Enricher - VirusTotal APIv2

This article describes how to configure a particular enrichment source. To see how to configure enrichers in general, see Configure enrichers.

The VirustTotal APIv2 Enricher has been designated as End of Life on 2021-08-11.

It will continue to be available for download, and is eligible for support until End of Support Life (EOSL) on 2022-02-11. EOSL products receive critical fixes and security updates, but no further improvements.

Specifications

Enricher name

VirusTotal Enricher

Supported observable types

  • domain

  • ipv4

  • uri

  • hash-md5

  • hash-sha1

  • hash-sha256

Output

See Results

API endpoints

  • https://www.virustotal.com/vtapi/v2/files/report

  • https://www.virustotal.com/vtapi/v2/domain/report

  • https://www.virustotal.com/vtapi/v2/url/report

  • https://www.virustotal.com/vtapi/v2/ip-address/report

Description

Uses the VirusTotal APIv2 to retrieve results from VirusTotal.

Requirements

Configure the enricher parameters

Before using the enricher, configure it to add your VirusTotal credentials:

  1. Open an enricher from the Enrichers view.

  2. In the Edit enricher task view, fill out these fields:

    Required fields are marked with an asterisk (*).

    Field

    Description

    API URL*

    By default, this is set to https://www.virustotal.com/vtapi/v2/.

    API Key*

    Set this to your VirusTotal API key.

    Low confidence infection rate (max)*

    Default: 33

    Enter a numeric value between 0 and 99.

    This value must always be lower than the High confidence infection rate.

    Set an upper threshold to automatically flag enriched observables with a low confidence value.

    After completing the sample analysis, enriched observables with a lower detection ratio than the specified value are flagged with Malicious – Low confidence.

    High confidence infection rate (min)*

    Default: 66

    Enter a numeric value between 0 and 99.

    This value must always be higher than the High confidence infection rate.

    Set a bottom threshold to automatically flag enriched observables with high confidence value.

    After completing the sample analysis, enriched observables with a higher detection ratio than the specified value are flagged with Malicious – High confidence.

  3. Select Save to store your changes.

Confidence infection rate

  • VirusTotal positives / VirusTotal engines = confidence infection rate

    To calculate the confidence infection rate value, the platform divides the number of positives — that is, infected or malicious results — the VirusTotal sample analysis returns by the total number of engines VirusTotal uses to perform the analysis.

  • Enriched observables with a detection ratio falling in the range between Max low confidence infection rate (range lower limit) and Min high confidence infection rate (range upper limit) are flagged as Malicious – Medium confidence.

  • The Max low confidence infection rate value should always be lower than the Min high confidence infection rate value.

Results

Enriched observable type

Endpoint

Result

  • domain

  • https://www.virustotal.com/vtapi/v2/domain/report

Produces an Indicator entity named “Indicator of domain: <enriched_domain>” based on the VirusTotal domain scan report, with the following enrichment results:

  • Indicators

  • Enrichment observables related to the indicators (for example: IP address, hash values)

  • Relationships from the indicator(s) to the related enrichment observables.

  • ipv4

  • https://www.virustotal.com/vtapi/v2/ip-address/report

Produces an Indicator entity named “Indicator of ipv4: <enriched_ipv4>” based on the VirusTotal ip address scan report, with the following enrichment results:

  • Indicators (for example: URI, hash values)

  • Enrichment observables related to the indicators (for example: ASN, country name)

  • Relationships from the indicator(s) to the related enrichment observables.

  • uri

https://www.virustotal.com/vtapi/v2/url/report

Produces an Indicator entity named “Indicator of uri: <enriched_uri>” based on the VirusTotal ip address scan report, with the following enrichment results:

  • Indicators (for example: country, IP address, URL after redirect)

  • Enrichment observables related to the indicator(s)

  • Relationships from the indicator(s) to the related enrichment observables.

  • hash-md5

  • hash-sha1

  • hash-sha256

https://www.virustotal.com/vtapi/v2/file/report

Produces multiple TTP entities based on the VirusTotal file scan report, with the following enrichment results:

  • Report with VirusTotal file scan results

  • TTP (malware variant)

  • Indicators (for example: host name, DNS)

  • Enrichment observables related to the indicators (for example: open ports, HTTP and TCP protocols)

  • Relationships from the indicator(s) to the main malware variant TTP, and from the file scan report to the malware variant TTP.