Search IOCs on VirusTotal Faster

EnesOzdemir — Mon, 27 Feb 2023 15:37:55 GMT

We are running a playbook to search a list of IOCs on VirusTotal, the list is received by an attachment on incident creation. The playbook then exports the VirusTotal scores into the war room as a csv file. All this is achieved by manual indicator creation an enrichment. The enrichment process however takes more than an hour for only 4000 IOCs. We want this process to go faster.

Indicator creation and enrichment trigger from in a single automation. After indicator is created with createNewIndicator we are running the command down below to get the VirusTotal scores.

demisto.executeCommand('enrichIndicators', {'indicatorsValues': '1.1.1.1,8.8.8.8,..,..'})

1- Why does it take a lot longer than a simple python script using VirusTotal library? Does it create a container for each value to use the virustotal integration commands "ip,domain,hash" for example?

2- What is the best way to deal with this sort of automation requests? Import VirusTotal library and make api calls to VirusTotal and create the indicator with the response yourself instead of enriching with VT Integration?

Re: Search IOCs on VirusTotal Faster

amontminy — Tue, 25 Apr 2023 17:06:59 GMT

One thing you can do to try and speed up the VirusTotal integration is removing the different relationships it searches for in the integration as seen below. Another way that you might be able to speed it up is to to use the using argument for enrichIndicator. In my instance it would look like this: !enrichIndicators indicatorsValues=103.67.197.51 using="VirusTotal (API v3)_instance_1"

This limits the enrichIndicators automation to use just the VirusTotal integration rather than every integration that is configured to work with that indicator type.

topic Search IOCs on VirusTotal Faster in Cortex XSOAR Discussions

Search IOCs on VirusTotal Faster

Re: Search IOCs on VirusTotal Faster