VirusTotal (Deprecated)
VirusTotal Pack.#
This Integration is part of theDeprecated
Use VirusTotalV3 integration instead.
Analyze suspicious hashes, URLs, domains, and IP addresses.
#
Configure VirusTotal in CortexParameter | Description | Required |
---|---|---|
Server URL (e.g. https://192.168.0.1) | True | |
API Key | True | |
Source Reliability | Reliability of the source providing the intelligence data. | True |
Use system proxy settings | False | |
Trust any certificate (not secure) | False | |
File Threshold. Minimum number of positive results from VT scanners to consider the file malicious. | False | |
IP Threshold. Minimum number of positive results from VT scanners to consider the IP malicious. | False | |
URL Threshold. Minimum number of positive results from VT scanners to consider the URL malicious. | False | |
Domain Threshold. Minimum number of positive results from VT scanners to consider the domain malicious. | False | |
Preferred Vendors List. CSV list of vendors which are considered more trustworthy. | False | |
Preferred Vendor Threshold. The minimum number of highly trusted vendors required to consider a domain, IP address, URL, or file as malicious. | False | |
Determines whether to return all results, which can number in the thousands. If “true”, returns all results and overrides the fullResponse, long arguments (if set to “false”) in a command. If “false”, the fullResponse, long arguments in the command determines how results are returned. | False | |
IP Relationships | Select the list of relationships to retrieve from the API. Some of the relationships are signed with * key which indicates that they are available only when using a premium API key. | False |
Domain Relationships | Select the list of relationships to retrieve from the API. Some of the relationships are signed with * key which indicates that they are available only when using a premium API key. | False |
URL Relationships | Select the list of relationships to retrieve from the API. Some of the relationships are signed with * key which indicates that they are available only when using a premium API key. | False |
File Relationships | Select the list of relationships to retrieve from the API. Some of the relationships are signed with * key which indicates that they are available only when using a premium API key. | False |
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
fileChecks the file reputation of the specified hash.
#
Base Commandfile
#
InputArgument Name | Description | Required |
---|---|---|
file | A CSV list of hashes of the file to query. Supports MD5, SHA1, and SHA256. | Required |
long | Whether to return full response for scans. Default is "false". Possible values are: true, false. Default is false. | Optional |
threshold | If the number of positives is higher than the threshold, the file will be considered malicious. If the threshold is not specified, the default file threshold, as configured in the instance settings, will be used. | Optional |
wait | Time (in seconds) to wait between tries if the API rate limit is reached. Default is "60". Default is 60. | Optional |
retries | Number of retries for the API rate limit. Default is "0". Default is 0. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
File.MD5 | unknown | Bad MD5 hash. |
File.SHA1 | unknown | Bad SHA1 hash. |
File.SHA256 | unknown | Bad SHA256 hash. |
File.Malicious.Vendor | unknown | For malicious files, the vendor that made the decision. |
File.Malicious.Detections | unknown | For malicious files, the total number of detections. |
File.Malicious.TotalEngines | unknown | For malicious files, the total number of engines that checked the file hash. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
File.VirusTotal.Scans.Source | unknown | Vendor used to scan the hash. |
File.VirusTotal.Scans.Detected | unknown | Scan detection for this hash (True or False). |
File.VirusTotal.Scans.Result | unknown | Scan result for this hash, for example, signature. |
File.VirusTotal.ScanID | string | Scan ID for this hash. |
File.PositiveDetections | number | Number of engines that positively detected the indicator as malicious. |
File.DetectionEngines | number | Total number of engines that checked the indicator. |
File.VirusTotal.vtLink | string | Virus Total permanent link. |
#
Command Example
#
Human Readable Output#
ipChecks the reputation of an IP address.
