Enricher - VirusTotal APIv3#
Note
This article describes how to configure a particular enrichment source. To see how to configure enrichers in general, see Configure enrichers.
Specifications |
---|---
Enricher name | VirusTotal Enricher
Supported observable types | hash-md5, hash-sha1, hash-sha256, domain, ipv4, uri (see Individual enrichers)
Output | Observables of the types listed under each enricher (file hashes, domain, ipv4, uri, file), related to the enriched observable
API endpoints | See Individual enrichers.
Description | Uses the VirusTotal APIv3 to retrieve results from VirusTotal.
Requirements#
Caution
The enrichers can technically work with Public API access, but are likely to fail because the number of API requests made exceeds the 4 requests-per-minute limit for Public API keys, and may quickly exhaust your 500 requests-per-day limit even if the requests fail.
Configure the enricher parameters#
Before using the enrichers, configure them to add your VirusTotal credentials:
1. Select the enricher from the displayed list.
2. Edit the enricher by selecting More > Edit from the top right.
3. In the Edit enricher task view, fill out these fields:
Note
Required fields are marked with an asterisk (*).
Field | Description
---|---
Source reliability* | Set a reliability rating (based on Admiralty System reliability ratings) for entities and observables produced by this enricher.
API URL* | Set by default. See Individual enrichers.
API Key* | Set this to your VirusTotal API key.
4. Select Save to store your changes.
Individual enrichers#
This section describes the individual enrichers provided by the VirusTotal extension:
VirusTotal APIv3 File Hash (Compressed Parents) Enricher#
Note
Requires VirusTotal Premium API.
Default API URL:
https://www.virustotal.com/api/v3/files/
Endpoint:
https://www.virustotal.com/api/v3/files/{enriched_observable}/relationship/compressed_parents
Supported observables:
hash-md5
hash-sha1
hash-sha256
Enriches a file hash. This enricher retrieves from VirusTotal the file hashes of compressed packages that contain the file represented by the enriched hash.
This produces related observables for the enriched file hash, of the following file hash types (where available):
hash-md5
hash-sha1
hash-sha256
hash-vhash
hash-ssdeep
hash-rich-pe-header
hash-authentihash
and relates them to the enriched observable.
VirusTotal APIv3 File Hash (Executable Parents) Enricher#
Note
Requires VirusTotal Premium API.
Default API URL:
https://www.virustotal.com/api/v3/files/
Endpoint:
https://www.virustotal.com/api/v3/files/{enriched_observable}/relationship/execution_parents
Supported observables:
hash-md5
hash-sha1
hash-sha256
Enriches a file hash. This enricher retrieves from VirusTotal the file hashes of all files that are known to execute the file represented by the enriched file hash.
This produces related observables for the enriched file hash, of the following file hash types (where available):
hash-md5
hash-sha1
hash-sha256
hash-vhash
hash-ssdeep
hash-rich-pe-header
hash-authentihash
and relates them to the enriched observable.
VirusTotal APIv3 File Hash (In the Wild Infrastructure) Enricher#
Note
Requires VirusTotal Premium API.
Default API URL:
https://www.virustotal.com/api/v3/files/
Endpoints:
https://www.virustotal.com/api/v3/files/{enriched_observable}/relationship/itw_domains
https://www.virustotal.com/api/v3/files/{enriched_observable}/relationship/itw_ips
https://www.virustotal.com/api/v3/files/{enriched_observable}/relationship/itw_urls
Supported observables:
hash-md5
hash-sha1
hash-sha256
Enriches a file hash. This enricher retrieves from VirusTotal a list of “In the Wild”:
domains
IPv4 addresses
URLs
that the file has been downloaded from, and:
creates new domain, ipv4, and uri observables
relates them to the enriched observable
VirusTotal APIv3 File Hash (Contacted Infrastructure) Enricher#
Default API URL:
https://www.virustotal.com/api/v3/files/
Endpoints:
https://www.virustotal.com/api/v3/files/{enriched_observable}/relationship/contacted_domains
https://www.virustotal.com/api/v3/files/{enriched_observable}/relationship/contacted_ips
https://www.virustotal.com/api/v3/files/{enriched_observable}/relationship/contacted_urls
Supported observables:
hash-md5
hash-sha1
hash-sha256
Enriches a file hash. This enricher retrieves from VirusTotal a list of:
domains
IPv4 addresses
URLs
that the file is known to contact, and:
creates new domain, ipv4, and uri observables
relates them to the enriched observable
VirusTotal APIv3 File Hash (Similar Files) Enricher#
Note
Requires VirusTotal Premium API.
