Virus Total 4.2.2
  • 28 Mar 2023
  • 2 Minutes to read
  • Dark
    Light
  • PDF

Virus Total 4.2.2

  • Dark
    Light
  • PDF

Article summary

tags: python | Anti-Virus Aggregator | VirusTotal Enterprise API


Description

Integration with VirusTotal supports CDC users by providing enrichments for IP address, URL, domain, hash (MD5/SHA/SHA256), and files - to ascertain if they are identified as malicious or have been associated with any malicious activity reported using VirusTotal services. This enables CDC users to make informed decisions regarding incident response.

VirusTotal is an online service that analyzes suspicious IP addresses, files, and URLs to detect malware and malicious content using antivirus engines and website scanners. It can also be used as a means to detect false positives.

Virus Total offers for every object - i.e., files, URLs, domains, IP addresses, etc. - additional related information in the form of relationship information. We have enabled access to such supporting relationship information such as comments, referrer files, downloaded files, resolutions, related comments, and URLs - via the CDC Chat command.

We use custom adaptive cards to display large amounts of threat data in a meaningful and intuitive GUI, to facilitate the easy understanding of complex enriched data regarding the parameters provided by users.

Integration Type:Threat Intelligence Enrichment
Information read:Vulnerability data from Qualys Vulnerability Management tool for a given IP address.
API Supported:API V2.0
Input:IP address details in CLI, Selection of network if required.
Output:Detailed PDF report containing vulnerability data for a given IP and network details in input.

Customer Configuration

No customer configuration


CDC Command Lines

* **enrich_domain_cli**
Get information from VirusTotal about a certain domain.

OptionTypeDescriptionRequired
metadataobjectcommand metadataFalse
domainstringA single domain to look up if it is a threat.True

* **enrich_file_hash_cli**
Get information from VirusTotal about a certain file hash.

OptionTypeDescriptionRequired
metadataobjectCommand metadata.False
file_hashstringA single file hash to look up if it is a threat (MD5, SHA1, SHA256).True

* **enrich_ip_cli**
Get information from VirusTotal about a certain IP.

OptionTypeDescriptionRequired
metadataobjectcommand metadataFalse
ipstringA single IP to look up if it is a threat.True

* **enrich_url_cli**
Get information from VirusTotal about a certain URL.

OptionTypeDescriptionRequired
metadataobjectcommand metadataFalse
urlstringA single URL to look up if it is a threat.True

* **get_ip_address_investigation_enrichment_cli**
The CLI of the CDC, to pull IP address relationship details from VirusTotal. It contains an IP address as mandatory, and relationships as optional parameters. You can enter one relationship, or comma-separated multiple relationships. If no details are provided, all relationships will be shown. The relationships values are as [comments,related_comments,downloaded_files,referrer_files,resolutions,urls]

OptionTypeDescriptionRequired
metadataobjectCommand metadata.False
ipstringA single IP against which various relationship details will get pulled.True
relationshipsstringComma-separated relationship value details.False

* **re_analyse_file_hash_cli**
Get re-analyzed information from VirusTotal about a certain file hash.

OptionTypeDescriptionRequired
metadataobjectCommand metadata.False
file_hashstringA single file hash to look up if it is a threat (MD5, SHA1, SHA256).True

Workflows

No workflows


Rules

No rules


Sensors

No sensors


Triggers

No triggers


Known Issues

  • Time taken by re-analyse API to return re-analyzed results for some file hashes is more than 300 seconds. Delay is kept configurable for "/virus_total re_analyse_file_hash_cli --file_hash=[file_hash]* --delay=[delay]", and can be configured using "virus_total_re_analyse_delay" datastore key.

Was this article helpful?