#
Base Commandip
#
InputArgument Name | Description | Required |
---|---|---|
ip | IP address to check. | Required |
long | Whether to return a full response for detected URLs. Default is "false". Possible values are: "true" and "false". | Optional |
threshold | If the number of positives is higher than the threshold, the IP address will be considered malicious. If the threshold is not specified, the default IP threshold, as configured in the instance settings, will be used. | Optional |
sampleSize | The number of samples from each type (resolutions, detections, etc.) to display in the long format. Default is "10". | Optional |
wait | Time (in seconds) to wait between tries if the API rate limit is reached. Default is "60". | Optional |
retries | Number of retries for the API rate limit. Default is "0". | Optional |
fullResponse | Whether to return all results, which can be thousands. We recommend that you don't return full results in playbooks. Possible values are: "true" and "false". Default is "false". | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
IP.Address | unknown | Bad IP address. |
IP.ASN | unknown | Bad IP ASN. |
IP.Geo.Country | unknown | Bad IP country. |
IP.Malicious.Vendor | unknown | For malicious IPs, the vendor that made the decision. |
IP.Malicious.Description | unknown | For malicious IPs, the reason that the vendor made the decision. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
IP.VirusTotal.DownloadedHashes | unknown | Latest files that were detected by at least one antivirus solution, and were downloaded by VirusTotal from the IP address. |
IP.VirusTotal.UnAVDetectedDownloadedHashes | unknown | Latest files that were not detected by any antivirus solution, and were downloaded by VirusTotal from the specified IP address. |
IP.VirusTotal.DetectedURLs | unknown | Latest URLs hosted in this IP address that were detected by at least one URL scanner. |
IP.VirusTotal.CommunicatingHashes | unknown | Latest detected files that communicate with this IP address. |
IP.VirusTotal.UnAVDetectedCommunicatingHashes | unknown | Latest undetected files that communicate with this IP address. |
IP.VirusTotal.Resolutions.hostname | unknown | Domains that resolved to the specified IP address. |
IP.VirusTotal.ReferrerHashes | unknown | Latest detected files that embed this IP address in their strings. |
IP.VirusTotal.UnAVDetectedReferrerHashes | unknown | Latest undetected files that embed this IP address in their strings. |
IP.VirusTotal.Resolutions.last_resolved | unknown | Last resolution times of the domains that resolved to the specified IP address. |
#
Command Example
#
Human Readable Output#
urlChecks the reputation of a URL.
#
Base Commandurl
#
InputArgument Name | Description | Required |
---|---|---|
url | A comma-separated list of URLs to check. This command will not work properly on URLs containing commas. | Required |
sampleSize | The number of samples from each type (resolutions, detections, etc.) to display for long format. Default is "10". | Optional |
long | Whether to return the full response for the detected URLs. Possible values are: "true" and "false". Default is "false". | Optional |
threshold | If the number of positives is higher than the threshold, the URL will be considered malicious. If the threshold is not specified, the default URL threshold, as configured in the instance settings, will be used. | Optional |
submitWait | Time (in seconds) to wait if the URL does not exist and is submitted for scanning. Default is "0". | Optional |
wait | Time (in seconds) to wait between tries if the API rate limit is reached. Default is "60". | Optional |
retries | Number of retries for the API rate limit. Default is "0". | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
URL.Data | unknown | Bad URLs found. |
URL.Malicious.Vendor | unknown | For malicious URLs, the vendor that made the decision. |
URL.Malicious.Description | unknown | For malicious URLs, the reason that the vendor made the decision. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
URL.VirusTotal.Scans.Source | unknown | Vendor that scanned this URL. |
URL.VirusTotal.Scans.Detected | unknown | Scan detection for this URL (True or False). |
URL.VirusTotal.Scans.Result | unknown | Scan result for this URL, for example, signature. |
URL.DetectionEngines | number | Total number of engines that checked the indicator. |
URL.PositiveDetections | number | Number of engines that positively detected the indicator as malicious. |
url.VirusTotal.ScanID | string | Scan ID for this URL. |
File.VirusTotal.vtLink | string | Virus Total permanent link. |
#
Command Example!url url=https://example.com using=vt
#
Context Example#
Human Readable Outputhttps://example.com#
VirusTotal URL Reputation for:Last scan date: 2021-04-13 12:06:32 Total scans: 87 Positive scans: 2 VT Link: https://example.com
#
domainChecks the reputation of a domain.
#
Base Commanddomain
#
InputArgument Name | Description | Required |
---|---|---|
domain | Domain name to check. | Required |
long | Whether to return the full response for detected URLs. Default is "false". Possible values are: true, false. Default is false. | Optional |
sampleSize | The number of samples from each type (resolutions, detections, etc.) to display for long format. Default is 10. | Optional |
threshold | If the number of positives is higher than the threshold, the domain will be considered malicious. If the threshold is not specified, the default domain threshold, as configured in the instance settings, will be used. | Optional |
wait | Time (in seconds) to wait between tries if the API rate limit is reached. Default is "60". Default is 60. | Optional |
retries | Number of retries for API rate limit. Default is "0". Default is 0. | Optional |
