Virus Total 4.2.2
- 28 Mar 2023
- 2 Minutes to read
- DarkLight
- PDF
Virus Total 4.2.2
- Updated on 28 Mar 2023
- 2 Minutes to read
- DarkLight
- PDF
Article Summary
Share feedback
Thanks for sharing your feedback!
tags: python | Anti-Virus Aggregator | VirusTotal Enterprise API
Description
Integration with VirusTotal supports CDC users by providing enrichments for IP address, URL, domain, hash (MD5/SHA/SHA256), and files - to ascertain if they are identified as malicious or have been associated with any malicious activity reported using VirusTotal services. This enables CDC users to make informed decisions regarding incident response.
VirusTotal is an online service that analyzes suspicious IP addresses, files, and URLs to detect malware and malicious content using antivirus engines and website scanners. It can also be used as a means to detect false positives.
Virus Total offers for every object - i.e., files, URLs, domains, IP addresses, etc. - additional related information in the form of relationship information. We have enabled access to such supporting relationship information such as comments, referrer files, downloaded files, resolutions, related comments, and URLs - via the CDC Chat command.
We use custom adaptive cards to display large amounts of threat data in a meaningful and intuitive GUI, to facilitate the easy understanding of complex enriched data regarding the parameters provided by users.
| Integration Type: | Threat Intelligence Enrichment |
| Information read: | Vulnerability data from Qualys Vulnerability Management tool for a given IP address. |
| API Supported: | API V2.0 |
| Input: | IP address details in CLI, Selection of network if required. |
| Output: | Detailed PDF report containing vulnerability data for a given IP and network details in input. |
Customer Configuration
No customer configuration
CDC Command Lines
* **enrich_domain_cli**
Get information from VirusTotal about a certain domain.
| Option | Type | Description | Required |
|---|---|---|---|
| metadata | object | command metadata | False |
| domain | string | A single domain to look up if it is a threat. | True |
* **enrich_file_hash_cli**
Get information from VirusTotal about a certain file hash.
| Option | Type | Description | Required |
|---|---|---|---|
| metadata | object | Command metadata. | False |
| file_hash | string | A single file hash to look up if it is a threat (MD5, SHA1, SHA256). | True |
* **enrich_ip_cli**
Get information from VirusTotal about a certain IP.
| Option | Type | Description | Required |
|---|---|---|---|
| metadata | object | command metadata | False |
| ip | string | A single IP to look up if it is a threat. | True |
* **enrich_url_cli**
Get information from VirusTotal about a certain URL.
| Option | Type | Description | Required |
|---|---|---|---|
| metadata | object | command metadata | False |
| url | string | A single URL to look up if it is a threat. | True |
* **get_ip_address_investigation_enrichment_cli**
The CLI of the CDC, to pull IP address relationship details from VirusTotal. It contains an IP address as mandatory, and relationships as optional parameters. You can enter one relationship, or comma-separated multiple relationships. If no details are provided, all relationships will be shown. The relationships values are as [comments,related_comments,downloaded_files,referrer_files,resolutions,urls]
| Option | Type | Description | Required |
|---|---|---|---|
| metadata | object | Command metadata. | False |
| ip | string | A single IP against which various relationship details will get pulled. | True |
| relationships | string | Comma-separated relationship value details. | False |
* **re_analyse_file_hash_cli**
Get re-analyzed information from VirusTotal about a certain file hash.
| Option | Type | Description | Required |
|---|---|---|---|
| metadata | object | Command metadata. | False |
| file_hash | string | A single file hash to look up if it is a threat (MD5, SHA1, SHA256). | True |
Workflows
No workflows
Rules
No rules
Sensors
No sensors
Triggers
No triggers
Known Issues
- Time taken by re-analyse API to return re-analyzed results for some file hashes is more than 300 seconds. Delay is kept configurable for "/virus_total re_analyse_file_hash_cli --file_hash=[file_hash]* --delay=[delay]", and can be configured using "virus_total_re_analyse_delay" datastore key.
Was this article helpful?