VirusTotal Enrichment
  • 10 Jan 2024
  • 13 Minutes to read
  • Dark
    Light

VirusTotal Enrichment

  • Dark
    Light

Article summary

Enabling the VirusTotal Enrichment

Before you can retrieve data from VirusTotal™, a System Administrator must first enable and configure the VirusTotal enrichment in ThreatConnect.

  1. Log into ThreatConnect with a System Administrator account.
  2. On the top navigation bar, hover over SettingsSettings iconand select System Settings. The System Settings screen will be displayed with the Settings tab selected.
  3. Select the Indicators tab. The Indicators screen will be displayed.
  4. Click Enrichment Tools in the menu on the left side of the Indicators screen. The Enrichment Tools screen will be displayed.
  5. Click EditPencil icon_Blackin the Options column for VirusTotal. The Edit Vendor window will be displayed (Figure 1).
    Figure 1_VirusTotal Enrichment_7.3.0

     

    • Enable Vendor: Select this checkbox to enable VirusTotal.
    • Enable Automatic Retrieval: Select this checkbox to enable automatic data retrieval for VirusTotal. If automatic data retrieval is enabled, VirusTotal data will automatically populate when a user clicks on an Indicator’s Enrichment tab for the first time. This checkbox is selected by default.
    • API Key: Enter the API key that will be used to retrieve data from VirusTotal.
      Note
      For VirusTotal, the type of API key entered (Premium or Public) will determine the type and amount of information displayed on the VirusTotal Detailed View drawer that users can access from the Enrichment tab. See Table 2 for details on which content requires a Premium API key.
    • VALIDATE: After entering the VirusTotal API key, click this button to validate it. If the API key is accepted, the VALIDATE button’s label will change to VALID, indicating that a valid API key has been entered. If the API key is not accepted, a message stating “API Key is invalid.” will be displayed at the top of the Edit Vendor window.
    • Lookup/Retrieve: Select the Indicator type(s) for which to retrieve data from VirusTotal. Available Indicator types include Address, File, Host, and URL.
    • Click the SAVE button.

When VirusTotal is enabled, a value of true will be displayed in the Enabled column for its entry on the Enrichment Tools screen.

Data Overview

The Overview section of the VirusTotal card (Figure 2) provides a summary of data retrieved from VirusTotal for an Address, File, Host, or URL Indicator and the date and time the data were last retrieved.

Figure 2_VirusTotal Enrichment_7.3.0

 

The information displayed in the Overview section of this card varies based on the Indicator’s type. See Table 1 for a list of data fields that may be displayed on the Overview section of the VirusTotal card and the Indicator type(s) to which each field applies.

 

Field NameDescriptionApplicable Indicator Type(s)
ASNThe autonomous system (AS) number to which the Address belongs.Address
CountryThe country where the Address is placed.Address
Domain NameThe domain name corresponding to the Address.Address
File SizeThe File’s size in kilobytes (KB).File
File TypeThe File’s type.File
Final URLThe final URL to which the original URL redirects.URL
First Seen/ReferencedThe date and time when the object was first seen or referenced.Address; File; Host; URL
ImphashThe File’s import hash.File
Last DNS RecordThe Host’s DNS record on its last VirusTotal scan.Host
Last Seen/ReferencedThe date and time when the object was last seen or referenced.Address; File; Host; URL
MD5The File’s MD5 file hash.File
RegistrarThe company that registered the Host.Host
ScoreThe Indicator’s VirusTotal Score (i.e., the total number of VirusTotal partners who consider the Indicator harmful out of the total number of partners who reviewed the Indicator).
Note
When constructing a TQL query, you can use the vtMaliciousCount parameter to query for Indicators based on their VirusTotal Score.
Address; File; Host; URL
Serving IPThe IP address from which the URL is being served.URL
SHA-1The File’s SHA1 file hash.File
SHA-256The File’s SHA256 file hash.File
StatusThe HTTP status code corresponding to the URL.URL
TagsA list of tags applied to the Indicator in VirusTotal.Address; File; Host; URL

VirusTotal Detailed View

Click the Open Detailed View link on the VirusTotal card to display the VirusTotal Detailed View drawer (Figure 3). This drawer displays cards with additional data retrieved from VirusTotal.

