Open GuillaumeRoss opened 2 years ago
As a first step towards Option 1, let's do a video showing how you can go from building such a query (as a policy or a label) to looking at the results and pasting a hash into virustotal. That'll get us thinking about how to design it, and also immediately help people in the community make the connection that this is possible.
Goal
TODO VirusTotal can provide valuable information around files, especially files that get executed. VirusTotal has a FREE API (can't be used in commercial products) and a paid API. Through the paid API, you can search, but you can also submit files, which is useful if VirusTotal had not seen them before. These types of services typically have information for multiple indicator-of-compromise types (URL, domain name, IP address, file hash, etc.), but in this ticket we focus on files and file hashes.
VirusTotal also has a search interface on their website, which you can throw many different searches at.
There are other similar providers, like Opswat, and other threat intelligence providers, like ReversingLabs, with similar data, so I believe we should take the approach where:
For #2, interesting features would be:
If we decide to work on this, we should first define the complete UX of how people will use it both in the UI and at the API level.
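As an added example (not code from this issue or from the project), here is a Python script that takes rows returned by such a policy or label query, pulls out the unique SHA-256 values, looks each one up through VirusTotal's API and reduces the report to a verdict; a 404 is the "never seen" case where only the paid API's file submission would help. It assumes the v3 `files` endpoint with an `x-apikey` header, a `VT_API_KEY` environment variable, a three-engine threshold and the free tier's 4-lookups-per-minute limit; the result rows are constructed.

```python
import json
import os
import re
import time
import urllib.error
import urllib.request

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"  # assumed v3 endpoint
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
MALICIOUS_THRESHOLD = 3  # assumed: one engine hit alone is a weak signal

# Constructed sample rows, shaped like the output of an osquery query that
# joins the hash table against executed binaries (two hosts ran the same file).
SAMPLE_ROWS = [
    {"hostname": "host-01", "path": "/tmp/dropper", "sha256": "a" * 64},
    {"hostname": "host-02", "path": "/tmp/dropper", "sha256": "A" * 64},
    {"hostname": "host-01", "path": "/usr/bin/ls", "sha256": "b" * 64},
    {"hostname": "host-03", "path": "/tmp/unreadable", "sha256": ""},
]

def extract_hashes(rows):
    """Unique, well-formed SHA-256 values, lower-cased so that one lookup
    covers every host that reported the same file (empty/garbage skipped)."""
    unique = []
    for row in rows:
        h = (row.get("sha256") or "").strip().lower()
        if SHA256_RE.match(h) and h not in unique:
            unique.append(h)
    return unique

def summarize_report(report):
    """Reduce a VirusTotal file object to (verdict, detections, engines).
    None means VirusTotal returned 404: it has never seen this hash."""
    if report is None:
        return ("unknown", 0, 0)
    stats = report["data"]["attributes"]["last_analysis_stats"]
    detections = stats.get("malicious", 0) + stats.get("suspicious", 0)
    engines = sum(stats.values())
    if detections >= MALICIOUS_THRESHOLD:
        return ("malicious", detections, engines)
    return ("suspicious" if detections else "clean", detections, engines)

def lookup_hash(sha256, api_key):
    """GET /api/v3/files/{hash}; returns the parsed JSON, or None on 404."""
    req = urllib.request.Request(VT_FILES_URL + sha256, headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise

if __name__ == "__main__":
    key = os.environ.get("VT_API_KEY")  # no key: stay offline, report unknown
    for h in extract_hashes(SAMPLE_ROWS):
        print(h, summarize_report(lookup_hash(h, key) if key else None))
        time.sleep(15)  # assumed free-tier limit of 4 lookups per minute
```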