In part one of this blog series, we introduced the new technology integration between Swimlane and VirusTotal. This is an exciting development that empowers analysts to drill down into the latest, most actionable intelligence and allows us to automate initial classification and triage from a single API call.
This time, we’re taking a step-by-step look at the process for users who want to add VT Augment functionality to a Threat Intelligence Application in Swimlane.
First up, we need:
- A Swimlane instance with a Threat Intelligence Application
- The Swimlane VirusTotal Plugin >= 3.1.0
- A Swimlane Asset for the VirusTotal Plugin that uses your API key
- The Swimlane iframe Widget
From there, start by building the Plugin Task that will drive Detection Ratios and the VT Augment Widget:
Ensure that you are using a version of the VT Plugin >= 3.1.0 (update if necessary).
On the Integrations > Tasks screen, create a Task for your Threat Intelligence Application that uses the “Get Augment Widget URL” Plugin Action, and give it a name, like “Get VT Augment Widget URL.”
4. General Tab: Select your VirusTotal Asset.
5. Configuration Tab: Select a Record field that contains an IOC of one of the aforementioned types.
6. Outputs Tab: Select “Map to New Fields” and save/approve the default field types.
7. Save the Task.
8. Go to the Application Editor and edit your Threat Intelligence Application and arrange the newly created VT – Get Augment Widget URL Fields. Feel free to place these fields in a Support Tab or other not-readily-visible place, since their values will be used in a widget rather than displayed in the fields themselves.
9. Note and save the FIELD KEY name of the “Augment Widget URL” Field. This should look like “augment-widget-url”
10. Add a 50% wide Section to one of the main display areas in your Threat Intelligence Application and click “Hide Section Border.”
11. Add a Widget and an Integration Button to the newly created Section. Name the Widget “VT Augment Widget” and name the Integration Button “VT – Get Augment Widget URL” or whatever your recently created Integration Task is called. Link the Integration Task to the Integration button.
12. Edit the Widget and paste in the code you copied from the Swimlane Widget Repo. Save if prompted.
13. Ensure that the variable URL_FIELD references the same field name for your “Augment Widget URL” Field, i.e. “augment-widget-url” and save.
14. Save the Application and move to the Workflow Editor.
15. Create a Workflow Condition off the root node that checks whether your Indicator field is populated (or use an existing similar condition if available).
16. Add an Action that triggers your “Get Augment Widget URL” Integration Task.
17. Save the Workflow.
18. Create a new Threat Intelligence Record, populate the Indicator field with an IP address (e.g. “18.104.22.168”), and save. You should see a message that says something like “No URL Provided” in your widget until the newly created Integration Task runs. Once the Task runs, you should see embedded VirusTotal results inside your Threat Intelligence record.
19. If you come back to this record more than three days after its creation, you will see a different result in your widget — a notification from VirusTotal that the results have gone stale and require refreshing. When this occurs, use the Integration Task Button you created earlier to refresh the URL and the results while viewing the Record.
20. If you wish, attach the Detection Result fields (Detections and Total) to other workflow conditions that can automate determinations and actions based on whatever thresholding you desire.
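The thresholding in step 20, combined with the three-day staleness from step 19, could look like the sketch below. This is an added example, not code from Swimlane or VirusTotal: the function name, the threshold values, the verdict labels and the `fetched_at` timestamp (when the Integration Task last ran) are all assumptions to adapt to your own workflow.

```python
from datetime import datetime, timedelta, timezone

# From step 19: results are treated as stale after more than three days.
MAX_AGE = timedelta(days=3)

# Hypothetical thresholds; tune them to your own tolerance for false positives.
MALICIOUS_RATIO = 0.25          # detections / total at or above this => malicious
SUSPICIOUS_MIN_DETECTIONS = 1   # any detection below the ratio => suspicious
MIN_ENGINES = 10                # too few engines reporting => no automated verdict


def triage(detections, total, fetched_at, now=None):
    """Return (verdict, refresh_needed) for one Threat Intelligence record.

    detections/total are the Detections and Total field values (int or str).
    fetched_at is a timezone-aware datetime, or None if the Task never ran.
    """
    now = now or datetime.now(timezone.utc)
    refresh_needed = fetched_at is None or (now - fetched_at) > MAX_AGE

    # Record fields may be empty or arrive as text; never guess a verdict.
    try:
        detections, total = int(detections), int(total)
    except (TypeError, ValueError):
        return "unknown", True

    # Guard against division by zero and inconsistent counts.
    if total < MIN_ENGINES or detections < 0 or detections > total:
        return "unknown", refresh_needed

    if detections / total >= MALICIOUS_RATIO:
        verdict = "malicious"
    elif detections >= SUSPICIOUS_MIN_DETECTIONS:
        verdict = "suspicious"
    else:
        verdict = "undetected"

    # Design choice: stale "undetected" results must not auto-close a record.
    if refresh_needed and verdict == "undetected":
        verdict = "unknown"
    return verdict, refresh_needed


if __name__ == "__main__":
    # Constructed sample values, not real VirusTotal output.
    ran_at = datetime.now(timezone.utc) - timedelta(hours=2)
    print(triage("12", "80", ran_at))
```

Zero detections is reported as "undetected" rather than "benign", since an indicator with no engine hits can still be malicious.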
As you can see, integrating the VirusTotal VT Augment Widget into Swimlane is quick and easy. The returned detection ratios provide actionable, automatable values to drive orchestrations, and the VT Augment Widget itself provides detailed context, information about tested engines, IOC details, and Graphs all from right within Swimlane. This gives the automation platform as well as your analysts exactly what they need to drive a succinct and effective investigation.