Integrate VirusTotal v3 with Google SecOps
This document explains how to integrate VirusTotal v3 with Google Security Operations (Google SecOps).
Integration version: 34.0
This integration uses the VirusTotal API v3. For more information about the VirusTotal API v3, see VirusTotal API v3 Overview .
This integration uses one or more open source components. You can download a zipped copy of the full source code of this integration from the Cloud Storage bucket .
Use cases
The VirusTotal v3 integration can help you solve the following use cases:
-
File analysis: use the Google SecOps capabilities to submit a file hash or a file to VirusTotal for analysis and retrieve scan results from multiple antivirus engines to determine if the submitted item is malicious.
-
URL analysis: use the Google SecOps capabilities to run a URL against the VirusTotal database to identify potentially malicious websites or phishing pages.
-
IP address analysis: use the Google SecOps capabilities to investigate an IP address and identify its reputation and any associated malicious activity.
-
Domain analysis: use the Google SecOps capabilities to analyze a domain name and identify its reputation and any associated malicious activity, such as phishing or malware distribution.
-
Retrohunting: use the Google SecOps capabilities to scan through the VirusTotal historical data to search for files, URLs, IPs, or domains that were previously flagged as malicious.
-
Automated enrichment: use the Google SecOps capabilities to automatically enrich incident data with threat intelligence.
-
Phishing investigation: use the Google SecOps capabilities to analyze suspicious emails and attachments by submitting them to VirusTotal for analysis.
-
Malware analysis: use the Google SecOps capabilities to upload malware samples to VirusTotal for dynamic and static analysis and obtain insights into the behavior and potential impact of the samples.
Before you begin
To function properly, this integration requires VirusTotal Premium API. For more information about the VirusTotal Premium API, see Public vs Premium API .
Before you configure the VirusTotal v3 integration in Google SecOps, configure an API key in VirusTotal.
To configure the API key, complete the following steps:
- Sign in to the VirusTotal portal.
- Under your username, click API key.
- Copy the generated API key to use it in the integration parameters .
- Click Save.
Integration parameters
The VirusTotal v3 integration requires the following parameters:
| Parameter | Description |
|---|---|
API Key
|
Required. The VirusTotal API key. |
Verify SSL
|
Optional. If selected, the integration validates the SSL certificate when connecting to VirusTotal. Selected by default. |
For instructions about how to configure an integration in Google SecOps, see Configure integrations .
You can make changes at a later stage, if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and support multiple instances, see Supporting multiple instances .
Actions
For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action .
Add Comment To Entity
Use the Add Comment To Entityaction to add a comment to entities in VirusTotal.
This action runs on the following Google SecOps entities:
-
File Hash -
Hostname -
IP Address -
URL
This action only supports the MD5, SHA-1, and SHA-256 hashes.
Action inputs
The Add Comment To Entityaction requires the following parameters:
| Parameter | Description |
|---|---|
Comment
|
Required. A comment to add to entities. |
Action outputs
The Add Comment To Entityaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result outputs received when using the Add Comment To Entityaction:
{
"Status"
:
"Done"
}
{
"Status"
:
"Not done"
}
Output messages
The Add Comment To Entityaction can return the following output messages:
| Output message | Message description |
|---|---|
| |
The action succeeded. |
Error executing action "Add Comment To Entity". Reason: ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Add Comment To Entityaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Add Vote To Entity
Use the Add Vote To Entityaction to add a vote to entities in VirusTotal.
This action runs on the following Google SecOps entities:
-
File Hash -
Hostname -
IP Address -
URL
This action only supports the MD5, SHA-1, and SHA-256 hashes.
Action inputs
The Add Vote To Entityaction requires the following parameters:
Vote
Required.
A vote to add to entities.
The possible values are as follows:
-
Harmless -
Malicious
Action outputs
The Add Vote To Entityaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Add Vote To Entityaction:
{
"Status"
:
"Done"
}
{
"Status"
:
"Not done"
}
Output messages
The Add Vote To Entityaction can return the following output messages:
| Output message | Message description |
|---|---|
| |
The action succeeded. |
Error executing action "Add Vote To Entity". Reason: ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Add Vote To Entityaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Download File
Use the Download Fileaction to download a file from VirusTotal.
To run the Download Fileaction, the VirusTotal Enterprise (VTE) is required.
This action runs on the Google SecOps Hash
entity.
This action only supports the MD5, SHA-1, and SHA-256 hashes.
Action inputs
The Download Fileaction requires the following parameters:
| Parameter | Description |
|---|---|
Download Folder Path
|
Required. The path to the folder to store downloaded files. |
Overwrite
|
Optional. If selected, the action overwrites an existing file with the new file if the filenames are identical. Selected by default. |
Action outputs
The Download Fileaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Download Fileaction:
{
"absolute_file_paths"
:
[
"file_path_1"
,
"file_path_2"
]
}
Output messages
The Download Fileaction can return the following output messages:
| Output message | Message description |
|---|---|
| |
The action succeeded. |
Error executing action "Download File". Reason: ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Enrich Hash
Use the Enrich Hashaction to enrich hashes with information from VirusTotal.
This action runs on the Google SecOps Hash
entity.
This action only supports the MD5, SHA-1, and SHA-256 hashes.
Action inputs
The Enrich Hashaction requires the following parameters:
Engine Threshold
Optional.
The minimum number of engines that must classify an entity as malicious or suspicious for it to be considered suspicious.
If you configure the Engine Whitelist
, the action only counts the results from the
specified engines.
Engine Percentage Threshold
Optional.
The minimum percentage of engines that mark the entity as malicious or suspicious to consider the entity suspicious.
If you configure the Engine Whitelist
, the action only counts the results from the
specified engines. If you configure both the Engine Threshold
and the Engine Percentage Threshold
parameters, the action uses
the Engine Threshold
parameter value.
The valid values for this parameter are from 0
to 100
, inclusive.
Engine Whitelist
Optional.
A comma-separated list of engine names for the action to consider when determining if a hash is malicious.
If you don't set a value, the action uses all available engines. The threshold calculation doesn't include engines that provide no information about entities.
Resubmit Hash
Optional.
If selected, the action resubmits the hash for analysis, instead of using existing results.
Not selected by default.
Resubmit After (Days)
Optional.
The number of days to resubmit the hash after the latest analysis.
This parameter only applies if you select the Resubmit Hash
parameter.
The default value is 30
.
Retrieve Comments
Optional.
If selected, the action retrieves comments that associate with the hash.
Selected by default.
Retrieve Sigma Analysis
Optional.
If selected, the action retrieves the Sigma analysis results for the hash.
Selected by default.
Sandbox
Optional.
A comma-separated list of sandbox environments to use for behavior analysis.
If you don't set a value, the action uses the default value.
The default value is VirusTotal Jujubox
.
Retrieve Sandbox Analysis
Optional.
If selected, the action retrieves sandbox analysis results for the hash and creates a separate section in the JSON output for every specified sandbox.
Selected by default.
Create Insight
Optional.
If selected, the action creates an insight that contains information about the analyzed hash.
Selected by default.
Only Suspicious Entity Insight
Optional.
If selected, the action generates insights only for hashes deemed suspicious based on the threshold parameters.
This parameter only
applies if you select the Create Insight
parameter.
Not selected by default.
Max Comments To Return
Optional.
The maximum number of comments to retrieve for every action run.
The default value is 10
.
Widget Theme
Optional.
The theme to use for the VirusTotal widget.
The default value is Dark
.
The possible values are as follows:
-
Light -
Dark -
Chronicle
Fetch Widget
Optional.
If selected, the action retrieves an augmented widget that is related to the hash.
Selected by default.
Fetch MITRE Details
Optional.
If selected, the action retrieves MITRE ATT&CK techniques and tactics that are related to the hash.
Not selected by default.
Lowest MITRE Technique Severity
Optional.
The minimum severity level for a MITRE ATT&CK technique to include in the
results. The action treats the Unknown
severity as Info
.
The possible values are as follows:
-
High -
Medium -
Low -
Info
The default value is Low
.
