_success = true): "Successfully
returned related IPs to the provided entities from VirusTotal. The action should fail and stop a playbook execution: If fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Get Related IPs". Reason: {0}''.format(error.Stacktrace) |
General |
Get Related Domains
Get related domains to the provided entities from VirusTotal.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Results | DDL | Combined Possible values
|
No | Specify how the JSON result should look like. If "Combined" is selected, the action returns all of the unique results that were found among the provided entities. If "Per Entity" is selected, the action returns all of the unique items per entity. |
| Max Domains To Return | Integer | 40 | No | Specify the number of domains to return. Depending on the "Results" parameter value, this parameter will behave differently. If "Combined" is selected, this parameter defines the number of results to return from all entities. If "Per Entity" is selected, the parameter dictates the number of results to return per entity. |
Run on
This action runs on the entities:
- URL
- IP
- Hash
- Hostname
Action results
Script result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON result
{
"domain": ["example.com",]
}
Case wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If at least one domain is found (is_success=true): "Successfully
returned related domains to the provided entities from VirusTotal. If fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Get Related Domains". Reason: {0}''.format(error.Stacktrace) |
General |
Get Related Hashes
Get related hashes to the provided entities from VirusTotal.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Results | DDL | Combined Possible values:
|
No | Specify how the JSON result should look like. If "Combined" is selected, the action returns all of the unique results that were found among the provided entities. If "Per Entity" is selected, the action returns all of the unique items per entity. |
| Max Hashes To Return | Integer | 40 | No | Specify the number of hashes to return. Depending on the "Results" parameter value, this parameter will behave differently. If "Combined" is selected, this parameter defines the number of results to return from all entities. If "Per Entity" is selected, the parameter dictates the number of results to return per entity. |
Run on
This action runs on the entities:
- URL
- IP Address
- Hash
- Hostname
Action results
Script result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON result
{
"sha256_hashes": ["http://example.com",]
}
Case wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If at least one hash is found (is_success=true): "Successfully
returned related hashes to the provided entities from VirusTotal. If fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Get Related Hashes". Reason: {0}''.format(error.Stacktrace) |
General |
Search Graphs
Search graphs based on custom filters in VirusTotal.
How to construct the query
There are a set of multiple modifiers that you can use to refine your search results. You can combine all of them together and use them in conjunction with AND, OR and NOT operators.
Date and numeric fields support the suffix plus or minus to match values greater or less than the passed value. If not sign has been added to the modifier, you will get exact matches. You can use more than once the same modifier in the same query to define ranges: creation_date:2018-11-1+ creation_date:2018-11-12- will match graphs created between 2018-11-1 and 2018-11-22.
Graph-related modifiers
| Modifier | Description | Example |
|---|---|---|
| Id | Filters by graph identifier. | id:g675a2fd4c8834e288af |
| Name | Filters by graph name. | name:Example-name |
| Owner | Filters by graphs owned by user. | owner:example_user |
| Group | Filters by graphs owned by group. | group:example |
| Visible_to_user | Filters by graphs visible to user. | visible_to_user:example_user |
| Visible_to_group | Filters by graphs visible to group. | visible_to_group:example |
| Private | Filters by private graphs. | private:true, private:false |
| Creation_date | Filters by the graph creation date. | creation_date:2018-11-1 |
| last_modified_date | Filters by the last date the graph was modified. | last_modified_date:2018-11-12 |
| Total_nodes | Filters by graphs containing some amount of nodes. | total_nodes:100 |
| Comments_count | Filter by the number of comments of the graph. | comments_count:10+ |
| Views_count | Filter by the number of graph views. | views_count:1000+ |
Graph-related modifiers
| Modifier | Description | Example |
|---|---|---|
| Label | Filters by graphs containing nodes with a specific label | label:Kill switch |
| File | Filters by graphs containing the file. | file:131f95c51cc819465fa17 |
| Domain | Filters by graphs containing the domain. | domain:example.com |
| Ip_address | Filters by graphs containing the ip address. | ip_address:203.0.113.1 |
| Url | Filters by graphs containing the url. | url:https://example.com/example/ |
| Actor | Filters by graphs containing the actor. | actor:example actor |
| Victim | Filters by graphs containing the victim. | victim:example_user |
| Filters by graphs containing the email. | email:user@example.com | |
| Department | Filters by graphs containing the department. | department:engineers |
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Query | String | N/A | Yes | Specify the query filter for the graph. Please refer to the documentation portal for more details. |
| Sort Field | DDL | Name Possible values:
|
No | Specify the sort field. |
| Max Graphs To Return | Integer | 10 | No | Specify the number of graphs to return. |
Run on
This action doesn't run on entities.
