VirusTotal Integration
VirusTotal is a free service that inspects items with over 70 antivirus (AV) scanners and URL/domain blocked list services, in addition to a myriad of tools that extract signals from the submitted content. In the incident response process, it allows users to query a URL, IP address, domain, or file hash to gain additional context from the AV scanners and services about the threats associated with the sample.
Users can register for a free VirusTotal account and receive an API key. For production usage, they can purchase a membership with higher API rate limits. This optional module allows users with a paid VirusTotal API key to include VirusTotal query results in any investigation. Attempts to use the low-volume free key will be largely unsuccessful and are not supported by Cisco TAC.

- In the Cisco XDR navigation menu, choose Administration > Integrations.
- On the Integrations page, click the Third-Party tab and navigate to the VirusTotal integration.
- Click the plus sign (+) in the lower-right corner of the card. The VirusTotal integration page is displayed.
- Expand the Integration Guide area and follow the instructions on how to add the VirusTotal integration in Cisco XDR.

You can perform the following tasks after you integrate VirusTotal with Cisco XDR:
- Investigations - Start a new investigation by searching on suspicious indicators of compromise to extract observables for enrichment. To verify that this integration is working, and to see what kind of data is returned, investigate one or more observables about which you know VirusTotal has recent information. For details, see Investigate.
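To cross-check what the integration returns for a known observable, the same lookup can be prepared directly against the VirusTotal API v3. The following is an added example, not Cisco or VirusTotal code: it classifies an observable as one of the four types named above and builds the matching request URL and header without sending anything. The sample observables are constructed, and the `VT_API_KEY` environment variable name is an assumption.

```python
import base64
import ipaddress
import os
import re
from urllib.parse import urlsplit

VT_BASE = "https://www.virustotal.com/api/v3"
# MD5, SHA-1 and SHA-256 digests are 32, 40 and 64 hex characters long.
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def classify(observable: str) -> str:
    """Return 'file_hash', 'ip', 'url' or 'domain'; raise ValueError otherwise."""
    value = observable.strip()
    if HASH_RE.match(value):
        return "file_hash"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    parts = urlsplit(value)
    if parts.scheme in ("http", "https") and parts.netloc:
        return "url"
    if DOMAIN_RE.match(value):
        return "domain"
    raise ValueError(f"unsupported observable: {observable!r}")

def vt_path(observable: str) -> str:
    """Map an observable to its VirusTotal API v3 object path."""
    value = observable.strip()
    kind = classify(value)
    if kind == "file_hash":
        return f"/files/{value.lower()}"
    if kind == "ip":
        return f"/ip_addresses/{value}"
    if kind == "domain":
        return f"/domains/{value.lower()}"
    # URL identifier: URL-safe base64 of the URL with the '=' padding removed.
    return "/urls/" + base64.urlsafe_b64encode(value.encode()).decode().rstrip("=")

def build_request(observable: str):
    """Return (url, headers) for a GET lookup; the key comes from VT_API_KEY."""
    key = os.environ.get("VT_API_KEY", "<VT_API_KEY>")  # placeholder if unset
    return VT_BASE + vt_path(observable), {"x-apikey": key}

if __name__ == "__main__":
    # Constructed samples: documentation IP and domain, MD5 of empty input.
    for sample in ("192.0.2.10", "example.com", "http://example.com/",
                   "d41d8cd98f00b204e9800998ecf8427e"):
        print(classify(sample), build_request(sample)[0])
```

Comparing the response for the resulting URL with the enrichment shown in the investigation helps separate an API key or rate-limit problem from an observable that VirusTotal has no data for.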