Skip to content
English
Sign in
Contact us
  • There are no suggestions because the search field is empty.

Creating a VirusTotal IP address lookup

This article outlines the process of automating VirusTotal IP address report using Cydarm. By integrating Cydarm with VirusTotal, you can streamline your threat intelligence workflow and gain valuable insights into potential threats.

Overview

Cydarm can be used to trigger automated lookups against other platforms, VirusTotal in this instance, for analysis purposes.

This article details how to configure the automated lookup, define what triggers the lookup, and write the desired response body from the lookup which will be added to the case notes.

Prerequisites

VirusTotal Connector has been configured.

VirusTotal configuration instructions

1. Create connector

If you haven't done so, you will need to create a Connector using the VirusTotal Connector instructions.

2. Create a triggered automation

2.1. Choose a Trigger

  • Navigate to Triggered Automations under Settings and click  Create Triggered Automation
  • Name the trigger and provide a description
  • Select the STIX data created trigger type
  • Click Next

2.2. Select actions and connectors

  • The condition field allows you to control when a platform event will execute. For checking an IP address, you will need to set the condition to check it was a ipv4-addr STIX observable created

  • Condition: set the value to event.observable.type == "ipv4-addr"

  • Choose the Send a generic webhook action

  • Select the Virus Total connector you created earlier

  • Activate the automation

  • Click Next

2.3. Configure template

  • In the webhook settings, add the following:

    • URL Path: ip_addresses/{{event.observable.ipv4_address.value }} 

    • Method: GET

    • Content-Type: application/json

    • Header: x-apikey with the value  {{ connector.config.api_key }}

    • There is no Request Template requirement for this API 

2.4. Configure the response processing (optional):

  • If you want to process the VirusTotal response, enable response processing.

  • Check the Process response in Cydarm

    • Set the expected response code to 200

    • Use a template to extract and format the desired information from the response (e.g., malicious votes, harmless votes, suggested label, type tags)

3. Optional configurations

1. Convert fetched timestamp format to YYYY-MM-DD:

{{ #epochToRFC3339 }} {{ response.body.data.attributes.creation_date }} {{ /epochToRFC3339 }}

4. Sample response template  

{{#response.body}}
{{#data}}
IP Address {{id}}
{{#attributes}}
last_analysis_date: {{last_analysis_date}}
Whois: {{whois}}
{{NetName}}
{{/attributes}}
[Link to result]({{links.self}})
{{/data}}
{{/response.body}}

  • Click Submit.

Related articles

Cydarm API documentation