Publisher: Splunk
Connector Version: 1.2.14
Product Vendor: VirusTotal
Product Name: VirusTotal v3
Product Version Supported (regex): ".*"
Minimum Product Version: 5.0.0
This app integrates with the VirusTotal cloud to implement investigative and reputation actions using v3 APIs
The below configuration variables are required for this Connector to operate. These variables are specified when configuring a VirusTotal v3 asset in SOAR.
| VARIABLE | REQUIRED | TYPE | DESCRIPTION |
|---|---|---|---|
| apikey | required | password | VirusTotal API key |
| poll_interval | optional | numeric | Number of minutes to poll for a detonation result (Default: 5) |
| waiting_time | optional | numeric | Number of seconds to wait before polling for a detonation result (Default: 0) |
| rate_limit | optional | boolean | Limit number of requests to 4 per minute |
test connectivity - Validate the asset configuration for connectivity using supplied configuration
domain reputation - Queries VirusTotal for domain info
file reputation - Queries VirusTotal for file reputation info
get file - Downloads a file from VirusTotal, and adds it to the vault
ip reputation - Queries VirusTotal for IP info
url reputation - Queries VirusTotal for URL info
detonate url - Load a URL to Virus Total and retrieve analysis results
detonate file - Upload a file to Virus Total and retrieve the analysis results
get report - Get the results using the scan id from a detonate file or detonate url action
Validate the asset configuration for connectivity using supplied configuration
Type: test
Read only: True
No parameters are required for this action
No Output
Queries VirusTotal for domain info
Type: investigate
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| domain | required | Domain to query | string | domain |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.domain | string | domain |
| action_result.data.*.attributes.categories.BitDefender | string | |
| action_result.data.*.attributes.categories.Comodo Valkyrie Verdict | string | |
| action_result.data.*.attributes.categories.Dr.Web | string | |
| action_result.data.*.attributes.categories.Forcepoint ThreatSeeker | string | |
| action_result.data.*.attributes.categories.Sophos | string | |
| action_result.data.*.attributes.categories.alphaMountain.ai | string | |
| action_result.data.*.attributes.categories.sophos | string | |
| action_result.data.*.attributes.creation_date | numeric | |
| action_result.data.*.attributes.jarm | string | |
| action_result.data.*.attributes.last_analysis_results.*.vendor | string | |
| action_result.data.*.attributes.last_analysis_results.*.category | string | |
| action_result.data.*.attributes.last_analysis_results.*.engine_name | string | |
| action_result.data.*.attributes.last_analysis_results.*.method | string | |
| action_result.data.*.attributes.last_analysis_results.*.result | string | |
| action_result.data.*.attributes.last_analysis_stats.harmless | numeric | |
| action_result.data.*.attributes.last_analysis_stats.malicious | numeric | |
| action_result.data.*.attributes.last_analysis_stats.suspicious | numeric | |
| action_result.data.*.attributes.last_analysis_stats.timeout | numeric | |
| action_result.data.*.attributes.last_analysis_stats.undetected | numeric | |
| action_result.data.*.attributes.last_dns_records.*.expire | numeric | |
| action_result.data.*.attributes.last_dns_records.*.flag | numeric | |
| action_result.data.*.attributes.last_dns_records.*.minimum | numeric | |
| action_result.data.*.attributes.last_dns_records.*.priority | numeric | |
| action_result.data.*.attributes.last_dns_records.*.refresh | numeric | |
| action_result.data.*.attributes.last_dns_records.*.retry | numeric | |
| action_result.data.*.attributes.last_dns_records.*.rname | string | |
| action_result.data.*.attributes.last_dns_records.*.serial | numeric | |
| action_result.data.*.attributes.last_dns_records.*.tag | string | |
| action_result.data.*.attributes.last_dns_records.*.ttl | numeric | |
| action_result.data.*.attributes.last_dns_records.*.type | string | |
| action_result.data.*.attributes.last_dns_records.*.value | string | ip |
| action_result.data.*.attributes.last_dns_records_date | numeric | |
| action_result.data.*.attributes.last_https_certificate.cert_signature.signature | string | |
| action_result.data.*.attributes.last_https_certificate.cert_signature.signature_algorithm | string | |
| action_result.data.*.attributes.last_https_certificate.extensions.1.3.6.1.4.1.11129.2.4.2 | string | sha256 |
| action_result.data.*.attributes.last_https_certificate.extensions.CA | boolean | |
| action_result.data.*.attributes.last_https_certificate.extensions.authority_key_identifier.keyid | string | sha1 |
| action_result.data.*.attributes.last_https_certificate.extensions.ca_information_access.CA Issuers | string | url |
| action_result.data.*.attributes.last_https_certificate.extensions.ca_information_access.OCSP | string | url |
| action_result.data.*.attributes.last_https_certificate.extensions.certificate_policies | string | |
| action_result.data.*.attributes.last_https_certificate.extensions.crl_distribution_points | string | url |
| action_result.data.*.attributes.last_https_certificate.extensions.extended_key_usage | string | |
| action_result.data.*.attributes.last_https_certificate.extensions.key_usage | string | |
| action_result.data.*.attributes.last_https_certificate.extensions.subject_alternative_name | string | |
| action_result.data.*.attributes.last_https_certificate.extensions.subject_key_identifier | string | sha1 |
| action_result.data.*.attributes.last_https_certificate.issuer.C | string | |
| action_result.data.*.attributes.last_https_certificate.issuer.CN | string | |
