Search IOCs on VirusTotal Faster

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Search IOCs on VirusTotal Faster

L3 Networker

We are running a playbook to search a list of IOCs on VirusTotal, the list is received by an attachment on incident creation. The playbook then exports the VirusTotal scores into the war room as a csv file. All this is achieved by manual indicator creation an enrichment. The enrichment process however takes more than an hour for only 4000 IOCs. We want this process to go faster.

 

Indicator creation and enrichment trigger from in a single automation. After indicator is created with createNewIndicator we are running the command down below to get the VirusTotal scores.

 

demisto.executeCommand('enrichIndicators', {'indicatorsValues': '1.1.1.1,8.8.8.8,..,..'})

 

1- Why does it take a lot longer than a simple python script using VirusTotal library? Does it create a container for each value to use the virustotal integration commands "ip,domain,hash" for example?

2- What is the best way to deal with this sort of automation requests? Import VirusTotal library and make api calls to VirusTotal and create the indicator with the response yourself instead of enriching with VT Integration?

 

1 REPLY 1

L3 Networker

One thing you can do to try and speed up the VirusTotal integration is removing the different relationships it searches for in the integration as seen below. Another way that you might be able to speed it up is to to use the using argument for enrichIndicator. In my instance it would look like this: !enrichIndicators indicatorsValues=103.67.197.51 using="VirusTotal (API v3)_instance_1" 

 

This limits the enrichIndicators automation to use just the VirusTotal integration rather than every integration that is configured to work with that indicator type. 

Screenshot 2023-04-25 at 9.49.44 AM.png

  • 767 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!