Action results
Script result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON result
{
"data": [
{
"attributes": {
"graph_data": {
"description": "EXAMPLE",
"version": "5.0.0"
}
},
"id": "g304a40e2b2fe4641a5648286fcf8be249d48d2c7c1d64d02a7b1cfe6e09f562d",
"links": {
"self": "https://www.virustotal.com/api/v3/graphs/g304a40e2b2fe4641a5648286fcf8be249d48d2c7c1d64d02a7b1cfe6e09f562d"
},
"type": "graph"
},
{
"attributes": {
"graph_data": {
"description": "Example Feb2020",
"version": "5.0.0"
}
},
"id": "gb942e956b3764e3395859a0e0c29258b731bef6d8dc049618c6c66b5897259c1",
"links": {
"self": "https://www.virustotal.com/api/v3/graphs/gb942e956b3764e3395859a0e0c29258b731bef6d8dc049618c6c66b5897259c1"
},
"type": "graph"
}
],
"links": {
"next": "https://www.virustotal",
"self": "https://www.virustotal.com/api/v3/graphs?filter=ip_address:203.0.113.3%20OR%20file:b345697c16f84d3775924dc17847fa3ff61579ee793a95248e9c4964da586dd1&order=last_modified_date&limit=2&attributes=graph_data"
},
"meta": {
"cursor": "True:CsEGCo0CCusBAP8_vihw3_S_"
}
}
Case wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If at least one graph is returned (is_success = true): "Successfully returned graphs for the provided query in VirusTotal". If the 400 static code is reported (is_success = false): "Action wasn't able to successfully return graph for the provided query in VirusTotal. Reason: {0}.".format(error/message from the response) If there is no
information for query (is_success = false): "No graphs were found for the
provided query.". If fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Search Graphs". Reason: {0}''.format(error.Stacktrace) |
General |
Search Entity Graphs
Search graphs based on the entities in VirusTotal.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Sort Field | DDL | Name Possible values:
|
No | Specify the sort field. |
| Max Graphs To Return | Integer | 10 | No | Specify the number of graphs to return. |
Run on
This action runs on the entities:
- Hash
- URL
- Threat Actor
- IP Address
- User
Action results
Script result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON result
{
"data": [
{
"attributes": {
"graph_data": {
"description": "EXAMPLE",
"version": "5.0.0"
}
},
"id": "g304a40e2b2fe4641a5648286fcf8be249d48d2c7c1d64d02a7b1cfe6e09f562d",
"links": {
"self": "https://www.virustotal.com/api/v3/graphs/g304a40e2b2fe4641a5648286fcf8be249d48d2c7c1d64d02a7b1cfe6e09f562d"
},
"type": "graph"
},
{
"attributes": {
"graph_data": {
"description": "Example Feb2020",
"version": "5.0.0"
}
},
"id": "gb942e956b3764e3395859a0e0c29258b731bef6d8dc049618c6c66b5897259c1",
"links": {
"self": "https://www.virustotal.com/api/v3/graphs/gb942e956b3764e3395859a0e0c29258b731bef6d8dc049618c6c66b5897259c1"
},
"type": "graph"
}
],
"links": {
"next": "https://www.virustotal",
"self": "https://www.virustotal.com/api/v3/graphs?filter=ip_address:203.0.113.3%20OR%20file:b345697c16f84d3775924dc17847fa3ff61579ee793a95248e9c4964da586dd1&order=last_modified_date&limit=2&attributes=graph_data"
},
"meta": {
"cursor": "True:CsEGCo0CCusBAP8_vihw3_S_"
}
}
Case wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If at least one graph is returned (is_success = true): "Successfully returned graphs based on the provided entities in VirusTotal". If the 400 static code is reported (is_success = false): "Action
wasn't able to successfully return graph based on the provided entities on
VirusTotal. Reason: {0}.".format(error/message from the response) If there is no information for query (is_success = false): "No graphs were found for the provided entities". The action should fail and stop a playbook execution: If fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Search Entity Graphs". Reason: {0}''.format(error.Stacktrace) |
General |
Search IOCs
Search for IOCs in the VirusTotal's dataset using the same query syntax that you would use in the VirusTotal Intelligence user interface.
