Current ThreatQ Version Filter

VirusTotal Retrohunt Operation

The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.

Integration Details

ThreatQuotient provides the following details for this integration:

Current Integration Version

1.0.0

Compatible with ThreatQ Versions

>= 4.43.0

Support Tier

ThreatQ Supported

Introduction

The VirusTotal Retrohunt Operation submits YARA signatures to VirusTotal Retrohunt.

The operation provides the following action:

Submit Yara - submits Yara signatures to VirusTotal Retrohunt to run against the goodware job.

The operation is compatible with Signature system objects.

Installation

This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.

To configure the integration:

Navigate to your integrations management page in ThreatQ.
Select the Operation option from the Type dropdown (optional).
Click on the integration entry to open its details page.

Enter the following parameters under the Configuration tab:

Parameter	Description
API Key	Your private or public VirusTotal Retrohunt API key.
Email Address To Notify	Optional - The email address to receive notifications by email.

Review any additional settings, make any changes if needed, and click on Save.
Click on the toggle switch, located above the Additional Information section, to enable it.

Actions

The operation provides the following action:

Action	Description	Object Type	Object Subtype
Submit Yara	Submits Yara signatures into VirusTotal Retrohunt	Signatures	YARA

Submit Yara

The Submit Yara action submits the Yara signature to VirusTotal Retrohunt. VirusTotal will then run the Retrohunt job against all files, or "goodware," against a set of known goodware. This is useful to know whether the YARA rules raise lots of false positives.

POST https://www.virustotal.com/api/v3/intelligence/retrohunt_jobs

Sample Response:

{
    "data": {
        "type": "retrohunt_job",
        "attributes": {
            "rules": "rule CTM_Webshell_b374k_ops {strings:\n$general1 = \"Shell\"\ncondition:\nall of ($general*) )\n}\n\n",
            "notification_email": "test@email.com",
            "corpus": "main"
        }
    }
}

Change Log

Version 1.0.0
- Initial release

PDF Guides

Document	ThreatQ Version
VirusTotal Retrohunt Operation v1.0.0	4.43.0 or Greater