- Log in to the LogRhythm NDR UI.
- Click the Settings tab, click Vulnerability, and then click VirusTotal.
  The VirusTotal integration page appears.
- Enter the credentials obtained from VirusTotal:
  URL
  API Key
- To verify the credentials have been entered correctly, click Test.
  If the information is correct, "VirusTotal Check Success" appears. Otherwise, "VirusTotal Check Failed" appears, meaning the credentials need to be re-entered and re-verified.
- Click the Update button.
  VirusTotal is now integrated.
- To open a VirusTotal entry, click the Hunt tab, and then click Activity.
- In the search bar, enter entry_type:*Artifact*.
  The following VirusTotal-based artifact entries appear:
  IpInvestigationArtifact
  DomainInvestigationArtifact
  FileInvestigationArtifact
  UrlInvestigationArtifact

IpInvestigationArtifact
- For more details on IpInvestigationArtifact, do one of the following:
  Click IpInvestigationArtifact in the legend of the diagram.
  Enter entry_type:*IpInvestigationArtifact* in the search bar.
  All entries related to IpInvestigationArtifact appear.
- Click the + icon to the left of the Timestamp for an IpInvestigationArtifact entry.
  Two tabs appear below that event.
- Click the JSON tab.
  The JSON tab appears showing a list of values.
- For more details on that particular IP obtained by VirusTotal, click _source, and then click ip_info.
DomainInvestigationArtifact
- For more details on DomainInvestigationArtifact, do one of the following:
  Click DomainInvestigationArtifact in the legend of the diagram.
  Enter *DomainInvestigationArtifact* in the search bar.
  All entries related to DomainInvestigationArtifact appear.
- Click the + icon to the left of the Timestamp for a DomainInvestigationArtifact entry.
  Two tabs appear below that event.
- Click the JSON tab.
- For more details on that particular domain obtained by VirusTotal, click _source, and then click domain_info.
FileInvestigationArtifact
- For more details on FileInvestigationArtifact, do one of the following:
  Click FileInvestigationArtifact in the legend of the diagram.
  In the search bar, enter entry_type:*FileInvestigationArtifact*.
  All entries related to FileInvestigationArtifact appear.
- Click the + icon to the left of the Timestamp for a FileInvestigationArtifact entry.
  Two tabs appear below that event.
- Click the JSON tab.
- For more details on that particular file obtained by VirusTotal, click _source, and then click file_info.
UrlInvestigationArtifact
- For more details on UrlInvestigationArtifact, do one of the following:
  Click UrlInvestigationArtifact in the legend of the diagram.
  In the search bar, enter entry_type:*UrlInvestigationArtifact*.
  All entries related to UrlInvestigationArtifact appear.
- Click the + icon to the left of the Timestamp for a UrlInvestigationArtifact entry.
  Two tabs appear below that event.
- Click the JSON tab.
- For more details on that particular URL obtained by VirusTotal, click _source, and then click url_info.
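The same lookup done outside the UI, as an added example that is not LogRhythm's code: it replays both search forms used above (entry_type:*Artifact* and a bare *DomainInvestigationArtifact*) over an exported list of entries and pulls the VirusTotal block (ip_info, domain_info, file_info, url_info) out of each hit's _source. The hit layout and the inner field values are constructed for illustration; only the entry_type names and the _source/*_info keys come from the steps above.

```python
"""Added example (not LogRhythm's code): replay the Hunt > Activity search over
exported entries and extract each artifact's VirusTotal block from _source.
Hit shape and inner values are constructed; keys follow the UI steps."""
import fnmatch

# The _source key each artifact type's JSON tab leads to.
INFO_KEY = {
    "IpInvestigationArtifact": "ip_info",
    "DomainInvestigationArtifact": "domain_info",
    "FileInvestigationArtifact": "file_info",
    "UrlInvestigationArtifact": "url_info",
}

# Constructed sample entries (assumed Elasticsearch-style hit shape).
SAMPLE_HITS = [
    {"_source": {"entry_type": "IpInvestigationArtifact",
                 "ip_info": {"ip": "203.0.113.10", "vt_malicious": 3}}},
    {"_source": {"entry_type": "DomainInvestigationArtifact",
                 "domain_info": {"domain": "example.test", "vt_malicious": 0}}},
    {"_source": {"entry_type": "FileInvestigationArtifact",
                 "file_info": {"sha256": "<placeholder-hash>", "vt_malicious": 12}}},
    {"_source": {"entry_type": "UrlInvestigationArtifact",
                 "url_info": {"url": "http://example.test/x", "vt_malicious": 1}}},
    {"_source": {"entry_type": "Alert", "name": "unrelated entry"}},
]


def parse_query(query):
    """Split 'field:glob' into (field, glob); a bare glob matches any field."""
    field, sep, pattern = query.strip().strip('"').partition(":")
    return (field, pattern) if sep else (None, field)


def search(hits, query):
    """Return hits whose field value (or any top-level string) matches the glob."""
    field, pattern = parse_query(query)
    matched = []
    for hit in hits:
        src = hit["_source"]
        values = [src.get(field, "")] if field else list(src.values())
        if any(isinstance(v, str) and fnmatch.fnmatchcase(v, pattern) for v in values):
            matched.append(hit)
    return matched


def virustotal_info(hit):
    """The *_info block for this hit's artifact type; None for non-artifact entries."""
    src = hit["_source"]
    return src.get(INFO_KEY.get(src.get("entry_type"), ""))
```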