Action outputs
The Enrich Hashaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Available |
| Case wall table | Available |
| Entity enrichment table | Available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
Case wall link
The Enrich Hashaction can provide the following link for every enriched entity:
Name: Report Link
Value: URL
Case wall table
The Enrich Hashaction can provide the following table for every enriched entity:
Table name: ENTITY_ID
Table columns:
- Name
- Category
- Method
- Result
The Enrich Hashaction can provide the following table for every entity that has comments:
Table name: Comments: ENTITY_ID
Table columns:
- Date
- Comment
- Abuse Votes
- Negative Votes
- Positive Votes
- ID
The Enrich Hashaction can provide the following table for every entity that has the Sigma analysis results:
Table name: Sigma Analysis: ENTITY_ID
Table columns:
- ID
- Severity
- Source
- Title
- Description
- Match Context
Entity enrichment table
The following table lists the fields enriched using the Enrich Hashaction:
| Enrichment field name | Applicability |
|---|---|
VT3_id
|
Applies when available in the JSON result. |
VT3_magic
|
Applies when available in the JSON result. |
VT3_md5
|
Applies when available in the JSON result. |
VT3_sha1
|
Applies when available in the JSON result. |
VT3_sha256
|
Applies when available in the JSON result. |
VT3_ssdeep
|
Applies when available in the JSON result. |
VT3_tlsh
|
Applies when available in the JSON result. |
VT3_vhash
|
Applies when available in the JSON result. |
VT3_meaningful_name
|
Applies when available in the JSON result. |
VT3_magic
|
Applies when available in the JSON result. |
VT3_harmless_count
|
Applies when available in the JSON result. |
VT3_malicious_count
|
Applies when available in the JSON result. |
VT3_suspicious_count
|
Applies when available in the JSON result. |
VT3_undetected_count
|
Applies when available in the JSON result. |
VT3_reputation
|
Applies when available in the JSON result. |
VT3_tags
|
Applies when available in the JSON result. |
VT3_malicious_vote_count
|
Applies when available in the JSON result. |
VT3_harmless_vote_count
|
Applies when available in the JSON result. |
VT3_report_link
|
Applies when available in the JSON result. |
JSON result
The following example shows the JSON result output received when using the Enrich Hashaction:
{
"data"
:
{
"attributes"
:
{
"categories"
:
{
"Dr.Web"
:
"known infection source/not recommended site"
,
"Forcepoint ThreatSeeker"
:
"compromised websites"
,
"sophos"
:
"malware repository, spyware and malware"
},
"first_submission_date"
:
1582300443
,
"html_meta"
:
{},
"last_analysis_date"
:
1599853405
,
"last_analysis_results"
:
{
"EXAMPLELabs"
:
{
"category"
:
"harmless"
,
"engine_name"
:
"EXAMPLELabs"
,
"method"
:
"blacklist"
,
"result"
:
"clean"
},
"Example"
:
{
"category"
:
"harmless"
,
"engine_name"
:
"Example"
,
"method"
:
"blacklist"
,
"result"
:
"clean"
},
},
"last_analysis_stats"
:
{
"harmless"
:
64
,
"malicious"
:
6
,
"suspicious"
:
1
,
"timeout"
:
0
,
"undetected"
:
8
},
"last_final_url"
:
"http://203.0.113.1/input/?mark=20200207-example.com/31mawe&tpl=example&engkey=bar+chart+click+event"
,
"last_http_response_code"
:
404
,
"last_http_response_content_length"
:
204
,
"last_http_response_content_sha256"
:
"58df637d178e35690516bda9e41e245db836170f046041fdebeedd20eca61d9d"
,
"last_http_response_headers"
:
{
"connection"
:
"keep-alive"
,
"content-length"
:
"204"
,
"content-type"
:
"text/html; charset=iso-8859-1"
,
"date"
:
"Fri, 11 Sep 2020 19:51:50 GMT"
,
"keep-alive"
:
"timeout=60"
,
"server"
:
"nginx"
},
"last_modification_date"
:
1599853921
,
"last_submission_date"
:
1599853405
,
"reputation"
:
0
,
"tags"
:
[
"ip"
],
"targeted_brand"
:
{},
"threat_names"
:
[
"Mal/HTMLGen-A"
],
"times_submitted"
:
3
,
"title"
:
"404 Not Found"
,
"total_votes"
:
{
"harmless"
:
0
,
"malicious"
:
0
},
"trackers"
:
{},
"url"
:
"http://203.0.113.1/input/?mark=20200207-example.com/31mawe&tpl=example&engkey=bar+chart+click+event"
},
"id"
:
" ID
"
,
"links"
:
{
"self"
:
"https://www.virustotal.com/api/v3/urls/ ID
"
},
"type"
:
"url"
,
"comments"
:
[
"text"
:
"attributes/text"
,
"date"
:
"attributes/date"
]
}
"is_risky"
:
true
"related_mitre_techniques"
:
[{
"id"
:
"T1071"
,
"name"
:
""
,
"severity"
:
""
}],
"related_mitre_tactics"
:
[{
"id"
:
"TA0011"
,
"name"
:
""
}]
}
Output messages
The Enrich Hashaction can return the following output messages:
| Output message | Message description |
|---|---|
| |
The action succeeded. |
Error executing action "Enrich Hash". Reason: ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Enrich Hashaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Enrich IOC
Use the Enrich IOCaction to enrich the indicators of compromise (IoCs) using information from VirusTotal.
This action doesn't run on Google SecOps entities.
Action inputs
The Enrich IOCaction requires the following parameters:
IOC Type
Optional.
The type of the IOC to enrich.
The default value is Filehash
.
The possible values are as follows:
-
Filehash -
URL -
Domain -
IP Address
IOCs
Required.
A comma-separated list of IOCs to enrich.
Widget Theme
Optional.
The theme to use for the widget.
The default value is Dark
.
The possible values are as follows:
-
Light -
Dark -
Chronicle
Fetch Widget
Optional.
If selected, the action retrieves the widget for the IOC.
Selected by default.
Action outputs
The Enrich IOCaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Available |
| Case wall table | Available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Case wall link
The Enrich IOCaction can provide the following link for every enriched entity:
Name: Report Link
Value: URL
Case wall table
The Enrich IOCaction can provide the following table for every enriched entity:
Table name: IOC_ID
Table columns:
- Name
- Category
- Method
- Result
JSON result
The following example shows the JSON result output received when using the Enrich IOCaction:
{
"ioc"
:
{
"identifier"
:
"203.0.113.1"
,
"details"
:
{
"attributes"
:
{
"categories"
:
{
"Dr.Web"
:
"known infection source/not recommended site"
,
"Forcepoint ThreatSeeker"
:
"compromised websites"
,
"sophos"
:
"malware repository, spyware and malware"
},
"first_submission_date"
:
1582300443
,
"html_meta"
:
{},
"last_analysis_date"
:
1599853405
,
"last_analysis_results"
:
{
"EXAMPLELabs"
:
{
"category"
:
"harmless"
,
"engine_name"
:
"EXAMPLELabs"
,
"method"
:
"blacklist"
,
"result"
:
"clean"
},
"Example"
:
{
"category"
:
"harmless"
,
"engine_name"
:
"Example"
,
"method"
:
"blacklist"
,
"result"
:
"clean"
}
},
"last_analysis_stats"
:
{
"harmless"
:
64
,
"malicious"
:
6
,
"suspicious"
:
1
,
"timeout"
:
0
,
"undetected"
:
8
},
"last_final_url"
:
"http://203.0.113.1/input/?mark=20200207-example.com/31mawe&tpl=example&engkey=bar+chart+click+event"
,
"last_http_response_code"
:
404
,
"last_http_response_content_length"
:
204
,
"last_http_response_content_sha256"
:
"58df637d178e35690516bda9e41e245db836170f046041fdebeedd20eca61d9d"
,
"last_http_response_headers"
:
{
"connection"
:
"keep-alive"
,
"content-length"
:
"204"
,
"content-type"
:
"text/html; charset=iso-8859-1"
,
"date"
:
"Fri, 11 Sep 2020 19:51:50 GMT"
,
"keep-alive"
:
"timeout=60"
,
"server"
:
"nginx"
},
"last_modification_date"
:
1599853921
,
"last_submission_date"
:
1599853405
,
"reputation"
:
0
,
"tags"
:
[
"ip"
],
"targeted_brand"
:
{},
"threat_names"
:
[
"Mal/HTMLGen-A"
],
"times_submitted"
:
3
,
"title"
:
"404 Not Found"
,
"total_votes"
:
{
"harmless"
:
0
,
"malicious"
:
0
},
"trackers"
:
{},
"url"
:
"http://203.0.113.1/input/?mark=20200207-example.com/31mawe&tpl=example&engkey=bar+chart+click+event"
},
"id"
:
" ID
"
,
"links"
:
{
"self"
:
"https://www.virustotal.com/api/v3/urls/ ID
"
},
"type"
:
"url"
,
"report_link"
:
"{generated report link}"
,
"widget_url"
:
"https: //www.virustotal.com/ui/widget/html/ WIDGET_ID
"
"widget_html"
}
}
}
Output messages
The Pingaction can return the following output messages:
| Output message | Message description |
|---|---|
| |
The action succeeded. |
Error executing action "Enrich IOC". Reason: ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Enrich IOCaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Enrich IP
Use the Enrich IPaction to enrich IP addresses using information from VirusTotal.
This action runs on the Google SecOps IP Address
entity.
Action inputs
The Enrich IPaction requires the following parameters:
Engine Threshold
Optional.
The minimum number of engines that must classify an entity as malicious or suspicious for it to be considered suspicious.
If you configure the Engine Whitelist
, the action only counts the results from the
specified engines.
Engine Percentage Threshold
Optional.
The minimum percentage of engines that must classify the entity as malicious or suspicious for it to be considered suspicious.
If you configure the Engine Whitelist
parameter, the action
only counts the results from the specified engines. If you configure both
the Engine Threshold
and the Engine Percentage
Threshold
parameters, the action uses the Engine
Threshold
parameter value.
The valid values for this parameter are from 0
to 100
, inclusive.
Engine Whitelist
Optional.
A comma-separated list of engine names for the action to consider when determining if a hash is malicious.
If you don't set a value, the action uses all available engines. The threshold calculation doesn't include engines that provide no information about entities.
Retrieve Comments
Optional.
If selected, the action retrieves comments that associate with the hash.
Selected by default.
Create Insight
Optional.
If selected, the action creates an insight that contains information about the analyzed hash.
Selected by default.
Only Suspicious Entity Insight
Optional.
If selected, the action generates insights only for hashes deemed suspicious based on the threshold parameters.
This parameter only
applies if you select the Create Insight
parameter.
Not selected by default.
