VirusTotal Integration

XGEN SOAR Integration

With cyberattacks and the skills gap getting worse, SOCs can no longer afford to have analysts manually coordinate contextual data. Many analysts personally copy-and-paste hashes hundreds of times per day in order to check their reputation. With D3’s VirusTotal integration, you can automate that entire process to ensure that your analysts have the information they need for every incident.
VirusTotal Integration

Integration features

1. Automatically enrich alerts with VirusTotal intelligence
2. Use VirusTotal data to inform reputation and prioritization scoring in D3
3. Build a repository of hashes, IP addresses, and domain names in D3
4. Benefit from flexible configuration options

Key Use Cases

#1 Automated Hash Lookups

Analysts are expected to rapidly investigate incidents without compromising the process. For many, this means manually cross-referencing and copying hashes and other data from VirusTotal. Over a year in a SOC, this adds up to hundreds of hours per analyst, plus some degree of human error. D3 automatically populates the incident record with hashes and other relevant data. An analyst can search through the D3 console and instantly bring over additional field data. Plus, it’s agile: you can change the integration parameters via our easy-to-use admin tool.
#2 Potential Phishing Analysis

When a potential phishing email is escalated to D3, either through an email protection system or manually by the recipient, D3 extracts the sender’s domain and the URL of any links in the message. D3 then uses VirusTotal or another integrated service to retrieve the IP address associated with the sender and/or URL. Based on the result, the D3 user can then trigger a response playbook to block the IP, blacklist the sender, notify the email recipient, and orchestrate any other appropriate actions. If the risk score is deemed low, the incident can be closed as a false positive.
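The two use cases above describe the same enrichment loop: pull indicators (a file hash, a sender domain, link URLs) out of the incident, ask VirusTotal for their reputation, and let the verdict drive the next playbook step. The script below is an added example and is not D3's or VirusTotal's own code. It assumes the public VirusTotal v3 REST API (the `x-apikey` header and the `/files/{hash}`, `/domains/{domain}` and `/urls/{id}` objects); the verdict thresholds, the action names, the sample email and the canned responses in `demo_fetch` are constructed for illustration and are not D3's scoring.

```python
"""Added example: VirusTotal v3 enrichment of a suspected phishing email
and of a file hash, ending in a SOAR-style next action.

Assumptions (not from the original page): VirusTotal v3 API shape,
illustrative verdict thresholds, constructed sample data."""
import base64
import email
import email.utils
import json
import os
import re
import urllib.error
import urllib.request
from email import policy

VT_API = "https://www.virustotal.com/api/v3"
SEVERITY = ["clean", "unknown", "suspicious", "malicious"]  # ascending order
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample message; the domains are reserved example names.
SAMPLE_EMAIL = """\
From: Accounts <billing@invoice-example.test>
To: analyst@soc.example
Subject: Invoice overdue
Content-Type: text/plain; charset=us-ascii

Please review your invoice at http://invoice-example.test/pay?id=42
or https://cdn.example.net/doc.pdf before Friday.
"""


def extract_indicators(raw_email):
    """Sender domain and every http(s) URL found in the plain-text body."""
    msg = email.message_from_string(raw_email, policy=policy.default)
    sender = email.utils.parseaddr(str(msg["From"]))[1]
    body = msg.get_body(preferencelist=("plain",)).get_content()
    return {"sender_domain": sender.rpartition("@")[2].lower(),
            "urls": sorted(set(URL_RE.findall(body)))}


def vt_url_id(url):
    """VirusTotal v3 identifies a URL by its unpadded URL-safe base64 form."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


def vt_get(path, api_key, fetch=None):
    """GET one v3 object. `fetch` injects an offline responder for testing.
    Returns None when VirusTotal has never seen the object (HTTP 404)."""
    req = urllib.request.Request(f"{VT_API}/{path}", headers={"x-apikey": api_key})
    if fetch is not None:
        return fetch(req)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def verdict(obj):
    """Collapse last_analysis_stats into one label (thresholds are assumptions)."""
    if obj is None:
        return "unknown"
    stats = obj["data"]["attributes"]["last_analysis_stats"]
    bad, total = stats.get("malicious", 0), sum(stats.values())
    if total == 0:
        return "unknown"
    if bad >= 5 or bad / total >= 0.10:
        return "malicious"
    if bad or stats.get("suspicious", 0):
        return "suspicious"
    return "clean"


def file_verdict(sha256, api_key, fetch=None):
    """Use case #1: reputation of a hash an analyst would otherwise paste by hand."""
    return verdict(vt_get(f"files/{sha256}", api_key, fetch))


def enrich_email(raw_email, api_key, fetch=None):
    """Use case #2: sender domain and link reputation, then a next action."""
    ind = extract_indicators(raw_email)
    dom = ind["sender_domain"]
    verdicts = {dom: verdict(vt_get(f"domains/{dom}", api_key, fetch))}
    for url in ind["urls"]:
        verdicts[url] = verdict(vt_get(f"urls/{vt_url_id(url)}", api_key, fetch))
    worst = max(verdicts.values(), key=SEVERITY.index)
    action = {"malicious": "run_block_playbook", "suspicious": "run_block_playbook",
              "unknown": "manual_review", "clean": "close_false_positive"}[worst]
    return {"indicators": ind, "verdicts": verdicts, "worst": worst, "action": action}


def demo_fetch(req):
    """Constructed offline responses standing in for VirusTotal."""
    if "/domains/invoice-example.test" in req.full_url:
        stats = {"harmless": 60, "malicious": 8, "suspicious": 1, "undetected": 20, "timeout": 0}
    elif "/files/" in req.full_url:
        return None  # hash never submitted to VirusTotal
    else:
        stats = {"harmless": 70, "malicious": 0, "suspicious": 0, "undetected": 19, "timeout": 0}
    return {"data": {"attributes": {"last_analysis_stats": stats}}}


if __name__ == "__main__":
    live = "VT_API_KEY" in os.environ  # set the key to query VirusTotal for real
    print(json.dumps(enrich_email(SAMPLE_EMAIL, os.environ.get("VT_API_KEY", "demo"),
                                  None if live else demo_fetch), indent=2))
```

Run as-is, it uses the canned responses and reports the sender domain as malicious (8 engines flag it), both links as clean, and `run_block_playbook` as the action; with `VT_API_KEY` set it queries VirusTotal instead. A hash VirusTotal has never seen comes back as `unknown` rather than `clean`, which is why the action map routes unknowns to manual review instead of closing them as false positives.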