VirusTotal Threat Intelligence

It has always been a challenge for SOC teams to cut down on the time taken for threat detection and to automate appropriate remediation processes. A simple VirusTotal API integration with DNIF allows SOC teams to fetch VirusTotal data and analyse files and URLs, enabling them to work more efficiently.

Create security incidents and respond faster

Visualize, validate and respond to threats faster with automation playbooks.

From left to right, top to bottom, these widgets use VirusTotal to display the following details:

  • Top Countries: This widget displays the source countries from which activities are being logged.
  • Top Destination Ports: This widget shows the destination ports of logged events.
  • Top Blacklisted IPs: This widget displays the blacklisted IPs from which logged events originated.
  • Top Threat Seeker Categories: This widget displays information regarding domains and the Threat Seeker categories they belong to.
  • Top Malicious URLs: This widget displays details about malicious URLs after validating them with VirusTotal.

What if your SIEM could automatically enrich, validate and respond to threats in real time based on known Indicators of Compromise (IOCs)?

Why Integrate DNIF with VirusTotal

VirusTotal analyzes files and URLs for viruses, worms, Trojans and other kinds of malicious content. It promotes collaboration between members of the antivirus industry, researchers and end users of all kinds in an effort to make the internet a safer place. From Fortune 500 companies to governments and leading security firms, VirusTotal’s ever-growing community includes a diverse range of entities.

VirusTotal is not just an antivirus aggregator; it characterises and helps validate URLs, domain names, IP addresses and file hashes.

Files and URLs can be submitted to VirusTotal via several different means, but with VirusTotal's API integration with DNIF, you can now validate them directly from the DNIF web console.

Key Benefits

In some cases, just visiting a website may be enough for a user to get infected. Websites may host drive-by downloads or use social engineering to trick users into installing fake antivirus solutions, Trojans masquerading as video players, and so on. DNIF’s integration with VirusTotal provides the following benefits:

  • Malware signatures are updated frequently by VirusTotal through its associated antivirus companies, ensuring DNIF has the latest signatures.
  • When a user requests validation for a domain, DNIF calls the VirusTotal API. VirusTotal checks its databases, including databases from antivirus companies and other third parties, and returns the result to DNIF. As soon as any contributor to VirusTotal’s databases blacklists a URL, this is immediately reflected in DNIF.
  • URLs and file hashes can be sent to VirusTotal using the API to retrieve corresponding reports in real time. These reports are ingested and parsed in DNIF to be viewed directly from the console.
  • VirusTotal shares fields such as VT Positive, which indicates the number of scans that have returned a positive (malicious) verdict.
  • You can also check the names of antivirus solutions that reported/flagged a particular file hash, URL, domain or IP as malicious.
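The last two benefits above describe what a console widget has to do with a VirusTotal report: read the positive count and list the engines that flagged the indicator. The following is an added example, not DNIF's or VirusTotal's own code. It parses a constructed report whose field names (`response_code`, `positives`, `total`, `scans`, `detected`, `result`) follow the shape of the VirusTotal v2 API report; the engine names, verdict strings and the URL are made up for illustration, and the `threshold` used to call a result malicious is an assumed policy value, not something VirusTotal or DNIF define.

```python
"""Added example: derive the "VT Positive" count and the list of flagging
engines from a VirusTotal-style report, and turn them into a verdict a
SIEM widget or playbook can act on. Not DNIF's or VirusTotal's own code."""
import json

# Constructed sample in the shape of a VirusTotal v2 report. Engine names,
# result strings and the URL are invented for this example.
SAMPLE_REPORT = json.dumps({
    "response_code": 1,                      # 1 = indicator is known to VirusTotal
    "resource": "http://example.invalid/login",
    "positives": 2,
    "total": 4,
    "scans": {
        "EngineA": {"detected": True,  "result": "phishing site"},
        "EngineB": {"detected": False, "result": "clean site"},
        "EngineC": {"detected": True,  "result": "malicious site"},
        "EngineD": {"detected": False, "result": "unrated site"},
    },
})

# A report for an indicator VirusTotal has never seen: response_code 0 and
# no scan data. A widget must treat this as "unknown", not as "clean".
UNKNOWN_REPORT = json.dumps({"response_code": 0, "resource": "http://example.invalid/new"})


def summarize_report(raw):
    """Return the VT Positive count, total engines and the engines that flagged
    the indicator. Recomputes the count from the per-engine verdicts rather
    than trusting the summary field alone, and records any mismatch."""
    report = json.loads(raw)
    if report.get("response_code") != 1:
        return {"known": False, "positives": 0, "total": 0,
                "flagged_by": [], "count_mismatch": False}

    scans = report.get("scans", {})
    flagged = sorted(name for name, verdict in scans.items() if verdict.get("detected"))
    reported_positives = report.get("positives", len(flagged))
    return {
        "known": True,
        "positives": len(flagged),
        "total": report.get("total", len(scans)),
        "flagged_by": flagged,
        # True if the summary field disagrees with the per-engine verdicts.
        "count_mismatch": reported_positives != len(flagged),
    }


def classify(summary, threshold=1):
    """Map a summary to one of 'unknown', 'clean' or 'malicious'.
    `threshold` (assumed policy value) is the minimum number of positive
    engines needed before the indicator is treated as malicious."""
    if not summary["known"]:
        return "unknown"
    return "malicious" if summary["positives"] >= threshold else "clean"


if __name__ == "__main__":
    for raw in (SAMPLE_REPORT, UNKNOWN_REPORT):
        s = summarize_report(raw)
        print(classify(s), f"{s['positives']}/{s['total']}", ", ".join(s["flagged_by"]))
```

The distinction between "unknown" and "clean" matters for a playbook: an indicator VirusTotal has never seen gives no evidence either way, so automated remediation should not treat a `response_code` of 0 as a clean verdict. Recomputing the positive count from the per-engine entries also lets the widget notice a truncated or inconsistent report instead of displaying a summary number it cannot account for.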
