icon-pdfDownload PDF lhs-panel
lhs-panel Click here to expand

VirusTotal

Advanced threat analytics add-on in EventLog Analyzer

Note: VirusTotal is one of the largest live threat feeds that consolidates risk scores of IPs, URLs, Domains, and files from a wide range of security vendors. This integration in EventLog Analyzer follows the Bring Your Own Key(BYOK) model. If you have bought VirusTotal access separately, you can use your API key and analyze threat sources in EventLog Analyzer.

VirusTotal terms of service:

Users can access VirusTotal API in two ways:

  1. Public API: Provides free access with specific limitations, including constraints on request frequency and access with lower priority.
  2. Premium API: Provides exclusive access without limitations on request frequency and prioritized access, complemented by additional benefits.

Recommendation: For business workflows it is recommended to use Premium API for integration.

To learn more about VirusTotal, their terms of service, privacy policy, and API usage, please visit their website.

Configuration

Note: Please refer to VirusTotal's privacy policy to understand how user-submitted data is utilized for analysis, as well as their policies on data processing, sharing, retention, and deletion.

Once you have purchased the Advanced Threat Analytics add-on and applied the license, head to the Advanced Threat Analytics page.

Navigation: Settings → Admin Settings → Management→ Threat Feeds→Advanced Threat Analytics → VirusTotal → Integrate

virustotal

To get the API key:

  1. Visit https://www.virustotal.com and sign up for a VirusTotal account.
  2. Sign in to VirusTotal and find your API key and go to your Username→ Settings→API Key.
  3. Use the API Key provided by VirusTotal for integrating with EventLog Analyzer.

    4. virustotal

  4. Paste the API key and click on Connect to finish configuring VirusTotal.

    5. virustotal

Analysis

In EventLog Analyzer, users can access the data from VirusTotal through the Incident Workbench. Learn how to invoke the Incident Workbench from different dashboards of EventLog Analyzer.

virustotal

Note: To understand the different terminologies used in the VirusTotal reports, please use the Help Card in the bottom left corner.

virustotal

Select any IP, URL, or Domain to analyze in the Workbench. You can access the following data:

  • VirusTotal Info

    This section contains the Detection Score of the Threat Source, which is the number of security vendors who have flagged the source as risky out of all the security vendors. Along with this, the basic details and the geo info of the Threat Source are also available.

    virustotal

  • Security Vendor analysis

    This section contains the individual analysis of 85+ security vendors such as SOCRadar, Fortinet, Forcepoint ThreatSeeker, and ArcSight Threat Intelligence.

    virustotal

    • Click on the search icon in the top left corner to filter based on Security Vendor, Analysis Category, and Analysis Result.

    virustotal

    Here are the Analysis Categories:

    • Malicious
    • Suspicious
    • Harmless
    • Undetected
    • Timeout

    virustotal

  • Whois Info

    This section contains the Whois information of the threat source domain.

    virustotal

  • SSL Certificate

    This section contains details of the SSL certificate issued to the Threat Source and who issued it.

    virustotal

  • Related Files

    This section maps the relationship of the files to the IP address in following ways:

    • Files communicating with the IP address
    • Files downloaded from the IP address
    • Files containing the IP address

    virustotal

    virustotal

  • Resolutions

    This section contains the past and current IP resolutions for a particular domain.

    virustotal

On this page

Copyright © 2020, ZOHO Corp. All Rights Reserved.

Get download link