VirusTotal
VirusTotal is a comprehensive platform for analyzing files, URLs, domains, and IP addresses to detect malicious content using multiple antivirus engines and URL scanning tools. It empowers security teams with real-time threat intelligence and detailed analysis, enhancing their ability to identify and respond to emerging cyber threats efficiently.
Arcanna - VirusTotal Integration
Arcanna.ai is a decision intelligence platform that uses NLP, deep learning and analyst feedback to assist security teams in decision-making, learning from incident resolutions and scaling their capacity towards an autonomous Security Operations Center (SOC). By integrating with VirusTotal, Arcanna.ai enriches security events with VirusTotal's threat intelligence verdicts, improving the accuracy and speed of incident analysis and response.
Steps to configure VirusTotal integration:
Prerequisites
- Arcanna.ai - Arcanna.ai can be deployed in the cloud (AWS) or on-premise; for setup, follow the Arcanna.ai user guide. For flexibility, Arcanna.ai exports the AI-processed alerts to an internal Elasticsearch/OpenSearch data warehouse, which has to be installed together with Arcanna.ai. You can use an Elasticsearch/OpenSearch instance you already have, or a new one dedicated to the Arcanna.ai backend.
How to connect
Go to your VirusTotal account:
- Select the API key tab from the top-right menu.
- Copy the API key to the clipboard; it is entered in Arcanna.ai in the next step. Treat the key as a secret: every lookup made with it is attributed to your account and counts against your quota (the free public API is limited to 4 lookups per minute and 500 per day at the time of writing), so do not commit it to configuration repositories or share it between unrelated systems.
Go to Arcanna.ai instance:
Create the VirusTotal integration:
- Go to the Integrations tab
- Search for VirusTotal integration and click on it
- Fill in the Title and API Key fields with your own values, then press Confirm.
Create an Arcanna.ai job using VirusTotal integration:
- Go to AI Jobs tab and click Create job
- Complete the Title and select an input integration; for this test we used the Elasticsearch input integration with a test index `virustotal-demo-index`.
- Expand Threat intelligence tab and click Add +.
- Search for the VirusTotal integration and choose the IOC field to enrich; for this test we used the `source.ip` field from our test document.
- Click Save and run to save and start the job.
(Option 2) Add and configure the VirusTotal integration from the Flows page:
- Assuming an AI job already exists, click on Flows.
- On the Flows page, click Add integration +, search for VirusTotal and select the IOC fields to be investigated.
- The Flows page makes it easier to see the pipeline order of the integrations (e.g. threat intelligence runs before the AI decision model). The integration can also be Enabled/Disabled from here as desired.
Testing VirusTotal enrichment:
- Start the job by clicking Start job
- Go to the job's Event Explorer page. Expand the event and open the Event Overview tab. The threat intelligence result is shown there (in our test, the specific source.ip was flagged as malicious).
- Switch to the Structured tab. The fields added to the event by the VirusTotal integration are listed; note that the general "is_malicious" flag is True.
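To make the enrichment step above concrete, here is a stand-alone Python illustration of what a VirusTotal IP lookup on an event's `source.ip` looks like and how an "is_malicious" flag can be derived from it. This is an added example, not Arcanna.ai's or VirusTotal's own code, and it makes no claim about the exact fields Arcanna.ai writes. Only the VirusTotal API v3 endpoint `/api/v3/ip_addresses/{ip}`, the `x-apikey` request header and the `last_analysis_stats` response attribute are real; the `virustotal.*` output field names, the one-engine threshold, the sample event and the sample VirusTotal response are assumptions constructed for this example.

```python
"""Stand-alone illustration of a VirusTotal IP enrichment step.

Added example, not Arcanna.ai's or VirusTotal's code. Only the VirusTotal
API v3 endpoint, the x-apikey header and the `last_analysis_stats` response
attribute are real; the `virustotal.*` output fields and the threshold are
assumptions made for this illustration.
"""
import json
import os
import urllib.error
import urllib.request
from typing import Any, Dict, Optional

VT_IP_ENDPOINT = "https://www.virustotal.com/api/v3/ip_addresses/{ip}"

# Constructed test document, shaped like an ECS event in an Elasticsearch index.
# 203.0.113.0/24 is TEST-NET-3, so the address is never routable.
SAMPLE_EVENT: Dict[str, Any] = {
    "@timestamp": "2024-01-01T00:00:00Z",
    "event": {"action": "ssh-login-failed"},
    "source": {"ip": "203.0.113.7"},
}

# Constructed response in the shape of a VirusTotal API v3 IP object.
SAMPLE_REPORT: Dict[str, Any] = {
    "data": {
        "id": "203.0.113.7",
        "type": "ip_address",
        "attributes": {
            "as_owner": "Example AS",
            "country": "ZZ",
            "last_analysis_stats": {
                "harmless": 60, "malicious": 7, "suspicious": 1,
                "undetected": 22, "timeout": 0,
            },
        },
    }
}


def get_dotted(doc: Dict[str, Any], path: str) -> Optional[Any]:
    """Resolve a dotted field such as `source.ip`, accepting both a nested
    object ({"source": {"ip": ...}}) and a flat key ({"source.ip": ...})."""
    if path in doc:
        return doc[path]
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def fetch_ip_report(ip: str, api_key: str) -> Optional[Dict[str, Any]]:
    """Live lookup against VirusTotal API v3 (network call; not used by the
    offline demo). Returns None when VirusTotal has no record of the IP
    (HTTP 404) and raises on other errors, including HTTP 429 when the
    account's quota is exhausted."""
    req = urllib.request.Request(
        VT_IP_ENDPOINT.format(ip=ip),
        headers={"x-apikey": api_key, "accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return None
        raise


def enrich_event(event: Dict[str, Any], report: Optional[Dict[str, Any]],
                 ioc_field: str = "source.ip",
                 malicious_threshold: int = 1) -> Dict[str, Any]:
    """Return a copy of `event` with a `virustotal` object attached.

    `report` is the VirusTotal IP object (or None when the IP is unknown).
    `is_malicious` is True when at least `malicious_threshold` engines flag
    the IP; the default of 1 is deliberately sensitive and should be tuned."""
    enriched = dict(event)
    ioc = get_dotted(event, ioc_field)
    if ioc is None:
        # Nothing to look up: record that explicitly instead of silently skipping.
        enriched["virustotal"] = {"ioc_field": ioc_field, "found": False,
                                  "is_malicious": False, "note": "IOC field missing"}
        return enriched
    if report is None:
        enriched["virustotal"] = {"ioc": ioc, "found": False, "is_malicious": False}
        return enriched
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    malicious = int(stats.get("malicious", 0))
    enriched["virustotal"] = {
        "ioc": ioc,
        "found": True,
        "malicious": malicious,
        "suspicious": int(stats.get("suspicious", 0)),
        "harmless": int(stats.get("harmless", 0)),
        "undetected": int(stats.get("undetected", 0)),
        "as_owner": attrs.get("as_owner"),
        "country": attrs.get("country"),
        "is_malicious": malicious >= malicious_threshold,
    }
    return enriched


if __name__ == "__main__":
    # With VT_API_KEY set, do a live lookup; otherwise use the constructed report.
    key = os.environ.get("VT_API_KEY")
    ip = get_dotted(SAMPLE_EVENT, "source.ip")
    report = fetch_ip_report(ip, key) if key else SAMPLE_REPORT
    print(json.dumps(enrich_event(SAMPLE_EVENT, report)["virustotal"], indent=2))
```

The script reads the API key from the `VT_API_KEY` environment variable rather than from the source, matching the handling of the key described in the steps above. The three branches in `enrich_event` are the cases a practitioner hits in production: the IOC field is absent from the event, VirusTotal has never seen the address (404), or a report exists and the engine counts decide the flag. A threshold of a single engine is noisy; raising it, or weighting engines, is a tuning decision for the SOC rather than something this example settles.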