Entities
This action doesn't run on entities.
Action inputs
To configure the action, use the following parameters:
| Parameters | |
|---|---|
| Query | Required
The query specified according to the VirusTotal query search syntax. Default value is |
| Create Entities | Optional
If enabled, action will create entities for the returned IOCs. Disabled by default. |
| Order By | Required
The order specified by the selected field in which results are returned. Default value is
|
| Sort Order | Optional
Order to return the results in. If the Default value is
|
| Max IOCs To Return | Optional
The number of IOCs to return. Max value is 300. Default value is 10. |
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | N/A |
| Enrichment table | N/A |
| Entity insight | N/A |
| Insight | N/A |
| JSON result | Available |
| OOTB widget | N/A |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
JSON result
{
"data": [
{
"attributes": {
"type_description": "Email",
"tlsh": "T1B4D31F04BE452B3093E7238E064E6FDBAFCC135F6611F1C60881AAD6C5C77A2E57D689",
"exiftool": {
"MIMEType": "text/plain",
"FileType": "TXT",
"WordCount": "2668",
"LineCount": "1820",
"MIMEEncoding": "us-ascii",
"FileTypeExtension": "txt",
"Newlines": "Windows CRLF"
},
"type_tags": [
"internet",
"email"
],
"threat_severity": {
"threat_severity_level": "SEVERITY_HIGH",
"threat_severity_data": {
"num_gav_detections": 3,
"has_vulnerabilities": true,
"popular_threat_category": "trojan",
"type_tag": "email",
"has_embedded_ips_with_detections": true
},
"last_analysis_date": "1698050597",
"version": 2,
"level_description": "Severity HIGH because it was considered trojan. Other contributing factors were that it has known exploits, it contains embedded IPs with detections and it could not be run in sandboxes."
},
"names": [
"Re Proforma Invoice.eml"
],
"last_modification_date": 1698057197,
"type_tag": "email",
"times_submitted": 1,
"total_votes": {
"harmless": 0,
"malicious": 0
},
"size": 132299,
"popular_threat_classification": {
"suggested_threat_label": "obfsobjdat/malformed",
"popular_threat_name": [
{
"count": 8,
"value": "obfsobjdat"
},
{
"count": 2,
"value": "malformed"
}
]
},
"last_submission_date": 1698049979,
"last_analysis_results": {
"Bkav": {
"category": "undetected",
"engine_name": "Example1",
"engine_version": "2.0.0.1",
"result": null,
"method": "blacklist",
"engine_update": "20231023"
},
"Lionic": {
"category": "undetected",
"engine_name": "Example2",
"engine_version": "7.5",
"result": null,
"method": "blacklist",
"engine_update": "20231023"
},
.
.
.