Default API URL:
https://www.virustotal.com/api/v3/files/
Endpoints:
https://www.virustotal.com/api/v3/files/{enriched_observable}/relationship/similar_files
Supported observables:
hash-md5
hash-sha1
hash-sha256
Enriches a file hash. This enricher retrieves from VirusTotal a list of files similar to the enriched value, and:
creates new hash-sha256 observables from these file objects
relates them to the enriched observable
VirusTotal APIv3 File Hash (Bundled Files) Enricher#
Default API URL:
https://www.virustotal.com/api/v3/files/
Endpoints:
https://www.virustotal.com/api/v3/files/{enriched_observable}/relationship/bundled_files
Supported observables:
hash-md5
hash-sha1
hash-sha256
Enriches a file hash. This enricher retrieves from VirusTotal a list of files that are known to be bundled inside the enriched file.
It then:
creates new hash-sha256 observables from these file objects
relates them to the enriched observable
VirusTotal APIv3 File Hash (Dropped Files) Enricher#
Default API URL:
https://www.virustotal.com/api/v3/files/
Endpoints:
https://www.virustotal.com/api/v3/files/{enriched_observable}/relationship/dropped_files
Supported observables:
hash-md5
hash-sha1
hash-sha256
Enriches a file hash. This enricher retrieves from VirusTotal a list of files that are known to be written to disk (dropped) by the enriched file when it executes.
It then:
creates new hash-sha256 observables from these file objects
relates them to the enriched observable
VirusTotal APIv3 File Hash (Email Attachments) Enricher#
Note
Requires VirusTotal Premium API.
Default API URL:
https://www.virustotal.com/api/v3/files/
Endpoints:
https://www.virustotal.com/api/v3/files/{enriched_observable}/relationship/email_attachments
Supported observables:
hash-md5
hash-sha1
hash-sha256
Enriches a file hash. This enricher attempts to match it to known email files, and retrieves a list of files that are known attachments for that email file.
It then:
creates new hash-sha256 observables from these file objects
relates them to the enriched observable
VirusTotal APIv3 File Hash (Email Parents) Enricher#
Note
Requires VirusTotal Premium API.
Default API URL:
https://www.virustotal.com/api/v3/files/
Endpoints:
https://www.virustotal.com/api/v3/files/{enriched_observable}/relationship/email_parents
Supported observables:
hash-md5
hash-sha1
hash-sha256
Enriches a file hash. This enricher retrieves a list of all known email files that contain the enriched file as an attachment.
It then:
creates new hash-sha256 observables from these file objects
relates them to the enriched observable
VirusTotal APIv3 File Hash (Embedded Infrastructure) Enricher#
Note
Requires VirusTotal Premium API.
Default API URL:
https://www.virustotal.com/api/v3/files/
Endpoints:
https://www.virustotal.com/api/v3/files/{enriched_observable}/relationship/embedded_domains
https://www.virustotal.com/api/v3/files/{enriched_observable}/relationship/embedded_ips
https://www.virustotal.com/api/v3/files/{enriched_observable}/relationship/embedded_urls
Supported observables:
hash-md5
hash-sha1
hash-sha256
When a file hash is enriched with this enricher, it retrieves lists of all:
domain names
IPv4 addresses
URLs
that are known to be embedded in the enriched file.
