# VirusTotal Analysis
The VirusTotal Analysis connector enables automated interactions with VirusTotal's services, allowing for file and URL analysis directly from the Swimlane platform. VirusTotal is a renowned service for analyzing and detecting malware in files, URLs, domains, and IP addresses. This connector enables Swimlane Turbine users to automate the submission and retrieval of analysis reports, enhancing threat intelligence and incident response capabilities. By integrating with VirusTotal Analysis, users can efficiently validate and investigate potential threats, streamline security workflows, and contribute to the broader security community's knowledge base.

## Prerequisites

To effectively utilize the VirusTotal Analysis connector with Swimlane Turbine, ensure you have the following:

- API key authentication with the necessary parameters:
  - URL: the endpoint URL for the VirusTotal API services
  - API key: your personal API key provided by VirusTotal to access their services

### Public key

In order to get the API key, you must first register with the VirusTotal community:

1. Go to https://www.virustotal.com/gui/sign-in, then click "New? Join the community".
2. Provide a name, email, username, and password. Once complete, click "Join us".
3. An activation link will be sent to the email you provided. Click on the activation link to activate your VirusTotal community membership.
4. Return to the VirusTotal homepage and click the blue message icon on the lower right-hand corner of the homepage. This will bring up the VirusTotal bot window.
5. Click the option "I have a feed of new files that I can upload, I want free API quota to do so".
6. A window opens where you can create a message to VirusTotal. Complete the subject and email fields and then include a simple message stating why you need a free API key.
7. Once VirusTotal reviews your message, you can sign into your account and find your public API key in the corresponding menu item, "API key", under your username.

### Premium key

1. Log in to your account.
2. Click your username and then click "API key".
3. Click "Request premium API key".
4. Fill out the request prompt on this page. Required fields include "Company size", "Company country", and "Already paying customer?".
5. VirusTotal will respond to your request.

## Capabilities

This connector has the capability to get different kinds of reports, including domain, file hash, IP, and URL reports. VirusTotal is also able to scan either a file or a URL. Available actions include:

- Analyse a URL
- Analyse file
- Get analyses
- Delete a private file report
- Get a domain report
- Get a file report
- Get a private file report
- Get a URL for uploading large files
- Get a URL report
- Get a widget rendering URL
- Get an IP address report
- Get list of private files
- Get object descriptors related to a file
- Get objects related to a private file
- Reanalyse file
- and so on

## Asset setup

The asset requires an API key to use. If your organization requires the use of a proxy, then that proxy can be used during the asset setup.

The public API:

- is limited to 500 requests per day and a rate of 4 requests per minute;
- must not be used in commercial products or services;
- must not be used in business workflows that do not contribute new files.

## Configurations

### VirusTotal API Key Authentication

Authenticates using an API key.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | required |
| X-Apikey | API key | string | required |
| Error status code | Status codes above 300 can also be used | boolean | optional |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP proxy | A proxy to route requests through | string | optional |

## Actions

### Analyse a URL

Submits a URL to VirusTotal for comprehensive security analysis and returns the results, requiring a `data_body` input.

- Endpoint URL: `api/v3/urls`
- Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| data_body | object | required | Data body |
| url | string | required | URL to analyse |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| type | string | Type of the resource |
| id | string | Unique identifier |
| links | object | Output field links |
| self | string | Output field self |

Example:

```json
[{"status_code": 200,
  "response_headers": {"Content-Type": "application/json", "Vary": "Accept-Encoding", "Content-Encoding": "gzip",
                       "X-Cloud-Trace-Context": "bae3ee6e9bb6214c9bd1fe4cd0dab04a;o=1", "Date": "Wed, 06 Mar 2024 15:19:50 GMT",
                       "Server": "Google Frontend", "Cache-Control": "private", "Transfer-Encoding": "chunked"},
  "reason": "OK",
  "json_body": {"data": {}}}]
```

### Analyse file

Initiates a comprehensive threat analysis on specified files using VirusTotal, requiring the `files` input.

- Endpoint URL: `api/v3/files`
- Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| files | object | required | File to be analysed |
| file | string | optional | Parameter for Analyse file |
| file_name | string | optional | Name of the resource |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| type | string | Type of the resource |
| id | string | Unique identifier |

Example:

```json
[{"status_code": 200,
  "response_headers": {"Cache-Control": "no-cache", "Content-Type": "application/json; charset=utf-8",
                       "X-Cloud-Trace-Context": "a5acdfac6cf89cdca49f7b3fbc7f5a51", "Date": "Fri, 21 Oct 2022 23:00:30 GMT",
                       "Server": "Google Frontend", "Content-Length": "128"},
  "reason": "OK",
  "json_body": {"data": {}}}]
```

### Get analyses

Retrieve detailed results of a specific VirusTotal analysis using the provided unique analysis ID.

- Endpoint URL: `api/v3/analyses/{{id}}`
- Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | required | Analyses ID |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Output field meta |
| file_info | object | Output field file_info |
| sha256 | string | Output field sha256 |
| url_info | object | URL endpoint for the request |
| url | string | URL endpoint for the request |
| id | string | Unique identifier |
| data | object | Response data |
| attributes | object | Output field attributes |
| date | number | Date value |
| status | string | Status value |
| stats | object | Output field stats |
| harmless | number | Output field harmless |
| malicious | number | Output field malicious |
| suspicious | number | Output field suspicious |
| undetected | number | Output field undetected |
| timeout | number | Output field timeout |
| results | object | Result of the operation |
| CMC Threat Intelligence | object | Output field CMC Threat Intelligence |
| category | string | Output field category |
| result | string | Result of the operation |
| method | string | Detection method |
| engine_name | string | Name of the resource |
| Snort IP sample list | object | Output field Snort IP sample list |

Example:

```json
[{"status_code": 200,
  "response_headers": {"Content-Type": "application/json", "X-Cloud-Trace-Context": "9329b5c3a5d9b073bf06159442868317",
                       "Date": "Wed, 12 Oct 2022 18:39:23 GMT", "Server": "Google Frontend", "Content-Length": "21095"},
  "reason": "OK",
  "json_body": {"meta": {}, "data": {}}}]
```

### Delete a private file report

Removes a private file and associated data from VirusTotal storage by using the provided file ID, with optional storage-only deletion.

- Endpoint URL: `api/v3/private/files/{{file_id}}`
- Method: DELETE

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| file_id | string | required | File's SHA-256 |
| only_from_storage | boolean | optional | If true, only the file will be deleted from storage, but the generated reports and analyses won't |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response_text | string | Output field response_text |

Example:

```json
[{"status_code": 200,
  "response_headers": {"Content-Type": "text/html; charset=utf-8", "X-Cloud-Trace-Context": "39a82051ea701901ee7da8de8e56bd36",
                       "Date": "Wed, 12 Jun 2024 07:21:32 GMT", "Server": "Google Frontend", "Content-Length": "0"},
  "reason": "OK",
  "response_text": ""}]
```

### Get a domain report

Retrieve a comprehensive report for a specific domain from VirusTotal Analysis, detailing security data and activity logs.

- Endpoint URL: `/api/v3/domains/{{domain}}`
- Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| domain | string | required | Domain name |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| id | string | Unique identifier |
| type | string | Type of the resource |
| links | object | Output field links |
| self | string | Output field self |
| attributes | object | Output field attributes |
| total_votes | object | Output field total_votes |
| harmless | number | Output field harmless |
| malicious | number | Output field malicious |
| last_https_certificate | object | Output field last_https_certificate |
| cert_signature | object | Output field cert_signature |
| signature_algorithm | string | Output field signature_algorithm |
| signature | string | Output field signature |
| extensions | object | Output field extensions |
| key_usage | array | Output field key_usage |
| extended_key_usage | array | Output field extended_key_usage |
| CA | boolean | Output field CA |
| subject_key_identifier | string | Unique identifier |
| authority_key_identifier | object | Unique identifier |
| ca_information_access | object | Output field ca_information_access |
| subject_alternative_name | array | Name of the resource |
| certificate_policies | array | Output field certificate_policies |
| 1.3.6.1.4.1.11129.2.4.2 | string | Output field 1.3.6.1.4.1.11129.2.4.2 |

Example:

```json
[{"status_code": 200,
  "response_headers": {"Content-Type": "application/json", "Date": "Thu, 01 Jan 2024 00:00:00 GMT"},
  "reason": "OK",
  "json_body": {"data": {}}}]
```

### Get a file report

Retrieve a detailed report on a file's attributes and security assessments from VirusTotal using the file's unique ID.

- Endpoint URL: `/api/v3/files/{{id}}`
- Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | required | SHA-256, SHA-1 or MD5 identifying the file |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| id | string | Unique identifier |
| type | string | Type of the resource |
| links | object | Output field links |
| self | string | Output field self |
| attributes | object | Output field attributes |
| last_modification_date | number | Date value |
| last_analysis_stats | object | Output field last_analysis_stats |
| malicious | number | Output field malicious |
| suspicious | number | Output field suspicious |
| undetected | number | Output field undetected |
| harmless | number | Output field harmless |
| timeout | number | Output field timeout |
| confirmed-timeout | number | Output field confirmed-timeout |
| failure | number | Output field failure |
| type-unsupported | number | Type of the resource |
| tags | array | Output field tags |
| magic | string | Output field magic |
| last_analysis_date | number | Date value |
| md5 | string | Output field md5 |
| ssdeep | string | Output field ssdeep |
| sha256 | string | Output field sha256 |
| threat_severity | object | Output field threat_severity |

Example:

```json
[{"status_code": 200,
  "response_headers": {"Content-Type": "application/json", "Date": "Thu, 01 Jan 2024 00:00:00 GMT"},
  "reason": "OK",
  "json_body": {"data": {}}}]
```

### Get a private file report

Retrieve a detailed report for a privately scanned file on VirusTotal using the provided unique file ID.

- Endpoint URL: `api/v3/private/files/{{file_id}}`
- Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| file_id | string | required | File's SHA-256 |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| id | string | Unique identifier |
| type | string | Type of the resource |
| links | object | Output field links |
| self | string | Output field self |
| attributes | object | Output field attributes |
| md5 | string | Output field md5 |
| ssdeep | string | Output field ssdeep |
| threat_severity | object | Output field threat_severity |
| version | number | Output field version |
| threat_severity_level | string | Output field threat_severity_level |
| threat_severity_data | object | Response data |
| last_analysis_date | string | Date value |
| level_description | string | Output field level_description |
| type_extension | string | Type of the resource |
| sandbox_verdicts | object | Output field sandbox_verdicts |
| OS X Sandbox | object | Output field OS X Sandbox |
| category | string | Output field category |
| malware_classification | array | Output field malware_classification |
| sandbox_name | string | Name of the resource |
| confidence | number | Confidence value |
| Zenbox | object | Output field Zenbox |
| category | string | Output field category |

Example:

```json
[{"status_code": 200,
  "response_headers": {"Content-Type": "application/json", "Vary": "Accept-Encoding", "Content-Encoding": "gzip",
                       "X-Cloud-Trace-Context": "3d66aba4cb4dcee73a3382e699c91f80", "Date": "Wed, 12 Jun 2024 04:52:01 GMT",
                       "Server": "Google Frontend", "Cache-Control": "private", "Transfer-Encoding": "chunked"},
  "reason": "OK",
  "json_body": {"data": {}}}]
```

### Get a URL for uploading large files

Obtain a single-use URL from VirusTotal Analysis for submitting large files for scanning and analysis.

- Endpoint URL: `api/v3/private/files/upload_url`
- Method: GET

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | string | Response data |

Example:

```json
[{"status_code": 200,
  "response_headers": {"Content-Type": "application/json", "Vary": "Accept-Encoding", "Content-Encoding": "gzip",
                       "X-Cloud-Trace-Context": "7f353f9791ca00df94952eaf34e7250b", "Date": "Wed, 12 Jun 2024 04:34:32 GMT",
                       "Server": "Google Frontend", "Cache-Control": "private", "Transfer-Encoding": "chunked"},
  "reason": "OK",
  "json_body": {"data": "https://www.virustotal.com/_ah/upload/ammfu6y1ddqrvv_nd2t8rzto8bafauyiy9bm2emlqq_"}}]
```

### Get a URL report

Retrieve a detailed URL report from VirusTotal Analysis using the unique identifier.

- Endpoint URL: `/api/v3/urls/{{id}}`
- Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | required | URL identifier or base64 representation of the URL to scan (w/o padding) |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| id | string | Unique identifier |
| type | string | Type of the resource |
| links | object | Output field links |
| self | string | Output field self |
| attributes | object | Output field attributes |
| last_analysis_results | object | Result of the operation |
| Artists Against 419 | object | Output field Artists Against 419 |
| method | string | Detection method |
| engine_name | string | Name of the resource |
| category | string | Output field category |
| result | string | Result of the operation |
| Acronis | object | Output field Acronis |
| method | string | Detection method |
| engine_name | string | Name of the resource |
| category | string | Output field category |
| result | string | Result of the operation |
| last_analysis_date | number | Date value |
| first_submission_date | number | Date value |
| last_final_url | string | URL endpoint for the request |
| html_meta | object | Output field html_meta |
| og:image | array | Output field og:image |
| fb:app_id | array | Unique identifier |

Example:

```json
[{"status_code": 200,
  "response_headers": {"Content-Type": "application/json", "Date": "Thu, 01 Jan 2024 00:00:00 GMT"},
  "reason": "OK",
  "json_body": {"data": {}}}]
```

### Get a widget rendering URL

Generates a temporary URL for VirusTotal visualizations, valid for 72 hours, using the specified `query` parameter.

- Endpoint URL: `/api/v3/widget/url`
- Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| query | string | required | A file hash (MD5, SHA1 or SHA256), URL, IP address or a domain |
| fg1 | string | optional | Theme primary foreground color in hex notation |
| bg1 | string | optional | Theme primary background color in hex notation |
| bg2 | string | optional | Theme secondary background color in hex notation |
| bd1 | string | optional | Theme border color |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| id | string | Unique identifier |
| url | string | URL endpoint for the request |
| detection_ratio | object | Output field detection_ratio |
| detections | number | Output field detections |
| total | number | Output field total |
| type | string | Type of the resource |
| found | boolean | Output field found |

Example:

```json
[{"status_code": 200,
  "response_headers": {"Content-Type": "application/json", "Vary": "Accept-Encoding", "Content-Encoding": "gzip",
                       "X-Cloud-Trace-Context": "aaf8e85aaa1d10216fbefad5e8a52ab1", "Date": "Mon, 06 May 2024 09:51:26 GMT",
                       "Server": "Google Frontend", "Cache-Control": "private", "Transfer-Encoding": "chunked"},
  "reason": "OK",
  "json_body": {"data": {}}}]
```

### Get an IP address report

Retrieve a comprehensive report for a specified IP address from VirusTotal Analysis, detailing detected URLs, samples, and associated data.

- Endpoint URL: `/api/v3/ip_addresses/{{ip}}`
- Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| ip | string | required | IP address |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| id | string | Unique identifier |
| type | string | Type of the resource |
| links | object | Output field links |
| self | string | Output field self |
| attributes | object | Output field attributes |
| last_https_certificate | object | Output field last_https_certificate |
| cert_signature | object | Output field cert_signature |
| signature_algorithm | string | Output field signature_algorithm |
| signature | string | Output field signature |
| extensions | object | Output field extensions |
| authority_key_identifier | object | Unique identifier |
| subject_key_identifier | string | Unique identifier |
| subject_alternative_name | array | Name of the resource |
| certificate_policies | array | Output field certificate_policies |
| key_usage | array | Output field key_usage |
| extended_key_usage | array | Output field extended_key_usage |
| crl_distribution_points | array | Output field crl_distribution_points |
| ca_information_access | object | Output field ca_information_access |
| CA | boolean | Output field CA |
| 1.3.6.1.4.1.11129.2.4.2 | string | Output field 1.3.6.1.4.1.11129.2.4.2 |
| validity | object | Certificate validity period |
| not_after | string | Output field not_after |

Example:

```json
[{"status_code": 200,
  "response_headers": {"Content-Type": "application/json", "Date": "Thu, 01 Jan 2024 00:00:00 GMT"},
  "reason": "OK",
  "json_body": {"data": {}}}]
```

### Get list of private files

Retrieve a sorted list of private files analyzed by SHA256 within VirusTotal Analysis.

- Endpoint URL: `api/v3/private/files`
- Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| limit | number | optional | Maximum number of files to retrieve (40 max) |
| cursor | string | optional | Continuation cursor |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| id | string | Unique identifier |
| type | string | Type of the resource |
| links | object | Output field links |
| self | string | Output field self |
| attributes | object | Output field attributes |
| type_tags | array | Type of the resource |
| magic | string | Output field magic |
| type_tag | string | Type of the resource |
| expiration | number | Output field expiration |
| last_analysis_date | number | Date value |
| exiftool | object | Output field exiftool |
| ZipRequiredVersion | string | Output field ZipRequiredVersion |
| MIMEType | string | Type of the resource |
| ZipCRC | string | Output field ZipCRC |
| FileType | string | Type of the resource |
| ZipCompression | string | Output field ZipCompression |
| ZipUncompressedSize | string | Output field ZipUncompressedSize |
| ZipCompressedSize | string | Output field ZipCompressedSize |
| FileTypeExtension | string | Type of the resource |
| ZipFileName | string | Name of the resource |
| ZipBitFlag | string | Output field ZipBitFlag |
| ZipModifyDate | string | Date value |

Example:

```json
[{"status_code": 200,
  "response_headers": {"Content-Type": "application/json", "Vary": "Accept-Encoding", "Content-Encoding": "gzip",
                       "X-Cloud-Trace-Context": "325dd351a80d08ba6930d367d8333377", "Date": "Wed, 12 Jun 2024 03:56:23 GMT",
                       "Server": "Google Frontend", "Cache-Control": "private", "Transfer-Encoding": "chunked"},
  "reason": "OK",
  "json_body": {"data": [], "meta": {}, "links": {}}}]
```

### Get object descriptors related to a file

Retrieve related descriptors for a file in VirusTotal using its unique ID and specified relationship type, with required path parameters.

- Endpoint URL: `api/v3/private/files/{{file_id}}/relationships/{{relationship}}`
- Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| file_id | string | required | File's SHA-256 |
| relationship | string | required | Relationship name |
| limit | number | optional | Maximum number of related objects to retrieve |
| cursor | string | optional | Continuation cursor |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| type | string | Type of the resource |
| id | string | Unique identifier |
| context_attributes | object | Output field context_attributes |
| type | string | Type of the resource |
| paths | array | Output field paths |
| present_in_public_vt | boolean | Output field present_in_public_vt |
| meta | object | Output field meta |
| count | number | Count value |
| links | object | Output field links |
| self | string | Output field self |
| related | string | Output field related |

Example:

```json
[{"status_code": 200,
  "response_headers": {"Content-Type": "application/json", "Vary": "Accept-Encoding", "Content-Encoding": "gzip",
                       "X-Cloud-Trace-Context": "4239f00ca721d6927f7ee1e940e1438f", "Date": "Wed, 12 Jun 2024 05:57:26 GMT",
                       "Server": "Google Frontend", "Cache-Control": "private", "Transfer-Encoding": "chunked"},
  "reason": "OK",
  "json_body": {"data": [], "meta": {}, "links": {}}}]
```

### Get objects related to a private file

Retrieve related URLs, domains, IPs, or hashes for a private file in VirusTotal using the file ID and relationship type.

- Endpoint URL: `api/v3/private/files/{{file_id}}/{{relationship}}`
- Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| file_id | string | required | File's SHA-256 |
| relationship | string | required | Relationship name |
| limit | number | optional | Maximum number of related objects to retrieve |
| cursor | string | optional | Continuation cursor |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| id | string | Unique identifier |
| type | string | Type of the resource |
| error | object | Error message, if any |
| code | string | Output field code |
| message | string | Response message |
| context_attributes | object | Output field context_attributes |
| type | string | Type of the resource |
| paths | array | Output field paths |
| present_in_public_vt | boolean | Output field present_in_public_vt |
| meta | object | Output field meta |
| count | number | Count value |
| links | object | Output field links |
| self | string | Output field self |

Example:

```json
[{"status_code": 200,
  "response_headers": {"Content-Type": "application/json", "Vary": "Accept-Encoding", "Content-Encoding": "gzip",
                       "X-Cloud-Trace-Context": "41bf3f664c70d59d47cb30fb747a07c2", "Date": "Wed, 12 Jun 2024 05:26:16 GMT",
                       "Server": "Google Frontend", "Cache-Control": "private", "Transfer-Encoding": "chunked"},
  "reason": "OK",
  "json_body": {"data": [], "meta": {}, "links": {}}}]
```

### Reanalyse file

Initiates a new analysis of a previously submitted file in VirusTotal using the unique file identifier.

- Endpoint URL: `api/v3/files/{{id}}/analyse`
- Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | required | SHA-256, SHA-1 or MD5 identifying the file |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| type | string | Type of the resource |
| id | string | Unique identifier |

Example:

```json
[{"status_code": 200,
  "response_headers": {"Cache-Control": "no-cache", "Content-Type": "application/json; charset=utf-8",
                       "X-Cloud-Trace-Context": "5af2481b95d0acad2274bdbc5533dd7a", "Date": "Wed, 12 Oct 2022 18:42:18 GMT",
                       "Server": "Google Frontend", "Content-Length": "128"},
  "reason": "OK",
  "json_body": {"data": {}}}]
```

### Reanalyse URL

Initiates a fresh analysis of a specified URL in VirusTotal using the provided ID to update its threat intelligence data.

- Endpoint URL: `api/v3/urls/{{id}}/analyse`
- Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | required | ID of the URL submission to reanalyse |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| type | string | Type of the resource |
| id | string | Unique identifier |
| links | object | Output field links |
| self | string | Output field self |

Example:

```json
[{"status_code": 200,
  "response_headers": {"Content-Type": "application/json", "Vary": "Accept-Encoding", "Content-Encoding": "gzip",
                       "X-Cloud-Trace-Context": "8bef927cda509c116ee788b7ad5ea4e3", "Date": "Wed, 06 Mar 2024 15:51:25 GMT",
                       "Server": "Google Frontend", "Cache-Control": "private", "Transfer-Encoding": "chunked"},
  "reason": "OK",
  "json_body": {"data": {}}}]
```

### Rescan a private file

Initiates a new analysis of a private file on VirusTotal using the provided SHA-256 hash and returns the analysis results.

- Endpoint URL: `api/v3/private/files/{{file_sha256}}/analyse`
- Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| file_sha256 | string | required | File's SHA256 hash |
| interaction_sandbox | string | optional | Select the sandbox desired for interactive use |
| interaction_timeout | number | optional | Interaction timeout in seconds; minimum value is 60 (1 minute), maximum value is 1800 (30 minutes) |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| type | string | Type of the resource |
| id | string | Unique identifier |
| links | object | Output field links |
| self | string | Output field self |

Example:

```json
[{"status_code": 200,
  "response_headers": {"Content-Type": "application/json", "Vary": "Accept-Encoding", "Content-Encoding": "gzip",
                       "X-Cloud-Trace-Context": "d8a0c33bc1243c12385518c093fab11b", "Date": "Wed, 12 Jun 2024 06:16:48 GMT",
                       "Server": "Google Frontend", "Cache-Control": "private", "Transfer-Encoding": "chunked"},
  "reason": "OK",
  "json_body": {"data": {}}}]
```

### Retrieve the widget's HTML content

Retrieve the HTML content of a widget report from VirusTotal Analysis using the specified token.

- Endpoint URL: `/ui/widget/html/{{token}}`
- Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| token | string | required | This token is provided by the previous endpoint, `/widget/url` |
| headers | object | required | HTTP headers for the request |
| User-Agent | string | required | User agent |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response_text | string | Output field response_text |

Example:

```json
[{"status_code": 200,
  "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Thu, 2 May 2024 20:37:23 GMT"},
  "reason": "OK"}]
```

### Search IOCs & comments

Conduct a comprehensive search in VirusTotal for domains, IP addresses, files, URLs, and comments using the `query` parameter.

- Endpoint URL: `api/v3/search`
- Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| query | string | required | Query to search |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| attributes | object | Output field attributes |
| last_dns_records | array | Output field last_dns_records |
| type | string | Type of the resource |
| value | string | Value for the parameter |
| ttl | number | Output field ttl |
| priority | number | Output field priority |
| rname | string | Name of the resource |
| retry | number | Output field retry |
| refresh | number | Output field refresh |
| minimum | number | Output field minimum |
| expire | number | Output field expire |
| serial | number | Output field serial |
| jarm | string | Output field jarm |
| whois | string | Output field whois |
| last_https_certificate_date | number | Date value |
| tags | array | Output field tags |
| file_name | string | Name of the resource |
| file | string | Output field file |
| popularity_ranks | object | Output field popularity_ranks |
| Majestic | object | Output field Majestic |
| timestamp | number | Output field timestamp |
| rank | number | Output field rank |

Example:

```json
[{"status_code": 200,
  "response_headers": {"Content-Type": "application/json", "X-Cloud-Trace-Context": "d877bd014fdf9d7d969c9c0bf0863748",
                       "Date": "Fri, 20 Jan 2023 15:22:01 GMT", "Server": "Google Frontend", "Content-Length": "35417"},
  "reason": "OK",
  "json_body": {"data": [], "links": {}}}]
```

### Search and analyse

Conduct a comprehensive search and analysis of domains, IPs, files, URLs, and comments in VirusTotal using the `query` parameter.

- Endpoint URL: `api/v3/search`
- Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| query | string | required | Query to search |
| time_delay_in_sec | number | optional | Time delay in seconds between Analyse a URL and Get analyses |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| id | string | Unique identifier |
| type | string | Type of the resource |
| links | object | Output field links |
| self | string | Output field self |
| item | string | Output field item |
| attributes | object | Output field attributes |
| status | string | Status value |
| date | number | Date value |
| stats | object | Output field stats |
| malicious | number | Output field malicious |
| suspicious | number | Output field suspicious |
| undetected | number | Output field undetected |
| harmless | number | Output field harmless |
| timeout | number | Output field timeout |
| results | object | Result of the operation |
| Artists Against 419 | object | Output field Artists Against 419 |
| method | string | Detection method |
| engine_name | string | Name of the resource |
| category | string | Output field category |
| result | string | Result of the operation |
| Acronis | object | Output field Acronis |
| method | string | Detection method |

Example:

```json
[{"status_code": 200,
  "response_headers": {"Content-Type": "application/json", "Vary": "Accept-Encoding", "Content-Encoding": "gzip",
                       "X-Cloud-Trace-Context": "61a85eaebe158a5dffe86589e322fee5", "Date": "Fri, 06 Sep 2024 14:11:40 GMT",
                       "Server": "Google Frontend", "Cache-Control": "private", "Transfer-Encoding": "chunked"},
  "reason": "OK",
  "json_body": {"data": {}, "meta": {}}}]
```

### Submit private URL submission

Submit a private URL to VirusTotal for analysis with the required `data_body` input.

- Endpoint URL: `/api/v3/private/urls`
- Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| data_body | object | required | Request data |
| url | string | required | URL to submit |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| type | string | Type of the resource |
| id | string | Unique identifier |
| links | object | Output field links |
| self | string | Output field self |

Example:

```json
[{"status_code": 200,
  "response_headers": {"Content-Type": "application/json", "Vary": "Accept-Encoding", "Content-Encoding": "gzip",
                       "X-Cloud-Trace-Context": "19810ab866940083c6b64e2a0bbeab58", "Date": "Thu, 04 Jul 2024 08:24:11 GMT",
                       "Server": "Google Frontend", "Cache-Control": "private", "Transfer-Encoding": "chunked"},
  "reason": "OK",
  "json_body": {"data": {}}}]
```

### Upload a private file

Privately upload a file to VirusTotal for analysis, requiring the file as form data.

- Endpoint URL: `api/v3/private/files`
- Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| data_body | object | optional | Request data |
| disable_sandbox | string | optional | If true, then the file won't be detonated in sandbox environments |
| enable_internet | string | optional | Whether the file should have internet access when running in sandboxes |
| intercept_tls | string | optional | Intercept HTTPS/TLS/SSL communication. Intercepting HTTPS exposes encrypted URLs, hostnames and HTTP headers; this is detectable by any sample that checks certificates, and makes JA3 hashes unusable |
| command_line | string | optional | Command line arguments to use when running the file in sandboxes |
| password | string | optional | Optional; password to decompress and scan a file contained in a protected ZIP file |
| retention_period_days | number | optional | Optional; number of days the report and file are kept in VT (between 1 and 28). If not set, it defaults to the group's retention policy preference |
| interaction_sandbox | string | optional | Select the sandbox desired for interactive use |
| interaction_timeout | number | optional | Interaction timeout in seconds; minimum value 60 (1 minute), maximum value 1800 (30 minutes) |
| storage_region | string | optional | Optional; storage region where the file will be stored. By default uses the group's private scanning storage region preference |
| files | object | required | Privately upload and analyse a file |
| file | string | optional | Parameter for Upload a private file |
| file_name | string | optional | Name of the resource |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| type | string | Type of the resource |
| id | string | Unique identifier |
| links | object | Output field links |
| self | string | Output field self |

Example:

```json
[{"status_code": 200,
  "response_headers": {"Content-Type": "application/json", "Vary": "Accept-Encoding", "Content-Encoding": "gzip",
                       "X-Cloud-Trace-Context": "7f353f9791ca00df94952eaf34e7250b", "Date": "Wed, 12 Jun 2024 04:34:32 GMT",
                       "Server": "Google Frontend", "Cache-Control": "private", "Transfer-Encoding": "chunked"},
  "reason": "OK",
  "json_body": {"data": {}}}]
```

## Response headers

| Header | Description | Example |
| --- | --- | --- |
| Alt-Svc | HTTP response header Alt-Svc | h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 |
| Cache-Control | Directives for caching mechanisms | private |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Length | The length of the response body in bytes | 128 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Wed, 06 Mar 2024 15:19:50 GMT |
| Server | Information about the software used by the origin server | Google Frontend |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| Vary | HTTP response header Vary | Accept-Encoding |
| Via | HTTP response header Via | 1.1 google |
| X-Cloud-Trace-Context | HTTP response header X-Cloud-Trace-Context | 981d2bf7135204b6b1f9db0a4dab0419 |

## Notes

For more information on VirusTotal:

- VirusTotal documentation: https://developers.virustotal.com/v3.0/
- Public API vs Premium API: https://developers.virustotal.com/v3.0/reference#public-vs-premium-api
- Obtaining a public API key: https://support.virustotal.com/hc/en-us/articles/115002088769-please-give-me-an-api-key
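The following is an added example (not part of the connector or VirusTotal's own code) showing the glue a playbook around these actions needs: deriving the unpadded base64 identifier that "Get a URL report" expects, placing the key in the `x-apikey` header, a client-side gate for the public API's 4/minute and 500/day quota, and reading the `status` and `stats` fields returned by "Get analyses". `PLACEHOLDER_API_KEY`, `ManualClock` and the sample analysis body are constructed for the demonstration.

```python
"""Helpers for the VirusTotal v3 endpoints this connector wraps.

Added example (not Swimlane's or VirusTotal's own code); standard library only.
Requests are only prepared, not sent, and the parsing runs on constructed
sample JSON, so everything here works offline.
"""
import base64
import time
from collections import deque
from typing import Any, Callable, Deque, Dict, List, Optional

BASE_URL = "https://www.virustotal.com"  # value of the connector's "URL" asset parameter


def url_identifier(url: str) -> str:
    """Identifier for GET /api/v3/urls/{id}: URL-safe base64 with the '=' padding removed."""
    return base64.urlsafe_b64encode(url.encode("utf-8")).decode("ascii").rstrip("=")


def decode_url_identifier(identifier: str) -> str:
    """Inverse of url_identifier; restores the padding that VirusTotal identifiers omit."""
    padded = identifier + "=" * (-len(identifier) % 4)
    return base64.urlsafe_b64decode(padded).decode("utf-8")


def build_request(api_key: str, method: str, path: str) -> Dict[str, Any]:
    """Prepare a request: the key travels in the X-Apikey header, never in the URL."""
    return {
        "method": method.upper(),
        "url": BASE_URL.rstrip("/") + "/" + path.lstrip("/"),
        "headers": {"x-apikey": api_key, "accept": "application/json"},
    }


class ManualClock:
    """Deterministic clock (constructed for the demo) so the quota gate can be exercised without sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


class PublicQuota:
    """Client-side gate for the public API limits: 4 requests per minute and 500 per day.

    VirusTotal enforces these server-side; tracking them locally lets a playbook
    wait instead of spending requests on rejected calls.
    """

    def __init__(self, per_minute: int = 4, per_day: int = 500,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.per_minute, self.per_day, self.clock = per_minute, per_day, clock
        self.minute: Deque[float] = deque()  # send times within the last 60 s
        self.day: Deque[float] = deque()     # send times within the last 24 h

    def _prune(self, now: float) -> None:
        while self.minute and now - self.minute[0] >= 60:
            self.minute.popleft()
        while self.day and now - self.day[0] >= 86400:
            self.day.popleft()

    def seconds_until_allowed(self) -> float:
        """0.0 if a request may go out now, otherwise the number of seconds to wait."""
        now = self.clock()
        self._prune(now)
        waits: List[float] = []
        if len(self.minute) >= self.per_minute:
            waits.append(60 - (now - self.minute[0]))
        if len(self.day) >= self.per_day:
            waits.append(86400 - (now - self.day[0]))
        return max(waits) if waits else 0.0

    def record(self) -> None:
        """Call once per request actually sent."""
        now = self.clock()
        self.minute.append(now)
        self.day.append(now)


def analysis_status(analysis: Dict[str, Any]) -> Optional[str]:
    """Status from a GET /api/v3/analyses/{id} body; poll until it reads 'completed'."""
    attributes = (analysis.get("data") or {}).get("attributes") or {}
    return attributes.get("status")


def verdict(stats: Dict[str, int], malicious_threshold: int = 1) -> str:
    """Map the stats / last_analysis_stats counters to a triage label."""
    if stats.get("malicious", 0) >= malicious_threshold:
        return "malicious"
    if stats.get("suspicious", 0) > 0:
        return "suspicious"
    if stats.get("harmless", 0) + stats.get("undetected", 0) > 0:
        return "clean"
    return "unknown"  # only timeouts or failures, or an empty stats block


if __name__ == "__main__":
    # Constructed sample of a completed analysis body (not a real VirusTotal response).
    sample = {"data": {"attributes": {"status": "completed", "stats": {
        "harmless": 70, "malicious": 3, "suspicious": 0, "undetected": 10, "timeout": 0}}}}
    ident = url_identifier("http://example.com/")
    print(build_request("PLACEHOLDER_API_KEY", "get", f"api/v3/urls/{ident}")["url"])
    print(analysis_status(sample), verdict(sample["data"]["attributes"]["stats"]))
```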