- 21 Feb 2025
- 16 Minutes to read
-
Print
-
DarkLight
VirusTotal Enrichment
- Updated on 21 Feb 2025
- 16 Minutes to read
-
Print
-
DarkLight
Overview
The VirusTotal™ built-in enrichment in ThreatConnect® lets you use the extensive scanning and analysis capabilities of VirusTotal directly within ThreatConnect, providing you with contextual information about a given file, domain, IP address, or URL and enabling you to make faster and more well-informed decisions about potential threats to your organization.
This article describes how to enable the VirusTotal enrichment service in ThreatConnect, view data retrieved from VirusTotal on the Enrichment tab of an Indicator’s Details screen, and import Indicators from VirusTotal into ThreatConnect.
Before You Start
User Roles
- To enable and configure the VirusTotal enrichment, your user account must have a System role of Administrator.
- To view VirusTotal data on the Enrichment tab of an Indicator’s Details screen, your user account can have any Organization role.
- To retrieve data manually on the VirusTotal card on the Enrichment tab of an Indicator’s Details screen, your user account can have any Organization role.
- To import VirusTotal data into an Organization, your user account must have an Organization role of Standard User, Sharing User, Organization Administrator, or App Developer.
- To import VirusTotal data into a Community or Source, your user account must have a Community role of Contributor, Editor, or Director for that Community or Source.
Prerequisites
- A VirusTotal API key. To obtain a VirusTotal API key, create a free VirusTotal API user account at virustotal.com/gui/join-us.
Enabling the VirusTotal Enrichment
Before you can retrieve data from VirusTotal, you must enable and configure the VirusTotal enrichment in ThreatConnect. Follow these steps to enable and configure the VirusTotal enrichment on your ThreatConnect instance:
- Hover over Settings
on the top navigation bar and select System Settings.
- Select the Indicators tab on the System Settings screen, and then click Enrichment Tools in the sidebar.
- Click Edit
in the Options column for VirusTotal and fill out the fields on the Edit Vendor window (Figure 1) as follows:
- Enable Vendor: Select this checkbox to enable VirusTotal.
- Enable Automatic Retrieval: Select this checkbox to enable automatic data retrieval for VirusTotal. If automatic data retrieval is enabled, VirusTotal data will automatically populate when a user opens an Address, File, Host, or URL Indicator's Enrichment tab for the first time. This checkbox is selected by default.
- API Key: Enter the API key that will be used to retrieve data from VirusTotal.NoteFor VirusTotal, the type of API key entered (Premium or Public) determines the type and amount of information displayed on the VirusTotal Detailed View drawer that users can access from the Enrichment tab. See the “VirusTotal Detailed View” section for details on which content requires a Premium API key.
- VALIDATE: After entering the VirusTotal API key, click this button to validate it. If the API key is accepted, the VALIDATE button’s label will change to VALID.
- Lookup/Retrieve: Select one or more Indicator types to retrieve data from VirusTotal for. Available Indicator types include Address, File, Host, and URL.
- Click SAVE on the Edit Vendor window to save the configuration for the VirusTotal enrichment.
When VirusTotal is enabled, a value of true will be displayed in the Enabled column for its entry on the Enrichment Tools screen.
Data Overview
The Overview section of the VirusTotal card (Figure 2) provides a summary of data retrieved from VirusTotal for an Address, File, Host, or URL Indicator and the date and time the data were last retrieved.
Depending on the type of Indicator you are viewing, the Overview section displays the following information:
- Address Indicator
- Score: The Address’s VirusTotal Score (i.e., the total number of VirusTotal partners who consider the Address harmful out of the total number of partners who reviewed the Address).
- Tags: The Tags applied to the Address in VirusTotal.
- Domain Name: The domain name corresponding to the Address.
- Country: The country where the Address is placed.
- ASN: The autonomous system (AS) number to which the Address belongs.
- First Seen/Referenced: The date and time when the Address was first seen or referenced.
- Last Seen/Referenced: The date and time when the Address was last seen or referenced.
- File Indicator
- Score: The File’s VirusTotal Score (i.e., the total number of VirusTotal partners who consider the File harmful out of the total number of partners who reviewed the File).
- MD5: The File’s MD5 file hash.
- SHA-1: The File’s SHA1 file hash.
- SHA-256: The File’s SHA256 file hash.
- Imphash: The File’s import hash.
- File Type: The File’s type.
- File Size: The File’s size in kilobytes (KB).
- Tags: The Tags applied to the File in VirusTotal.
- First Seen/Referenced: The date and time when the File was first seen or referenced.