| action_result.data.*.attributes.last_https_certificate.issuer.O | string | |
| action_result.data.*.attributes.last_https_certificate.issuer.OU | string | |
| action_result.data.*.attributes.last_https_certificate.public_key.algorithm | string | |
| action_result.data.*.attributes.last_https_certificate.public_key.ec.oid | string | |
| action_result.data.*.attributes.last_https_certificate.public_key.ec.pub | string | |
| action_result.data.*.attributes.last_https_certificate.serial_number | string | md5 |
| action_result.data.*.attributes.last_https_certificate.signature_algorithm | string | |
| action_result.data.*.attributes.last_https_certificate.size | numeric | |
| action_result.data.*.attributes.last_https_certificate.subject.C | string | |
| action_result.data.*.attributes.last_https_certificate.subject.CN | string | |
| action_result.data.*.attributes.last_https_certificate.subject.L | string | |
| action_result.data.*.attributes.last_https_certificate.subject.O | string | |
| action_result.data.*.attributes.last_https_certificate.subject.ST | string | |
| action_result.data.*.attributes.last_https_certificate.thumbprint | string | sha1 |
| action_result.data.*.attributes.last_https_certificate.thumbprint_sha256 | string | sha256 |
| action_result.data.*.attributes.last_https_certificate.validity.not_after | string | |
| action_result.data.*.attributes.last_https_certificate.validity.not_before | string | |
| action_result.data.*.attributes.last_https_certificate.version | string | |
| action_result.data.*.attributes.last_https_certificate_date | numeric | |
| action_result.data.*.attributes.last_modification_date | numeric | |
| action_result.data.*.attributes.last_update_date | numeric | |
| action_result.data.*.attributes.popularity_ranks.Alexa.rank | numeric | |
| action_result.data.*.attributes.popularity_ranks.Alexa.timestamp | numeric | |
| action_result.data.*.attributes.popularity_ranks.Cisco Umbrella.rank | numeric | |
| action_result.data.*.attributes.popularity_ranks.Cisco Umbrella.timestamp | numeric | |
| action_result.data.*.attributes.popularity_ranks.Majestic.rank | numeric | |
| action_result.data.*.attributes.popularity_ranks.Majestic.timestamp | numeric | |
| action_result.data.*.attributes.popularity_ranks.Quantcast.rank | numeric | |
| action_result.data.*.attributes.popularity_ranks.Quantcast.timestamp | numeric | |
| action_result.data.*.attributes.popularity_ranks.Statvoo.rank | numeric | |
| action_result.data.*.attributes.popularity_ranks.Statvoo.timestamp | numeric | |
| action_result.data.*.attributes.registrar | string | |
| action_result.data.*.attributes.reputation | numeric | |
| action_result.data.*.attributes.total_votes.harmless | numeric | |
| action_result.data.*.attributes.total_votes.malicious | numeric | |
| action_result.data.*.attributes.whois | string | |
| action_result.data.*.attributes.whois_date | numeric | |
| action_result.data.*.id | string | domain |
| action_result.data.*.links.self | string | url |
| action_result.data.*.type | string | |
| action_result.summary.harmless | numeric | |
| action_result.summary.malicious | numeric | |
| action_result.summary.suspicious | numeric | |
| action_result.summary.undetected | numeric | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Queries VirusTotal for file reputation info
Type: investigate
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| hash | required | File hash to query | string | hash sha256 sha1 md5 |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.hash | string | hash sha256 sha1 md5 |
| action_result.data.*.attributes.authentihash | string | |
| action_result.data.*.attributes.creation_date | numeric | |
| action_result.data.*.attributes.first_submission_date | numeric | |
| action_result.data.*.attributes.last_analysis_date | numeric | |
| action_result.data.*.attributes.last_analysis_results.*.vendor | string | |
| action_result.data.*.attributes.last_analysis_results.*.category | string | |
| action_result.data.*.attributes.last_analysis_results.*.engine_name | string | |
| action_result.data.*.attributes.last_analysis_results.*.engine_update | string | |
| action_result.data.*.attributes.last_analysis_results.*.engine_version | string | |
| action_result.data.*.attributes.last_analysis_results.*.method | string | |
| action_result.data.*.attributes.last_analysis_results.*.result | string | |
| action_result.data.*.attributes.last_analysis_stats.confirmed-timeout | numeric | |
| action_result.data.*.attributes.last_analysis_stats.failure | numeric | |
| action_result.data.*.attributes.last_analysis_stats.harmless | numeric | |
| action_result.data.*.attributes.last_analysis_stats.malicious | numeric | |
| action_result.data.*.attributes.last_analysis_stats.suspicious | numeric | |
| action_result.data.*.attributes.last_analysis_stats.timeout | numeric | |
| action_result.data.*.attributes.last_analysis_stats.type-unsupported | numeric | |
| action_result.data.*.attributes.last_analysis_stats.undetected | numeric | |
| action_result.data.*.attributes.last_modification_date | numeric | |
| action_result.data.*.attributes.last_submission_date | numeric | |
| action_result.data.*.attributes.magic | string | |
| action_result.data.*.attributes.md5 | string | md5 |
| action_result.data.*.attributes.meaningful_name | string | |
| action_result.data.*.attributes.names | string | |
| action_result.data.*.attributes.pe_info.entry_point | numeric | |
| action_result.data.*.attributes.pe_info.imphash | string | |
| action_result.data.*.attributes.pe_info.import_list.*.library_name | string | |
| action_result.data.*.attributes.pe_info.machine_type | numeric | |
