VirusTotal XSOAR Triage

VirusTotal premium paid pack - The Triage pack is limited to 100M lookups per month

VirusTotal XSOAR Triage (Large)

This pack gives you access to 100M (100,000,000) monthly lookups in VirusTotal’s premium API and is recommended for teams looking to systematically enrich and contextualize security telemetry events, perform automatic alert triage (false positive discarding, alert prioritization, etc.), conduct multiple forensic analyses and incident response engagements every month and make the most of your VirusTotal access across the entire organization.

What. VirusTotal is the richest and most actionable crowdsourced threat intelligence platform on the planet. It equips security teams with comprehensive context and cutting edge functionality to proactively protect their networks from cybersecurity threats.

Why. Security teams are often confronted with an unknown file/URL/domain/IP address and asked to make sense of an attack. Without further context, it is virtually impossible to determine attribution, build effective defenses against other strains of the attack, or understand the impact of a given threat in your organization. Through API and web based interaction with VirusTotal, security analysts can rapidly build a picture of an incident and then use those insights to neutralize other attacks.

Outcome. Faster, more confident, more accurate and more cost-effective security operations.

Where. On-premise, in the cloud, in your hosting, in your corporate network, everywhere.

What we solve for leaders.

Security team challenge: Alert fatigue + quality & speed of IR handling. PANW survey data shows that SOC analysts are only able to handle 14% of alerts generated by security tools.
Solving with VirusTotal + XSOAR: Eradicate analyst burnout through automation. Automate false positive discarding and alert prioritization, optimize SOC resources. Malicious + benign info.

Security team challenge: Lack of context & missed threats. Reliance on reactive threat feeds. Only information about internal systems and users, no in-the-wild contextual details.
Solving with VirusTotal + XSOAR: Improved and early detection. Track threats going forward with YARA. Crowdsourced threat reputation for files/hashes, domains, IPs and URLs coming from over 90 security vendors.

Security team challenge: Finding and maintaining security talent. There is a shortage of qualified security candidates; recruiting and retaining them is an endemic challenge.
Solving with VirusTotal + XSOAR: Juniors operating as advanced threat hunters. Automate repetitive tasks with playbooks, elevate SOC Level 1 effectiveness. Faster, more confident and more accurate decisions. Greater productivity.

Security team challenge: Budget constraints. Cybersecurity isn’t top of mind at many organizations when budget line items are getting funded. Difficult to prove ROI.
Solving with VirusTotal + XSOAR: Condense & lower costs + increase toolset ROI. One-stop shop for everything threat intelligence related (domains, IPs, URLs, files). Take your SIEM, IDS, EDR, Firewall, etc. to the next level.

Use cases.

  • Automatic security telemetry enrichment. Event contextualization. Alert prioritization. False positive discarding. True positive confirmation. Automated hunting.
  • Incident response & forensic analysis. Blast radius identification. Generation of remediative IoCs. Context expansion beyond your internal network.
  • Threat Intelligence & advanced hunting. Unknown threat discovery. Campaign & adversary monitoring. Preventative IoCs.
  • Brand & corporate infrastructure monitoring. Phishing campaign tracking. Brand impersonation alerts. Attack surface compromise identification.
  • Vulnerability prioritization. Smart risk-driven patching. Vulnerability weaponization monitoring. Vulnerability landscape exploration.
  • Red teaming & ethical hacking. Automatic reconnaissance/passive fingerprinting operations. Breach & attack simulation. Security stack validation.

Example questions we answer.

  • Is a given {file, hash, domain, IP, URL} malicious according to the security industry? How widely known and detected is it?
  • Has a given IP address been part of a given threat campaign? What domains have historically resolved to that IP (passive DNS)? Who owns the IP? etc.
  • Is a given domain part of a threat’s network infrastructure? Are there any other domains registered by the same threat actor? What types of threats are connected with the given domain? How does the industry categorize the domain (CnC, exploit, phishing, …)? etc.
  • Is a given URL part of a phishing attack? Does it deliver malware? Does the server side setup exhibit any commonalities that allow me to pivot to other setups operated by the same attacker?
  • Are there any IoCs that can be used to block or hunt for a given malware file or variants of its family/campaign? What does the file do when executed in a sandbox? etc.
  • Is some fake/malicious mobile application making use of my logo/brand? What is the latest set of newly registered domains that seem to be typosquatting my site? Are there any potential phishing websites making use of my site’s title/favicon?
  • Is a vulnerability (CVE) that appeared in my environment being currently leveraged by malware? How popular is it?

Technical capabilities

  • Threat reputation for {files, hashes, domains, IPs, URLs} coming from over 90 security vendors (antivirus solutions, nextgen EDRs, domain blocklists, network perimeter solutions, etc.).
  • Multi-angular detection for files via crowdsourced {YARA, SIGMA, IDS} rules.
  • Allowlist (benign) information through the aggregation of goodware indicators and provenance details.
  • Dynamic analysis for files through detonation in multiple home-grown and third-party partner sandbox solutions.
  • Extended file context and metadata through static analysis tools such as Sigcheck’s Authenticode signature extractor, MS Office macro VBA dissectors, Didier Stevens’ PDF tools, etc.
  • Community comments and assessments coming from over 2M monthly users of the free public site.
  • Threat graph schema tying together the files, domains, IPs and URLs in the dataset through relationships such as downloaded files, communicating files, passive DNS resolutions, etc.
  • Passive DNS information listing historical domains seen behind a given IP address and detailing all infrastructure changes for a given domain.
  • Whois lookup information for domains and IP addresses, including pivoting based on Whois properties such as registrant details (if available).
  • Historical SSL certificate information for domains and IPs.
  • Vulnerability intelligence by tagging files with CVEs that they might be exploiting and allowing searches and alerts based on CVEs.
  • Custom threat intelligence feeds (ransomware, APTs, first stage delivery vectors, OS X malware, IoT, etc.) by filtering VirusTotal’s real-time file flux with VT HUNTING Livehunt YARA rules.
  • Operational and strategic intelligence through crowdsourcing of OSINT sources digging into threat campaigns and threat actors.
  • Advanced faceted/elastic searches over the {file, domain, IP, URL} corpus to identify IoCs that match certain criteria, e.g. list all MS Office documents that, when opened, launch a PowerShell script and end up exhibiting network communication.
  • Download any file in the VirusTotal corpus and reroute it to other analysis systems you own.

Popular tasks

  • Enrich (context + reputation) IoCs (domains, IPs, URLs, attachments) found in suspicious emails entering your organization, escalate to the pertinent SOC function.
  • Scan suspicious files seen in your organization and get a second opinion that complements your corporate security stack.
  • Automatically discard false positive alerts recorded in your organization’s SIEM, sparing SOC resources.
  • Automatically confirm true positive alerts recorded in your organization’s SIEM.
  • Rank and prioritize SOC alerts based on severity and threat categories (trojan > adware > PUA).
  • Append an additional layer of context to your alert/incident tickets so that SOC analysts can perform faster and more confident decision making.
  • Feed your network perimeter defenses (Firewall, IDS, web proxy, etc.) with additional IoCs related to an incident or tracked via YARA rules.
  • Create custom IoC feeds (ransomware, APTs, IoT, etc.) with VT HUNTING Livehunt (YARA) and automatically match them against your security logs/SIEM/etc.
  • Cover blindspots in your EDR by feeding it lists of highly relevant and undetected threats identified through the use of YARA in VirusTotal.
  • Derive scores based on malicious observations and relationships for IPs transacting with your business.
  • Assign a severity score to issues identified in a vulnerability scan of your networks.
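The false positive discarding, true positive confirmation and severity ranking (trojan > adware > PUA) listed above can be expressed as one triage step in a playbook. The following is an added example, not code from the pack or from VirusTotal; the object shape it reads (`last_analysis_stats`, `popular_threat_classification`) is an assumption modelled on the VirusTotal API v3 response, the thresholds are assumptions, and the sample alerts are constructed.

```python
from dataclasses import dataclass

# Priority order named on the page: trojan > adware > PUA (higher = more urgent).
CATEGORY_RANK = {"trojan": 3, "adware": 2, "pua": 1}

@dataclass
class Verdict:
    action: str    # "discard" (false positive), "confirm" (true positive) or "review"
    priority: int  # 0 for discarded alerts; larger means handle sooner
    reason: str

def triage(ioc: dict, min_malicious: int = 5, max_fp_engines: int = 1) -> Verdict:
    """Classify one enriched IoC. `ioc` mimics a VT API v3 object (assumption)."""
    attrs = ioc.get("attributes", {})
    stats = attrs.get("last_analysis_stats", {})
    malicious = stats.get("malicious", 0)
    suspicious = stats.get("suspicious", 0)
    total = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "undetected", "harmless"))
    if total == 0:
        # Unknown to the corpus: absence of evidence is not a reason to auto-close.
        return Verdict("review", 1, "no analysis results")
    if malicious + suspicious <= max_fp_engines:
        return Verdict("discard", 0, f"{malicious + suspicious}/{total} engines flag it")
    if malicious < min_malicious:
        return Verdict("review", 100, f"weak consensus: {malicious}/{total} malicious")
    cats = attrs.get("popular_threat_classification", {}).get("popular_threat_category", [])
    top = max(cats, key=lambda c: c.get("count", 0), default=None)
    label = top["value"].lower() if top else "unknown"
    rank = CATEGORY_RANK.get(label, 2)  # unlabelled malware ranks with adware, not below PUA
    # Category dominates; the vendor consensus ratio breaks ties within a category.
    return Verdict("confirm", rank * 1000 + 100 * malicious // total, f"{label}, {malicious}/{total} malicious")

def triage_batch(alerts: list[dict]) -> list[tuple[str, Verdict]]:
    """Return (alert_id, verdict) pairs, most urgent first, discards last."""
    scored = [(a["id"], triage(a)) for a in alerts]
    return sorted(scored, key=lambda p: p[1].priority, reverse=True)

# Constructed sample objects (not real VirusTotal data).
SAMPLE_ALERTS = [
    {"id": "alert-1", "attributes": {"last_analysis_stats": {"malicious": 1, "suspicious": 0, "undetected": 68, "harmless": 0}}},
    {"id": "alert-2", "attributes": {"last_analysis_stats": {"malicious": 30, "suspicious": 2, "undetected": 38, "harmless": 0},
        "popular_threat_classification": {"popular_threat_category": [{"count": 20, "value": "adware"}, {"count": 3, "value": "pua"}]}}},
    {"id": "alert-3", "attributes": {"last_analysis_stats": {"malicious": 45, "suspicious": 0, "undetected": 25, "harmless": 0},
        "popular_threat_classification": {"popular_threat_category": [{"count": 40, "value": "trojan"}]}}},
    {"id": "alert-4", "attributes": {"last_analysis_stats": {"malicious": 3, "suspicious": 1, "undetected": 66, "harmless": 0}}},
]

if __name__ == "__main__":
    for alert_id, v in triage_batch(SAMPLE_ALERTS):
        print(alert_id, v.action, v.priority, v.reason)
```

Tune `min_malicious` and `max_fp_engines` to your own false positive tolerance; the single-engine discard rule is a starting point, not a recommendation from the page.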

Additional information

Note: This pack subscription includes an API key generated by VirusTotal. VirusTotal will email the end user directly, within 24 hours, with instructions for obtaining the key. The user then simply pastes the key into the “VirusTotal” free pack to allow it to function. If you need help or did not receive the key, please contact VirusTotal directly. Deleting or unsubscribing from this pack will invalidate the API key/access at the end of the month.

Cortex XSOAR

Certification: Read more
Supported By: Partner
Created: December 20, 2021
Last Release: December 20, 2021

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.