Thursday, November 04, 2021

Automate and Augment Case Management, Threat Intelligence and Enrichment

One of the most common use cases for integrating Threat Intelligence into your security stack revolves around enriching threat data. This helps incident responders, SOC analysts and threat intel teams properly assess how bad the situation is and what to do next. Unfortunately, the data we use for alert triaging is often too simplistic. Threat intelligence should be compliant, actionable, relatable and easy, but it should also provide the full context when it is needed.

In our previous post we introduced VT Augment as our solution to help integrate VirusTotal's full contextual data into third-party products. Swimlane was one of the first to integrate VT Augment into their solution, and today we want to discuss how to leverage such integrations in your day-to-day operations.

But before we continue, we encourage you to join us on November 10, 2021 at 4pm UTC for our joint webinar with Swimlane to learn more on this topic.

Automating response to threats

Orchestration, automation and response (SOAR) capabilities are adopted and required in most security stacks. They automate common tasks such as enriching threat alerts, and can also automate the response when integrated with additional tools. For the examples in this post, we will be using Swimlane, which integrates VirusTotal.

A typical case would be automating the response to suspicious indicators (hash, URL, IP or domain) showing up in our detection systems. For instance, a first simple approach for quick triage would be to create a workflow based on the number of AV detections, just to make sure the incident is automatically remediated before proceeding with a deeper investigation, if needed.

It could be that these first signals are not strong enough to make an educated decision. Analysts would then need additional context, which in this case is provided by VT Augment. The following capture shows how VirusTotal enriches the domain information available to the analyst, showing the IPs it resolved to, detected URLs and Whois information, among others:

Depending on the type of IOC there will be different information available. For instance, for a suspicious file an analyst might be interested in checking for specific AV verdicts in order to understand what kind of threat it represents. Other less technical information such as the first time it was seen in VirusTotal can also be useful to understand if we are handling a potential new threat.
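The triage flow described above can be sketched as follows. This is an added example, not Swimlane's or VirusTotal's own workflow: it assumes a file report shaped like a VirusTotal API v3 response (`last_analysis_stats`, `first_submission_date`), and the thresholds, function names and sample reports are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumed thresholds, not values from the post: tune them for your environment.
REMEDIATE_AT = 10                     # detections >= this: remediate automatically
ESCALATE_AT = 1                       # detections >= this: send to an analyst
NEW_THREAT_WINDOW = timedelta(days=7)  # "first seen" age that counts as new

def triage(report, now):
    """Return (action, reasons) for a VirusTotal API v3 style file report."""
    attrs = report.get("data", {}).get("attributes", {})
    stats = attrs.get("last_analysis_stats")
    if not stats:
        # No verdicts at all (unknown or unanalysed file): never auto-close.
        return "escalate", ["no analysis results available"]
    # Design choice: suspicious verdicts count as detections.
    detections = stats.get("malicious", 0) + stats.get("suspicious", 0)
    reasons = [f"{detections}/{sum(stats.values())} engines flagged the file"]
    is_new = False
    first_seen = attrs.get("first_submission_date")  # epoch seconds
    if first_seen is not None:
        age = now - datetime.fromtimestamp(first_seen, tz=timezone.utc)
        is_new = age <= NEW_THREAT_WINDOW
        if is_new:
            reasons.append(f"first seen {age.days} day(s) ago")
    if detections >= REMEDIATE_AT:
        return "remediate", reasons
    if detections >= ESCALATE_AT or is_new:
        # Weak or fresh signal: an analyst needs the enriched context.
        return "escalate", reasons
    return "close", reasons

NOW = datetime(2021, 11, 4, tzinfo=timezone.utc)  # constructed reference time

def make_report(malicious, suspicious, undetected, first_seen):
    """Build a constructed sample report; not real VirusTotal data."""
    stats = {"malicious": malicious, "suspicious": suspicious,
             "undetected": undetected, "harmless": 0}
    return {"data": {"attributes": {"last_analysis_stats": stats,
            "first_submission_date": int(first_seen.timestamp())}}}

SAMPLES = {  # constructed inputs covering each branch
    "commodity": make_report(41, 2, 25, NOW - timedelta(days=400)),
    "fresh_low": make_report(0, 0, 60, NOW - timedelta(days=1)),
    "old_clean": make_report(0, 0, 68, NOW - timedelta(days=900)),
    "unknown": {"data": {"attributes": {}}},
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, *triage(sample, NOW))
```

A file with zero detections is still escalated when it was first seen within the window, since a clean verdict on a day-old sample is weak evidence.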

Integrating contextual threat intelligence where needed

VirusTotal integrates with dozens of vendors. Some notable examples include CrowdStrike Falcon, which uses a dedicated plugin, and Google Workspace Alert Center. Ultimately, VT Augment and the VT API allow integration with any system, helping organise workflows to properly respond to any threat.


Threat Intelligence data should be relevant in the context in which it is being used. Automating routine tasks using the right indicators helps mitigate most cases automatically. This should be complemented by putting all the relevant information at the fingertips of the analysts so they can make the right decisions.

We keep working on providing contextual threat intelligence data that makes a difference to our partners in the security industry. If you need help integrating VirusTotal in your product, please let us know.

Happy hunting!