| action_result.data.*.attributes.pe_info.resource_details.*.chi2 | numeric | |
| action_result.data.*.attributes.pe_info.resource_details.*.entropy | numeric | |
| action_result.data.*.attributes.pe_info.resource_details.*.filetype | string | |
| action_result.data.*.attributes.pe_info.resource_details.*.lang | string | |
| action_result.data.*.attributes.pe_info.resource_details.*.sha256 | string | |
| action_result.data.*.attributes.pe_info.resource_details.*.type | string | |
| action_result.data.*.attributes.pe_info.resource_langs.ENGLISH US | numeric | |
| action_result.data.*.attributes.pe_info.resource_langs.RUSSIAN | numeric | |
| action_result.data.*.attributes.pe_info.resource_types.RT_BITMAP | numeric | |
| action_result.data.*.attributes.pe_info.resource_types.RT_DIALOG | numeric | |
| action_result.data.*.attributes.pe_info.resource_types.RT_MANIFEST | numeric | |
| action_result.data.*.attributes.pe_info.resource_types.RT_MENU | numeric | |
| action_result.data.*.attributes.pe_info.resource_types.RT_VERSION | numeric | |
| action_result.data.*.attributes.pe_info.rich_pe_header_hash | string | |
| action_result.data.*.attributes.pe_info.sections.*.chi2 | numeric | |
| action_result.data.*.attributes.pe_info.sections.*.entropy | numeric | |
| action_result.data.*.attributes.pe_info.sections.*.flags | string | |
| action_result.data.*.attributes.pe_info.sections.*.md5 | string | |
| action_result.data.*.attributes.pe_info.sections.*.name | string | |
| action_result.data.*.attributes.pe_info.sections.*.raw_size | numeric | |
| action_result.data.*.attributes.pe_info.sections.*.virtual_address | numeric | |
| action_result.data.*.attributes.pe_info.sections.*.virtual_size | numeric | |
| action_result.data.*.attributes.pe_info.timestamp | numeric | |
| action_result.data.*.attributes.popular_threat_classification.popular_threat_category.*.count | numeric | |
| action_result.data.*.attributes.popular_threat_classification.popular_threat_category.*.value | string | |
| action_result.data.*.attributes.popular_threat_classification.popular_threat_name.*.count | numeric | |
| action_result.data.*.attributes.popular_threat_classification.popular_threat_name.*.value | string | |
| action_result.data.*.attributes.popular_threat_classification.suggested_threat_label | string | |
| action_result.data.*.attributes.reputation | numeric | |
| action_result.data.*.attributes.sandbox_verdicts.Tencent HABO.* | string | |
| action_result.data.*.attributes.sha1 | string | sha1 |
| action_result.data.*.attributes.sha256 | string | sha256 |
| action_result.data.*.attributes.signature_info.* | string | |
| action_result.data.*.attributes.size | numeric | |
| action_result.data.*.attributes.ssdeep | string | |
| action_result.data.*.attributes.tags | string | |
| action_result.data.*.attributes.times_submitted | numeric | |
| action_result.data.*.attributes.tlsh | string | |
| action_result.data.*.attributes.total_votes.harmless | numeric | |
| action_result.data.*.attributes.total_votes.malicious | numeric | |
| action_result.data.*.attributes.trid.*.file_type | string | |
| action_result.data.*.attributes.trid.*.probability | numeric | |
| action_result.data.*.attributes.type_description | string | |
| action_result.data.*.attributes.type_extension | string | |
| action_result.data.*.attributes.type_tag | string | |
| action_result.data.*.attributes.unique_sources | numeric | |
| action_result.data.*.attributes.vhash | string | |
| action_result.data.*.id | string | sha256 |
| action_result.data.*.links.self | string | url |
| action_result.data.*.type | string | |
| action_result.summary.harmless | numeric | |
| action_result.summary.malicious | numeric | |
| action_result.summary.suspicious | numeric | |
| action_result.summary.undetected | numeric | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Downloads a file from VirusTotal, and adds it to the vault
Type: investigate
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| hash | required | Hash of file to get | string | hash sha256 sha1 md5 |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.hash | string | hash sha256 sha1 md5 |
| action_result.data | string | |
| action_result.summary | string | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Queries VirusTotal for IP info
Type: investigate
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| ip | required | IP to query | string | ip ipv6 |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.ip | string | ip ipv6 |
| action_result.data.*.attributes.as_owner | string | |
| action_result.data.*.attributes.asn | numeric | |
| action_result.data.*.attributes.continent | string | |
| action_result.data.*.attributes.country | string | |
| action_result.data.*.attributes.crowdsourced_context.*.detail | string | |
| action_result.data.*.attributes.crowdsourced_context.*.severity | string | |
| action_result.data.*.attributes.crowdsourced_context.*.source | string | |
| action_result.data.*.attributes.crowdsourced_context.*.timestamp | numeric | |
| action_result.data.*.attributes.crowdsourced_context.*.title | string | |
| action_result.data.*.attributes.jarm | string | |
| action_result.data.*.attributes.last_analysis_results.*.vendor | string | |
| action_result.data.*.attributes.last_analysis_results.*.category | string | |
| action_result.data.*.attributes.last_analysis_results.*.engine_name | string | |
| action_result.data.*.attributes.last_analysis_results.*.method | string | |
| action_result.data.*.attributes.last_analysis_results.*.result | string | |
| action_result.data.*.attributes.last_analysis_stats.harmless | numeric | |
| action_result.data.*.attributes.last_analysis_stats.malicious | numeric | |
| action_result.data.*.attributes.last_analysis_stats.suspicious | numeric | |
