Update fields
pabloperezj committed Jul 10, 2024
1 parent f2a6b9d commit 8f84572
Showing 6 changed files with 66 additions and 40 deletions.
@@ -1,16 +1,16 @@
{
"associatedToAll": true,
"caseInsensitive": true,
"cliName": "vtvendorswhichflaggedmalicious",
"cliName": "vtenginedetectionnames",
"closeForm": false,
"content": true,
"editForm": true,
"group": 2,
"hidden": false,
"id": "indicator_vt_vendors_which_flagged_malicious",
"id": "indicator_vt_engine_detection_names",
"isReadOnly": false,
"locked": false,
"name": "VT Vendors Which Flagged Malicious",
"name": "VT Engine Detection Names",
"neverSetAsRequired": false,
"ownerOnly": false,
"required": false,
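Review bot: `id` and `cliName` are renamed in place (`indicator_vt_vendors_which_flagged_malicious` / `vtvendorswhichflaggedmalicious` become `indicator_vt_engine_detection_names` / `vtenginedetectionnames`), so any layout, mapper, playbook or saved search that references the old `cliName` stops resolving after upgrade. Call this out as a breaking change in the release notes, or keep the old field definitions as deprecated for one release.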
@@ -1,16 +1,16 @@
{
"associatedToAll": true,
"caseInsensitive": true,
"cliName": "countvtvendorswhichflaggedmalicious",
"cliName": "vtenginedetections",
"closeForm": false,
"content": true,
"editForm": true,
"group": 2,
"hidden": false,
"id": "indicator_count_vt_vendors_which_flagged_malicious",
"id": "indicator_vt_engine_detections",
"isReadOnly": false,
"locked": false,
"name": "Count VT Vendors Which Flagged Malicious",
"name": "VT Engine Detections",
"neverSetAsRequired": false,
"ownerOnly": false,
"required": false,
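Review bot: the new `name` value `VT Engine Detections` drops the word "Count", so in a field picker it reads like a list and is easy to confuse with `VT Engine Detection Names`, even though README.md documents it as a Number. A name that keeps the numeric meaning (with `cliName` and `id` to match) would avoid mapping the wrong field.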
@@ -1,16 +1,16 @@
{
"associatedToAll": true,
"caseInsensitive": true,
"cliName": "vtdetectionnames",
"cliName": "vtenginevendors",
"closeForm": false,
"content": true,
"editForm": true,
"group": 2,
"hidden": false,
"id": "indicator_vt_detection_names",
"id": "indicator_vt_engine_vendors",
"isReadOnly": false,
"locked": false,
"name": "VT Detection Names",
"name": "VT Engine Vendors",
"neverSetAsRequired": false,
"ownerOnly": false,
"required": false,
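Review bot: this definition changes meaning, not just name: `VT Detection Names` becomes `VT Engine Vendors`, while the first file in this commit goes the other way (`VT Vendors Which Flagged Malicious` becomes `VT Engine Detection Names`). The file names are not visible in this view; if they were kept, each file now holds the other field, so either apply each rename in the file that already held that field or rename the files so the file name matches the `id`.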
47 changes: 23 additions & 24 deletions Packs/VirusTotal/Integrations/VirusTotalV3/README.md
Expand Up @@ -184,11 +184,10 @@ Checks the file reputation of the specified hash.
| File.Relationships.EntityAType | String | The type of the source of the relationship. |
| File.Relationships.EntityBType | String | The type of the destination of the relationship. |
| File.Malicious.Vendor | String | For malicious files, the vendor that made the decision. |
| File.Malicious.Detections | Number | For malicious files, the total number of detections. |
| File.Malicious.TotalEngines | Number | For malicious files, the total number of engines that checked the file hash. |
| File.Count VT Vendors Which Flagged Malicious | Number | Number of VT vendors which flagged the file as malicious. |
| File.VT Vendors Which Flagged Malicious | Array | VT vendors which flagged the file as malicious. |
| File.VT Detection Names | Array | VT detection names which flagged the file as malicious. |
| File.Malicious.Description | String | For malicious files, the reason that the vendor made the decision. |
| File.VTVendors.EngineDetections | Number | Number of VT vendors which flagged the file as malicious. |
| File.VTVendors.EngineVendors | Array | VT vendors which flagged the file as malicious. |
| File.VTVendors.EngineDetectionNames | Array | VT detection names which flagged the file as malicious. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | unknown | The vendor used to calculate the score. |
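Review bot: the rows for `File.Malicious.Detections` and `File.Malicious.TotalEngines` are dropped from this table, which the commit message ("Update fields") does not mention. If the integration still emits them, keep the rows; if the outputs are gone, playbooks that read them need a release-note entry naming the replacement path.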
Expand Down Expand Up @@ -426,12 +425,12 @@ Checks the reputation of an IP address.
| IP.Relationships.Relationship | string | The name of the relationship. |
| IP.Relationships.EntityAType | string | The type of the source of the relationship. |
| IP.Relationships.EntityBType | string | The type of the destination of the relationship. |
| IP.Malicious.Vendor | unknown | For malicious IPs, the vendor that made the decision. |
| IP.Malicious.Description | unknown | For malicious IPs, the reason that the vendor made the decision. |
| IP.Malicious.Vendor | String | For malicious IPs, the vendor that made the decision. |
| IP.Malicious.Description | String | For malicious IPs, the reason that the vendor made the decision. |
| IP.VTVendors.EngineDetections | Number | Number of VT vendors which flagged the IP as malicious. |
| IP.VTVendors.EngineVendors | Array | VT vendors which flagged the IP as malicious. |
| IP.VTVendors.EngineDetectionNames | Array | VT detection names which flagged the IP as malicious. |
| IP.ASOwner | String | The autonomous system owner of the IP. |
| IP.Count VT Vendors Which Flagged Malicious | Number | Number of VT vendors which flagged the IP as malicious. |
| IP.VT Vendors Which Flagged Malicious | Array | VT vendors which flagged the IP as malicious. |
| IP.VT Detection Names | Array | VT detection names which flagged the IP as malicious. |
| DBotScore.Indicator | unknown | The indicator that was tested. |
| DBotScore.Type | unknown | The indicator type. |
| DBotScore.Vendor | unknown | The vendor used to calculate the score. |
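Review bot: `IP.Malicious.Vendor` and `IP.Malicious.Description` change from `unknown` to `String` here, but the matching entries shown in the VirusTotalV3.yml hunk carry no `type:` line, so the README and the YAML now disagree. Add `type: String` to those YAML outputs so the two stay in sync; the same applies to the URL and Domain tables.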
Expand Down Expand Up @@ -660,11 +659,11 @@ Checks the reputation of a URL.
| URL.Relationships.Relationship | String | The name of the relationship. |
| URL.Relationships.EntityAType | String | The type of the source of the relationship. |
| URL.Relationships.EntityBType | String | The type of the destination of the relationship. |
| URL.Malicious.Vendor | unknown | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | unknown | For malicious URLs, the reason that the vendor made the decision. |
| URL.Count VT Vendors Which Flagged Malicious | Number | Number of VT vendors which flagged the URL as malicious. |
| URL.VT Vendors Which Flagged Malicious | Array | VT vendors which flagged the URL as malicious. |
| URL.VT Detection Names | Array | VT detection names which flagged the URL as malicious. |
| URL.Malicious.Vendor | String | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | String | For malicious URLs, the reason that the vendor made the decision. |
| URL.VTVendors.EngineDetections | Number | Number of VT vendors which flagged the URL as malicious. |
| URL.VTVendors.EngineVendors | Array | VT vendors which flagged the URL as malicious. |
| URL.VTVendors.EngineDetectionNames | Array | VT detection names which flagged the URL as malicious. |
| DBotScore.Indicator | unknown | The indicator that was tested. |
| DBotScore.Type | unknown | The indicator type. |
| DBotScore.Vendor | unknown | The vendor used to calculate the score. |
Expand Down Expand Up @@ -820,11 +819,11 @@ Checks the reputation of a domain.
| Domain.Relationships.Relationship | String | The name of the relationship. |
| Domain.Relationships.EntityAType | String | The type of the source of the relationship. |
| Domain.Relationships.EntityBType | String | The type of the destination of the relationship. |
| Domain.Malicious.Vendor | unknown | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | unknown | For malicious domains, the reason that the vendor made the decision. |
| Domain.Count VT Vendors Which Flagged Malicious | Number | Number of VT vendors which flagged the domain as malicious. |
| Domain.VT Vendors Which Flagged Malicious | Array | VT vendors which flagged the domain as malicious. |
| Domain.VT Detection Names | Array | VT detection names which flagged the domain as malicious. |
| Domain.Malicious.Vendor | String | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | String | For malicious domains, the reason that the vendor made the decision. |
| Domain.VTVendors.EngineDetections | Number | Number of VT vendors which flagged the domain as malicious. |
| Domain.VTVendors.EngineVendors | Array | VT vendors which flagged the domain as malicious. |
| Domain.VTVendors.EngineDetectionNames | Array | VT detection names which flagged the domain as malicious. |
| DBotScore.Indicator | unknown | The indicator that was tested. |
| DBotScore.Type | unknown | The indicator type. |
| DBotScore.Vendor | unknown | The vendor used to calculate the score. |
Expand Down Expand Up @@ -2562,10 +2561,10 @@ Get analysis of a private file submitted to VirusTotal.
## VT indicator fields

3 indicator fields have been added to all indicator types:
- **Count VT Vendors Which Flagged Malicious**. Number. Number of VT vendors which flagged the indicator as malicious.
- **VT Vendors Which Flagged Malicious**. Array. VT vendors which flagged the indicator as malicious.
- **VT Detection Names. Array**. VT detection names which flagged the indicator as malicious.
- **VT Engine Detections**. Number. Number of VT vendors which flagged the indicator as malicious.
- **VT Engine Vendors**. Array. VT vendors which flagged the indicator as malicious.
- **VT Engine Detection Names**. Array. VT detection names which flagged the indicator as malicious.

To display the new fields in indicators, navigate to `Settings -> Objects Setup -> Indicators -> Types`. Select the desired indicator type, for example, `File`. Click on `Edit` and, under `Custom Fields`, choose the desired field and add the corresponding path. For instance, if you select the `VT Detection Names` field for the `File` indicator type, add the path `File.VT Detection Names`. This will enable the field to be populated in the indicator data.
To display the new fields in indicators, navigate to `Settings -> Objects Setup -> Indicators -> Types`. Select the desired indicator type, for example, `File`. Click on `Edit` and, under `Custom Fields`, choose the desired field and add the corresponding path. For instance, if you select the `VT Engine Detections` field for the `File` indicator type, add the path `File.VTVendors.EngineDetections`. This will enable the field to be populated in the indicator data.

Note that the field will not automatically appear in the indicator's layout. To make it visible, go to `Settings -> Objects Setup -> Indicators -> Layouts`, select the desired layout (e.g., `File Indicator`), click `Detach` if needed, and then edit the layout to include the new field.
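Review bot: the walkthrough paragraph gives the context path for only one field (`VT Engine Detections` with `File.VTVendors.EngineDetections`), and the other two display names do not map to their paths by inspection. List all three name and path pairs, and add a line for users who already configured the old paths such as `File.VT Detection Names`, which this commit stops emitting. The opening sentence "3 indicator fields have been added" also reads oddly for what is now a rename.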
11 changes: 8 additions & 3 deletions Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.py
Expand Up @@ -120,14 +120,19 @@ def to_context(self):
context = super().to_context()
file_context = context[super().CONTEXT_PATH]

file_context['VTVendors'] = {}

if self.count_vt_vendors_which_flagged_malicious is not None:
file_context['Count VT Vendors Which Flagged Malicious'] = self.count_vt_vendors_which_flagged_malicious
file_context['VTVendors']['EngineDetections'] = self.count_vt_vendors_which_flagged_malicious

if self.vt_vendors_which_flagged_malicious is not None:
file_context['VT Vendors Which Flagged Malicious'] = self.vt_vendors_which_flagged_malicious
file_context['VTVendors']['EngineVendors'] = self.vt_vendors_which_flagged_malicious

if self.vt_detection_names is not None:
file_context['VT Detection Names'] = self.vt_detection_names
file_context['VTVendors']['EngineDetectionNames'] = self.vt_detection_names

if not file_context['VTVendors']:
file_context.pop('VTVendors', None)

return context
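Review bot: only the `file_context` keys in this `to_context` are moved under `VTVendors`, and this is the only hunk in VirusTotalV3.py (8 additions, 3 deletions), while README.md and the YAML rename the IP, URL and Domain outputs as well. Confirm those indicator types go through this same code path, otherwise they still emit the old keys, and note that none of the six changed files is a test covering the new nesting. As a smaller point, building the dict in a local variable and assigning `file_context['VTVendors']` only when it is non-empty would avoid the create-then-`pop` sequence.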

30 changes: 26 additions & 4 deletions Packs/VirusTotal/Integrations/VirusTotalV3/VirusTotalV3.yml
Expand Up @@ -245,10 +245,14 @@ script:
type: string
- contextPath: File.Malicious.Vendor
description: For malicious files, the vendor that made the decision.
- contextPath: File.Malicious.Detections
description: For malicious files, the total number of detections.
- contextPath: File.Malicious.TotalEngines
description: For malicious files, the total number of engines that checked the file hash.
- contextPath: File.Malicious.Description
description: For malicious files, the reason that the vendor made the decision.
- contextPath: File.VTVendors.EngineDetections
description: Number of VT vendors which flagged the file as malicious.
- contextPath: File.VTVendors.EngineVendors
description: VT vendors which flagged the file as malicious.
- contextPath: File.VTVendors.EngineDetectionNames
description: VT detection names which flagged the file as malicious.
- contextPath: DBotScore.Indicator
description: The indicator that was tested.
- contextPath: DBotScore.Type
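Review bot: the three new `File.VTVendors.*` outputs are declared without a `type:` key, although README.md documents them as Number, Array and Array. Declare the types here so the YAML is the source of truth for the documented table; the IP, URL and Domain hunks below have the same gap.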
Expand Down Expand Up @@ -491,6 +495,12 @@ script:
description: For malicious IPs, the vendor that made the decision.
- contextPath: IP.Malicious.Description
description: For malicious IPs, the reason that the vendor made the decision.
- contextPath: IP.VTVendors.EngineDetections
description: Number of VT vendors which flagged the IP as malicious.
- contextPath: IP.VTVendors.EngineVendors
description: VT vendors which flagged the IP as malicious.
- contextPath: IP.VTVendors.EngineDetectionNames
description: VT detection names which flagged the IP as malicious.
- contextPath: IP.ASOwner
description: The autonomous system owner of the IP.
type: String
Expand Down Expand Up @@ -588,6 +598,12 @@ script:
description: For malicious URLs, the vendor that made the decision.
- contextPath: URL.Malicious.Description
description: For malicious URLs, the reason that the vendor made the decision.
- contextPath: URL.VTVendors.EngineDetections
description: Number of VT vendors which flagged the URL as malicious.
- contextPath: URL.VTVendors.EngineVendors
description: VT vendors which flagged the URL as malicious.
- contextPath: URL.VTVendors.EngineDetectionNames
description: VT detection names which flagged the URL as malicious.
- contextPath: URL.Relationships.EntityA
description: The source of the relationship.
type: string
Expand Down Expand Up @@ -730,6 +746,12 @@ script:
description: For malicious domains, the vendor that made the decision.
- contextPath: Domain.Malicious.Description
description: For malicious domains, the reason that the vendor made the decision.
- contextPath: Domain.VTVendors.EngineDetections
description: Number of VT vendors which flagged the domain as malicious.
- contextPath: Domain.VTVendors.EngineVendors
description: VT vendors which flagged the domain as malicious.
- contextPath: Domain.VTVendors.EngineDetectionNames
description: VT detection names which flagged the domain as malicious.
- contextPath: Domain.Relationships.EntityA
description: The source of the relationship.
type: string