Graphical user interface, text, application, Teams  Description automatically generated

 

The cards displayed on the VirusTotal Detailed View drawer are collapsed by default and vary based on the Indicator’s type. Click on a card to expand it and view its data. Figure 4 shows the VirusTotal Detailed View drawer in Figure 3 with all available cards expanded.

Figure 4_VirusTotal Enrichment_7.3.0

 

See Table 2 for a list of cards that may be displayed on the VirusTotal Detailed View drawer based on an Indicator’s type.

Note
If a card is not displayed on the VirusTotal Detailed View drawer for an Indicator type (e.g., the Contacted IPs card is not displayed for a File Indicator), then no data of that kind were returned from VirusTotal. Similarly, some cards require a VirusTotal Premium API key and will not be displayed if your System Administrator entered a VirusTotal Public API key when configuring VirusTotal on the System Settings screen.

 

Indicator TypeCard NameDescription
AddressLast HTTPS CertificateThis card displays certificate details observed when attempting a standard HTTPS connection to the Address.
Passive DNS ReplicationThis card displays a list of related domains to which the Address resolves.
URLs*This card displays a list of related URLs to which the Address resolves.
FileContacted DomainsThis card displays a list of related domains contacted by the File.
Contacted IPsThis card displays a list of related IP addresses contacted by the File.
Contacted URLsThis card displays a list of related URLs contacted by the File.
HostCategoriesThis card displays a list of categories provided by URL sandboxing engines to which the URL or domain content belongs.
Passive DNS ReplicationThis card displays a list of related IP addresses to which the Host resolves.
URLs*This card displays a list of related URLs to which the Host resolves.
URLCategoriesThis card displays a list of categories provided by URL sandboxing engines to which the URL or domain content belongs.
Contacted Domains*This card displays a list of related domains from which the URL loads some type of resource.
Contacted IPs*This card displays a list of related IP addresses from which the URL loads some type of resource.

* Requires a VirusTotal Premium API key.

Importing Indicators From VirusTotal Into ThreatConnect

You may import all or a subset of the Indicators displayed on the Contacted Domains, Contacted IPs, Contacted URLs, Passive DNS Replication, and URLs cards into ThreatConnect and associate them to a new or existing Group. You may also import Indicators displayed on these cards into ThreatConnect and associate them directly to the enriched Indicator (i.e., the Indicator whose Details screen you are viewing) via a custom association.

  1. On the VirusTotal Detailed View drawer, expand one of the following cards to view a table containing Indicators retrieved from VirusTotal that are related to the enriched Indicator (Figure 4):
    • Contacted Domains: The Indicators on this card, available for File and URL Indicators, will be imported as Host Indicators.
    • Contacted IPs: The Indicators on this card, available for File and URL Indicators, will be imported as Address Indicators.
    • Contacted URLs: The Indicators on this card, available for File Indicators, will be imported as URL Indicators.
    • Passive DNS Replication: This card is available for Address and Host Indicators. If the enriched Indicator’s type is Address, Indicators on this card will be imported as Host Indicators. If the enriched Indicator’s type is Host, Indicators on this card will be imported as Address Indicators.
    • URLs: The Indicators on this card, available for Address and Host Indicators, will be imported as URL Indicators.
  2. On the expanded card, select the checkbox for each Indicator you want to import into ThreatConnect. To select all Indicators displayed on the current page in the table, select the checkbox in the table’s header.
    Important
    If a selected Indicator already exists in the ThreatConnect owner into which you are importing data, that copy of the Indicator will be updated based on the information entered and options configured during the import.
  3. Click the Import dropdown at the top left of the expanded card and select one of the following import options (Figure 5). Further instruction on each import option is available in the following subsections.Figure 5_VirusTotal Enrichment_7.3.0

     

    • To New Group: Select this option to import the selected Indicators and associate them to a new Group created during the import.
    • To Existing Group: Select this option to import the selected Indicators and associate them to an existing Group.
    • As an Indicator: Select this option to import the selected Indicators and associate them directly to the enriched Indicator via a custom association.
Note
If associating the Indicators selected for import to a new or existing Group, the Group will also be associated to the enriched Indicator, thus creating a second-level (i.e., indirect) association between the Indicators imported from VirusTotal and the enriched Indicator.

