VirusTotal - URL reputation check
Playbook Description
This playbook checks the reputation of a URL with VirusTotal, calculates its risk score and fetches the malicious URL list. It then fetches the file hash associated with the URL; if a hash is found, it checks the hash's reputation and risk score, fetches the malicious file list and validates the file reputation response.
MITRE D3FEND mapping
| Tactics | Techniques |
|---|---|
| D3-Detect | D3-UA |
Playbook input type
Log
Prerequisites
Basic license
Playbook creation input
connectionName - Connection name of VirusTotal
Dependencies
Extensions - VirusTotal
- virustotal_urlReputation
- virustotal_fileReputation
- virustotal_calculateRiskScore
Connections
VirusTotal connection - Connects to the VirusTotal API using the API (access) key configured in the connection, which the playbook needs to look up URL and file reputation.
Execution workflow
- Checks the URL reputation.
- Calculates the risk score.
- Fetches the malicious URL list.
- Fetches the file hash associated with the URL.
- If a file hash exists, checks the file hash reputation.
- Checks the file hash risk score.
- Fetches the malicious file list.
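The workflow above, as an added example that is not the playbook's own code: it follows the steps in order against responses shaped like VirusTotal API v3 objects (`last_analysis_stats`, `last_analysis_results`). Everything below is constructed: the sample URLs, the engine names, the file hash, the `OfflineClient` that stands in for HTTP calls, the risk-score formula and its verdict thresholds are all assumptions, and the `downloaded_files` relationship is the assumed way of turning a URL into a file hash. It also covers the two branches the page only implies, a URL with no associated file and a URL VirusTotal has never seen.

```python
import base64
import hashlib
from typing import Any, Dict, List, Optional

# ---- Constructed sample data in VirusTotal API v3 response shape (not real lookups) ----
SAMPLE_URL = "http://example.test/download/invoice.exe"      # assumed malicious URL
SAMPLE_CLEAN_URL = "http://example.test/index.html"          # assumed benign URL
SAMPLE_SHA256 = hashlib.sha256(b"constructed sample file bytes").hexdigest()


def vt_url_id(url: str) -> str:
    """VirusTotal v3 addresses a URL object by the unpadded base64url form of the URL."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


def _results(spec: Dict[str, int]) -> Dict[str, Dict[str, str]]:
    """Expand {"malicious": 3, ...} into per-engine verdicts with constructed engine names."""
    return {f"{cat}-engine-{i}": {"category": cat, "result": cat}
            for cat, n in spec.items() for i in range(n)}


def stats_from_results(results: Dict[str, Dict[str, str]]) -> Dict[str, int]:
    """Rebuild last_analysis_stats from last_analysis_results so both stay consistent."""
    stats: Dict[str, int] = {}
    for v in results.values():
        stats[v["category"]] = stats.get(v["category"], 0) + 1
    return stats


def _report(kind: str, obj_id: str, spec: Dict[str, int]) -> Dict[str, Any]:
    results = _results(spec)
    return {"data": {"type": kind, "id": obj_id, "attributes": {
        "last_analysis_stats": stats_from_results(results),
        "last_analysis_results": results}}}


class OfflineClient:
    """Stand-in for an HTTP client (assumption). A real one would GET
    https://www.virustotal.com/api/v3 + path with an 'x-apikey' header."""
    def __init__(self) -> None:
        bad_id, clean_id = vt_url_id(SAMPLE_URL), vt_url_id(SAMPLE_CLEAN_URL)
        self._routes = {
            f"/urls/{bad_id}": _report("url", bad_id, {"malicious": 3, "suspicious": 1, "harmless": 4, "undetected": 2}),
            f"/urls/{bad_id}/downloaded_files": {"data": [{"type": "file", "id": SAMPLE_SHA256}]},
            f"/files/{SAMPLE_SHA256}": _report("file", SAMPLE_SHA256, {"malicious": 5, "undetected": 2, "timeout": 1}),
            f"/urls/{clean_id}": _report("url", clean_id, {"harmless": 8, "undetected": 2}),
            f"/urls/{clean_id}/downloaded_files": {"data": []},
        }

    def get(self, path: str) -> Optional[Dict[str, Any]]:
        return self._routes.get(path)   # None stands for an HTTP 404 (object unknown to VirusTotal)


def risk_score(stats: Dict[str, int]) -> int:
    """Assumed scoring: percentage of completed engines flagging the object, with
    'suspicious' counted at half weight; timed-out engines are left out of the denominator."""
    total = sum(stats.get(k, 0) for k in ("harmless", "malicious", "suspicious", "undetected"))
    if total == 0:
        return 0
    return round(100 * (stats.get("malicious", 0) + 0.5 * stats.get("suspicious", 0)) / total)


def verdict(score: int) -> str:
    """Assumed thresholds for turning the score into a verdict."""
    return "malicious" if score >= 10 else "suspicious" if score >= 3 else "clean"


def flagged_engines(results: Dict[str, Dict[str, str]]) -> List[str]:
    """The 'malicious list': engines whose category is malicious or suspicious."""
    return sorted(n for n, v in results.items() if v["category"] in ("malicious", "suspicious"))


def run_playbook(url: str, client: OfflineClient) -> Dict[str, Any]:
    """URL reputation -> risk score -> flagged engines -> file hash -> file reputation."""
    out: Dict[str, Any] = {"url": url, "file_hash": None, "file_score": None,
                           "file_verdict": None, "file_flagged": []}
    url_report = client.get(f"/urls/{vt_url_id(url)}")
    if url_report is None:                        # never seen by VirusTotal: nothing to score
        out.update(url_score=None, url_verdict="unknown", url_flagged=[])
        return out
    attrs = url_report["data"]["attributes"]
    out["url_score"] = risk_score(attrs["last_analysis_stats"])
    out["url_verdict"] = verdict(out["url_score"])
    out["url_flagged"] = flagged_engines(attrs["last_analysis_results"])

    # "Fetches the file hash associated with the URL": assumed to be the downloaded_files relationship.
    files = (client.get(f"/urls/{vt_url_id(url)}/downloaded_files") or {}).get("data", [])
    if not files:
        return out                                 # no hash found -> file branch is skipped
    sha256 = files[0]["id"]
    out["file_hash"] = sha256
    file_report = client.get(f"/files/{sha256}")
    if file_report is None:
        out["file_verdict"] = "unknown"
        return out
    fattrs = file_report["data"]["attributes"]
    out["file_score"] = risk_score(fattrs["last_analysis_stats"])
    out["file_verdict"] = verdict(out["file_score"])
    out["file_flagged"] = flagged_engines(fattrs["last_analysis_results"])
    return out


if __name__ == "__main__":
    for u in (SAMPLE_URL, SAMPLE_CLEAN_URL):
        print(run_playbook(u, OfflineClient()))
```

The point of keeping `risk_score` and `verdict` separate from the lookups is that the thresholds are the part an analyst tunes per tenant; a URL with one hit among sixty engines and one with twelve hits should not land in the same bucket, and timed-out engines should not dilute the score.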
Post execution procedure
- Verify the results: confirm that the URL reputation, its risk score and the malicious URL list were returned, and, where a file hash was found, that the file hash reputation, its risk score and the malicious file list were returned as well.
- Validate the file reputation response: check that the file hash returned by the URL lookup is the one whose reputation was checked, and that the response is complete before acting on its verdict.
- Handling false positives: if subsequent analysis determines that the URL or file is not malicious, reverse any action taken on the basis of this playbook's verdict.