Use Cases
VirusTotal - Apps, Workflow, and Reference Fields
Scenario

Chris works in a security operations center (SOC). He is responsible for discovering and reporting malicious URLs. Each morning he receives a list of reported URLs, looks up each one in VirusTotal, and then uses the resulting VirusTotal scans to report which URLs are most severe. This takes up most of Chris's morning each work day.

Chris would like to use Swimlane to simplify and automate this process. He has already ensured that his version of Swimlane has a VirusTotal integration, and he has reviewed the VirusTotal report to determine which data he will want to use to feed his Swimlane application(s) and workflow solution.

Chris can resolve this scenario with the following solution.

1. Build an application in Swimlane that includes a reference field. The application should also include a selection field that can handle multiple values.

   Chris created the Incidents application and included a reference field, VirusTotal Results. He created the Severity multi-select selection field and set up the values Low, Normal, High, and Critical with the values list editor.

2. With the reference field selected, create a new application to reference.

   Chris selected VirusTotal Results and then clicked Create New Application to Reference.

3. Create the application to reference from the Incidents application. Include the fields you will use as targets when setting up task output mapping.

   Chris created two fields: a URL field and a field to hold the VirusTotal data for "positives," which is the VirusTotal data field that reports the number of malicious files associated with a URL. He named the new application VirusTotal Results and saved the application.

   ![Secondary application, VirusTotal Results](/resources/images/secondary app png)

   Back in the original Incidents application, notice how the secondary application, VirusTotal Results, is now selected in the Reference Application field.

4. Next, select the fields to reference.

   Chris clicked Select Fields to Display and selected URL and Positives from the field selection dialog. The selected fields now display within the Incidents VirusTotal Results field properties.

5. Next, create a VirusTotal task and map it to the VirusTotal Results fields.

   Chris created the task, VT URL Report, and defined the asset, VirusTotal. He set up the input on the Configuration tab. He then created output mappings to the URL and Positives fields. He also enabled Swimlane to add reference data back to the original (parent) record's VirusTotal Results reference field.

6. Now that the integration task and the applications are set up, create the workflow that will automate the URL lookup and reporting processes.

   Chris reopened the Incidents application and created the workflow there, since it is the original (parent) application for this process. He created a condition that holds the URL List field, and a repeat that will iterate over each item in the URL field. He then created an action that creates a trigger to run a VirusTotal scan over the URL. The VirusTotal integration task returns a value to the Positives field.

7. Create a new workflow condition that points to the target field in order to process the action.

   Chris specified that the target field for the VirusTotal Results field is Positives. He also specified that any value greater than 7 should trigger a change of Severity to Critical.

8. Finish the workflow by setting up additional stages and actions for each value of the Severity field, then click OK.

   Here is a look at the complete workflow that Chris created.

Conclusion

Chris can now start his day knowing that he has automated the process of searching for and reporting malicious URLs.
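The workflow above, modelled offline as an added example (this is not Swimlane's or VirusTotal's own code): a parent Incidents record, child VirusTotal Results records written back into its reference field, the repeat over the URL list, and the Severity condition on Positives. The VirusTotal responses and URLs are constructed samples; only the "greater than 7 is Critical" rule comes from the use case, and the lower severity bands are assumed thresholds.

```python
from dataclasses import dataclass, field
from typing import List, Optional
# Constructed sample responses shaped like VirusTotal URL-report JSON (placeholder URLs).
SAMPLE_VT_REPORTS = {
    "http://example.invalid/clean":  {"response_code": 1, "positives": 0, "total": 70},
    "http://example.invalid/few":    {"response_code": 1, "positives": 3, "total": 70},
    "http://example.invalid/many":   {"response_code": 1, "positives": 12, "total": 70},
    "http://example.invalid/unseen": {"response_code": 0},  # not in VirusTotal's dataset
}

@dataclass
class VirusTotalResult:            # one record of the referenced (child) application
    url: str
    positives: Optional[int]

@dataclass
class Incident:                    # one record of the parent application, Incidents
    url_list: List[str]
    virustotal_results: List[VirusTotalResult] = field(default_factory=list)  # reference field
    severity: set = field(default_factory=set)   # multi-select: Low, Normal, High, Critical

def vt_url_report(url: str) -> dict:
    # Stand-in for the 'VT URL Report' task; a real task would query VirusTotal.
    return SAMPLE_VT_REPORTS.get(url, {"response_code": 0})

def severity_for(positives: Optional[int]) -> Optional[str]:
    # Only 'greater than 7 is Critical' is from the use case; lower bands are assumed.
    if positives is None:
        return None                # no scan data, so the condition does not fire
    if positives > 7:
        return "Critical"
    if positives > 3:
        return "High"
    return "Normal" if positives > 0 else "Low"

def run_workflow(incident: Incident) -> Incident:
    """Repeat over URL List: run the task, write the child record into the reference
    field, then apply the Severity condition to the parent record."""
    for url in incident.url_list:
        report = vt_url_report(url)
        positives = report.get("positives") if report.get("response_code") == 1 else None
        incident.virustotal_results.append(VirusTotalResult(url, positives))
        if (sev := severity_for(positives)) is not None:
            incident.severity.add(sev)
    return incident

def ranked_results(incident: Incident) -> List[VirusTotalResult]:
    # Chris's report: referenced results ordered from most to least severe.
    return sorted(incident.virustotal_results, reverse=True,
                  key=lambda r: -1 if r.positives is None else r.positives)
```

A URL that VirusTotal has never seen yields a result record with no Positives value, so it is kept in the reference field but does not change Severity.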