Alert Center enrichment with VirusTotal threat context now generally available
Earlier this year, Google pre-announced an integration between the Alert Center and VirusTotal. Currently, the Google Workspace Alert Center provides admins with actionable, real-time alerts and insights regarding security-related activity in their domain. With the VirusTotal (now part of Google Cloud) integration, admins have the ability to dig into their alerts at a deeper level.
When an Alert Center notification contains a supported VirusTotal entity, such as a domain, file attachment hash, or IP address, the VirusTotal report enrichment widget (VT Augment) is available directly in the Alert Center. For paid VirusTotal subscribers, an enhanced version of the report will automatically populate.
The Standard version of VirusTotal reports includes the following:
- Observable identification—Identifiers and characteristics allowing you to reference the threat and share it with other analysts (for example, file hashes).
- Threat reputation—Maliciousness assessments coming from 70+ security vendors, including antivirus solutions, security companies, network blocklists, and more.
- Threat time spread—Key dates that enable you to understand when a given threat was first observed in-the-wild and how long it’s been active.
- Domain/IP Whois lookup—Registrar and registrant details for domains, as well as ownership and network range information for IP addresses.
- Domain and server security-relevant metadata—HTTPS certificates for web servers, DNS resolution records, and web server HTTP headers.
The Enhanced version of VirusTotal reports includes additional features such as:
- Multi-angular detection—Additional threat analysis coming from crowdsourced rule matches and community scoring (for example: YARA, Sigma, and IDS rules).
- Related indicators of compromise (IOCs)—Examples of IOCs include a network infrastructure distributing a malware file, servers acting as a command-and-control for a given threat, malicious URLs seen under a given domain, domains seen behind a given IP address, and more.
- Interactive threat graph—Graphical format that maps out entire threat campaigns by visualizing the relationships between IOCs.
- Security-relevant metadata—Includes software publisher information, identification of malicious macros in documents, popularity ranks for domains, domain content categorization, and more.
- In-the-wild details—Geographical and time-spread details for threats, common attacker deception techniques, and more, through VirusTotal submission metadata.
- Suspicious attribute pivoting—Clickable details in VirusTotal reports, allowing you to explore the global VirusTotal dataset for other threats that share the same properties.
Visit the Help Center and learn more about using VirusTotal security threat context and reputation reports from the Alert Center to power improved threat identification, expedited investigations & decision making, enhanced threat remediation, and proactive defense.
Why it’s important
The VirusTotal integration provides an added layer of investigation on top of existing alerts, empowering admins to take deeper look into threats and potential abuse, helping them better protect their organization and data.
VirusTotal provides an investigation layer on top of alerts but isn’t being used directly for detection or alerting. No customer information is shared from Google to VirusTotal unless an admin clicks to retrieve a VirusTotal report for a specific entity.
The VirusTotal report has two versions: Standard and Enhanced. Standard reports are displayed for admins who have the alert center privilege. The Enhanced version is automatically shown for paid VirusTotal subscribers who have an active virustotal.com login session with their VT Enterprise user account.
For existing VT Enterprise customers, viewing VirusTotal reports within the alert center does NOT use any of your VT Enterprise quota. If an admin opens the VirusTotal website to do more research from the Alert Center, that would count towards standard quota usage in the same way as directly visiting virustotal.com.
- Admins: VirusTotal reports are available to administrators who have the Alert Center privilege. Visit the Help Center to learn more about using VirusTotal reports in the Alert Center.
- End users: There is no end user impact.
- Rapid Release and Scheduled Release domains: Gradual rollout (up to 15 days for feature visibility) beginning on July 26, 2021.
- Available to Google Workspace Business Plus, Enterprise Standard, Enterprise Plus, Education Fundamentals and Education Plus customers
- Not available to Google Workspace Essentials, Business Starter, Business Standard, Enterprise Essentials, Frontline, and Nonprofits, as well as G Suite Basic and Business customers