FortiSOAR Discussions
adem_netsys
Contributor

VirusTotal

When you search for a certain IP block at the VirusTotal address, it produces a few results, but it says zero in the reputation section in SOAR. How can we solve this in SOAR?

malayamanas_FTNT

Hello Adem, Good Day!

Please share a screenshot for your question.

Thanks

MALAYA MANAS PANDA
Professional Services Consultant
adem_netsys

Hello,

It returns a total of 9 results on the VirusTotal site, but it shows up as zero in this SOAR playbook.

Thank you

malayamanas_FTNT

Hello

You can use a Jinja expression to further process last_analysis_results from VT.

The Jinja code below finds the total number of malicious verdicts from the different TIP sources.

{{vars.steps.Get_IP_Reputation.data.attributes['last_analysis_stats'].malicious}}

MALAYA MANAS PANDA
Professional Services Consultant
adem_netsys

Hello,

Yes, when I did this the total number showed up, but there is no way to do it in reputation?

malayamanas_FTNT

VT may not provide a reputation score every time.

But we can look at "last_analysis_stats" and "last_analysis_results" to know more and make a decision.

MALAYA MANAS PANDA
Professional Services Consultant
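
The decision logic suggested in the reply above, sketched in Python as an added example (not code from the thread or from FortiSOAR): it derives a verdict from last_analysis_stats and lists the flagging engines from last_analysis_results when the reputation field is 0. The function name, thresholds, verdict labels and sample data are assumptions made for illustration.

```python
# Constructed sample shaped like the data.attributes object the playbook step
# returns for an IP lookup; engine names and counts are made up, and
# last_analysis_results is cut down to four engines.
SAMPLE_ATTRIBUTES = {
    "reputation": 0,
    "last_analysis_stats": {"harmless": 60, "malicious": 9, "suspicious": 1,
                            "undetected": 18, "timeout": 0},
    "last_analysis_results": {
        "EngineA": {"category": "malicious", "result": "malware"},
        "EngineB": {"category": "malicious", "result": "phishing"},
        "EngineC": {"category": "suspicious", "result": "suspicious"},
        "EngineD": {"category": "harmless", "result": "clean"},
    },
}

FLAGGED = ("malicious", "suspicious")


def triage_verdict(attributes, malicious_min=3, suspicious_min=1):
    """Derive a verdict from engine counts instead of the reputation field.

    Thresholds and verdict labels are assumptions; tune them per environment.
    """
    stats = attributes.get("last_analysis_stats") or {}
    results = attributes.get("last_analysis_results") or {}
    malicious = int(stats.get("malicious") or 0)
    suspicious = int(stats.get("suspicious") or 0)
    total = sum(int(v or 0) for v in stats.values())
    # Engines whose own verdict was malicious or suspicious, for the analyst.
    flagged_by = sorted(
        name for name, res in results.items()
        if isinstance(res, dict) and res.get("category") in FLAGGED
    )
    if total == 0:
        verdict = "No Data"  # nothing was analysed: not the same as clean
    elif malicious >= malicious_min:
        verdict = "Malicious"
    elif malicious > 0 or suspicious >= suspicious_min:
        verdict = "Suspicious"
    else:
        verdict = "Clean"
    return {"verdict": verdict, "malicious": malicious, "suspicious": suspicious,
            "engines_total": total, "flagged_by": flagged_by,
            "reputation": attributes.get("reputation")}


if __name__ == "__main__":
    print(triage_verdict(SAMPLE_ATTRIBUTES))
```
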
adem_netsys

Thank you so much. You've been very helpful.