- Last Seen/Referenced: The date and time when the File was last seen or referenced.
- Host Indicator
- Score: The Host’s VirusTotal Score (i.e., the total number of VirusTotal partners who consider the Host harmful out of the total number of partners who reviewed the Host).
- Last DNS Record: The Host’s DNS record on its last VirusTotal scan.
- Registrar: The company that registered the Host.
- Tags: The Tags applied to the Host in VirusTotal.
- First Seen/Referenced: The date and time when the Host was first seen or referenced.
- Last Seen/Referenced: The date and time when the Host was last seen or referenced.
- URL Indicator
- Score: The URL’s VirusTotal Score (i.e., the total number of VirusTotal partners who consider the URL harmful out of the total number of partners who reviewed the URL).
- Final URL: The final URL to which the original URL redirects.
- Serving IP: The IP address from which the URL is being served.
- Status: The HTTP status code corresponding to the URL.
- Tags: The Tags applied to the URL in VirusTotal.
- First Seen/Referenced: The date and time when the URL was first seen or referenced.
- Last Seen/Referenced: The date and time when the URL was last seen or referenced.
VirusTotal Detailed View
Click Open Detailed View on the VirusTotal card to open the VirusTotal Detailed View drawer (Figure 3). This drawer displays cards with additional data retrieved from VirusTotal. The cards are collapsed by default and vary based on the type of Indicator you are viewing. Figure 3 shows the VirusTotal Detailed View drawer with all available cards expanded.
Depending on the type of Indicator you are viewing, as well as whether you are using a VirusTotal Public or Premium API key, the VirusTotal Detailed View drawer displays the following cards:
- Address Indicator
- Passive DNS Replication: The domains to which the Address resolves.
- Last HTTPS Certificate: The certificate details observed when attempting a standard HTTPS connection to the Address.
- URLs: (Requires a VirusTotal Premium API key) The URLs to which the Address resolves.
- File Indicator
- Contacted Domains: The domains contacted by the File.
- Contacted IPs: The IP addresses contacted by the File.
- Contacted URLs: The URLs contacted by the File.
- Host Indicator
- Categories: The categories provided by URL sandboxing engines to which the URL or domain content belongs.
- Passive DNS Replication: The IP addresses to which the Host resolves.
- URLs: (Requires a VirusTotal Premium API key) The URLs to which the Host resolves.
- URL Indicator
- Categories: The categories provided by URL sandboxing engines to which the URL or domain content belongs.
- Contacted Domains: (Requires a VirusTotal Premium API key) The domains from which the URL loads some type of resource.
- Contacted IPs: (Requires a VirusTotal Premium API key) The IP addresses from which the URL loads some type of resource.
Importing Indicators From VirusTotal Into ThreatConnect
You may import Indicators displayed on the Contacted Domains, Contacted IPs, Contacted URLs, Passive DNS Replication, and URLs cards into ThreatConnect and associate them to a new or existing Group. You may also import Indicators displayed on these cards into ThreatConnect and associate them directly to the enriched Indicator (i.e., the Indicator whose Details screen you are viewing) via a custom association.
Follow these steps to import Indicators from VirusTotal into ThreatConnect:
- Expand one of the following cards on the VirusTotal Detailed View drawer (Figure 3) to view Indicators retrieved from VirusTotal that are related to the enriched Indicator:
- Contacted Domains: (Available for File and URL Indicators only) Indicators on this card will be imported as Host Indicators.
- Contacted IPs: (Available for File and URL Indicators only) Indicators on this card will be imported as Address Indicators.
- Contacted URLs: (Available for File Indicators only) Indicators on this card will be imported as URL Indicators.
- Passive DNS Replication: (Available for Address and Host Indicators only) If the enriched Indicator is an Address, Indicators on this card will be imported as Host Indicators. If the enriched Indicator is a Host, Indicators on this card will be imported as Address Indicators.
- URLs: (Available for Address and Host Indicators only) Indicators on this card will be imported as URL Indicators.
- Select the checkbox for each Indicator to import into ThreatConnect, or select the checkbox in the table’s header to import all Indicators displayed on the current page in the table.ImportantIf a selected Indicator already exists in the ThreatConnect owner into which you are importing data, that copy of the Indicator will be updated based on the information entered and options configured during the import.
- Click the Import dropdown at the top left of the card and select one of the following import options (Figure 4):
- To New Group: Select this option to import the selected Indicators and associate them to a new Group created during the import.
- To Existing Group: Select this option to import the selected Indicators and associate them to an existing Group.
