Fortinet Document Library

Version:


Table of Contents

1.0.1
Copy Link

About the connector

VirusTotal provides a service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware.

This document provides information about the VirusTotal connector, which facilitates automated interactions, with a VirusTotal server using FortiSOAR™playbooks. Add the VirusTotal connector as a step in FortiSOAR™playbooks and perform automated operations, such as scanning and analyzing suspicious files and URLs and retrieving reports from VirusTotal for files, IP addresses, and domains.

 

Version information

Connector Version: 1.0.1

Compatibility with FortiSOAR™Versions: 4.9.0.0-708 and later

Compatibility with VirusTotal Versions: 2.0 and later

Authored By: Fortinet

Certified: Yes

Release Notes for version 1.0.1

Following enhancements have been made to the VirusTotal Connector in version 1.0.1:

  • Masked the text entered in the API Field field, on the Configuration page.

  • Renamed the API Server configuration parameter to Server URL and added the Verify SSL parameter on the Configuration page.

  • Added a link to the online help.

 

Installing the connector

All connectors provided by FortiSOAR™are delivered using a FortiSOAR™repository. Therefore, you must set up your FortiSOAR™repository and use the yum command to install connectors:

yum install cyops-connector-virustotal

For the detailed procedure to install a connector, click here.

Prerequisites to configuring the connector

  • You must have the URL and credentials of the VirusTotal server on which you will perform the automated operations.
  • You must have the API key for the VirusTotal server.
  • To access the FortiSOAR™UI, ensure that port 443 is open through the firewall for the FortiSOAR™instance.

 

Configuring the connector

For the procedure to configure a connector, click here.

 

Configuration parameters

In CyOPs™, on the Connectors page, select the VirusTotal connector and click Configure to configure the following parameters:

 

Parameter Description
Server URL URL of the VirusTotal endpoint server to which you will connect and perform the automated operations
API Key API key to access the VirusTotal endpoint.
Verify SSL Verify SSL connection to the VirusTotal server.
Defaults to True.

 

 

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™release 4.10.0 onwards:

 

Function Description Annotation and Category
Submit File Scans and analyzes files submitted from FortiSOAR™to VirusTotal determine if they are suspicious. submit_sample
Investigation
Submit URL for scanning Scans and analyzes URLs submitted to VirusTotal to determine if they are suspicious. submit_url
Investigation
Get File Reputation Retrieves a report from VirusTotal for the file that you have submitted using file hash. file_reputation
Investigation
Get IP Reputation Retrieves a report from VirusTotal for the IP addresses submitted to determine if they are suspicious. ip_reputation
Investigation
Get Domain Reputation Retrieves a report from VirusTotal for the domains submitted to determine if they are suspicious. domain_reputation
Investigation
Get URL Reputation Retrieves a report from VirusTotal for the URL submitted to determine if they are suspicious. url_reputation
Investigation

 

operation: Submit File

Input parameters

 

Note: Using this operation, you submit files available in the FortiSOAR™'Attachments' module to VirusTotal.

 

Parameter Description
Type Type can be an Attachment ID or a File IRI.
Reference ID Reference ID that is used to access the attachment metadata from the FortiSOAR™Attachments module.
In the playbook, this defaults to the{{vars.attachment_id}} value or the {{vars.file_iri}} value.

 

Output

The JSON output contains the scan_id for the file. You can use this scan_id in future to query and retrieve scan reports from VirusTotal for this file.

Following image displays a sample output:

 

Sample output of the Submit File operation

 

operation: Submit URL for scanning

Input parameters

 

Parameter Description
Scan URL URL that you want to submit to VirusTotal for scanning.

 

Output

The JSON output contains the scan_id for the URL. You can use this scan_id in future to query and retrieve scan reports from VirusTotal for this URL.

Following image displays a sample output:

 

Sample output of the Submit URL for scanning operation

 

operation: Get File Reputation

Input parameters

 

Parameter Description
File Hash File Hash of the file for which you want to retrieve a VirusTotal report.

 

Output

The JSON contains the report from VirusTotal for a sample based on the specified file hash. You can use this report to determine if the submitted files are suspicious.

Following image displays a sample output:

 

Sample output of the Get File Reputation operation

 

operation: Get IP Reputation

Input parameters

 

Parameter Description
IP Address IP address for which you want to retrieve a VirusTotal report.

 

Output

The JSON contains the report from VirusTotal for a sample based on the specified IP address. You can use this report to determine if the submitted IP address is suspicious.

Following image displays a sample output:

 

Sample output of the Get IP Reputation operation

 

operation: Get Domain Reputation

Input parameters

 

Parameter Description
Domain Domain name for which you want to retrieve a VirusTotal report.

 

Output

The JSON contains the report from VirusTotal for a sample based on the specified domain name. You can use this report to determine if the submitted domain is suspicious.

Following image displays a sample output:

 

Sample output of the Get Domain Reputation operation

 

operation: Get URL Reputation

Input parameters

 

Parameter Description
URL URL for which you want to retrieve a VirusTotal report.

 

Output

The JSON contains the report from VirusTotal for a sample based on the specified URL. You can use this report to determine if the submitted URL is suspicious.

