
VirusTotal Data Source

Follow the instructions below to create a new data flow that ingests data from a VirusTotal source in Nexla.

Create a New Data Flow

  1. To create a new data flow, navigate to the Integrate section, and click the New Data Flow button. Then, select the desired flow type from the list, and click the Create button.

  2. Select the VirusTotal connector tile from the list of available connectors. Then, select the credential that will be used to connect to the VirusTotal instance, and click Next; or, create a new VirusTotal credential for use in this flow.

  3. In Nexla, VirusTotal data sources can be created using pre-built endpoint templates, which expedite source setup for common VirusTotal endpoints. Each template is designed specifically for the corresponding VirusTotal endpoint, making source configuration easy and efficient.
    • To configure this source using a template, follow the instructions in Configure Using a Template.

    VirusTotal sources can also be configured manually, allowing you to ingest data from VirusTotal endpoints not included in the pre-built templates or to apply further customizations to exactly suit your needs.
    • To configure this source manually, follow the instructions in Configure Manually.

Configure Using a Template

Nexla provides pre-built templates that can be used to rapidly configure data sources to ingest data from common VirusTotal endpoints. Each template is designed specifically for the corresponding VirusTotal endpoint, making data source setup easy and efficient.

Endpoint Settings

  • From the Endpoint pulldown menu, select the endpoint from which this source will fetch data. Available endpoint templates are listed in the expandable boxes below. Click on an endpoint to see more information about it and how to configure your data source for this endpoint.

    Get Domain Information

    This endpoint template retrieves VirusTotal information about one internet domain name from your VirusTotal account. Use this template when you need to access domain security information, threat intelligence, or domain metadata for analysis, reporting, or integration purposes.

    • Enter the Domain Name in the Domain Name field. This should be the internet domain name for which you want VirusTotal information. The Domain Name determines which domain's information will be retrieved.

    This endpoint returns VirusTotal information about one internet domain name from your VirusTotal account, including security analysis, threat intelligence, reputation data, and other domain metadata.

    For detailed information about the domain data returned, API response structures, and the fields available for domains, see the VirusTotal API documentation.

    Get Domain Information from Lookup

    This endpoint template retrieves VirusTotal information about internet domain names stored in a Nexla lookup table. Use this template when you need to batch fetch domain security information for multiple domains from a lookup table for analysis, reporting, or integration purposes.

    • Select the Lookup for fetching Domain Names from the Lookup for fetching Domain Names pulldown menu. This should be the Nexla Lookup that contains Domain Names to iterate over. The Lookup determines which domain names will be used to fetch information.
    • Enter the Domain Name column name in Lookup in the Domain Name column name in Lookup field. This should be the column name in the lookup table that contains the domain names. The Domain Name column name determines which column will be used to extract domain names from the lookup table.

    This endpoint retrieves VirusTotal information about internet domain names stored in a Nexla lookup table, allowing you to batch fetch domain security information for multiple domains efficiently. The endpoint iterates over the lookup table and fetches information for each domain name in the specified column.

    For detailed information about the domain data returned, API response structures, and the fields available for domains, see the VirusTotal API documentation.

    Get URL Information

    This endpoint template retrieves VirusTotal information about one URL from your VirusTotal account. The URL must be supplied as a VirusTotal URL identifier or as the base64 representation of the URL to scan (without padding). Use this template when you need to access URL security information, threat intelligence, or URL metadata for analysis, reporting, or integration purposes.

    • Enter the URL Identifier in the URL Identifier field. This should be a VirusTotal URL identifier or the base64 representation of the URL to scan (without padding). The URL Identifier determines which URL's information will be retrieved.

    This endpoint returns VirusTotal information about one URL from your VirusTotal account, including security analysis, threat intelligence, reputation data, and other URL metadata. The URL must be a VirusTotal URL identifier or the base64 representation of the URL to scan (without padding).

    For detailed information about the URL data returned, API response structures, and the fields available for URLs, see the VirusTotal API documentation.

    Get URL Information from Lookup

    This endpoint template retrieves VirusTotal information about URLs stored in a Nexla lookup table. Each URL must be supplied as a VirusTotal URL identifier or as the base64 representation of the URL to scan (without padding). Use this template when you need to batch fetch URL security information for multiple URLs from a lookup table for analysis, reporting, or integration purposes.

    • Select the Lookup for fetching URL Identifiers from the Lookup for fetching URL Identifiers pulldown menu. This should be the Nexla Lookup that contains the URL Identifiers to iterate over. The Lookup determines which URL identifiers will be used to fetch information.
    • Enter the URL Identifier column name in Lookup in the URL Identifier column name in Lookup field. This should be the column name in the lookup table that contains the URL identifiers. The URL Identifier column name determines which column will be used to extract URL identifiers from the lookup table.

    This endpoint retrieves VirusTotal information about URLs stored in a Nexla lookup table, allowing you to batch fetch URL security information for multiple URLs efficiently. Each URL must be a VirusTotal URL identifier or the base64 representation of the URL to scan (without padding). The endpoint iterates over the lookup table and fetches information for each URL identifier in the specified column.

    For detailed information about the URL data returned, API response structures, and the fields available for URLs, see the VirusTotal API documentation.
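    As an added example (not code from the Nexla documentation or the connector), the following Python shows how to turn plain URLs, such as those held in a lookup table column, into the unpadded base64 identifier that both the Get URL Information and Get URL Information from Lookup templates expect, and how to sanity-check a value before entering it. It assumes VirusTotal's URL-safe base64 alphabet and that VirusTotal's own URL identifiers are 64-character SHA-256 hex strings; the sample rows and column names are constructed.

```python
import base64
import re

# Constructed sample lookup rows, shaped like a lookup table column that holds plain URLs.
# These are not real VirusTotal records.
SAMPLE_ROWS = [
    {"url": "http://example.com/"},
    {"url": "https://example.org/path?q=1&x=2"},
]

# VirusTotal's native URL identifiers are SHA-256 hex digests (64 hex characters).
_SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")


def url_to_vt_identifier(url):
    """Encode a URL as VirusTotal expects: URL-safe base64 with the '=' padding removed."""
    return base64.urlsafe_b64encode(url.encode("utf-8")).decode("ascii").rstrip("=")


def vt_identifier_to_url(identifier):
    """Reverse of url_to_vt_identifier; re-adds the padding that base64 decoding requires."""
    padded = identifier + "=" * (-len(identifier) % 4)
    return base64.urlsafe_b64decode(padded.encode("ascii")).decode("utf-8")


def looks_like_vt_identifier(value):
    """Heuristic check for a value destined for the URL Identifier field:
    either a SHA-256 hex id or unpadded URL-safe base64 that decodes to an http(s) URL."""
    if _SHA256_HEX.match(value):
        return True
    if "=" in value:
        return False  # padding present: the template requires the unpadded form
    try:
        decoded = vt_identifier_to_url(value)
    except (ValueError, UnicodeDecodeError):
        return False
    return decoded.startswith(("http://", "https://"))


def rows_to_identifiers(rows, column="url"):
    """Build the identifier column a lookup-based template iterates over from rows of plain URLs."""
    return [{"url_identifier": url_to_vt_identifier(row[column])} for row in rows]
```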

    Get IP Address Information

    This endpoint template retrieves VirusTotal information about an IP address from your VirusTotal account. Use this template when you need to access IP address security information, threat intelligence, or IP address metadata for analysis, reporting, or integration purposes.

    • Enter the IP Address in the IP Address field. This should be the IP address for which you want VirusTotal information. The IP Address determines which IP address's information will be retrieved.

    This endpoint returns VirusTotal information about an IP address from your VirusTotal account, including security analysis, threat intelligence, reputation data, and other IP address metadata.

    For detailed information about the IP address data returned, API response structures, and the fields available for IP addresses, see the VirusTotal API documentation.

    Get IP Address Information from Lookup

    This endpoint template retrieves VirusTotal information about IP addresses stored in a Nexla lookup table. Use this template when you need to batch fetch IP address security information for multiple IP addresses from a lookup table for analysis, reporting, or integration purposes.

    • Select the Lookup for fetching IP Addresses from the Lookup for fetching IP Addresses pulldown menu. This should be the Nexla Lookup that contains IP Addresses to iterate over. The Lookup determines which IP addresses will be used to fetch information.
    • Enter the IP Address column name in Lookup in the IP Address column name in Lookup field. This should be the column name in the lookup table that contains the IP addresses. The IP Address column name determines which column will be used to extract IP addresses from the lookup table.

    This endpoint retrieves VirusTotal information about IP addresses stored in a Nexla lookup table, allowing you to batch fetch IP address security information for multiple IP addresses efficiently. The endpoint iterates over the lookup table and fetches information for each IP address in the specified column.

    For detailed information about the IP address data returned, API response structures, and the fields available for IP addresses, see the VirusTotal API documentation.

Endpoint Testing

Once the selected endpoint template has been configured, Nexla can retrieve a sample of the data that will be fetched according to the current settings. This allows users to verify that the source is configured correctly before saving.

  • To test the current endpoint configuration, click the Test button to the right of the endpoint selection menu. Sample data will be fetched & displayed in the Endpoint Test Result panel on the right.

  • If the sample data is not as expected, review the selected endpoint and associated settings, and make any necessary adjustments. Then, click the Test button again, and check the sample data to ensure that the correct information is displayed.

Configure Manually

VirusTotal data sources can be manually configured to ingest data from any valid VirusTotal API endpoint. Manual configuration provides maximum flexibility for accessing endpoints not covered by pre-built templates or when you need custom API configurations.

With manual configuration, you can also create more complex VirusTotal sources, such as sources that use chained API calls to fetch data from multiple endpoints or sources that require custom authentication headers or request parameters.

API Method

  1. To manually configure this source, select the Advanced tab at the top of the configuration screen.

  2. Select the API method that will be used for calls to the VirusTotal API from the Method pulldown menu. The most common methods are:

    • GET: For retrieving data from the API (most common for VirusTotal data sources)

API Endpoint URL

  1. Enter the URL of the VirusTotal API endpoint from which this source will fetch data in the Set API URL field. This should be the complete URL including the protocol (https://) and any required path parameters.

Ensure the API endpoint URL is correct and accessible with your current credentials. You can test the endpoint using the Test button after configuring the URL.

Path to Data

If only a subset of the data returned by the API endpoint is needed, you can designate the part(s) of the response that should be included in the Nexset(s) produced from this source by specifying the path to the relevant data within the response. This is particularly useful when API responses contain metadata, pagination information, or other data that you don't need for your analysis.

For example, when a request call is used to fetch security information, the API will typically return an object with security data, along with metadata, in the response. By entering the path to the relevant data, you can configure Nexla to extract the specific information you need.

Path to Data is essential when VirusTotal API responses have nested structures. Without specifying the correct path, Nexla might not be able to properly parse and organize your data into usable records.

  • To specify which data should be treated as relevant in responses from this source, enter the path to the relevant data in the Set Path to Data in Response field.

    • For responses in JSON format, enter the JSON path that points to the object or array that should be treated as relevant data. JSON paths use dot notation (e.g., $ to access the root object, or $.data to access a nested data object).

    • For responses in XML format, enter the XPath that points to the object/array containing relevant data. XPath uses slash notation (e.g., /response/data to access data elements within a response element).

    Path to Data Example:

    If the VirusTotal API response is in JSON format and the root object itself contains the relevant data, enter $ as the path.
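    As an added example (not part of the Nexla documentation and not the connector's own parser), the following Python resolves dot-notation paths such as $, $.data and $.data.attributes.last_analysis_stats against a constructed VirusTotal-style response, and shows which records result: an object at the path becomes one record, an array becomes one record per element. The response body, its field values and the path syntax supported here (dot keys plus [n] indexes) are assumptions for illustration.

```python
import json
import re

# Constructed sample response in the shape of a VirusTotal v3 domain report.
# Values are illustrative only, not captured from the API.
SAMPLE_RESPONSE = json.loads("""
{
  "data": {
    "id": "example.com",
    "type": "domain",
    "attributes": {
      "reputation": 0,
      "last_analysis_stats": {"harmless": 70, "malicious": 0, "suspicious": 0, "undetected": 10}
    }
  },
  "links": {"self": "https://www.virustotal.com/api/v3/domains/example.com"}
}
""")

# One path segment: either ".key" or "[index]".
_SEGMENT = re.compile(r"\.([A-Za-z0-9_-]+)|\[(\d+)\]")


def resolve_path(doc, path):
    """Walk a dot-notation JSON path ('$', '$.data', '$.data.items[0]') and return the node it names."""
    if not path.startswith("$"):
        raise ValueError("JSON path must start with '$'")
    rest, pos, node = path[1:], 0, doc
    while pos < len(rest):
        match = _SEGMENT.match(rest, pos)
        if not match:
            raise ValueError(f"unparseable path segment: {rest[pos:]!r}")
        key, index = match.group(1), match.group(2)
        if key is not None:
            if not isinstance(node, dict) or key not in node:
                raise KeyError(f"no key {key!r} at {path[:1 + match.end()]}")
            node = node[key]
        else:
            if not isinstance(node, list) or int(index) >= len(node):
                raise KeyError(f"no element [{index}] at {path[:1 + match.end()]}")
            node = node[int(index)]
        pos = match.end()
    return node


def records_at_path(doc, path):
    """Records a source would emit for the path: one per array element, or the object itself."""
    node = resolve_path(doc, path)
    return list(node) if isinstance(node, list) else [node]
```

    With $ the whole response, including the links metadata, becomes the record; with $.data only the report object does, which is usually what you want in a Nexset.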

Autogenerate Path Suggestions

Nexla can also autogenerate data path suggestions based on the response from the API endpoint. These suggested paths can be used as-is or modified to exactly suit your needs.

  • To use this feature, click the Test button next to the Set API URL field to fetch a sample response from the API endpoint. Suggested data paths generated based on the content & format of the response will be displayed in the Suggestions box below the Set Path to Data in Response field.

  • Click on a suggestion to automatically populate the Set Path to Data in Response field with the corresponding path. The populated path can be modified directly within the field if further customization is needed.


Endpoint Testing (Manual Configuration)

After configuring all settings for the selected endpoint, Nexla can retrieve a sample of the data that will be fetched according to the current configuration. This allows users to verify that the source is configured correctly before saving.

  • To test the current endpoint configuration, click the Test button to the right of the endpoint selection menu. Sample data will be fetched & displayed in the Endpoint Test Result panel on the right.

  • If the sample data is not as expected, review the selected endpoint and associated settings, and make any necessary adjustments. Then, click the Test button again, and check the sample data to ensure that the correct information is displayed.

Save & Activate the Source

  1. Once all of the relevant steps in the above sections have been completed, click the Create button in the upper right corner of the screen to save and create the new VirusTotal data source. Nexla will now begin ingesting data from the configured endpoint and will organize any data that it finds into one or more Nexsets.