Max Comments To Return
Optional.
The maximum number of comments to retrieve for every action run.
The default value is 10
.
Widget Theme
Optional.
The theme to use for the VirusTotal widget.
The default value is Dark
.
The possible values are as follows:
-
Light -
Dark -
Chronicle
Fetch Widget
Optional.
If selected, the action retrieves an augmented widget that is related to the hash.
Selected by default.
Action outputs
The Enrich IPaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Available |
| Case wall table | Available |
| Entity enrichment table | Available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
Case wall link
The Enrich IPaction can provide the following link for every enriched entity:
Name: Report Link
Value: URL
Case wall table
The Enrich IPaction can provide the following table for every enriched entity:
Table name: ENTITY_ID
Table columns:
- Name
- Category
- Method
- Result
The Enrich IPaction can provide the following table for every entity that has comments:
Table name: Comments: ENTITY_ID
Table columns:
- Date
- Comment
- Abuse Votes
- Negative Votes
- Positive Votes
- ID
Entity enrichment table
The following table lists the fields enriched using the Enrich IPaction:
| Enrichment field name | Applicability |
|---|---|
VT3_id
|
Applies when available in the JSON result. |
VT3_owner
|
Applies when available in the JSON result. |
VT3_asn
|
Applies when available in the JSON result. |
VT3_continent
|
Applies when available in the JSON result. |
VT3_country
|
Applies when available in the JSON result. |
VT3_harmless_count
|
Applies when available in the JSON result. |
VT3_malicious_count
|
Applies when available in the JSON result. |
VT3_suspicious_count
|
Applies when available in the JSON result. |
VT3_undetected_count
|
Applies when available in the JSON result. |
VT3_certificate_valid_not_after
|
Applies when available in the JSON result. |
VT3_certificate_valid_not_before
|
Applies when available in the JSON result. |
VT3_reputation
|
Applies when available in the JSON result. |
VT3_tags
|
Applies when available in the JSON result. |
VT3_malicious_vote_count
|
Applies when available in the JSON result. |
VT3_harmless_vote_count
|
Applies when available in the JSON result. |
VT3_report_link
|
Applies when available in the JSON result. |
JSON result
The following example shows the JSON result output received when using the Enrich IPaction:
{
"data"
:
{
"attributes"
:
{
"as_owner"
:
"Example"
,
"asn"
:
50673
,
"continent"
:
"EU"
,
"country"
:
"NL"
,
"last_analysis_results"
:
{
"EXAMPLELabs"
:
{
"category"
:
"harmless"
,
"engine_name"
:
"ExampleLabs"
,
"method"
:
"blacklist"
,
"result"
:
"clean"
},
"example.com URL checker"
:
{
"category"
:
"harmless"
,
"engine_name"
:
"example.com URL checker"
,
"method"
:
"blacklist"
,
"result"
:
"clean"
},
"example"
:
{
"category"
:
"harmless"
,
"engine_name"
:
"example"
,
"method"
:
"blacklist"
,
"result"
:
"clean"
},
"example"
:
{
"category"
:
"harmless"
,
"engine_name"
:
"example"
,
"method"
:
"blacklist"
,
"result"
:
"clean"
}
},
"last_analysis_stats"
:
{
"harmless"
:
81
,
"malicious"
:
5
,
"suspicious"
:
1
,
"timeout"
:
0
,
"undetected"
:
8
},
"last_https_certificate"
:
{
"cert_signature"
:
{
"signature"
:
"48ae0d5d0eb411e56bd328b93c7212c72fd21785070648e11d9ae2b80386711699978e650eafa233d234671b87c8134c1c38c59f702518ddebdc7849dc512e0158941507970ab3ab93788d27df728d727d7f9d28ed358abb145fb24803d0eeab04687ae07c7f1d3176374367efc000bd26d3cfc0659e54826ea2dfa2366d7bd9e8ed3bd2ff8a26898b37fadea198f93de8cf3ae3d703513bc0638f7b411d8eda9a3ac9a7510d7bfe553592792d10f8b2c255bc4a05c8c6bfbdb8def045dc754b39c9b89d2a5140818622760eb116abf6fd0a5798c1e274fe56a056ed21f419a6873d314c15238a398d8049b5ecc1ca003d0a07a989a710d137e4fc74b5671caa"
,
"signature_algorithm"
:
"sha256RSA"
},
"extensions"
:
{
"1.3.6.1.4.1.11129.2.4.2"
:
"0481f200f00075007d3ef2f88fff88556824c2c0ca9e5289792bc50e78097f2e"
,
"CA"
:
true
,
"authority_key_identifier"
:
{
"keyid"
:
" KEY_ID
"
},
"ca_information_access"
:
{
"CA Issuers"
:
"http://example.RSADomainValidationSecureServerCA.crt"
,
"OCSP"
:
"http://example.com"
},
"certificate_policies"
:
[
"1.3.6.1.4.1.6449.1.2.2.7"
,
"2.23.140.1.2.1"
],
"extended_key_usage"
:
[
"serverAuth"
,
"clientAuth"
],
"key_usage"
:
[
"ff"
],
"subject_alternative_name"
:
[
"example-panel.xyz"
,
"www.example-panel.xyz"
],
"subject_key_identifier"
:
"4f6429eaccd761eca91d9120b004f9d962453fef"
,
"tags"
:
[]
},
"issuer"
:
{
"C"
:
"US"
,
"CN"
:
"Example RSA Domain Validation Secure Server CA"
,
"L"
:
"Mountain View"
,
"O"
:
"Example Ltd."
,
},
"public_key"
:
{
"algorithm"
:
"RSA"
,
"rsa"
:
{
"exponent"
:
"010001"
,
"key_size"
:
2048
,
"modulus"
:
"00aa8b74f0cc92a85ed4d515abef751a22fd65f2b6b0d33239040a99c65f322f3e833c77540a15ee31dabbd2889dd710ff9d8ccd3b9ea454ca87761cd9ff8a383806986461f8ff764a1202a5ebfb09995cbf40cc11eb2514529704744e6c97a872cde728e278fb140eba3c3aaf60644c8d75fd0048bb506f9b7314e33690f3514598ee45dd366c30a94d6178af91c2784872c162233c66659cea675f22f47752e0877ba5b12a3d800d2e2510d3cc1222c226cee2b85852a7e02da1de2718c746560f3ae05bc6f2d7f1cd6fcdbe37318fc7ddd19ae3486c5f3293946c068735e843fa8467199456d4725ac0b23fc4e0b7b9d3f51c0e16b27542d250d29d7b28fb95"
}
},
"serial_number"
:
"248562d360bcc919bb97883f0dfc609d"
,
"signature_algorithm"
:
"sha256RSA"
,
"size"
:
1472
,
"subject"
:
{
"CN"
:
"example-panel.xyz"
},
"tags"
:
[],
"thumbprint"
:
"f9aae62cc9262302e45d94fcc512d65529ea1b31"
,
"thumbprint_sha256"
:
"406ac0efb0ef67de743b1ab0f4e0352564a7d5ebbd71e3a883c067acc3563016"
,
"validity"
:
{
"not_after"
:
"2021-08-06 23:59:59"
,
"not_before"
:
"2020-08-06 00:00:00"
},
"version"
:
"V3"
},
"last_https_certificate_date"
:
1605415789
,
"last_modification_date"
:
1605430702
,
"network"
:
"203.0.113.0/24"
,
"regional_internet_registry"
:
"EXAMPLE"
,
"reputation"
:
-95
,
"tags"
:
[],
"total_votes"
:
{
"harmless"
:
0
,
"malicious"
:
10
},
"whois"
:
"NetRange: 203.0.113.0 - 203.0.113.255\nCIDR: 203.0.113.0/24\nNetName: EXAMPLE-5\nNetHandle: NET-203-0-113-0-1\nParent: ()\nNetType: Allocated to EXAMPLE\nOrig"
,
"whois_date"
:
1603912270
},
"id"
:
"203.0.113.1"
,
"links"
:
{
"self"
:
"https://www.virustotal.com/api/v3/ip_addresses/203.0.113.1"
},
"type"
:
"ip_address"
"comments"
:
[
"text"
:
"attributes/text"
,
"date"
:
"attributes/date"
]
}
"is_risky"
:
true
}
Output messages
The Enrich IPaction can return the following output messages:
| Output message | Message description |
|---|---|
| |
The action succeeded. |
Error executing action "Enrich IP". Reason: ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Enrich IPaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Enrich URL
Use the Enrich URLaction to enrich a URL using information from VirusTotal.
This action runs on the Google SecOps URL
entity.
Action inputs
The Enrich URLaction requires the following parameters:
Engine Threshold
Optional.
The minimum number of engines that must classify a URL as malicious or suspicious for it to be considered suspicious.
If you configure the Engine Whitelist
, the action only counts the results from the
specified engines.
Engine Percentage Threshold
Optional.
The minimum percentage of engines that must classify the URL as malicious or suspicious for it to be considered suspicious.
If you
configure the Engine Whitelist
parameter, the action only
counts the results from the
specified engines. If you configure both the Engine Threshold
and the Engine Percentage Threshold
parameters, the action uses
the Engine Threshold
parameter value.
The valid values for this parameter are from 0
to 100
, inclusive.
Engine Whitelist
Optional.
A comma-separated list of engine names for the action to consider when determining if a hash is malicious.
Resubmit URL
Optional.
