IBM QRadar SOAR

1. VirusTotal function add-on

    Posted Tue June 11, 2019 12:07 PM
    At the moment, the note written by the current script does not mention the artifact you asked about:
    Orchestration Engine
    added a note to the Incident 06/11/2019 17:12
    attachment: results detected_urls positives: False
    And the current description update is deleting the previous value of the artifact description:
    Description
    detected_referrer_samples positives: False
    detected_urls positives: True

    I have changed the post_process_script of both workflows to add the artifact source to the note and to append the comment to the artifact description instead of replacing it.

    New Example: VirusTotal Scan post_process_script:
    # Post-process script of the VirusTotal Scan workflow (artifact scope).
    # results, artifact, incident and helper are injected by the scripting engine;
    # results.scan holds the VirusTotal response for the artifact.
    if results.scan.get('positives') is not None:
      # file, hash and finished URL reports carry a flat positives/total pair
      msg = "positives: {} out of {} {}".format(results.scan.get('positives'), results.scan.get('total'), results.scan.get('permalink'))
    elif results.scan.get('detected_urls') is not None:
      # IP and domain reports carry lists of related samples instead;
      # flag a section as positive if any entry in it has positives > 0
      analysis = []
      for section in ['detected_referrer_samples', 'detected_communicating_samples', 'detected_urls']:
        test_for_positive = results.scan.get(section)
        if test_for_positive is not None:
          is_positive = False
          for sample in test_for_positive:
            if sample.get('positives', -1) > 0:
              is_positive = True
          analysis.append('{} positives: {}'.format(section, str(is_positive)))
      msg = '\n'.join(analysis)
    else:
      # queued scan or resource not in the dataset: only verbose_msg is available
      msg = "{}. {}".format(results.scan['verbose_msg'], results.scan.get('permalink', ''))

    # re-use the previous artifact description instead of overwriting it;
    # handle None, the dict form shown in the sample below, and a plain string
    if artifact.description is None:
      lib = ""
    elif isinstance(artifact.description, dict):
      # {u'format': u'text', u'content': u'\\r\\n10.212.21.74 found IP in Blocked IPs list: Botnet IPs'}
      lib = artifact.description["content"]
    else:
      lib = artifact.description

    artifact.description = str(lib) + "\r\n" + str(msg)
    #artifact.description = results.results["permalink"]

    # record in the note which artifact the result belongs to
    # incident.addNote(helper.createRichText("<div>attachment: {} {}</div>".format("results", msg)))
    incident.addNote(helper.createRichText("VirusTotal Request on {}<div>attachment: {} {}</div>".format(artifact.value, "results", msg)))

    # file and hash reports return all three digests; add them as hash artifacts
    if results.scan.get('md5') is not None:
      incident.addArtifact('Malware MD5 Hash', results.scan.get('md5'), None)

    if results.scan.get('sha1') is not None:
      incident.addArtifact('Malware SHA-1 Hash', results.scan.get('sha1'), None)

    if results.scan.get('sha256') is not None:
      incident.addArtifact('Malware SHA-256 Hash', results.scan.get('sha256'), None)
    # domain results
    # {'scan': {u'domain_siblings': [], u'BitDefender domain info': u'This URL domain/host was seen to host badware at some point in time', u'undetected_downloaded_samples': [], u'whois': None, u'detected_downloaded_samples': [], u'response_code': 1, u'verbose_msg': u'Domain found in dataset', u'Forcepoint ThreatSeeker category': u'malicious web sites', u'undetected_urls': [], u'resolutions': [{u'last_resolved': u'2017-12-04 19:48:01', u'ip_address': u'185.61.138.74'}], u'detected_urls': [{u'url': u'http://amazon-sicherheit.kunden-ueberpruefung.xyz/', u'positives': 7, u'total': 67, u'scan_date': u'2018-08-01 13:28:18'}, {u'url': u'https://amazon-sicherheit.kunden-ueberpruefung.xyz/', u'positives': 7, u'total': 67, u'scan_date': u'2018-06-06 21:49:59'}, {u'url': u'http://amazon-sicherheit.kunden-ueberpruefung.xyz/favicon.ico', u'positives': 7, u'total': 65, u'scan_date': u'2017-07-16 02:19:48'}, {u'url': u'http://amazon-sicherheit.kunden-ueberpruefung.xyz/,http:/amazon-sicherheit,http:/amazon-sicherheit.kunden-ueberpruefung.xyz', u'positives': 9, u'total': 65, u'scan_date': u'2017-06-14 07:52:22'}, {u'url': u'http://amazon-sicherheit.kunden-ueberpruefung.xyz/information/', u'positives': 7, u'total': 64, u'scan_date': u'2017-06-12 13:42:45'}, {u'url': u'http://amazon-sicherheit.kunden-ueberpruefung.xyz/,http:/amazon-sicherheit/', u'positives': 8, u'total': 64, u'scan_date': u'2017-05-21 09:01:11'}, {u'url': u'http://amazon-sicherheit.kunden-ueberpruefung.xyz/,http:/amazon-sicherheit', u'positives': 9, u'total': 64, u'scan_date': u'2017-05-18 06:46:46'}], u'categories': [u'malicious web sites']}}
    # url results
    # {'scan': {u'permalink': u'https://www.virustotal.com/url/518c9fe795d329ad2871dc8f003fba8ad6428ad7c936ec35da38b6f7f5e79f54/analysis/1533139178/', u'resource': u'http://frsc0016.geico.net:3000/', u'url': u'http://frsc0016.geico.net:3000/', u'response_code': 1, u'scan_date': u'2018-08-01 15:59:38', u'scan_id': u'518c9fe795d329ad2871dc8f003fba8ad6428ad7c936ec35da38b6f7f5e79f54-1533139178', u'verbose_msg': u'Scan request successfully queued, come back later for the report'}}
    # {'scan': {u'permalink': u'https://www.virustotal.com/url/518c9fe795d329ad2871dc8f003fba8ad6428ad7c936ec35da38b6f7f5e79f54/analysis/1533173246/', u'resource': u'http://frsc0016.geico.net:3000', u'url': u'http://frsc0016.geico.net:3000/', u'response_code': 1, u'scan_date': u'2018-08-02 01:27:26', u'scan_id': u'518c9fe795d329ad2871dc8f003fba8ad6428ad7c936ec35da38b6f7f5e79f54-1533173246', u'verbose_msg': u'Scan finished, scan information embedded in this object', u'filescan_id': None, u'positives': 0, u'total': 67, u'scans': {u'CLEAN MX': {u'detected': False, u'result': u'clean site'}, u'DNS8': {u'detected': False, u'result': u'clean site'}, u'VX Vault': {u'detected': False, u'result': u'clean site'}, u'ZDB Zeus': {u'detected': False, u'result': u'clean site'}, u'Tencent': {u'detected': False, u'result': u'clean site'}, u'AutoShun': {u'detected': False, u'result': u'unrated site'}, u'Netcraft': {u'detected': False, u'result': u'unrated site'}, u'PhishLabs': {u'detected': False, u'result': u'unrated site'}, u'Zerofox': {u'detected': False, u'result': u'clean site'}, u'K7AntiVirus': {u'detected': False, u'result': u'clean site'}, u'Virusdie External Site Scan': {u'detected': False, u'result': u'clean site'}, u'Quttera': {u'detected': False, u'result': u'clean site'}, u'AegisLab WebGuard': {u'detected': False, u'result': u'clean site'}, u'MalwareDomainList': {u'detected': False, u'result': u'clean site', u'detail': u'http://www.malwaredomainlist.com/mdl.php?search=frsc0016.geico.net'}, u'ZeusTracker': {u'detected': False, u'result': u'clean site', u'detail': u'https://zeustracker.abuse.ch/monitor.php?host=frsc0016.geico.net'}, u'zvelo': {u'detected': False, u'result': u'clean site'}, u'Google Safebrowsing': {u'detected': False, u'result': u'clean site'}, u'Kaspersky': {u'detected': False, u'result': u'unrated site'}, u'BitDefender': {u'detected': False, u'result': u'clean site'}, u'Dr.Web': {u'detected': False, u'result': u'clean site'}, u'Certly': {u'detected': False, u'result': u'clean site'}, u'G-Data': {u'detected': False, u'result': u'clean site'}, u'C-SIRT': {u'detected': False, u'result': u'clean site'}, u'OpenPhish': {u'detected': False, u'result': u'clean site'}, u'Malware Domain Blocklist': {u'detected': False, u'result': u'clean site'}, u'MalwarePatrol': {u'detected': False, u'result': u'clean site'}, u'Webutation': {u'detected': False, u'result': u'clean site'}, u'Trustwave': {u'detected': False, u'result': u'clean site'}, u'Web Security Guard': {u'detected': False, u'result': u'clean site'}, u'CyRadar': {u'detected': False, u'result': u'clean site'}, u'desenmascara.me': {u'detected': False, u'result': u'clean site'}, u'ADMINUSLabs': {u'detected': False, u'result': u'clean site'}, u'Malwarebytes hpHosts': {u'detected': False, u'result': u'clean site'}, u'Opera': {u'detected': False, u'result': u'clean site'}, u'AlienVault': {u'detected': False, u'result': u'clean site'}, u'Emsisoft': {u'detected': False, u'result': u'clean site'}, u'Malc0de Database': {u'detected': False, u'result': u'clean site', u'detail': u'http://malc0de.com/database/index.php?search=frsc0016.geico.net'}, u'malwares.com URL checker': {u'detected': False, u'result': u'clean site'}, u'Phishtank': {u'detected': False, u'result': u'clean site'}, u'Malwared': {u'detected': False, u'result': u'clean site'}, u'Avira': {u'detected': False, u'result': u'clean site'}, u'NotMining': {u'detected': False, u'result': u'unrated site'}, u'CyberCrime': {u'detected': False, u'result': u'clean site'}, u'Antiy-AVL': {u'detected': False, u'result': u'clean site'}, u'Forcepoint ThreatSeeker': {u'detected': False, u'result': u'clean site'}, u'FraudSense': {u'detected': False, u'result': u'clean site'}, u'Comodo Site Inspector': {u'detected': False, u'result': u'clean site'}, u'Malekal': {u'detected': False, u'result': u'clean site'}, u'ESET': {u'detected': False, u'result': u'clean site'}, u'Sophos': {u'detected': False, u'result': u'unrated site'}, u'Yandex Safebrowsing': {u'detected': False, u'result': u'clean site', u'detail': u'http://yandex.com/infected?l10n=en&url=http://frsc0016.geico.net:3000/'}, u'SecureBrain': {u'detected': False, u'result': u'clean site'}, u'Nucleon': {u'detected': False, u'result': u'clean site'}, u'Sucuri SiteCheck': {u'detected': False, u'result': u'clean site'}, u'Blueliv': {u'detected': False, u'result': u'clean site'}, u'ZCloudsec': {u'detected': False, u'result': u'clean site'}, u'SCUMWARE.org': {u'detected': False, u'result': u'clean site'}, u'ThreatHive': {u'detected': False, u'result': u'clean site'}, u'FraudScore': {u'detected': False, u'result': u'clean site'}, u'Rising': {u'detected': False, u'result': u'clean site'}, u'URLQuery': {u'detected': False, u'result': u'clean site'}, u'StopBadware': {u'detected': False, u'result': u'unrated site'}, u'Fortinet': {u'detected': False, u'result': u'clean site'}, u'ZeroCERT': {u'detected': False, u'result': u'clean site'}, u'Spam404': {u'detected': False, u'result': u'clean site'}, u'securolytics': {u'detected': False, u'result': u'clean site'}, u'Baidu-International': {u'detected': False, u'result': u'clean site'}}}}
    # ip results
    # {'scan': {u'country': u'CN', u'response_code': 1, u'as_owner': u'CNCGROUP China169 Backbone', u'verbose_msg': u'IP address in dataset', u'resolutions': [], u'detected_urls': [], u'asn': u'4837'}}
    # {'scan': {u'asn': u'39743', u'undetected_referrer_samples': [{u'positives': 0, u'total': 59, u'sha256': u'25d6e157f52899bb80d76f2620fd3e40d94229147d718e77454539ae89b991c5'}], u'country': u'RO', u'response_code': 1, u'as_owner': u'Voxility S.R.L.', u'detected_referrer_samples': [{u'date': u'2018-03-01 12:23:54', u'positives': 1, u'total': 70, u'sha256': u'2025815e09ab99c4abdec66402ee3cbaaaa13700fb7bc83e1ec5df2b9b40d7fa'}], u'verbose_msg': u'IP address in dataset', u'detected_urls': [{u'url': u'http://109.163.234.2/', u'positives': 1, u'total': 67, u'scan_date': u'2018-07-23 03:40:50'}, {u'url': u'http://109.163.234.2:443/', u'positives': 1, u'total': 67, u'scan_date': u'2018-07-23 03:40:01'}, {u'url': u'https://109.163.234.2/', u'positives': 1, u'total': 68, u'scan_date': u'2016-08-10 10:23:09'}], u'detected_communicating_samples': [{u'date': u'2017-04-02 03:37:37', u'positives': 30, u'total': 62, u'sha256': u'31227cad8b8e9f154371eef25773a8b33ac1e067da188943cba1756e6551c612'}, {u'date': u'2014-06-15 11:08:54', u'positives': 11, u'total': 54, u'sha256': u'21da33807c1bf3891ea6aa4163711970706a57facf5b4739ab3c5d55ed3e9775'}], u'resolutions': [{u'last_resolved': u'2018-05-28 10:41:56', u'hostname': u'hessel0.torservers.net'}]}}
    # hash results
    # {'scan': {u'scan_id': u'4e7267dd4ce5a0a780a836040f91e042dff0d8c0c5f26cb4dcb9ec6635265812-1493150616', u'sha1': u'cd9d22df6e8db01333f13e03422647551f191f8c', u'resource': u'cd9d22df6e8db01333f13e03422647551f191f8c', u'response_code': 1, u'scan_date': u'2017-04-25 20:03:36', u'permalink': u'https://www.virustotal.com/file/4e7267dd4ce5a0a780a836040f91e042dff0d8c0c5f26cb4dcb9ec6635265812/analysis/1493150616/', u'verbose_msg': u'Scan finished, information embedded', u'sha256': u'4e7267dd4ce5a0a780a836040f91e042dff0d8c0c5f26cb4dcb9ec6635265812', u'positives': 0, u'total': 61, u'md5': u'54562fe4ac3a071639d000512ecc6967', u'scans': {u'Bkav': {u'detected': False, u'version': u'1.3.0.8876', u'result': None, u'update': u'20170425'}, u'MicroWorld-eScan': {u'detected': False, u'version': u'12.0.250.0', u'result': None, u'update': u'20170425'}, u'nProtect': {u'detected': False, u'version': u'2017-04-25.02', u'result': None, u'update': u'20170425'}, u'CMC': {u'detected': False, u'version': u'1.1.0.977', u'result': None, u'update': u'20170421'}, u'CAT-QuickHeal': {u'detected': False, u'version': u'14.00', u'result': None, u'update': u'20170425'}, u'ALYac': {u'detected': False, u'version': u'1.0.1.9', u'result': None, u'update': u'20170425'}, u'Malwarebytes': {u'detected': False, u'version': u'2.1.1.1115', u'result': None, u'update': u'20170425'}, u'VIPRE': {u'detected': False, u'version': u'57624', u'result': None, u'update': u'20170425'}, u'SUPERAntiSpyware': {u'detected': False, u'version': u'5.6.0.1032', u'result': None, u'update': u'20170425'}, u'TheHacker': {u'detected': False, u'version': u'6.8.0.5.1468', u'result': None, u'update': u'20170424'}, u'K7GW': {u'detected': False, u'version': u'10.9.23121', u'result': None, u'update': u'20170425'}, u'K7AntiVirus': {u'detected': False, u'version': u'10.9.23125', u'result': None, u'update': u'20170425'}, u'Invincea': {u'detected': False, u'version': u'6.3.0.25213', u'result': None, u'update': u'20170413'}, u'Baidu': {u'detected': False, u'version': u'1.0.0.2', u'result': None, u'update': u'20170424'}, u'Cyren': {u'detected': False, u'version': u'5.4.30.7', u'result': None, u'update': u'20170425'}, u'Symantec': {u'detected': False, u'version': u'1.3.0.0', u'result': None, u'update': u'20170425'}, u'ESET-NOD32': {u'detected': False, u'version': u'15311', u'result': None, u'update': u'20170425'}, u'TrendMicro-HouseCall': {u'detected': False, u'version': u'9.900.0.1004', u'result': None, u'update': u'20170425'}, u'Paloalto': {u'detected': False, u'version': u'1.0', u'result': None, u'update': u'20170425'}, u'ClamAV': {u'detected': False, u'version': u'0.99.2.0', u'result': None, u'update': u'20170425'}, u'Kaspersky': {u'detected': False, u'version': u'15.0.1.13', u'result': None, u'update': u'20170425'}, u'BitDefender': {u'detected': False, u'version': u'7.2', u'result': None, u'update': u'20170425'}, u'NANO-Antivirus': {u'detected': False, u'version': u'1.0.74.16482', u'result': None, u'update': u'20170425'}, u'AegisLab': {u'detected': False, u'version': u'4.2', u'result': None, u'update': u'20170425'}, u'Avast': {u'detected': False, u'version': u'8.0.1489.320', u'result': None, u'update': u'20170425'}, u'Tencent': {u'detected': False, u'version': u'1.0.0.1', u'result': None, u'update': u'20170425'}, u'Ad-Aware': {u'detected': False, u'version': u'3.0.3.1010', u'result': None, u'update': u'20170425'}, u'Emsisoft': {u'detected': False, u'version': u'4.0.0.834', u'result': None, u'update': u'20170425'}, u'Comodo': {u'detected': False, u'version': u'26976', u'result': None, u'update': u'20170425'}, u'F-Secure': {u'detected': False, u'version': u'11.0.19100.45', u'result': None, u'update': u'20170425'}, u'DrWeb': {u'detected': False, u'version': u'7.0.28.2020', u'result': None, u'update': u'20170425'}, u'Zillya': {u'detected': False, u'version': u'2.0.0.3263', u'result': None, u'update': u'20170425'}, u'TrendMicro': {u'detected': False, u'version': u'9.740.0.1012', u'result': None, u'update': u'20170425'}, u'McAfee-GW-Edition': {u'detected': False, u'version': u'v2015', u'result': None, u'update': u'20170425'}, u'Sophos': {u'detected': False, u'version': u'4.98.0', u'result': None, u'update': u'20170425'}, u'Ikarus': {u'detected': False, u'version': u'0.1.5.2', u'result': None, u'update': u'20170425'}, u'F-Prot': {u'detected': False, u'version': u'4.7.1.166', u'result': None, u'update': u'20170425'}, u'Jiangmin': {u'detected': False, u'version': u'16.0.100', u'result': None, u'update': u'20170425'}, u'Webroot': {u'detected': False, u'version': u'1.0.0.207', u'result': None, u'update': u'20170425'}, u'Avira': {u'detected': False, u'version': u'8.3.3.4', u'result': None, u'update': u'20170425'}, u'Fortinet': {u'detected': False, u'version': u'5.4.233.0', u'result': None, u'update': u'20170425'}, u'Antiy-AVL': {u'detected': False, u'version': u'1.0.0.1', u'result': None, u'update': u'20170425'}, u'Kingsoft': {u'detected': False, u'version': u'2013.8.14.323', u'result': None, u'update': u'20170425'}, u'Endgame': {u'detected': False, u'version': u'0.4.1', u'result': None, u'update': u'20170419'}, u'Arcabit': {u'detected': False, u'version': u'1.0.0.802', u'result': None, u'update': u'20170425'}, u'ViRobot': {u'detected': False, u'version': u'2014.3.20.0', u'result': None, u'update': u'20170425'}, u'ZoneAlarm': {u'detected': False, u'version': u'1.0', u'result': None, u'update': u'20170425'}, u'Microsoft': {u'detected': False, u'version': u'1.1.13701.0', u'result': None, u'update': u'20170425'}, u'AhnLab-V3': {u'detected': False, u'version': u'3.9.0.17342', u'result': None, u'update': u'20170425'}, u'McAfee': {u'detected': False, u'version': u'6.0.6.653', u'result': None, u'update': u'20170425'}, u'AVware': {u'detected': False, u'version': u'1.5.0.42', u'result': None, u'update': u'20170425'}, u'VBA32': {u'detected': False, u'version': u'3.12.26.4', u'result': None, u'update': u'20170421'}, u'Zoner': {u'detected': False, u'version': u'1.0', u'result': None, u'update': u'20170425'}, u'Rising': {u'detected': False, u'version': u'28.0.0.1', u'result': None, u'update': u'20170425'}, u'Yandex': {u'detected': False, u'version': u'5.5.1.3', u'result': None, u'update': u'20170424'}, u'SentinelOne': {u'detected': False, u'version': u'1.0.0.154', u'result': None, u'update': u'20170330'}, u'GData': {u'detected': False, u'version': u'A:25.12056B:25.9393', u'result': None, u'update': u'20170425'}, u'AVG': {u'detected': False, u'version': u'16.0.0.4776', u'result': None, u'update': u'20170425'}, u'Panda': {u'detected': False, u'version': u'4.6.4.2', u'result': None, u'update': u'20170424'}, u'CrowdStrike': {u'detected': False, u'version': u'1.0', u'result': None, u'update': u'20170130'}, u'Qihoo-360': {u'detected': False, u'version': u'1.0.0.1120', u'result': None, u'update': u'20170425'}}}}
    # file scan
    # {'scan': {u'permalink': u'https://www.virustotal.com/file/97be2d515e01ba66091148456b392f7539b43ab1ba412c493107e93aeda1536a/analysis/1533171813/', u'sha1': u'9a419d1a7d4a515d03db7f08fdd27e11ae896b11', u'resource': u'97be2d515e01ba66091148456b392f7539b43ab1ba412c493107e93aeda1536a', u'response_code': 1, u'scan_id': u'97be2d515e01ba66091148456b392f7539b43ab1ba412c493107e93aeda1536a-1533171813', u'verbose_msg': u'Scan request successfully queued, come back later for the report', u'sha256': u'97be2d515e01ba66091148456b392f7539b43ab1ba412c493107e93aeda1536a', u'md5': u'd6e447ddcc6f74cac89322ff25e7835e'}}
    # {'scan': {u'scan_id': u'97be2d515e01ba66091148456b392f7539b43ab1ba412c493107e93aeda1536a-1533171813', u'sha1': u'9a419d1a7d4a515d03db7f08fdd27e11ae896b11', u'resource': u'97be2d515e01ba66091148456b392f7539b43ab1ba412c493107e93aeda1536a', u'response_code': 1, u'scan_date': u'2018-08-02 01:03:33', u'permalink': u'https://www.virustotal.com/file/97be2d515e01ba66091148456b392f7539b43ab1ba412c493107e93aeda1536a/analysis/1533171813/', u'verbose_msg': u'Scan finished, information embedded', u'sha256': u'97be2d515e01ba66091148456b392f7539b43ab1ba412c493107e93aeda1536a', u'positives': 48, u'total': 68, u'md5': u'd6e447ddcc6f74cac89322ff25e7835e', u'scans': {u'Bkav': {u'detected': True, u'version': u'1.3.0.9466', u'result': u'HW32.Packed.C390', u'update': u'20180801'}, u'MicroWorld-eScan': {u'detected': True, u'version': u'14.0.297.0', u'result': u'Adware.GenericKD.30431884', u'update': u'20180802'}, u'CMC': {u'detected': False, u'version': u'1.1.0.977', u'result': None, u'update': u'20180801'}, u'CAT-QuickHeal': {u'detected': False, u'version': u'14.00', u'result': None, u'update': u'20180801'}, u'McAfee': {u'detected': True, u'version': u'6.0.6.653', u'result': u'RDN/Generic PUP.x', u'update': u'20180802'}, u'Cylance': {u'detected': True, u'version': u'2.3.1.101', u'result': u'Unsafe', u'update': u'20180802'}, u'Zillya': {u'detected': False, u'version': u'2.0.0.3607', u'result': None, u'update': u'20180801'}, u'TheHacker': {u'detected': False, u'version': u'6.8.0.5.3467', u'result': None, u'update': u'20180730'}, u'K7GW': {u'detected': True, u'version': u'10.56.27942', u'result': u'Trojan ( 0051506d1 )', u'update': u'20180802'}, u'K7AntiVirus': {u'detected': True, u'version': u'10.56.27942', u'result': u'Trojan ( 0051506d1 )', u'update': u'20180801'}, u'TrendMicro': {u'detected': True, u'version': u'10.0.0.1040', u'result': u'TROJ_GEN.R002C0OCL18', u'update': u'20180802'}, u'Baidu': {u'detected': False, u'version': u'1.0.0.2', u'result': None, u'update': u'20180801'}, u'Babable': {u'detected': False, u'version': u'9107201', u'result': None, u'update': u'20180725'}, u'F-Prot': {u'detected': False, u'version': u'4.7.1.166', u'result': None, u'update': u'20180802'}, u'Symantec': {u'detected': True, u'version': u'1.6.0.0', u'result': u'PUA.Gen.2', u'update': u'20180801'}, u'TotalDefense': {u'detected': False, u'version': u'37.1.62.1', u'result': None, u'update': u'20180801'}, u'TrendMicro-HouseCall': {u'detected': True, u'version': u'9.950.0.1006', u'result': u'TROJ_GEN.R002C0OCL18', u'update': u'20180801'}, u'Avast': {u'detected': True, u'version': u'18.4.3895.0', u'result': u'Win32:Malware-gen', u'update': u'20180801'}, u'ClamAV': {u'detected': False, u'version': u'0.100.1.0', u'result': None, u'update': u'20180801'}, u'GData': {u'detected': True, u'version': u'A:25.17963B:25.12867', u'result': u'Adware.GenericKD.30431884', u'update': u'20180802'}, u'Kaspersky': {u'detected': True, u'version': u'15.0.1.13', u'result': u'not-a-virus:HEUR:RiskTool.Win32.Generic', u'update': u'20180802'}, u'BitDefender': {u'detected': True, u'version': u'7.2', u'result': u'Adware.GenericKD.30431884', u'update': u'20180802'}, u'NANO-Antivirus': {u'detected': True, u'version': u'1.0.116.23366', u'result': u'Riskware.Win32.Mlw.eyrsjw', u'update': u'20180802'}, u'ViRobot': {u'detected': True, u'version': u'2014.3.20.0', u'result': u'Trojan.Win32.S.Agent.710144.I', u'update': u'20180801'}, u'AegisLab': {u'detected': False, u'version': u'4.2', u'result': None, u'update': u'20180801'}, u'Rising': {u'detected': True, u'version': u'25.0.0.24', u'result': u'Trojan.Azden!8.F0E3 (CLOUD)', u'update': u'20180802'}, u'Ad-Aware': {u'detected': True, u'version': u'3.0.5.370', u'result': u'Adware.GenericKD.30431884', u'update': u'20180802'}, u'Sophos': {u'detected': True, u'version': u'4.98.0', u'result': u'Generic PUA JK (PUA)', u'update': u'20180802'}, u'Comodo': {u'detected': True, u'version': u'29451', u'result': u'ApplicUnwnt', u'update': u'20180801'}, u'F-Secure': {u'detected': True, u'version': u'11.0.19100.45', u'result': u'Adware.GenericKD.30431884', u'update': u'20180801'}, u'DrWeb': {u'detected': True, u'version': u'7.0.33.6080', u'result': u'Trojan.KeyLogger.40115', u'update': u'20180802'}, u'VIPRE': {u'detected': True, u'version': u'68554', u'result': u'Trojan.Win32.Generic!BT', u'update': u'20180802'}, u'Invincea': {u'detected': True, u'version': u'6.3.5.26121', u'result': u'heuristic', u'update': u'20180717'}, u'McAfee-GW-Edition': {u'detected': True, u'version': u'v2017.3010', u'result': u'BehavesLike.Win32.Ramnit.jc', u'update': u'20180802'}, u'Emsisoft': {u'detected': True, u'version': u'2018.4.0.1029', u'result': u'Adware.GenericKD.30431884 (B)', u'update': u'20180802'}, u'Ikarus': {u'detected': False, u'version': u'0.1.5.2', u'result': None, u'update': u'20180801'}, u'Cyren': {u'detected': True, u'version': u'6.0.0.4', u'result': u'W32/Trojan.FSWK-1704', u'update': u'20180801'}, u'Jiangmin': {u'detected': True, u'version': u'16.0.100', u'result': u'RiskTool.Agent.wc', u'update': u'20180801'}, u'Webroot': {u'detected': True, u'version': u'1.0.0.403', u'result': u'W32.Malware.Gen', u'update': u'20180802'}, u'Avira': {u'detected': True, u'version': u'8.3.3.6', u'result': u'HEUR/AGEN.1000279', u'update': u'20180801'}, u'MAX': {u'detected': False, u'version': u'2017.11.15.1', u'result': None, u'update': u'20180802'}, u'Antiy-AVL': {u'detected': True, u'version': u'3.0.0.1', u'result': u'RiskWare[RiskTool]/Win32.Agent', u'update': u'20180802'}, u'Kingsoft': {u'detected': False, u'version': u'2013.8.14.323', u'result': None, u'update': u'20180802'}, u'Endgame': {u'detected': True, u'version': u'3.0.1', u'result': u'malicious (high confidence)', u'update': u'20180730'}, u'Arcabit': {u'detected': False, u'version': u'1.0.0.831', u'result': None, u'update': u'20180801'}, u'SUPERAntiSpyware': {u'detected': False, u'version': u'5.6.0.1032', u'result': None, u'update': u'20180801'}, u'ZoneAlarm': {u'detected': True, u'version': u'1.0', u'result': u'not-a-virus:HEUR:RiskTool.Win32.Generic', u'update': u'20180802'}, u'Avast-Mobile': {u'detected': False, u'version': u'180801-02', u'result': None, u'update': u'20180801'}, u'Microsoft': {u'detected': True, u'version': u'1.1.15100.1', u'result': u'PUA:Win32/Presenoker', u'update': u'20180801'}, u'AhnLab-V3': {u'detected': True, u'version': u'3.13.1.21616', u'result': u'Malware/Gen.Generic.C2426212', u'update': u'20180801'}, u'ALYac': {u'detected': True, u'version': u'1.1.1.5', u'result': u'Adware.GenericKD.30431884', u'update': u'20180801'}, u'AVware': {u'detected': True, u'version': u'1.6.0.52', u'result': u'Trojan.Win32.Generic!BT', u'update': u'20180727'}, u'TACHYON': {u'detected': True, u'version': u'2018-08-01.02', u'result': u'Trojan/W32.CoinMiner.710144', u'update': u'20180801'}, u'VBA32': {u'detected': True, u'version': u'3.12.32.0', u'result': u'Trojan.Keyloggerger', u'update': u'20180801'}, u'Malwarebytes': {u'detected': True, u'version': u'2.1.1.1115', u'result': u'Trojan.MalPack', u'update': u'20180801'}, u'Panda': {u'detected': True, u'version': u'4.6.4.2', u'result': u'Trj/GdSda.A', u'update': u'20180801'}, u'Zoner': {u'detected': False, u'version': u'1.0', u'result': None, u'update': u'20180801'}, u'ESET-NOD32': {u'detected': True, u'version': u'17814', u'result': u'a variant of Win32/Packed.Autoit.X suspicious', u'update': u'20180802'}, u'Tencent': {u'detected': False, u'version': u'1.0.0.1', u'result': None, u'update': u'20180802'}, u'Yandex': {u'detected': True, u'version': u'5.5.1.3', u'result': u'Riskware.Agent!', u'update': u'20180731'}, u'SentinelOne': {u'detected': True, u'version': u'1.0.17.227', u'result': u'static engine - malicious', u'update': u'20180701'}, u'eGambit': {u'detected': False, u'version': None, u'result': None, u'update': u'20180802'}, u'Fortinet': {u'detected': False, u'version': u'5.4.247.0', u'result': None, u'update': u'20180801'}, u'AVG': {u'detected': True, u'version': u'18.4.3895.0', u'result': u'Win32:Malware-gen', u'update': u'20180801'}, u'Cybereason': {u'detected': True, u'version': u'1.2.27', u'result': u'malicious.a7d4a5', u'update': u'20180225'}, u'Paloalto': {u'detected': True, u'version': u'1.0', u'result': u'generic.ml', u'update': u'20180802'}, u'CrowdStrike': {u'detected': True, u'version': u'1.0', u'result': u'malicious_confidence_100% (D)', u'update': u'20180723'}, u'Qihoo-360': {u'detected': True, u'version': u'1.0.0.1120', u'result': u'Win32/Virus.RiskTool.734', u'update': u'20180802'}}}}

    New Example: VirusTotal Scan (Attachment) post_process_script:
    # Post-process script of the VirusTotal Scan (Attachment) workflow.
    # results, attachment, incident and helper are injected by the scripting engine;
    # results.scan holds the VirusTotal response for the uploaded file.
    if results.scan.get('positives') is not None:
      # finished file report: flat positives/total pair plus a permalink
      msg = "<p>positives: {} out of {}</p> <a target='_blank' href='{}'>VirusTotal Link</a>".format(results.scan.get('positives'), results.scan.get('total'), results.scan.get('permalink'))
    elif results.scan.get('detected_urls') is not None:
      # kept for parity with the artifact script; not expected for a file report
      analysis = []
      for section in ['detected_referrer_samples', 'detected_communicating_samples', 'detected_urls']:
        test_for_positive = results.scan.get(section)
        if test_for_positive is not None:
          is_positive = False
          for sample in test_for_positive:
            if sample.get('positives', -1) > 0:
              is_positive = True
          analysis.append('{} positives: {}'.format(section, str(is_positive)))
      # the note is rich text, so join with a line break tag rather than '\n'
      msg = '<br/>'.join(analysis)
    else:
      # scan still queued: only verbose_msg, plus the permalink to check later
      msg = "<p>{}.</p> <a target='_blank' href='{}'>VirusTotal Link</a>".format(results.scan['verbose_msg'], results.scan.get('permalink', ''))

    # record in the note which attachment the result belongs to
    # incident.addNote(helper.createRichText("<div>attachment: {} {}</div>".format("results", msg)))
    incident.addNote(helper.createRichText("VirusTotal Request on {}<div>attachment: {} {}</div>".format(str(attachment.name), "results", msg)))

    # a file report returns all three digests; add them as hash artifacts
    if results.scan.get('md5') is not None:
      incident.addArtifact('Malware MD5 Hash', results.scan.get('md5'), None)

    if results.scan.get('sha1') is not None:
      incident.addArtifact('Malware SHA-1 Hash', results.scan.get('sha1'), None)

    if results.scan.get('sha256') is not None:
      incident.addArtifact('Malware SHA-256 Hash', results.scan.get('sha256'), None)
    # domain results
    # file scan
    # {'scan': {u'permalink': u'https://www.virustotal.com/file/97be2d515e01ba66091148456b392f7539b43ab1ba412c493107e93aeda1536a/analysis/1533171813/', u'sha1': u'9a419d1a7d4a515d03db7f08fdd27e11ae896b11', u'resource': u'97be2d515e01ba66091148456b392f7539b43ab1ba412c493107e93aeda1536a', u'response_code': 1, u'scan_id': u'97be2d515e01ba66091148456b392f7539b43ab1ba412c493107e93aeda1536a-1533171813', u'verbose_msg': u'Scan request successfully queued, come back later for the report', u'sha256': u'97be2d515e01ba66091148456b392f7539b43ab1ba412c493107e93aeda1536a', u'md5': u'd6e447ddcc6f74cac89322ff25e7835e'}}

    Quick res file to update examples: Download additional .res file to import

    It should be added by default in a new version of the functions, no?

    ------------------------------
    BENOIT ROSTAGNI
    ------------------------------
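    The post's script above builds the note text but stops before the part that appends it to the existing artifact description. The following is an added example (not Benoit's script and not the IBM function's own code) that does the same three-way VirusTotal result handling in testable functions and appends to the previous description instead of replacing it; the sample responses are constructed, and the {'format': 'text', 'content': ...} description shape is taken from the comment in the post.

```python
# Added example, not the post's own script: the post_process_script's three-way
# VirusTotal result handling wrapped in functions, plus an append that keeps the
# previous artifact description instead of overwriting it.
# All sample responses are constructed, modelled on the shapes in the post.

SAMPLE_SECTIONS = ('detected_referrer_samples',
                   'detected_communicating_samples', 'detected_urls')


def summarize_scan(scan):
    """Build the note/description line(s) for one VirusTotal 'scan' dict."""
    if scan.get('positives') is not None:
        # file/hash report: detection count, engine total, permalink
        return "positives: {} out of {} {}".format(
            scan['positives'], scan.get('total'), scan.get('permalink', ''))
    if scan.get('detected_urls') is not None:
        # IP/domain report: one line per section, True if any sample has positives > 0
        lines = []
        for section in SAMPLE_SECTIONS:
            samples = scan.get(section)
            if samples is None:
                continue
            hit = any(s.get('positives', -1) > 0 for s in samples)
            lines.append('{} positives: {}'.format(section, hit))
        return '\n'.join(lines)
    # queued scan / unknown resource: fall back to verbose_msg and permalink
    return "{}. {}".format(scan.get('verbose_msg', ''), scan.get('permalink', ''))


def append_description(previous, msg):
    """Append msg to artifact.description, which SOAR passes as
    {'format': 'text', 'content': ...} or None, keeping the old content."""
    old = previous.get('content', '') if isinstance(previous, dict) else ''
    content = "{}\n{}".format(old, msg) if old else msg
    return {'format': 'text', 'content': content}


# Constructed samples (EXAMPLEHASH is a placeholder, not a real result)
FILE_SCAN = {'response_code': 1, 'positives': 48, 'total': 68,
             'permalink': 'https://www.virustotal.com/file/EXAMPLEHASH/analysis/1/'}
IP_SCAN = {'detected_referrer_samples': [{'positives': 0, 'total': 60}],
           'detected_urls': [{'positives': 0, 'total': 70}, {'positives': 3, 'total': 70}]}
QUEUED_SCAN = {'response_code': 1, 'permalink': 'https://www.virustotal.com/file/EXAMPLEHASH/analysis/1/',
               'verbose_msg': 'Scan request successfully queued, come back later for the report'}

if __name__ == '__main__':
    for scan in (FILE_SCAN, IP_SCAN, QUEUED_SCAN):
        print(summarize_scan(scan))
    print(append_description({'format': 'text', 'content': 'found IP in Blocked IPs list'},
                             summarize_scan(IP_SCAN)))
```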


  • 2.  RE: VirusTotal function add-on

    Posted Tue June 11, 2019 04:56 PM
    Hi Benoit,

    Thanks for providing us with these improved VirusTotal post processor scripts!

    I have created JIRA ticket INT-1501 to track this issue and make sure that it gets in the next release.

    AnnMarie

    ------------------------------
    AnnMarie Norcross
    ------------------------------