Synapse-VirusTotal Admin Guide

Configuration

Synapse-VirusTotal requires a VirusTotal API key. For information on how to sign up, please visit the VirusTotal API documentation.

Setting API key for global use

To set up a global API key:

> virustotal.setup.apikey myapikey
Setting Synapse-VirusTotal API key for all users.

Using per-user API keys

A user may set up their own API key:

> virustotal.setup.apikey --self myapikey
Setting Synapse-VirusTotal API key for the current user.

Dependencies

Synapse-VirusTotal requires the following Power-Ups to be installed:

Name   : synapse-fileparser
Version: >=4.2.1,<5.0.0
Desc   : Synapse-FileParser is required for parsing VirusTotal YARA rules, which is a
requirement for using the virustotal.livehunt.files command.

Synapse-VirusTotal will conflict with the following Power-Ups:

Name   : vt
Version: any
Desc   : Synapse-VirusTotal conflicts with a deprecated Power-Up named "virustotal".

Permissions

Package (synapse-virustotal) defines the following permissions:
power-ups.virustotal.user        : Controls user access to Synapse-VirusTotal. ( default: false )

You may add rules to users/roles directly from storm:

> auth.user.addrule visi power-ups.virustotal.user
Added rule power-ups.virustotal.user to user visi.

or:

> auth.role.addrule ninjas power-ups.virustotal.user
Added rule power-ups.virustotal.user to role ninjas.

Exported APIs

Synapse-VirusTotal does not currently export any APIs.

Node Actions

Synapse-VirusTotal provides the following node actions in Optic:

Name : communicating files
Desc : Get communicating files data from VirusTotal
Forms: inet:fqdn, inet:ipv4

Name : downloaded files
Desc : Get downloaded files data from VirusTotal
Forms: inet:fqdn, inet:ipv4, inet:url

Name : enrich
Desc : Get report data from VirusTotal
Forms: file:bytes, hash:md5, hash:sha1, hash:sha256, inet:fqdn, inet:ipv4, inet:url

Name : pdns
Desc : Get passive DNS information from VirusTotal
Forms: inet:fqdn, inet:ipv4

Name : urls
Desc : Get URLs data from VirusTotal
Forms: inet:fqdn, inet:ipv4

Name : file behavior
Desc : Get sandbox execution data from VirusTotal
Forms: file:bytes, hash:md5, hash:sha1, hash:sha256

Name : file download
Desc : Download file bytes from VirusTotal
Forms: file:bytes, hash:md5, hash:sha1, hash:sha256

Name : file report
Desc : Get file report data from VirusTotal
Forms: file:bytes, hash:md5, hash:sha1, hash:sha256

Name : in the wild URLs
Desc : Get "in the wild" URL data from VirusTotal
Forms: file:bytes, hash:md5, hash:sha1, hash:sha256

Name : ssl history
Desc : Get historical SSL certificate data from VirusTotal
Forms: inet:fqdn, inet:ipv4

Name : whois history
Desc : Get historical WHOIS records from VirusTotal
Forms: inet:fqdn, inet:ipv4

Onload Events

Synapse-VirusTotal uses the onload event to run required data migrations.

On-demand Migrations

AV Hit Migration

The previously available migrateAvHit() function in the virustotal module has been deprecated. It performs no migration and simply prints a warning message indicating that the it:av:filehit migration is now automatic.