If selected, the action resubmits the URL for analysis, instead of using existing results.
Not selected by default.
Resubmit After (Days)
Optional.
The number of days to resubmit the URL after the latest analysis.
This parameter only applies if you select the Resubmit URL
parameter.
The default value is 30
.
Retrieve Comments
Optional.
If selected, the action retrieves comments that associate with the URL.
Selected by default.
Create Insight
Optional.
If selected, the action creates an insight that contains information about the analyzed URL.
Selected by default.
Only Suspicious Entity Insight
Optional.
If selected, the action generates insights only for URLs deemed suspicious based on the threshold parameters.
This parameter only
applies if you select the Create Insight
parameter.
Not selected by default.
Max Comments To Return
Optional.
The maximum number of comments to retrieve for every action run.
The default value is 10
.
Widget Theme
Optional.
The theme to use for the VirusTotal widget.
The default value is Dark
.
The possible values are as follows:
-
Light -
Dark -
Chronicle
Fetch Widget
Optional.
If selected, the action retrieves an augmented widget that is related to the hash.
Selected by default.
Action outputs
The Enrich URLaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Available |
| Case wall table | Available |
| Entity enrichment table | Available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
Case wall link
The Enrich URLaction can provide the following link for every enriched entity:
Name: Report Link
Value: URL
Case wall table
The Enrich URLaction can provide the following table for every enriched entity:
Table name: ENTITY_ID
Table columns:
- Name
- Category
- Method
- Result
The Enrich URLaction can provide the following table for every entity that has comments:
Table name: Comments: ENTITY_ID
Table columns:
- Date
- Comment
- Abuse Votes
- Negative Votes
- Positive Votes
- ID
Entity enrichment table
The following table lists the fields enriched using the Enrich URLaction:
| Enrichment field name | Applicability |
|---|---|
VT3_id
|
Applies when available in the JSON result. |
VT3_title
|
Applies when available in the JSON result. |
VT3_last_http_response_code
|
Applies when available in the JSON result. |
VT3_last_http_response_content_length
|
Applies when available in the JSON result. |
VT3_threat_names
|
Applies when available in the JSON result. |
VT3_harmless_count
|
Applies when available in the JSON result. |
VT3_malicious_count
|
Applies when available in the JSON result. |
VT3_suspicious_count
|
Applies when available in the JSON result. |
VT3_undetected_count
|
Applies when available in the JSON result. |
VT3_reputation
|
Applies when available in the JSON result. |
VT3_tags
|
Applies when available in the JSON result. |
VT3_malicious_vote_count
|
Applies when available in the JSON result. |
VT3_harmless_vote_count
|
Applies when available in the JSON result. |
VT3_report_link
|
Applies when available in the JSON result. |
JSON result
The following example shows the JSON result output received when using the Enrich URLaction:
{
"data"
:
{
"attributes"
:
{
"categories"
:
{
"Dr.Web"
:
"known infection source/not recommended site"
,
"Forcepoint ThreatSeeker"
:
"compromised websites"
,
"sophos"
:
"malware repository, spyware and malware"
},
"first_submission_date"
:
1582300443
,
"html_meta"
:
{},
"last_analysis_date"
:
1599853405
,
"last_analysis_results"
:
{
"AEXAMPLELabs"
:
{
"category"
:
"harmless"
,
"engine_name"
:
"EXAMPLELabs"
,
"method"
:
"blacklist"
,
"result"
:
"clean"
},
"Example"
:
{
"category"
:
"harmless"
,
"engine_name"
:
"Example"
,
"method"
:
"blacklist"
,
"result"
:
"clean"
},
},
"last_analysis_stats"
:
{
"harmless"
:
64
,
"malicious"
:
6
,
"suspicious"
:
1
,
"timeout"
:
0
,
"undetected"
:
8
},
"last_final_url"
:
"http://203.0.113.1/input/?mark=20200207-example.com/31mawe&tpl=example&engkey=bar+chart+click+event"
,
"last_http_response_code"
:
404
,
"last_http_response_content_length"
:
204
,
"last_http_response_content_sha256"
:
"58df637d178e35690516bda9e41e245db836170f046041fdebeedd20eca61d9d"
,
"last_http_response_headers"
:
{
"connection"
:
"keep-alive"
,
"content-length"
:
"204"
,
"content-type"
:
"text/html; charset=iso-8859-1"
,
"date"
:
"Fri, 11 Sep 2020 19:51:50 GMT"
,
"keep-alive"
:
"timeout=60"
,
"server"
:
"nginx"
},
"last_modification_date"
:
1599853921
,
"last_submission_date"
:
1599853405
,
"reputation"
:
0
,
"tags"
:
[
"ip"
],
"targeted_brand"
:
{},
"threat_names"
:
[
"Mal/HTMLGen-A"
],
"times_submitted"
:
3
,
"title"
:
"404 Not Found"
,
"total_votes"
:
{
"harmless"
:
0
,
"malicious"
:
0
},
"trackers"
:
{},
"url"
:
"http://203.0.113.1/input/?mark=20200207-example.com/31mawe&tpl=example&engkey=bar+chart+click+event"
},
"id"
:
" ID
"
,
"links"
:
{
"self"
:
"https://www.virustotal.com/api/v3/urls/ ID
"
},
"type"
:
"url"
,
"comments"
:
[
"text"
:
"attributes/text"
,
"date"
:
"attributes/date"
]
}
"is_risky"
:
true
}
Output messages
The Enrich URLaction can return the following output messages:
| Output message | Message description |
|---|---|
| |
The action succeeded. |
Error executing action "Enrich URL". Reason: ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Enrich URLaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Get Domain Details
Use the Get Domain Detailsaction to retrieve detailed information about the domain using information from VirusTotal.
This action runs on the following Google SecOps entities:
-
URL -
Hostname
Action inputs
The Get Domain Detailsaction requires the following parameters:
Engine Threshold
Optional.
The minimum number of engines that must classify a domain as malicious or suspicious for it to be considered suspicious.
Engine Percentage Threshold
Optional.
The minimum percentage of engines that must classify the domain as malicious or suspicious for it to be considered suspicious.
Engine Whitelist
Optional.
A comma-separated list of engine names to consider when evaluating the domain risk.
Retrieve Comments
Optional.
If selected, the action retrieves comments that associate with the domain from VirusTotal.
Selected by default.
Create Insight
Optional.
If selected, the action creates an insight with information about the domain.
Selected by default.
Only Suspicious Entity Insight
Optional.
If selected, the action generates insights only for entities deemed suspicious based on the threshold parameters.
Not selected by default.
Max Comments To Return
Optional.
The maximum number of comments to retrieve for the domain in every action run.
The default value is 10
.
Widget Theme
Optional.
The theme to use for the VirusTotal widget.
The default value is Dark
.
The possible values are as follows:
-
Light -
Dark -
Chronicle
Fetch Widget
Optional.
If selected, the action retrieves and displays the VirusTotal widget for the domain.
Selected by default.
Action outputs
The Get Domain Detailsaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Available |
| Case wall table | Available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
Case wall link
The Get Domain Detailsaction can provide the following link for every enriched entity:
Name: Report Link
Value: URL
Case wall table
The Get Domain Detailsaction can provide the following table for every enriched entity:
Table name: ENTITY_ID
Table columns:
- Name
- Category
- Method
- Result
The Get Domain Detailsaction can provide the following table for every entity that has comments:
Table name: Comments: ENTITY_ID
Table columns:
- Date
- Comment
- Abuse Votes
- Negative Votes
- Positive Votes
- ID
JSON result
The following example shows the JSON result output received when using the Get Domain Detailsaction:
{
"data"
:
{
"attributes"
:
{
"categories"
:
{
"Dr.Web"
:
"known infection source/not recommended site"
,
"Forcepoint ThreatSeeker"
:
"compromised websites"
,
"sophos"
:
"malware repository, spyware and malware"
},
"first_submission_date"
:
1582300443
,
"html_meta"
:
{},
"last_analysis_date"
:
1599853405
,
"last_analysis_results"
:
{
"EXAMPLELabs"
:
{
"category"
:
"harmless"
,
"engine_name"
:
"EXAMPLELabs"
,
"method"
:
"blacklist"
,
"result"
:
"clean"
},
"Example"
:
{
"category"
:
"harmless"
,
"engine_name"
:
"Example"
,
"method"
:
"blacklist"
,
"result"
:
"clean"
},
},
"last_analysis_stats"
:
{
"harmless"
:
64
,
"malicious"
:
6
,
"suspicious"
:
1
,
"timeout"
:
0
,
"undetected"
:
8
},
"last_final_url"
:
"http://203.0.113.1/input/?mark=20200207-example.com/31mawe&tpl=example&engkey=bar+chart+click+event"
,
"last_http_response_code"
:
404
,
"last_http_response_content_length"
:
204
,
"last_http_response_content_sha256"
:
"58df637d178e35690516bda9e41e245db836170f046041fdebeedd20eca61d9d"
,
"last_http_response_headers"
:
{
"connection"
:
"keep-alive"
,
"content-length"
:
"204"
,
"content-type"
:
"text/html; charset=iso-8859-1"
,
"date"
:
"Fri, 11 Sep 2020 19:51:50 GMT"
,
"keep-alive"
:
"timeout=60"
,
"server"
:
"nginx"
},
"last_modification_date"
:
1599853921
,
"last_submission_date"
:
1599853405
,
"reputation"
:
0
,
"tags"
:
[
"ip"
],
"targeted_brand"
:
{},
"threat_names"
:
[
"Mal/HTMLGen-A"
],
"times_submitted"
:
3
,
"title"
:
"404 Not Found"
,
"total_votes"
:
{
"harmless"
:
0
,
"malicious"
:
0
},
"trackers"
:
{},
"url"
:
"http://203.0.113.1/input/?mark=20200207-example.com/31mawe&tpl=example&engkey=bar+chart+click+event"
},
"id"
:
" ID
"
,
"links"
:
{
"self"
:
"https://www.virustotal.com/api/v3/urls/ ID
"
},
"type"
:
"url"
,
"comments"
:
[
"text"
:
"attributes/text"
,
"date"
:
"attributes/date"
]
}
"is_risky"
:
true
}
Output messages
The Get Domain Detailsaction can return the following output messages:
| Output message | Message description |
|---|---|
| |
The action succeeded. |
Error executing action "Get Domain Details". Reason: ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Get Domain Detailsaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Get Graph Details
Use the Get Graph Detailsaction to obtain detailed information about graphs in VirusTotal.