| action_result.data.*.attributes.last_analysis_stats.timeout | numeric | |
| action_result.data.*.attributes.last_analysis_stats.undetected | numeric | |
| action_result.data.*.attributes.last_https_certificate.cert_signature.signature | string | |
| action_result.data.*.attributes.last_https_certificate.cert_signature.signature_algorithm | string | |
| action_result.data.*.attributes.last_https_certificate.extensions.1.3.6.1.4.1.11129.2.4.2 | string | |
| action_result.data.*.attributes.last_https_certificate.extensions.CA | boolean | |
| action_result.data.*.attributes.last_https_certificate.extensions.authority_key_identifier.keyid | string | |
| action_result.data.*.attributes.last_https_certificate.extensions.ca_information_access.CA Issuers | string | |
| action_result.data.*.attributes.last_https_certificate.extensions.ca_information_access.OCSP | string | |
| action_result.data.*.attributes.last_https_certificate.extensions.subject_key_identifier | string | |
| action_result.data.*.attributes.last_https_certificate.issuer.* | string | |
| action_result.data.*.attributes.last_https_certificate.public_key.algorithm | string | |
| action_result.data.*.attributes.last_https_certificate.public_key.rsa.exponent | string | |
| action_result.data.*.attributes.last_https_certificate.public_key.rsa.key_size | numeric | |
| action_result.data.*.attributes.last_https_certificate.public_key.rsa.modulus | string | |
| action_result.data.*.attributes.last_https_certificate.serial_number | string | |
| action_result.data.*.attributes.last_https_certificate.signature_algorithm | string | |
| action_result.data.*.attributes.last_https_certificate.size | numeric | |
| action_result.data.*.attributes.last_https_certificate.subject.CN | string | |
| action_result.data.*.attributes.last_https_certificate.thumbprint | string | |
| action_result.data.*.attributes.last_https_certificate.thumbprint_sha256 | string | |
| action_result.data.*.attributes.last_https_certificate.validity.not_after | string | |
| action_result.data.*.attributes.last_https_certificate.validity.not_before | string | |
| action_result.data.*.attributes.last_https_certificate.version | string | |
| action_result.data.*.attributes.last_https_certificate_date | numeric | |
| action_result.data.*.attributes.last_modification_date | numeric | |
| action_result.data.*.attributes.network | string | |
| action_result.data.*.attributes.regional_internet_registry | string | |
| action_result.data.*.attributes.reputation | numeric | |
| action_result.data.*.attributes.total_votes.harmless | numeric | |
| action_result.data.*.attributes.total_votes.malicious | numeric | |
| action_result.data.*.attributes.whois | string | |
| action_result.data.*.attributes.whois_date | numeric | |
| action_result.data.*.id | string | ip |
| action_result.data.*.links.self | string | url |
| action_result.data.*.type | string | |
| action_result.summary.harmless | numeric | |
| action_result.summary.malicious | numeric | |
| action_result.summary.suspicious | numeric | |
| action_result.summary.undetected | numeric | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Queries VirusTotal for URL info
Type: investigate
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| url | required | URL to query | string | url domain |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.url | string | url domain |
| action_result.data.*.attributes.categories.* | string | |
| action_result.data.*.attributes.categories.Dr.Web | string | |
| action_result.data.*.attributes.categories.alphaMountain.ai | string | |
| action_result.data.*.attributes.first_submission_date | numeric | |
| action_result.data.*.attributes.last_analysis_date | numeric | |
| action_result.data.*.attributes.last_analysis_results.*.vendor | string | |
| action_result.data.*.attributes.last_analysis_results.*.category | string | |
| action_result.data.*.attributes.last_analysis_results.*.engine_name | string | |
| action_result.data.*.attributes.last_analysis_results.*.method | string | |
| action_result.data.*.attributes.last_analysis_results.*.result | string | |
| action_result.data.*.attributes.last_analysis_stats.harmless | numeric | |
| action_result.data.*.attributes.last_analysis_stats.malicious | numeric | |
| action_result.data.*.attributes.last_analysis_stats.suspicious | numeric | |
| action_result.data.*.attributes.last_analysis_stats.timeout | numeric | |
| action_result.data.*.attributes.last_analysis_stats.undetected | numeric | |
| action_result.data.*.attributes.last_final_url | string | |
| action_result.data.*.attributes.last_http_response_code | numeric | |
| action_result.data.*.attributes.last_http_response_content_length | numeric | |
| action_result.data.*.attributes.last_http_response_content_sha256 | string | |
| action_result.data.*.attributes.last_http_response_cookies.* | string | |
| action_result.data.*.attributes.last_http_response_headers.* | string | |
| action_result.data.*.attributes.last_modification_date | numeric | |
| action_result.data.*.attributes.last_submission_date | numeric | |
| action_result.data.*.attributes.reputation | numeric | |
| action_result.data.*.attributes.times_submitted | numeric | |
| action_result.data.*.attributes.title | string | |
| action_result.data.*.attributes.total_votes.harmless | numeric | |
| action_result.data.*.attributes.total_votes.malicious | numeric | |
| action_result.data.*.attributes.trackers.ScoreCard Research Beacon.*.id | string | |
| action_result.data.*.attributes.trackers.ScoreCard Research Beacon.*.timestamp | numeric | |
| action_result.data.*.attributes.trackers.ScoreCard Research Beacon.*.url | string | |
