Integrating QRadar with VirusTotal

Sergii Tyshchenko
November 24, 2017 · 3 min read

Hello. In the last article we looked at creating rules; today I want to describe a method that helps SIEM administrators respond to possible security incidents faster.

When working with information security incidents in QRadar it is extremely important to speed up the work of SOC operators and analysts. The built-in tools offer plenty of possibilities, but technology keeps developing and new products and platforms keep emerging.
To make the work of IS specialists in the SOC more efficient, I recommend using the “Right Click Properties” functionality. It lets you configure a simple integration with external platforms so that you can get more detailed information on the log fields you are investigating in QRadar. It is best to start such an integration with simple tasks, so let’s look at the example below to see how to do it correctly.

Integration with the public resource VirusTotal

Why do we need such an integration? It automates part of the IS specialists’ work and lets them quickly obtain the information needed to draw conclusions about an indicator’s reputation.
Before we start the integration, we need to determine which fields from the logs need to be checked against this resource.
It is important to remember: it is better to start the integration with one or two fields and add the other fields you need later. It is also important to check the licensing terms of the resource you plan to use so that you do not violate its agreement.
So let’s get started.
For this example we chose the following fields for integration: Source IP, Hash, URL.
The first thing to do is find out the exact names of these variables in the QRadar DB.
To do this, run a search and add the Source IP, Hash and URL fields to the search columns.
Next, hover the mouse over the column where the necessary variable is selected.
At the bottom of the screen (on the left in our case) the browser shows a hint, highlighted in red in the screenshot.

As you can see, the variable is called sourceIP.
Next, we go via SSH to the QRadar server. Go to the /opt/qradar/conf folder.
We need the file I recommend making a backup copy of the file before modifying it.
Open the file
In the line “pluginActions =” add the names of the variables that will be displayed in the QRadar web console when you right-click the corresponding fields in the logs.
For example:
* pluginActions = VirusTotal_Source_IP, VirusTotal_Hash, VirusTotal_URL
Then we write the following:
* VirusTotal_Source_IP.text= VirusTotal Source IP Check
Then we repeat this operation in the same way for the remaining variables.
Restart the Web Server: Admin – Advanced – Restart Web Server.
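As an added example that is not part of the original post, here is a small Python checker you can run on the properties fragment before restarting the Web Server: it parses the file, takes the action names from “pluginActions =” and reports any action that lacks its entries. It assumes the `.arielProperty` and `.url` keys that accompany `.text` in a QRadar right-click entry (the post only shows `.text`); the sample fragment, its field names and its VirusTotal URLs are constructed and contain two deliberate mistakes.

```python
import re

# Constructed sample fragment (not the post's real file); it contains two mistakes.
SAMPLE = """\
# right-click actions
pluginActions = VirusTotal_Source_IP, VirusTotal_Hash, VirusTotal_URL
VirusTotal_Source_IP.arielProperty=sourceIP
VirusTotal_Source_IP.text= VirusTotal Source IP Check
VirusTotal_Source_IP.url=https://www.virustotal.com/gui/ip-address/$sourceIP$
VirusTotal_Hash.arielProperty=Hash
VirusTotal_Hash.text= VirusTotal Hash Check
VirusTotal_Hash.url=https://www.virustotal.com/gui/file/$hash$
VirusTotal_URL.arielProperty=URL
VirusTotal_URL.url=https://www.virustotal.com/gui/domain/$URL$
"""

def parse_properties(text):
    """Minimal Java .properties reader: one key=value per line, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_actions(text):
    """Return a list of problems; an empty list means the fragment is consistent."""
    props = parse_properties(text)
    actions = [a.strip() for a in props.get("pluginActions", "").split(",") if a.strip()]
    if not actions:
        return ["pluginActions is missing or empty"]
    problems = []
    for action in actions:
        label = props.get(f"{action}.text", "")
        ariel = props.get(f"{action}.arielProperty", "")   # assumed key: field to act on
        url = props.get(f"{action}.url", "")               # assumed key: link template
        if not label:
            problems.append(f"{action}: no .text label (menu entry would be blank)")
        if not ariel:
            problems.append(f"{action}: no .arielProperty")
        if not url:
            problems.append(f"{action}: no .url")
        elif ariel and re.findall(r"\$(\w+)\$", url) != [ariel]:
            # The $name$ placeholder must be exactly the declared QRadar field name.
            problems.append(f"{action}: .url placeholder does not match .arielProperty {ariel!r}")
    for key in props:  # entries whose prefix is not declared would never be used
        if "." in key and key.split(".")[0] not in actions:
            problems.append(f"{key}: prefix not listed in pluginActions")
    return problems

if __name__ == "__main__":
    for problem in check_actions(SAMPLE):
        print("PROBLEM:", problem)
```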