Importing Indicators Into a New Group

  1. Follow Steps 1–3 in the “Importing Indicators From VirusTotal Into ThreatConnect” section and select To New Group from the Import dropdown. The Details section of the Create screen will be displayed (Figure 6).

    Figure 6_VirusTotal Enrichment_7.3.0

     

    • Type: By default, Event is selected. If desired, select another Group type from the dropdown.
    • Fill out all remaining fields on the Details section. For descriptions of each field available on this screen, see the “Creating a Group” section of Create.
      Note
      By default, a VirusTotal Enrichment Tag will be applied in the Tags field. You can remove this Tag, if desired.
      Important
      If you select the Apply Tags to Associations checkbox, it is recommended that you remove the VirusTotal Enrichment Tag so that this Tag does not get applied to the enriched Indicator (that is, the Indicator whose Enrichment tab from which you are importing VirusTotal data), as the enriched Indicator will be added as an association to the new Group. Alternatively, if you want the VirusTotal Enrichment Tag to be applied to all associations except the enriched Indicator, you can select the Apply Tags to Associations checkbox, retain the VirusTotal Enrichment Tag, and then, after completing the import, navigate to the Overview tab of the Details screen for the enriched Indicator and remove the Tag manually.
    • Click the Next button.
      Note
      The Save button is available only on the Associations and Attachments sections.
  2. The Associations section will be displayed (Figure 7).

    Graphical user interface  Description automatically generated

     

    Note
    A checkmark in the Known column indicates that the corresponding Indicator exists in at least one owner to which you have access.
    • Associations: The selected Indicator(s), as well as the enriched Indicator, will be displayed in the Associations card. In this card, you can complete the following actions:
      • Private: To mark an Indicator as private, select the corresponding checkbox in the Private column. This column will be displayed only if your System Administrator has enabled private Indicators.
      • Actions: To remove an Indicator from the list of Indicators being imported, click DeleteTrash icon_Black.
    • Association Details: In the Associations Details card, you can fill out the following information, which will be applied to all Indicators being associated to the Group:
      Important
      All information added in this section will be applied to the enriched Indicator (that is, the Indicator whose Enrichment tab from which you are importing VirusTotal data), because the enriched Indicator is always added as an association to the new Group, along with the Indicators selected on the card on the VirusTotal Detailed View (Figure 5). If the enriched Indicator has a default Description, a Threat Rating, or a Confidence Rating and you enter a value for one of these fields, then that value will replace the existing value for the enriched Indicator. Tags entered in this section will be applied in addition to the enriched Indicator’s existing Tags.
      • Description: Enter a default Description for the Indicator(s).
      • Tags: Enter one or more Tags to apply to the Indicator(s).
      • Threat Rating: Use the skull icons to set the Threat Rating for the Indicator(s).
      • Confidence Rating: Use the slider to set the Confidence Rating for the Indicator(s).
    • Click the Next button.
  3. The Attachments section will be displayed (Figure 8). Attachments is an optional section where you can attach related files to the Group.

    Graphical user interface, text, application, email, website  Description automatically generated

     

    • Upload files for which Document Groups will be created and associated to the Group being created, if desired. After each file is uploaded, the filename will be displayed below the upload area, along with a checkbox labeled Add to Malware Vault. Leave this checkbox cleared unless you are uploading a malware file.
    • Click the Save button.

The selected Indicator(s) will be imported into ThreatConnect and associated to the newly created Group, and the Group’s Details screen will be displayed. The Indicators imported into ThreatConnect, as well as the enriched Indicator, will be displayed on the Indicators card of the Group’s Associations tab. You may also view these associations on the Associations card of the Group’s legacy Details screen, under the Associated Indicators section when the card is in table view.

Importing Indicators Into an Existing Group

  1. Follow Steps 1–3 in the “Importing Indicators From VirusTotal Into ThreatConnect” section and select To Existing Group from the Import dropdown. The Select Group section of the Import to Existing Group screen will be displayed (Figure 9).Graphical user interface, application  Description automatically generated

     

    • Select the Group to which the selected Indicator(s), as well as the enriched Indicator, will be associated. To search for a Group, enter its name in the search bar above the table containing all Groups.
    • To view a Group’s Details screen , click the Open in New TabOpen in New Tab iconicon to the right of the Owner column.
    • Click the Next button.
  2. The Associations section will be displayed (Figure 10).