},
"downloadable": true,
"trid": [
{
"file_type": "file seems to be plain text/ASCII",
"probability": 0
}
],
"sha256": "2d9df36964fe2e477e6e0f7a73391e4d4b2eeb0995dd488b431c4abfb4c27dbf",
"type_extension": "eml",
"tags": [
"exploit",
"cve-2018-0802",
"cve-2018-0798",
"email",
"cve-2017-11882"
],
"last_analysis_date": 1698049979,
"unique_sources": 1,
"first_submission_date": 1698049979,
"ssdeep": "768:MedEkBNnx8ueVV+fitChi9KbpK0fixbRwHbcElIK944tCVQOgzdsSuom+cWmsCGY:Meo+fitC0mKuixYxlI1OO1cSPo0gptA",
"md5": "bdfe36052e0c083869505ef4fd77e865",
"sha1": "3a350de97009efe517ceffcea406534bb1ab800c",
"magic": "SMTP mail, ASCII text, with CRLF line terminators",
"last_analysis_stats": {
"harmless": 0,
"type-unsupported": 16,
"suspicious": 0,
"confirmed-timeout": 0,
"timeout": 0,
"failure": 0,
"malicious": 28,
"undetected": 32
},
"meaningful_name": "Re Proforma Invoice.eml",
"reputation": 0
},
"type": "file",
"id": "example-id",
"links": {
"self": "example_url"
}
},
.
.
.
]
}
Case wall
| Output message | Message description |
|---|---|
| Successfully returned IOCs based on the provided query from VirusTotal. | The action is successful. |
The following IOCs were not created as new entities, as they already
exist in the system: LIST_OF_IOCS |
The action is successful. |
| No IOCs were found for the provided query. | No information found for the submitted query. |
Error executing action "Search IOCs". |
The action returned an error. Check credentials or connection to the server. |
Get Graph Details
Get detailed information about graphs in VirusTotal.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Graph ID | CSV | N/A | Yes | Specify a comma-separated list of graph IDs for which you want to retrieve detailed information. |
| Max Links To Return | Integer | 50 | No | Specify the number of links to return. |
Run on
This action doesn't run on entities.
Action results
Script result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON result
{
"data": {
"attributes": {
"comments_count": 0,
"creation_date": 1603219837,
"graph_data": {
"description": "Example LLC",
"version": "api-5.0.0"
},
"last_modified_date": 1603219837,
"links": [
{
"connection_type": "last_serving_ip_address",
"source": "ea241b193c1bd89f999db9231359e7479bc2f05105ce43964955068c5d7c4671",
"target": "relationships_last_serving_ip_address_ea241b193c1bd89f999db9231359e7479bc2f05105ce43964955068c5d7c4671"
},
{
"connection_type": "last_serving_ip_address",
"source": "relationships_last_serving_ip_address_ea241b193c1bd89f999db9231359e7479bc2f05105ce43964955068c5d7c4671",
"target": "203.0.113.3"
},
{
"connection_type": "network_location",
"source": "ea241b193c1bd89f999db9231359e7479bc2f05105ce43964955068c5d7c4671",
"target": "relationships_network_location_ea241b193c1bd89f999db9231359e7479bc2f05105ce43964955068c5d7c4671"
},
{
"connection_type": "network_location",
"source": "relationships_network_location_ea241b193c1bd89f999db9231359e7479bc2f05105ce43964955068c5d7c4671",
"target": "203.0.113.3"
},
{
"connection_type": "communicating_files",
"source": "203.0.113.3",
"target": "relationships_communicating_files_20301133"
},
{
"connection_type": "communicating_files",
"source": "relationships_communicating_files_20301133",
"target": "4935cc8a4ff76d595e1bfab9fd2e6aa0f7c2fea941693f1ab4586eaba1528f47"
},
{
