At VirusTotal we are actively working on expanding integrations with the most popular tools used by the infosec community.
Today we are thrilled to announce tighter integration with MISP through our most recent feature to track threat campaigns and malware toolkits, VT Collections. We have created two new workflows:
The ability to export VT Collections to STIX 2, a well-known threat intel exchange format.
Functionality to create a collection from IoCs contained in a MISP Event.
This will allow the exchange of IoCs bidirectionally between MISP and VirusTotal.
VT Collection to MISP
You can export all IOCs contained in a collection using the top-right corner export icon, click on it and select Download all IoCs as STIX:
This will generate a json file that can be imported into MISP using the left menu option, Import from…
MISP Event to VT Collection
To tackle this part of the workflow we have developed a new MISP Module called VirusTotal Collections. This module uses the event exporting option to send IoCs to VirusTotal and create the collection.
To create a collection from a MISP Event you can use the Download as… button while inspecting an Event, choose VirusTotal Collections as an export format option.
After a few seconds you will get a text file confirming the export process has finished. In the text file you can find the url of the new collection.
And that’s it. If you are a MISP user, ping your MISP instance admin to activate the export module and tell us what you think about this integration in this form (2 minutes).
With Palo Alto Networks’ Cortex XSOAR as your champion and VirusTotal as the sharpened blade, your SOC will decimate threats and reduce analyst strain. Together, VirusTotal and Cortex XSOAR enable your security and IT teams to discover context and solve incidents in a cost effective way.
Join us next March 31stfor an expert-led discussion on leveraging threat intelligence in your SOC. Register here.
VirusTotal Cortex XSOAR packs enable you to:
Orchestrate custom threat feeds through Cortex XSOAR to perform live IoC matching and launch retroactive threat hunts from your SIEM or historical log archives.
Leverage improved and early detection with crowdsourced {Yara, SIGMA, IDS} threat reputation for files, domains, IPs, and URLs.
Streamline your triage process with prioritized SOC alerts based on severity and threat categories.
Inform your EDR platform by feeding it highly relevant and undetected threats identified with VirusTotal YARA.
Not only that. Our new improved VirusTotal packs allow you to create custom IOC feeds. You can simply create your own VT Hunting Livehunt rules and feed them into XSOAR. Here you can learn how:
Check out the four XSOAR VirusTotal content packs and discover which is right for you, and try one for free through the Cortex XSOAR Marketplace platform. New to Cortex XSOAR? Download the Community Edition to discover how VirusTotal and XSOAR can work for you!
Building a Champion SOC
The quest to best protect an organization requires several top-of-the-line weapons for an analyst to wield. To handle the daily torrent of alerts and threats, security teams need access to the sharpest, most up-to-date threat intelligence to provide the missing critical pieces of information like files, URLs, domains, and more. Unfortunately, security teams rarely have the time or resources to maintain a full arsenal of rich, ingestible intelligence.
To provide security teams with the best tools to combat threat actors, VirusTotal and Cortex XSOAR are thrilled to streamline threat intelligence through the Cortex XSOAR Marketplace. As one of the largest threat intelligence services in the world, VirusTotal is expanding its research, enrichment, and malware hunting capabilities to XSOAR - a market leading Security Orchestration Automation and Response platform for unified case management, automation, and real time collaboration.
With one click installation, your security team can easily and accurately pull the necessary context to surface threats in your system. Subscribe to VirusTotal from the XSOAR Marketplace to access the VirusTotal API directly for critical context regarding your incident response and alert management. With advanced orchestration from Cortex XSOAR, your SOC can create custom threat feeds and very easily plug them straight into your security stack to search for both current and retroactive breaches.
VirusTotal offers four content packs each with a monthly allotment of lookups. Starter gives 5,000 lookups per month, Respond gives 150,000, Enrich gives 1 million, and Triage gives 100 million. Leverage these powerful solutions to seamlessly enrich your alerts with cost-effective confidence. Furthermore, IoC matching is driven by the real-time view of the threat landscape as seen by VirusTotal, powered by millions of users each month. This unparalleled enrichment provides confident, accurate context for unrivaled global visibility into threats.
As a final note, please note that both Palo Alto Networks Cortex XSOAR Marketplace points customers and any other user can still provision custom premium API keys from VirusTotal and operate XSOAR with these. The new VirusTotal XSOAR packs do not replace existing workflows or licensing options.