Enricher - VirusTotal APIv3

This article describes how to configure a particular enrichment source. To see how to configure enrichers in general, see Configure enrichers.


Specifications

Enricher name

VirusTotal Enricher

Supported observable types

  • hash-md5

  • hash-sha1

  • hash-sha256

Output

See Individual enrichers.

API endpoints

See Individual enrichers.

Description

Uses the VirusTotal APIv3 to retrieve, for file hashes, domains, IPv4 addresses and URLs, the related objects VirusTotal knows about (other hashes, parent and child files, contacted and embedded infrastructure, DNS records, certificates, and so on) and turns them into related observables.

Requirements

The enrichers can technically work with a Public API key, but are likely to fail: the number of requests they make exceeds the Public API limit of 4 requests per minute, and because failed requests count against the quota as well, a run can quickly exhaust the 500 requests-per-day limit even if every request fails. Use a key with a higher quota. Note that an enricher listed with several endpoints makes one request per endpoint for each enriched observable.
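The quota arithmetic above is easy to get wrong in practice, so here is an added example, not part of the extension or of VirusTotal's own client, of a small guard that enforces the Public API windows locally and counts a request before it is sent, since a failed lookup costs the same quota as a successful one. The transport, clock and sleep callables, the enricher names used as dictionary keys, and the one-request-per-listed-endpoint assumption are the author's own for illustration.

```python
"""Quota guard for VirusTotal APIv3 lookups.

Added example; this is not the extension's code nor VirusTotal's client.
The Public API limits quoted above (4 requests per minute, 500 per day)
are also consumed by requests that fail, so the guard counts a request
before sending it and keeps its own sliding windows instead of relying
on the server's 429 answers. `transport`, `clock` and `sleep` are
injectable callables (assumed interface) so the logic runs offline.
"""
from collections import deque
import time

PUBLIC_PER_MINUTE = 4
PUBLIC_PER_DAY = 500

# Assumption: one request per endpoint listed for an enricher on this page,
# per enriched observable, ignoring result pagination. Unlisted names = 1.
REQUESTS_PER_ENRICHER = {
    "File Hash (In the Wild Infrastructure)": 3,
    "File Hash (Contacted Infrastructure)": 3,
    "File Hash (Embedded Infrastructure)": 3,
    "URL (Contacted Infrastructure)": 2,
}


class QuotaExceeded(RuntimeError):
    """Daily budget already spent, or VirusTotal answered HTTP 429."""


class QuotaGuard:
    def __init__(self, per_minute=PUBLIC_PER_MINUTE, per_day=PUBLIC_PER_DAY,
                 clock=time.monotonic):
        self.per_minute = per_minute
        self.per_day = per_day
        self.clock = clock
        self._minute = deque()  # send times inside the last 60 s
        self._day = deque()     # send times inside the last 24 h

    def _prune(self, now):
        while self._minute and now - self._minute[0] >= 60:
            self._minute.popleft()
        while self._day and now - self._day[0] >= 86400:
            self._day.popleft()

    def delay_before_next(self):
        """Seconds to wait so the next request fits the per-minute window.
        Raises QuotaExceeded when the daily budget is already spent."""
        now = self.clock()
        self._prune(now)
        if len(self._day) >= self.per_day:
            raise QuotaExceeded("daily quota of %d requests spent" % self.per_day)
        if len(self._minute) >= self.per_minute:
            return 60.0 - (now - self._minute[0])
        return 0.0

    def record(self):
        now = self.clock()
        self._minute.append(now)
        self._day.append(now)


def throttled_get(guard, transport, url, sleep=time.sleep):
    """Issue one GET via transport(url) -> (status, body) inside the quota.
    The request is recorded before it goes out: a 404 for an unknown hash
    costs exactly as much quota as a hit."""
    delay = guard.delay_before_next()
    if delay > 0:
        sleep(delay)
    guard.record()
    status, body = transport(url)
    if status == 429:
        raise QuotaExceeded("VirusTotal returned 429 for %s" % url)
    return status, body


def planned_requests(enricher_names, observable_count):
    """Requests a run will spend; check this against the daily budget
    before pointing a Public API key at a large observable set."""
    per_observable = sum(REQUESTS_PER_ENRICHER.get(n, 1) for n in enricher_names)
    return per_observable * observable_count


def fits_public_quota(enricher_names, observable_count):
    return planned_requests(enricher_names, observable_count) <= PUBLIC_PER_DAY
```

The guard records the request before the transport runs, which is the behaviour that matters for the Public API: a batch of hashes VirusTotal has never seen returns 404 for every one of them and still burns the daily budget.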

Configure the enricher parameters

Before using the enrichers, configure them to add your VirusTotal credentials:

  1. Go to Data configuration > Enrichers.

  2. Select the enricher from the displayed list.

  3. Edit the enricher by selecting from the top right More > Edit.

  4. In the Edit enricher task view, fill out these fields:

    Required fields are marked with an asterisk (*).

    Source reliability*: Set a reliability rating (based on Admiralty System reliability ratings) for entities and observables produced by this enricher.

    API URL*: Set by default. See Individual enrichers.

    API Key*: Set this to your VirusTotal API key.

  5. Select Save to store your changes.

Individual enrichers

This section describes the individual enrichers provided by the VirusTotal extension:

Enrichers

VirusTotal APIv3 File Hash (Related) Enricher

  • Default API URL: https://www.virustotal.com/api/v3/files/

  • Endpoint: https://www.virustotal.com/api/v3/files/{enriched_observable}

  • Supported observables:

    • hash-md5

    • hash-sha1

    • hash-sha256

Enriches file hashes. This enricher retrieves from VirusTotal the file object for the enriched hash and produces the other hashes VirusTotal holds for that same file as related observables, of the following file hash types (where available):

  • hash-md5

  • hash-sha1

  • hash-sha256

  • hash-vhash

  • hash-ssdeep

  • hash-rich-pe-header

  • hash-authentihash
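As an added example (not the extension's code), the following shows how the file object returned by the /files/{hash} endpoint is turned into the related hash observables listed above. It assumes the VirusTotal v3 file-object attribute names (md5, sha1, sha256, vhash, ssdeep, authentihash, pe_info.rich_pe_header_hash) and uses a constructed response. The one check it adds that the list above does not spell out is skipping the enriched hash itself, so that enriching a SHA-256 does not relate the observable to a copy of itself.

```python
"""Hash family of a VirusTotal file object.

Added example, not the enricher's own code. Given the JSON that
GET /api/v3/files/{hash} returns, it emits the related hash observables
described above, skipping the enriched hash itself so an observable is
never related to itself. Attribute names follow the VirusTotal v3 file
object (md5, sha1, sha256, vhash, ssdeep, authentihash and
pe_info.rich_pe_header_hash); the sample response is constructed here
from a made-up byte string, not captured from VirusTotal.
"""
import hashlib

# observable type -> path of the value inside data.attributes
HASH_FIELDS = {
    "hash-md5": ("md5",),
    "hash-sha1": ("sha1",),
    "hash-sha256": ("sha256",),
    "hash-vhash": ("vhash",),
    "hash-ssdeep": ("ssdeep",),
    "hash-rich-pe-header": ("pe_info", "rich_pe_header_hash"),
    "hash-authentihash": ("authentihash",),
}
# hex digests compare case-insensitively; vhash and ssdeep are not hex
HEX_TYPES = {"hash-md5", "hash-sha1", "hash-sha256",
             "hash-rich-pe-header", "hash-authentihash"}


def _dig(mapping, path):
    for key in path:
        if not isinstance(mapping, dict) or key not in mapping:
            return None
        mapping = mapping[key]
    return mapping


def related_hashes(enriched_type, enriched_value, file_response):
    """Return [(type, value)] for each hash present in the file object,
    minus the enriched hash. Missing attributes (no authentihash for a
    non-PE file, for instance) are skipped: that is "where available"."""
    attrs = file_response.get("data", {}).get("attributes", {})
    if enriched_type in HEX_TYPES:
        enriched_value = enriched_value.lower()
    out = []
    for obs_type, path in HASH_FIELDS.items():
        value = _dig(attrs, path)
        if not value:
            continue
        if obs_type in HEX_TYPES:
            value = value.lower()
        if (obs_type, value) != (enriched_type, enriched_value):
            out.append((obs_type, value))
    return out


# Constructed sample: real digests of a made-up buffer, fake vhash/ssdeep.
SAMPLE_BYTES = b"MZ constructed sample, not a real executable\n"
SAMPLE_MD5 = hashlib.md5(SAMPLE_BYTES).hexdigest()
SAMPLE_SHA1 = hashlib.sha1(SAMPLE_BYTES).hexdigest()
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_BYTES).hexdigest()
SAMPLE_RESPONSE = {
    "data": {
        "type": "file",
        "id": SAMPLE_SHA256,  # VirusTotal's file id is the SHA-256
        "attributes": {
            "md5": SAMPLE_MD5,
            "sha1": SAMPLE_SHA1,
            "sha256": SAMPLE_SHA256,
            "vhash": "constructed-vhash",
            "ssdeep": "3:constructedValue:ssdeep",
            "pe_info": {"rich_pe_header_hash": "0" * 32},
            # no authentihash: exercises the "where available" path
        },
    }
}

if __name__ == "__main__":
    for obs_type, value in related_hashes("hash-sha256", SAMPLE_SHA256.upper(),
                                          SAMPLE_RESPONSE):
        print(obs_type, value)
```

Whichever of the three supported hash types is enriched, the same file object comes back, so the function only needs to know which entry to leave out; lower-casing hex digests before the comparison keeps an upper-case SHA-256 pasted from a report from slipping past that check.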

VirusTotal APIv3 File Hash (Compressed Parents) Enricher

  • Default API URL: https://www.virustotal.com/api/v3/files/

  • Endpoint: https://www.virustotal.com/api/v3/files/{enriched_observable}/relationship/compressed_parents

  • Supported observables:

    • hash-md5

    • hash-sha1

    • hash-sha256

Enriches a file hash. This enricher retrieves from VirusTotal the hashes of the compressed packages (archives) that contain the file identified by the enriched hash.

This produces related observables for the enriched file hash, of the following file hash types (where available), and relates each of them to the enriched observable:

  • hash-md5

  • hash-sha1

  • hash-sha256

  • hash-vhash

  • hash-ssdeep

  • hash-rich-pe-header

  • hash-authentihash

VirusTotal APIv3 File Hash (Executable Parents) Enricher

  • Default API URL: https://www.virustotal.com/api/v3/files/

  • Endpoint: https://www.virustotal.com/api/v3/files/{enriched_observable}/relationship/execution_parents

  • Supported observables:

    • hash-md5

    • hash-sha1

    • hash-sha256

Enriches a file hash. This enricher retrieves from VirusTotal the hashes of all files that are known to execute the file identified by the enriched hash.

This produces related observables for the enriched file hash, of the following file hash types (where available), and relates each of them to the enriched observable:

  • hash-md5

  • hash-sha1

  • hash-sha256

  • hash-vhash

  • hash-ssdeep

  • hash-rich-pe-header

  • hash-authentihash

VirusTotal APIv3 File Hash (In the Wild Infrastructure) Enricher

  • Default API URL: https://www.virustotal.com/api/v3/files/

  • Endpoints:

    • https://www.virustotal.com/api/v3/files/{enriched_observable}/relationship/itw_domains

    • https://www.virustotal.com/api/v3/files/{enriched_observable}/relationship/itw_ips

    • https://www.virustotal.com/api/v3/files/{enriched_observable}/relationship/itw_urls

  • Supported observables:

    • hash-md5

    • hash-sha1

    • hash-sha256

Enriches a file hash. This enricher retrieves from VirusTotal a list of “In the Wild”:

  • domains

  • IPv4 addresses

  • URLs

that the file has been downloaded from, and:

  1. creates new domain, ipv4, and uri observables

  2. relates them to the enriched observable

VirusTotal APIv3 File Hash (Contacted Infrastructure) Enricher

  • Default API URL: https://www.virustotal.com/api/v3/files/

  • Endpoints:

    • https://www.virustotal.com/api/v3/files/{enriched_observable}/relationship/contacted_domains

    • https://www.virustotal.com/api/v3/files/{enriched_observable}/relationship/contacted_ips

    • https://www.virustotal.com/api/v3/files/{enriched_observable}/relationship/contacted_urls

  • Supported observables:

    • hash-md5

    • hash-sha1

    • hash-sha256

Enriches a file hash. This enricher retrieves from VirusTotal a list of:

  • domains

  • IPv4 addresses

  • URLs

that the file is known to contact, and:

  1. creates new domain, ipv4, and uri observables

  2. relates them to the enriched observable

VirusTotal APIv3 File Hash (Similar Files) Enricher

  • Default API URL: https://www.virustotal.com/api/v3/files/

  • Endpoints:

    • https://www.virustotal.com/api/v3/files/{enriched_observable}/relationship/similar_files

  • Supported observables:

    • hash-md5

    • hash-sha1

    • hash-sha256

Enriches a file hash. This enricher retrieves from VirusTotal a list of files similar to the file identified by the enriched hash, and:

  1. creates new hash-sha256 observables from these file objects

  2. relates them to the enriched observable

VirusTotal APIv3 File Hash (Bundled Files) Enricher

  • Default API URL: https://www.virustotal.com/api/v3/files/

  • Endpoints:

    • https://www.virustotal.com/api/v3/files/{enriched_observable}/relationship/bundled_files

  • Supported observables:

    • hash-md5

    • hash-sha1

    • hash-sha256

Enriches a file hash. This enricher retrieves from VirusTotal a list of files that are known to be bundled inside the enriched file.

It then:

  1. creates new hash-sha256 observables from these file objects

  2. relates them to the enriched observable

VirusTotal APIv3 File Hash (Dropped Files) Enricher

  • Default API URL: https://www.virustotal.com/api/v3/files/

  • Endpoints:

    • https://www.virustotal.com/api/v3/files/{enriched_observable}/relationship/dropped_files

  • Supported observables:

    • hash-md5

    • hash-sha1

    • hash-sha256

Enriches a file hash. This enricher retrieves from VirusTotal a list of files that are known to be written to disk (dropped) by the enriched file when it executes.

It then:

  1. creates new hash-sha256 observables from these file objects

  2. relates them to the enriched observable

VirusTotal APIv3 File Hash (Email Attachments) Enricher

  • Default API URL: https://www.virustotal.com/api/v3/files/

  • Endpoints:

    • https://www.virustotal.com/api/v3/files/{enriched_observable}/relationship/email_attachments

  • Supported observables:

    • hash-md5

    • hash-sha1

    • hash-sha256

Enriches a file hash. If the enriched hash identifies an email file known to VirusTotal, this enricher retrieves the list of files that are known attachments of that email.

It then:

  1. creates new hash-sha256 observables from these file objects

  2. relates them to the enriched observable

VirusTotal APIv3 File Hash (Email Parents) Enricher

  • Default API URL: https://www.virustotal.com/api/v3/files/

  • Endpoints:

    • https://www.virustotal.com/api/v3/files/{enriched_observable}/relationship/email_parents

  • Supported observables:

    • hash-md5

    • hash-sha1

    • hash-sha256

Enriches a file hash. This enricher retrieves a list of all known email files that contain the enriched file as an attachment.

It then:

  1. creates new hash-sha256 observables from these file objects

  2. relates them to the enriched observable

VirusTotal APIv3 File Hash (Embedded Infrastructure) Enricher

  • Default API URL: https://www.virustotal.com/api/v3/files/

  • Endpoints:

    • https://www.virustotal.com/api/v3/files/{enriched_observable}/relationship/embedded_domains

    • https://www.virustotal.com/api/v3/files/{enriched_observable}/relationship/embedded_ips

    • https://www.virustotal.com/api/v3/files/{enriched_observable}/relationship/embedded_urls

  • Supported observables:

    • hash-md5

    • hash-sha1

    • hash-sha256

Enriches a file hash. This enricher retrieves from VirusTotal lists of all:

  • domain names

  • IPv4 addresses

  • URLs

that are known to be embedded in the file identified by the enriched hash.

It then:

  1. creates new domain, ipv4, and uri observables from these objects

  2. relates them to the enriched observable

VirusTotal APIv3 File Names Enricher

  • Default API URL: https://www.virustotal.com/api/v3/files/

  • Endpoints:

    • https://www.virustotal.com/api/v3/files/{enriched_observable}

  • Supported observables:

    • hash-md5

    • hash-sha1

    • hash-sha256

Enriches a file hash. This enricher retrieves a list of known file names that the enriched hash is associated with, and:

  1. creates new file observables from these file names

  2. relates them to the enriched observable

VirusTotal APIv3 URL (Communicating Files) Enricher

  • Default API URL: https://www.virustotal.com/api/v3/urls/

  • Endpoints:

    • https://www.virustotal.com/api/v3/urls/{url_id}/relationship/communicating_files

  • Supported observables:

    • uri

Enriches a URI. This enricher retrieves from VirusTotal a list of files known to communicate with that URI when they are executed. In the URL endpoints, {url_id} is the VirusTotal identifier of the enriched URI: the URL-safe base64 encoding of the URL with the trailing "=" padding removed (VirusTotal also accepts the SHA-256 of the URL). The enricher:

  1. creates new hash-sha256 observables from the retrieved list of files

  2. relates them to the enriched observable

VirusTotal APIv3 URL (Contacted Infrastructure) Enricher

  • Default API URL: https://www.virustotal.com/api/v3/urls/

  • Endpoints:

    • https://www.virustotal.com/api/v3/urls/{url_id}/relationship/contacted_domains

    • https://www.virustotal.com/api/v3/urls/{url_id}/relationship/contacted_ips

  • Supported observables:

    • uri

Enriches a URI. This enricher retrieves from VirusTotal the list of domains and IP addresses from which the enriched URI loads resources.

From this list, the enricher:

  1. creates new domain and ipv4 observables

  2. relates them to the enriched observable

VirusTotal APIv3 URL (Downloaded Files) Enricher

  • Default API URL: https://www.virustotal.com/api/v3/urls/

  • Endpoints:

    • https://www.virustotal.com/api/v3/urls/{url_id}/relationship/downloaded_files

  • Supported observables:

    • uri

Enriches a URI. This enricher retrieves from VirusTotal a list of files that have been downloaded from the enriched URI.

From this list, the enricher:

  1. creates new hash-sha256 observables

  2. relates them to the enriched observable

VirusTotal APIv3 Domain (Communicating Files) Enricher

  • Default API URL: https://www.virustotal.com/api/v3/domains/

  • Endpoints:

    • https://www.virustotal.com/api/v3/domains/{enriched_observable}/relationship/communicating_files

  • Supported observables:

    • domain

Enriches a domain. This enricher retrieves from VirusTotal a list of hashes of files that have sent network traffic to, or received it from, the enriched domain.

From this list, the enricher:

  1. creates new hash-sha256 observables

  2. relates them to the enriched observable

VirusTotal APIv3 Domain (Downloaded Files) Enricher

  • Default API URL: https://www.virustotal.com/api/v3/domains/

  • Endpoints:

    • https://www.virustotal.com/api/v3/domains/{enriched_observable}/relationship/downloaded_files

  • Supported observables:

    • domain

Enriches a domain. This enricher retrieves from VirusTotal a list of hashes of files that are available for download at URLs under the enriched domain.

From this list, the enricher:

  1. creates new hash-sha256 observables

  2. relates them to the enriched observable

VirusTotal APIv3 Domain (Historical SSL Certificates) Enricher

  • Default API URL: https://www.virustotal.com/api/v3/domains/

  • Endpoints:

    • https://www.virustotal.com/api/v3/domains/{enriched_observable}/historical_ssl_certificates

  • Supported observables:

    • domain

Enriches a domain. This enricher retrieves from VirusTotal a list of SSL certificate objects that have been associated with the enriched domain at some point in time.

These SSL certificate objects are ingested as their SHA-1 and SHA-256 hashes (certificate thumbprints).

From this list, the enricher:

  1. creates new hash-sha256 and hash-sha1 observables

  2. relates them to the enriched observable

VirusTotal APIv3 Domain (Related URLs) Enricher

  • Default API URL: https://www.virustotal.com/api/v3/domains/

  • Endpoints:

    • https://www.virustotal.com/api/v3/domains/{enriched_observable}/urls

  • Supported observables:

    • domain

Enriches a domain. This enricher retrieves from VirusTotal a list of known URLs under the enriched domain.

From this list, the enricher:

  1. creates new uri observables

  2. relates them to the enriched observable

VirusTotal APIv3 Domain (Resolutions) Enricher

  • Default API URL: https://www.virustotal.com/api/v3/domains/

  • Endpoints:

    • https://www.virustotal.com/api/v3/domains/{enriched_observable}/resolutions

  • Supported observables:

    • domain

Enriches a domain. This enricher retrieves from VirusTotal a list of past and current IPv4 addresses that the enriched domain resolves to.

From this list, the enricher:

  1. creates new ipv4 observables

  2. relates them to the enriched observable

VirusTotal APIv3 Domain (MX Records) Enricher

  • Default API URL: https://www.virustotal.com/api/v3/domains/

  • Endpoints:

    • https://www.virustotal.com/api/v3/domains/{enriched_observable}/relationship/mx_records

  • Supported observables:

    • domain

Enriches a domain. This enricher retrieves from VirusTotal a list of all MX records associated with the enriched domain.

From this list, the enricher:

  1. creates new domain observables

  2. relates them to the enriched observable

VirusTotal APIv3 Domain (NS Records) Enricher

  • Default API URL: https://www.virustotal.com/api/v3/domains/

  • Endpoints:

    • https://www.virustotal.com/api/v3/domains/{enriched_observable}/relationship/ns_records

  • Supported observables:

    • domain

Enriches a domain. This enricher retrieves from VirusTotal a list of all NS records associated with the enriched domain.

From this list, the enricher:

  1. creates new domain observables

  2. relates them to the enriched observable

VirusTotal APIv3 Domain (Referrer Files) Enricher

  • Default API URL: https://www.virustotal.com/api/v3/domains/

  • Endpoints:

    • https://www.virustotal.com/api/v3/domains/{enriched_observable}/relationship/referrer_files

  • Supported observables:

    • domain

Enriches a domain. This enricher retrieves from VirusTotal a list of files that contain a string representation of the enriched domain.

From this list, the enricher:

  1. creates new hash-sha256 observables

  2. relates them to the enriched observable

VirusTotal APIv3 Domain (SOA Records) Enricher

  • Default API URL: https://www.virustotal.com/api/v3/domains/

  • Endpoints:

    • https://www.virustotal.com/api/v3/domains/{enriched_observable}/relationship/soa_records

  • Supported observables:

    • domain

Enriches a domain. This enricher retrieves from VirusTotal a list of all SOA records associated with the enriched domain.

From this list, the enricher:

  1. creates new domain observables

  2. relates them to the enriched observable

VirusTotal APIv3 Domain (Subdomains) Enricher

  • Default API URL: https://www.virustotal.com/api/v3/domains/

  • Endpoints:

    • https://www.virustotal.com/api/v3/domains/{enriched_observable}/relationship/subdomains

  • Supported observables:

    • domain

Enriches a domain. This enricher retrieves from VirusTotal a list of all direct subdomains for the enriched domain.

It does not retrieve subdomains recursively. Enriching example.com retrieves subdomain.example.com but not subdomain.subdomain.example.com.

From this list, the enricher:

  1. creates new domain observables

  2. relates them to the enriched observable

VirusTotal APIv3 IP Address (Communicating Files) Enricher

  • Default API URL: https://www.virustotal.com/api/v3/ip_addresses/

  • Endpoints:

    • https://www.virustotal.com/api/v3/ip_addresses/{enriched_observable}/relationship/communicating_files

  • Supported observables:

    • ipv4

Enriches an IP address. This enricher retrieves from VirusTotal a list of files that have sent any traffic to the enriched IP address at some point in time.

From this list, the enricher:

  1. creates new hash-sha256 observables

  2. relates them to the enriched observable

VirusTotal APIv3 IP Address (Downloaded Files) Enricher

  • Default API URL: https://www.virustotal.com/api/v3/ip_addresses/

  • Endpoints:

    • https://www.virustotal.com/api/v3/ip_addresses/{enriched_observable}/relationship/downloaded_files

  • Supported observables:

    • ipv4

Enriches an IP address. This enricher retrieves from VirusTotal a list of files that were available for download from URLs served by the enriched IP address at some point in time.

From this list, the enricher:

  1. creates new hash-sha256 observables

  2. relates them to the enriched observable

VirusTotal APIv3 IP Address (Historical SSL Certificates) Enricher

  • Default API URL: https://www.virustotal.com/api/v3/ip_addresses/

  • Endpoints:

    • https://www.virustotal.com/api/v3/ip_addresses/{enriched_observable}/relationship/historical_ssl_certificates

  • Supported observables:

    • ipv4

Enriches an IP address. This enricher retrieves from VirusTotal a list of SSL certificate objects that have been associated with the enriched IP address at some point in time.

These SSL certificate objects are ingested as their SHA-1 and SHA-256 hashes (certificate thumbprints).

From this list, the enricher:

  1. creates new hash-sha256 and hash-sha1 observables

  2. relates them to the enriched observable

VirusTotal APIv3 IP Address (Referrer Files) Enricher

  • Default API URL: https://www.virustotal.com/api/v3/ip_addresses/

  • Endpoints:

    • https://www.virustotal.com/api/v3/ip_addresses/{enriched_observable}/relationship/referrer_files

  • Supported observables:

    • ipv4

Enriches an IP address. This enricher retrieves from VirusTotal a list of files that contain a string representation of the enriched IP address.

From this list, the enricher:

  1. creates new hash-sha256 observables

  2. relates them to the enriched observable

VirusTotal APIv3 IP Address (Resolutions) Enricher

  • Default API URL: https://www.virustotal.com/api/v3/ip_addresses/

  • Endpoints:

    • https://www.virustotal.com/api/v3/ip_addresses/{enriched_observable}/resolutions

  • Supported observables:

    • ipv4

Enriches an IP address. This enricher retrieves from VirusTotal a list of past and present domain names that have resolved to the enriched IP address.

From this list, the enricher:

  1. creates new domain observables

  2. relates them to the enriched observable

VirusTotal APIv3 IP Address (Related URLs) Enricher

  • Default API URL: https://www.virustotal.com/api/v3/ip_addresses/

  • Endpoints:

    • https://www.virustotal.com/api/v3/ip_addresses/{enriched_observable}/urls

  • Supported observables:

    • ipv4

Enriches an IP address. This enricher retrieves from VirusTotal a list of URLs associated with the enriched IP address.

From this list, the enricher:

  1. creates new uri observables

  2. relates them to the enriched observable

VirusTotal APIv3 URL (Embedded JS Files) Enricher

  • Default API URL: https://www.virustotal.com/api/v3/urls/

  • Endpoints:

    • https://www.virustotal.com/api/v3/urls/{url_id}/relationship/embedded_js_files

  • Supported observables:

    • uri

Enriches a URL. This enricher retrieves from VirusTotal a list of JavaScript files found in the response served by the enriched URL.

From this list, the enricher:

  1. creates new hash-sha256 observables

  2. relates them to the enriched observable

VirusTotal APIv3 URL (Last Serving IP Address) Enricher

  • Default API URL: https://www.virustotal.com/api/v3/urls/

  • Endpoints:

    • https://www.virustotal.com/api/v3/urls/{url_id}/relationship/last_serving_ip_address

  • Supported observables:

    • uri

Enriches a URL. This enricher retrieves from VirusTotal the last IPv4 address known to have served the enriched URL.

From this, the enricher:

  1. creates a new ipv4 observable

  2. relates them to the enriched observable

VirusTotal APIv3 URL (Redirecting URLs) Enricher

  • Default API URL: https://www.virustotal.com/api/v3/urls/

  • Endpoints:

    • https://www.virustotal.com/api/v3/urls/{url_id}/relationship/redirecting_urls

  • Supported observables:

    • uri

Enriches a URL. This enricher retrieves from VirusTotal a list of known URLs that redirect to the enriched URL.

From this list, the enricher:

  1. creates new uri observables

  2. relates them to the enriched observable

VirusTotal APIv3 URL (Referrer Files) Enricher

  • Default API URL: https://www.virustotal.com/api/v3/urls/

  • Endpoints:

    • https://www.virustotal.com/api/v3/urls/{url_id}/relationship/referrer_files

  • Supported observables:

    • uri

Enriches a URL. This enricher retrieves from VirusTotal a list of files known to contain the enriched URL.

From this list, the enricher:

  1. creates new hash-sha256 observables

  2. relates them to the enriched observable

VirusTotal APIv3 URL (Referrer URLs) Enricher

  • Default API URL: https://www.virustotal.com/api/v3/urls/

  • Endpoints:

    • https://www.virustotal.com/api/v3/urls/{url_id}/relationship/referrer_urls

  • Supported observables:

    • uri

Enriches a URL. This enricher retrieves from VirusTotal a list of URLs that are known to refer to the enriched URL.

From this list, the enricher:

  1. creates new uri observables

  2. relates them to the enriched observable
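The listings in this section show the endpoint shapes and the observable types each enricher produces, but not how the path segment is built for a URL, how returned objects map to observable types, or that VirusTotal pages relationship results. The following added example (not the extension's code) covers those three points for the relationship enrichers above, from the file-hash ones through the domain, IP address and URL ones. The {url_id} encoding is VirusTotal's documented URL identifier; the resolution (host_name, ip_address) and ssl_cert (thumbprint, thumbprint_sha256) attribute names are the v3 object attributes as the author of this example knows them and are marked as assumptions in the code; the path shape follows this page; the sample pages are constructed.

```python
"""Endpoint construction and relationship parsing for the enrichers above.

Added example; not the extension's own code. It shows (1) how
{enriched_observable} and {url_id} become a path segment (a hash, domain
or IPv4 address is used verbatim; a URL is first turned into a VirusTotal
URL identifier, the URL-safe base64 of the URL with "=" padding stripped),
(2) how objects returned by a relationship endpoint map to the observable
types listed under each enricher, and (3) that results are paged, so
links.next must be followed until absent. Assumed attribute names:
resolution.host_name / ip_address, ssl_cert.thumbprint / thumbprint_sha256.
Sample pages below are constructed, not captured from VirusTotal.
"""
import base64

API_BASE = "https://www.virustotal.com/api/v3"

# observable type -> collection segment of the endpoint path
COLLECTION = {
    "hash-md5": "files", "hash-sha1": "files", "hash-sha256": "files",
    "domain": "domains", "ipv4": "ip_addresses", "uri": "urls",
}


def url_id(url):
    """VirusTotal URL identifier: URL-safe base64 without '=' padding."""
    return base64.urlsafe_b64encode(url.encode("utf-8")).decode("ascii").rstrip("=")


def endpoint(obs_type, value, relationship=None):
    """Build the endpoint as this page lists it, e.g.
    .../files/{hash}/relationship/contacted_domains."""
    segment = url_id(value) if obs_type == "uri" else value
    url = "%s/%s/%s" % (API_BASE, COLLECTION[obs_type], segment)
    if relationship is None:
        return url
    return "%s/relationship/%s" % (url, relationship)


def observables_from(obj):
    """Map one returned object to [(observable type, value)]."""
    kind = obj.get("type")
    attrs = obj.get("attributes", {})
    if kind == "file":            # a file object's id is its SHA-256
        return [("hash-sha256", obj["id"])]
    if kind == "domain":
        return [("domain", obj["id"])]
    if kind == "ip_address":
        return [("ipv4", obj["id"])]
    if kind == "url":             # id is opaque; the URL itself is an attribute
        return [("uri", attrs["url"])] if "url" in attrs else []
    if kind == "resolution":      # carries both ends of the name/address pair
        return [("domain", attrs["host_name"]), ("ipv4", attrs["ip_address"])]
    if kind == "ssl_cert":        # ingested as SHA-1 and SHA-256 thumbprints
        out = []
        if attrs.get("thumbprint"):
            out.append(("hash-sha1", attrs["thumbprint"].lower()))
        if attrs.get("thumbprint_sha256"):
            out.append(("hash-sha256", attrs["thumbprint_sha256"].lower()))
        return out
    return []                     # unknown type: ignore rather than mis-type it


def collect_related(enriched, fetch, first_url):
    """Follow links.next until exhausted; fetch(url) -> parsed JSON dict.
    Returns the set of (type, value) to relate to `enriched`, minus the
    enriched observable itself (a resolution contains both ends)."""
    related, url = set(), first_url
    while url:
        page = fetch(url)
        for obj in page.get("data", []):
            related.update(observables_from(obj))
        url = page.get("links", {}).get("next")
    related.discard(enriched)
    return related


# Constructed two-page answer for .../domains/example.com/resolutions,
# keyed by URL so that SAMPLE_PAGES.__getitem__ can stand in for HTTP.
FIRST_PAGE = endpoint("domain", "example.com") + "/resolutions"
SAMPLE_PAGES = {
    FIRST_PAGE: {
        "data": [{"type": "resolution", "id": "192.0.2.10example.com",
                  "attributes": {"host_name": "example.com",
                                 "ip_address": "192.0.2.10"}}],
        "links": {"next": FIRST_PAGE + "?cursor=constructed"},
    },
    FIRST_PAGE + "?cursor=constructed": {
        "data": [{"type": "resolution", "id": "192.0.2.11example.com",
                  "attributes": {"host_name": "example.com",
                                 "ip_address": "192.0.2.11"}}],
        "links": {},
    },
}

if __name__ == "__main__":
    print(sorted(collect_related(("domain", "example.com"),
                                 SAMPLE_PAGES.__getitem__, FIRST_PAGE)))
```

Two details are worth keeping in mind when wiring this into a real fetch layer: a URL object's id is the opaque identifier, so the uri observable has to come from attributes.url rather than from the id, and a relationship page that stops at the first response silently drops everything past VirusTotal's default page size, which for a busy domain's resolutions or a sinkhole's communicating files is most of the data.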