VirusTotal provides a service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware.
This document provides information about the VirusTotal connector, which facilitates automated interactions, with a VirusTotal server using FortiSOAR™ playbooks. Add the VirusTotal connector as a step in FortiSOAR™ playbooks and perform automated operations, such as scanning and analyzing suspicious files and URLs and retrieving reports from VirusTotal for files, IP addresses, and domains.
Connector Version: 2.0.0
FortiSOAR™ Version Tested on: 7.0.0-480
VirusTotal Version Tested on: 3.0
Authored By: Fortinet
Certified: Yes
Following enhancements have been made to the VirusTotal Connector in version 2.0.0:
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root
user to install connectors from an SSH session:
yum install cyops-connector-virustotal
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the VirusTotal connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server URL | URL of the VirusTotal endpoint server to which you will connect and perform the automated operations. |
API Key | API key to access the VirusTotal endpoint to which you will connect and perform the automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from version 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Submit File | Scans and analyzes files submitted to VirusTotal from FortiSOAR™ to determine if it is suspicious based on the Attachment ID or File IRI you have specified. | submit_sample Investigation |
Submit URL for scanning | Scans and analyzes the URL submitted to VirusTotal to determine if it is suspicious based on the URL you have specified. | submit_url Investigation |
Get File Reputation | Retrieves a report from VirusTotal for the file that you have submitted to determine if it is suspicious based on the file hash value you have specified. | file_reputation Investigation |
Get IP Reputation | Retrieves a report from VirusTotal for the IP address submitted to determine if it is suspicious based on the IP address you have specified. | ip_reputation Investigation |
Get Domain Reputation | Retrieves a report from VirusTotal for the domain submitted to determine if it is suspicious based on the domain name you have specified. | domain_reputation Investigation |
Get URL Reputation | Retrieves a report from VirusTotal for the URL submitted to determine if it is suspicious based on the URL you have specified. | url_reputation Investigation |
Get Analysis Details | Retrieve details of a File or URL analysis from VirusTotal for the File or URL that you had submitted for scanning and analysis to VirusTotal using the "Submit File" or "Submit URL for scanning" action. | analysis_file Investigation |
Note: Using this operation, you submit files available in the FortiSOAR™ 'Attachments' module to VirusTotal.
Parameter | Description |
---|---|
Type | Type of file that you want to submit to VirusTotal for analysis. Type can be an Attachment ID or a File IRI. |
Reference ID | Reference ID that is used to access the attachment metadata from the FortiSOAR™ Attachments module.In the playbook, this defaults to the {{vars.attachment_id}} value or the {{vars.file_iri}} value. |
The JSON output contains the scan_id
for the file. You can use this scan_id in the future to query and retrieve scan reports from VirusTotal for this file.
The output contains the following populated JSON schema:
{
"id": "",
"type": ""
}
Parameter | Description |
---|---|
Scan URL | URL that you want to submit to VirusTotal for scanning. |
The JSON output contains the scan_id
for the URL. You can use this scan_id in the future to query and retrieve scan reports from VirusTotal for this URL.
The output contains the following populated JSON schema:
{
"type": "",
"id": ""
}
Parameter | Description |
---|---|
File Hash | File Hash of the file for which you want to retrieve a VirusTotal report. |
The JSON contains the report from VirusTotal for a sample based on the specified file hash. You can use this report to determine if the submitted files are suspicious.
The output contains the following populated JSON schema:
{
"attributes": {
"type_description": "",
"tlsh": "",
"trid": [],
"names": [],
"last_modification_date": "",
"type_tag": "",
"times_submitted": "",
"total_votes": {
"harmless": "",
"malicious": ""
},
"size": "",
"type_extension": "",
"last_submission_date": "",
"last_analysis_results": {},
"sha256": "",
"tags": [],
"last_analysis_date": "",
"unique_sources": "",
"first_submission_date": "",
"ssdeep": "",
"md5": "",
"sha1": "",
"magic": "",
"last_analysis_stats": {
"harmless": "",
"type-unsupported": "",
"suspicious": "",
"confirmed-timeout": "",
"timeout": "",
"failure": "",
"malicious": "",
"undetected": ""
},
"meaningful_name": "",
"reputation": ""
},
"type": "",
"id": "",
"links": {
"self": ""
}
}
Parameter | Description |
---|---|
IP Address | IP address for which you want to retrieve a VirusTotal report. |
The JSON contains the report from VirusTotal for a sample based on the specified IP address. You can use this report to determine if the submitted IP address is suspicious.