This action doesn't run on Google SecOps entities.
Action inputs
The Get Graph Detailsaction requires the following parameters:
| Parameter | Description |
|---|---|
Graph ID
|
Required. A comma-separated list of graph IDs for which to retrieve details. |
Max Links To Return
|
Optional. The maximum number of links to return for each graph. The default value is |
Action outputs
The Get Graph Detailsaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
Case wall table
The Get Graph Detailsaction can provide the following table for every enriched entity:
Table name: Graph ENTITY_ID Links
Table columns:
- Source
- Target
- Connection Type
JSON result
The following example shows the JSON result output received when using the Get Graph Detailsaction:
{
"data"
:
{
"attributes"
:
{
"comments_count"
:
0
,
"creation_date"
:
1603219837
,
"graph_data"
:
{
"description"
:
"Example LLC"
,
"version"
:
"api-5.0.0"
},
"last_modified_date"
:
1603219837
,
"links"
:
[
{
"connection_type"
:
"last_serving_ip_address"
,
"source"
:
"ea241b193c1bd89f999db9231359e7479bc2f05105ce43964955068c5d7c4671"
,
"target"
:
"relationships_last_serving_ip_address_ea241b193c1bd89f999db9231359e7479bc2f05105ce43964955068c5d7c4671"
},
{
"connection_type"
:
"last_serving_ip_address"
,
"source"
:
"relationships_last_serving_ip_address_ea241b193c1bd89f999db9231359e7479bc2f05105ce43964955068c5d7c4671"
,
"target"
:
"203.0.113.3"
},
{
"connection_type"
:
"network_location"
,
"source"
:
"ea241b193c1bd89f999db9231359e7479bc2f05105ce43964955068c5d7c4671"
,
"target"
:
"relationships_network_location_ea241b193c1bd89f999db9231359e7479bc2f05105ce43964955068c5d7c4671"
},
{
"connection_type"
:
"network_location"
,
"source"
:
"relationships_network_location_ea241b193c1bd89f999db9231359e7479bc2f05105ce43964955068c5d7c4671"
,
"target"
:
"203.0.113.3"
},
{
"connection_type"
:
"communicating_files"
,
"source"
:
"203.0.113.3"
,
"target"
:
"relationships_communicating_files_20301133"
},
{
"connection_type"
:
"communicating_files"
,
"source"
:
"relationships_communicating_files_20301133"
,
"target"
:
"4935cc8a4ff76d595e1bfab9fd2e6aa0f7c2fea941693f1ab4586eaba1528f47"
},
{
"connection_type"
:
"communicating_files"
,
"source"
:
"relationships_communicating_files_20301133"
,
"target"
:
"c975794ff65c02b63fae1a94006a75294aac13277ca464e3ea7e40de5eda2b14"
},
{
"connection_type"
:
"communicating_files"
,
"source"
:
"relationships_communicating_files_20301133"
,
"target"
:
"c7752154a2e894a4dec84833bee656357f4b84a9c7f601f586f79de667d8fe5c"
},
{
"connection_type"
:
"communicating_files"
,
"source"
:
"relationships_communicating_files_20301133"
,
"target"
:
"692bb2ed1da43b0408c104b4ca4b4e97e15f3224e37dbea60214bcd991a2cfd3"
},
{
"connection_type"
:
"communicating_files"
,
"source"
:
"relationships_communicating_files_20301133"
,
"target"
:
"74273ef55d8b7d23f7b058c7e47f3cbaf60c823a3e41ffb10e494917bad77381"
},
{
"connection_type"
:
"communicating_files"
,
"source"
:
"relationships_communicating_files_20301133"
,
"target"
:
"f4f2f17c4df1b558cb80c8eab3edf5198970e9d87bd03943d4c2effafb696187"
},
{
"connection_type"
:
"communicating_files"
,
"source"
:
"relationships_communicating_files_20301133"
,
"target"
:
"5edc8496869697aa229540bd6106b6679f6cfcbc6ee4837887183f470b49acb5"
},
{
"connection_type"
:
"communicating_files"
,
"source"
:
"relationships_communicating_files_20301133"
,
"target"
:
"1582da57cb082d3f6835158133aafb5f3b8dcc880a813be135a0ff8099cf0ee8"
},
{
"connection_type"
:
"communicating_files"
,
"source"
:
"relationships_communicating_files_20301133"
,
"target"
:
"be4ccb1ca71a987f481c22a1a43de491353945d815c89cbcc06233d993ac73cf"
},
{
"connection_type"
:
"communicating_files"
,
"source"
:
"relationships_communicating_files_20301133"
,
"target"
:
"60bb6467ee465f23a15f17cd73f7ecb9db9894c5a3186081a1c70fdc6e7607d6"
}
],
"nodes"
:
[
{
"entity_attributes"
:
{
"has_detections"
:
false
},
"entity_id"
:
"ea241b193c1bd89f999db9231359e7479bc2f05105ce43964955068c5d7c4671"
,
"index"
:
0
,
"text"
:
""
,
"type"
:
"url"
,
"x"
:
51.22276722115952
,
"y"
:
65.7811310194184
},
{
"entity_attributes"
:
{},
"entity_id"
:
"relationships_last_serving_ip_address_ea241b193c1bd89f999db9231359e7479bc2f05105ce43964955068c5d7c4671"
,
"index"
:
1
,
"text"
:
""
,
"type"
:
"relationship"
,
"x"
:
25.415664700492094
,
"y"
:
37.66636498768037
},
{
"entity_attributes"
:
{
"country"
:
"US"
},
"entity_id"
:
"203.0.113.3"
,
"fx"
:
-19.03611541222395
,
"fy"
:
24.958500220062717
,
"index"
:
2
,
"text"
:
""
,
"type"
:
"ip_address"
,
"x"
:
-19.03611541222395
,
"y"
:
24.958500220062717
},
{
"entity_attributes"
:
{},
"entity_id"
:
"relationships_network_location_ea241b193c1bd89f999db9231359e7479bc2f05105ce43964955068c5d7c4671"
,
"index"
:
3
,
"text"
:
""
,
"type"
:
"relationship"
,
"x"
:
14.37403861978968
,
"y"
:
56.85562691824892
},
{
"entity_attributes"
:
{},
"entity_id"
:
"relationships_communicating_files_20301133"
,
"index"
:
4
,
"text"
:
""
,
"type"
:
"relationship"
,
"x"
:
-51.78097726144755
,
"y"
:
10.087893225996158
},
{
"entity_attributes"
:
{
"has_detections"
:
true
,
"type_tag"
:
"peexe"
},
"entity_id"
:
"4935cc8a4ff76d595e1bfab9fd2e6aa0f7c2fea941693f1ab4586eaba1528f47"
,
"index"
:
5
,
"text"
:
""
,
"type"
:
"file"
,
"x"
:
-79.11606194776019
,
"y"
:
-18.475026322309112
},
{
"entity_attributes"
:
{
"has_detections"
:
true
,
"type_tag"
:
"peexe"
},
"entity_id"
:
"c975794ff65c02b63fae1a94006a75294aac13277ca464e3ea7e40de5eda2b14"
,
"index"
:
6
,
"text"
:
""
,
"type"
:
"file"
,
"x"
:
-64.80938048199627
,
"y"
:
46.75892061191275
},
{
"entity_attributes"
:
{
"has_detections"
:
true
,
"type_tag"
:
"android"
},
"entity_id"
:
"c7752154a2e894a4dec84833bee656357f4b84a9c7f601f586f79de667d8fe5c"
,
"index"
:
7
,
"text"
:
""
,
"type"
:
"file"
,
"x"
:
-43.54064004476819
,
"y"
:
-28.547923020662786
},
{
"entity_attributes"
:
{
"has_detections"
:
true
,
"type_tag"
:
"android"
},
"entity_id"
:
"692bb2ed1da43b0408c104b4ca4b4e97e15f3224e37dbea60214bcd991a2cfd3"
,
"index"
:
8
,
"text"
:
""
,
"type"
:
"file"
,
"x"
:
-15.529860440278318
,
"y"
:
-2.068209789825876
},
{
"entity_attributes"
:
{
"has_detections"
:
true
,
"type_tag"
:
"android"
},
"entity_id"
:
"74273ef55d8b7d23f7b058c7e47f3cbaf60c823a3e41ffb10e494917bad77381"
,
"index"
:
9
,
"text"
:
""
,
"type"
:
"file"
,
"x"
:
-42.55971948293377
,
"y"
:
46.937155845680415
},
{
"entity_attributes"
:
{
"has_detections"
:
true
,
"type_tag"
:
"html"
},
"entity_id"
:
"f4f2f17c4df1b558cb80c8eab3edf5198970e9d87bd03943d4c2effafb696187"
,
"index"
:
10
,
"text"
:
""
,
"type"
:
"file"
,
"x"
:
-62.447976875107706
,
"y"
:
-28.172418384729067
},
{
"entity_attributes"
:
{
"has_detections"
:
true
,
"type_tag"
:
"android"
},
"entity_id"
:
"5edc8496869697aa229540bd6106b6679f6cfcbc6ee4837887183f470b49acb5"
,
"index"
:
11
,
"text"
:
""
,
"type"
:
"file"
,
"x"
:
-89.0326649183805
,
"y"
:
-2.2638551448322484
},
{
"entity_attributes"
:
{
"has_detections"
:
true
,
"type_tag"
:
"android"
},
"entity_id"
:
"1582da57cb082d3f6835158133aafb5f3b8dcc880a813be135a0ff8099cf0ee8"
,
"index"
:
12
,
"text"
:
""
,
"type"
:
"file"
,
"x"
:
-26.35260716195174
,
"y"
:
-20.25669077264115
},
{
"entity_attributes"
:
{
"has_detections"
:
true
,
"type_tag"
:
"android"
},
"entity_id"
:
"be4ccb1ca71a987f481c22a1a43de491353945d815c89cbcc06233d993ac73cf"
,
"index"
:
13
,
"text"
:
""
,
"type"
:
"file"
,
"x"
:
-82.1415994911387
,
"y"
:
34.89636762607467
},
{
"entity_attributes"
:
{
"has_detections"
:
true
,
"type_tag"
:
"android"
},
"entity_id"
:
" ENTITY_ID
"
,
"index"
:
14
,
"text"
:
""
,
"type"
:
"file"
,
"x"
:
-90.87738694680043
,
"y"
:
16.374462198116138
}
],
"private"
:
false
,
"views_count"
:
30
},
"id"
:
" ID
"
,
"links"
:
{
"self"
:
"https://www.virustotal.com/api/v3/graphs/ ID
"
},
"type"
:
"graph"
}
}
Output messages
The Get Graph Detailsaction can return the following output messages:
| Output message | Message description |
|---|---|
| |
The action succeeded. |
Error executing action "Get Graph Details". Reason: ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Get Graph Detailsaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Get Related Domains
Use the Get Related Domainsaction to obtain the domains related to the provided entities from VirusTotal.
