VirusTotal 3.0.1
  • 06 Apr 2025

tags: python | Anti-Virus Aggregator | VirusTotal Enterprise API

Description

The VirusTotal integration supports CDC users by providing enrichments for IP addresses, URLs, domains, hashes (MD5/SHA1/SHA256), and files, to ascertain whether they are identified as malicious or have been associated with any malicious activity reported through VirusTotal services. This enables CDC users to make informed decisions during incident response.

VirusTotal is an online service that analyzes suspicious IP addresses, files, and URLs to detect malware and malicious content using antivirus engines and website scanners. It can also be used as a means to detect false positives.

VirusTotal offers, for every object (files, URLs, domains, IP addresses, etc.), additional related information in the form of relationships. We have enabled access to this supporting relationship information (comments, referrer files, downloaded files, resolutions, related comments, and URLs) via the CDC Chat command.

We use custom adaptive cards to display large amounts of threat data in a meaningful and intuitive GUI, to facilitate the easy understanding of complex enriched data regarding the parameters provided by users.

Integration Type: Enrichment
Information read: Vulnerability data from the Qualys Vulnerability Management tool for a given IP address.
API Supported: API V2.0
Input: IP address details in CLI, selection of network if required.
Output: Detailed PDF report containing vulnerability data for a given IP and network details in input.

CDC Command Lines

  • enrich_file_hash_cli
    Get information from VirusTotal about a certain file hash.

    Option    | Type   | Description                                                          | Required
    metadata  | object | Command metadata.                                                    | True
    file_hash | string | A single file hash to look up if it is a threat (MD5, SHA1, SHA256). | True

  • get_ip_address_investigation_enrichment_cli
    The CLI of the CDC, to pull IP address relationship details from VirusTotal. It takes an IP address as a mandatory parameter and relationships as an optional parameter. You can enter one relationship, or multiple comma separated relationships. If no relationships are provided, all relationships will be shown. The relationship values are [comments,related_comments,downloaded_files,referrer_files,resolutions,urls].

    Option        | Type   | Description                                                     | Required
    metadata      | object | Command metadata.                                               | True
    ip            | string | A single IP against which various relationship details get pulled. | True
    relationships | string | Comma separated relationship value details.                     | False

  • re_analyse_file_hash_cli
    Get re-analyzed information from VirusTotal about a certain file hash.

    Option    | Type   | Description                                                          | Required
    metadata  | object | Command metadata.                                                    | True
    file_hash | string | A single file hash to look up if it is a threat (MD5, SHA1, SHA256). | True

  • enrich_domain_cli
    Get information from VirusTotal about a certain domain.

    Option   | Type   | Description                                   | Required
    metadata | object | Command metadata.                             | True
    domain   | string | A single domain to look up if it is a threat. | True

  • enrich_ip_cli
    Get information from VirusTotal about a certain IP.

    Option   | Type   | Description                               | Required
    metadata | object | Command metadata.                         | True
    ip       | string | A single IP to look up if it is a threat. | True

  • enrich_url_cli
    Get information from VirusTotal about a certain URL.

    Option   | Type   | Description                                | Required
    metadata | object | Command metadata.                          | True
    url      | string | A single URL to look up if it is a threat. | True
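The commands above take a file hash or a comma separated relationships list from the user and return a verdict. The following Python is an added illustration written for this page; it is not the CDC integration's own code. It validates the `file_hash` argument against the hash kinds the commands accept, validates the `relationships` list against the values listed above, and condenses a VirusTotal API v2 `file/report` response (fields `response_code`, `positives`, `total`, `scans`) into an analyst verdict. The sample response is constructed, not real scan data, and the verdict thresholds are an assumption of this example.

```python
import re
from typing import Dict, List

# Hash kinds accepted by enrich_file_hash_cli / re_analyse_file_hash_cli (per the page).
HASH_PATTERNS = {
    "MD5": re.compile(r"^[0-9a-fA-F]{32}$"),
    "SHA1": re.compile(r"^[0-9a-fA-F]{40}$"),
    "SHA256": re.compile(r"^[0-9a-fA-F]{64}$"),
}

# Relationship names listed for get_ip_address_investigation_enrichment_cli.
ALLOWED_RELATIONSHIPS = {
    "comments", "related_comments", "downloaded_files",
    "referrer_files", "resolutions", "urls",
}


def classify_hash(value: str) -> str:
    """Return the digest algorithm name, or raise ValueError for anything else.

    Rejecting non-hex input before it reaches the lookup keeps arbitrary user
    text out of the enrichment request."""
    value = value.strip()
    for name, pattern in HASH_PATTERNS.items():
        if pattern.match(value):
            return name
    raise ValueError(f"not an MD5/SHA1/SHA256 hex digest: {value!r}")


def parse_relationships(raw: str) -> List[str]:
    """Parse the --relationships value; an empty value means all relationships."""
    if not raw or not raw.strip():
        return sorted(ALLOWED_RELATIONSHIPS)
    names = [n.strip() for n in raw.split(",") if n.strip()]
    unknown = [n for n in names if n not in ALLOWED_RELATIONSHIPS]
    if unknown:
        raise ValueError(f"unknown relationship(s): {unknown}")
    return names


def summarize_file_report(report: Dict) -> Dict:
    """Condense a v2 file/report JSON document into a small verdict record.

    response_code 1 means the resource is known; anything else is reported as
    not_found so the analyst does not mistake "no data" for "clean"."""
    if report.get("response_code") != 1:
        return {"status": "not_found", "positives": 0, "total": 0, "verdict": "unknown"}
    positives = int(report.get("positives", 0))
    total = int(report.get("total", 0))
    detected_by = sorted(engine for engine, scan in report.get("scans", {}).items()
                         if scan.get("detected"))
    # Assumed thresholds for this example; tune them to your own triage policy.
    if positives == 0:
        verdict = "clean"
    elif positives < 5:
        verdict = "suspicious"
    else:
        verdict = "malicious"
    return {"status": "found", "positives": positives, "total": total,
            "verdict": verdict, "detected_by": detected_by}


# Constructed sample shaped like a v2 file/report response (not real scan data).
SAMPLE_REPORT = {
    "response_code": 1,
    "sha256": "a" * 64,
    "positives": 2,
    "total": 3,
    "scans": {
        "EngineA": {"detected": True, "result": "Trojan.Generic"},
        "EngineB": {"detected": False, "result": None},
        "EngineC": {"detected": True, "result": "Malware.Heur"},
    },
}

if __name__ == "__main__":
    print(classify_hash("d41d8cd98f00b204e9800998ecf8427e"))
    print(parse_relationships("comments, urls"))
    print(summarize_file_report(SAMPLE_REPORT))
```

Validating the hash before the lookup also tells the analyst which digest type they pasted, which matters when a report lists a file under a different digest than the one searched.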

Workflows

  • post_get_ip_address_investigation_enrichment
    The CLI of the CDC, to pull the IP address relationship details from VirusTotal. It takes an IP address as a mandatory parameter and relationships as an optional parameter. You can enter one relationship, or multiple comma separated relationships. If no relationships are provided, all relationships will be shown. The relationship values are [comments,related_comments,downloaded_files,referrer_files,resolutions,urls].

  • post_enrich_domain
    Post enrich-domain in CDC by ID of incident/message/channel.

  • post_enrich_ip
    Post enrich-ip in CDC by ID of incident/message/channel.

  • post_enrich_url
    Post enrich-url in CDC by ID of incident/message/channel.


Rules

No rules


Sensors

No sensors


Triggers

No triggers


Known Issues

  • The time taken by the re-analyze API to return re-analyzed results for some file hashes is more than 300 seconds.
    The delay is kept configurable for "/virus_total re_analyse_file_hash_cli --file_hash=[file_hash]* --delay=[delay]",
    and can be configured using the "virus_total_re_analyse_delay" datastore key.
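Because a re-analysis can take longer than the configured delay, a robust caller polls rather than reading once after sleeping. The Python below is an added example for this page, not the integration's own implementation: it reads the delay from a command-line override or from the `virus_total_re_analyse_delay` datastore key (the datastore is modelled as a plain dict, an assumption of this example), then polls a report-fetching callable until the report is complete or a maximum wait is exceeded. The fake fetcher is constructed so the code runs offline; it follows the v2 convention that `response_code` -2 means still queued and 1 means the report is present.

```python
import time
from typing import Callable, Dict, Optional

# Datastore key named on this page; how the CDC datastore is accessed is not
# documented here, so a plain dict stands in for it (assumption).
DELAY_KEY = "virus_total_re_analyse_delay"
DEFAULT_DELAY_SECONDS = 30.0  # assumed fallback when neither source sets a delay


def read_delay(datastore: Dict[str, str], cli_delay: Optional[str] = None) -> float:
    """Resolve the polling delay: --delay on the CLI wins over the datastore key.

    Both are user-controlled strings, so they are parsed and range-checked
    rather than passed straight to sleep()."""
    raw = cli_delay if cli_delay is not None else datastore.get(DELAY_KEY)
    if raw is None:
        return DEFAULT_DELAY_SECONDS
    try:
        delay = float(raw)
    except (TypeError, ValueError):
        raise ValueError(f"delay must be numeric, got {raw!r}")
    if delay <= 0:
        raise ValueError("delay must be a positive number of seconds")
    return delay


def wait_for_reanalysis(fetch_report: Callable[[], Dict], delay: float,
                        max_wait: float,
                        sleep: Callable[[float], None] = time.sleep) -> Dict:
    """Poll fetch_report() every `delay` seconds until the report is ready.

    Returns a record with the outcome so the caller can distinguish a finished
    analysis from a timeout instead of treating a queued response as a result."""
    waited = 0.0
    attempts = 0
    while True:
        attempts += 1
        report = fetch_report()
        if report.get("response_code") == 1:
            return {"status": "complete", "attempts": attempts,
                    "waited": waited, "report": report}
        if waited + delay > max_wait:
            return {"status": "timeout", "attempts": attempts,
                    "waited": waited, "report": None}
        sleep(delay)
        waited += delay


def make_fake_fetcher(queued_polls: int) -> Callable[[], Dict]:
    """Constructed stand-in for the API: queued for N polls, then complete."""
    state = {"calls": 0}

    def fetch() -> Dict:
        state["calls"] += 1
        if state["calls"] <= queued_polls:
            return {"response_code": -2, "verbose_msg": "queued for analysis"}
        return {"response_code": 1, "positives": 0, "total": 70}

    return fetch


if __name__ == "__main__":
    delay = read_delay({DELAY_KEY: "10"})
    # sleep is replaced with a no-op so the demonstration returns immediately.
    print(wait_for_reanalysis(make_fake_fetcher(2), delay, max_wait=300,
                              sleep=lambda _s: None))
```

Capping the total wait keeps a slow re-analysis from blocking the chat command indefinitely; the caller can report the timeout and let the analyst re-run the lookup later.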