    Graphical user interface  Description automatically generated

     

    Note
    A checkmark in the Known column indicates that the corresponding Indicator exists in at least one owner to which you have access.
    • Associations: The selected Indicator(s), as well as the enriched Indicator, will be displayed in the Associations card. In this card, you can complete the following actions:
      • Private: To mark an Indicator as private, select the corresponding checkbox in the Private column. This column will be displayed only if your System Administrator has enabled private Indicators.
      • Actions: To remove an Indicator from the list of Indicators being imported, click DeleteTrash icon_Black.
    • Association Details: In the Associations Details card, you can fill out the following information, which will be applied to all Indicators being associated to the Group:
      Important
      All information added in this section will be applied to the enriched Indicator (that is, the Indicator whose Enrichment tab from which you are importing VirusTotal data), because the enriched Indicator is always added as an association to the new Group, along with the Indicators selected on the card on the VirusTotal Detailed View (Figure 5). If the enriched Indicator has a default Description, a Threat Rating, or a Confidence Rating and you enter a value for one of these fields, then that value will replace the existing value for the enriched Indicator. Tags entered in this section will be applied in addition to the enriched Indicator’s existing Tags.
      • Description: Enter a default Description for the Indicator(s).
      • Tags: Enter one or more Tags to apply applied to the Indicator(s).
      • Threat Rating: Use the skull icons to set the Threat Rating for the Indicator(s).
      • Confidence Rating: Use the slider to set the Confidence Rating for the Indicator(s).
    • Click the Save button.

The selected Indicator(s) will be imported into ThreatConnect and associated to the existing Group, and the Group’s Details screen will be displayed. The Indicators imported into ThreatConnect, as well as the enriched Indicator, will be displayed on the Indicators card of the Group’s Associations tab. You may also view these associations on the Associations card of the Group’s legacy Details screen, under the Associated Indicators section when the card is in table view.

Importing Indicators as Indicators

Follow Steps 1–3 in the “Importing Indicators From VirusTotal Into ThreatConnect” section and select As an Indicator from the Import dropdown. The Import Indicators window will be displayed (Figure 11).

 

  • New Indicators to be Imported & Associated: This section displays the Indicators that will be imported into ThreatConnect and associated directly to the enriched Indicator. To remove an Indicator from this list, click DeleteDelete button_Details screen.
  • Click the Import Indicators button.

The selected Indicator(s) will be imported into ThreatConnect and associated to the enriched Indicator, and the Associations tab of the enriched Indicator’s Details screen will be displayed. The associated Indicators will be displayed on the Indicators card of this tab. You may also view these associations on the Associations card of the enriched Indicator’s legacy Details screen, under the Associated Indicators section when the card is in table view.

Retrieving Data Manually

When you click on an Indicator’s Enrichment tab for the first time, data will be retrieved from VirusTotal automatically if your System Administrator has enabled automatic data retrieval for VirusTotal. Otherwise, a message stating that “Automatic Data Retrieval has been disabled by the System Administrator” will be displayed on the card, and you will need to click the Retrieve Data button to populate the card with data. Once data have been retrieved, they will be cached for a period of time configured by your System Administrator. Each time you revisit that Indicator’s Enrichment tab, the cached VirusTotal data will be displayed until this period of time has passed.

To retrieve the latest VirusTotal data for the Indicator manually, click the Retrieve Data button.

Note
The API key your System Administrator entered when configuring VirusTotal on the System Settings screen will be used each time data are retrieved for the Indicator.

Enriching Indicators Using the ThreatConnect API

You can also use the ThreatConnect v3 API to enrich Address, File, Host, and URL Indicators with data from VirusTotal. For instructions on using the ThreatConnect v3 API to enrich Indicators, see Indicator Enrichment Overview.


ThreatConnect® is a registered trademark of ThreatConnect, Inc.
VirusTotal™ is a trademark of Google, Inc.

20146-03 v.04.A


Was this article helpful?