It then:
creates new domain, ipv4, and uri observables from these objects
relates them to the enriched observable
VirusTotal APIv3 File Names Enricher#
Default API URL:
https://www.virustotal.com/api/v3/files/
Endpoints:
https://www.virustotal.com/api/v3/files/{enriched_observable}
Supported observables:
hash-md5
hash-sha1
hash-sha256
Enriches a file hash. This enricher retrieves a list of known file names that the enriched hash is associated with, and:
creates new file observables from these file names
relates them to the enriched observable
VirusTotal APIv3 URL (Communicating Files) Enricher#
Note
Requires VirusTotal Premium API.
Default API URL:
https://www.virustotal.com/api/v3/url/
Endpoints:
https://www.virustotal.com/api/v3/url/{url_id}/relationship/communicating_files
Supported observables:
uri
Enriches a URI. This enricher retrieves from VirusTotal a list of files known to communicate with that URI when they are executed. It:
creates new hash-sha256 observables from the retrieved list of files
relates them to the enriched observable
VirusTotal APIv3 URL (Contacted Infrastructure) Enricher#
Note
Requires VirusTotal Premium API.
Default API URL:
https://www.virustotal.com/api/v3/url/
Endpoints:
https://www.virustotal.com/api/v3/url/{url_id}/relationship/contacted_domains
https://www.virustotal.com/api/v3/url/{url_id}/relationship/contacted_ips
Supported observables:
uri
Enriches a URI. This enricher retrieves from VirusTotal a list of contacted domains and IP addresses from which the enriched URI loads resources.
From this list, the enricher:
creates new domain and ipv4 observables
relates them to the enriched observable
VirusTotal APIv3 URL (Downloaded Files) Enricher#
Note
Requires VirusTotal Premium API.
Default API URL:
https://www.virustotal.com/api/v3/url/
Endpoints:
https://www.virustotal.com/api/v3/url/{url_id}/relationship/downloaded_files
Supported observables:
uri
Enriches a URI. This enricher retrieves from VirusTotal a list of files that have been downloaded from the enriched URI.
From this list, the enricher:
creates new hash-sha256 observables
relates them to the enriched observable
VirusTotal APIv3 Domain (Communicating Files) Enricher#
Default API URL:
https://www.virustotal.com/api/v3/domains/
Endpoints:
https://www.virustotal.com/api/v3/domains/{enriched_observable}/relationship/communicating_files
Supported observables:
domain
Enriches a domain. This enricher retrieves from VirusTotal a list of hashes of files that have sent or received network traffic from the enriched domain.
From this list, the enricher:
creates new hash-sha256 observables
relates them to the enriched observable
VirusTotal APIv3 Domain (Downloaded Files) Enricher#
Note
Requires VirusTotal Premium API.
Default API URL:
https://www.virustotal.com/api/v3/domains/
Endpoints:
https://www.virustotal.com/api/v3/domains/{enriched_observable}/relationship/communicating_files
Supported observables:
domain
Enriches a domain. This enricher retrieves from VirusTotal a list of hashes of files that are available for download at URLs under the enriched domain.
From this list, the enricher:
creates new hash-sha256 observables
relates them to the enriched observable
VirusTotal APIv3 Domain (Historical SSL Certificates) Enricher#
Default API URL:
https://www.virustotal.com/api/v3/domains/
Endpoints:
https://www.virustotal.com/api/v3/domains/{enriched_observable}/historical_ssl_certificates
Supported observables:
domain
Enriches a domain. This enricher retrieves from VirusTotal a list of hashes of SSL certificates associated with the enriched domain at some point in time.
These SSL certificate objects are ingested as SHA-1 and SHA-256 hashes.
From this list, the enricher:
creates new hash-sha256 and hash-sha1 observables
relates them to the enriched observable
VirusTotal APIv3 Domain (Resolutions) Enricher#
Default API URL:
https://www.virustotal.com/api/v3/domains/
Endpoints:
https://www.virustotal.com/api/v3/domains/{enriched_observable}/resolutions
Supported observables:
domain
Enriches a domain. This enricher retrieves from VirusTotal a list of past and current IPv4 addresses that the enriched domain resolves to.
