Integrating Cortex XSOAR and VirusTotal for Maximum Incident Response and Investigation

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
L2 Linker

XSOAR-VirusTotal.jpg

 

Palo Alto Networks Cortex XSOAR works with VirusTotal to help provide context for incidents that analysts are triaging. VirusTotal is an open-source antivirus scanner used to detect malicious files, URLs, and IP addresses. In this blog, we’ll learn how to configure the integration to ensure that VirusTotal is giving XSOAR high fidelity information to act on. 

 

Cortex XSOAR and VirusTotal: What to Know Beforehand

 

When leveraging the VirusTotal integration in XSOAR, you will need to know if you are using the free version of VirusTotal or the premium version. This becomes increasingly important the more IOCs you want to submit to VirusTotal, as the free version limits the amount of submissions individuals can submit in a given day.

 

When using either version of VirusTotal within XSOAR, be cautious of what exactly you submit to the tool. For example, if you have crafted a playbook that submits suspicious looking attachments to VirusTotal for analysis, you’ll want to be sure that what you are submitting is indeed a suspicious looking file — and not a confidential document that should have remained internal to your organization. 

 

How to Integrate VirusTotal With XSOAR

 

VirusTotal is an extremely powerful tool. Most incident response professionals are familiar with it. VirusTotal has the ability to analyze files, domains, ip addresses, URLs, etc, and share those results with an analyst. The analyst can then determine if there was a positive hit within the Virus Total dataset that may prompt additional investigation. While a positive hit isn't a guarantee of maliciousness, it does give context and a point of focus when conducting an investigation. In a world where analysts can see hundreds if not thousands of potential indicators of compromise (IOCs) context is exactly what an analyst needs, and VirusTotal can provide that. 

 

When utilizing the free version of VirusTotal in a playbook for enrichment purposes, you are capped in the amount of submissions you can make within a given time frame. That’s why I recommend you input them manually — you can create a custom button on the incident layout page for enrichment purposes, or simply by run the VirusTotal commands in the XSOAR command line on the indicators you are interested in enriching.

 

Even if you are using the premium version of VirusTotal and are permitted several thousand submissions, you want to be vigilant about how many you make when testing or leveraging a VirusTotal automation within a playbook. You don’t want to run out of submissions early on.

 

The VirusTotal integration can be found installed on your system by going to Settings > Integrations > Instances > and typing “virustotal” into the search bar (See image below). You’ll want to leverage this integration for the type of enrichment we’re discussing in this article is the VirusTotal (API v3) (Partner Contribution) integration.* 

 

ColeLisko_0-1667413446030.png

 

 

When configuring the integration for the first time, click the “add instance” button on the right-hand side of the page (as shown in the see image above). After clicking that button, you will be prompted with a pop-up that contains various different fields that can be filled out for this integration (see image below). Most of these fields will be filled in by default. However, it is highly recommended to read through each one of the pre-populated fields to make sure that the configurations that have been populated by default meet your organization's needs.

 

In order to get the integration working you’ll also need to input your API key into the integration configuration settings. Once done, click the “Test” button at the bottom right hand side of the popup window to ensure connectivity to the integration is successful. 

 

ColeLisko_1-1667413446052.png

 

VirusTotal Advanced Integration Settings 

 

Let’s talk about a few specific settings in Cortex XSOAR that will help you take this integration to the next level in respect to your threat analysis and incident response operations. 

 

1. Source Reliability Settings in XSOAR

ColeLisko_2-1667413445888.png

 

In XSOAR, source reliability is defined as “the reliability of the source providing the intelligence data.” It is important to have an internal conversation at your organization about how reliable you consider not only VirusTotal to be as an enrichment source, but how reliable you want to consider any enrichment source you turn on in your environment. Different organizations are going to have different experiences with different sources of enrichment and/or threat intelligence. The more enrichment / threat intelligence sources you have turned on, the more likely you are to see a potential hit on an indicator. This is where the reliability score becomes crucially important. If you are looking at five positive hits from five different enrichment / threat intel sources, it would benefit the analyst in question to know which sources the organization as a whole trusts implicitly, so they can make a determination as to what the next steps are within their investigation. 

