×
VirusTotal

Overview

The Security Flow VirusTotal Plugin provides Incident enrichment with threat intelligence from the VirusTotal API. To use this plugin, please ensure to obtain a production API key.

Functionality

The plugin provides the following functionality.

  • Create nodes for domain, file, IP address or URL reports.
  • Generate a positives confidence value for the given action.
  • Customize the output of the positives value using a heuristic.

Instance Configuration Parameters

Property
Description

Instance Name

Name for the VirusTotal instance.


API Key

API Key used by the plugin instance to access the information generated by VirusTotal.


Rate Limit Requests

Schedule queries such that the VirusTotal API’s rate limits for the API Key license are honored.


Rate Limit (ms)

Milliseconds to wait between making API requests to VirusTotal.


Cache API Responses

Enables caching of VirusTotal API responses.


Response Cache Maximum Size

The maximum capacity of the response cache. The maximum value 500.


Response Cache Time Out (sec)

The maximum age of cached responses, in seconds, before they are removed from the cache.

Flow Nodes

The DXL-VirusTotal node is a helper node to add OpenDXL messaging information, DXL topic and DXL Message information into the received message for controlling the Nevelex Labs OpenDXL VirusTotal Plugin Instance(s). The node properties are in the following table.
Property
Description

Name

The display name of the node within the flows.


Action

The desired operation with VirusTotal for the node.

  • Search Within: Determines the report(s) to run based on a search of the contents within the Search Within field. For example, if the supplied value is payload.ioc and the contents at that location are as follows,
    {
    	"domain": "baddomain.com",
    	"url": "https://baddomain.com/path/to/file"
    }

    a domain report and url report will be run.

  • Domain Report: Used to request a report on the supplied Domain.
  • File Report: Used to request a report on the supplied file hash. The file hash can be any of the following hashes: MD5, SHA-1, or SHA-256
  • IP Address Report: Used to request a report on the supplied IP Address.
  • URL Report: Used to request a report on the supplied URL.

Domain/File Hash/IP Address/URL

This field defines the location from the message, flow, global, or JavaScript expression to use as the data source for the action. Additionally, the node context can also be changed. The following contexts are supported.

  • msg.: This selects part of the incoming message as the source of the data. This is typical choice.
  • flow.: This selects part of the flow context’s saved data as the source. This information is shared with only the nodes on a given tab.
  • global.: This selects part of the global context’s saved data as the source. This information is shared by all nodes regardless of tab.
  • J: expression: JSONata expression language to perform query and transform operations on the payload.

Helper node used to classify an Indicator of Compromise (IoC) from an VirusTotal report as trusted or malicious based on the report. This node takes as input the successful response from the NL VirusTotal node or the NL Broadcast Gather Threat Intelligence node.

Report analysis nodes have five (5) outputs.

  1. Malicious: The Malicious Positives matched the Indicator of Compromise's positives and the response_code == 1.
  2. Trusted: The Trusted Positives matched the Indicator of Compromise's positives and the response_code == 1.
  3. No Match: The rules did not match the IoC as either trusted or malicious or the response_code == 0.
  4. Report Missing: The incoming message did not include a report for VirusTotal.
  5. Report Error: A report exists with an error message of some type.

The response_code returned in a VirusTotal report is inspected to determine behavior.

  • -2: Still queued for analysis
  • -1: Some unexpected error
  • 0: Item is not present
  • 1: Item is present and was retrieved

Only a response_code value of 1 indicates a currently actionable value. A value of 0 goes out the Unmatched Item output. A value less than zero goes out the Report Error output.

For URL and file hash reports, the positives value used for determining whether to classify an IoC as trusted or malicious is found directly within the response.

For IP addresses and domains, no positives value is directly returned. These are not classified by this analysis node. However, the following heuristics could be applied in a switch node. Be aware, that typically trusted domains and IP addresses, such as google.com and microsoft.com, will report detections through the following heuristics. For a domain report, when the total number of elements in the detected_urls, detected_downloaded_samples, and detected_referrer_samples arrays exceeding a certain threshold classify the domain as untrusted. For an IP report, when the total number of elements in the detected_urls, detected_downloaded_samples, and detected_communicating_samples arrays exceeding a certain threshold classify the IP address as unstrusted.

Property
Description

Name

The display name of the node within the flows.


Malicious Positives

Any positives value matching the defined Malicious Positives level is considered a malicious IoC. Malicious positive value checks are done against one of the selected ranges.

  • >= 1
  • >= 2
  • >= 3
  • >= 4
  • >= 5
  • >= 10
  • >= 15
  • >= 20
  • >= 25

Trusted Positives

Any positives value matching the defined Trusted Positives level is considered a trusted IoC. This field can be set to Never to never consider an IoC trusted. Trusted positive value checks are done against one of the selected ranges.

  • Never
  • < 1
  • < 2
  • < 3
  • < 4
  • < 5
  • < 10
Nevelex Labs, Main Office

Metro Office Park
2950 Metro Drive, Suite 104
Bloomington, MN 55425
Phone: +1 952-500-8921

©Nevelex Labs, LLC. 2018-2021, All Rights Reserved.

EULA