| action_result.data.*.attributes.trackers.Yahoo Dot Tags.*.timestamp | numeric | |
| action_result.data.*.attributes.trackers.Yahoo Dot Tags.*.url | string | |
| action_result.data.*.attributes.url | string | |
| action_result.data.*.id | string | |
| action_result.data.*.links.self | string | |
| action_result.data.*.type | string | |
| action_result.summary.harmless | numeric | |
| action_result.summary.malicious | numeric | |
| action_result.summary.scan_id | string | virustotal scan id |
| action_result.summary.suspicious | numeric | |
| action_result.summary.undetected | numeric | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Load a URL to Virus Total and retrieve analysis results
Type: investigate
Read only: True
detonate url will send a URL to Virus Total for analysis. Virus Total, however, takes an indefinite amount of time to complete this scan. This action will poll for the results for a short amount of time. If it can not get the finished results in this amount of time, it will fail and return in the summary scan id. This should be used with the get report action to finish the scan.
If you attempt to upload a URL which has already been scanned by Virus Total, it will not rescan the URL but instead will return those already existing results.
Wait time parameter will be considered only if the given URL has not been previously submitted to the VirusTotal Server. For the wait time parameter, the priority will be given to the action parameter over the asset configuration parameter.
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| url | required | URL to detonate | string | url domain |
| wait_time | optional | Number of seconds to wait | numeric |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.url | string | url domain |
| action_result.parameter.wait_time | numeric | |
| action_result.data.*.attributes.categories.* | string | |
| action_result.data.*.attributes.categories.Dr.Web | string | |
| action_result.data.*.attributes.first_submission_date | numeric | |
| action_result.data.*.attributes.last_analysis_date | numeric | |
| action_result.data.*.attributes.last_analysis_results.*.vendor | string | |
| action_result.data.*.attributes.last_analysis_results.*.category | string | |
| action_result.data.*.attributes.last_analysis_results.*.engine_name | string | |
| action_result.data.*.attributes.last_analysis_results.*.method | string | |
| action_result.data.*.attributes.last_analysis_results.*.result | string | |
| action_result.data.*.attributes.last_analysis_stats.harmless | numeric | |
| action_result.data.*.attributes.last_analysis_stats.malicious | numeric | |
| action_result.data.*.attributes.last_analysis_stats.suspicious | numeric | |
| action_result.data.*.attributes.last_analysis_stats.timeout | numeric | |
| action_result.data.*.attributes.last_analysis_stats.undetected | numeric | |
| action_result.data.*.attributes.last_final_url | string | |
| action_result.data.*.attributes.last_http_response_code | numeric | |
| action_result.data.*.attributes.last_http_response_content_length | numeric | |
| action_result.data.*.attributes.last_http_response_content_sha256 | string | |
| action_result.data.*.attributes.last_http_response_cookies.* | string | |
| action_result.data.*.attributes.last_http_response_headers.* | string | |
| action_result.data.*.attributes.last_modification_date | numeric | |
| action_result.data.*.attributes.last_submission_date | numeric | |
| action_result.data.*.attributes.reputation | numeric | |
| action_result.data.*.attributes.times_submitted | numeric | |
| action_result.data.*.attributes.title | string | |
| action_result.data.*.attributes.total_votes.harmless | numeric | |
| action_result.data.*.attributes.total_votes.malicious | numeric | |
| action_result.data.*.attributes.url | string | |
| action_result.data.*.data.attributes.date | numeric | |
| action_result.data.*.data.attributes.results.*.category | string | |
| action_result.data.*.data.attributes.results.*.engine_name | string | |
| action_result.data.*.data.attributes.results.*.method | string | |
| action_result.data.*.data.attributes.results.*.result | string | |
| action_result.data.*.data.attributes.stats.harmless | numeric | |
| action_result.data.*.data.attributes.stats.malicious | numeric | |
| action_result.data.*.data.attributes.stats.suspicious | numeric | |
| action_result.data.*.data.attributes.stats.timeout | numeric | |
| action_result.data.*.data.attributes.stats.undetected | numeric | |
| action_result.data.*.data.attributes.status | string | |
| action_result.data.*.data.id | string | virustotal scan id |
| action_result.data.*.data.type | string | |
| action_result.data.*.id | string | |
| action_result.data.*.links.self | string | |
| action_result.data.*.meta.url_info.id | string | sha256 |
| action_result.data.*.meta.url_info.url | string | url |
| action_result.data.*.type | string | |
| action_result.summary.harmless | numeric | |
| action_result.summary.malicious | numeric | |
| action_result.summary.scan_id | string | virustotal scan id |
| action_result.summary.scan_id | string | |
| action_result.summary.suspicious | numeric | |
| action_result.summary.undetected | numeric | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Upload a file to Virus Total and retrieve the analysis results
Type: investigate
Read only: True
detonate file will send a file to Virus Total for analysis. Virus Total, however, takes an indefinite amount of time to complete this scan. This action will poll for the results for a short amount of time. If it can not get the finished results in this amount of time, it will fail and return in the summary scan id. This should be used with the get report action to finish the scan.