 

2.  Indicator Thresholds Settings in XSOAR

 

There are four different types of indicator threshold settings I find very useful in XSOAR:

 

  • File Threshold
  • IP Threshold
  • URL Threshold
  • Domain Threshold

 

ColeLisko_3-1667413445957.png

 

 

Out of the box, you’ll see that each one of these fields has a preset number of 10. If this setting goes unedited, a File, IP, URL, or Domain must have gotten at least 10 positive antivirus engine hits within VirusTotal to be considered malicious in nature. Depending on your organization's threshold for risk, you may want to consider readjusting these out of the box numbers. Philosophically speaking, you could ask the question: “If there were nine positive hit, would you not want to consider the indicator malicious? Or at the very least, highly suspicious and worth additional investigation?”

 

This brings us to our next set of fields that I want to discuss. 

 

3. Advanced VirusTotal Integration Settings in XSOAR

 

  • Preferred Vendor List
  • Preferred Vendor Threshold. 
  • Crowdsourced Yara Rules Threshold
  • Sigma and Intrusion Detection Rules Threshold
  • Domain Popularity Ranking threshold
  • Premium Subscription Only: Relationship File Threshold

 

ColeLisko_4-1667413446095.png



This section focuses on “Preferred Vendor List” and “Preferred Vendor Threshold”. 

 

Remember earlier when we talked about “source reliability”? VirusTotal itself isn’t scoring indicators for you; they are aggregating the results of many sources of information, which is why it is increasingly important to specify trusted vendors within the integration configuration settings.

VirusTotal also says that it is “not responsible for false positives generated by any of the resources it uses. False positive issues should be addressed directly with the company or individual behind the product under consideration”. I bring this up because it directly applies to the “Preferred Vendor List” and “Preferred Vendor Threshold” fields that you can fill out within the VirusTotal integration. Because VirusTotal is an information aggregator, it is important to have a conversation internal to your organization about which tools you trust and plug them into the “Preferred Vendor List” field. 

 

Let’s move on to the last set of fields for the XSOAR / VirusTotal integration. 

 

4. Relationship Settings in XSOAR

 

  • IP Relationships
  • Domain Relationships
  • URL Relationships
  • File Relationships

 

ColeLisko_5-1667413446106.png

 

You’ll need to be using the premium version of VirusTotal to leverage Relationship functionalities within XSOAR. If you refer to the documentation page on the XSOAR website you’ll find the following: 

 

“If the organization is using the premium subscription of VirusTotal, you can use the premium API analysis. The premium API analysis will check 3 file relationships of each indicator (domain, url, and ip).

  • If the relationship is found to be malicious, the indicator will be considered malicious.
  • If the relationship is found to be suspicious and the basic score is suspicious, the indicator will be considered malicious.
  • If the relationship is found to be suspicious, the indicator will be considered suspicious.

 

The premium API analysis can call up to 4 API calls per indicator. If you want to decrease the use of the API quota, you can disable it.”

 

You can read more about this integration on the Cortex XSOAR VirusTotal (API v3) documentation page. 

 

VirusTotal also has the ability to aggregate relationship information surrounding various different indicators that are submitted to the platform. XSOAR has the ability to bring this information in for the analyst and present it to them in a visual way and or utilize it in a playbook for automation purposes later on. The fields IP Relationships, Domain Relationships, URL Relationships, and File Relationships all specify the types of relationships you want to see surrounding an indicator should any exist.

 

It is recommended to review the relationship items that are pre-populated for you in this integration by default. Curtailing these relationships could help analysts focus more on what a specific organization's security concerns are. Leaving them as is will bring in a lot of relationships (should they exist) surrounding your submissions. However, it is important to note that bringing in information that isn’t needed to thoroughly conduct an investigation could result in wasted analyst time. 

 

In Summary

 

I’ll leave you with this — in order to use the VirusTotal integration to its fullest you must do a few things:

 

  1. Determine if you are using the premium version or the free version as this will ultimately impact how you use the integration
  2. Determine who your trusted sources are that contribute to VirusTotal (do this through having conversations with the people who know the requirements, risks, and current security posture within your organization)
  3. Establish a threshold for “malicious”. This will most likely require additional conversation within your enterprise. Having these conversations upfront will save analyst time on the backend. 
  4. Determine the kind of relationships you are interested in seeing from each unique indicator type

 

By implementing the recommendations in this article, you will ultimately save on analyst resources and provide your team with high-fidelity data throughout each one of their investigations. 

 


*Keep in mind this article was written in October 2022 and the integration may have had updates since then.

 

5 Comments
  • 9102 Views
  • 5 comments
  • 6 Likes
Register or Sign-in
Labels
Top Liked Authors