Synapse-VirusTotal Admin Guide

Configuration

Synapse-VirusTotal requires a VirusTotal API key. For information on how to sign up, please visit the VirusTotal API documentation.

Setting API key for global use

To set up a global API key:

> virustotal.setup.apikey myapikey
Setting Synapse-VirusTotal API key for all users.

Using per-user API keys

A user may set up their own API key:

> virustotal.setup.apikey --self myapikey
Setting Synapse-VirusTotal API key for the current user.

Dependencies

Synapse-VirusTotal requires the following Power-Ups to be installed:

Name   : synapse-fileparser
Version: >=4.2.1,<5.0.0
Desc   : Synapse-FileParser is required for parsing VirusTotal YARA rules, which is a requirement for using the virustotal.livehunt.files command.

Synapse-VirusTotal will conflict with the following Power-Ups:

Name   : vt
Version: any
Desc   : Synapse-VirusTotal conflicts with a deprecated Power-Up named "virustotal".

Permissions

Package (synapse-virustotal) defines the following permissions:
power-ups.virustotal.user        : Controls user access to Synapse-VirusTotal. ( default: false )

You may add rules to users/roles directly from storm:

> auth.user.addrule visi power-ups.virustotal.user
Added rule power-ups.virustotal.user to user visi.

or:

> auth.role.addrule ninjas power-ups.virustotal.user
Added rule power-ups.virustotal.user to role ninjas.

Exported APIs

Synapse-VirusTotal does not currently export any APIs.

Node Actions

Synapse-VirusTotal provides the following node actions in Optic:

Name : communicating files
Desc : Get communicating files data from VirusTotal
Forms: inet:fqdn, inet:ipv4

Name : downloaded files
Desc : Get downloaded files data from VirusTotal
Forms: inet:fqdn, inet:ipv4, inet:url

Name : enrich
Desc : Get report data from VirusTotal
Forms: file:bytes, hash:md5, hash:sha1, hash:sha256, inet:fqdn, inet:ipv4, inet:url

Name : pdns
Desc : Get passive DNS information from VirusTotal
Forms: inet:fqdn, inet:ipv4

Name : urls
Desc : Get URLs data from VirusTotal
Forms: inet:fqdn, inet:ipv4

Name : file behavior
Desc : Get sandbox execution data from VirusTotal
Forms: file:bytes, hash:md5, hash:sha1, hash:sha256

Name : file download
Desc : Download file bytes from VirusTotal
Forms: file:bytes, hash:md5, hash:sha1, hash:sha256

Name : file report
Desc : Get file report data from VirusTotal
Forms: file:bytes, hash:md5, hash:sha1, hash:sha256

Name : in the wild URLs
Desc : Get "in the wild" URL data from VirusTotal
Forms: file:bytes, hash:md5, hash:sha1, hash:sha256

Name : ssl history
Desc : Get historical SSL certificate data from VirusTotal
Forms: inet:fqdn, inet:ipv4

Name : whois history
Desc : Get historical WHOIS records from VirusTotal
Forms: inet:fqdn, inet:ipv4

Onload Events

Synapse-VirusTotal does not use any onload events.

On-demand Migrations

AV Hit Migration

To run the migration across all views:

> yield $lib.import(virustotal).migrateAvHit()

Views are migrated in dependency order, and no nodes will be yielded.

Alternatively, to run the migration in the current view only:

> yield $lib.import(virustotal).migrateAvHit(global=$lib.false)

The migrated nodes will be yielded from the query.

This function will migrate the following nodes:

  • it:av:filehit nodes created from sample reports to it:av:scan:result, which includes copying edges and tags. Note that the migrated it:av:scan:result nodes will not deconflict with those created from subsequent command runs.

  • URL/FQDN/IPv4 AV scan results captured as meta:rule nodes to it:av:scan:result. Edges and tags are not copied, and the migrated it:av:scan:result nodes will not deconflict with those created from subsequent command runs.
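The per-view form of the migration yields the migrated nodes, which makes it possible to check the run from outside the Cortex: count what came back by form, confirm that only it:av:scan:result nodes were produced, and catch any Storm errors. The following is an added example and is not part of the Synapse-VirusTotal Power-Up or its documentation. It assumes the Cortex is reachable over a Telepath URL (the tcp://user:pass@host:port/ form), that the connecting user holds power-ups.virustotal.user, and that the Storm message stream has the standard Synapse layout ('node', ((form, valu), info)), ('print', {'mesg': ...}), ('err', (name, info)), ('fini', {...}); the sample message list at the bottom is constructed so the summary can be exercised without a Cortex.

```python
"""Run the Synapse-VirusTotal AV hit migration in one view and summarize it.

Added example, not part of the Power-Up. Assumes a Telepath-reachable Cortex,
a user with power-ups.virustotal.user, and the standard Storm message layout.
"""
import asyncio
from collections import Counter

# Queries from the admin guide. global=$lib.false limits the run to one view
# and makes the migrated nodes come back on the message stream.
MIGRATE_VIEW_QUERY = 'yield $lib.import(virustotal).migrateAvHit(global=$lib.false)'
MIGRATE_ALL_QUERY = 'yield $lib.import(virustotal).migrateAvHit()'

# The only form the migration documents as its output.
EXPECTED_FORMS = ('it:av:scan:result',)


def summarize_storm_messages(mesgs):
    """Tally a Storm message stream into a small report dict.

    Returns {'forms': Counter, 'errors': [...], 'prints': [...], 'fini': dict|None}.
    """
    report = {'forms': Counter(), 'errors': [], 'prints': [], 'fini': None}
    for mtype, data in mesgs:
        if mtype == 'node':
            (form, _valu), _info = data
            report['forms'][form] += 1
        elif mtype == 'err':
            report['errors'].append(data)
        elif mtype == 'print':
            report['prints'].append(data.get('mesg', ''))
        elif mtype == 'fini':
            report['fini'] = data
    return report


def unexpected_forms(report, expected=EXPECTED_FORMS):
    """Forms that appeared in the stream but are not a documented migration target."""
    return sorted(f for f in report['forms'] if f not in expected)


async def run_migration(cortex_url, view=None):
    """Run the per-view migration over Telepath and return the summarized report.

    view: optional view iden to run in; None uses the connecting user's default view.
    The synapse package is imported here so the module loads without it.
    """
    import synapse.telepath as s_telepath

    opts = {'view': view} if view else {}
    async with await s_telepath.openurl(cortex_url) as core:
        mesgs = [m async for m in core.storm(MIGRATE_VIEW_QUERY, opts=opts)]
    return summarize_storm_messages(mesgs)


# Constructed sample stream (not real Cortex output); guids are placeholders.
SAMPLE_MESGS = [
    ('print', {'mesg': 'migrating 2 it:av:filehit nodes'}),
    ('node', (('it:av:scan:result', '0' * 32), {'tags': {}, 'props': {}})),
    ('node', (('it:av:scan:result', '1' * 32), {'tags': {}, 'props': {}})),
    ('fini', {'tookms': 12, 'count': 2}),
]

if __name__ == '__main__':
    rep = summarize_storm_messages(SAMPLE_MESGS)
    print(dict(rep['forms']), rep['errors'], unexpected_forms(rep))
    # To run against a live Cortex (assumed URL and view iden):
    # asyncio.run(run_migration('tcp://user:pass@cortex.example:27492/', view=None))
```

Running it against a live Cortex means calling run_migration with the Telepath URL and, optionally, the iden of the view to migrate; an empty unexpected_forms result together with an empty errors list is the check that the run produced only the documented it:av:scan:result nodes. Because the guide notes the migrated nodes do not deconflict with nodes created by later command runs, the per-form count from a second run is also a quick way to spot duplicate results.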