To run the Get Related Domainsaction, the VirusTotal Enterprise (VTE) is required.
This action only supports the MD5, SHA-1, and SHA-256 hashes.
This action runs on the following Google SecOps entities:
-
Hash -
Hostname -
IP Address -
URL
Action inputs
The Get Related Domainsaction requires the following parameters:
Results
Optional.
The order to return JSON results.
The possible values are as follows:
-
Combined -
Per Entity
If you select Combined
,
the action returns all unique results for the provided entities. If you
select Per Entity
, the action returns all unique items for
every entity.
The default value is Combined
.
Max Domains To Return
Optional.
The number of domains to return.
If you select Combined
in the Results
parameter, the action returns the configured
number of domains for all entities. If you select Per Entity
in the Results
parameter, the action returns the configured
number of domains for every entity.
The default value is 40
.
Action outputs
The Get Related Domainsaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Get Related Domainsaction:
{
"domain"
:
[
"example.com"
]
}
Output messages
The Get Related Domainsaction can return the following output messages:
| Output message | Message description |
|---|---|
| |
The action succeeded. |
Error executing action "Get Related Domains". Reason: ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Get Related Domainsaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Get Related Hashes
Use the Get Related Hashesaction to obtain the hashes related to the provided entities from VirusTotal.
To run the Get Related Hashesaction, the VirusTotal Enterprise (VTE) is required.
This action only supports the MD5, SHA-1, and SHA-256 hashes.
This action runs on the following Google SecOps entities:
-
Hash -
Hostname -
IP Address -
URL
Action inputs
The Get Related Hashesaction requires the following parameters:
Results
Optional.
The order to return JSON results.
The possible values are as follows:
-
Combined -
Per Entity
If you select Combined
,
the action returns all unique results for the provided entities. If you
select Per Entity
, the action returns all unique items for
every entity.
The default value is Combined
.
Max Hashes To Return
Optional.
The number of file hashes to return.
If you select Combined
in the Results
parameter, the action
returns the configured number of hashes for all entities. If you select Per Entity
in the Results
parameter, the action
returns the configured number of hashes for every entity.
The default value is 40
.
Action outputs
The Get Related Hashesaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Get Related Hashesaction:
{
"sha256_hashes"
:
[
"http://example.com"
]
}
Output messages
The Get Related Hashesaction can return the following output messages:
| Output message | Message description |
|---|---|
| |
The action succeeded. |
Error executing action "Get Related Hashes". Reason: ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Get Related Hashesaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Get Related IPs
Use the Get Related IPsaction to obtain the IP addresses related to the provided entities from VirusTotal.
To run the Get Related IPsaction, the VirusTotal Enterprise (VTE) is required.
This action only supports the MD5, SHA-1, and SHA-256 hashes.
This action runs on the following Google SecOps entities:
-
Hash -
Hostname -
IP Address -
URL
Action inputs
The Get Related IPsaction requires the following parameters:
Results
Optional.
The order to return JSON results.
The possible values are as follows:
-
Combined -
Per Entity
If you select Combined
,
the action returns all unique results for the provided entities. If you
select Per Entity
, the action returns all unique items for
every entity.
The default value is Combined
.
Max IPs To Return
Optional.
The number of IP addresses to return.
If you select Combined
in the Results
parameter, the action
returns the configured number of IP addresses for all entities. If you select Per Entity
in the Results
parameter, the action
returns the configured number of IP addresses for every entity.
The default value is 40
.
Action outputs
The Get Related IPsaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Get Related IPsaction:
{
"ips"
:
[
"203.0.113.1"
]
}
Output messages
The Get Related IPsaction can return the following output messages:
| Output message | Message description |
|---|---|
| |
The action succeeded. |
Error executing action "Get Related IPs". Reason: ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Get Related IPsaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Get Related URLs
Use the Get Related URLsaction to obtain the URLs related to the provided entities from VirusTotal.
To run the Get Related URLsaction, the VirusTotal Enterprise (VTE) is required.
This action only supports the MD5, SHA-1, and SHA-256 hashes.
This action runs on the following Google SecOps entities:
-
Hash -
jsHostname -
IP Address -
URL
Action inputs
The Get Related URLsaction requires the following parameters:
Results
Optional.
The order to return JSON results.
The possible values are as follows:
-
Combined -
Per Entity
If you select Combined
,
the action returns all unique results for the provided entities. If you
select Per Entity
, the action returns all unique items for
every entity.
The default value is Combined
.
Max URLs To Return
Optional.
The number of URLs to return.
If you select Combined
in the Results
parameter, the action
returns the configured number of URLs for all entities. If you select Per Entity
in the Results
parameter, the action
returns the configured number of URLs for every entity.
The default value is 40
.
Action outputs
The Get Related URLsaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Get Related URLsaction:
{
"urls"
:
[
"http://example.com"
]
}
Output messages
The Get Related URLsaction can return the following output messages:
| Output message | Message description |
|---|---|
| |
The action succeeded. |
Error executing action "Get Related URLs". Reason: ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Get Related URLsaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Ping
Use the Pingaction to test the connectivity to VirusTotal.
This action doesn't run on Google SecOps entities.
Action inputs
None.
Action outputs
The Pingaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Pingaction can return the following output messages:
| Output message | Message description |
|---|---|
| |
The action succeeded. |
Failed to connect to the VirusTotal server! Error is ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Pingaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Search Entity Graphs
Use the Search Entity Graphsaction to search graphs that are based on the entities in VirusTotal.
This action only supports the MD5, SHA-1, and SHA-256 hashes.
This action runs on the following Google SecOps entities:
-
Hash -
IP Address -
Threat Actor -
URL -
User
Action inputs
The Search Entity Graphsaction requires the following parameters:
Sort Field
Optional.
The field value to sort the VirusTotal graphs.
The default value is Owner
.
The possible values are as follows:
-
Owner -
Creation Date -
Last Modified Date -
Views Count -
Comments Count
Max Graphs To Return
Optional.
The maximum number of graphs to return for every action run.
The default value is 10
.
