Incoming feed - VirusTotal Provider#

Note

This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Create and configure incoming feeds.


Specifications

Transport type

VirusTotal Provider

Content type

VirusTotal V2 JSON

Ingested data

Retrieves file hashes matching the incoming feed search query input string.

Processed data

Indicators with related observables (hashes). Default maliciousness confidence level for ingested observables: low.

Description

Retrieve and process information on malicious file samples.

Configure the incoming feed#

  1. Create or edit an incoming feed.

  2. From the Transport type drop-down menu, select VirusTotal Provider.

  3. From the Content type drop-down menu, select VirusTotal V2 JSON.

  4. The API URL field is automatically filled in with the default domain for the endpoint.
    You can add a proxy or set up ports according to your needs.
    Default value: https://www.virustotal.com/vtapi/v2/file/search.

  5. In the API key field, enter your VirusTotal API key.
    Sign up to the VirusTotal community to automatically be assigned a personal API key to access the VirusTotal API.
    If necessary, contact the intelligence provider to subscribe to the service and to obtain this information, along with any required authentication and authorization credentials.

  6. In the User query field, you can specify a search query using a wide variety of search modifiers, including file size, file type, first or last submission date to VirusTotal, number of positives, binary content, file name, and so on.
    See the VirusTotal official documentation for a complete list of allowed search query modifiers.

    • Search modifiers are key:value pairs in the format: ${key}:${value}

    • You can concatenate multiple modifiers by separating key:value pairs with a space.

    • Example: type:pdf submitter:CN metadata:microsoft positives:30

  7. Click the Start ingesting from field, and use the drop-down calendar to select an initial date and, where available, an initial time to fetch content from the intelligence provider/data source starting from a specific date in the past.

  8. To store your changes, click Save. To discard them, click Cancel.