If you attempt to upload a file which has already been scanned by Virus Total, it will not rescan the file but instead will return those already existing results.
Wait time parameter will be considered only if the given file has not been previously submitted to the VirusTotal Server. For the wait time parameter, the priority will be given to the action parameter over the asset configuration parameter.
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| vault_id | required | The Vault ID of the file to scan | string | vault id sha1 |
| wait_time | optional | Number of seconds to wait | numeric |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.vault_id | string | vault id sha1 |
| action_result.parameter.wait_time | numeric | |
| action_result.data.*.attributes.androguard.AndroguardVersion | string | |
| action_result.data.*.attributes.androguard.AndroidApplication | numeric | |
| action_result.data.*.attributes.androguard.AndroidApplicationError | boolean | |
| action_result.data.*.attributes.androguard.AndroidApplicationInfo | string | |
| action_result.data.*.attributes.androguard.AndroidVersionCode | string | |
| action_result.data.*.attributes.androguard.AndroidVersionName | string | |
| action_result.data.*.attributes.androguard.MinSdkVersion | string | |
| action_result.data.*.attributes.androguard.Package | string | |
| action_result.data.*.attributes.androguard.RiskIndicator.APK.* | numeric | |
| action_result.data.*.attributes.androguard.RiskIndicator.PERM.* | numeric | |
| action_result.data.*.attributes.androguard.TargetSdkVersion | string | |
| action_result.data.*.attributes.androguard.VTAndroidInfo | numeric | |
| action_result.data.*.attributes.androguard.certificate.Issuer.* | string | |
| action_result.data.*.attributes.androguard.certificate.Subject.* | string | |
| action_result.data.*.attributes.androguard.certificate.serialnumber | string | |
| action_result.data.*.attributes.androguard.certificate.thumbprint | string | |
| action_result.data.*.attributes.androguard.certificate.validfrom | string | |
| action_result.data.*.attributes.androguard.certificate.validto | string | |
| action_result.data.*.attributes.androguard.main_activity | string | |
| action_result.data.*.attributes.androguard.permission_details.android.permission.*.full_description | string | |
| action_result.data.*.attributes.androguard.permission_details.android.permission.*.permission_type | string | |
| action_result.data.*.attributes.androguard.permission_details.android.permission.*.short_description | string | |
| action_result.data.*.attributes.androguard.permission_details.com.ibm.android.analyzer.test.*.full_description | string | |
| action_result.data.*.attributes.androguard.permission_details.com.ibm.android.analyzer.test.*.permission_type | string | |
| action_result.data.*.attributes.androguard.permission_details.com.ibm.android.analyzer.test.*.short_description | string | |
| action_result.data.*.attributes.authentihash | string | |
| action_result.data.*.attributes.bundle_info.lowest_datetime | string | |
| action_result.data.*.attributes.bundle_info.highest_datetime | string | |
| action_result.data.*.attributes.bundle_info.num_children | numeric | |
| action_result.data.*.attributes.bundle_info.uncompressed_size | numeric | |
| action_result.data.*.attributes.bundle_info.type | string | |
| action_result.data.*.attributes.bundle_info.extensions.* | numeric | |
| action_result.data.*.attributes.bundle_info.file_types.* | numeric | |
| action_result.data.*.attributes.bytehero_info | string | |
| action_result.data.*.attributes.creation_date | numeric | |
| action_result.data.*.attributes.crowdsourced_ids_results.*.alert_severity | string | |
| action_result.data.*.attributes.crowdsourced_ids_results.*.rule_category | string | |
| action_result.data.*.attributes.crowdsourced_ids_results.*.rule_id | string | |
| action_result.data.*.attributes.crowdsourced_ids_results.*.rule_msg | string | |
| action_result.data.*.attributes.crowdsourced_ids_results.*.rule_raw | string | |
| action_result.data.*.attributes.crowdsourced_ids_results.*.rule_source | string | |
| action_result.data.*.attributes.crowdsourced_ids_results.*.rule_url | string | |
| action_result.data.*.attributes.crowdsourced_ids_stats.* | numeric | |
| action_result.data.*.attributes.first_seen_itw_date | numeric | |
| action_result.data.*.attributes.first_submission_date | numeric | |
| action_result.data.*.attributes.html_info.iframes.*.attributes.* | string | |
| action_result.data.*.attributes.html_info.scripts.*.attributes.src | string | |
| action_result.data.*.attributes.last_analysis_date | numeric | |
| action_result.data.*.attributes.last_analysis_results.*.vendor | string | |
