In this installment of the Tips and Insights series, Todd Bane explains the capabilities of the FireEye Security Orchestrator (FSO) VirusTotal plugin.
Hi, my name is Todd Bane and I'm a Technical Initiatives Manager here at FireEye's Deployment and Integration Group. Today I'm going to show you the capabilities of the FireEye Security Orchestrator VirusTotal plug-in. Let's begin.

When leveraging this plug-in in a course of action, a VirusTotal account with an associated API key will be required to perform any interactions with the API. This will need to be supplied when creating the device in FSO. The FSO VirusTotal plug-in leverages VT's API command set. This command set consists of lookupindicator, downloadFileByHash and submitFile.

The lookupindicator command allows submission types as input parameters such as domains, fileHashes (MD5, SHA-1 and SHA-256), IPAddresses and urlValues. The input parameters also include:

- suspiciousTriggercount, which details the minimum hit count to flag domains suspicious. The default is set to three.
- rawJSON, where if true, the command will only return the JSON for the results, allowing the playbook custom scripts to parse and filter fields as required.
- forceScan, where if true, the plug-in will automatically submit the resource for analysis if no report is found for it in the VirusTotal database.
- maxResolutions, which is the maximum number of latest passive DNS resolutions.

Available output parameters of the plug-in are:

- VTLookUp, which is the VirusTotal response for look-up indicators.
- rawJSON, which is the VirusTotal response in JSON format.
- hasSuspiciousObject, which is a boolean response to whether there was a suspicious global object.
- success, which is a boolean response to the status of execution.
- statusMsg, which is a user-friendly status to display or pass along in the course of action.

I will now show an example of an indicator look-up with this plug-in, based on an event from an abuse mail inbox course of action. Here in the recent activity we can see an example of the VirusTotal look-up performed through an abuse mail inbox look-up. In this course of action, an abuse email inbox is when a user submits a phishing email for analysis. The email is pulled, information is extracted out of the email and submitted to VirusTotal. In this example we performed a domain lookup. And here we can see the VirusTotal response from that domain look-up.

I hope you found this demonstration useful in assisting with your automation efforts. Stay tuned for more FireEye Tips and Insights.
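As an added example (not code from FireEye's FSO plug-in and not a VirusTotal client), the Python below emulates the lookupindicator input and output parameters described in the transcript over a constructed domain report, so a playbook author can see how suspiciousTriggercount, rawJSON, forceScan and maxResolutions shape what the course of action receives. It makes no network call; the report layout loosely follows a VirusTotal v2 domain report but every value is constructed, and the function name `lookup_indicator`, the hit-counting rule (a hit is a URL on the domain flagged by at least one engine) and the VTLookUp summary fields are assumptions, since the plug-in's internals are not public.

```python
import json

# Constructed sample report; the shape loosely follows a VirusTotal v2
# domain report, but every value here is made up for this example.
SAMPLE_DOMAIN_REPORT = {
    "response_code": 1,
    "verbose_msg": "Domain found in dataset",
    "detected_urls": [
        {"url": "http://example.invalid/login", "positives": 12, "total": 70,
         "scan_date": "2020-01-01 00:00:00"},
        {"url": "http://example.invalid/update.exe", "positives": 5, "total": 70,
         "scan_date": "2020-01-02 00:00:00"},
        {"url": "http://example.invalid/", "positives": 1, "total": 70,
         "scan_date": "2020-01-03 00:00:00"},
    ],
    "resolutions": [
        {"ip_address": "192.0.2.12", "last_resolved": "2020-01-01 00:00:00"},
        {"ip_address": "192.0.2.10", "last_resolved": "2020-01-03 00:00:00"},
        {"ip_address": "192.0.2.13", "last_resolved": "2019-12-31 00:00:00"},
        {"ip_address": "192.0.2.11", "last_resolved": "2020-01-02 00:00:00"},
    ],
}

# Constructed "no report" response (response_code 0 is how VT v2 signals that).
NOT_FOUND_REPORT = {"response_code": 0, "verbose_msg": "Domain not found in dataset"}


def lookup_indicator(report, suspiciousTriggercount=3, rawJSON=False,
                     forceScan=False, maxResolutions=2):
    """Emulate the lookupindicator output parameters for one domain report.

    `report` stands in for the VirusTotal response the plug-in would fetch;
    nothing is fetched here. Returns the five output parameters named in the
    transcript: VTLookUp, rawJSON, hasSuspiciousObject, success, statusMsg.
    """
    result = {"VTLookUp": None, "rawJSON": None, "hasSuspiciousObject": False,
              "success": False, "statusMsg": ""}

    # No report in the VT database: forceScan decides whether that is a
    # failure or a (simulated) submission of the resource for analysis.
    if report.get("response_code") != 1:
        if forceScan:
            result["success"] = True
            result["statusMsg"] = "No report found; resource submitted for analysis (forceScan)"
        else:
            result["statusMsg"] = "No report found for indicator"
        return result

    # Assumption: a "hit" is a URL on the domain that at least one engine flagged.
    detected = report.get("detected_urls", [])
    hits = sum(1 for u in detected if u.get("positives", 0) > 0)
    result["hasSuspiciousObject"] = hits >= suspiciousTriggercount
    result["success"] = True

    # rawJSON=True: hand back only the JSON so a custom script can parse it.
    if rawJSON:
        result["rawJSON"] = json.dumps(report)
        result["statusMsg"] = f"Raw VirusTotal JSON returned ({hits} detected URL(s))"
        return result

    # Keep only the latest maxResolutions passive DNS resolutions.
    resolutions = sorted(report.get("resolutions", []),
                         key=lambda r: r.get("last_resolved", ""), reverse=True)
    result["VTLookUp"] = {
        "detected_url_count": hits,
        "max_positives": max((u.get("positives", 0) for u in detected), default=0),
        "latest_resolutions": resolutions[:maxResolutions],
    }
    result["statusMsg"] = (f"{hits} detected URL(s); threshold {suspiciousTriggercount}; "
                           f"suspicious={result['hasSuspiciousObject']}")
    return result


if __name__ == "__main__":
    # Default threshold of three: the constructed domain has three flagged URLs.
    print(json.dumps(lookup_indicator(SAMPLE_DOMAIN_REPORT), indent=2))
```

With the default suspiciousTriggercount of three, the constructed domain trips hasSuspiciousObject because three of its URLs carry detections; raising the threshold to four clears it, which is the knob a playbook author tunes to keep low-signal domains from flooding the abuse-mailbox course of action with false positives.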