Following image displays a sample output:

 

Sample output of the Get URL Reputation operation

 

Included playbooks

The Sample - VirusTotal - 1.0.0 playbook collection comes bundled with the Whois RDAP connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™after importing the Whois RDAP connector.

  • Submit File
  • Get File Reputation
  • Submit URL for scanning
  • Get URL Reputation
  • Get Domain Reputation
  • Get IP Reputation

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and delete.

 

About the connector

VirusTotal provides a service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware.

This document provides information about the VirusTotal connector, which facilitates automated interactions, with a VirusTotal server using FortiSOAR™playbooks. Add the VirusTotal connector as a step in FortiSOAR™playbooks and perform automated operations, such as scanning and analyzing suspicious files and URLs and retrieving reports from VirusTotal for files, IP addresses, and domains.

 

Version information

Connector Version: 1.0.1

Compatibility with FortiSOAR™Versions: 4.9.0.0-708 and later

Compatibility with VirusTotal Versions: 2.0 and later

Authored By: Fortinet

Certified: Yes

Release Notes for version 1.0.1

Following enhancements have been made to the VirusTotal Connector in version 1.0.1:

 

Installing the connector

All connectors provided by FortiSOAR™are delivered using a FortiSOAR™repository. Therefore, you must set up your FortiSOAR™repository and use the yum command to install connectors:

yum install cyops-connector-virustotal

For the detailed procedure to install a connector, click here.

Prerequisites to configuring the connector

 

Configuring the connector

For the procedure to configure a connector, click here.

 

Configuration parameters

In CyOPs™, on the Connectors page, select the VirusTotal connector and click Configure to configure the following parameters:

 

Parameter Description
Server URL URL of the VirusTotal endpoint server to which you will connect and perform the automated operations
API Key API key to access the VirusTotal endpoint.
Verify SSL Verify SSL connection to the VirusTotal server.
Defaults to True.

 

 

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™release 4.10.0 onwards:

 

Function Description Annotation and Category
Submit File Scans and analyzes files submitted from FortiSOAR™to VirusTotal determine if they are suspicious. submit_sample
Investigation
Submit URL for scanning Scans and analyzes URLs submitted to VirusTotal to determine if they are suspicious. submit_url
Investigation
Get File Reputation Retrieves a report from VirusTotal for the file that you have submitted using file hash. file_reputation
Investigation
Get IP Reputation Retrieves a report from VirusTotal for the IP addresses submitted to determine if they are suspicious. ip_reputation
Investigation
Get Domain Reputation Retrieves a report from VirusTotal for the domains submitted to determine if they are suspicious. domain_reputation
Investigation
Get URL Reputation Retrieves a report from VirusTotal for the URL submitted to determine if they are suspicious. url_reputation
Investigation

 

operation: Submit File

Input parameters

 

Note: Using this operation, you submit files available in the FortiSOAR™'Attachments' module to VirusTotal.

 

Parameter Description
Type Type can be an Attachment ID or a File IRI.
Reference ID Reference ID that is used to access the attachment metadata from the FortiSOAR™Attachments module.
In the playbook, this defaults to the{{vars.attachment_id}} value or the {{vars.file_iri}} value.

 

Output

The JSON output contains the scan_id for the file. You can use this scan_id in future to query and retrieve scan reports from VirusTotal for this file.

Following image displays a sample output:

 

Sample output of the Submit File operation

 

operation: Submit URL for scanning

Input parameters

 

Parameter Description
Scan URL URL that you want to submit to VirusTotal for scanning.

 

Output

The JSON output contains the scan_id for the URL. You can use this scan_id in future to query and retrieve scan reports from VirusTotal for this URL.

Following image displays a sample output:

 

Sample output of the Submit URL for scanning operation

 

operation: Get File Reputation

Input parameters

 

Parameter Description
File Hash File Hash of the file for which you want to retrieve a VirusTotal report.

 

Output

The JSON contains the report from VirusTotal for a sample based on the specified file hash. You can use this report to determine if the submitted files are suspicious.

Following image displays a sample output:

 

Sample output of the Get File Reputation operation

 

operation: Get IP Reputation

Input parameters

 

Parameter Description
IP Address IP address for which you want to retrieve a VirusTotal report.

 

Output

The JSON contains the report from VirusTotal for a sample based on the specified IP address. You can use this report to determine if the submitted IP address is suspicious.

Following image displays a sample output:

 

Sample output of the Get IP Reputation operation

 

operation: Get Domain Reputation

Input parameters

 

Parameter Description
Domain Domain name for which you want to retrieve a VirusTotal report.

 

Output

The JSON contains the report from VirusTotal for a sample based on the specified domain name. You can use this report to determine if the submitted domain is suspicious.

Following image displays a sample output:

 

Sample output of the Get Domain Reputation operation

 

operation: Get URL Reputation

Input parameters

 

Parameter Description
URL URL for which you want to retrieve a VirusTotal report.

 

Output

The JSON contains the report from VirusTotal for a sample based on the specified URL. You can use this report to determine if the submitted URL is suspicious.

Following image displays a sample output:

 

Sample output of the Get URL Reputation operation

 

Included playbooks

The Sample - VirusTotal - 1.0.0 playbook collection comes bundled with the Whois RDAP connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™after importing the Whois RDAP connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and delete.