This repository has been archived by the owner on Aug 31, 2018. It is now read-only.

table_config_threatfeed_virustotal

robfry edited this page Oct 10, 2014 · 3 revisions

#### configs_threatfeed_virustotal table

The FIDO threat score uses a configurable scale, e.g. 1-to-100, 1-to-1000 or 1-to-10000. As more feeds are integrated, more data points are added, so the scale should be able to grow with them. In this table you configure how FIDO scores the different types of VirusTotal returns. Each category has a 'score' value (the number of positive returns that must be reached before the category counts at all), a 'weight' (how much that category adds to the threat score once its threshold is met) and a 'multiplier' (used to bring the accumulated total back into range so the final score fits the 1%-100% value used for alerts). For example, if you're using a 1-to-1000 scale, then once all data points are retrieved a score of 900 is reported as 90% when a FIDO alert is sent out. Two things to check when tuning: the descriptions below say 'exceeded' for the hash and URL thresholds but 'equal to or greater than' for the IP-report thresholds, so verify the exact comparison in the feed code before setting values close to a boundary; and the largest score the configuration can produce (all weights, after multipliers and feedweight) should not exceed the scale, otherwise alerts would read above 100%.


key | type | value | description
--- | --- | --- | ---
apikey | string | %value% | API key used to pull reports from VirusTotal. Treat it as a secret and restrict who can read this table.
trojanscore | integer | %value% | Hash-based lookups: the number of returns in a hash report classified as a Trojan that must be exceeded before trojanweight is applied.
trojanweight | integer | %value% | Value added to the threat score when the Trojan return count for a hash-based lookup exceeds trojanscore.
regularscore | integer | %value% | Hash-based lookups: the number of returns in a hash report classified as generic malware that must be exceeded before regularweight is applied.
regularweight | integer | %value% | Value added to the threat score when the generic-malware return count for a hash-based lookup exceeds regularscore.
urlregularscore | integer | %value% | URL-based lookups: the number of returns in a URL report classifying it as a malware site that must be exceeded before urlregularweight is applied.
urlregularweight | integer | %value% | Value added to the threat score when the malware-site return count for a URL-based lookup exceeds urlregularscore.
detecteddownloadscore | integer | %value% | Correlated IP report: the number of detected-download returns at or above which the threat score is incremented.
detecteddownloadweight | integer | %value% | Value added to the threat score when the detected-download count in an IP report reaches detecteddownloadscore.
detectedcommscore | integer | %value% | Correlated IP report: the number of detected-communication returns at or above which the threat score is incremented.
detectedcommweight | integer | %value% | Value added to the threat score when the detected-communication count in an IP report reaches detectedcommscore.
detectedurlscore | integer | %value% | Correlated IP report: the number of detected malicious URL returns at or above which the threat score is incremented.
detectedurlweight | integer | %value% | Value added to the threat score when the detected malicious URL count in an IP report reaches detectedurlscore.
feedweight | integer | %value% | When multiple feeds are configured, weights this feed higher or lower than the other feeds.
trojanmultiplier | integer | %value% | Multiplies the total accumulated from the Trojan threat score; used to offset the total number of possible data points returned by the threat feeds so the final score fits the scale.
regularmultiplier | integer | %value% | Same, applied to the total accumulated from the regular (generic malware) threat score.
urlmultiplier | integer | %value% | Same, applied to the total accumulated from the URL threat score.
detecteddownloadmultiplier | integer | %value% | Same, applied to the total accumulated from the IP detected-download threat score.
detectedcommmultiplier | integer | %value% | Same, applied to the total accumulated from the IP detected-communication threat score.
detectedurlmultiplier | integer | %value% | Same, applied to the total accumulated from the IP detected-URL threat score.
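To see how these keys interact, here is an added Python model of the scoring described above. It is not FIDO's own code: this page names the thresholds, weights, multipliers, feedweight and the configurable scale but not the exact arithmetic, so the combination rule (add a category's weight once its return count reaches its score threshold, multiply by the category multiplier, sum the categories, multiply by feedweight, then express the result as a percentage of the scale) and the sample row values are assumptions. It also includes the check a practitioner wants after editing weights: that the largest score the configuration can produce still fits within the scale, which is what keeps the alert value at or below 100%.

```python
# Added illustration of how the configs_threatfeed_virustotal keys combine into a
# FIDO threat score. This is NOT FIDO's own code: the page describes thresholds
# ("...score"), weights, multipliers, feedweight and a configurable scale, but not
# the exact arithmetic, so the combination rule below is an assumption.

# Constructed rows in the table's (key, type, value) layout. The values are made
# up for this example and are not FIDO defaults.
SAMPLE_ROWS = [
    ("apikey", "string", "REDACTED-VT-API-KEY"),
    ("trojanscore", "integer", "5"),
    ("trojanweight", "integer", "300"),
    ("trojanmultiplier", "integer", "1"),
    ("regularscore", "integer", "10"),
    ("regularweight", "integer", "150"),
    ("regularmultiplier", "integer", "1"),
    ("urlregularscore", "integer", "3"),
    ("urlregularweight", "integer", "200"),
    ("urlmultiplier", "integer", "1"),
    ("detecteddownloadscore", "integer", "2"),
    ("detecteddownloadweight", "integer", "100"),
    ("detecteddownloadmultiplier", "integer", "1"),
    ("detectedcommscore", "integer", "2"),
    ("detectedcommweight", "integer", "150"),
    ("detectedcommmultiplier", "integer", "1"),
    ("detectedurlscore", "integer", "2"),
    ("detectedurlweight", "integer", "100"),
    ("detectedurlmultiplier", "integer", "1"),
    ("feedweight", "integer", "1"),
]

# Each scoring category maps to its (threshold, weight, multiplier) keys.
CATEGORIES = {
    "trojan": ("trojanscore", "trojanweight", "trojanmultiplier"),
    "regular": ("regularscore", "regularweight", "regularmultiplier"),
    "url": ("urlregularscore", "urlregularweight", "urlmultiplier"),
    "detecteddownload": ("detecteddownloadscore", "detecteddownloadweight", "detecteddownloadmultiplier"),
    "detectedcomm": ("detectedcommscore", "detectedcommweight", "detectedcommmultiplier"),
    "detectedurl": ("detectedurlscore", "detectedurlweight", "detectedurlmultiplier"),
}


def load_config(rows):
    """Coerce (key, type, value) rows to typed values; reject unknown types."""
    config = {}
    for key, typ, value in rows:
        if typ == "integer":
            config[key] = int(value)
        elif typ == "string":
            config[key] = value
        else:
            raise ValueError(f"unsupported type {typ!r} for key {key!r}")
    return config


def category_points(config, category, positives):
    """Points contributed by one category given its positive-return count.

    Assumption: the weight is added once the count reaches the threshold
    (the page says 'equal to or greater' for the IP-report rows and
    'exceeded' elsewhere; >= is used throughout here), and the category
    multiplier then scales that contribution."""
    threshold_key, weight_key, mult_key = CATEGORIES[category]
    if positives < config[threshold_key]:
        return 0
    return config[weight_key] * config[mult_key]


def threat_score(config, positives):
    """Sum all category contributions, then apply feedweight."""
    total = sum(category_points(config, cat, positives.get(cat, 0)) for cat in CATEGORIES)
    return total * config["feedweight"]


def max_possible_score(config):
    """Largest score this config can produce, i.e. every threshold met."""
    return config["feedweight"] * sum(config[w] * config[m] for _, w, m in CATEGORIES.values())


def to_percent(score, scale):
    """Map a raw score on a 1-to-`scale` range to the 1-100% alert value, clamped."""
    return max(0, min(100, round(score * 100 / scale)))


if __name__ == "__main__":
    cfg = load_config(SAMPLE_ROWS)
    scale = 1000
    # Check the weights fit the scale before trusting the percentage.
    assert max_possible_score(cfg) <= scale, "weights exceed the scale; lower the multipliers"
    # Constructed VirusTotal return counts for a single event.
    counts = {"trojan": 12, "regular": 4, "url": 3,
              "detecteddownload": 0, "detectedcomm": 5, "detectedurl": 1}
    raw = threat_score(cfg, counts)
    print(raw, to_percent(raw, scale))   # 650 65
    print(to_percent(900, scale))        # 90, the page's own example
```

In the sample, only Trojan (12 >= 5), URL (3 >= 3) and detected-communication (5 >= 2) meet their thresholds, giving 300 + 200 + 150 = 650, or 65% on a 1-to-1000 scale. `max_possible_score` is the value to re-check after any edit: if the sample's trojanweight were raised to 600 the maximum would be 1300 on a 1000 scale, and the clamp in `to_percent` would report 100% for several different raw scores, hiding their ordering.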