From this list, the enricher:
creates new ipv4 observables
relates them to the enriched observable
VirusTotal APIv3 Domain (MX Records) Enricher#
Note
Requires VirusTotal Premium API.
Default API URL:
https://www.virustotal.com/api/v3/domains/
Endpoints:
https://www.virustotal.com/api/v3/domains/{enriched_observable}/relationship/mx_records
Supported observables:
domain
Enriches a domain. This enricher retrieves from VirusTotal a list of all MX records associated with the enriched domain.
From this list, the enricher:
creates new domain observables
relates them to the enriched observable
VirusTotal APIv3 Domain (NS Records) Enricher#
Note
Requires VirusTotal Premium API.
Default API URL:
https://www.virustotal.com/api/v3/domains/
Endpoints:
https://www.virustotal.com/api/v3/domains/{enriched_observable}/relationship/ns_records
Supported observables:
domain
Enriches a domain. This enricher retrieves from VirusTotal a list of all NS records associated with the enriched domain.
From this list, the enricher:
creates new domain observables
relates them to the enriched observable
VirusTotal APIv3 Domain (Referrer Files) Enricher#
Default API URL:
https://www.virustotal.com/api/v3/domains/
Endpoints:
https://www.virustotal.com/api/v3/domains/{enriched_observable}/relationship/referrer_files
Supported observables:
domain
Enriches a domain. This enricher retrieves from VirusTotal a list of files that contain a string representation of the enriched domain.
From this list, the enricher:
creates new hash-sha256 observables
relates them to the enriched observable
VirusTotal APIv3 Domain (SOA Records) Enricher#
Note
Requires VirusTotal Premium API.
Default API URL:
https://www.virustotal.com/api/v3/domains/
Endpoints:
https://www.virustotal.com/api/v3/domains/{enriched_observable}/relationship/soa_records
Supported observables:
domain
Enriches a domain. This enricher retrieves from VirusTotal a list of all SOA records associated with the enriched domain.
From this list, the enricher:
creates new domain observables
relates them to the enriched observable
VirusTotal APIv3 Domain (Subdomains) Enricher#
Default API URL:
https://www.virustotal.com/api/v3/domains/
Endpoints:
https://www.virustotal.com/api/v3/domains/{enriched_observable}/relationship/subdomains
Supported observables:
domain
Enriches a domain. This enricher retrieves from VirusTotal a list of all direct subdomains for the enriched domain.
Note
It does not retrieve subdomains recursively. Enriching example.com retrieves subdomain.example.com but not subdomain.subdomain.example.com.
From this list, the enricher:
creates new domain observables
relates them to the enriched observable
VirusTotal APIv3 IP Address (Communicating Files) Enricher#
Default API URL:
https://www.virustotal.com/api/v3/ip_addresses/
Endpoints:
https://www.virustotal.com/api/v3/ip_addresses/{enriched_observable}/relationship/communicating_files
Supported observables:
ipv4
Enriches an IP address. This enricher retrieves from VirusTotal a list of files that have sent traffic to the enriched IP address at some point in time.
From this list, the enricher:
creates new hash-sha256 observables
relates them to the enriched observable
VirusTotal APIv3 IP Address (Downloaded Files) Enricher#
Note
Requires VirusTotal Premium API.
Default API URL:
https://www.virustotal.com/api/v3/ip_addresses/
Endpoints:
https://www.virustotal.com/api/v3/ip_addresses/{enriched_observable}/relationship/downloaded_files
Supported observables:
ipv4
Enriches an IP address. This enricher retrieves from VirusTotal a list of files that were available from URLs under the enriched IP address at some point in time.
From this list, the enricher:
creates new hash-sha256 observables
relates them to the enriched observable
VirusTotal APIv3 IP Address (Historical SSL Certificates) Enricher#
Default API URL:
https://www.virustotal.com/api/v3/ip_addresses/
Endpoints:
https://www.virustotal.com/api/v3/ip_addresses/{enriched_observable}/relationship/historical_ssl_certificates
Supported observables:
ipv4
Enriches an IP address. This enricher retrieves from VirusTotal a list of SSL certificate objects that have been associated with the IP address at some point in time.