The output contains the following populated JSON schema:
{
"attributes": {
"regional_internet_registry": "",
"jarm": "",
"network": "",
"last_https_certificate_date": "",
"tags": [],
"country": "",
"as_owner": "",
"last_analysis_stats": {
"harmless": "",
"malicious": "",
"suspicious": "",
"undetected": "",
"timeout": ""
},
"asn": "",
"whois_date": "",
"last_analysis_results": {},
"reputation": "",
"last_modification_date": "",
"total_votes": {
"harmless": "",
"malicious": ""
},
"last_https_certificate": {},
"continent": "",
"whois": {}
},
"type": "",
"id": "",
"links": {
"self": ""
}
}
Parameter | Description |
---|---|
Domain | Domain name for which you want to retrieve a VirusTotal report. |
The JSON contains the report from VirusTotal for a sample based on the specified domain name. You can use this report to determine if the submitted domain is suspicious.
The output contains the following populated JSON schema:
{
"attributes": {
"last_dns_records": [],
"jarm": "",
"whois": {},
"last_https_certificate_date": "",
"tags": [],
"popularity_ranks": {},
"last_dns_records_date": "",
"last_analysis_stats": {
"harmless": "",
"malicious": "",
"suspicious": "",
"undetected": "",
"timeout": ""
},
"whois_date": "",
"reputation": "",
"last_analysis_results": {},
"last_modification_date": "",
"last_https_certificate": {},
"categories": {},
"total_votes": {
"harmless": "",
"malicious": ""
}
},
"type": "",
"id": "",
"links": {
"self": ""
}
}
Parameter | Description |
---|---|
URL | URL for which you want to retrieve a VirusTotal report. |
The JSON contains the report from VirusTotal for a sample based on the specified URL. You can use this report to determine if the submitted URL is suspicious.
The output contains the following populated JSON schema:
{
"attributes": {
"last_http_response_content_sha256": "",
"html_meta": {},
"last_http_response_code": "",
"trackers": {},
"last_final_url": "",
"last_http_response_content_length": "",
"url": "",
"last_analysis_date": "",
"tags": [],
"last_analysis_results": {},
"last_submission_date": "",
"threat_names": [],
"last_http_response_headers": {},
"reputation": "",
"targeted_brand": {},
"categories": {},
"last_modification_date": "",
"last_analysis_stats": {
"harmless": "",
"malicious": "",
"suspicious": "",
"undetected": "",
"timeout": ""
},
"times_submitted": "",
"first_submission_date": "",
"total_votes": {
"harmless": "",
"malicious": ""
}
},
"type": "",
"id": "",
"links": {
"self": ""
}
}
Parameter | Description |
---|---|
Analysis ID | ID of the File or URL analysis whose details you want to retrieve from VirusTotal. Note: To retrieve the analysis ID, you can use the "Submit File" or "Submit URL for scanning" operation. |
The output contains the following populated JSON schema:
{
"meta": {
"url_info": {
"url": "",
"id": ""
}
},
"data": {
"attributes": {
"date": "",
"status": "",
"stats": {
"harmless": "",
"malicious": "",
"suspicious": "",
"undetected": "",
"timeout": ""
},
"results": {}
},
"type": "",
"id": "",
"links": {
"self": ""
}
}
}
The Sample - VirusTotal - 2.0.0
playbook collection comes bundled with the VirusTotal connector. These playbooks contain steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the VirusTotal connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.
