Incoming feed - VirusTotal Provider

Configure the incoming feed

1. Create or edit an incoming feed.

2. From the Transport type drop-down menu, select VirusTotal Provider.

3. From the Content type drop-down menu, select VirusTotal V2 JSON.

4. The API URL field is automatically filled in with the default domain for the endpoint.
   You can add a proxy or set up ports according to your needs.
   Default value: https://www.virustotal.com/vtapi/v2/file/search.

5. In the API key field, enter your VirusTotal API key.
   Sign up to the VirusTotal community to automatically be assigned a personal API key to access the VirusTotal API.
   If necessary, contact the intelligence provider to subscribe to the service and to obtain this information, along with any required authentication and authorization credentials.

6. In the User query field, you can specify a search query using a wide variety of search modifiers, including file size, file type, first or last submission date to VirusTotal, number of positives, binary content, file name, and so on.
   See the VirusTotal official documentation for a complete list of allowed search query modifiers.

   • Search modifiers are key:value pairs in the format: ${key}:${value}

   • You can concatenate multiple modifiers by separating key:value pairs with a space.

   • Example: type:pdf submitter:CN metadata:microsoft positives:30

7. Click the Start ingesting from field, and use the drop-down calendar to select an initial date and, where available, an initial time to fetch content from the intelligence provider/data source starting from a specific date in the past.

8. To store your changes, click Save; to discard them, click Cancel.

See also

• Configure the general options

• Set a schedule

• About TLP overrides

• Set half-life values

• Start and stop incoming feeds

• Purge incoming feeds

• Delete incoming feeds

• List of incoming feeds