Synapse-VirusTotal Admin Guide
Configuration
Synapse-VirusTotal requires a VirusTotal API key. For information on how to sign up, please visit the VirusTotal API documentation.
Setting API key for global use
To set up a global API key:
> virustotal.setup.apikey myapikey
Setting Synapse-VirusTotal API key for all users.
Using per-user API keys
A user may set up their own API key:
> virustotal.setup.apikey --self myapikey
Setting Synapse-VirusTotal API key for the current user.
Dependencies
Synapse-VirusTotal requires the following Power-Ups to be installed:
Name : synapse-fileparser
Version: >=4.2.1,<5.0.0
Desc : Synapse-FileParser is required for parsing VirusTotal YARA rules, which is a requirement for using the virustotal.livehunt.files command.
Synapse-VirusTotal will conflict with the following Power-Ups:
Name : vt
Version: any
Desc : Synapse-VirusTotal conflicts with a deprecated Power-Up named "virustotal".
Permissions
Package (synapse-virustotal) defines the following permissions:
power-ups.virustotal.user : Controls user access to Synapse-VirusTotal. ( default: false )
You may add rules to users/roles directly from storm:
> auth.user.addrule visi power-ups.virustotal.user
Added rule power-ups.virustotal.user to user visi.
or:
> auth.role.addrule ninjas power-ups.virustotal.user
Added rule power-ups.virustotal.user to role ninjas.
Exported APIs
Synapse-VirusTotal does not currently export any APIs.
Node Actions
Synapse-VirusTotal provides the following node actions in Optic:
Name : communicating files
Desc : Get communicating files data from VirusTotal
Forms: inet:fqdn, inet:ipv4
Name : downloaded files
Desc : Get downloaded files data from VirusTotal
Forms: inet:fqdn, inet:ipv4, inet:url
Name : enrich
Desc : Get report data from VirusTotal
Forms: file:bytes, hash:md5, hash:sha1, hash:sha256, inet:fqdn, inet:ipv4, inet:url
Name : pdns
Desc : Get passive DNS information from VirusTotal
Forms: inet:fqdn, inet:ipv4
Name : urls
Desc : Get URLs data from VirusTotal
Forms: inet:fqdn, inet:ipv4
Name : file behavior
Desc : Get sandbox execution data from VirusTotal
Forms: file:bytes, hash:md5, hash:sha1, hash:sha256
Name : file download
Desc : Download file bytes from VirusTotal
Forms: file:bytes, hash:md5, hash:sha1, hash:sha256
Name : file report
Desc : Get file report data from VirusTotal
Forms: file:bytes, hash:md5, hash:sha1, hash:sha256
Name : in the wild URLs
Desc : Get "in the wild" URL data from VirusTotal
Forms: file:bytes, hash:md5, hash:sha1, hash:sha256
Name : ssl history
Desc : Get historical SSL certificate data from VirusTotal
Forms: inet:fqdn, inet:ipv4
Name : whois history
Desc : Get historical WHOIS records from VirusTotal
Forms: inet:fqdn, inet:ipv4
Onload Events
Synapse-VirusTotal does not use any onload events.
On-demand Migrations
AV Hit Migration
To run the migration across all views, use the query yield $lib.import(virustotal).migrateAvHit(). Views are migrated in dependency order, and no nodes will be yielded.
Alternatively, yield $lib.import(virustotal).migrateAvHit(global=$lib.false) will run the migration in the current view only. The migrated nodes will be yielded from the query.
This function will migrate the following nodes:
it:av:filehit nodes created from sample reports to it:av:scan:result, which includes copying edges and tags. Note that the migrated it:av:scan:result nodes will not deconflict with those created from subsequent command runs.
URL/FQDN/IPv4 AV scan results captured as meta:rule nodes to it:av:scan:result. Edges and tags are not copied, and the migrated it:av:scan:result nodes will not deconflict with those created from subsequent command runs.