ITDR
Enrichment Configuration Guide for VirusTotal
This configuration guide provides information on prerequisites and how to integrate Zscaler ITDR with VirusTotal to enhance events generated in the Zscaler ITDR Admin Portal with additional context.
VirusTotal aggregates various antivirus products and online scan engines to analyze suspicious files, URLs, and IP addresses to detect threats. VirusTotal runs the forwarded file or hash through multiple antivirus engines and rulesets to generate enriched reports with detailed results.
Prerequisites
Before you configure enrichment integration, ensure that you have:
- Network connectivity from the ITDR Admin Portal to the VirusTotal API server.
- An active VirusTotal account.
- Obtained the VirusTotal API key.
Configuring Enrichment Integration with VirusTotal
To configure enrichment integration with VirusTotal:
- Go to Orchestrate > Enrich.
- Locate VirusTotal in the table, and click the Edit icon under the Actions column.
- In the VirusTotal window:
  - Select Enabled.
  - Enter the VirusTotal API key.
- Click Save.
Enrichment integration with VirusTotal is enabled.
After enrichment integration is enabled, you can see the data from VirusTotal on the Event Logs page. The additional fields added to each event log entry carry the vt. prefix:
- vt.positives
- vt.total
- vt.names
- vt.error
- vt.permalink
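The following is an added example, not code from this guide or from Zscaler ITDR, showing how a VirusTotal file report can be mapped onto the five vt.* fields listed above so an analyst can see how each field is derived. It assumes a report shaped like VirusTotal's v2 file/report response (response_code, positives, total, permalink, scans) and assumes vt.names holds the detection names reported by the engines that flagged the file; both are assumptions, as are the fetch_vt_report endpoint details and the constructed sample reports embedded below. Note how a hash that VirusTotal has never seen is surfaced through vt.error rather than as zero positives, so "no data" is not mistaken for "clean".

```python
"""Map a VirusTotal file report onto vt.* enrichment fields (added example).

The report shape and the field mapping are assumptions modelled on the
VirusTotal v2 file/report response; this is not Zscaler ITDR's own code.
"""
import json
import urllib.parse
import urllib.request
from typing import Any, Dict

# Constructed sample: a v2-style report for a hash that three of five engines
# flagged. Values are made up for illustration.
SAMPLE_REPORT_FOUND = json.dumps({
    "response_code": 1,
    "positives": 3,
    "total": 5,
    "permalink": "https://www.virustotal.com/gui/file/<hash-placeholder>",
    "scans": {
        "EngineA": {"detected": True, "result": "Trojan.Generic"},
        "EngineB": {"detected": True, "result": "Trojan.Generic"},
        "EngineC": {"detected": False, "result": None},
        "EngineD": {"detected": True, "result": "Malware.Heuristic"},
        "EngineE": {"detected": False, "result": None},
    },
})

# Constructed sample: report for a hash VirusTotal has no record of.
SAMPLE_REPORT_UNKNOWN = json.dumps({
    "response_code": 0,
    "verbose_msg": "The requested resource is not among the finished, "
                   "queued or pending scans",
})


def fetch_vt_report(api_key: str, file_hash: str, timeout: float = 10.0) -> str:
    """Fetch a file report over the network (assumed v2 endpoint; not run offline).

    The API key is a secret: keep it in the portal configuration or a secrets
    store and never write it to logs or event fields.
    """
    query = urllib.parse.urlencode({"apikey": api_key, "resource": file_hash})
    url = f"https://www.virustotal.com/vtapi/v2/file/report?{query}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_vt_report(raw: str) -> Dict[str, Any]:
    """Convert a raw report into the vt.* fields the guide lists.

    Detection names are de-duplicated and sorted so vt.names is stable,
    which matters if the field later feeds detection rules or dashboards.
    """
    try:
        report = json.loads(raw)
    except json.JSONDecodeError as exc:
        return {"vt.error": f"unparseable response: {exc}"}

    if report.get("response_code") != 1:
        # Unknown hash or scan still queued: record the reason instead of
        # emitting positives=0, which would read as a clean verdict.
        return {"vt.error": report.get("verbose_msg", "no report available")}

    names = sorted({
        scan["result"]
        for scan in report.get("scans", {}).values()
        if scan.get("detected") and scan.get("result")
    })
    return {
        "vt.positives": int(report.get("positives", 0)),
        "vt.total": int(report.get("total", 0)),
        "vt.names": names,
        "vt.permalink": report.get("permalink", ""),
    }


def enrich_event(event: Dict[str, Any], raw_report: str) -> Dict[str, Any]:
    """Return a copy of an event log entry with the vt.* fields merged in."""
    enriched = dict(event)
    enriched.update(parse_vt_report(raw_report))
    return enriched


if __name__ == "__main__":
    # Constructed event; in practice the hash comes from the ITDR event itself.
    event = {"event_id": "evt-0001", "sha256": "<hash-placeholder>"}
    print(json.dumps(enrich_event(event, SAMPLE_REPORT_FOUND), indent=2))
    print(json.dumps(enrich_event(event, SAMPLE_REPORT_UNKNOWN), indent=2))
```

Running the block prints one enriched event with vt.positives 3 of vt.total 5 and two distinct detection names, and a second event carrying only vt.error. When reading enriched events in the portal, treat a populated vt.error the same way: the hash was not assessed, so the absence of positives says nothing about the file.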