Palo Alto Networks Cortex XSOAR works with VirusTotal to help provide context for incidents that analysts are triaging. VirusTotal is an open-source antivirus scanner used to detect malicious files, URLs, and IP addresses. In this blog, we’ll learn how to configure the integration to ensure that VirusTotal is giving XSOAR high fidelity information to act on.
When leveraging the VirusTotal integration in XSOAR, you will need to know if you are using the free version of VirusTotal or the premium version. This becomes increasingly important the more IOCs you want to submit to VirusTotal, as the free version limits the amount of submissions individuals can submit in a given day.
When using either version of VirusTotal within XSOAR, be cautious of what exactly you submit to the tool. For example, if you have crafted a playbook that submits suspicious looking attachments to VirusTotal for analysis, you’ll want to be sure that what you are submitting is indeed a suspicious looking file — and not a confidential document that should have remained internal to your organization.
VirusTotal is an extremely powerful tool. Most incident response professionals are familiar with it. VirusTotal has the ability to analyze files, domains, ip addresses, URLs, etc, and share those results with an analyst. The analyst can then determine if there was a positive hit within the Virus Total dataset that may prompt additional investigation. While a positive hit isn't a guarantee of maliciousness, it does give context and a point of focus when conducting an investigation. In a world where analysts can see hundreds if not thousands of potential indicators of compromise (IOCs) context is exactly what an analyst needs, and VirusTotal can provide that.
When utilizing the free version of VirusTotal in a playbook for enrichment purposes, you are capped in the amount of submissions you can make within a given time frame. That’s why I recommend you input them manually — you can create a custom button on the incident layout page for enrichment purposes, or simply by run the VirusTotal commands in the XSOAR command line on the indicators you are interested in enriching.
Even if you are using the premium version of VirusTotal and are permitted several thousand submissions, you want to be vigilant about how many you make when testing or leveraging a VirusTotal automation within a playbook. You don’t want to run out of submissions early on.
The VirusTotal integration can be found installed on your system by going to Settings > Integrations > Instances > and typing “virustotal” into the search bar (See image below). You’ll want to leverage this integration for the type of enrichment we’re discussing in this article is the VirusTotal (API v3) (Partner Contribution) integration.*
When configuring the integration for the first time, click the “add instance” button on the right-hand side of the page (as shown in the see image above). After clicking that button, you will be prompted with a pop-up that contains various different fields that can be filled out for this integration (see image below). Most of these fields will be filled in by default. However, it is highly recommended to read through each one of the pre-populated fields to make sure that the configurations that have been populated by default meet your organization's needs.
In order to get the integration working you’ll also need to input your API key into the integration configuration settings. Once done, click the “Test” button at the bottom right hand side of the popup window to ensure connectivity to the integration is successful.
Let’s talk about a few specific settings in Cortex XSOAR that will help you take this integration to the next level in respect to your threat analysis and incident response operations.
In XSOAR, source reliability is defined as “the reliability of the source providing the intelligence data.” It is important to have an internal conversation at your organization about how reliable you consider not only VirusTotal to be as an enrichment source, but how reliable you want to consider any enrichment source you turn on in your environment. Different organizations are going to have different experiences with different sources of enrichment and/or threat intelligence. The more enrichment / threat intelligence sources you have turned on, the more likely you are to see a potential hit on an indicator. This is where the reliability score becomes crucially important. If you are looking at five positive hits from five different enrichment / threat intel sources, it would benefit the analyst in question to know which sources the organization as a whole trusts implicitly, so they can make a determination as to what the next steps are within their investigation.
There are four different types of indicator threshold settings I find very useful in XSOAR:
Out of the box, you’ll see that each one of these fields has a preset number of 10. If this setting goes unedited, a File, IP, URL, or Domain must have gotten at least 10 positive antivirus engine hits within VirusTotal to be considered malicious in nature. Depending on your organization's threshold for risk, you may want to consider readjusting these out of the box numbers. Philosophically speaking, you could ask the question: “If there were nine positive hit, would you not want to consider the indicator malicious? Or at the very least, highly suspicious and worth additional investigation?”
This brings us to our next set of fields that I want to discuss.
This section focuses on “Preferred Vendor List” and “Preferred Vendor Threshold”.
Remember earlier when we talked about “source reliability”? VirusTotal itself isn’t scoring indicators for you; they are aggregating the results of many sources of information, which is why it is increasingly important to specify trusted vendors within the integration configuration settings.
VirusTotal also says that it is “not responsible for false positives generated by any of the resources it uses. False positive issues should be addressed directly with the company or individual behind the product under consideration”. I bring this up because it directly applies to the “Preferred Vendor List” and “Preferred Vendor Threshold” fields that you can fill out within the VirusTotal integration. Because VirusTotal is an information aggregator, it is important to have a conversation internal to your organization about which tools you trust and plug them into the “Preferred Vendor List” field.
Let’s move on to the last set of fields for the XSOAR / VirusTotal integration.
You’ll need to be using the premium version of VirusTotal to leverage Relationship functionalities within XSOAR. If you refer to the documentation page on the XSOAR website you’ll find the following:
“If the organization is using the premium subscription of VirusTotal, you can use the premium API analysis. The premium API analysis will check 3 file relationships of each indicator (domain, url, and ip).
The premium API analysis can call up to 4 API calls per indicator. If you want to decrease the use of the API quota, you can disable it.”
You can read more about this integration on the Cortex XSOAR VirusTotal (API v3) documentation page.
VirusTotal also has the ability to aggregate relationship information surrounding various different indicators that are submitted to the platform. XSOAR has the ability to bring this information in for the analyst and present it to them in a visual way and or utilize it in a playbook for automation purposes later on. The fields IP Relationships, Domain Relationships, URL Relationships, and File Relationships all specify the types of relationships you want to see surrounding an indicator should any exist.
It is recommended to review the relationship items that are pre-populated for you in this integration by default. Curtailing these relationships could help analysts focus more on what a specific organization's security concerns are. Leaving them as is will bring in a lot of relationships (should they exist) surrounding your submissions. However, it is important to note that bringing in information that isn’t needed to thoroughly conduct an investigation could result in wasted analyst time.
I’ll leave you with this — in order to use the VirusTotal integration to its fullest you must do a few things:
By implementing the recommendations in this article, you will ultimately save on analyst resources and provide your team with high-fidelity data throughout each one of their investigations.
*Keep in mind this article was written in October 2022 and the integration may have had updates since then.
