VirusTotal

VirusTotal is a comprehensive platform for analyzing files, URLs, domains, and IP addresses to detect malicious content using multiple antivirus engines and URL scanning tools. It empowers security teams with real-time threat intelligence and detailed analysis, enhancing their ability to identify and respond to emerging cyber threats efficiently.


Arcanna - VirusTotal Integration

By integrating with VirusTotal, Arcanna enriches security events with comprehensive threat intelligence, enhancing the accuracy and speed of incident analysis and response.

Steps to configure VirusTotal integration:

Prerequisites

How to connect

In your VirusTotal account:

  1. Select the API key tab from the top-right menu.
  2. Copy the API key to the clipboard for later use in Arcanna.

In your Arcanna instance:

  1. Create the VirusTotal integration:

    • Go to the Integrations tab
    • Search for the VirusTotal integration and click on it.
    • Fill in all the fields, using your own API Key and Title, then click Confirm.
    • If using both VirusTotal and Open Threat Intelligence, you can enable the option to bypass VirusTotal to reduce VT quota usage.
    • Arcanna features a caching mechanism designed to optimize quota usage. The cache supports up to 10,000 fields or a retention period of 7 days, whichever is reached first.
  2. Create an Arcanna job using VirusTotal integration:

    • Go to the AI Jobs tab and click Create job.
    • Complete the Title and select an input integration. For testing purposes, we used the Elasticsearch input integration with a test index named virustotal-demo-index.
    • Expand the Threat intelligence tab and click Add +.
    • Search for the VirusTotal integration. For testing, we use the IOC field source.ip from our test document.
    • Click Save and run to save and start the job.
  3. (Option 2) Add and configure VirusTotal integration from Flows page:

    • Assuming an AI job has already been created, click on Flows.
    • On the Flows page, click Add integration +, search for VirusTotal, and select the IOCs to be investigated.
    • From the Flows page, it is easier to observe the pipeline order of integrations (e.g., threat intelligence preceding the AI Decision model). Additionally, the integration can be Enabled/Disabled as desired.
  4. Testing VirusTotal enrichment:

    • Start the job by clicking Start job.
    • Go to the job's Event Explorer page. Expand the event and navigate to the Event Overview tab. Here, you can observe the threat intelligence and its result (e.g., the specific source.ip flagged as malicious).
    • Switch to the Structured tab. Here, you can observe the fields added to the event by the VirusTotal integration. Note that the general is_malicious flag is set to True.
    • Go to the Decision Points page. Here, the added fields can be selected for use as features in the Arcanna AI model. Typically, the field of interest is arcanna.ioc.global.result, which contains the overall malicious result.
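The following is an added illustration, not Arcanna's or VirusTotal's own code: a model of the quota-saving cache policy described above (up to 10,000 entries or 7 days of retention, whichever is reached first) applied to an event carrying a source.ip IOC, producing the is_malicious and arcanna.ioc.global.result fields named in the testing steps. The lookup function is a constructed stand-in that makes no network call, the exact representation of arcanna.ioc.global.result is assumed, and the IP address is a constructed TEST-NET value.

```python
import time
from collections import OrderedDict
from typing import Callable

# Policy as described on the page: at most 10,000 cached entries or 7 days of retention,
# whichever limit is reached first. Exact eviction behaviour in Arcanna is assumed here.
MAX_ENTRIES = 10_000
RETENTION_SECONDS = 7 * 24 * 3600


class IocVerdictCache:
    """Bounded, time-limited cache of IOC verdicts so repeated IOCs do not spend VT quota."""

    def __init__(self, lookup: Callable[[str], bool], max_entries: int = MAX_ENTRIES,
                 retention: int = RETENTION_SECONDS, clock: Callable[[], float] = time.time):
        self._lookup = lookup          # the quota-consuming call (stubbed below)
        self._entries = OrderedDict()  # ioc -> (stored_at, verdict), oldest first
        self._max, self._ttl, self._clock = max_entries, retention, clock
        self.lookups = 0               # how many quota-consuming calls were made

    def verdict(self, ioc: str) -> bool:
        now = self._clock()
        hit = self._entries.get(ioc)
        if hit is not None and now - hit[0] < self._ttl:
            return hit[1]                      # fresh cached verdict: no quota spent
        result = self._lookup(ioc)             # missing or older than the retention period
        self.lookups += 1
        self._entries.pop(ioc, None)
        self._entries[ioc] = (now, result)
        while len(self._entries) > self._max:
            self._entries.popitem(last=False)  # capacity reached: drop the oldest entry
        return result


def enrich_event(event: dict, ioc_field: str, cache: IocVerdictCache) -> dict:
    """Add the enrichment fields the page names to a copy of the event."""
    ioc = event.get(ioc_field)
    if ioc is None:
        return event                           # nothing to investigate
    malicious = cache.verdict(ioc)
    enriched = dict(event)
    enriched["is_malicious"] = malicious
    enriched["arcanna.ioc.global.result"] = malicious  # representation assumed
    return enriched


# Constructed stand-in for a VirusTotal lookup: fixed verdicts, no network access.
_CONSTRUCTED_VERDICTS = {"203.0.113.7": True}


def fake_vt_lookup(ioc: str) -> bool:
    return _CONSTRUCTED_VERDICTS.get(ioc, False)
```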