VirusTotal provides a service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware.
This document provides information about the VirusTotal connector, which facilitates automated interactions, with a VirusTotal server using FortiSOAR™ playbooks. Add the VirusTotal connector as a step in FortiSOAR™ playbooks and perform automated operations, such as scanning and analyzing suspicious files and URLs and retrieving reports from VirusTotal for files, IP addresses, and domains.
Connector Version: 2.0.0
FortiSOAR™ Version Tested on: 7.0.0-480
VirusTotal Version Tested on: 3.0
Authored By: Fortinet
Certified: Yes
Following enhancements have been made to the VirusTotal Connector in version 2.0.0:
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root
user to install connectors from an SSH session:
yum install cyops-connector-virustotal
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the VirusTotal connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server URL | URL of the VirusTotal endpoint server to which you will connect and perform the automated operations. |
API Key | API key to access the VirusTotal endpoint to which you will connect and perform the automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from version 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Submit File | Scans and analyzes files submitted to VirusTotal from FortiSOAR™ to determine if it is suspicious based on the Attachment ID or File IRI you have specified. | submit_sample Investigation |
Submit URL for scanning | Scans and analyzes the URL submitted to VirusTotal to determine if it is suspicious based on the URL you have specified. | submit_url Investigation |
Get File Reputation | Retrieves a report from VirusTotal for the file that you have submitted to determine if it is suspicious based on the file hash value you have specified. | file_reputation Investigation |
Get IP Reputation | Retrieves a report from VirusTotal for the IP address submitted to determine if it is suspicious based on the IP address you have specified. | ip_reputation Investigation |
Get Domain Reputation | Retrieves a report from VirusTotal for the domain submitted to determine if it is suspicious based on the domain name you have specified. | domain_reputation Investigation |
Get URL Reputation | Retrieves a report from VirusTotal for the URL submitted to determine if it is suspicious based on the URL you have specified. | url_reputation Investigation |
Get Analysis Details | Retrieve details of a File or URL analysis from VirusTotal for the File or URL that you had submitted for scanning and analysis to VirusTotal using the "Submit File" or "Submit URL for scanning" action. | analysis_file Investigation |
Note: Using this operation, you submit files available in the FortiSOAR™ 'Attachments' module to VirusTotal.
Parameter | Description |
---|---|
Type | Type of file that you want to submit to VirusTotal for analysis. Type can be an Attachment ID or a File IRI. |
Reference ID | Reference ID that is used to access the attachment metadata from the FortiSOAR™ Attachments module.In the playbook, this defaults to the {{vars.attachment_id}} value or the {{vars.file_iri}} value. |
The JSON output contains the scan_id
for the file. You can use this scan_id in the future to query and retrieve scan reports from VirusTotal for this file.
The output contains the following populated JSON schema:
{
"id": "",
"type": ""
}
Parameter | Description |
---|---|
Scan URL | URL that you want to submit to VirusTotal for scanning. |
The JSON output contains the scan_id
for the URL. You can use this scan_id in the future to query and retrieve scan reports from VirusTotal for this URL.
The output contains the following populated JSON schema:
{
"type": "",
"id": ""
}
Parameter | Description |
---|---|
File Hash | File Hash of the file for which you want to retrieve a VirusTotal report. |
The JSON contains the report from VirusTotal for a sample based on the specified file hash. You can use this report to determine if the submitted files are suspicious.
The output contains the following populated JSON schema:
{
"attributes": {
"type_description": "",
"tlsh": "",
"trid": [],
"names": [],
"last_modification_date": "",
"type_tag": "",
"times_submitted": "",
"total_votes": {
"harmless": "",
"malicious": ""
},
"size": "",
"type_extension": "",
"last_submission_date": "",
"last_analysis_results": {},
"sha256": "",
"tags": [],
"last_analysis_date": "",
"unique_sources": "",
"first_submission_date": "",
"ssdeep": "",
"md5": "",
"sha1": "",
"magic": "",
"last_analysis_stats": {
"harmless": "",
"type-unsupported": "",
"suspicious": "",
"confirmed-timeout": "",
"timeout": "",
"failure": "",
"malicious": "",
"undetected": ""
},
"meaningful_name": "",
"reputation": ""
},
"type": "",
"id": "",
"links": {
"self": ""
}
}
Parameter | Description |
---|---|
IP Address | IP address for which you want to retrieve a VirusTotal report. |
The JSON contains the report from VirusTotal for a sample based on the specified IP address. You can use this report to determine if the submitted IP address is suspicious.
