Skip to content
English
Sign in
Contact us
  • There are no suggestions because the search field is empty.

Creating a VirusTotal domain lookup

This article outlines the process of automating VirusTotal domain lookups using Cydarm. By integrating Cydarm with VirusTotal, you can streamline your analysis workflows and gain insights into potential threats.

Overview

Cydarm can be used to trigger automated lookups against other platforms, VirusTotal in this instance, for analysis purposes.

This article details how to configure the automated lookup, define what triggers the automation, and write the desired response body from the lookup, which will be added to the case notes.

Prerequisites

VirusTotal Connector has been configured.

VirusTotal configuration instructions 

1. Create connector

If you haven't done so, you will need to create a Connector using the VirusTotal Connector instructions.

2. Create a trigger: 

  • Navigate to Triggered Automations under Settings and click  Create Triggered Automation
  • Name the trigger and provide a description
  • Select the STIX data created trigger type
  • Click Next

3. Actions and connectors

  • The condition field allows you to control when a platform event will execute. For checking an Domain name, you will need to set the condition to check it was a domain-name STIX observable created.

  • Condition: set the value to event.observable.type == "domain-name"

  • Choose the Send a generic webhook action.

  • Select the Virus Total connector you created earlier.

  • Activate the automation.

  • Click Next

4. Configure template

  • In the webhook settings, add the following:

  • URL Path: domains/{{ event.observable.domain_name.value }}
  • Method: GET
  • Content-Type: application/json
  • Header: x-apikey with the value  {{ connector.config.api_key }}
  • There is no Request Template requirement for this API. 

5. Configure the response processing (optional):

  • If you want to process the VirusTotal response, enable response processing. 

  • Check the Process response in Cydarm

    • Set the expected response code to 200

    • Use a template to extract and format the desired information from the response

Optional configurations

1. Convert fetched timestamp format to YYYY-MM-DD:

{{ #epochToRFC3339 }} {{ response.body.data.attributes.creation_date }} {{ /epochToRFC3339 }}

Sample response template  

{{#response.body}}
{{#data}}
type: {{type}}
value: {{id}}
{{#attributes}}
tags: {{tags}
whois: {{whois}}
votes: 
     harmless: {{total_votes.harmless}}
     malicious: {{total_votes.malicious}}
{{/attributes}}
[Link to result]({{links.self}})
{{/data}}
{{/response.body}}

  • Click ‘Submit’

3. How to use triggered actions in a Cydarm case

When you're in a case, you can add a hash to a case, which will then send it to VirusTotal for analysis.

  1. Click the Add Item button

    A form will pop-up for data entry

  2. SelectData

  3. SelectDomain Name

  4. Enter value: Paste the domain into the field.

  5. Enter name: Name the domain

  6. Enter description: Describe the domain with contextual information.
  7. Click Save

  8. The triggered action will fetch data from VirusTotal, and add it to the case thread.

  9. Clicking onLink to result will open a browser tab with the VirusTotal result.

 

Related articles For detailed technicl information please refer to our Cydarm API documentation.