"connection_type": "communicating_files",
"source": "relationships_communicating_files_20301133",
"target": "c975794ff65c02b63fae1a94006a75294aac13277ca464e3ea7e40de5eda2b14"
},
{
"connection_type": "communicating_files",
"source": "relationships_communicating_files_20301133",
"target": "c7752154a2e894a4dec84833bee656357f4b84a9c7f601f586f79de667d8fe5c"
},
{
"connection_type": "communicating_files",
"source": "relationships_communicating_files_20301133",
"target": "692bb2ed1da43b0408c104b4ca4b4e97e15f3224e37dbea60214bcd991a2cfd3"
},
{
"connection_type": "communicating_files",
"source": "relationships_communicating_files_20301133",
"target": "74273ef55d8b7d23f7b058c7e47f3cbaf60c823a3e41ffb10e494917bad77381"
},
{
"connection_type": "communicating_files",
"source": "relationships_communicating_files_20301133",
"target": "f4f2f17c4df1b558cb80c8eab3edf5198970e9d87bd03943d4c2effafb696187"
},
{
"connection_type": "communicating_files",
"source": "relationships_communicating_files_20301133",
"target": "5edc8496869697aa229540bd6106b6679f6cfcbc6ee4837887183f470b49acb5"
},
{
"connection_type": "communicating_files",
"source": "relationships_communicating_files_20301133",
"target": "1582da57cb082d3f6835158133aafb5f3b8dcc880a813be135a0ff8099cf0ee8"
},
{
"connection_type": "communicating_files",
"source": "relationships_communicating_files_20301133",
"target": "be4ccb1ca71a987f481c22a1a43de491353945d815c89cbcc06233d993ac73cf"
},
{
"connection_type": "communicating_files",
"source": "relationships_communicating_files_20301133",
"target": "60bb6467ee465f23a15f17cd73f7ecb9db9894c5a3186081a1c70fdc6e7607d6"
}
],
"nodes": [
{
"entity_attributes": {
"has_detections": false
},
"entity_id": "ea241b193c1bd89f999db9231359e7479bc2f05105ce43964955068c5d7c4671",
"index": 0,
"text": "",
"type": "url",
"x": 51.22276722115952,
"y": 65.7811310194184
},
{
"entity_attributes": {},
"entity_id": "relationships_last_serving_ip_address_ea241b193c1bd89f999db9231359e7479bc2f05105ce43964955068c5d7c4671",
"index": 1,
"text": "",
"type": "relationship",
"x": 25.415664700492094,
"y": 37.66636498768037
},
{
"entity_attributes": {
"country": "US"
},
"entity_id": "203.0.113.3",
"fx": -19.03611541222395,
"fy": 24.958500220062717,
"index": 2,
"text": "",
"type": "ip_address",
"x": -19.03611541222395,
"y": 24.958500220062717
},
{
"entity_attributes": {},
"entity_id": "relationships_network_location_ea241b193c1bd89f999db9231359e7479bc2f05105ce43964955068c5d7c4671",
"index": 3,
"text": "",
"type": "relationship",
"x": 14.37403861978968,
"y": 56.85562691824892
},
{
"entity_attributes": {},
"entity_id": "relationships_communicating_files_20301133",
"index": 4,
"text": "",
"type": "relationship",
"x": -51.78097726144755,
"y": 10.087893225996158
},
{
"entity_attributes": {
"has_detections": true,
"type_tag": "peexe"
},
"entity_id": "4935cc8a4ff76d595e1bfab9fd2e6aa0f7c2fea941693f1ab4586eaba1528f47",
"index": 5,
"text": "",
"type": "file",
"x": -79.11606194776019,
"y": -18.475026322309112
},
{
"entity_attributes": {
"has_detections": true,
"type_tag": "peexe"
},
"entity_id": "c975794ff65c02b63fae1a94006a75294aac13277ca464e3ea7e40de5eda2b14",
"index": 6,
"text": "",
"type": "file",
"x": -64.80938048199627,
"y": 46.75892061191275
},
{
"entity_attributes": {
"has_detections": true,
"type_tag": "android"
},