Action outputs
The Search Entity Graphsaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Search Entity Graphsaction:
{
"data"
:
[
{
"attributes"
:
{
"graph_data"
:
{
"description"
:
"EXAMPLE"
,
"version"
:
"5.0.0"
}
},
"id"
:
" ID
"
,
"links"
:
{
"self"
:
"https://www.virustotal.com/api/v3/graphs/ ID
"
},
"type"
:
"graph"
},
{
"attributes"
:
{
"graph_data"
:
{
"description"
:
"Example Feb2020"
,
"version"
:
"5.0.0"
}
},
"id"
:
" ID_2
"
,
"links"
:
{
"self"
:
"https://www.virustotal.com/api/v3/graphs/ ID_2
"
},
"type"
:
"graph"
}
],
"links"
:
{
"next"
:
"https://www.virustotal"
,
"self"
:
"https://www.virustotal.com/api/v3/graphs?filter=ip_address:203.0.113.3%20OR%20file: FILE_ID
&order=last_modified_date&limit=2&attributes=graph_data"
},
"meta"
:
{
"cursor"
:
"True:CsEGCo0CCusBAP8_vihw3_S_"
}
}
Output messages
The Search Entity Graphsaction can return the following output messages:
| Output message | Message description |
|---|---|
| |
The action succeeded. |
Error executing action "Search Entity Graphs". Reason: ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Search Graphs
Use the Search Graphsaction to search graphs based on custom filters in VirusTotal.
This action doesn't run on Google SecOps entities.
Query
Required.
The query filter for the graph.
For more information about queries, see How to create queries and Graph-related modifiers .
Sort Field
Optional.
The field value to sort the VirusTotal graphs.
The default value is Owner
.
The possible values are as follows:
-
Owner -
Creation Date -
Last Modified Date -
Views Count -
Comments Count
Max Graphs To Return
Optional.
The maximum number of graphs to return for every action run.
The default value is 10
.
How to create queries
To refine search results from graphs, create queries that contain graph-related
modifiers
. To improve the search, you can combine
modifiers with AND
, OR
, and NOT
operators.
Date and numeric fields support plus ( +
) or minus ( -
) suffixes. A plus
suffix matches values greater than the provided value. A minus suffix matches
values less than the provided value. Without a suffix, the query returns exact
matches.
To define ranges, you can use the same modifier multiple times in a query. For example, to search graphs that are created between 2018-11-15 and 2018-11-20, use the following query:
creation_date:2018-11-15+ creation_date:2018-11-20-
For dates or months that begin with 0
, remove the 0
character in the query.
For example, format the date of 2018-11-01 as 2018-11-1
.
Graph-related modifiers
The following table lists modifiers which you can use to construct the search query:
| Modifier | Description | Example |
|---|---|---|
Id
|
Filters by graph identifier. | id:g675a2fd4c8834e288af
|
Name
|
Filters by graph name. | name:Example-name
|
Owner
|
Filters by graphs owned by the user. | owner:example_user
|
Group
|
Filters by graphs owned by a group. | group:example
|
Visible_to_user
|
Filters by graphs visible to the user. | visible_to_user:example_user
|
Visible_to_group
|
Filters by graphs visible to the group. | visible_to_group:example
|
Private
|
Filters by private graphs. | private:true
, private:false
|
Creation_date
|
Filters by the graph creation date. | creation_date:2018-11-15
|
last_modified_date
|
Filters by the latest graph modification date. | last_modified_date:2018-11-20
|
Total_nodes
|
Filters by graphs that contain a specific number of nodes. | total_nodes:100
|
Comments_count
|
Filters by the number of comments in the graph. | comments_count:10+
|
Views_count
|
Filters by the number of graph views. | views_count:1000+
|
Label
|
Filters by graphs that contain nodes with a specific label. | label:Kill switch
|
File
|
Filters by graphs that contain the specific file. | file:131f95c51cc819465fa17
|
Domain
|
Filters by graphs that contain the specific domain. | domain:example.com
|
Ip_address
|
Filters by graphs that contain the specific IP address. | ip_address:203.0.113.1
|
Url
|
Filters by graphs that contain the specific URL. | url:https://example.com/example/
|
Actor
|
Filters by graphs that contain the specific actor. | actor:example actor
|
Victim
|
Filters by graphs that contain the specific victim. | victim:example_user
|
Email
|
Filters by graphs that contain the specific email address. | email:user@example.com
|
Department
|
Filters by graphs that contain the specific department. | department:engineers
|
Action outputs
The Search Graphsaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Search Graphsaction:
{
"data"
:
[
{
"attributes"
:
{
"graph_data"
:
{
"description"
:
"EXAMPLE"
,
"version"
:
"5.0.0"
}
},
"id"
:
" ID
"
,
"links"
:
{
"self"
:
"https://www.virustotal.com/api/v3/graphs/ ID
"
},
"type"
:
"graph"
},
{
"attributes"
:
{
"graph_data"
:
{
"description"
:
"Example Feb2020"
,
"version"
:
"5.0.0"
}
},
"id"
:
" ID_2
"
,
"links"
:
{
"self"
:
"https://www.virustotal.com/api/v3/graphs/ ID_2
"
},
"type"
:
"graph"
}
],
"links"
:
{
"next"
:
"https://www.virustotal"
,
"self"
:
"https://www.virustotal.com/api/v3/graphs?filter=ip_address:203.0.113.3%20OR%20file: FILE_ID
&order=last_modified_date&limit=2&attributes=graph_data"
},
"meta"
:
{
"cursor"
:
"True:CsEGCo0CCusBAP8_vihw3_S_"
}
}
Output messages
The Search Graphsaction can return the following output messages:
| Output message | Message description |
|---|---|
| |
The action succeeded. |
Error executing action "Search Graphs". Reason: ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Search Graphsaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Search IOCs
Use the Search IOCsaction to search for IOCs in the VirusTotal dataset.
To run the Search IOCsaction, the VirusTotal Enterprise (VTE) is required.
This action doesn't run on Google SecOps entities.
Action inputs
The Search IOCsaction requires the following parameters:
Query
Required.
The query to search IOCs.
The default value is ""
.
To configure the query, follow the query syntax applicable to the VirusTotal Intelligence user interface.
Create Entities
Optional.
If selected, the action creates entities for the returned IOCs.
This action does not enrich entities.
Not selected by default.
Order By
Required.
The order field to return the results.
The possible values are as follows:
-
Use Default Order -
Last Submission Date -
First Submission Date -
Positives -
Times Submitted -
Creation Date -
Last Modification Date Last Update Date
Entity types can have different order fields. For more information about how to search for files in VirusTotal, see Advanced corpus search .
The default value is Use Default
Order
.
Sort Order
Optional.
The order to sort the results.
The possible values are as follows:
-
Ascending -
Descending
If you set Use Default Order
value for the Order
By
parameter, the action ignores this parameter.
The default
value is Descending
.
Max IOCs To Return
Optional.
The number of IOCs to return.
The maximum value is 300
.
The default value is 10
.
Action outputs
The Search IOCsaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Search IOCsaction:
{
"data"
:
[
{
"attributes"
:
{
"type_description"
:
"Email"
,
"tlsh"
:
"T1B4D31F04BE452B3093E7238E064E6FDBAFCC135F6611F1C60881AAD6C5C77A2E57D689"
,
"exiftool"
:
{
"MIMEType"
:
"text/plain"
,
"FileType"
:
"TXT"
,
"WordCount"
:
"2668"
,
"LineCount"
:
"1820"
,
"MIMEEncoding"
:
"us-ascii"
,
"FileTypeExtension"
:
"txt"
,
"Newlines"
:
"Windows CRLF"
},
"type_tags"
:
[
"internet"
,
"email"
],
"threat_severity"
:
{
"threat_severity_level"
:
"SEVERITY_HIGH"
,
"threat_severity_data"
:
{
"num_gav_detections"
:
3
,
"has_vulnerabilities"
:
true
,
"popular_threat_category"
:
"trojan"
,
"type_tag"
:
"email"
,
"has_embedded_ips_with_detections"
:
true
},
"last_analysis_date"
:
"1698050597"
,
"version"
:
2
,
"level_description"
:
"Severity HIGH because it was considered trojan. Other contributing factors were that it has known exploits, it contains embedded IPs with detections and it could not be run in sandboxes."
},
"names"
:
[
"Re Example.eml"
],
"last_modification_date"
:
1698057197
,
"type_tag"
:
"email"
,
"times_submitted"
:
1
,
"total_votes"
:
{
"harmless"
:
0
,
"malicious"
:
0
},
"size"
:
132299
,
"popular_threat_classification"
:
{
"suggested_threat_label"
:
"obfsobjdat/malformed"
,
"popular_threat_name"
:
[
{
"count"
:
8
,
"value"
:
"obfsobjdat"
},
{
"count"
:
2
,
"value"
:
"malformed"
}
]
},
"last_submission_date"
:
1698049979
,
"last_analysis_results"
:
{
"Bkav"
:
{
"category"
:
"undetected"
,
"engine_name"
:
"Example1"
,
"engine_version"
:
"2.0.0.1"
,
"result"
:
null
,
"method"
:
"blacklist"
,
"engine_update"
:
"20231023"
},
"Lionic"
:
{
"category"
:
"undetected"
,
"engine_name"
:
"Example2"
,
"engine_version"
:
"7.5"
,
"result"
:
null
,
"method"
:
"blacklist"
,
"engine_update"
:
"20231023"
},
},
"downloadable"
:
true
,
"trid"
:
[
{
"file_type"
:
"file seems to be plain text/ASCII"
,
"probability"
:
0
}
],
"sha256"
:
"2d9df36964fe2e477e6e0f7a73391e4d4b2eeb0995dd488b431c4abfb4c27dbf"
,
"type_extension"
:
"eml"
,
"tags"
:
[
"exploit"
,
"cve-2018-0802"
,
"cve-2018-0798"
,
"email"
,
"cve-2017-11882"
],
"last_analysis_date"
:
1698049979
,
"unique_sources"
:
1
,
"first_submission_date"
:
1698049979
,
"ssdeep"
:
"768:MedEkBNnx8ueVV+fitChi9KbpK0fixbRwHbcElIK944tCVQOgzdsSuom+cWmsCGY:Meo+fitC0mKuixYxlI1OO1cSPo0gptA"
,
"md5"
:
"bdfe36052e0c083869505ef4fd77e865"
,
"sha1"
:
"3a350de97009efe517ceffcea406534bb1ab800c"
,
"magic"
:
"SMTP mail, ASCII text, with CRLF line terminators"
,
"last_analysis_stats"
:
{
"harmless"
:
0
,
"type-unsupported"
:
16
,
"suspicious"
:
0
,
"confirmed-timeout"
:
0
,
"timeout"
:
0
,
"failure"
:
0
,
"malicious"
:
28
,
"undetected"
:
32
},
"meaningful_name"
:
"Re Example.eml"
,
"reputation"
:
0
},
"type"
:
"file"
,
"id"
:
" ID
"
,
"links"
:
{
"self"
:
" URL
"
}
},
]
}
Output messages
The Search IOCsaction can return the following output messages:
| Output message | Message description |
|---|---|
| |
The action succeeded. |
Error executing action "Search IOCs". Reason: ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Search IOCsaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Submit File
Use the Submit Fileaction to submit a file and return results from VirusTotal.