The output contains the following populated JSON schema:
{
"attributes": {
"regional_internet_registry": "",
"jarm": "",
"network": "",
"last_https_certificate_date": "",
"tags": [],
"country": "",
"as_owner": "",
"last_analysis_stats": {
"harmless": "",
"malicious": "",
"suspicious": "",
"undetected": "",
"timeout": ""
},
"asn": "",
"whois_date": "",
"last_analysis_results": {},
"reputation": "",
"last_modification_date": "",
"total_votes": {
"harmless": "",
"malicious": ""
},
"last_https_certificate": {},
"continent": "",
"whois": {}
},
"type": "",
"id": "",
"links": {
"self": ""
}
}
Parameter | Description |
---|---|
Domain | Domain name for which you want to retrieve a VirusTotal report. |
The JSON contains the report from VirusTotal for a sample based on the specified domain name. You can use this report to determine if the submitted domain is suspicious.
The output contains the following populated JSON schema:
{
"attributes": {
"last_dns_records": [],
"jarm": "",
"whois": {},
"last_https_certificate_date": "",
"tags": [],
"popularity_ranks": {},
"last_dns_records_date": "",
"last_analysis_stats": {
"harmless": "",
"malicious": "",
"suspicious": "",
"undetected": "",
"timeout": ""
},
"whois_date": "",
"reputation": "",
"last_analysis_results": {},
"last_modification_date": "",
"last_https_certificate": {},
"categories": {},
"total_votes": {
"harmless": "",
"malicious": ""
}
},
"type": "",
"id": "",
"links": {
"self": ""
}
}
Parameter | Description |
---|---|
URL | URL for which you want to retrieve a VirusTotal report. |
The JSON contains the report from VirusTotal for a sample based on the specified URL. You can use this report to determine if the submitted URL is suspicious.
The output contains the following populated JSON schema:
{
"attributes": {
"last_http_response_content_sha256": "",
"html_meta": {},
"last_http_response_code": "",
"trackers": {},
"last_final_url": "",
"last_http_response_content_length": "",
"url": "",
"last_analysis_date": "",
"tags": [],
"last_analysis_results": {},
"last_submission_date": "",
"threat_names": [],
"last_http_response_headers": {},
"reputation": "",
"targeted_brand": {},
"categories": {},
"last_modification_date": "",
"last_analysis_stats": {
"harmless": "",
"malicious": "",
"suspicious": "",
"undetected": "",
"timeout": ""
},
"times_submitted": "",
"first_submission_date": "",
"total_votes": {
"harmless": "",
"malicious": ""
}
},
"type": "",
"id": "",
"links": {
"self": ""
}
}
Parameter | Description |
---|---|
Analysis ID | ID of the File or URL analysis whose details you want to retrieve from VirusTotal. Note: To retrieve the analysis ID, you can use the "Submit File" or "Submit URL for scanning" operation. |
The output contains the following populated JSON schema:
{
"meta": {
"url_info": {
"url": "",
"id": ""
}
},
"data": {
"attributes": {
"date": "",
"status": "",
"stats": {
"harmless": "",
"malicious": "",
"suspicious": "",
"undetected": "",
"timeout": ""
},
"results": {}
},
"type": "",
"id": "",
"links": {
"self": ""
}
}
}
The Sample - VirusTotal - 2.0.0
playbook collection comes bundled with the VirusTotal connector. These playbooks contain steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the VirusTotal connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.