"entity_id": "c7752154a2e894a4dec84833bee656357f4b84a9c7f601f586f79de667d8fe5c",
"index": 7,
"text": "",
"type": "file",
"x": -43.54064004476819,
"y": -28.547923020662786
},
{
"entity_attributes": {
"has_detections": true,
"type_tag": "android"
},
"entity_id": "692bb2ed1da43b0408c104b4ca4b4e97e15f3224e37dbea60214bcd991a2cfd3",
"index": 8,
"text": "",
"type": "file",
"x": -15.529860440278318,
"y": -2.068209789825876
},
{
"entity_attributes": {
"has_detections": true,
"type_tag": "android"
},
"entity_id": "74273ef55d8b7d23f7b058c7e47f3cbaf60c823a3e41ffb10e494917bad77381",
"index": 9,
"text": "",
"type": "file",
"x": -42.55971948293377,
"y": 46.937155845680415
},
{
"entity_attributes": {
"has_detections": true,
"type_tag": "html"
},
"entity_id": "f4f2f17c4df1b558cb80c8eab3edf5198970e9d87bd03943d4c2effafb696187",
"index": 10,
"text": "",
"type": "file",
"x": -62.447976875107706,
"y": -28.172418384729067
},
{
"entity_attributes": {
"has_detections": true,
"type_tag": "android"
},
"entity_id": "5edc8496869697aa229540bd6106b6679f6cfcbc6ee4837887183f470b49acb5",
"index": 11,
"text": "",
"type": "file",
"x": -89.0326649183805,
"y": -2.2638551448322484
},
{
"entity_attributes": {
"has_detections": true,
"type_tag": "android"
},
"entity_id": "1582da57cb082d3f6835158133aafb5f3b8dcc880a813be135a0ff8099cf0ee8",
"index": 12,
"text": "",
"type": "file",
"x": -26.35260716195174,
"y": -20.25669077264115
},
{
"entity_attributes": {
"has_detections": true,
"type_tag": "android"
},
"entity_id": "be4ccb1ca71a987f481c22a1a43de491353945d815c89cbcc06233d993ac73cf",
"index": 13,
"text": "",
"type": "file",
"x": -82.1415994911387,
"y": 34.89636762607467
},
{
"entity_attributes": {
"has_detections": true,
"type_tag": "android"
},
"entity_id": "60bb6467ee465f23a15f17cd73f7ecb9db9894c5a3186081a1c70fdc6e7607d6",
"index": 14,
"text": "",
"type": "file",
"x": -90.87738694680043,
"y": 16.374462198116138
}
],
"private": false,
"views_count": 30
},
"id": "g809b60eac9c042d39dc38cc8a1b3f2d104bc046616b24d67959ca2b7678cf839",
"links": {
"self": "https://www.virustotal.com/api/v3/graphs/g809b60eac9c042d39dc38cc8a1b3f2d104bc046616b24d67959ca2b7678cf839"
},
"type": "graph"
}
}
Case wall
| Result type | Value/Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If at least one graph is returned (is_success = true): "Successfully returned details about the following graphs in VirusTotal: {0}".format(graph ids) If at least one graph is returned
(is_success = true): "Action wasn't able to return details about the
following graphs in VirusTotal: {0}".format(graph ids) If there is
no information for all graphs (is_success = false): "No information about
the provided graphs was found". The action should fail and stop a playbook execution: If fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Get Graph Details". Reason: {0}''.format(error.Stacktrace) |
General |
| Case Wall Table | Table Name: "Graph {0} Links".format(graph_id) Table Columns: Source Target Connection Type |
General |
Download File
Download a file from VirusTotal.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Download Folder Path | String | N/A | Yes | Specify the path to the folder, where you want to store the files. |
| Overwrite | Checkbox | Checked | Yes | If enabled, the action overwrites the file with the same name. |
Run on
This action runs on the Hash entity.
