Enhancing CoPilot with VirusTotal Integration: A Step-by-Step Guide
In this blog post, we’ll explore the latest update to CoPilot, which enriches Indicators of Compromise (IOCs) with data from VirusTotal. This enhancement lets security analysts assess an IOC against VirusTotal's verdicts without leaving CoPilot. Follow along to implement this feature in your environment.
Overview of the VirusTotal Integration
The new update introduces the ability to enrich IOCs with data from VirusTotal, leveraging their API for real-time threat intelligence. With this integration, analysts can:
- Query VirusTotal for details on IOCs such as IP addresses, domains, file hashes, and URLs.
- View key insights like the number of engines marking an IOC as malicious or harmless.
- Access additional metadata, including WHOIS information, directly from the CoPilot interface.
Step-by-Step Implementation
1. Prepare Your Environment
To get started, ensure you have the latest version of CoPilot. Begin by updating your environment variables:
- Locate your `.env` file and add the following variables:

```env
VIRUS_TOTAL_URL=<VirusTotal API URL>
VIRUS_TOTAL_API_KEY=<Your API Key>
```

- If you don’t already have an API key, sign up for a free VirusTotal account to generate one. Note that the free plan has usage limits: 4 requests per minute and 500 requests per day.
Save the file and restart CoPilot to apply the changes:

```shell
docker compose down
docker compose pull
docker compose up -d
```
2. Configure VirusTotal in CoPilot
Once CoPilot is running:
- Log in to the CoPilot web UI.
- Navigate to the Connectors tab.
- Locate the VirusTotal configuration section and update it with your API key.
- Save the changes. CoPilot will validate your key, displaying a “Verified” flag if successful.
Enriching IOCs with VirusTotal Data
1. Create or Update Your Source
To utilize the VirusTotal integration, you’ll need a data source configured within CoPilot:
- If you already have a source (e.g., Wazuh logs), edit it to include IOC field mappings.
- Map the field containing IOCs, such as IP addresses, file hashes, or URLs, to the appropriate field in CoPilot.
For example:
- Firewall Logs: Map fields like `dst_ipv4` for destination IPs.
- Graylog Pipelines: Map fields auto-generated during IOC detections.
2. Enrich Alerts with VirusTotal
1. Navigate to the Incident Management section in CoPilot.
2. Open an alert and switch to the new IOC tab.
3. Add a new IOC manually:
   - Specify the IOC type (e.g., IP, domain, file hash).
   - Input the value (e.g., 1.1.1.1).
   - Add a description for context.
4. Click the Enrich with VirusTotal button to fetch data from VirusTotal.
The enrichment process will provide:
- The count of engines marking the IOC as malicious or harmless.
- Metadata such as WHOIS information and threat details.
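To make the steps above concrete, here is an added example of the lookup CoPilot performs behind the Enrich with VirusTotal button. It is not CoPilot's own code: it classifies an IOC by shape, builds the VirusTotal v3 object path for it (URLs are addressed by their unpadded base64url encoding, as the v3 API specifies), reduces a v3 response to the engine counts and WHOIS text the IOC tab shows, and throttles requests to the free-tier quota of 4 per minute and 500 per day. The `VT_API_URL` value, the `RateLimiter`, and the `SAMPLE_IP_RESPONSE` document are assumptions constructed for this example; the attribute names `last_analysis_stats`, `whois` and `reputation` are those of the v3 API.

```python
"""Added example (not CoPilot's own code): VirusTotal v3 IOC enrichment helpers."""
import base64
import ipaddress
import json
import re
import time
import urllib.request
from collections import deque

VT_API_URL = "https://www.virustotal.com/api/v3"  # assumed value of VIRUS_TOTAL_URL

_HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")  # MD5/SHA1/SHA256
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")


def classify_ioc(value):
    """Guess the IOC type from its shape: 'ip', 'hash', 'url' or 'domain'."""
    v = value.strip()
    try:
        ipaddress.ip_address(v)          # accepts both IPv4 and IPv6
        return "ip"
    except ValueError:
        pass
    if _HASH_RE.match(v):
        return "hash"
    if "://" in v:
        return "url"
    if _DOMAIN_RE.match(v):
        return "domain"
    raise ValueError(f"unrecognised IOC: {value!r}")


def vt_object_path(ioc_type, value):
    """Map an IOC to its VirusTotal v3 object path."""
    value = value.strip()
    if ioc_type == "ip":
        return f"/ip_addresses/{value}"
    if ioc_type == "domain":
        return f"/domains/{value.lower()}"
    if ioc_type == "hash":
        return f"/files/{value.lower()}"
    if ioc_type == "url":
        # v3 identifies URLs by base64url(url) with the '=' padding stripped
        url_id = base64.urlsafe_b64encode(value.encode()).decode().rstrip("=")
        return f"/urls/{url_id}"
    raise ValueError(f"unsupported IOC type {ioc_type!r}")


def summarize(vt_response):
    """Reduce a v3 object response to the fields the IOC tab presents."""
    attrs = vt_response["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    malicious = stats.get("malicious", 0)
    return {
        "malicious": malicious,
        "suspicious": stats.get("suspicious", 0),
        "harmless": stats.get("harmless", 0),
        "undetected": stats.get("undetected", 0),
        "engines": sum(stats.values()),   # every engine that returned a result (incl. timeouts)
        "verdict": "malicious" if malicious > 0 else "clean",
        "whois": attrs.get("whois"),
        "reputation": attrs.get("reputation"),
    }


class RateLimiter:
    """Sliding-window limiter for the free tier: 4 requests/min and 500/day (assumed helper)."""

    def __init__(self, per_minute=4, per_day=500, clock=time.monotonic, sleep=time.sleep):
        self.per_minute, self.per_day = per_minute, per_day
        self.clock, self.sleep = clock, sleep   # injectable so the limiter can be tested offline
        self.minute, self.day = deque(), deque()

    def acquire(self):
        """Block until a per-minute slot is free; raise once the daily quota is spent."""
        now = self.clock()
        while self.day and now - self.day[0] >= 86400:
            self.day.popleft()
        if len(self.day) >= self.per_day:
            raise RuntimeError("daily VirusTotal quota exhausted; try again tomorrow")
        while self.minute and now - self.minute[0] >= 60:
            self.minute.popleft()
        if len(self.minute) >= self.per_minute:
            self.sleep(60 - (now - self.minute[0]))   # wait for the oldest request to age out
            self.minute.popleft()
            now = self.clock()
        self.minute.append(now)
        self.day.append(now)


def enrich(value, api_key, limiter, base_url=VT_API_URL, opener=urllib.request.urlopen):
    """Look up one IOC against VirusTotal (network call; opener is injectable)."""
    ioc_type = classify_ioc(value)
    limiter.acquire()
    req = urllib.request.Request(base_url + vt_object_path(ioc_type, value),
                                 headers={"x-apikey": api_key, "Accept": "application/json"})
    with opener(req, timeout=15) as resp:
        return summarize(json.load(resp))


# Constructed sample of a v3 /ip_addresses response, trimmed to the fields used above.
SAMPLE_IP_RESPONSE = {
    "data": {"id": "1.1.1.1", "type": "ip_address", "attributes": {
        "last_analysis_stats": {"malicious": 0, "suspicious": 0, "harmless": 88,
                                "undetected": 6, "timeout": 0},
        "reputation": 42,
        "whois": "NetRange: 1.1.1.0 - 1.1.1.255\nOrgName: APNIC and Cloudflare DNS Resolver project\n",
    }}
}

if __name__ == "__main__":
    print(classify_ioc("1.1.1.1"), vt_object_path("ip", "1.1.1.1"))
    print(vt_object_path("url", "http://example.com/path?q=1"))
    print(summarize(SAMPLE_IP_RESPONSE))
```

Two points worth checking in your own integration: the per-minute limit is the one you hit first when a Graylog pipeline fires many IOCs at once, so queue enrichments rather than firing them in parallel, and treat `malicious == 0` as "no engine flagged it", not as proof the indicator is benign, since `undetected` counts engines that had no opinion.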
Conclusion
The VirusTotal integration in CoPilot provides security teams with enhanced threat intelligence capabilities. By following the steps outlined in this guide, you can enrich your alerts with valuable context, improving incident response efficiency.
We hope this walkthrough has been helpful. Stay tuned for more updates, and let us know how you’re leveraging VirusTotal in your security workflows!
Need Help?
The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.
Website: https://www.socfortress.co/
Contact Us: https://www.socfortress.co/contact_form.html