| action_result.data.*.attributes.last_analysis_results.*.category | string | |
| action_result.data.*.attributes.last_analysis_results.*.engine_name | string | |
| action_result.data.*.attributes.last_analysis_results.*.engine_update | string | |
| action_result.data.*.attributes.last_analysis_results.*.engine_version | string | |
| action_result.data.*.attributes.last_analysis_results.*.method | string | |
| action_result.data.*.attributes.last_analysis_results.*.result | string | |
| action_result.data.*.attributes.last_analysis_stats.confirmed-timeout | numeric | |
| action_result.data.*.attributes.last_analysis_stats.failure | numeric | |
| action_result.data.*.attributes.last_analysis_stats.harmless | numeric | |
| action_result.data.*.attributes.last_analysis_stats.malicious | numeric | |
| action_result.data.*.attributes.last_analysis_stats.suspicious | numeric | |
| action_result.data.*.attributes.last_analysis_stats.timeout | numeric | |
| action_result.data.*.attributes.last_analysis_stats.type-unsupported | numeric | |
| action_result.data.*.attributes.last_analysis_stats.undetected | numeric | |
| action_result.data.*.attributes.last_modification_date | numeric | |
| action_result.data.*.attributes.last_submission_date | numeric | |
| action_result.data.*.attributes.magic | string | |
| action_result.data.*.attributes.md5 | string | md5 |
| action_result.data.*.attributes.meaningful_name | string | |
| action_result.data.*.attributes.names | string | |
| action_result.data.*.attributes.packers.F-PROT | string | |
| action_result.data.*.attributes.pdf_info.* | numeric | |
| action_result.data.*.attributes.pe_info.entry_point | numeric | |
| action_result.data.*.attributes.pe_info.imphash | string | |
| action_result.data.*.attributes.pe_info.import_list.*.library_name | string | |
| action_result.data.*.attributes.pe_info.machine_type | numeric | |
| action_result.data.*.attributes.pe_info.overlay.* | string | |
| action_result.data.*.attributes.pe_info.resource_details.*.chi2 | numeric | |
| action_result.data.*.attributes.pe_info.resource_details.*.entropy | numeric | |
| action_result.data.*.attributes.pe_info.resource_details.*.filetype | string | |
| action_result.data.*.attributes.pe_info.resource_details.*.lang | string | |
| action_result.data.*.attributes.pe_info.resource_details.*.sha256 | string | |
| action_result.data.*.attributes.pe_info.resource_details.*.type | string | |
| action_result.data.*.attributes.pe_info.resource_langs.CHINESE SIMPLIFIED | numeric | |
| action_result.data.*.attributes.pe_info.resource_types.RT_BITMAP | numeric | |
| action_result.data.*.attributes.pe_info.resource_types.RT_CURSOR | numeric | |
| action_result.data.*.attributes.pe_info.resource_types.RT_GROUP_CURSOR | numeric | |
| action_result.data.*.attributes.pe_info.resource_types.RT_MENU | numeric | |
| action_result.data.*.attributes.pe_info.resource_types.RT_VERSION | numeric | |
| action_result.data.*.attributes.pe_info.rich_pe_header_hash | string | |
| action_result.data.*.attributes.pe_info.sections.*.chi2 | numeric | |
| action_result.data.*.attributes.pe_info.sections.*.entropy | numeric | |
| action_result.data.*.attributes.pe_info.sections.*.flags | string | |
| action_result.data.*.attributes.pe_info.sections.*.md5 | string | |
| action_result.data.*.attributes.pe_info.sections.*.name | string | |
| action_result.data.*.attributes.pe_info.sections.*.raw_size | numeric | |
| action_result.data.*.attributes.pe_info.sections.*.virtual_address | numeric | |
| action_result.data.*.attributes.pe_info.sections.*.virtual_size | numeric | |
| action_result.data.*.attributes.pe_info.timestamp | numeric | |
| action_result.data.*.attributes.popular_threat_classification.popular_threat_category.*.count | numeric | |
| action_result.data.*.attributes.popular_threat_classification.popular_threat_category.*.value | string | |
| action_result.data.*.attributes.popular_threat_classification.popular_threat_name.*.count | numeric | |
| action_result.data.*.attributes.popular_threat_classification.popular_threat_name.*.value | string | |
| action_result.data.*.attributes.popular_threat_classification.suggested_threat_label | string | |
| action_result.data.*.attributes.reputation | numeric | |
| action_result.data.*.attributes.sandbox_verdicts.Lastline.* | string | |
| action_result.data.*.attributes.sandbox_verdicts.Tencent HABO.* | string | |
| action_result.data.*.attributes.sha1 | string | sha1 |
| action_result.data.*.attributes.sha256 | string | sha256 |
| action_result.data.*.attributes.signature_info.* | string | |
| action_result.data.*.attributes.size | numeric | |
| action_result.data.*.attributes.ssdeep | string | |
| action_result.data.*.attributes.tags | string | |
