VirusTotal v3

Integration version: 29.0

This integration uses version 3 (v3) of the VirusTotal API.

Use cases

Perform enrichment actions.

Configure the VirusTotal v3 integration for use cases

  1. Log in to the VirusTotal portal.
  2. Under your username, click API key.
  3. Copy the API key that is presented there and use it in the integration.

Integrate VirusTotal v3 with Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

API Key: String, default N/A, mandatory
    VirusTotal API key.

Verify SSL: Checkbox, default Checked, mandatory
    If enabled, the integration verifies that the SSL certificate for the connection to the VirusTotal server is valid.

Actions

Ping

Test connectivity to VirusTotal with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Run on

This action doesn't run on entities and has no mandatory input parameters.

Action results

Script result
Script Result Name Value Options Example
is_success True/False is_success:False
Case wall

Output message* (type: General)

The action should not fail nor stop a playbook execution:

If successful: "Successfully connected to the VirusTotal server with the provided connection parameters!"

The action should fail and stop a playbook execution:

If not successful: "Failed to connect to the VirusTotal server! Error is {0}".format(exception.stacktrace)

Enrich IP

Enrich IP using information from VirusTotal.

Parameters

Engine Threshold: Integer, default N/A, mandatory
    Specify the number of engines that should mark the entity as malicious or suspicious for Google Security Operations SOAR to label it as suspicious.
    Note: If the "Engine Whitelist" parameter contains values, the action only counts results from those engines.

Engine Whitelist: CSV, default N/A, optional
    Specify a comma-separated list of engines that should be used to determine whether an entity is malicious or not.
    Example: AlienVault, Kaspersky.
    Note: If nothing is specified in this parameter, the action takes results from every available engine. If an engine doesn't return any information about the entity, it isn't counted for the "Engine Threshold" and "Engine Percentage Threshold" parameters.

Retrieve Comments: Checkbox, default Checked, optional
    If enabled, the action retrieves comments about the entity.

Only Suspicious Entity Insight: Checkbox, default Unchecked, optional
    If enabled, the action only creates an insight for suspicious entities.

Max Comments To Return: Integer, default 10, optional
    Specify the number of comments to return.

Engine Percentage Threshold: Integer, default N/A, optional
    Specify the percentage of engines that should mark the entity as malicious or suspicious for Google Security Operations SOAR to label it as suspicious.
    Note: If the "Engine Whitelist" parameter contains values, the action only counts the percentage from those engines. If both "Engine Threshold" and "Engine Percentage Threshold" are provided, the "Engine Threshold" parameter is used.
    Maximum value: 100. Minimum value: 0.

Create Insight: Checkbox, default Checked, optional
    If enabled, the action creates an insight containing information about the entities.

Fetch Widget: Checkbox, default Checked, optional
    If enabled, the action fetches the augmented widget related to the entity.
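The verdict rules these parameters describe (whitelist filtering, engines with no result not counted, "Engine Threshold" winning over "Engine Percentage Threshold", and the two documented validation errors) are the same for Enrich IP, Enrich URL, Enrich Hash and Get Domain Details. The following is an added illustration of that logic, not the integration's own code; it assumes that a "hit" is an engine whose category is "malicious" or "suspicious", that "timeout" and "type-unsupported" mean the engine returned no information, that thresholds are inclusive, and it runs on a constructed last_analysis_results dict in the shape shown in the JSON result.

```python
"""Worked example of the Engine Threshold / Engine Percentage Threshold /
Engine Whitelist verdict logic. Added illustration, not the integration's
own code; category sets and the inclusive comparison are assumptions."""
from typing import Dict, List, Optional

# Per-engine categories that count as a hit (assumption).
HIT_CATEGORIES = {"malicious", "suspicious"}
# Categories treated as "the engine returned no information" (assumption).
NO_INFO_CATEGORIES = {"timeout", "type-unsupported"}

# Constructed sample in the last_analysis_results shape from the JSON result.
SAMPLE_RESULTS: Dict[str, dict] = {
    "ExampleLabs": {"category": "harmless", "engine_name": "ExampleLabs", "method": "blacklist", "result": "clean"},
    "AlienVault": {"category": "malicious", "engine_name": "AlienVault", "method": "blacklist", "result": "malware"},
    "EngineB": {"category": "malicious", "engine_name": "EngineB", "method": "blacklist", "result": "malicious"},
    "EngineC": {"category": "suspicious", "engine_name": "EngineC", "method": "blacklist", "result": "suspicious"},
    "EngineD": {"category": "harmless", "engine_name": "EngineD", "method": "blacklist", "result": "clean"},
    "EngineE": {"category": "timeout", "engine_name": "EngineE", "method": "blacklist", "result": None},
}


def parse_whitelist(csv_value: Optional[str]) -> List[str]:
    """Turn the CSV parameter value ("AlienVault, Kaspersky") into engine names."""
    if not csv_value:
        return []
    return [name.strip() for name in csv_value.split(",") if name.strip()]


def threshold_error(engine_threshold: Optional[int], percentage_threshold: Optional[int]) -> Optional[str]:
    """Return the documented error reason for invalid thresholds, or None when they are valid."""
    if engine_threshold is None and percentage_threshold is None:
        return 'either "Engine Threshold" or "Engine Percentage Threshold" should be provided'
    if percentage_threshold is not None and (
        isinstance(percentage_threshold, bool)
        or not isinstance(percentage_threshold, int)
        or not 0 <= percentage_threshold <= 100
    ):
        return ('value for the parameter "Engine Percentage Threshold" is invalid. '
                "Please check it. The value should be in range from 0 to 100.")
    return None


def missing_whitelisted_engines(results: Dict[str, dict], whitelist: List[str]) -> List[str]:
    """Whitelisted engines VirusTotal returned no entry for (the extra output message)."""
    return [name for name in whitelist if name not in results]


def counted_engines(results: Dict[str, dict], whitelist: List[str]) -> Dict[str, dict]:
    """Apply the whitelist, then drop engines that returned no information."""
    selected = {name: r for name, r in results.items() if not whitelist or name in whitelist}
    return {name: r for name, r in selected.items() if r.get("category") not in NO_INFO_CATEGORIES}


def is_risky(results: Dict[str, dict], engine_threshold: Optional[int] = None,
             percentage_threshold: Optional[int] = None, whitelist_csv: Optional[str] = None) -> bool:
    """Compute the is_risky flag carried in the action's JSON result."""
    error = threshold_error(engine_threshold, percentage_threshold)
    if error is not None:
        raise ValueError(error)
    counted = counted_engines(results, parse_whitelist(whitelist_csv))
    hits = sum(1 for r in counted.values() if r.get("category") in HIT_CATEGORIES)
    # "Engine Threshold" is used when both parameters are provided.
    if engine_threshold is not None:
        return hits >= engine_threshold
    if not counted:
        return False  # nothing to take a percentage of
    return 100.0 * hits / len(counted) >= percentage_threshold


if __name__ == "__main__":
    print("threshold 3:", is_risky(SAMPLE_RESULTS, engine_threshold=3))
    print("percentage 50:", is_risky(SAMPLE_RESULTS, percentage_threshold=50))
    print("missing:", missing_whitelisted_engines(SAMPLE_RESULTS, parse_whitelist("AlienVault, Kaspersky")))
```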

Run on

This action runs on the IP Address entity.

Action results

Script result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON result
{
    "data": {
        "attributes": {
            "as_owner": "Example",
            "asn": 50673,
            "continent": "EU",
            "country": "NL",
            "last_analysis_results": {
                "EXAMPLELabs": {
                    "category": "harmless",
                    "engine_name": "ExampleLabs",
                    "method": "blacklist",
                    "result": "clean"
                },
                "example.com URL checker": {
                    "category": "harmless",
                    "engine_name": "example.com URL checker",
                    "method": "blacklist",
                    "result": "clean"
                },
                "example": {
                    "category": "harmless",
                    "engine_name": "example",
                    "method": "blacklist",
                    "result": "clean"
                }
            },
            "last_analysis_stats": {
                "harmless": 81,
                "malicious": 5,
                "suspicious": 1,
                "timeout": 0,
                "undetected": 8
            },
            "last_https_certificate": {
                "cert_signature": {
                    "signature": "<omitted>",
                    "signature_algorithm": "sha256RSA"
                },
                "extensions": {
                    "1.3.6.1.4.1.11129.2.4.2": "0481f200f00075007d3ef2f88fff88556824c2c0ca9e5289792bc50e78097f2e",
                    "CA": true,
                    "authority_key_identifier": {
                        "keyid": "8d8c5ec454ad8ae177e99bf99b05e1b8018d61e1"
                    },
                    "ca_information_access": {
                        "CA Issuers": "http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt",
                        "OCSP": "http://ocsp.sectigo.com"
                    },
                    "certificate_policies": [
                        "1.3.6.1.4.1.6449.1.2.2.7",
                        "2.23.140.1.2.1"
                    ],
                    "extended_key_usage": [
                        "serverAuth",
                        "clientAuth"
                    ],
                    "key_usage": [
                        "ff"
                    ],
                    "subject_alternative_name": [
                        "y2y-panel.xyz",
                        "www.y2y-panel.xyz"
                    ],
                    "subject_key_identifier": "4f6429eaccd761eca91d9120b004f9d962453fef",
                    "tags": []
                },
                "issuer": {
                    "C": "GB",
                    "CN": "Sectigo RSA Domain Validation Secure Server CA",
                    "L": "Salford",
                    "O": "Sectigo Limited",
                    "ST": "Greater Manchester"
                },
                "public_key": {
                    "algorithm": "RSA",
                    "rsa": {
                        "exponent": "010001",
                        "key_size": 2048,
                        "modulus": "<omitted>"
                    }
                },
                "serial_number": "248562d360bcc919bb97883f0dfc609d",
                "signature_algorithm": "sha256RSA",
                "size": 1472,
                "subject": {
                    "CN": "y2y-panel.xyz"
                },
                "tags": [],
                "thumbprint": "f9aae62cc9262302e45d94fcc512d65529ea1b31",
                "thumbprint_sha256": "406ac0efb0ef67de743b1ab0f4e0352564a7d5ebbd71e3a883c067acc3563016",
                "validity": {
                    "not_after": "2021-08-06 23:59:59",
                    "not_before": "2020-08-06 00:00:00"
                },
                "version": "V3"
            },
            "last_https_certificate_date": 1605415789,
            "last_modification_date": 1605430702,
            "network": "203.0.113.0/24",
            "regional_internet_registry": "EXAMPLE",
            "reputation": -95,
            "tags": [],
            "total_votes": {
                "harmless": 0,
                "malicious": 10
            },
            "whois": "NetRange: 203.0.113.0 - 203.0.113.255\nCIDR: 203.0.113.0/24\nNetName: EXAMPLE-5\nNetHandle: NET-203-0-113-0-1\nParent: ()\nNetType: Allocated to EXAMPLE\nOrig",
            "whois_date": 1603912270
        },
        "id": "203.0.113.1",
        "links": {
            "self": "https://www.virustotal.com/api/v3/ip_addresses/203.0.113.1"
        },
        "type": "ip_address",
        "comments": [
            {
                "text": "attributes/text",
                "date": "attributes/date"
            }
        ]
    },
    "is_risky": true
}
Entity enrichment
Enrichment Field Name Logic - When to apply
VT3_id When available in JSON
VT3_owner When available in JSON
VT3_asn When available in JSON
VT3_continent When available in JSON
VT3_country When available in JSON
VT3_harmless_count When available in JSON
VT3_malicious_count When available in JSON
VT3_suspicious_count When available in JSON
VT3_undetected_count When available in JSON
VT3_certificate_valid_not_after When available in JSON
VT3_certificate_valid_not_before When available in JSON
VT3_reputation When available in JSON
VT3_tags When available in JSON
VT3_malicious_vote_count When available in JSON
VT3_harmless_vote_count When available in JSON
VT3_report_link When available in JSON
Case wall

Output message* (type: General)

The action should not fail nor stop a playbook execution:

If some IPs were enriched (is_success = true): "Successfully enriched the following IPs using VirusTotal:\n".format(entity.identifier)

If some IPs were not enriched (is_success = true): "Action wasn't able to enrich the following IPs using VirusTotal:\n".format(entity.identifier)

If no IPs were enriched (is_success = false): "No IPs were enriched".

If some of the engines were not found (is_success does not depend on this logic; it's an additional message for invalid engines): "The following whitelisted engines were not found in VirusTotal:\n{0}".format(engine names)

The action should fail and stop a playbook execution:

If a fatal error, such as wrong credentials or no connection to the server, is reported: "Error executing action "Enrich IP". Reason: {0}".format(error.Stacktrace)

If the "Engine Percentage Threshold" parameter is greater than 100, less than 0 or not an integer: "Error executing action "{action name}". Reason: value for the parameter "Engine Percentage Threshold" is invalid. Please check it. The value should be in range from 0 to 100."

If neither the "Engine Percentage Threshold" parameter nor the "Engine Threshold" parameter is provided: "Error executing action "{action name}". Reason: either "Engine Threshold" or "Engine Percentage Threshold" should be provided."

CSV table (type: Entity)

Table name: Entity.identifier

Table columns:

  • Name
  • Category
  • Method
  • Result

Case wall table (type: General)

Table name: "Comments: {0}".format(entity identifier)

Table columns:

  • Date
  • Comment
  • Abuse Votes
  • Negative Votes
  • Positive Votes
  • ID

Links (type: Entity)

Name: Report Link

Value: {report link}

Enrich URL

Enrich URL using information from VirusTotal.

Parameters

Engine Threshold: Integer, default N/A, mandatory
    Specify the number of engines that should mark the entity as malicious or suspicious for Google Security Operations SOAR to label it as suspicious.
    Note: If the "Engine Whitelist" parameter contains values, the action only counts results from those engines.

Engine Whitelist: CSV, default N/A, optional
    Specify a comma-separated list of engines that should be used to determine whether an entity is malicious or not.
    Example: AlienVault, Kaspersky.
    Note: If nothing is specified in this parameter, the action takes results from every available engine. If an engine doesn't return any information about the entity, it isn't counted for the "Engine Threshold" and "Engine Percentage Threshold" parameters.

Resubmit URL: Checkbox, default Unchecked, optional
    If enabled, the action resubmits URLs for analysis instead of using the latest information.

Retrieve Comments: Checkbox, default Checked, optional
    If enabled, the action retrieves comments about the entity.

Only Suspicious Entity Insight: Checkbox, default Unchecked, optional
    If enabled, the action only creates an insight for suspicious entities.

Max Comments To Return: Integer, default 10, optional
    Specify the number of comments to return.

Engine Percentage Threshold: Integer, default N/A, optional
    Specify the percentage of engines that should mark the entity as malicious or suspicious for Google Security Operations SOAR to label it as suspicious.
    Note: If the "Engine Whitelist" parameter contains values, the action only counts the percentage from those engines. If both "Engine Threshold" and "Engine Percentage Threshold" are provided, the "Engine Threshold" parameter is used.
    Maximum value: 100. Minimum value: 0.

Resubmit After (Days): Integer, default 30, optional
    Specify the number of days since the last submission after which the entity is resubmitted.
    Note: The "Resubmit URL" parameter needs to be enabled.

Create Insight: Checkbox, default Checked, optional
    If enabled, the action creates an insight containing information about the entities.

Fetch Widget: Checkbox, default Checked, optional
    If enabled, the action fetches the augmented widget related to the entity.

Run on

This action runs on the URL entity.

Action results

Script result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON result
{
    "data": {
        "attributes": {
            "categories": {
                "Dr.Web": "known infection source/not recommended site",
                "Forcepoint ThreatSeeker": "compromised websites",
                "sophos": "malware repository, spyware and malware"
            },
            "first_submission_date": 1582300443,
            "html_meta": {},
            "last_analysis_date": 1599853405,
            "last_analysis_results": {
                "AEXAMPLELabs": {
                    "category": "harmless",
                    "engine_name": "EXAMPLELabs",
                    "method": "blacklist",
                    "result": "clean"
                },
                "Example": {
                    "category": "harmless",
                    "engine_name": "Example",
                    "method": "blacklist",
                    "result": "clean"
                }
            },
            "last_analysis_stats": {
                "harmless": 64,
                "malicious": 6,
                "suspicious": 1,
                "timeout": 0,
                "undetected": 8
            },
            "last_final_url": "http://203.0.113.1/input/?mark=20200207-healthybitesforlife.com/31mawe&tpl=example&engkey=bar+chart+click+event",
            "last_http_response_code": 404,
            "last_http_response_content_length": 204,
            "last_http_response_content_sha256": "58df637d178e35690516bda9e41e245db836170f046041fdebeedd20eca61d9d",
            "last_http_response_headers": {
                "connection": "keep-alive",
                "content-length": "204",
                "content-type": "text/html; charset=iso-8859-1",
                "date": "Fri, 11 Sep 2020 19:51:50 GMT",
                "keep-alive": "timeout=60",
                "server": "nginx"
            },
            "last_modification_date": 1599853921,
            "last_submission_date": 1599853405,
            "reputation": 0,
            "tags": [
                "ip"
            ],
            "targeted_brand": {},
            "threat_names": [
                "Mal/HTMLGen-A"
            ],
            "times_submitted": 3,
            "title": "404 Not Found",
            "total_votes": {
                "harmless": 0,
                "malicious": 0
            },
            "trackers": {},
            "url": "http://203.0.113.1/input/?mark=20200207-healthybitesforlife.com/31mawe&tpl=example&engkey=bar+chart+click+event"
        },
        "id": "05ef858c49887ce761de6b24bafb0461175acea385e3f4e8b114b043b7013981",
        "links": {
            "self": "https://www.virustotal.com/api/v3/urls/05ef858c49887ce761de6b24bafb0461175acea385e3f4e8b114b043b7013981"
        },
        "type": "url",
        "comments": [
            {
                "text": "attributes/text",
                "date": "attributes/date"
            }
        ]
    },
    "is_risky": true
}
Entity enrichment
Enrichment Field Name Logic - When to apply
VT3_id When available in JSON
VT3_title When available in JSON
VT3_last_http_response_code When available in JSON
VT3_last_http_response_content_length When available in JSON
VT3_threat_names When available in JSON
VT3_harmless_count When available in JSON
VT3_malicious_count When available in JSON
VT3_suspicious_count When available in JSON
VT3_undetected_count When available in JSON
VT3_reputation When available in JSON
VT3_tags When available in JSON
VT3_malicious_vote_count When available in JSON
VT3_harmless_vote_count When available in JSON
VT3_report_link When available in JSON
Case wall

Output message* (type: General)

The action should not fail nor stop a playbook execution:

If some URLs were enriched (is_success = true): "Successfully enriched the following URLs using VirusTotal:\n".format(entity.identifier)

If some URLs were not enriched (is_success = true): "Action wasn't able to enrich the following URLs using VirusTotal:\n".format(entity.identifier)

If no URLs were enriched (is_success = false): "No URLs were enriched".

If some of the engines were not found (is_success does not depend on this logic; it's an additional message for invalid engines): "The following whitelisted engines were not found in VirusTotal:\n{0}".format(engine names)

Async message: "Waiting for action to retrieve results for the following URLs:\n{0}".format(unprocessed urls)

The action should fail and stop a playbook execution:

If a fatal error, such as wrong credentials or no connection to the server, is reported: "Error executing action "Enrich URL". Reason: {0}".format(error.Stacktrace)

If the "Engine Percentage Threshold" parameter is greater than 100, less than 0 or not an integer: "Error executing action "{action name}". Reason: value for the parameter "Engine Percentage Threshold" is invalid. Please check it. The value should be in range from 0 to 100."

If neither the "Engine Percentage Threshold" parameter nor the "Engine Threshold" parameter is provided: "Error executing action "{action name}". Reason: either "Engine Threshold" or "Engine Percentage Threshold" should be provided."

CSV table (type: Entity)

Table name: Entity.identifier

Table columns:

  • Name
  • Category
  • Method
  • Result

Case wall table (type: General)

Table name: "Comments: {0}".format(entity identifier)

Table columns:

  • Date
  • Comment
  • Abuse Votes
  • Negative Votes
  • Positive Votes
  • ID

Links (type: Entity)

Name: Report Link

Value: {report link}

Enrich Hash

Enrich hash using information from VirusTotal.

Parameters

Engine Threshold: Integer, default N/A, optional
    Specify the number of engines that should mark the entity as malicious or suspicious for Google Security Operations SOAR to label it as suspicious.
    Note: If the "Engine Whitelist" parameter contains values, the action only counts results from those engines.

Engine Whitelist: CSV, default N/A, optional
    Specify a comma-separated list of engines that should be used to determine whether an entity is malicious or not.
    Example: AlienVault, Kaspersky.
    Note: If nothing is specified in this parameter, the action takes results from every available engine. If an engine doesn't return any information about the entity, it isn't counted for the "Engine Threshold" and "Engine Percentage Threshold" parameters.

Retrieve Comments: Checkbox, default Checked, optional
    If enabled, the action retrieves comments about the entity.

Retrieve Sigma Analysis: Checkbox, default Checked, optional
    If enabled, the action retrieves Sigma analysis for the hash.

Fetch MITRE Details: Bool, default False, optional
    If enabled, the action returns information about related MITRE techniques and tactics.

Lowest MITRE Technique Severity: DDL, default Low, optional
    Specify the lowest signature severity related to a MITRE technique for the technique to be returned. Unknown severity is treated as Info.
    Possible values:
      • High
      • Medium
      • Low
      • Info

Only Suspicious Entity Insight: Checkbox, default Unchecked, optional
    If enabled, the action only creates an insight for suspicious entities.

Max Comments To Return: Integer, default N/A, optional
    Specify the number of comments to return.

Engine Percentage Threshold: Integer, default N/A, optional
    Specify the percentage of engines that should mark the entity as malicious or suspicious for Google Security Operations SOAR to label it as suspicious.
    Note: If the "Engine Whitelist" parameter contains values, the action only counts the percentage from those engines. If both "Engine Threshold" and "Engine Percentage Threshold" are provided, the "Engine Threshold" parameter is used.
    Maximum value: 100. Minimum value: 0.

Resubmit Hash: Checkbox, default Unchecked, optional
    If enabled, the action resubmits hashes for analysis instead of using the latest information.

Resubmit After (Days): Integer, default 30, optional
    Specify the number of days since the last submission after which the entity is resubmitted.
    Note: The "Resubmit Hash" parameter needs to be enabled.

Sandbox: CSV, default VirusTotal Jujubox, optional
    Specify a comma-separated list of sandbox names that should be used for behavior analysis. If nothing is provided, the action uses the "VirusTotal Jujubox" sandbox. Make sure that the spelling is correct.
    Examples of sandboxes: VirusTotal Jujubox, VirusTotal ZenBox, Microsoft Sysinternals, Tencent HABO.

Retrieve Sandbox Analysis: Checkbox, default Checked, optional
    If enabled, the action fetches sandbox analysis for the entity. For each sandbox, the action creates a separate section in the JSON result. The action only returns data for the sandboxes that are provided in the "Sandbox" parameter.

Create Insight: Checkbox, default Checked, optional
    If enabled, the action creates an insight containing information about the entities.

Fetch Widget: Checkbox, default Checked, optional
    If enabled, the action fetches the augmented widget related to the entity.

Run on

This action runs on the Hash entity.

Action results

Script result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
    "data": {
        "attributes": {
            "categories": {
                "Dr.Web": "known infection source/not recommended site",
                "Forcepoint ThreatSeeker": "compromised websites",
                "sophos": "malware repository, spyware and malware"
            },
            "first_submission_date": 1582300443,
            "html_meta": {},
            "last_analysis_date": 1599853405,
            "last_analysis_results": {
                "EXAMPLELabs": {
                    "category": "harmless",
                    "engine_name": "EXAMPLELabs",
                    "method": "blacklist",
                    "result": "clean"
                },
                "Example": {
                    "category": "harmless",
                    "engine_name": "Example",
                    "method": "blacklist",
                    "result": "clean"
                }
            },
            "last_analysis_stats": {
                "harmless": 64,
                "malicious": 6,
                "suspicious": 1,
                "timeout": 0,
                "undetected": 8
            },
            "last_final_url": "http://203.0.113.1/input/?mark=20200207-healthybitesforlife.com/31mawe&tpl=example&engkey=bar+chart+click+event",
            "last_http_response_code": 404,
            "last_http_response_content_length": 204,
            "last_http_response_content_sha256": "58df637d178e35690516bda9e41e245db836170f046041fdebeedd20eca61d9d",
            "last_http_response_headers": {
                "connection": "keep-alive",
                "content-length": "204",
                "content-type": "text/html; charset=iso-8859-1",
                "date": "Fri, 11 Sep 2020 19:51:50 GMT",
                "keep-alive": "timeout=60",
                "server": "nginx"
            },
            "last_modification_date": 1599853921,
            "last_submission_date": 1599853405,
            "reputation": 0,
            "tags": [
                "ip"
            ],
            "targeted_brand": {},
            "threat_names": [
                "Mal/HTMLGen-A"
            ],
            "times_submitted": 3,
            "title": "404 Not Found",
            "total_votes": {
                "harmless": 0,
                "malicious": 0
            },
            "trackers": {},
            "url": "http://203.0.113.1/input/?mark=20200207-healthybitesforlife.com/31mawe&tpl=example&engkey=bar+chart+click+event"
        },
        "id": "05ef858c49887ce761de6b24bafb0461175acea385e3f4e8b114b043b7013981",
        "links": {
            "self": "https://www.virustotal.com/api/v3/urls/05ef858c49887ce761de6b24bafb0461175acea385e3f4e8b114b043b7013981"
        },
        "type": "url",
        "comments": [
            {
                "text": "attributes/text",
                "date": "attributes/date"
            }
        ]
    },
    "is_risky": true,
    "related_mitre_techniques": [{"id": "T1071", "name": "", "severity": ""}],
    "related_mitre_tactics": [{"id": "TA0011", "name": ""}]
}
Entity enrichment
Enrichment Field Name Logic - When to apply
VT3_id When available in JSON
VT3_magic When available in JSON
VT3_md5 When available in JSON
VT3_sha1 When available in JSON
VT3_sha256 When available in JSON
VT3_ssdeep When available in JSON
VT3_tlsh When available in JSON
VT3_vhash When available in JSON
VT3_meaningful_name When available in JSON
VT3_harmless_count When available in JSON
VT3_malicious_count When available in JSON
VT3_suspicious_count When available in JSON
VT3_undetected_count When available in JSON
VT3_reputation When available in JSON
VT3_tags When available in JSON
VT3_malicious_vote_count When available in JSON
VT3_harmless_vote_count When available in JSON
VT3_report_link When available in JSON
Case wall

Output message* (type: General)

The action should not fail nor stop a playbook execution:

If some hashes were enriched (is_success = true): "Successfully enriched the following hashes using VirusTotal:\n".format(entity.identifier)

If some hashes were not enriched (is_success = true): "Action wasn't able to enrich the following hashes using VirusTotal:\n".format(entity.identifier)

If no hashes were enriched (is_success = false): "No hashes were enriched".

If some of the engines were not found (is_success does not depend on this logic; it's an additional message for invalid engines): "The following whitelisted engines were not found in VirusTotal:\n{0}".format(engine names)

The action should fail and stop a playbook execution:

If a fatal error, such as wrong credentials or no connection to the server, is reported: "Error executing action "Enrich Hash". Reason: {0}".format(error.Stacktrace)

If the "Engine Percentage Threshold" parameter is greater than 100, less than 0 or not an integer: "Error executing action "{action name}". Reason: value for the parameter "Engine Percentage Threshold" is invalid. Please check it. The value should be in range from 0 to 100."

If neither the "Engine Percentage Threshold" parameter nor the "Engine Threshold" parameter is provided: "Error executing action "{action name}". Reason: either "Engine Threshold" or "Engine Percentage Threshold" should be provided."

Case wall table (type: Entity)

Table name: Entity.identifier

Table columns:

  • Name
  • Category
  • Method
  • Result

Case wall table (type: General)

Table name: "Comments: {0}".format(entity identifier)

Table columns:

  • Date
  • Comment
  • Abuse Votes
  • Negative Votes
  • Positive Votes
  • ID

Links (type: Entity)

Name: Report Link

Value: {report link}

Case wall table (type: General)

Table name: Sigma Analysis: {entity.identifier}

Table columns:

  • ID
  • Severity
  • Source
  • Title
  • Description
  • Match Context

Get Domain Details

Get detailed information about the domain using information from VirusTotal.

Parameters

Engine Threshold: Integer, default N/A, optional
    Specify the number of engines that should mark the entity as malicious or suspicious for Google Security Operations SOAR to label it as suspicious.
    Note: If the "Engine Whitelist" parameter contains values, the action only counts results from those engines.

Engine Whitelist: CSV, default N/A, optional
    Specify a comma-separated list of engines that should be used to determine whether an entity is malicious or not.
    Example: AlienVault, Kaspersky.
    Note: If nothing is specified in this parameter, the action takes results from every available engine. If an engine doesn't return any information about the entity, it isn't counted for the "Engine Threshold" and "Engine Percentage Threshold" parameters.

Retrieve Comments: Checkbox, default Checked, optional
    If enabled, the action retrieves comments about the entity.

Max Comments To Return: Integer, default 10, optional
    Specify the number of comments to return.

Engine Percentage Threshold: Integer, default N/A, optional
    Specify the percentage of engines that should mark the entity as malicious or suspicious for Google Security Operations SOAR to label it as suspicious.
    Note: If the "Engine Whitelist" parameter contains values, the action only counts the percentage from those engines. If both "Engine Threshold" and "Engine Percentage Threshold" are provided, the "Engine Threshold" parameter is used.
    Maximum value: 100. Minimum value: 0.

Create Insight: Checkbox, default Checked, optional
    If enabled, the action creates an insight containing information about the entities.

Only Suspicious Entity Insight: Checkbox, default Unchecked, optional
    If enabled, the action only creates an insight for suspicious entities.

Fetch Widget: Checkbox, default Checked, optional
    If enabled, the action fetches the augmented widget related to the entity.

Run on

This action runs on the following entities:

  • URL
  • Hostname

Action results

Script result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
    "data": {
        "attributes": {
            "categories": {
                "Dr.Web": "known infection source/not recommended site",
                "Forcepoint ThreatSeeker": "compromised websites",
                "sophos": "malware repository, spyware and malware"
            },
            "first_submission_date": 1582300443,
            "html_meta": {},
            "last_analysis_date": 1599853405,
            "last_analysis_results": {
                "EXAMPLELabs": {
                    "category": "harmless",
                    "engine_name": "EXAMPLELabs",
                    "method": "blacklist",
                    "result": "clean"
                },
                "Example": {
                    "category": "harmless",
                    "engine_name": "Example",
                    "method": "blacklist",
                    "result": "clean"
                }
            },
            "last_analysis_stats": {
                "harmless": 64,
                "malicious": 6,
                "suspicious": 1,
                "timeout": 0,
                "undetected": 8
            },
            "last_final_url": "http://203.0.113.1/input/?mark=20200207-healthybitesforlife.com/31mawe&tpl=example&engkey=bar+chart+click+event",
            "last_http_response_code": 404,
            "last_http_response_content_length": 204,
            "last_http_response_content_sha256": "58df637d178e35690516bda9e41e245db836170f046041fdebeedd20eca61d9d",
            "last_http_response_headers": {
                "connection": "keep-alive",
                "content-length": "204",
                "content-type": "text/html; charset=iso-8859-1",
                "date": "Fri, 11 Sep 2020 19:51:50 GMT",
                "keep-alive": "timeout=60",
                "server": "nginx"
            },
            "last_modification_date": 1599853921,
            "last_submission_date": 1599853405,
            "reputation": 0,
            "tags": [
                "ip"
            ],
            "targeted_brand": {},
            "threat_names": [
                "Mal/HTMLGen-A"
            ],
            "times_submitted": 3,
            "title": "404 Not Found",
            "total_votes": {
                "harmless": 0,
                "malicious": 0
            },
            "trackers": {},
            "url": "http://203.0.113.1/input/?mark=20200207-healthybitesforlife.com/31mawe&tpl=example&engkey=bar+chart+click+event"
        },
        "id": "05ef858c49887ce761de6b24bafb0461175acea385e3f4e8b114b043b7013981",
        "links": {
            "self": "https://www.virustotal.com/api/v3/urls/05ef858c49887ce761de6b24bafb0461175acea385e3f4e8b114b043b7013981"
        },
        "type": "url",
        "comments": [
            {
                "text": "attributes/text",
                "date": "attributes/date"
            }
        ]
    },
    "is_risky": true
}
Case wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

If enriched some (is_success = true): "Successfully returned details about the following domains using VirusTotal:\n".format(domain part of the entity.identifier)

If didn't enrich some (is_success = true): "Action wasn't able to return details about the following domains using VirusTotal:\n".format(domain part of the entity.identifier)

If didn't enrich all (is_success = false): "No hashes were enriched".

If some of the engines are not found (is_success does not depend on this logic; it is an additional message for invalid engines): "The following whitelisted engines were not found in VirusTotal:\n{0}".format(engine names)

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, or other, is reported: "Error executing action "Enrich Hash". Reason: {0}".format(error.Stacktrace)

If the "Engine Percentage Threshold" parameter is > 100 or < 0 or not integer: "Error executing action "{action name}". Reason: value for the parameter "Engine Percentage Threshold" is invalid. Please check it. The value should be in range from 0 to 100.

If neither the "Engine Percentage Threshold" parameter nor the "Engine Threshold" parameter is provided: "Error executing action "{action name}". Reason: either "Engine Threshold" or "Engine Percentage Threshold" should be provided.

General
Case Wall Table

Table Name: entity.identifier

Table Columns:

  • Name
  • Category
  • Method
  • Result
General
Case Wall Table

Table Name: "Comments: {0}".format(domain part of the entity identifier)

Table Columns:

  • Date
  • Comment
  • Abuse Votes
  • Negative Votes
  • Positive Votes
  • ID
General
Links

Name: "Report Link: {0}".format(domain part of the entity)

Value: {report link}

General

Submit File

Submit a file and return results from VirusTotal.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
File Paths CSV N/A Yes

Specify a comma-separated list of absolute file paths.

Note: If the "Linux Server Address" parameter is specified, the action tries to fetch the file from the remote server.

Private Submission Bool False No If enabled, the action submits the file privately. Note: this functionality requires premium VT access.
Engine Threshold Integer N/A No

Specify the number of engines that should mark the entity as malicious or suspicious, for Google Security Operations SOAR to label it as suspicious.

Note: If the "Engine Whitelist" parameter contains values, the action only counts results from those engines.

Engine Whitelist CSV N/A No

Specify a comma-separated list of engines that should be used to retrieve information, whether an entity is malicious or not.

Example: AlienVault,Kaspersky.

Note: If nothing is specified in this parameter, the action takes results from every available engine. If the engine doesn't return any information about the entity, it won't be counted for the "Engine Threshold" and "Engine Percentage Threshold" parameters.

Retrieve Comments Checkbox Checked No If enabled, the action retrieves comments about the entity.
Fetch MITRE Details Bool False No If enabled, the action returns information about related MITRE techniques and tactics.
Lowest MITRE Technique Severity DDL Low

Possible values:
  • High
  • Medium
  • Low
  • Info
No Specify the lowest signature severity related to MITRE technique for the technique to be returned.
Unknown severity is treated as Info.
Retrieve AI Summary Checkbox Unchecked No

Experimental.

If enabled, the action retrieves an AI summary for the submitted file.

AI Summary is only available for private submissions.

Retrieve Sigma Analysis Checkbox Checked No If enabled, the action retrieves sigma analysis for the file.
Max Comments To Return Integer 50 No Specify the number of comments to return.
Linux Server Address String N/A No Specify the IP address of the remote linux server, where the file is located.
Linux Username String N/A No Specify the username of the remote linux server, where the file is located.
Linux Password Password N/A No Specify the password of the remote linux server, where the file is located.
Engine Percentage Threshold Integer N/A No

Specify the percentage of engines that should mark the entity as malicious or suspicious, for Google Security Operations SOAR to label it as suspicious.

Note: If the "Engine Whitelist" parameter contains values, the action only counts the percentage from those engines. If both "Engine Threshold" and "Engine Percentage Threshold" are provided, the "Engine Threshold" parameter is used.

Maximum value: 100. Minimum value: 0.
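The verdict rules the three threshold parameters describe (engine count versus percentage, "Engine Threshold" winning when both are given, the whitelist restricting which engines are counted, engines without a result not counted, and the parameter validation behind the error messages), as an added Python example that is not the integration's own code. The function and class names and the sample analysis results are constructed; it assumes that reaching the threshold is enough to label the entity risky and that timeout, failure and type-unsupported categories mean "no information".

```python
"""Engine-threshold verdict logic for the Submit File / Enrich actions.
Added example, not the integration's own code: names and sample data are
constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Categories that count as "marked the entity as malicious or suspicious".
FLAGGED_CATEGORIES = {"malicious", "suspicious"}
# Assumption: these categories mean the engine returned no information about
# the entity, so the engine is not counted toward either threshold.
NO_INFORMATION_CATEGORIES = {"timeout", "confirmed-timeout", "failure", "type-unsupported"}


@dataclass
class EngineVerdict:
    is_risky: bool
    counted_engines: int      # engines whose result was counted
    flagged_engines: int      # of those, engines that flagged the entity
    rule: str                 # which threshold parameter decided the verdict
    missing_whitelisted: List[str] = field(default_factory=list)  # whitelisted engines absent from the report


def parse_whitelist(engine_whitelist: Optional[str]) -> List[str]:
    """Split the comma-separated "Engine Whitelist" value, e.g. "AlienVault,Kaspersky"."""
    if not engine_whitelist:
        return []
    return [name.strip() for name in engine_whitelist.split(",") if name.strip()]


def evaluate_verdict(last_analysis_results: Dict[str, dict],
                     engine_threshold: Optional[int] = None,
                     engine_percentage_threshold: Optional[int] = None,
                     engine_whitelist: Optional[str] = None) -> EngineVerdict:
    """Decide is_risky from a VirusTotal "last_analysis_results" mapping.

    At least one threshold must be given, the percentage must be an integer in
    0..100, "Engine Threshold" wins when both are given, and a whitelist
    restricts which engines are counted. Assumption: reaching the threshold
    (>=) is enough to label the entity as risky.
    """
    if engine_threshold is None and engine_percentage_threshold is None:
        raise ValueError('either "Engine Threshold" or "Engine Percentage Threshold" should be provided')
    if engine_percentage_threshold is not None and (
            not isinstance(engine_percentage_threshold, int)
            or isinstance(engine_percentage_threshold, bool)
            or not 0 <= engine_percentage_threshold <= 100):
        raise ValueError('value for the parameter "Engine Percentage Threshold" is invalid. '
                         'The value should be in range from 0 to 100')

    whitelist = parse_whitelist(engine_whitelist)
    missing = [name for name in whitelist if name not in last_analysis_results]
    # Only whitelisted engines are considered when a whitelist is given.
    selected = {name: result for name, result in last_analysis_results.items()
                if not whitelist or name in whitelist}
    # Engines that returned no information are dropped before counting.
    counted = {name: result for name, result in selected.items()
               if result.get("category") and result["category"] not in NO_INFORMATION_CATEGORIES}
    flagged = sum(1 for result in counted.values() if result["category"] in FLAGGED_CATEGORIES)

    if engine_threshold is not None:
        is_risky = flagged >= engine_threshold
        rule = "Engine Threshold"
    else:
        percentage = 100.0 * flagged / len(counted) if counted else 0.0
        is_risky = percentage >= engine_percentage_threshold
        rule = "Engine Percentage Threshold"
    return EngineVerdict(is_risky, len(counted), flagged, rule, missing)


# Constructed sample in the shape of the "last_analysis_results" object above.
SAMPLE_RESULTS = {
    "EXAMPLELabs": {"category": "harmless", "engine_name": "EXAMPLELabs", "method": "blacklist", "result": "clean"},
    "Example": {"category": "malicious", "engine_name": "Example", "method": "blacklist", "result": "Mal/HTMLGen-A"},
    "Example2": {"category": "suspicious", "engine_name": "Example2", "method": "blacklist", "result": "suspicious"},
    "Example3": {"category": "timeout", "engine_name": "Example3", "method": "blacklist", "result": None},
    "Example4": {"category": "undetected", "engine_name": "Example4", "method": "blacklist", "result": None},
}

if __name__ == "__main__":
    for kwargs in ({"engine_threshold": 2},
                   {"engine_percentage_threshold": 51},
                   {"engine_threshold": 1, "engine_whitelist": "EXAMPLELabs,Example4,NoSuchEngine"}):
        print(kwargs, "->", evaluate_verdict(SAMPLE_RESULTS, **kwargs))
```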

Run on

This action doesn't run on entities.

Action results

Script result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON result
{
    "data": {
        "attributes": {
            "categories": {
                "Dr.Web": "known infection source/not recommended site",
                "Forcepoint ThreatSeeker": "compromised websites",
                "sophos": "malware repository, spyware and malware"
            },
            "first_submission_date": 1582300443,
            "html_meta": {},
            "last_analysis_date": 1599853405,
            "last_analysis_results": {
                "EXAMPLELabs": {
                    "category": "harmless",
                    "engine_name": "EXAMPLELabs",
                    "method": "blacklist",
                    "result": "clean"
                },
                "Example": {
                    "category": "harmless",
                    "engine_name": "Example",
                    "method": "blacklist",
                    "result": "clean"
                }
            },
            "last_analysis_stats": {
                "harmless": 64,
                "malicious": 6,
                "suspicious": 1,
                "timeout": 0,
                "undetected": 8
            },
            "last_final_url": "http://203.0.113.1/input/?mark=20200207-healthybitesforlife.com/31mawe&tpl=example&engkey=bar+chart+click+event",
            "last_http_response_code": 404,
            "last_http_response_content_length": 204,
            "last_http_response_content_sha256": "58df637d178e35690516bda9e41e245db836170f046041fdebeedd20eca61d9d",
            "last_http_response_headers": {
                "connection": "keep-alive",
                "content-length": "204",
                "content-type": "text/html; charset=iso-8859-1",
                "date": "Fri, 11 Sep 2020 19:51:50 GMT",
                "keep-alive": "timeout=60",
                "server": "nginx"
            },
            "last_modification_date": 1599853921,
            "last_submission_date": 1599853405,
            "reputation": 0,
            "tags": [
                "ip"
            ],
            "targeted_brand": {},
            "threat_names": [
                "Mal/HTMLGen-A"
            ],
            "times_submitted": 3,
            "title": "404 Not Found",
            "total_votes": {
                "harmless": 0,
                "malicious": 0
            },
            "trackers": {},
            "url": "http://203.0.113.1/input/?mark=20200207-healthybitesforlife.com/31mawe&tpl=example&engkey=bar+chart+click+event"
        },
        "id": "05ef858c49887ce761de6b24bafb0461175acea385e3f4e8b114b043b7013981",
        "links": {
            "self": "https://www.virustotal.com/api/v3/urls/05ef858c49887ce761de6b24bafb0461175acea385e3f4e8b114b043b7013981"
        },
        "type": "url",
        "comments": [
            {
                "text": "attributes/text",
                "date": "attributes/date"
            }
        ]
    },
    "is_risky": true
}
Case wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

If enriched some entities (is_success = true): "Successfully returned details about the following files using VirusTotal:\n".format(filepaths)

If didn't enrich some entities (is_success = true): "Action wasn't able to return details about the following domains using VirusTotal:\n".format(filepaths)

If didn't enrich all entities (is_success = false): "No details about the files were retrieved".

If some of the engines were not found (is_success does not depend on this logic; it is an additional message for invalid engines): "The following whitelisted engines were not found in VirusTotal:\n{0}".format(engine names)

Async message: "Waiting for results for the following files:\n{0}".format(filepaths)

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, or other, is reported: "Error executing action "Submit File". Reason: {0}".format(error.Stacktrace)

General
Case Wall Table

Table Name: "Results: {0}".format(filepath)

Table Columns:

  • Name
  • Category
  • Method
  • Result
General
Case Wall Table

Table Name: "Comments: {0}".format(filepath)

Table Columns:

  • Date
  • Comment
  • Abuse Votes
  • Negative Votes
  • Positive Votes
  • ID
General
Links

Name: "Report Link: {0}".format(filepath)

Value: {report link}

General
Case Wall Table

Table Name: Sigma Analysis: {entity.identifier}

Table Columns:

  • ID
  • Severity
  • Source
  • Title
  • Description
  • Match Context
General

Get Related URLs

Get related URLs to the provided entities from VirusTotal.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Results DDL

Combined

Possible values:

  • Combined
  • Per Entity
No Specify how the JSON result should look. If "Combined" is selected, the action returns all of the unique results that were found among the provided entities. If "Per Entity" is selected, the action returns all of the unique items per entity.
Max URLs To Return Integer 40 No

Specify the number of URLs to return. Depending on the "Results" parameter value, this parameter will behave differently.

If "Combined" is selected, this parameter defines the number of results to return from all entities.

If "Per Entity" is selected, the parameter dictates the number of results to return per entity.

Run on

This action runs on the following entities:

  • URL
  • IP Address
  • Hash
  • Hostname

Action results

Script result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON result
{
"urls": ["http://example.com"]
}
Case wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If at least one URL is found (is_success = true): "Successfully returned related URLs to the provided entities from VirusTotal."

If no URLs are found (is_success = false): "No related URLs were found to the provided entities from VirusTotal."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, or other, is reported: "Error executing action "Get Related URLs". Reason: {0}".format(error.Stacktrace)

General

Get Related IPs

Get related IPs to the provided entities from VirusTotal.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Results DDL

Combined

Possible values:

  • Combined
  • Per Entity
No

Specify how the JSON result should look.

If "Combined" is selected, the action returns all of the unique results that were found among the provided entities. If "Per Entity" is selected, the action returns all of the unique items per entity.

Max IPs To Return Integer 40 No

Specify the number of IPs to return. Depending on the "Results" parameter value, this parameter will behave differently.

If "Combined" is selected, this parameter defines the number of results to return from all entities.

If "Per Entity" is selected, the parameter dictates the number of results to return per entity.

Run on

This action runs on the entities:

  • URL
  • Hash
  • Hostname

Action results

Script result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
"ips": ["203.0.113.0"]
}
Case wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If at least one IP is found (is_success = true): "Successfully returned related IPs to the provided entities from VirusTotal."

If no IPs are found (is_success = false): "No related IPs were found to the provided entities from VirusTotal."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, or other, is reported: "Error executing action "Get Related IPs". Reason: {0}".format(error.Stacktrace)

General

Get Related Domains

Get related domains to the provided entities from VirusTotal.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Results DDL

Combined

Possible values

  • Combined
  • Per Entity
No

Specify how the JSON result should look.

If "Combined" is selected, the action returns all of the unique results that were found among the provided entities.

If "Per Entity" is selected, the action returns all of the unique items per entity.

Max Domains To Return Integer 40 No

Specify the number of domains to return. Depending on the "Results" parameter value, this parameter will behave differently.

If "Combined" is selected, this parameter defines the number of results to return from all entities.

If "Per Entity" is selected, the parameter dictates the number of results to return per entity.

Run on

This action runs on the entities:

  • URL
  • IP
  • Hash
  • Hostname

Action results

Script result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON result
{
"domain": ["example.com"]
}
Case wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If at least one domain is found (is_success = true): "Successfully returned related domains to the provided entities from VirusTotal."

If no domains are found (is_success = false): "No related domains were found to the provided entities from VirusTotal."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, or other, is reported: "Error executing action "Get Related Domains". Reason: {0}".format(error.Stacktrace)

General

Get Related Hashes

Get related hashes to the provided entities from VirusTotal.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Results DDL

Combined

Possible values:

  • Combined
  • Per Entity
No

Specify how the JSON result should look.

If "Combined" is selected, the action returns all of the unique results that were found among the provided entities. If "Per Entity" is selected, the action returns all of the unique items per entity.

Max Hashes To Return Integer 40 No

Specify the number of hashes to return. Depending on the "Results" parameter value, this parameter will behave differently.

If "Combined" is selected, this parameter defines the number of results to return from all entities.

If "Per Entity" is selected, the parameter dictates the number of results to return per entity.

Run on

This action runs on the entities:

  • URL
  • IP Address
  • Hash
  • Hostname

Action results

Script result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON result
{
"sha256_hashes": ["http://example.com"]
}
Case wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If at least one hash is found (is_success = true): "Successfully returned related hashes to the provided entities from VirusTotal."

If no hashes are found (is_success = false): "No related hashes were found to the provided entities from VirusTotal."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, or other, is reported: "Error executing action "Get Related Hashes". Reason: {0}".format(error.Stacktrace)

General

Search Graphs

Search graphs based on custom filters in VirusTotal.

How to construct the query

There is a set of modifiers that you can use to refine your search results. You can combine any of them and use them in conjunction with the AND, OR and NOT operators.

Date and numeric fields support a plus or minus suffix to match values greater or less than the passed value. If no sign is added to the modifier, you get exact matches. You can use the same modifier more than once in the same query to define ranges: creation_date:2018-11-1+ creation_date:2018-11-12- will match graphs created between 2018-11-1 and 2018-11-22.

Modifier Description Example
id Filters by graph identifier. id:g675a2fd4c8834e288afd71bbbe88f78884e7d21a8c9348b5ab45cc9281cffc3c
name Filters by graph name. name:Example-name
owner Filters by graphs owned by user. owner:example_user
group Filters by graphs owned by group. group:example
visible_to_user Filters by graphs visible to user. visible_to_user:example_user
visible_to_group Filters by graphs visible to group. visible_to_group:example
private Filters by private graphs. private:true, private:false
creation_date Filters by the graph creation date. creation_date:2018-11-1
last_modified_date Filters by the last date the graph was modified. last_modified_date:2018-11-12
total_nodes Filters by graphs containing some amount of nodes. total_nodes:100
comments_count Filters by the number of comments of the graph. comments_count:10+
views_count Filters by the number of graph views. views_count:1000+
label Filters by graphs containing nodes with a specific label. label:Kill switch
file Filters by graphs containing the file. file:131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267
domain Filters by graphs containing the domain. domain:example.com
ip_address Filters by graphs containing the IP address. ip_address:203.0.113.1
url Filters by graphs containing the URL. url:https://example.com/example/
actor Filters by graphs containing the actor. actor:example actor
victim Filters by graphs containing the victim. victim:example_user
email Filters by graphs containing the email. email:user@example.com
department Filters by graphs containing the department. department:engineers
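The modifier syntax described above (typed modifiers, the +/- range suffixes, AND/OR/NOT) evaluated locally against sample graph records, plus the request URL composed in the same form as the "self" link in the JSON result, as an added Python example that is not VirusTotal's or the integration's code. The function names and the sample graph records are constructed; it assumes the "+" and "-" suffixes match inclusively (>= and <=), that adjacent terms are ANDed, that NOT binds tighter than AND and AND tighter than OR, and that multi-word values such as label:"Kill switch" are quoted.

```python
"""Local evaluator and request builder for the graph search syntax.
Added example, not VirusTotal's or the integration's code: names and sample
graph records are constructed for illustration."""
import shlex
from datetime import date
from urllib.parse import quote, urlencode

API_BASE = "https://www.virustotal.com/api/v3/graphs"
DATE_MODIFIERS = {"creation_date", "last_modified_date"}
NUMERIC_MODIFIERS = {"total_nodes", "comments_count", "views_count"}
MODIFIERS = DATE_MODIFIERS | NUMERIC_MODIFIERS | {
    "id", "name", "owner", "group", "visible_to_user", "visible_to_group", "private",
    "label", "file", "domain", "ip_address", "url", "actor", "victim", "email", "department"}


def parse_term(token):
    """Turn "creation_date:2018-11-12-" into ("creation_date", "<=", date(2018, 11, 12))."""
    modifier, sep, raw = token.partition(":")
    modifier = modifier.lower()
    if not sep or modifier not in MODIFIERS:
        raise ValueError("unknown modifier in term %r" % token)
    op = "="
    # Assumption: "+" means >= and "-" means <=, so a range is inclusive at both ends.
    if modifier in DATE_MODIFIERS | NUMERIC_MODIFIERS and raw and raw[-1] in "+-":
        op, raw = {"+": ">=", "-": "<="}[raw[-1]], raw[:-1]
    if modifier in DATE_MODIFIERS:
        year, month, day = (int(part) for part in raw.split("-"))  # accepts 2018-11-1
        return modifier, op, date(year, month, day)
    if modifier in NUMERIC_MODIFIERS:
        return modifier, op, int(raw)
    if modifier == "private":
        return modifier, op, raw.lower() == "true"
    return modifier, op, raw


def parse_query(query):
    """Split a query into OR-groups of (negated, term) tuples; terms in a group are ANDed."""
    groups, current, negate = [], [], False
    for token in shlex.split(query):          # shlex keeps quoted values such as "Kill switch" together
        word = token.upper()
        if word == "OR":
            if current:
                groups.append(current)
            current = []
        elif word == "AND":
            continue                          # adjacency already means AND
        elif word == "NOT":
            negate = not negate
        else:
            current.append((negate, parse_term(token)))
            negate = False
    if current:
        groups.append(current)
    return groups


def term_matches(graph, term):
    """Compare one parsed term against a graph record; list-valued fields use membership."""
    modifier, op, value = term
    actual = graph.get(modifier)
    if actual is None:
        return False
    if isinstance(actual, (list, tuple, set)):
        return value in actual
    if op == ">=":
        return actual >= value
    if op == "<=":
        return actual <= value
    return actual == value


def search(query, graphs, order="last_modified_date", limit=10):
    """Return up to `limit` matching graphs sorted by `order` (the Sort Field parameter)."""
    parsed = parse_query(query)
    hits = [g for g in graphs
            if any(all(term_matches(g, term) != negated for negated, term in group)
                   for group in parsed)]
    return sorted(hits, key=lambda g: g[order])[:limit]


def build_request_url(query, order="last_modified_date", limit=10):
    """Compose the v3 graphs URL in the form of the "self" link shown in the JSON result."""
    params = {"filter": query, "order": order, "limit": limit, "attributes": "graph_data"}
    return API_BASE + "?" + urlencode(params, safe=":", quote_via=quote)


# Constructed sample graph records (not real VirusTotal graphs).
SAMPLE_GRAPHS = [
    {"id": "g-example-1", "name": "Example-name", "owner": "example_user", "private": False,
     "creation_date": date(2018, 11, 5), "last_modified_date": date(2018, 11, 20),
     "total_nodes": 100, "views_count": 1500, "comments_count": 10,
     "ip_address": ["203.0.113.1"], "label": ["Kill switch"]},
    {"id": "g-example-2", "name": "Other", "owner": "another_user", "private": True,
     "creation_date": date(2018, 11, 30), "last_modified_date": date(2018, 12, 1),
     "total_nodes": 12, "views_count": 3, "comments_count": 0, "domain": ["example.com"]},
    {"id": "g-example-3", "name": "Third", "owner": "example_user", "private": False,
     "creation_date": date(2018, 11, 12), "last_modified_date": date(2018, 11, 12),
     "total_nodes": 40, "views_count": 999, "comments_count": 2, "ip_address": ["203.0.113.3"]},
]

if __name__ == "__main__":
    print([g["id"] for g in search("creation_date:2018-11-1+ creation_date:2018-11-12-", SAMPLE_GRAPHS)])
    print(build_request_url("ip_address:203.0.113.3 OR owner:example_user", limit=2))
```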

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Query String N/A Yes Specify the query filter for the graph. Please refer to the documentation portal for more details.
Sort Field DDL

Name

Possible values:

  • Name
  • Owner
  • Creation Date
  • Last Modified Date
  • Views Count
  • Comments Count
No Specify the sort field.
Max Graphs To Return Integer 10 No Specify the number of graphs to return.

Run on

This action doesn't run on entities.

Action results

Script result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON result
{
    "data": [
        {
            "attributes": {
                "graph_data": {
                    "description": "EXAMPLE",
                    "version": "5.0.0"
                }
            },
            "id": "g304a40e2b2fe4641a5648286fcf8be249d48d2c7c1d64d02a7b1cfe6e09f562d",
            "links": {
                "self": "https://www.virustotal.com/api/v3/graphs/g304a40e2b2fe4641a5648286fcf8be249d48d2c7c1d64d02a7b1cfe6e09f562d"
            },
            "type": "graph"
        },
        {
            "attributes": {
                "graph_data": {
                    "description": "Example Feb2020",
                    "version": "5.0.0"
                }
            },
            "id": "gb942e956b3764e3395859a0e0c29258b731bef6d8dc049618c6c66b5897259c1",
            "links": {
                "self": "https://www.virustotal.com/api/v3/graphs/gb942e956b3764e3395859a0e0c29258b731bef6d8dc049618c6c66b5897259c1"
            },
            "type": "graph"
        }
    ],
    "links": {
        "next": "https://www.virustotal",
        "self": "https://www.virustotal.com/api/v3/graphs?filter=ip_address:203.0.113.3%20OR%20file:b345697c16f84d3775924dc17847fa3ff61579ee793a95248e9c4964da586dd1&order=last_modified_date&limit=2&attributes=graph_data"
    },
    "meta": {
        "cursor": "True:CsEGCo0CCusBAP8_vihw3_S_"
    }
}
Case wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If at least one graph is returned (is_success = true): "Successfully returned graphs for the provided query in VirusTotal".

If the 400 status code is reported (is_success = false): "Action wasn't able to successfully return graph for the provided query in VirusTotal. Reason: {0}.".format(error/message from the response)

If there is no information for query (is_success = false): "No graphs were found for the provided query.".
The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, or other, is reported: "Error executing action "Search Graphs". Reason: {0}".format(error.Stacktrace)

General

Search Entity Graphs

Search graphs based on the entities in VirusTotal.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Sort Field DDL

Name

Possible values:

  • Name
  • Owner
  • Creation Date
  • Last Modified Date
  • Views Count
  • Comments Count
No Specify the sort field.
Max Graphs To Return Integer 10 No Specify the number of graphs to return.

Run on

This action runs on the entities:

  • Hash
  • URL
  • Threat Actor
  • IP Address
  • User

Action results

Script result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON result
{
    "data": [
        {
            "attributes": {
                "graph_data": {
                    "description": "EXAMPLE",
                    "version": "5.0.0"
                }
            },
            "id": "g304a40e2b2fe4641a5648286fcf8be249d48d2c7c1d64d02a7b1cfe6e09f562d",
            "links": {
                "self": "https://www.virustotal.com/api/v3/graphs/g304a40e2b2fe4641a5648286fcf8be249d48d2c7c1d64d02a7b1cfe6e09f562d"
            },
            "type": "graph"
        },
        {
            "attributes": {
                "graph_data": {
                    "description": "Example Feb2020",
                    "version": "5.0.0"
                }
            },
            "id": "gb942e956b3764e3395859a0e0c29258b731bef6d8dc049618c6c66b5897259c1",
            "links": {
                "self": "https://www.virustotal.com/api/v3/graphs/gb942e956b3764e3395859a0e0c29258b731bef6d8dc049618c6c66b5897259c1"
            },
            "type": "graph"
        }
    ],
    "links": {
        "next": "https://www.virustotal",
        "self": "https://www.virustotal.com/api/v3/graphs?filter=ip_address:203.0.113.3%20OR%20file:b345697c16f84d3775924dc17847fa3ff61579ee793a95248e9c4964da586dd1&order=last_modified_date&limit=2&attributes=graph_data"
    },
    "meta": {
        "cursor": "True:CsEGCo0CCusBAP8_vihw3_S_"
    }
}
Case wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If at least one graph is returned (is_success = true): "Successfully returned graphs based on the provided entities in VirusTotal".

If the 400 status code is reported (is_success = false): "Action wasn't able to successfully return graph based on the provided entities on VirusTotal. Reason: {0}.".format(error/message from the response)

If there is no information for query (is_success = false): "No graphs were found for the provided entities".

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, or other, is reported: "Error executing action "Search Entity Graphs". Reason: {0}".format(error.Stacktrace)

General

Search IOCs

Search for IOCs in VirusTotal's dataset using the same query syntax that you would use in the VirusTotal Intelligence user interface.

Entities

This action doesn't run on entities.

Action inputs

To configure the action, use the following parameters:

Parameters
Query Required

The query specified according to the VirusTotal query search syntax.

Default value is "".

Create Entities Optional

If enabled, the action creates entities for the returned IOCs.

Disabled by default.

Order By Required

The order specified by the selected field in which results are returned.

Default value is Use Default Order.

Possible values are:
  • Use Default Order
  • Last Submission Date
  • First Submission Date
  • Positives
  • Times Submitted
  • Creation Date
  • Last Modification Date
  • Last Update Date
Sort Order Optional

Order to return the results in.

If the Use Default Order value is set for the Order By field, this parameter will be ignored.

Default value is Descending.

Possible values are:
  • Ascending
  • Descending
Max IOCs To Return Optional

The number of IOCs to return.

Max value is 300.

Default value is 10.

Action outputs

Action output type
Case wall attachment N/A
Case wall link N/A
Case wall table N/A
Enrichment table N/A
Entity insight N/A
Insight N/A
JSON result Available
OOTB widget N/A
Script result Available
Script result
Script result name Value
is_success True/False
JSON result
{
  "data": [
    {
      "attributes": {
        "type_description": "Email",
        "tlsh": "T1B4D31F04BE452B3093E7238E064E6FDBAFCC135F6611F1C60881AAD6C5C77A2E57D689",
        "exiftool": {
          "MIMEType": "text/plain",
          "FileType": "TXT",
          "WordCount": "2668",
          "LineCount": "1820",
          "MIMEEncoding": "us-ascii",
          "FileTypeExtension": "txt",
          "Newlines": "Windows CRLF"
        },
        "type_tags": [
          "internet",
          "email"
        ],
        "threat_severity": {
          "threat_severity_level": "SEVERITY_HIGH",
          "threat_severity_data": {
            "num_gav_detections": 3,
            "has_vulnerabilities": true,
            "popular_threat_category": "trojan",
            "type_tag": "email",
            "has_embedded_ips_with_detections": true
          },
          "last_analysis_date": "1698050597",
          "version": 2,
          "level_description": "Severity HIGH because it was considered trojan. Other contributing factors were that it has known exploits, it contains embedded IPs with detections and it could not be run in sandboxes."
        },
        "names": [
          "Re Proforma Invoice.eml"
        ],
        "last_modification_date": 1698057197,
        "type_tag": "email",
        "times_submitted": 1,
        "total_votes": {
          "harmless": 0,
          "malicious": 0
        },
        "size": 132299,
        "popular_threat_classification": {
          "suggested_threat_label": "obfsobjdat/malformed",
          "popular_threat_name": [
            {
              "count": 8,
              "value": "obfsobjdat"
            },
            {
              "count": 2,
              "value": "malformed"
            }
          ]
        },
        "last_submission_date": 1698049979,
        "last_analysis_results": {
          "Bkav": {
            "category": "undetected",
            "engine_name": "Example1",
            "engine_version": "2.0.0.1",
            "result": null,
            "method": "blacklist",
            "engine_update": "20231023"
          },
          "Lionic": {
            "category": "undetected",
            "engine_name": "Example2",
            "engine_version": "7.5",
            "result": null,
            "method": "blacklist",
            "engine_update": "20231023"
          },
          .
          .
          .
        },
        "downloadable": true,
        "trid": [
          {
            "file_type": "file seems to be plain text/ASCII",
            "probability": 0
          }
        ],
        "sha256": "2d9df36964fe2e477e6e0f7a73391e4d4b2eeb0995dd488b431c4abfb4c27dbf",
        "type_extension": "eml",
        "tags": [
          "exploit",
          "cve-2018-0802",
          "cve-2018-0798",
          "email",
          "cve-2017-11882"
        ],
        "last_analysis_date": 1698049979,
        "unique_sources": 1,
        "first_submission_date": 1698049979,
        "ssdeep": "768:MedEkBNnx8ueVV+fitChi9KbpK0fixbRwHbcElIK944tCVQOgzdsSuom+cWmsCGY:Meo+fitC0mKuixYxlI1OO1cSPo0gptA",
        "md5": "bdfe36052e0c083869505ef4fd77e865",
        "sha1": "3a350de97009efe517ceffcea406534bb1ab800c",
        "magic": "SMTP mail, ASCII text, with CRLF line terminators",
        "last_analysis_stats": {
          "harmless": 0,
          "type-unsupported": 16,
          "suspicious": 0,
          "confirmed-timeout": 0,
          "timeout": 0,
          "failure": 0,
          "malicious": 28,
          "undetected": 32
        },
        "meaningful_name": "Re Proforma Invoice.eml",
        "reputation": 0
      },
      "type": "file",
      "id": "example-id",
      "links": {
        "self": "example_url"
      }
    },
    .
    .
    .
  ]
}

Case wall

Output message Message description
Successfully returned IOCs based on the provided query from VirusTotal. The action is successful.
The following IOCs were not created as new entities, as they already exist in the system: LIST_OF_IOCS The action is successful.
No IOCs were found for the provided query. No information found for the submitted query.
Error executing action "Search IOCs". The action returned an error.

Check credentials or connection to the server.

Get Graph Details

Get detailed information about graphs in VirusTotal.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Graph ID CSV N/A Yes Specify a comma-separated list of graph IDs for which you want to retrieve detailed information.
Max Links To Return Integer 50 No Specify the number of links to return.

Run on

This action doesn't run on entities.

Action results

Script result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON result
{
    "data": {
        "attributes": {
            "comments_count": 0,
            "creation_date": 1603219837,
            "graph_data": {
                "description": "Example LLC",
                "version": "api-5.0.0"
            },
            "last_modified_date": 1603219837,
            "links": [
                {
                    "connection_type": "last_serving_ip_address",
                    "source": "ea241b193c1bd89f999db9231359e7479bc2f05105ce43964955068c5d7c4671",
                    "target": "relationships_last_serving_ip_address_ea241b193c1bd89f999db9231359e7479bc2f05105ce43964955068c5d7c4671"
                },
                {
                    "connection_type": "last_serving_ip_address",
                    "source": "relationships_last_serving_ip_address_ea241b193c1bd89f999db9231359e7479bc2f05105ce43964955068c5d7c4671",
                    "target": "203.0.113.3"
                },
                {
                    "connection_type": "network_location",
                    "source": "ea241b193c1bd89f999db9231359e7479bc2f05105ce43964955068c5d7c4671",
                    "target": "relationships_network_location_ea241b193c1bd89f999db9231359e7479bc2f05105ce43964955068c5d7c4671"
                },
                {
                    "connection_type": "network_location",
                    "source": "relationships_network_location_ea241b193c1bd89f999db9231359e7479bc2f05105ce43964955068c5d7c4671",
                    "target": "203.0.113.3"
                },
                {
                    "connection_type": "communicating_files",
                    "source": "203.0.113.3",
                    "target": "relationships_communicating_files_20301133"
                },
                {
                    "connection_type": "communicating_files",
                    "source": "relationships_communicating_files_20301133",
                    "target": "4935cc8a4ff76d595e1bfab9fd2e6aa0f7c2fea941693f1ab4586eaba1528f47"
                },
                {
                    "connection_type": "communicating_files",
                    "source": "relationships_communicating_files_20301133",
                    "target": "c975794ff65c02b63fae1a94006a75294aac13277ca464e3ea7e40de5eda2b14"
                },
                {
                    "connection_type": "communicating_files",
                    "source": "relationships_communicating_files_20301133",
                    "target": "c7752154a2e894a4dec84833bee656357f4b84a9c7f601f586f79de667d8fe5c"
                },
                {
                    "connection_type": "communicating_files",
                    "source": "relationships_communicating_files_20301133",
                    "target": "692bb2ed1da43b0408c104b4ca4b4e97e15f3224e37dbea60214bcd991a2cfd3"
                },
                {
                    "connection_type": "communicating_files",
                    "source": "relationships_communicating_files_20301133",
                    "target": "74273ef55d8b7d23f7b058c7e47f3cbaf60c823a3e41ffb10e494917bad77381"
                },
                {
                    "connection_type": "communicating_files",
                    "source": "relationships_communicating_files_20301133",
                    "target": "f4f2f17c4df1b558cb80c8eab3edf5198970e9d87bd03943d4c2effafb696187"
                },
                {
                    "connection_type": "communicating_files",
                    "source": "relationships_communicating_files_20301133",
                    "target": "5edc8496869697aa229540bd6106b6679f6cfcbc6ee4837887183f470b49acb5"
                },
                {
                    "connection_type": "communicating_files",
                    "source": "relationships_communicating_files_20301133",
                    "target": "1582da57cb082d3f6835158133aafb5f3b8dcc880a813be135a0ff8099cf0ee8"
                },
                {
                    "connection_type": "communicating_files",
                    "source": "relationships_communicating_files_20301133",
                    "target": "be4ccb1ca71a987f481c22a1a43de491353945d815c89cbcc06233d993ac73cf"
                },
                {
                    "connection_type": "communicating_files",
                    "source": "relationships_communicating_files_20301133",
                    "target": "60bb6467ee465f23a15f17cd73f7ecb9db9894c5a3186081a1c70fdc6e7607d6"
                }
            ],
            "nodes": [
                {
                    "entity_attributes": {
                        "has_detections": false
                    },
                    "entity_id": "ea241b193c1bd89f999db9231359e7479bc2f05105ce43964955068c5d7c4671",
                    "index": 0,
                    "text": "",
                    "type": "url",
                    "x": 51.22276722115952,
                    "y": 65.7811310194184
                },
                {
                    "entity_attributes": {},
                    "entity_id": "relationships_last_serving_ip_address_ea241b193c1bd89f999db9231359e7479bc2f05105ce43964955068c5d7c4671",
                    "index": 1,
                    "text": "",
                    "type": "relationship",
                    "x": 25.415664700492094,
                    "y": 37.66636498768037
                },
                {
                    "entity_attributes": {
                        "country": "US"
                    },
                    "entity_id": "203.0.113.3",
                    "fx": -19.03611541222395,
                    "fy": 24.958500220062717,
                    "index": 2,
                    "text": "",
                    "type": "ip_address",
                    "x": -19.03611541222395,
                    "y": 24.958500220062717
                },
                {
                    "entity_attributes": {},
                    "entity_id": "relationships_network_location_ea241b193c1bd89f999db9231359e7479bc2f05105ce43964955068c5d7c4671",
                    "index": 3,
                    "text": "",
                    "type": "relationship",
                    "x": 14.37403861978968,
                    "y": 56.85562691824892
                },
                {
                    "entity_attributes": {},
                    "entity_id": "relationships_communicating_files_20301133",
                    "index": 4,
                    "text": "",
                    "type": "relationship",
                    "x": -51.78097726144755,
                    "y": 10.087893225996158
                },
                {
                    "entity_attributes": {
                        "has_detections": true,
                        "type_tag": "peexe"
                    },
                    "entity_id": "4935cc8a4ff76d595e1bfab9fd2e6aa0f7c2fea941693f1ab4586eaba1528f47",
                    "index": 5,
                    "text": "",
                    "type": "file",
                    "x": -79.11606194776019,
                    "y": -18.475026322309112
                },
                {
                    "entity_attributes": {
                        "has_detections": true,
                        "type_tag": "peexe"
                    },
                    "entity_id": "c975794ff65c02b63fae1a94006a75294aac13277ca464e3ea7e40de5eda2b14",
                    "index": 6,
                    "text": "",
                    "type": "file",
                    "x": -64.80938048199627,
                    "y": 46.75892061191275
                },
                {
                    "entity_attributes": {
                        "has_detections": true,
                        "type_tag": "android"
                    },
                    "entity_id": "c7752154a2e894a4dec84833bee656357f4b84a9c7f601f586f79de667d8fe5c",
                    "index": 7,
                    "text": "",
                    "type": "file",
                    "x": -43.54064004476819,
                    "y": -28.547923020662786
                },
                {
                    "entity_attributes": {
                        "has_detections": true,
                        "type_tag": "android"
                    },
                    "entity_id": "692bb2ed1da43b0408c104b4ca4b4e97e15f3224e37dbea60214bcd991a2cfd3",
                    "index": 8,
                    "text": "",
                    "type": "file",
                    "x": -15.529860440278318,
                    "y": -2.068209789825876
                },
                {
                    "entity_attributes": {
                        "has_detections": true,
                        "type_tag": "android"
                    },
                    "entity_id": "74273ef55d8b7d23f7b058c7e47f3cbaf60c823a3e41ffb10e494917bad77381",
                    "index": 9,
                    "text": "",
                    "type": "file",
                    "x": -42.55971948293377,
                    "y": 46.937155845680415
                },
                {
                    "entity_attributes": {
                        "has_detections": true,
                        "type_tag": "html"
                    },
                    "entity_id": "f4f2f17c4df1b558cb80c8eab3edf5198970e9d87bd03943d4c2effafb696187",
                    "index": 10,
                    "text": "",
                    "type": "file",
                    "x": -62.447976875107706,
                    "y": -28.172418384729067
                },
                {
                    "entity_attributes": {
                        "has_detections": true,
                        "type_tag": "android"
                    },
                    "entity_id": "5edc8496869697aa229540bd6106b6679f6cfcbc6ee4837887183f470b49acb5",
                    "index": 11,
                    "text": "",
                    "type": "file",
                    "x": -89.0326649183805,
                    "y": -2.2638551448322484
                },
                {
                    "entity_attributes": {
                        "has_detections": true,
                        "type_tag": "android"
                    },
                    "entity_id": "1582da57cb082d3f6835158133aafb5f3b8dcc880a813be135a0ff8099cf0ee8",
                    "index": 12,
                    "text": "",
                    "type": "file",
                    "x": -26.35260716195174,
                    "y": -20.25669077264115
                },
                {
                    "entity_attributes": {
                        "has_detections": true,
                        "type_tag": "android"
                    },
                    "entity_id": "be4ccb1ca71a987f481c22a1a43de491353945d815c89cbcc06233d993ac73cf",
                    "index": 13,
                    "text": "",
                    "type": "file",
                    "x": -82.1415994911387,
                    "y": 34.89636762607467
                },
                {
                    "entity_attributes": {
                        "has_detections": true,
                        "type_tag": "android"
                    },
                    "entity_id": "60bb6467ee465f23a15f17cd73f7ecb9db9894c5a3186081a1c70fdc6e7607d6",
                    "index": 14,
                    "text": "",
                    "type": "file",
                    "x": -90.87738694680043,
                    "y": 16.374462198116138
                }
            ],
            "private": false,
            "views_count": 30
        },
        "id": "g809b60eac9c042d39dc38cc8a1b3f2d104bc046616b24d67959ca2b7678cf839",
        "links": {
            "self": "https://www.virustotal.com/api/v3/graphs/g809b60eac9c042d39dc38cc8a1b3f2d104bc046616b24d67959ca2b7678cf839"
        },
        "type": "graph"
    }
}
Case wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

If at least one graph is returned (is_success = true): "Successfully returned details about the following graphs in VirusTotal: {0}".format(graph ids)

If no details are returned for at least one graph (is_success = true): "Action wasn't able to return details about the following graphs in VirusTotal: {0}".format(graph ids)

If there is no information for all graphs (is_success = false): "No information about the provided graphs was found".

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, or other is reported: 'Error executing action "Get Graph Details". Reason: {0}'.format(error.Stacktrace)

General
Case Wall Table

Table Name: "Graph {0} Links".format(graph_id)

Table Columns:

Source

Target

Connection Type

General
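
The graph result above chains real entities through intermediate "relationship" nodes (url -> relationship -> ip -> relationship -> files). The following Python is an added example, not part of the integration's own code, that turns such a result into the rows of the "Graph {0} Links" case-wall table (honouring a "Max Links To Return" style cap), folds the relationship nodes away to get direct entity-to-entity edges, and lists the entities whose node attributes report detections. The graph content is a constructed sample in the shape of the JSON result; its graph id and file ids are placeholders.

```python
# Constructed sample shaped like the "Get Graph Details" JSON result above.
# Ids are placeholders; 203.0.113.3 is a documentation address.
SAMPLE_GRAPH = {
    "data": {
        "id": "g_placeholder_graph_id",
        "attributes": {
            "links": [
                {"connection_type": "last_serving_ip_address",
                 "source": "url_a", "target": "relationships_last_serving_ip_address_url_a"},
                {"connection_type": "last_serving_ip_address",
                 "source": "relationships_last_serving_ip_address_url_a", "target": "203.0.113.3"},
                {"connection_type": "communicating_files",
                 "source": "203.0.113.3", "target": "relationships_communicating_files_20301133"},
                {"connection_type": "communicating_files",
                 "source": "relationships_communicating_files_20301133", "target": "file_1"},
                {"connection_type": "communicating_files",
                 "source": "relationships_communicating_files_20301133", "target": "file_2"},
            ],
            "nodes": [
                {"entity_id": "url_a", "type": "url",
                 "entity_attributes": {"has_detections": False}},
                {"entity_id": "relationships_last_serving_ip_address_url_a",
                 "type": "relationship", "entity_attributes": {}},
                {"entity_id": "203.0.113.3", "type": "ip_address",
                 "entity_attributes": {"country": "US"}},
                {"entity_id": "relationships_communicating_files_20301133",
                 "type": "relationship", "entity_attributes": {}},
                {"entity_id": "file_1", "type": "file",
                 "entity_attributes": {"has_detections": True, "type_tag": "peexe"}},
                {"entity_id": "file_2", "type": "file",
                 "entity_attributes": {"has_detections": False, "type_tag": "html"}},
            ],
        },
    }
}


def case_wall_rows(graph, max_links=50):
    """Rows for the "Graph {id} Links" table: (Source, Target, Connection Type).
    max_links plays the role of the action's "Max Links To Return" parameter."""
    links = graph["data"]["attributes"]["links"][:max_links]
    return [(link["source"], link["target"], link["connection_type"]) for link in links]


def direct_edges(graph):
    """Collapse the intermediate "relationship" nodes so every edge joins two real
    entities (url -> ip, ip -> file). The first hop into a relationship node is
    dropped; the second hop out of it is re-attached to the node that fed it."""
    nodes = {n["entity_id"]: n for n in graph["data"]["attributes"]["nodes"]}
    links = graph["data"]["attributes"]["links"]

    def is_relationship(entity_id):
        return nodes.get(entity_id, {}).get("type") == "relationship"

    # relationship node id -> the real entity whose edge points into it
    feeder = {l["target"]: l["source"] for l in links if is_relationship(l["target"])}
    return [(feeder[l["source"]], l["target"], l["connection_type"])
            for l in links if is_relationship(l["source"])]


def detected_entities(graph):
    """Entity ids whose node attributes carry has_detections == true, sorted."""
    return sorted(n["entity_id"] for n in graph["data"]["attributes"]["nodes"]
                  if n.get("entity_attributes", {}).get("has_detections"))


if __name__ == "__main__":
    for row in case_wall_rows(SAMPLE_GRAPH):
        print(row)
    print(direct_edges(SAMPLE_GRAPH))
    print(detected_entities(SAMPLE_GRAPH))
```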

Download File

Download a file from VirusTotal.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Download Folder Path String N/A Yes Specify the path to the folder where you want to store the files.
Overwrite Checkbox Checked Yes If enabled, the action overwrites the file with the same name.

Run on

This action runs on the Hash entity.

Action results

Script result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON result
{"absolute_file_paths": ["file_path_1","file_path_2"]}
Case wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

If at least one hash returned data (is_success = true): "Successfully returned related files for the following entities in VirusTotal: {entity.identifier}".

If there is no data for a single hash (is_success = true): "No related files were found for the following entities in VirusTotal: {entity.identifier}".

If there is no data for all hashes (is_success = false): "No related files were found for the provided entities in VirusTotal."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, or other is reported: 'Error executing action "Download File". Reason: {0}'.format(error.Stacktrace).

If a file with the same name already exists, but "Overwrite" == false: 'Error executing action "Download File". Reason: files with path {0} already exist. Please delete the files or set "Overwrite" to true.'

General

Enrich IOC

Enrich IOCs using information from VirusTotal.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
IOC Type DDL

Filehash

Possible values:

  • Filehash
  • URL
  • Domain
  • IP Address
No Specify the type of the IOC.
IOCs CSV N/A Yes Specify a comma-separated list of IOCs for which you want to ingest data.
Fetch Widget Checkbox Checked No If enabled, the action fetches the augmented widget related to the entity.

Run on

This action doesn't run on entities.

Action results

Script result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
    "ioc": {
        "identifier": "203.0.113.1",
        "details": {
            "attributes": {
                "categories": {
                    "Dr.Web": "known infection source/not recommended site",
                    "Forcepoint ThreatSeeker": "compromised websites",
                    "sophos": "malware repository, spyware and malware"
                },
                "first_submission_date": 1582300443,
                "html_meta": {},
                "last_analysis_date": 1599853405,
                "last_analysis_results": {
                    "EXAMPLELabs": {
                        "category": "harmless",
                        "engine_name": "EXAMPLELabs",
                        "method": "blacklist",
                        "result": "clean"
                    },
                    "Example": {
                        "category": "harmless",
                        "engine_name": "Example",
                        "method": "blacklist",
                        "result": "clean"
                    }
                },
                "last_analysis_stats": {
                    "harmless": 64,
                    "malicious": 6,
                    "suspicious": 1,
                    "timeout": 0,
                    "undetected": 8
                },
                "last_final_url": "http://203.0.113.1/input/?mark=20200207-healthybitesforlife.com/31mawe&tpl=example&engkey=bar+chart+click+event",
                "last_http_response_code": 404,
                "last_http_response_content_length": 204,
                "last_http_response_content_sha256": "58df637d178e35690516bda9e41e245db836170f046041fdebeedd20eca61d9d",
                "last_http_response_headers": {
                    "connection": "keep-alive",
                    "content-length": "204",
                    "content-type": "text/html; charset=iso-8859-1",
                    "date": "Fri, 11 Sep 2020 19:51:50 GMT",
                    "keep-alive": "timeout=60",
                    "server": "nginx"
                },
                "last_modification_date": 1599853921,
                "last_submission_date": 1599853405,
                "reputation": 0,
                "tags": [
                    "ip"
                ],
                "targeted_brand": {},
                "threat_names": [
                    "Mal/HTMLGen-A"
                ],
                "times_submitted": 3,
                "title": "404 Not Found",
                "total_votes": {
                    "harmless": 0,
                    "malicious": 0
                },
                "trackers": {},
                "url": "http://203.0.113.1/input/?mark=20200207-healthybitesforlife.com/31mawe&tpl=example&engkey=bar+chart+click+event"
            },
            "id": "05ef858c49887ce761de6b24bafb0461175acea385e3f4e8b114b043b7013981",
            "links": {
                "self": "https://www.virustotal.com/api/v3/urls/05ef858c49887ce761de6b24bafb0461175acea385e3f4e8b114b043b7013981"
            },
            "type": "url"
        },
        "report_link": "{generated report link}",
        "widget_url": "https://www.virustotal.com/ui/widget/html/fHx8fHsiYmQxIjogIiM0ZDYzODUiLCAiYmcxIjogIiMzMTNkNWEiLCAiYmcyIjogIiMyMjJjNDIiLCAiZmcxIjogIiNmZmZmZmYiLCAidHlwZSI6ICJkZWZhdWx0In18fHx8bm90LWZvdW5kfHwxNjQ0NTczMjkwfHw",
        "widget_html": "{widget html}"
    }
}
Case wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

If some IOCs were enriched (is_success = true): "Successfully enriched the following IOCs using VirusTotal:\n{0}".format(iocs)

If some IOCs were not enriched (is_success = true): "No information found for the following IOCs using VirusTotal:\n{0}".format(iocs)

If no IOCs were enriched (is_success = false): "No information about IOCs were found."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, or other is reported: 'Error executing action "Enrich IOC". Reason: {0}'.format(error.Stacktrace)

General
Case Wall Table

Table Name: {IOC identifier}

Table Columns:

  • Name - {last_analysis_results/ json keys}
  • Category - {last_analysis_results/json keys/category}
  • Method - {last_analysis_results/json keys/method}
  • Result - {last_analysis_results/json keys/result}
General
Links

Name: Report Link

Value: {report link}

General

Add Vote To Entity

Add a vote to entities in VirusTotal. Supported entities: File Hash, URL, Hostname, IP Address.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Vote DDL

Malicious

Possible values:

  • Harmless
  • Malicious
Yes Specify the vote that should be added to entities.

Run on

This action runs on the following entities:

  • File Hash
  • URL
  • Hostname
  • IP Address

Action results

Script result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON result
{
   "Status": "Done"
}
"Status" is "Done" or "Not done" for every entity.
Case wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

If the action is successful for one entity or the 409 status code is reported (is_success = true): "Successfully added votes to the following entities in VirusTotal: {entity.identifier}"

If the action wasn't successful for one entity (is_success = true): "Action wasn't able to add votes to the following entities in VirusTotal: {entity.identifier}"

If the action wasn't successful for all (is_success = false): "No votes were added to the provided entities in VirusTotal."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, or other is reported: 'Error executing action "Add Vote To Entity". Reason: {0}'.format(error.Stacktrace)

General

Add Comment To Entity

Add a comment to entities in VirusTotal. Supported entities: File Hash, URL, Hostname, IP Address.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Comment String N/A Yes Specify the comment that should be added to entities.

Run on

This action runs on the following entities:

  • File Hash
  • URL
  • Hostname
  • IP Address

Action results

Script result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON result
{
   "Status": "Done"
}
"Status" is "Done" or "Not done" for every entity.
Case wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

If the action is successful for one entity (is_success = true): "Successfully added comments to the following entities in VirusTotal: {entity.identifier}"

If the action wasn't successful for one entity (is_success = true): "Action wasn't able to add comments to the following entities in VirusTotal: {entity.identifier}"

If the action wasn't successful for all (is_success = false): "No comments were added to the provided entities in VirusTotal."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, or other is reported: 'Error executing action "Add Comment To Entity". Reason: {0}'.format(error.Stacktrace)

General

Connectors

For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.

VirusTotal - Livehunt Connector

Pull information about Livehunt notifications and related files from VirusTotal.

Connector parameters

Use the following parameters to configure the connector:

Parameter Display Name Type Default Value Is Mandatory Description
Product Field Name String Product Name Yes Enter the source field name in order to retrieve the Product Field name.
Event Field Name String type Yes Enter the source field name in order to retrieve the Event Field name.
Environment Field Name String "" No

Describes the name of the field where the environment name is stored.

If the environment field isn't found, the environment is the default environment.

Environment Regex Pattern String .* No

A regex pattern to run on the value found in the "Environment Field Name" field.

Default is .* to catch all and return the value unchanged.

Used to allow the user to manipulate the environment field via regex logic.

If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment.

PythonProcessTimeout Integer 180 Yes Timeout limit for the Python process running the current script.
API Key String N/A Yes API Key of the VirusTotal instance.
Engine Whitelist CSV N/A No

Specify a comma-separated list of engines that should be used when calculating the "Engine Percentage Threshold To Fetch" parameter.

Example: AlienVault,Kaspersky.

Note: If nothing is provided, all engines from the response are counted.

Engine Percentage Threshold To Fetch Integer 0 Yes

The percentage of engines that need to mark the file as suspicious or malicious before it is ingested.

Maximum value: 100. Minimum value: 0.

Max Hours Backwards Integer 1 No The number of hours for which notifications should be fetched.
Max Notifications To Fetch Integer 40 No The number of notifications to process per one connector iteration.
Use dynamic list as a blocklist Checkbox Unchecked Yes If enabled, a dynamic list is used as a blocklist.
Verify SSL Checkbox Checked Yes If enabled, verifies that the SSL certificate for the connection to the VirusTotal server is valid.
Proxy Server Address String N/A No The address of the proxy server to use.
Proxy Username String N/A No The proxy username to authenticate with.
Proxy Password Password N/A No The proxy password to authenticate with.
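
The "Engine Whitelist" and "Engine Percentage Threshold To Fetch" parameters together decide whether a Livehunt file is ingested: only the whitelisted engines are counted, and the file is fetched when the share of counted engines with a malicious or suspicious category reaches the threshold. The following Python is an added example of that calculation, not the connector's own code; it assumes engine names are matched exactly against the "engine_name" keys of a "last_analysis_results" object, that a threshold is met with greater-or-equal (so the default 0 ingests everything), and that a whitelist naming no engine present in the result yields 0%. The analysis results are a constructed sample with illustrative engine names.

```python
# Constructed sample in the shape of VirusTotal's "last_analysis_results" object.
# Engine names and verdicts are illustrative only.
SAMPLE_RESULTS = {
    "EngineA": {"category": "malicious", "engine_name": "EngineA",
                "method": "blacklist", "result": "Mal/HTMLGen-A"},
    "EngineB": {"category": "suspicious", "engine_name": "EngineB",
                "method": "blacklist", "result": "suspicious"},
    "EngineC": {"category": "harmless", "engine_name": "EngineC",
                "method": "blacklist", "result": "clean"},
    "EngineD": {"category": "undetected", "engine_name": "EngineD",
                "method": "blacklist", "result": "unrated"},
    "EngineE": {"category": "timeout", "engine_name": "EngineE",
                "method": "blacklist", "result": None},
}

# Categories that count as "marking the file as suspicious or malicious".
FLAGGING_CATEGORIES = {"malicious", "suspicious"}


def parse_engine_whitelist(csv_value):
    """Parse the connector's CSV "Engine Whitelist" (e.g. "AlienVault,Kaspersky").
    Empty or missing means no restriction, so all engines are counted."""
    if not csv_value:
        return []
    return [name.strip() for name in csv_value.split(",") if name.strip()]


def flagged_engine_count(results, whitelist=()):
    """Return (flagged, counted): engines that flagged the file and engines counted.
    With a whitelist, only engines named in it are counted (exact-name match assumed)."""
    counted = set(results)
    if whitelist:
        counted &= set(whitelist)
    flagged = sum(1 for name in counted
                  if results[name].get("category") in FLAGGING_CATEGORIES)
    return flagged, len(counted)


def flagged_engine_percentage(results, whitelist=()):
    """Percentage of counted engines that flagged the file; 0.0 when none are counted."""
    flagged, counted = flagged_engine_count(results, whitelist)
    return 100.0 * flagged / counted if counted else 0.0


def should_ingest(results, threshold_percent, whitelist_csv=""):
    """Decide whether a Livehunt notification's file passes the percentage threshold.
    Mirrors the 0..100 bounds of "Engine Percentage Threshold To Fetch"; the
    greater-or-equal comparison is an assumption of this example."""
    if not 0 <= threshold_percent <= 100:
        raise ValueError("threshold must be between 0 and 100")
    whitelist = parse_engine_whitelist(whitelist_csv)
    return flagged_engine_percentage(results, whitelist) >= threshold_percent


if __name__ == "__main__":
    print(flagged_engine_percentage(SAMPLE_RESULTS))                        # all engines
    print(flagged_engine_percentage(SAMPLE_RESULTS, ["EngineA", "EngineC"]))  # whitelist
    print(should_ingest(SAMPLE_RESULTS, 50, "EngineA,EngineC"))
```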

Connector rules

The connector supports proxies.