- As an Indicator: Select this option to import the selected Indicators and associate them directly to the enriched Indicator via a custom association.
Importing Indicators Into a New Group
Follow these steps to import Indicators from VirusTotal and associate them to a new Group created during the import:
- Follow Steps 1–3 in the “Importing Indicators From VirusTotal Into ThreatConnect” section and select To New Group from the Import dropdown.
- Proceed through the steps on the Create screen to create the Group and configure the Indicators selected for import. There are three steps in this process: Details (required), Associations (optional), and Attachments (optional).
Step 1: Enter Details About the Group
The Details step of the Create screen (Figure 5) is a required step where you enter basic information about the Group you are creating.
- Provide the following details for the Group:
- Type: By default, Event is selected. However, you can select another Group type from the dropdown. If you select a new Group type from the Type dropdown, the fields on the Details step will change based on the new Group type.
- Owner: Select the owner in which to create the Group.
- Summary: Enter a name for the Group.
- Description: (Optional) Enter a Description for the Group. To apply the Description to the Indicators that will be associated to the Group, select Apply Description To Associations.
- Tags: (Optional) Enter one or more Tags to apply to the Group. (By default, the Tags field includes a VirusTotal Enrichment Tag.) To apply the Tags to the Indicators that will be associated to the Group, select Apply Tags To Associations.ImportantIf you select Apply Tags to Associations, it is recommended that you remove the VirusTotal Enrichment Tag from the Tags field so that the Tag is not applied to the enriched Indicator (that is, the Indicator whose Enrichment tab you are importing VirusTotal data from), as this Indicator will be added as an association to the new Group. Alternatively, if you want to apply the VirusTotal Enrichment Tag to all associations except for the enriched Indicator, select Apply Tags to Associations, leave the VirusTotal Enrichment Tag in the Tags field, and then, after completing the import, navigate to the enriched Indicator’s Details screen and remove the Tag from the Indicator manually.
- Click Next to proceed to the optional Associations step.NoteThe Save button is available only on the Associations and Attachments steps.
Step 2: Enter Details About Associated Indicators (Optional)
The Associations step of the Create screen (Figure 6) is an optional step where you configure the Indicators from VirusTotal that are being created and associated to the new Group.
Follow these steps to fill out the fields on the Associations step:
- (Optional) On the Associations card, review the table of Indicators that will be created and associated to the Group. This table includes all selected Indicators and the enriched Indicator. To remove an Indicator from the table, click Delete
in the Actions column.
NoteThe table on the Associations card will include a Private column if your System Administrator turned on private Indicators for your ThreatConnect instance. To mark an Indicator as private, select the corresponding checkbox in the Private column.NoteA checkmark in the Known column indicates that the corresponding Indicator exists in the owner in which you are creating the Group and Indicators. - (Optional) On the Association Details card, provide the following details for all Indicators that will be created and associated to the Group:ImportantAll information added in this section will be applied to the enriched Indicator (that is, the Indicator whose Enrichment tab you are importing VirusTotal data from), because the enriched Indicator is always added as an association to the new Group, along with the Indicators selected on the card on the VirusTotal Detailed View (Figure 4). If the enriched Indicator has a default Description, a Threat Rating, or a Confidence Rating and you enter a value for one of these fields, then that value will replace the existing value for the enriched Indicator. Tags entered in this section will be applied in addition to the enriched Indicator’s existing Tags.
- Description: Enter a default Description for the Indicators. If you entered a Description for the Group on the Details step and selected Apply Description to Associations, the text box will contain that Description.
- Tags: Enter one or more Tags to apply to the Indicators. If you entered Tags for the Group on the Details step and selected Apply Tags to Associations, the text box will contain those Tags.
- Threat Rating: Set the Threat Rating for the Indicators.
- Confidence Rating: Set the Confidence Rating for the Indicators.
- Click Next to proceed to the optional Attachments step, or click Save to create the Group and Indicators.
Step 3: Upload File Attachments to the Group (Optional)
If you click Next on the Associations step, you will proceed to the optional Attachments step of the Create screen (Figure 7). Here, you can upload and attach related files to the Group.
Follow these steps to proceed through the Attachments step:
- Upload one or more files for which Document Groups will be created and associated to the Group being created.
- After a file is uploaded, the filename will be displayed below the upload area, along with the Add to Malware Vault checkbox. Leave this checkbox cleared unless you are uploading a malware file.
- Click Save to create the Group and Indicators.
After you complete the import process, the Group’s Details screen will open. You can view the Indicators that were imported and associated to the Group on the Indicator Associations card of the Group’s Associations tab.