Action results
Script result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON result
{"absolute_file_paths": ["file_path_1","file_path_2"]}
Case wall
| Result type | Value/Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution:
If at least one hash returned data (is_success = true): "Successfully returned related files for the following entities in VirusTotal: {entity.identifier}. If there is no data for a single hash (is_success = true): "No related files were found for the following entities in VirusTotal: {entity.identifier}. If there is no data for all hashes (is_success = false): "No related files were found for the provided entities in VirusTotal. The action should fail and stop a playbook execution: If fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Download File". Reason: {0}''.format(error.Stacktrace). If a file with the same name already exists, but "Overwrite" == false: "Error executing action "Download File". Reason: files with path {0} already exist. Please delete the files or set "Overwrite" to true." |
General |
Enrich IOC
Enrich IOCs using information from VirusTotal.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| IOC Type | DDL | Filehash Possible values:
|
No | Specify the type of the IOC. |
| IOCs | CSV | N/A | Yes | Specify a comma-separated list of IOCs for which you want to ingest data. |
| Fetch Widget | Checkbox | Checked | No | If enabled, the action fetches augmented widget related to the entity. |
Run on
This action doesn't run on entities.
Action results
Script result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
{
"ioc": {
"identifier": "203.0.113.1",
"details": {
"attributes": {
"categories": {
"Dr.Web": "known infection source/not recommended site",
"Forcepoint ThreatSeeker": "compromised websites",
"sophos": "malware repository, spyware and malware"
},
"first_submission_date": 1582300443,
"html_meta": {},
"last_analysis_date": 1599853405,
"last_analysis_results": {
"EXAMPLELabs": {
"category": "harmless",
"engine_name": "EXAMPLELabs",
"method": "blacklist",
"result": "clean"
},
"Example": {
"category": "harmless",
"engine_name": "Example",
"method": "blacklist",
"result": "clean"
}
},
"last_analysis_stats": {
"harmless": 64,
"malicious": 6,
"suspicious": 1,
"timeout": 0,
"undetected": 8
},
"last_final_url": "http://203.0.113.1/input/?mark=20200207-healthybitesforlife.com/31mawe&tpl=example&engkey=bar+chart+click+event",
"last_http_response_code": 404,
"last_http_response_content_length": 204,
"last_http_response_content_sha256": "58df637d178e35690516bda9e41e245db836170f046041fdebeedd20eca61d9d",
"last_http_response_headers": {
"connection": "keep-alive",
"content-length": "204",
"content-type": "text/html; charset=iso-8859-1",
"date": "Fri, 11 Sep 2020 19:51:50 GMT",
"keep-alive": "timeout=60",
"server": "nginx"
},
"last_modification_date": 1599853921,
"last_submission_date": 1599853405,
"reputation": 0,
"tags": [
"ip"
],
"targeted_brand": {},
"threat_names": [
"Mal/HTMLGen-A"
],
"times_submitted": 3,
"title": "404 Not Found",
"total_votes": {
"harmless": 0,
"malicious": 0
},
"trackers": {},
"url": "http://203.0.113.1/input/?mark=20200207-healthybitesforlife.com/31mawe&tpl=example&engkey=bar+chart+click+event"
},
"id": "05ef858c49887ce761de6b24bafb0461175acea385e3f4e8b114b043b7013981",
"links": {
"self": "https://www.virustotal.com/api/v3/urls/05ef858c49887ce761de6b24bafb0461175acea385e3f4e8b114b043b7013981"
},
"type": "url",
"report_link": "{generated report link}",
"widget_url": "https: //www.virustotal.com/ui/widget/html/fHx8fHsiYmQxIjogIiM0ZDYzODUiLCAiYmcxIjogIiMzMTNkNWEiLCAiYmcyIjogIiMyMjJjNDIiLCAiZmcxIjogIiNmZmZmZmYiLCAidHlwZSI6ICJkZWZhdWx0In18fHx8bm90LWZvdW5kfHwxNjQ0NTczMjkwfHw"
"widget_html"
}
}
}
Case wall
| Result type | Value/Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution:
If enriched some IOCs (is_success = true): "Successfully enriched the following IOCs using VirusTotal:\n".format(iocs) If didn't enrich some IOCs (is_success = true): "No information found for the following IOCs using VirusTotal:\n".format(iocs) If didn't enrich any IOCs (is_success = false): "No information about IOCs were found.". The action should fail and stop a playbook execution: If fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Enrich OC". Reason: {0}''.format(error.Stacktrace) |
General |
| Case Wall Table | Table Name: {IOC identifier} Table Columns:
|
General |
| Links | Name: Report Link Value: {report link} |
General |
Add Vote To Entity
Add a vote to entities in VirusTotal. Supported entities: File Hash, URL, Hostname, IP Address.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Vote | DDL | Malicious Possible values:
