Publisher: Splunk
Connector Version: 1.2.14
Product Vendor: VirusTotal
Product Name: VirusTotal v3
Product Version Supported (regex): ".*"
Minimum Product Version: 5.0.0
This app integrates with the VirusTotal cloud to implement investigative and reputation actions using the v3 APIs.
The configuration variables below are required for this connector to operate. They are specified when configuring a VirusTotal v3 asset in SOAR.
VARIABLE | REQUIRED | TYPE | DESCRIPTION |
---|---|---|---|
apikey | required | password | VirusTotal API key |
poll_interval | optional | numeric | Number of minutes to poll for a detonation result (Default: 5) |
waiting_time | optional | numeric | Number of seconds to wait before polling for a detonation result (Default: 0) |
rate_limit | optional | boolean | Limit number of requests to 4 per minute |
test connectivity - Validate the asset configuration for connectivity using supplied configuration
domain reputation - Queries VirusTotal for domain info
file reputation - Queries VirusTotal for file reputation info
get file - Downloads a file from VirusTotal, and adds it to the vault
ip reputation - Queries VirusTotal for IP info
url reputation - Queries VirusTotal for URL info
detonate url - Load a URL to VirusTotal and retrieve analysis results
detonate file - Upload a file to VirusTotal and retrieve the analysis results
get report - Get the results using the scan id from a detonate file or detonate url action
Validate the asset configuration for connectivity using supplied configuration
Type: test
Read only: True
No parameters are required for this action
No Output
Queries VirusTotal for domain info
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
domain | required | Domain to query | string | domain |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.domain | string | domain |
action_result.data.*.attributes.categories.BitDefender | string | |
action_result.data.*.attributes.categories.Comodo Valkyrie Verdict | string | |
action_result.data.*.attributes.categories.Dr.Web | string | |
action_result.data.*.attributes.categories.Forcepoint ThreatSeeker | string | |
action_result.data.*.attributes.categories.Sophos | string | |
action_result.data.*.attributes.categories.alphaMountain.ai | string | |
action_result.data.*.attributes.categories.sophos | string | |
action_result.data.*.attributes.creation_date | numeric | |
action_result.data.*.attributes.jarm | string | |
action_result.data.*.attributes.last_analysis_results.*.vendor | string | |
action_result.data.*.attributes.last_analysis_results.*.category | string | |
action_result.data.*.attributes.last_analysis_results.*.engine_name | string | |
action_result.data.*.attributes.last_analysis_results.*.method | string | |
action_result.data.*.attributes.last_analysis_results.*.result | string | |
action_result.data.*.attributes.last_analysis_stats.harmless | numeric | |
action_result.data.*.attributes.last_analysis_stats.malicious | numeric | |
action_result.data.*.attributes.last_analysis_stats.suspicious | numeric | |
action_result.data.*.attributes.last_analysis_stats.timeout | numeric | |
action_result.data.*.attributes.last_analysis_stats.undetected | numeric | |
action_result.data.*.attributes.last_dns_records.*.expire | numeric | |
action_result.data.*.attributes.last_dns_records.*.flag | numeric | |
action_result.data.*.attributes.last_dns_records.*.minimum | numeric | |
action_result.data.*.attributes.last_dns_records.*.priority | numeric | |
action_result.data.*.attributes.last_dns_records.*.refresh | numeric | |
action_result.data.*.attributes.last_dns_records.*.retry | numeric | |
action_result.data.*.attributes.last_dns_records.*.rname | string | |
action_result.data.*.attributes.last_dns_records.*.serial | numeric | |
action_result.data.*.attributes.last_dns_records.*.tag | string | |
action_result.data.*.attributes.last_dns_records.*.ttl | numeric | |
action_result.data.*.attributes.last_dns_records.*.type | string | |
action_result.data.*.attributes.last_dns_records.*.value | string | ip |
action_result.data.*.attributes.last_dns_records_date | numeric | |
action_result.data.*.attributes.last_https_certificate.cert_signature.signature | string | |
action_result.data.*.attributes.last_https_certificate.cert_signature.signature_algorithm | string | |
action_result.data.*.attributes.last_https_certificate.extensions.1.3.6.1.4.1.11129.2.4.2 | string | sha256 |
action_result.data.*.attributes.last_https_certificate.extensions.CA | boolean | |
action_result.data.*.attributes.last_https_certificate.extensions.authority_key_identifier.keyid | string | sha1 |
action_result.data.*.attributes.last_https_certificate.extensions.ca_information_access.CA Issuers | string | url |
action_result.data.*.attributes.last_https_certificate.extensions.ca_information_access.OCSP | string | url |