Importing Indicators Into an Existing Group
Follow these steps to import Indicators from VirusTotal and associate them to an existing Group:
- Follow Steps 1–3 in the “Importing Indicators From VirusTotal Into ThreatConnect” section and select To Existing Group from the Import dropdown.
- Proceed through the steps on the Import to Existing Group screen to select an existing Group and configure the Indicators selected for import. There are two steps in this process: Select Group (required) and Associations (optional).
Step 1: Select an Existing Group
The Select Group step of the Import to Existing Group screen (Figure 8) is a required step where you select an existing Group to associate to the imported Indicators.
Follow these steps to select a Group to associate to the imported Indicators:
- Select a Group to which the selected Indicators, as well as the enriched Indicator, will be associated. To search for a Group, enter its name in the search bar above the table containing all Groups.
- Click Next to proceed to the optional Associations step.NoteThe Save button is available only on the Associations step.
Step 2: Enter Details About Associated Indicators (Optional)
The Associations step of the Import to Existing Group screen (Figure 9) is an optional step where you configure the Indicators from VirusTotal that are being created and associated to the existing Group.
Follow these steps to fill out the fields on the Associations step:
- (Optional) On the Associations card, review the table of Indicators that will be created and associated to the Group. This table includes all selected Indicators and the enriched Indicator. To remove an Indicator from the table, click Delete
in the Actions column.
NoteThe table on the Associations card will include a Private column if your System Administrator turned on private Indicators for your ThreatConnect instance. To mark an Indicator as private, select the corresponding checkbox in the Private column.NoteA checkmark in the Known column indicates that the corresponding Indicator exists in the owner in which you are creating the Group and Indicators. - (Optional) On the Association Details card, provide the following details for all Indicators that will be created and associated to the Group:ImportantAll information added in this section will be applied to the enriched Indicator (that is, the Indicator whose Enrichment tab you are importing VirusTotal data from), because the enriched Indicator is always added as an association to the new Group, along with the Indicators selected on the card on the VirusTotal Detailed View (Figure 4). If the enriched Indicator has a default Description, a Threat Rating, or a Confidence Rating and you enter a value for one of these fields, then that value will replace the existing value for the enriched Indicator. Tags entered in this section will be applied in addition to the enriched Indicator’s existing Tags.
- Description: Enter a default Description for the Indicators.
- Tags: Enter one or more Tags to apply to the Indicators.
- Threat Rating: Set the Threat Rating for the Indicators.
- Confidence Rating: Set the Confidence Rating for the Indicators.
- Click Save to create the Indicators and associate them to the existing Group.
After you complete the import process, the Group’s Details screen will open. You can view the Indicators that were imported and associated to the Group on the Indicator Associations card of the Group’s Associations tab.
Importing Indicators as Indicators
Follow these steps to import Indicators from VirusTotal and associate them directly to the enriched Indicator via a custom association:
- Follow Steps 1–3 in the “Importing Indicators From VirusTotal Into ThreatConnect” section and select As an Indicator from the Import dropdown.
- On the Import Indicators window (Figure 10), review the list of Indicators that will be imported into ThreatConnect and associated directly to the enriched Indicator. To remove an Indicator from this list, click click Delete
.
- Click Import Indicators to import the Indicators and associate them directly to the enriched Indicator via a custom association.
After you complete the import process, the Associations tab of the enriched Indicator’s Details screen will be displayed. You can view the associated Indicators on the Indicator Associations card of this tab.
Retrieving Data Manually
When you open an Indicator’s Enrichment tab for the first time, data will be retrieved from VirusTotal and displayed on the VirusTotal card automatically if your System Administrator enabled automatic data retrieval for VirusTotal. Otherwise, the VirusTotal card will display a message stating “Automatic Data Retrieval has been disabled by the System Administrator,” and you will need to click Retrieve Data on the card to populate it with data. Once data have been retrieved, they will be cached for a period of time configured by your System Administrator. Each time you revisit that Indicator’s Enrichment tab, the cached VirusTotal data will be displayed until this period of time has passed.
To retrieve the latest VirusTotal data for the Indicator manually, click Retrieve Data on the VirusTotal card.
Enriching Indicators Using the ThreatConnect API
You can use the ThreatConnect v3 API to enrich Address, File, Host, and URL Indicators with data from VirusTotal. For instructions on using the ThreatConnect v3 API to enrich Indicators, see Indicator Enrichment Overview.
ThreatConnect® is a registered trademark of ThreatConnect, Inc.
VirusTotal™ is a trademark of Google, Inc.
20146-03 v.05.A