Configuring reputation sources

Reputation is a service that queries reputation providers for threat intelligence about given file hashes. You can configure one or more reputation sources to build a repository of reputation data. Each lookup discloses the queried hash to the provider, so for sensitive environments consider an on-premises provider (such as a WF-500 or A1000 appliance) rather than a cloud service, and treat every provider API key or token as a credential.

View reputation scan status

The Providers section of the Reputation Overview page shows the total number of reputation items, and the following information about each reputation source:

  • Items: total number of reputation items on this reputation source
  • New: reputation items that still need to be scanned on this reputation source
  • Processed: reputation items scanned on this reputation source
  • Rescanning: reputation items currently being rescanned on this reputation source
  • Malicious Items: malicious reputation items on this reputation source
  • Malicious %: percentage of malicious items out of total reputation items

For configured providers, the Actions column contains an Enable or Disable button, depending on the current state of the provider.

Configure Palo Alto Networks WildFire reputation source

You can use Palo Alto Networks firewall security policies to capture suspicious files and forward them to the WildFire system for threat analysis. If the file is malware, the status is reported back to the firewall.

After the WildFire analysis is completed, the reputation service can query the results and update the reputation data.

Prerequisites

  • A subscription to Cloud WildFire (wildfire.paloaltonetworks.com) or a configured WF-500 WildFire appliance.
  • Palo Alto Networks Firewall with or without Panorama.

Configure settings

  1. In the Providers section, click Configure Provider in the Palo Alto Networks WildFire row.
  2. Select Enabled to enable the reputation source.
  3. Specify the settings for Palo Alto Networks WildFire, including the URL for your WildFire instance and the API key.
  4. Adjust the settings for Batch Size, Maximum API Calls Per Minute, and Maximum API Calls Per Day according to your agreement with Palo Alto Networks. The Maximum Hashes Processed Per Day value is automatically calculated based on these configured settings.
  5. Select Use Tanium Module Server Proxy Setting to use the proxy setting defined on the Tanium Module Server.
  6. Click Save.

Configure Recorded Future reputation source

Recorded Future is a cloud-based reputation service provider. The reputation service sends reputation items to the Recorded Future API and stores the results in the reputation database.

Prerequisites

You must already have a Recorded Future API token. If you have not already registered for Recorded Future access, contact their sales team at recordedfuture.com.

Configure settings

  1. In the Providers section, click Configure Provider in the Recorded Future row.
  2. Select Enabled to enable the reputation source.
  3. Specify the settings for Recorded Future, including the URL and API key.
  4. Adjust the settings for Batch Size, Maximum API Calls Per Minute, and Maximum API Calls Per Day according to your agreement with Recorded Future. The Maximum Hashes Processed Per Day value is automatically calculated based on these configured settings.
  5. Adjust the Positive Threshold, which is the risk score as determined by Recorded Future. The default value is 65, which means that any hash with a Recorded Future risk score of 65 or higher is considered malicious by Reputation.

    Recorded Future risk scores are determined as follows:

    • Very Malicious: risk score of 90-99
    • Malicious: risk score of 65-89
    • Suspicious: risk score of 25-64
    • Unusual: risk score of 5-24
    • No current evidence of risk: risk score of zero

    Setting Positive Threshold to 0 results in the maximum number of reports for malicious items. Setting Positive Threshold to 99 results in the fewest reports, because only hashes that Recorded Future scores 99 are considered malicious.

  6. Select Use Tanium Module Server Proxy Setting to use the proxy setting that is defined on the Tanium Module Server.
  7. Click Save.

Configure ReversingLabs A1000 reputation source

ReversingLabs is an application that companies can install locally to analyze files and provide reputation results through API requests or a web interface.

Prerequisites

You must already have a ReversingLabs A1000 API token. If you have not already registered for ReversingLabs access, contact their sales team at reversinglabs.com.

To get an API token:

  1. Sign in to the ReversingLabs A1000.
  2. Click the User Profile icon.
  3. Select Administration.
  4. Click Tokens.

Configure settings

  1. In the Providers section, click Configure Provider in the ReversingLabs A1000 row.
  2. Select Enabled to enable the reputation source.
  3. Specify the settings for ReversingLabs A1000, including the URL for your API access and your API Token.
  4. Adjust the settings for New/Pending Hashes Per Query, Maximum API Calls Per Minute, and Maximum API Calls Per Day according to your API agreement with ReversingLabs and your network requirements. The Maximum Hashes Processed Per Day value is automatically calculated based on these configured settings.
  5. Select Use Tanium Module Server Proxy Setting to use the proxy setting defined on the Tanium Module Server.
  6. Click Save.

Configure ReversingLabs TitaniumCloud reputation source

ReversingLabs TitaniumCloud is an online service that analyzes files, hashes, and URLs to identify viruses, worms, trojans, and other kinds of malicious content that is detected by anti-virus software and website scanners. The reputation service sends reputation items to the ReversingLabs API and stores the results in the reputation database.

Prerequisites

You must already have a ReversingLabs TitaniumCloud account. If you have not already registered for ReversingLabs TitaniumCloud access, contact their sales team at reversinglabs.com.

Configure settings

  1. In the Providers section, click Configure Provider in the ReversingLabs TitaniumCloud row.
  2. Select Enabled to enable the reputation source.
  3. Add your ReversingLabs TitaniumCloud credentials: the URL for your API access, your Username, and your Password.
  4. Adjust the settings for New/Pending Hashes Per Query, Maximum API Calls Per Minute, and Maximum API Calls Per Day according to your API agreement with ReversingLabs and your network requirements. The Maximum Hashes Processed Per Day value is automatically calculated based on these configured settings.
  5. Select Use Tanium Module Server Proxy Setting to use the proxy setting defined on the Tanium Module Server.
  6. To reduce the number of items reported as malicious, expand Advanced and adjust the settings for Threat Level and Trust Factor (each ranges from 0 to 5).

    Setting Threat Level to 0 and Trust Factor to 0 results in the maximum number of reports for malicious items. Setting Threat Level to 5 and Trust Factor to 5 results in the fewest reports for malicious items.

  7. Click Save.

Configure VirusTotal reputation source

VirusTotal is an online service that analyzes files, hashes, and URLs to identify viruses, worms, trojans, and other kinds of malicious content that is detected by antivirus engines and website scanners. The reputation service sends reputation items to the VirusTotal API and stores the results in the reputation database.

Prerequisites

Register for a VirusTotal API key at virustotal.com. VirusTotal makes their catalog available for query with an API key. Refer to the VirusTotal API use policy to determine which type of API key is appropriate.

To get the API key on the VirusTotal website, sign in and click your user image > Settings > API Key.

Configure settings

  1. In the Providers section, click Configure Provider in the VirusTotal row.
  2. Select Enabled to enable the reputation source.
  3. Specify settings for VirusTotal, including the API key.
  4. Adjust the settings for Batch Size, Maximum API Calls Per Minute, and Maximum API Calls Per Day according to your agreement with VirusTotal. The Maximum Hashes Processed Per Day value is automatically calculated based on these configured settings.
  5. Adjust the Positive Threshold, which is the number of VirusTotal engines that must report a hash as malicious before Reputation considers it malicious.
    A lower value reports more items as malicious and raises the likelihood of false positives, because fewer independent engine verdicts are required.

    Example: If you set the value to 3, then three VirusTotal engines must report an item as malicious for Reputation to consider the item malicious.

    Setting the value to 0 disables the threshold: if any VirusTotal engine reports the item as malicious, Reputation considers it malicious.

    Reputation results for VirusTotal are determined as follows:

    • Malicious: if the number of positives is at least the threshold (or, with the threshold set to 0, greater than zero)
    • Suspicious: if the number of positives is greater than zero, but less than the threshold
    • Non-malicious: if the number of positives is zero
    • Unknown: if there is no data

  6. Select Use Tanium Module Server Proxy Setting to use the proxy setting defined on the Tanium Module Server.
  7. Click Save.
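The following is an added worked example, not Tanium code or any provider's API client. It shows how the Positive Threshold settings described for Recorded Future and VirusTotal above turn a provider response into a verdict, how sweeping the threshold changes the number of Malicious reports, and how a Maximum Hashes Processed Per Day figure can be derived from Batch Size, Maximum API Calls Per Minute, and Maximum API Calls Per Day. The sample responses are constructed, the VirusTotal rule treats reaching the threshold as Malicious (as in the threshold-3 example), and the per-day formula is an assumption, since the page states the value is calculated but not how; compare it with what the console shows.

```python
"""Added worked example (not Tanium's or any provider's code): how the
Positive Threshold settings turn provider responses into Reputation
verdicts, and how a per-day hash budget follows from Batch Size and the
API call caps.  All sample data below is constructed."""

# Constructed VirusTotal-style responses: sha256 -> number of engines that
# flagged the hash (None = VirusTotal has no record of the hash).
VT_SAMPLE = {
    "a" * 64: 0,
    "b" * 64: 2,
    "c" * 64: 7,
    "d" * 64: None,
}

# Constructed Recorded Future-style responses: sha256 -> risk score 0-99.
RF_SAMPLE = {
    "a" * 64: 0,
    "b" * 64: 40,
    "c" * 64: 72,
    "d" * 64: None,
}


def virustotal_verdict(positives, positive_threshold):
    """Map a VirusTotal positives count to a Reputation verdict.

    A threshold of 0 disables the check: one flagging engine is enough.
    Otherwise, reaching the threshold is Malicious (the page's example:
    threshold 3, three engines suffice) and 1..threshold-1 is Suspicious.
    """
    if positives is None:
        return "Unknown"
    if positives == 0:
        return "Non-malicious"
    if positive_threshold <= 0 or positives >= positive_threshold:
        return "Malicious"
    return "Suspicious"


# Recorded Future risk bands as listed on the page: (lowest score, label).
RF_BANDS = [(90, "Very Malicious"), (65, "Malicious"),
            (25, "Suspicious"), (5, "Unusual")]


def recorded_future_band(risk_score):
    """Return Recorded Future's own band label for a risk score."""
    for floor, label in RF_BANDS:
        if risk_score >= floor:
            return label
    return "No current evidence of risk"


def recorded_future_is_malicious(risk_score, positive_threshold=65):
    """Reputation's binary decision: score at or above Positive Threshold.

    With the default of 65 this coincides with Recorded Future's Malicious
    and Very Malicious bands; at 99 only hashes scored 99 are reported.
    A hash with no score (None) is never reported as malicious here.
    """
    if risk_score is None:
        return False
    return risk_score >= positive_threshold


def count_malicious(sample, positive_threshold):
    """How many hashes in a VirusTotal-style sample come out Malicious.
    Sweeping the threshold shows the trade-off the page describes:
    lower threshold, more Malicious reports (and more false positives)."""
    return sum(1 for v in sample.values()
               if virustotal_verdict(v, positive_threshold) == "Malicious")


def max_hashes_per_day(batch_size, calls_per_minute, calls_per_day):
    """ASSUMED formula for Maximum Hashes Processed Per Day.

    The page says the value is derived from Batch Size, Maximum API Calls
    Per Minute and Maximum API Calls Per Day but not how.  This example
    assumes each call carries up to batch_size hashes and the daily call
    budget is the smaller of the daily cap and the per-minute cap summed
    over 24 hours.
    """
    calls = min(calls_per_day, calls_per_minute * 24 * 60)
    return batch_size * calls


if __name__ == "__main__":
    for t in (0, 3, 8):
        print(f"VirusTotal threshold {t}: {count_malicious(VT_SAMPLE, t)} malicious")
    for h, score in RF_SAMPLE.items():
        band = "-" if score is None else recorded_future_band(score)
        print(h[:8], score, recorded_future_is_malicious(score), band)
    print("hashes/day:", max_hashes_per_day(batch_size=4, calls_per_minute=4, calls_per_day=500))
```

Run it as a script to see the threshold sweep: at threshold 0 two of the constructed hashes are Malicious, at 3 only one, and at 8 none, which is the false-positive trade-off in numbers. The budget helper returns 2000 for a batch size of 4, 4 calls per minute and 500 calls per day, since the daily cap binds before the per-minute cap does.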