Wednesday, April 20, 2022

VirusTotal's MISP modules get a fresh upgrade

TL;DR: We upgraded the VirusTotal MISP modules and added new relationships.

Historically, VirusTotal has integrated with MISP through two modules (one for the public API and one for VT Enterprise subscriptions), created and maintained by the community. They enrich indicators in the MISP platform with additional context. In addition, we contributed a module that exports MISP events to VTGraph and, more recently, one that exports events to VTCollections.

The freshly upgraded modules (VirusTotal and VirusTotal Public) were migrated from the old API v2 to v3. This allowed us to improve the data returned per indicator, adding a detection ratio for IP addresses and domains, and to add more relationships and attributes.

The following table summarizes the attributes provided by the freshly upgraded modules to enrich MISP events per type of indicator:

VirusTotal module

File: Detection ratio; md5, sha1, sha256; tlsh*; vhash*; ssdeep*; imphash*; ITW urls*; Communicating files*; Downloaded files*; Referrer files*

URL: Detection ratio; Communicating files*; Downloaded files*; Referrer files*; Resolutions*; URLs*

Domain: Detection ratio*; Whois; Communicating files; Downloaded files; Referrer files; Subdomains; Siblings; Resolutions; URLs*

IP: Detection ratio*; ASN; Network; Country; Resolutions; URLs

VirusTotal Public module

File: Detection ratio; tlsh*; vhash*; ssdeep*; imphash*; Communicating files*; Downloaded files*; Referrer files*

URL: Detection ratio

Domain: Detection ratio*; Whois; Communicating files; Referrer files; Subdomains; Siblings; Resolutions

IP: Detection ratio*; ASN; Network; Country; Resolutions

* new attributes and relationships available.
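To make the mapping above concrete, here is an added example (written for this page, not the misp-modules code) that turns a VirusTotal API v3 object into MISP-style attributes: the detection ratio from last_analysis_stats, the file hashes (including tlsh, vhash, ssdeep and imphash), ASN/network/country for an IP, whois for a domain, and the communicating/downloaded/referrer file relationships as sha256 attributes. The JSON shapes follow the public v3 object format; the sample responses, hashes and addresses are constructed so the script runs offline, the "malicious/all verdicts" ratio convention and the MISP attribute type names are this example's assumptions, and the domain sample deliberately lacks last_analysis_stats to show that an unanalysed object yields no ratio rather than a misleading 0/0.

```python
"""Map VirusTotal API v3 objects to MISP-style attributes (illustrative code)."""
from typing import Dict, List, Tuple

Attribute = Tuple[str, str, str]  # (MISP attribute type, value, comment)

# Constructed sample v3 responses: made-up hashes, documentation-range IP/ASN.
SAMPLE_FILE = {
    "data": {
        "type": "file",
        "id": "a" * 64,
        "attributes": {
            "md5": "0" * 32,
            "sha1": "1" * 40,
            "sha256": "a" * 64,
            "tlsh": "T1CONSTRUCTEDTLSH",
            "vhash": "constructedvhash",
            "ssdeep": "3:constructed:ssdeep",
            "pe_info": {"imphash": "c" * 32},
            "last_analysis_stats": {"malicious": 40, "suspicious": 1,
                                    "undetected": 25, "harmless": 0, "timeout": 2},
        },
    }
}
SAMPLE_IP = {
    "data": {
        "type": "ip_address",
        "id": "198.51.100.7",
        "attributes": {
            "asn": 64496,
            "network": "198.51.100.0/24",
            "country": "ZZ",
            "last_analysis_stats": {"malicious": 3, "suspicious": 0,
                                    "undetected": 80, "harmless": 5, "timeout": 0},
        },
        "relationships": {
            "communicating_files": {"data": [{"type": "file", "id": "b" * 64},
                                             {"type": "file", "id": "d" * 64}]},
        },
    }
}
SAMPLE_DOMAIN = {  # never analysed: no last_analysis_stats present
    "data": {"type": "domain", "id": "example.invalid",
             "attributes": {"whois": "Registrar: constructed sample"}}
}

VERDICT_KEYS = ("malicious", "suspicious", "undetected", "harmless", "timeout")
FILE_RELATIONSHIPS = ("communicating_files", "downloaded_files", "referrer_files")


def detection_ratio(stats: Dict[str, int]) -> str:
    """Format last_analysis_stats as 'malicious/engines' (assumed convention:
    every verdict key counts as one engine)."""
    total = sum(stats.get(key, 0) for key in VERDICT_KEYS)
    return f"{stats.get('malicious', 0)}/{total}"


def enrich(response: dict) -> List[Attribute]:
    """Return (misp_type, value, comment) triples for one v3 object.
    MISP types used (assumed): text, md5, sha1, sha256, tlsh, vhash, ssdeep, imphash, AS."""
    obj = response["data"]
    attrs = obj.get("attributes", {})
    out: List[Attribute] = []

    # Skip the ratio entirely when the object was never analysed.
    stats = attrs.get("last_analysis_stats")
    if stats:
        out.append(("text", detection_ratio(stats), "detection ratio"))

    if obj["type"] == "file":
        for hash_type in ("md5", "sha1", "sha256", "tlsh", "vhash", "ssdeep"):
            if attrs.get(hash_type):
                out.append((hash_type, attrs[hash_type], "file hash"))
        imphash = attrs.get("pe_info", {}).get("imphash")
        if imphash:
            out.append(("imphash", imphash, "file hash"))
    elif obj["type"] == "ip_address":
        if "asn" in attrs:
            out.append(("AS", f"AS{attrs['asn']}", "asn"))
        for key in ("network", "country"):
            if key in attrs:
                out.append(("text", str(attrs[key]), key))
    elif obj["type"] == "domain":
        if attrs.get("whois"):
            out.append(("text", attrs["whois"], "whois"))

    # Related files come back as descriptors whose id is the file's sha256.
    relationships = obj.get("relationships", {})
    for rel in FILE_RELATIONSHIPS:
        for related in relationships.get(rel, {}).get("data", []):
            if related.get("type") == "file":
                out.append(("sha256", related["id"], rel))
    return out


if __name__ == "__main__":
    for sample in (SAMPLE_FILE, SAMPLE_IP, SAMPLE_DOMAIN):
        print(sample["data"]["id"])
        for misp_type, value, comment in enrich(sample):
            print(f"  {misp_type:8} {value[:40]:40} ({comment})")
```

In a real module the descriptors under relationships are fetched page by page from the v3 relationship endpoints and capped by a configurable limit; the parsing logic stays the same as shown here.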

Keep in mind that none of these VirusTotal modules is enabled in MISP by default, so please ask your friendly MISP administrator to check them out! Stay tuned for more VirusTotal contributions to the Threat Intel ecosystem and, as usual, please let us know how we can further help.

Happy Hunting!
