Building Best-of-Both-Worlds Automation and Threat Intel With Swimlane and VirusTotal – Part One

2 Minute Read

With extensive out-of-the-box integrations and an API-first architecture, Swimlane enables simple interoperability with any organization’s existing security stack. Integrations for new and custom applications can also be easily developed using common scripting languages and a RESTful API.

The new partnership between Swimlane and VirusTotal is a great example of this approach in action. In this two part blog series, we’ll start by taking a look at how we work together, and in part two, we’ll share step-by-step guidance for users looking to go live with this powerful technology integration.

VirusTotal’s new VT Augment Widget feature gives Swimlane and other applications the ability to display up-to-date threat intelligence from right within the Swimlane platform, as well as returning immediately actionable intelligence detection ratios.

This empowers analysts to drill down into the latest, most actionable intelligence and allows us to automate initial classification and triage from a single API call.

How it works

In order to integrate the new VT Augment functionality into Swimlane, we first had to decide how to architect the solution. The following workflow was decided upon, where:

  1. A Source Alert such as a Phishing Email or XDR Alert enters the Swimlane Platform

  2. Swimlane parses the Source Alert for actionable indicators of compromise (IOCs):
    1. External IP addresses

    2. Domains

    3. URLs

    4. File Hashes (SHA1/SHA256/MD5)

3. Swimlane uses our organization’s API key to make a query to the VT Augment /widget/url endpoint, passing the following parameters:

  1. query: The IOC for which we wish to obtain reputation information (required)

  2. fg1: The desired hex color of the main Widget text (optional)

  3. bg1: The desired primary background color in hex (optional)

  4. bg2: The desired secondary background color in hex (optional)

  5. bd1: The desired border color in hex (optional)

4. The VT Augment endpoint responds with the following data points in JSON format:

  1. url: The URL to use as an iframe src to display the VT Augment Widget

  2. detection ratio:
  3. detections: Number of positive VT engine detections

  4. total: Number of engines scanned against

5. The returned detection ratio can be used to power initial determination of the IOC’s maliciousness, and any automations based on prioritization or automatic determination of the IOC’s nature.

    6. The returned URL is embedded in an iframe in a Swimlane Widget, where it remains ready for manual analysis

      7. When an analyst opens the Threat Intelligence Record for the IOC, the Widget automatically renders, displaying the full results of the investigation from VirusTotal’s VT Augment /widget/html endpoint.

        This workflow is documented in the following diagram:

        In part two, we’ll walk through the process of adding VT Augment functionality to a Threat Intelligence Application in Swimlane.

        Request a Live Demo