fullResponse | Whether to return all results, which can be thousands. Default is "false". We recommend that you don't return full results in playbooks. Possible values are: true, false. Default is false. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Domain.Name | unknown | Bad domain found. |
Domain.Malicious.Vendor | unknown | For malicious domains, the vendor that made the decision. |
Domain.Malicious.Description | unknown | For malicious domains, the reason that the vendor made the decision. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
Domain.VirusTotal.DownloadedHashes | unknown | Hashes of files that were downloaded from this domain. |
Domain.VirusTotal.CommunicatingHashes | unknown | Hashes of files that communicated with this domain in a sandbox. |
Domain.VirusTotal.Resolutions.ip_address | unknown | IP addresses that resolved to this domain. |
Domain.VirusTotal.Whois | unknown | Whois report. |
Domain.VirusTotal.Subdomains | unknown | Subdomains. |
Domain.VirusTotal.UnAVDetectedDownloadedHashes | unknown | Latest files that were not detected by any antivirus solution, and were downloaded by VirusTotal from the specified IP address. |
Domain.VirusTotal.DetectedURLs | unknown | Latest URLs hosted in this domain address that were detected by at least one URL scanner. |
Domain.VirusTotal.ReferrerHashes | unknown | Latest detected files that embed this domain address in their strings. |
Domain.VirusTotal.UnAVDetectedReferrerHashes | unknown | Latest undetected files that embed this domain address in their strings. |
Domain.VirusTotal.UnAVDetectedCommunicatingHashes | unknown | Latest undetected files that communicated with this domain in a sandbox. |
Domain.VirusTotal.Resolutions.last_resolved | unknown | Last resolution times of the IP addresses that resolve to this domain. |
#
Command Example!domain domain=example.com using=vt
#
Context Example#
Human Readable Output#
VirusTotal Domain Reputation for: example.com#
Domain categories: undefinedVT Link: example.com Detected URL count: 100 Detected downloaded sample count: 0 Undetected downloaded sample count: 9 Detected communicating sample count: 100 Undetected communicating sample count: 100 Detected referrer sample count: 100 Undetected referrer sample count: 100 Resolutions count: 4
#
Whois LookupCreation Date: 1995-08-14T04:00:00Z DNSSEC: signedDelegation Domain Name: EXAMPLE.COM Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited Name Server: A.IANA-SERVERS.NET Name Server: B.IANA-SERVERS.NET Registrar IANA ID: 376 Registrar URL: http://example.example.org Registrar WHOIS Server: whois.iana.org Registrar: RESERVED-Internet Assigned Numbers Authority Registry Domain ID: 2336799_DOMAIN_COM-VRSN Registry Expiry Date: 2021-08-13T04:00:00Z Updated Date: 2020-08-14T07:02:37Z created: 1992-01-01 domain: EXAMPLE.COM organisation: Internet Assigned Numbers Authority source: IANA
#
file-scanSubmits a file for scanning.
#
Base Commandfile-scan
#
InputArgument Name | Description | Required |
---|---|---|
entryID | The file entry ID to submit. | Required |
uploadURL | Private API extension. Special upload URL for files larger than 32 MB. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
vtScanID | unknown | Scan IDs of the submitted files. |
vtLink | string | Virus Total permanent link. |
#
Command Example
#
Human Readable Output#
file-rescanRe-scans an already submitted file. This avoids having to upload the file again.
#
Base Commandfile-rescan
#
InputArgument Name | Description | Required |
---|---|---|
file | Hash of the file to re-scan. Supports MD5, SHA1, and SHA256. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
vtScanID | unknown | Scan IDs of the submitted files. |
vtLink | string | Virus Total permanent link. |
#
Command Example
#
Human Readable Output#
url-scanScans a specified URL.
#
Base Commandurl-scan
#
InputArgument Name | Description | Required |
---|---|---|
url | The URL to scan. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
vtScanID | unknown | Scan IDs of the submitted URLs. |
vtLink | string | Virus Total permanent link. |
#
Command Example!url-scan url=https://example.com using=vt
#
Context Example#
Human Readable Outputhttps://example.com/#
VirusTotal URL scan for:Scan ID: 0f115db062b7c0dd030b16878c99dea5c354b49dc37b38eb8846179c7783e9d7-1618315592 Scan Date: 2021-04-13 12:16:00
#
vt-comments-addAdds comments to files and URLs.
#
Base Commandvt-comments-add
#
InputArgument Name | Description | Required |
---|---|---|
resource | The file hash (MD5, SHA1, or SHA256) or URL on which you're commenting. | Required |
comment | The actual review, which you can tag by using the "#" twitter-like syntax, for example, #disinfection #zbot, and reference users using the "@" syntax, for example, @VirusTotalTeam). | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!vt-comments-add resource=paloaltonetworks.com resource_type=domain comment="this is a comment" using=vt
#
Human Readable OutputInvalid resource
#
vt-file-scan-upload-urlPrivate API. Get a special URL for files larger than 32 MB.
#
Base Commandvt-file-scan-upload-url
#
InputArgument Name | Description | Required |
---|
#
Context OutputPath | Type | Description |
---|---|---|
vtUploadURL | unknown | The special upload URL for large files. |
#
Command Example
#
Human Readable Output#
vt-comments-getPrivate API. Retrieves comments for a given resource.
#
Base Commandvt-comments-get
#
InputArgument Name | Description | Required |
---|---|---|
resource | The file hash (MD5, SHA1, orSHA256) or URL from which you're retrieving comments. | Required |
before | Datetime token in the format YYYYMMDDHHMISS. You can use this for paging. | Optional |
#
Context OutputThere is no context output for this command.
#
Command Example!vt-comments-get resource=https://paloaltonetworks.com using=vt