|
Yes | Specify the vote that should be added to entities. |
Run on
This action runs on the following entities:
- File Hash
- URL
- Hostname
- IP Address
Action results
Script result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON result
{
"Status": "Done or Not done" for every entity
}
Case wall
| Result type | Value/Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If the action is successful for one entity or the 409 status code is reported (is_success = true): "Successfully added votes to the following entities in VirusTotal: {entity.identifier}" If the action wasn't successful for one entity (is_success = true): "Action wasn't able to add votes to the following entities in VirusTotal: {entity.identifier}" If the action wasn't successful for all (is_success = false): "No votes were added to the provided entities in VirusTotal." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Add Vote To Entity". Reason: {0}''.format(error.Stacktrace) |
General |
Add Comment To Entity
Add a comment to entities in VirusTotal. Supported entities: File Hash, URL, Hostname, IP Address.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Comment | String | N/A | Yes | Specify the comment that should be added to entities. |
Run on
This action runs on the following entities:
- File Hash
- URL
- Hostname
- IP Address
Action results
Script result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON result
{
"Status": "Done or Not done" for every entity
}
Case wall
| Result type | Value/Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If the action is successful for one entity (is_success = true): "Successfully added comments to the following entities in VirusTotal: {entity.identifier}" If the action wasn't successful for one entity (is_success = true): "Action wasn't able to add comments to the following entities in VirusTotal: {entity.identifier}" If the action wasn't successful for all (is_success = false): "No comments were added to the provided entities in VirusTotal." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Add Comment To Entity". Reason: {0}''.format(error.Stacktrace) |
General |
Connectors
For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.
VirusTotal - Livehunt Connector
Pull information about Livehunt notifications and related files from VirusTotal.
Connector parameters
Use the following parameters to configure the connector:
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Product Field Name | String | Product Name | Yes | Enter the source field name in order to retrieve the Product Field name. |
| Event Field Name | String | type | Yes | Enter the source field name in order to retrieve the Event Field name. |
| Environment Field Name | String | "" | No | Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment. |
| Environment Regex Pattern | String | .* | No | A regex pattern to run on the value found in the "Environment Field Name" field. Default is .* to catch all and return the value unchanged. Used to allow the user to manipulate the environment field via regex logic. If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
| PythonProcessTimeout | Integer | 180 | Yes | Timeout limit for the python process running the current script. |
| API Key | String | N/A | Yes | API Key of the VirusTotal instance. |
| Engine Whitelist | CSV | N/A | No | Specify a comma-separated list of engines that should be used, when counting the "Engine Percentage Threshold To Fetch" parameter. Example: AlienVault,Kaspersky. Note: If nothing is provided, all engines from the response are counted. |
| Engine Percentage Threshold To Fetch | Integer | 0 | Yes | The percentage of engines that need to mark the file as suspicious or malicious before it's being ingested. Maximum value: 100 Minimum: 0 |
| Max Hours Backwards | Integer | 1 | No | The number of hours for which notifications should be fetched. |
| Max Notifications To Fetch | Integer | 40 | No | The number of notifications to process per one connector iteration. |
| Use dynamic list as a blocklist | Checkbox | Unchecked | Yes | If enabled, a dynamic list is used as a blocklist. |
| Verify SSL | Checkbox | Checked | Yes | If enabled, verifies that the SSL certificate for the connection to the VirusTotal server is valid. |
| Proxy Server Address | String | N/A | No | The address of the proxy server to use. |
| Proxy Username | String | N/A | No | The proxy username to authenticate with. |
| Proxy Password | Password | N/A | No | The proxy password to authenticate with. |
Connector rules
The connector supports proxies.