Migrate from VirusTotal

How to move from VirusTotal integrations to the Google Threat Intelligence ones.

This migration guide assumes that you are already familiar with using VirusTotal integrations. If you're not, please refer to the table below to access the relevant documentation for each Google Threat Intelligence integration.

Equivalent integrations:


Google Threat Intelligence for Splunk

This add-on has been designed to mimic the behavior of VT4Splunk as closely as possible to facilitate migration from it. Below are described the most significative differences from the VirusTotal integration.

Commands

The main enrichment command is called gti (former vt4splunk) and it can be used in the same way as in the VT integration. Refer to the add-on documentation to learn more.

The commands vtdeleteiocs, vtadversaryupdate, vtmitreupdate are now called gtideleteiocs, gtiadversaryupdate, gtimitreupdate.

Dashboards

1 - Threat Intelligence

You can retrieve the GTI assessment (threat score, verdict, and severity) for each IoC. Additionally, you can drill down by the GTI verdict by clicking on the new pie chart.

Integrations Pie Chart

2 - Adversary Intelligence

You can select the origin of the collections, in VT4SPlunk the collections showed in this dashboard are solely provided by the community. In this add-on you receive additional curated collections from Partners and Google Threat Intelligence teams as Mandiant.

Integrations Select Origin

Google Threat Intelligence for Cortex XSOAR

This pack has been designed to mimic the behavior of the VirusTotal (API v3) integration as closely as possible, making migration from it seamless. All commands available in the VirusTotal integration are included here with a new prefix, but their functionality remains unchanged:

  • gti-comments-add
  • gti-file-scan-upload-url
  • gti-comments-delete
  • gti-comments-get
  • gti-comments-get-by-id
  • gti-search
  • gti-file-sandbox-report
  • gti-passive-dns-data
  • gti-analysis-get
  • gti-file-sigma-analysis
  • gti-privatescanning-file
  • gti-privatescanning-file-scan
  • gti-privatescanning-analysis-get
  • gti-url-scan-and-analysis-get
  • gti-file-scan-and-analysis-get
  • gti-private-file-scan-and-analysis-get

In addition, we've included a new command, gti-assessment-get, which retrieves the GTI assessment (threat score, verdict, and severity) for a given entity. This information is also included in the responses of the file, url, ip, and domain commands provided by the integration.

We've also added commands to retrieve curated information for a given entity:

  • gti-curated-malware-families-get
  • gti-curated-campaigns-get
  • gti-curated-threat-actors-get

Google Threat Intelligence for MISP

This expansion module complements the VirusTotal one rather than replacing it. It allows you to enrich IoCs found in MISP event attributes (similar to the VirusTotal module) with Google TI assessments (threat score, verdict, and severity). If you still require VirusTotal engine verdicts, please use both modules together.