Enricher - VirusTotal APIv2#
Note
This article describes how to configure a particular enrichment source. To see how to configure enrichers in general, see Configure enrichers.
Caution
The VirusTotal APIv2 Enricher has been designated as End of Life on 2021-08-11.
It will continue to be available for download, and is eligible for support until End of Support Life (EOSL) on 2022-02-11. EOSL products receive critical fixes and security updates, but no further improvements.
| Specifications | |
|---|---|
| Enricher name | VirusTotal Enricher |
| Supported observable types | |
| Output | See Results |
| API endpoints | |
| Description | Uses the VirusTotal APIv2 to retrieve results from VirusTotal. |
Requirements#
Configure the enricher parameters#
Before using the enricher, configure it to add your VirusTotal credentials:
Go to Data configuration > Enrichers.
Select the enricher from the displayed list.
Edit the enricher by selecting from the top right More > Edit.
In the Edit enricher task view, fill out these fields:
Note
Required fields are marked with an asterisk (*).
| Field | Description |
|---|---|
| API URL* | By default, this is set to https://www.virustotal.com/vtapi/v2/. |
| API Key* | Set this to your VirusTotal API key. Treat it as a credential: it is sent with every request to VirusTotal and should not be shared outside the platform. |
| Low confidence infection rate (max)* | Default: 33. Enter a numeric value between 0 and 99. This value must always be lower than the High confidence infection rate. It sets the upper threshold for low-confidence flagging: after the sample analysis completes, enriched observables with a detection ratio lower than this value are flagged Malicious – Low confidence. |
| High confidence infection rate (min)* | Default: 66. Enter a numeric value between 0 and 99. This value must always be higher than the Low confidence infection rate. It sets the lower threshold for high-confidence flagging: after the sample analysis completes, enriched observables with a detection ratio higher than this value are flagged Malicious – High confidence. |
Select Save to store your changes.
Confidence infection rate#
VirusTotal positives / VirusTotal engines = confidence infection rate
To calculate the confidence infection rate, the platform divides the number of positives (engines that reported the sample as infected or malicious) by the total number of engines VirusTotal used for the analysis, and compares the resulting percentage with the two configured thresholds.
Enriched observables with a detection ratio between the Low confidence infection rate (max), the lower limit of the range, and the High confidence infection rate (min), the upper limit of the range, are flagged as Malicious – Medium confidence.
The Low confidence infection rate (max) must always be lower than the High confidence infection rate (min); otherwise the medium-confidence range is empty or inverted and the flags become meaningless.
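The following is an added worked example, not code from the platform or from VirusTotal, that reproduces the classification described above in Python. It validates the two thresholds (range 0 to 99, low below high), computes the detection ratio as a percentage from the `positives` and `total` counts of an APIv2-style report, and maps it to the three flags. The sample report is constructed for the example; a detection ratio exactly equal to either threshold is treated as medium confidence here, which is an assumption, since the page only defines strict "lower than" and "higher than" comparisons.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample shaped like a VirusTotal APIv2 report (not a real response).
# response_code 1 means the resource was found and analysed.
SAMPLE_REPORT = json.dumps({
    "response_code": 1,
    "resource": "44d88612fea8a8f36de82e1278abb02f",
    "positives": 41,   # engines flagging the sample as malicious
    "total": 70,       # engines that scanned the sample
})

LOW = "Malicious - Low confidence"
MEDIUM = "Malicious - Medium confidence"
HIGH = "Malicious - High confidence"


@dataclass(frozen=True)
class Thresholds:
    """Mirrors the two enricher parameters; both are percentages."""
    low_max: int = 33    # "Low confidence infection rate (max)"
    high_min: int = 66   # "High confidence infection rate (min)"

    def __post_init__(self) -> None:
        for name, value in (("low_max", self.low_max), ("high_min", self.high_min)):
            if not 0 <= value <= 99:
                raise ValueError(f"{name} must be between 0 and 99, got {value}")
        # The low threshold must always be lower than the high one, or the
        # medium range collapses and the flags stop meaning anything.
        if self.low_max >= self.high_min:
            raise ValueError(
                f"low_max ({self.low_max}) must be lower than high_min ({self.high_min})"
            )


def infection_rate(positives: int, total: int) -> float:
    """positives / engines, expressed as a percentage (0.0 to 100.0)."""
    if total <= 0:
        raise ValueError("report lists no engines; cannot compute a ratio")
    if not 0 <= positives <= total:
        raise ValueError(f"positives ({positives}) outside 0..{total}")
    return 100.0 * positives / total


def classify(rate: float, thresholds: Thresholds = Thresholds()) -> str:
    """Map a detection ratio (percent) to the platform's confidence flag."""
    if rate < thresholds.low_max:
        return LOW
    if rate > thresholds.high_min:
        return HIGH
    # Between the thresholds; equality with either bound lands here (assumption).
    return MEDIUM


def classify_report(raw_json: str, thresholds: Thresholds = Thresholds()) -> Optional[str]:
    """Parse an APIv2-style report and return its flag, or None if no analysis exists."""
    report = json.loads(raw_json)
    if report.get("response_code") != 1:
        return None  # resource unknown or still queued: nothing to flag
    rate = infection_rate(int(report["positives"]), int(report["total"]))
    return classify(rate, thresholds)


if __name__ == "__main__":
    print(round(infection_rate(41, 70), 2), classify_report(SAMPLE_REPORT))
```

With the defaults, the constructed report (41 of 70 engines, about 58.6 %) lands in the medium band. Note that a report with zero positives still produces a ratio of 0 and therefore falls under the page's "lower than the low threshold" rule; anyone reimplementing this logic should decide explicitly whether a clean result should be flagged at all.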
Results#
| Enriched observable type | Endpoint | Result |
|---|---|---|
| | | Produces an Indicator entity named “Indicator of domain: <enriched_domain>” based on the VirusTotal domain scan report, with the following enrichment results: |
| | | Produces an Indicator entity named “Indicator of ipv4: <enriched_ipv4>” based on the VirusTotal IP address scan report, with the following enrichment results: |
| | | Produces an Indicator entity named “Indicator of uri: <enriched_uri>” based on the VirusTotal URL scan report, with the following enrichment results: |
| | | Produces multiple TTP entities based on the VirusTotal file scan report, with the following enrichment results: |