These SSL certificate objects are ingested as SHA-1 and SHA-256 hashes.
From this list, the enricher:
creates new hash-sha256 and hash-sha1 observables
relates them to the enriched observable
VirusTotal APIv3 IP Address (Referrer Files) Enricher#
Default API URL:
https://www.virustotal.com/api/v3/ip_addresses/
Endpoints:
https://www.virustotal.com/api/v3/ip_addresses/{enriched_observable}/relationship/referrer_files
Supported observables:
ipv4
Enriches an IP address. This enricher retrieves from VirusTotal a list of files that contain a string representation of the enriched IP address.
From this list, the enricher:
creates new hash-sha256 observables
relates them to the enriched observable
VirusTotal APIv3 IP Address (Resolutions) Enricher#
Default API URL:
https://www.virustotal.com/api/v3/ip_addresses/
Endpoints:
https://www.virustotal.com/api/v3/ip_addresses/{enriched_observable}/resolutions
Supported observables:
ipv4
Enriches an IP address. This enricher retrieves from VirusTotal a list of past and present domain names that have resolved to the enriched IP address.
From this list, the enricher:
creates new domain observables
relates them to the enriched observable
VirusTotal APIv3 URL (Embedded JS Files) Enricher#
Note
Requires VirusTotal Premium API.
Default API URL:
https://www.virustotal.com/api/v3/urls/
Endpoints:
https://www.virustotal.com/api/v3/urls/{enriched_observable}/relationship/embedded_js_files
Supported observables:
uri
Enriches a URL. This enricher retrieves from VirusTotal a list of JS scripts found in the response retrieved from the enriched URL.
From this list, the enricher:
creates new hash-sha256 observables
relates them to the enriched observable
VirusTotal APIv3 URL (Last Serving IP Address) Enricher#
Default API URL:
https://www.virustotal.com/api/v3/urls/
Endpoints:
https://www.virustotal.com/api/v3/urls/{enriched_observable}/relationship/last_serving_ip_address
Supported observables:
uri
Enriches a URL. This enricher retrieves from VirusTotal the last-known IPv4 address that the enriched URL resolves to.
From this, the enricher:
creates a new ipv4 observable
relates it to the enriched observable
VirusTotal APIv3 URL (Redirecting URLs) Enricher#
Note
Requires VirusTotal Premium API.
Default API URL:
https://www.virustotal.com/api/v3/urls/
Endpoints:
https://www.virustotal.com/api/v3/urls/{enriched_observable}/relationship/redirecting_urls
Supported observables:
uri
Enriches a URL. This enricher retrieves from VirusTotal a list of known URLs that redirect to the enriched URL.
From this list, the enricher:
creates new uri observables
relates them to the enriched observable
VirusTotal APIv3 URL (Referrer Files) Enricher#
Note
Requires VirusTotal Premium API.
Default API URL:
https://www.virustotal.com/api/v3/urls/
Endpoints:
https://www.virustotal.com/api/v3/urls/{enriched_observable}/relationship/referrer_files
Supported observables:
uri
Enriches a URL. This enricher retrieves from VirusTotal a list of files known to contain the enriched URL.
From this list, the enricher:
creates new hash-sha256 observables
relates them to the enriched observable
VirusTotal APIv3 URL (Referrer URLs) Enricher#
Note
Requires VirusTotal Premium API.
Default API URL:
https://www.virustotal.com/api/v3/urls/
Endpoints:
https://www.virustotal.com/api/v3/urls/{enriched_observable}/relationship/referrer_urls
Supported observables:
uri
Enriches a URL. This enricher retrieves from VirusTotal a list of URLs that are known to refer to the enriched URL.
From this list, the enricher:
creates new uri observables
relates them to the enriched observable