Virus Total | APIv3 | Hash enricher#

The Hash enricher provides additional intelligence connected to Hash observables.

Observable types#

This Enricher enriches hash-md5, hash-sha1, and hash-sha256 observables.

Endpoints & Outputs#

| Endpoint | Response | Output type |
|---|---|---|
| Compressed parents | File hashes of compressed packages that contain the enriched file hash. | hash-md5, hash-sha1, hash-sha256 |
| Execution parents | All files that are known to execute the file represented by the enriched file hash. | hash-md5, hash-sha1, hash-sha256, hash-vhash, hash-ssdeep, hash-rich-pe-header, hash-authentihash |
| In The Wild (ITW) domains | Domains the enriched file is known to have been downloaded from. | domain |
| In The Wild (ITW) IPs | IPs the enriched file is known to have been downloaded from. | ipv4 |
| In The Wild (ITW) URLs | URIs the enriched file is known to have been downloaded from. | uri |
| Contacted IPs | IPs the enriched file is known to have contacted. | ipv4 |
| Contacted URLs | URIs the enriched file is known to have contacted. | uri |
| Similar files | Files similar to the enriched file. | hash-sha256 |
| Embedded domains | Domains embedded in the enriched file. | domain |
| Embedded IPs | IPs embedded in the enriched file. | ipv4 |
| Embedded URLs | URIs embedded in the enriched file. | uri |
| Bundled files | Files that are known to be bundled inside the enriched file. | hash-sha256 |
| Dropped files | Files that are known to be written to disk (dropped) by the enriched file when it executes. | hash-sha256 |
| Email attachments | Files attached to email files that match the enriched file. | hash-sha256 |
| Email parents | Email files that contain the enriched file as an attachment. | hash-sha256 |
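The mapping in the table is what the enricher does for you; the following script is an added example (not EclecticIQ's or VirusTotal's own code) of the same idea done by hand against the VirusTotal APIv3 file relationship endpoints (`GET /files/{hash}/{relationship}`, authenticated with the `x-apikey` header). It converts one relationship page into the observable types listed above and, because enrichment output is third-party data, validates each value before it becomes an observable. The relationship names (`execution_parents`, `contacted_ips`, ...) are VirusTotal's; the sample responses are constructed, and the hash-rich-pe-header type is not extracted because the page does not name the attribute it comes from.

```python
"""Added example: map a VirusTotal APIv3 file-relationship page to typed observables.
Not EclecticIQ's or VirusTotal's code; sample responses below are constructed."""
import ipaddress
import json
import re
import urllib.request
from typing import Dict, List, Tuple

VT_BASE = "https://www.virustotal.com/api/v3"

# VT file attribute -> observable type (hash-rich-pe-header omitted: attribute not named on the page).
HASH_ATTRIBUTES = {
    "md5": "hash-md5", "sha1": "hash-sha1", "sha256": "hash-sha256",
    "vhash": "hash-vhash", "ssdeep": "hash-ssdeep", "authentihash": "hash-authentihash",
}
ALL_HASHES = tuple(HASH_ATTRIBUTES.values())

# Relationships that return VT file objects -> hash types the table lists for them.
FILE_RELATIONSHIPS = {
    "compressed_parents": ("hash-md5", "hash-sha1", "hash-sha256"),
    "execution_parents": ALL_HASHES,
    "similar_files": ("hash-sha256",), "bundled_files": ("hash-sha256",),
    "dropped_files": ("hash-sha256",), "email_attachments": ("hash-sha256",),
    "email_parents": ("hash-sha256",),
}
# Relationships that return domain / ip_address / url objects -> one observable type each.
SIMPLE_RELATIONSHIPS = {
    "itw_domains": "domain", "embedded_domains": "domain",
    "itw_ips": "ipv4", "contacted_ips": "ipv4", "embedded_ips": "ipv4",
    "itw_urls": "uri", "contacted_urls": "uri", "embedded_urls": "uri",
}
HEX_LEN = {"hash-md5": 32, "hash-sha1": 40, "hash-sha256": 64}


def build_request(file_hash: str, relationship: str, api_key: str, limit: int = 40) -> urllib.request.Request:
    """GET /files/{hash}/{relationship}; the key travels in the x-apikey header, never in the URL."""
    if relationship not in FILE_RELATIONSHIPS and relationship not in SIMPLE_RELATIONSHIPS:
        raise ValueError(f"unsupported relationship: {relationship}")
    if not re.fullmatch(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}", file_hash):
        raise ValueError("file_hash must be an MD5, SHA-1 or SHA-256 hex digest")
    url = f"{VT_BASE}/files/{file_hash}/{relationship}?limit={limit}"
    return urllib.request.Request(url, headers={"x-apikey": api_key, "accept": "application/json"})


def _valid(obs_type: str, value: str) -> bool:
    """Shape-check a value before it is stored as an observable of the given type."""
    if obs_type in HEX_LEN:
        return bool(re.fullmatch(rf"[0-9a-fA-F]{{{HEX_LEN[obs_type]}}}", value))
    if obs_type == "ipv4":
        try:
            return isinstance(ipaddress.ip_address(value), ipaddress.IPv4Address)
        except ValueError:
            return False
    if obs_type == "domain":
        return bool(re.fullmatch(r"[A-Za-z0-9.-]+", value)) and "." in value
    return bool(value)  # uri and the non-hex hash types: require a non-empty string


def observables_from_response(relationship: str, payload: Dict) -> List[Tuple[str, str]]:
    """Turn one relationship page into ordered, deduplicated (observable type, value) pairs."""
    out: List[Tuple[str, str]] = []
    for obj in payload.get("data", []):
        attrs = obj.get("attributes") or {}
        if relationship in FILE_RELATIONSHIPS:
            wanted = FILE_RELATIONSHIPS[relationship]
            values = {t: attrs[a] for a, t in HASH_ATTRIBUTES.items() if attrs.get(a)}
            # Abbreviated file objects carry no attributes; a VT file id is its SHA-256.
            values.setdefault("hash-sha256", obj.get("id", ""))
            candidates = [(t, values[t]) for t in ALL_HASHES if t in wanted and t in values]
        else:
            obs_type = SIMPLE_RELATIONSHIPS[relationship]
            # A url object's id is VT's own identifier; the URL string is in attributes.url.
            value = attrs.get("url", "") if obs_type == "uri" else obj.get("id", "")
            candidates = [(obs_type, value or "")]
        for pair in candidates:
            if _valid(*pair) and pair not in out:
                out.append(pair)
    return out


def fetch_observables(file_hash: str, relationship: str, api_key: str) -> List[Tuple[str, str]]:
    """Live call (needs network): fetch the first page and convert it.
    Further pages are reached through payload["links"]["next"] (VT cursor pagination)."""
    with urllib.request.urlopen(build_request(file_hash, relationship, api_key), timeout=30) as resp:
        return observables_from_response(relationship, json.load(resp))


# Constructed sample pages (not real VT data), shaped like APIv3 relationship responses.
SAMPLE_EXECUTION_PARENTS = {"data": [
    {"type": "file", "id": "a" * 64,
     "attributes": {"md5": "b" * 32, "sha1": "c" * 40, "sha256": "a" * 64, "ssdeep": "3:abc:def"}},
    {"type": "file", "id": "d" * 64},             # abbreviated object: id only
    {"type": "file", "id": "not-a-hash"},         # malformed entry: dropped by validation
]}
SAMPLE_CONTACTED_IPS = {"data": [
    {"type": "ip_address", "id": "203.0.113.10"},
    {"type": "ip_address", "id": "2001:db8::1"},  # IPv6: not an ipv4 observable, skipped
    {"type": "ip_address", "id": "203.0.113.10"}, # duplicate: emitted once
]}
SAMPLE_CONTACTED_URLS = {"data": [
    {"type": "url", "id": "0" * 64, "attributes": {"url": "http://example.com/payload"}},
    {"type": "url", "id": "1" * 64},              # no attributes.url: nothing usable, skipped
]}

if __name__ == "__main__":
    for rel, page in [("execution_parents", SAMPLE_EXECUTION_PARENTS),
                      ("contacted_ips", SAMPLE_CONTACTED_IPS),
                      ("contacted_urls", SAMPLE_CONTACTED_URLS)]:
        print(rel, observables_from_response(rel, page))
```

Two design points carry over to any enricher integration: the hash being looked up is validated before it is placed in a URL path, and every returned value is checked against the type it will be stored as, so a malformed or unexpected object from the upstream service cannot land in the threat intelligence store as a well-formed observable.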

Configure#

Make sure you’ve configured your VT APIv3 key.

Required fields

Fields on the Enricher pane marked with an asterisk (“*”) are required, but may come pre-filled.

  1. Go to Data configuration > Enrichers.

  2. Filter the list by searching for VirusTotal APIv3 Hash enricher.

  3. In the row of the VirusTotal APIv3 Hash enricher, select More > Edit.

  4. For Source reliability, select the source reliability rating that will be applied to the Entities and Observables this enricher produces, if you haven’t configured it yet.

  5. Under API key, enter your VirusTotal API key if you haven’t configured it yet.

  6. Under Include Endpoints, select the Endpoints you’d like the enricher to hit.

  7. (Optional) Change the Description.

  8. (Optional) Change the Cache validity, Rate limit, or Monthly execution cap.

  9. (Optional) Select Create Parent Report or SSL verification and supply a Path to SSL certificate file.

  10. Check the Enabled box to enable the enricher when you’re done configuring it.

  11. Select Save.