| action_result.data.*.attributes.times_submitted | numeric | |
| action_result.data.*.attributes.tlsh | string | |
| action_result.data.*.attributes.total_votes.harmless | numeric | |
| action_result.data.*.attributes.total_votes.malicious | numeric | |
| action_result.data.*.attributes.trid.*.file_type | string | |
| action_result.data.*.attributes.trid.*.probability | numeric | |
| action_result.data.*.attributes.type_description | string | |
| action_result.data.*.attributes.type_extension | string | |
| action_result.data.*.attributes.type_tag | string | |
| action_result.data.*.attributes.unique_sources | numeric | |
| action_result.data.*.attributes.vhash | string | |
| action_result.data.*.data.attributes.date | numeric | |
| action_result.data.*.data.attributes.results.*.category | string | |
| action_result.data.*.data.attributes.results.*.engine_name | string | |
| action_result.data.*.data.attributes.results.*.engine_update | string | |
| action_result.data.*.data.attributes.results.*.engine_version | string | |
| action_result.data.*.data.attributes.results.*.method | string | |
| action_result.data.*.data.attributes.results.*.result | string | |
| action_result.data.*.data.attributes.stats.confirmed-timeout | numeric | |
| action_result.data.*.data.attributes.stats.failure | numeric | |
| action_result.data.*.data.attributes.stats.harmless | numeric | |
| action_result.data.*.data.attributes.stats.malicious | numeric | |
| action_result.data.*.data.attributes.stats.suspicious | numeric | |
| action_result.data.*.data.attributes.stats.timeout | numeric | |
| action_result.data.*.data.attributes.stats.type-unsupported | numeric | |
| action_result.data.*.data.attributes.stats.undetected | numeric | |
| action_result.data.*.data.attributes.status | string | |
| action_result.data.*.data.id | string | virustotal scan id |
| action_result.data.*.data.type | string | |
| action_result.data.*.id | string | sha256 |
| action_result.data.*.links.self | string | url |
| action_result.data.*.meta.file_info.md5 | string | md5 |
| action_result.data.*.meta.file_info.name | string | |
| action_result.data.*.meta.file_info.sha1 | string | sha1 |
| action_result.data.*.meta.file_info.sha256 | string | sha256 |
| action_result.data.*.meta.file_info.size | numeric | |
| action_result.data.*.type | string | |
| action_result.summary.harmless | numeric | |
| action_result.summary.malicious | numeric | |
| action_result.summary.scan_id | string | virustotal scan id |
| action_result.summary.scan_id | string | |
| action_result.summary.suspicious | numeric | |
| action_result.summary.undetected | numeric | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Get the results using the scan id from a detonate file or detonate url action
Type: investigate
Read only: True
For the wait time parameter, the priority will be given to the action parameter over the asset configuration parameter.
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| scan_id | required | Scan ID | string | virustotal scan id |
| wait_time | optional | Number of seconds to wait | numeric |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.scan_id | string | virustotal scan id |
| action_result.parameter.wait_time | numeric | |
| action_result.data.*.data.attributes.date | numeric | |
| action_result.data.*.data.attributes.results.*.category | string | |
| action_result.data.*.data.attributes.results.*.engine_name | string | |
| action_result.data.*.data.attributes.results.*.engine_update | string | |
| action_result.data.*.data.attributes.results.*.engine_version | string | |
| action_result.data.*.data.attributes.results.*.method | string | |
| action_result.data.*.data.attributes.results.*.result | string | |
| action_result.data.*.data.attributes.stats.harmless | numeric | |
| action_result.data.*.data.attributes.stats.malicious | numeric | |
| action_result.data.*.data.attributes.stats.suspicious | numeric | |
| action_result.data.*.data.attributes.stats.timeout | numeric | |
| action_result.data.*.data.attributes.stats.undetected | numeric | |
| action_result.data.*.data.attributes.status | string | |
| action_result.data.*.data.id | string | |
| action_result.data.*.data.links.self | string | url |
| action_result.data.*.data.type | string | |
| action_result.data.*.meta.url_info.url | string | |
| action_result.data.*.meta.file_info.sha256 | string | |
| action_result.data.*.meta.url_info.id | string | sha256 |
| action_result.summary.harmless | numeric | |
| action_result.summary.malicious | numeric | |
| action_result.summary.scan_id | string | |
| action_result.summary.suspicious | numeric | |
| action_result.summary.undetected | numeric | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |