October 23, 2018 / by Mervin Marks / In threat-intelligence /

VirusTotal Integration with DNIF

A simple VirusTotal integration with DNIF lets you call the VirusTotal API from DNIF, pull the VirusTotal verdicts back into DNIF, and analyse suspicious files and URLs there, so that malware is detected faster and SOC teams work more efficiently.

I'm assuming no introduction is required for VirusTotal: it inspects items with over 70 antivirus scanners and URL/domain blacklisting services, in addition to a myriad of tools that extract signals from the studied content. On the other side we have DNIF, a next-gen SIEM with SOAR capabilities that specialises in real-time threat hunting in complex environments. It monitors logs and metrics from every component in the IT environment, detects and correlates insights across data silos, and so lets users find known and unknown threats in real time, with automation for data enrichment, threat validation and incident response.

The bad guys keep finding new vulnerabilities; let's face it, that's their job. The job of a security analyst (the good guys), on the other hand, is not only to defend against known threats but also to be prepared and vigilant for new and unknown exploits.

Using the integration plugin built by the DNIF team in collaboration with VirusTotal, we can trigger VirusTotal lookups based on activity observed in the enterprise environment. In practice this means we catch new URLs, domains, IP addresses and file hashes on the fly and validate them against VirusTotal through its API. The validated information is then automatically returned to the SOC team's security professionals for further action.

Now, there are two ways you could do this: manually or through automation. In the manual process you're assuming that SOC personnel will pick up individual indicators for validation and run a query that returns a detailed report, much like the one the automated process produces. In the automated process the same lookups run on every matching event, and you can sit back and focus on other, more important things.

How to integrate DNIF with VirusTotal?

Here are step-by-step instructions for using the VirusTotal API with DNIF.

The DNIF lookup plugin for VirusTotal is on GitHub at https://github.com/dnif/lookup-virustotal

1. Log in to your Data Store and Correlator containers; here is the help guide for accessing your DNIF instance via SSH.

2. Move to the /dnif/<Deployment-key>/lookup_plugins folder.

(Screenshot: DNIF deployment folder)

3. Clone the plugin into a folder named virustotal with the following command: git clone https://github.com/dnif/lookup-virustotal.git virustotal

4. Move to the /dnif/<Deployment-key>/lookup_plugins/virustotal/ folder and open the dnifconfig.yml configuration file. Replace the tag <Add_your_api_key_here> with your VirusTotal API key:

lookup_plugin:
    VT_API_KEY: <Add_your_api_key_here>

Once this is done, you're ready for action. Keep the key out of version control and readable only by the DNIF service account, and note that a public VirusTotal API key is limited to four requests per minute, which an automated lookup on every event will exhaust quickly.

URL scan reports

Input required: the URL for which you want the most recent report. VirusTotal returns its most recent report on the given URL. You may also pass a scan_id (the sha256-timestamp returned by the URL submission API) to retrieve a specific report.

The query is as follows:

_fetch $Url from threatsample limit 1
>>_lookup virustotal get_url_report $Url

Sample output:

(Screenshot: DNIF URL scan report)

The structure of the returned data is documented at https://github.com/dnif/lookup-virustotal

Retrieve Domain reports

Input required: the domain name for which you want to retrieve the report.

The query is as follows:

_fetch $Domain from threatsample limit 1
>>_lookup virustotal get_domain_report $Domain

Sample output:

(Screenshot: domain scan report)

The structure of the returned data is documented at https://github.com/dnif/lookup-virustotal

Retrieve IP address reports

Input required: the IP address for which you want to retrieve the report, as a valid IPv4 address in dotted-quad notation; for the time being only IPv4 addresses are supported, so IPv6 addresses must be filtered out before the lookup.

The query is as follows:

_fetch $SrcIP from threatsample limit 1
>>_lookup virustotal get_ip_report $SrcIP

Sample output:

(Screenshot: IP scan report)

The structure of the returned data is documented at https://github.com/dnif/lookup-virustotal

Retrieve file scan reports by MD5/SHA-1/SHA-256 hash

Input required: an MD5, SHA-1 or SHA-256 hash of the file. VirusTotal returns the most recent antivirus report for that sample.

The query is as follows:

_fetch $Filehash from threatsample limit 1
>>_lookup virustotal get_filehash_report $Filehash

Sample output:

(Screenshot: file scan report)
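As an added example that is not part of this post or of the DNIF plugin's code, the following Python shows the VirusTotal v2 report calls that the four lookups above wrap (url/report, domain/report, ip-address/report and file/report), together with the input rules stated for each lookup (absolute URL, domain name, IPv4 only, MD5/SHA-1/SHA-256) and the response handling a lookup plugin needs: response_code 1/0/-2 for found, never seen and still queued, HTTP 204 for an exhausted quota, and HTTP 403 for a bad key. It also covers the dnifconfig.yml step from the setup section by refusing the unreplaced <Add_your_api_key_here> placeholder. The function names, the assumption that VT_API_KEY sits on its own line under lookup_plugin, the 64-hex-character key format and the sample responses are this example's assumptions, not taken from the plugin.

```python
"""Added example (not the DNIF plugin's code): the VirusTotal v2 report calls
the four lookups wrap, with their input checks and response handling."""
import ipaddress
import json
import re
import urllib.error
import urllib.parse
import urllib.request

VT_V2 = "https://www.virustotal.com/vtapi/v2/"
PLACEHOLDER = "<Add_your_api_key_here>"
ENDPOINTS = {  # v2 endpoint and query-parameter name per indicator type
    "url": ("url/report", "resource"),
    "domain": ("domain/report", "domain"),
    "ip": ("ip-address/report", "ip"),
    "filehash": ("file/report", "resource"),
}


def load_api_key(config_text):
    """Read VT_API_KEY from dnifconfig.yml text and refuse the placeholder.
    Assumes a 'VT_API_KEY: <value>' line (plain regex, no PyYAML needed)."""
    m = re.search(r"^\s*VT_API_KEY:\s*(\S+)\s*$", config_text, re.M)
    if not m or m.group(1) == PLACEHOLDER:
        raise ValueError("VT_API_KEY is missing or still the placeholder")
    key = m.group(1).strip("'\"")
    if not re.fullmatch(r"[0-9a-f]{64}", key):  # assumed format: 64 hex chars
        raise ValueError("VT_API_KEY does not look like a VirusTotal API key")
    return key


def validate_indicator(kind, value):
    """Normalise one indicator or raise ValueError, per the input rules of each
    lookup: absolute http(s) URL, dotted domain, IPv4 only, MD5/SHA-1/SHA-256."""
    value = value.strip()
    if kind == "url":
        parts = urllib.parse.urlsplit(value)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError("URL must be absolute http(s)")
        return value
    if kind == "domain":
        if not re.fullmatch(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}", value.lower()):
            raise ValueError("not a domain name")
        return value.lower()
    if kind == "ip":
        try:  # v2 ip-address/report takes IPv4 only, so IPv6 is refused too
            return str(ipaddress.IPv4Address(value))
        except ipaddress.AddressValueError:
            raise ValueError("not a dotted-quad IPv4 address") from None
    if kind == "filehash":
        if not re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", value.lower()):
            raise ValueError("hash must be MD5, SHA-1 or SHA-256 hex")
        return value.lower()
    raise ValueError("unknown indicator kind %r" % kind)


def summarise_report(kind, report):
    """Reduce a v2 report to what an analyst triages on. response_code 1 =
    VirusTotal has the item, 0 = never seen, -2 = still queued. URL and file
    reports carry positives/total; domain and IP reports list detected URLs
    and samples instead, so a missing 'positives' must not read as clean."""
    code = report.get("response_code")
    if code == -2:
        return {"status": "queued"}
    if code != 1:
        return {"status": "unknown", "message": report.get("verbose_msg", "")}
    if kind in ("url", "filehash"):
        pos, total = report.get("positives", 0), report.get("total", 0)
        return {"status": "found", "positives": pos, "total": total,
                "malicious": pos > 0, "permalink": report.get("permalink")}
    hits = (len(report.get("detected_urls", []))
            + len(report.get("detected_downloaded_samples", [])))
    return {"status": "found", "detected": hits, "malicious": hits > 0}


def parse_response(kind, status, body):
    """Map an HTTP status and body to a summary. 204 means the key's quota is
    exhausted and 403 that the key is invalid; both raise rather than returning
    something that a downstream rule could mistake for a clean verdict."""
    if status == 204:
        raise RuntimeError("VirusTotal rate limit hit; back off and retry")
    if status == 403:
        raise RuntimeError("VirusTotal rejected the API key")
    if status != 200:
        raise RuntimeError("unexpected HTTP status %d from VirusTotal" % status)
    return summarise_report(kind, json.loads(body))


def fetch_report(api_key, kind, value):
    """GET one v2 report for a validated indicator (needs network access)."""
    path, param = ENDPOINTS[kind]
    query = urllib.parse.urlencode({"apikey": api_key,
                                    param: validate_indicator(kind, value)})
    try:
        with urllib.request.urlopen(VT_V2 + path + "?" + query, timeout=20) as r:
            return parse_response(kind, r.status, r.read())
    except urllib.error.HTTPError as err:  # 4xx/5xx arrive as exceptions
        return parse_response(kind, err.code, err.read())
```

Everything except fetch_report runs offline, so the indicator checks and the response handling can be tested with constructed reports before the key ever touches the network. The point of raising on 204 and 403 is that an automated rule keyed on "positives == 0" would otherwise treat a rate-limited or misconfigured lookup as a clean result; with a public key and the four-per-minute quota that failure mode is the normal case, not the exception.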

In the next blog post I'll describe how to detect malicious URLs with DNIF and VirusTotal.