This action doesn't run on Google SecOps entities.
Action inputs
The Submit Fileaction requires the following parameters:
File Paths
Required.
A comma-separated list of absolute paths for the files to submit.
If you configure the Linux Server Address
parameter, the
action attempts to retrieve the file from the remote server.
Engine Threshold
Optional.
The minimum number of engines that must classify a file as malicious or suspicious for it to be considered suspicious.
If you configure the Engine Whitelist
, the action only counts the results from the
specified engines.
Engine Percentage Threshold
Optional.
The minimum percentage of engines that must classify the file as malicious or suspicious for it to be considered suspicious.
Engine Whitelist
Optional.
A comma-separated list of engine names to consider when evaluating the
risk, such as AlienVault,Kaspersky
.
If you don't set a value, the action uses all available engines. The threshold calculation doesn't include engines which that provide no information about entities.
Retrieve Comments
Optional.
If selected, the action retrieves comments that are associated with the file from VirusTotal.
Selected by default.
When private submission is enabled, comments are not fetched.
Retrieve Sigma Analysis
Optional.
If selected, the action retrieves the Sigma analysis results for the file.
Selected by default.
Max Comments To Return
Optional.
The maximum number of comments to retrieve for every action run.
The default value is 50
.
Linux Server Address
Optional.
The IP address or hostname of a remote Linux server where the files are located.
Linux Username
Optional.
The username to authenticateto the remote Linux server.
Linux Password
Optional.
The password to authenticate to the remote Linux server.
Private Submission
Optional.
If selected, the action submits the file privately. To submit the file privately, the VirusTotal Premium access is required.
Not selected by default.
Fetch MITRE Details
Optional.
If selected, the action retrieves MITRE ATT&CK techniques and tactics that are related to the hash.
Not selected by default.
Lowest MITRE Technique Severity
Optional.
The minimum severity level for a MITRE ATT&CK technique to include in the
results. The action treats the Unknown
severity as Info
.
The possible values are as follows:
-
High -
Medium -
Low -
Info
The default value is Low
.
Retrieve AI Summary
Optional.
This parameter is experimental.
If selected, the action retrieves an AI-generated summary for the file. This option is only available for private submissions.
Not selected by default.
Action outputs
The Submit Fileaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Available |
| Case wall table | Available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
Case wall link
The Submit Fileaction can provide the following link for every enriched entity:
Name: Report Link: PATH
Value: URL
Case wall table
The Submit Fileaction can provide the following table for every submitted file:
Table name: Results: PATH
Table columns:
- Name
- Category
- Method
- Result
The Submit Fileaction can provide the following table for every submitted file that has comments:
Table name: Comments: PATH
Table columns:
- Date
- Comment
- Abuse Votes
- Negative Votes
- Positive Votes
- ID
The Submit Fileaction can provide the following table for every entity that has the Sigma analysis results:
Table name: Sigma Analysis: ENTITY_ID
Table columns:
- ID
- Severity
- Source
- Title
- Description
- Match Context
JSON result
The following example shows the JSON result output received when using the Submit Fileaction:
{
"data"
:
{
"attributes"
:
{
"categories"
:
{
"Dr.Web"
:
"known infection source/not recommended site"
,
"Forcepoint ThreatSeeker"
:
"compromised websites"
,
"sophos"
:
"malware repository, spyware and malware"
},
"first_submission_date"
:
1582300443
,
"html_meta"
:
{},
"last_analysis_date"
:
1599853405
,
"last_analysis_results"
:
{
"EXAMPLELabs"
:
{
"category"
:
"harmless"
,
"engine_name"
:
"EXAMPLELabs"
,
"method"
:
"blacklist"
,
"result"
:
"clean"
},
"Example"
:
{
"category"
:
"harmless"
,
"engine_name"
:
"Example"
,
"method"
:
"blacklist"
,
"result"
:
"clean"
},
},
"last_analysis_stats"
:
{
"harmless"
:
64
,
"malicious"
:
6
,
"suspicious"
:
1
,
"timeout"
:
0
,
"undetected"
:
8
},
"last_final_url"
:
"http://203.0.113.1/input/?mark=20200207-example.com/31mawe&tpl=example&engkey=bar+chart+click+event"
,
"last_http_response_code"
:
404
,
"last_http_response_content_length"
:
204
,
"last_http_response_content_sha256"
:
"58df637d178e35690516bda9e41e245db836170f046041fdebeedd20eca61d9d"
,
"last_http_response_headers"
:
{
"connection"
:
"keep-alive"
,
"content-length"
:
"204"
,
"content-type"
:
"text/html; charset=iso-8859-1"
,
"date"
:
"Fri, 11 Sep 2020 19:51:50 GMT"
,
"keep-alive"
:
"timeout=60"
,
"server"
:
"nginx"
},
"last_modification_date"
:
1599853921
,
"last_submission_date"
:
1599853405
,
"reputation"
:
0
,
"tags"
:
[
"ip"
],
"targeted_brand"
:
{},
"threat_names"
:
[
"Mal/HTMLGen-A"
],
"times_submitted"
:
3
,
"title"
:
"404 Not Found"
,
"total_votes"
:
{
"harmless"
:
0
,
"malicious"
:
0
},
"trackers"
:
{},
"url"
:
"http://203.0.113.1/input/?mark=20200207-example.com/31mawe&tpl=example&engkey=bar+chart+click+event"
},
"id"
:
" ID
"
,
"links"
:
{
"self"
:
"https://www.virustotal.com/api/v3/urls/ ID
"
},
"type"
:
"url"
,
"comments"
:
[
"text"
:
"attributes/text"
,
"date"
:
"attributes/date"
]
}
"is_risky"
:
true
}
Output messages
The Submit Fileaction can return the following output messages:
| Output message | Message description |
|---|---|
| |
The action succeeded. |
Error executing action "Submit File". Reason: ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Submit Fileaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Connectors
For more detail about how to configure connectors in Google SecOps, see Ingest your data (connectors) .
VirusTotal - Livehunt Connector
Use the VirusTotal - Livehunt Connectorto pull information about the VirusTotal Livehunt notifications and related files.
This connector requires a VirusTotal Premium API token. The dynamic list works
with the rule_name
parameter.
Connector inputs
The VirusTotal - Livehunt Connectorrequires the following parameters:
| Parameter | Description |
|---|---|
Product Field Name
|
Required. The name of the field where the product name is stored. The default
value is The product name
primarily impacts mapping. To streamline and improve the mapping process for
the connector, the default value |
Event Field Name
|
Required. The name of the field where the event name (subtype) is stored. The
default value is |
Environment Field Name
|
Optional. The name of the field where the environment name is stored. If the environment field isn't found, the connector uses the default value. The default value is |
Environment Regex Pattern
|
Optional. A regular expression pattern to run on the value found in the Use the
default value If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
PythonProcessTimeout
|
Required. The timeout limit in seconds for the Python process that runs the current script. The default value is |
API Key
|
Required. The VirusTotal API key. |
Verify SSL
|
Required. If selected, the integration validates the SSL certificate when connecting to VirusTotal. Selected by default. |
Engine Whitelist
|
Optional. A comma-separated list of engine names to consider when evaluating the If you don't set a value, the action uses all available engines. |
Engine Percentage Threshold To Fetch
|
Required. The minimum percentage of engines that mark the file as malicious or suspicious for the connector to ingest the file. The valid values are
from The default value is |
Max Hours Backwards
|
Optional. The number of hours before the first connector iteration to retrieve the incidents. This parameter can apply to the initial connector iteration after you enable the connector for the first time or the fallback value for an expired connector timestamp. The default value is |
Max Notifications To Fetch
|
Optional. The maximum number of notifications to process in every connector run. The default value is |
Use dynamic list as a blacklist
|
Required. If selected, the dynamic list is used as a blocklist. Not selected by default. |
Proxy Server Address
|
Optional. The address of the proxy server to use. |
Proxy Username
|
Optional. The username for proxy server authentication. |
Proxy Password
|
Optional. The password for proxy server authentication. |
Connector rules
The connector supports proxies.
Need more help? Get answers from Community members and Google SecOps professionals.