action_result.data.*.attributes.last_https_certificate.extensions.certificate_policies | string | |
action_result.data.*.attributes.last_https_certificate.extensions.crl_distribution_points | string | url |
action_result.data.*.attributes.last_https_certificate.extensions.extended_key_usage | string | |
action_result.data.*.attributes.last_https_certificate.extensions.key_usage | string | |
action_result.data.*.attributes.last_https_certificate.extensions.subject_alternative_name | string | |
action_result.data.*.attributes.last_https_certificate.extensions.subject_key_identifier | string | sha1 |
action_result.data.*.attributes.last_https_certificate.issuer.C | string | |
action_result.data.*.attributes.last_https_certificate.issuer.CN | string | |
action_result.data.*.attributes.last_https_certificate.issuer.O | string | |
action_result.data.*.attributes.last_https_certificate.issuer.OU | string | |
action_result.data.*.attributes.last_https_certificate.public_key.algorithm | string | |
action_result.data.*.attributes.last_https_certificate.public_key.ec.oid | string | |
action_result.data.*.attributes.last_https_certificate.public_key.ec.pub | string | |
action_result.data.*.attributes.last_https_certificate.serial_number | string | md5 |
action_result.data.*.attributes.last_https_certificate.signature_algorithm | string | |
action_result.data.*.attributes.last_https_certificate.size | numeric | |
action_result.data.*.attributes.last_https_certificate.subject.C | string | |
action_result.data.*.attributes.last_https_certificate.subject.CN | string | |
action_result.data.*.attributes.last_https_certificate.subject.L | string | |
action_result.data.*.attributes.last_https_certificate.subject.O | string | |
action_result.data.*.attributes.last_https_certificate.subject.ST | string | |
action_result.data.*.attributes.last_https_certificate.thumbprint | string | sha1 |
action_result.data.*.attributes.last_https_certificate.thumbprint_sha256 | string | sha256 |
action_result.data.*.attributes.last_https_certificate.validity.not_after | string | |
action_result.data.*.attributes.last_https_certificate.validity.not_before | string | |
action_result.data.*.attributes.last_https_certificate.version | string | |
action_result.data.*.attributes.last_https_certificate_date | numeric | |
action_result.data.*.attributes.last_modification_date | numeric | |
action_result.data.*.attributes.last_update_date | numeric | |
action_result.data.*.attributes.popularity_ranks.Alexa.rank | numeric | |
action_result.data.*.attributes.popularity_ranks.Alexa.timestamp | numeric | |
action_result.data.*.attributes.popularity_ranks.Cisco Umbrella.rank | numeric | |
action_result.data.*.attributes.popularity_ranks.Cisco Umbrella.timestamp | numeric | |
action_result.data.*.attributes.popularity_ranks.Majestic.rank | numeric | |
action_result.data.*.attributes.popularity_ranks.Majestic.timestamp | numeric | |
action_result.data.*.attributes.popularity_ranks.Quantcast.rank | numeric | |
action_result.data.*.attributes.popularity_ranks.Quantcast.timestamp | numeric | |
action_result.data.*.attributes.popularity_ranks.Statvoo.rank | numeric | |
action_result.data.*.attributes.popularity_ranks.Statvoo.timestamp | numeric | |
action_result.data.*.attributes.registrar | string | |
action_result.data.*.attributes.reputation | numeric | |
action_result.data.*.attributes.total_votes.harmless | numeric | |
action_result.data.*.attributes.total_votes.malicious | numeric | |
action_result.data.*.attributes.whois | string | |
action_result.data.*.attributes.whois_date | numeric | |
action_result.data.*.id | string | domain |
action_result.data.*.links.self | string | url |
action_result.data.*.type | string | |
action_result.summary.harmless | numeric | |
action_result.summary.malicious | numeric | |
action_result.summary.suspicious | numeric | |
action_result.summary.undetected | numeric | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Queries VirusTotal for file reputation info
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
hash | required | File hash to query | string | hash sha256 sha1 md5 |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.hash | string | hash sha256 sha1 md5 |
action_result.data.*.attributes.authentihash | string | |
action_result.data.*.attributes.creation_date | numeric | |
action_result.data.*.attributes.first_submission_date | numeric | |
action_result.data.*.attributes.last_analysis_date | numeric | |
action_result.data.*.attributes.last_analysis_results.*.vendor | string | |
action_result.data.*.attributes.last_analysis_results.*.category | string | |
action_result.data.*.attributes.last_analysis_results.*.engine_name | string | |
action_result.data.*.attributes.last_analysis_results.*.engine_update | string | |
action_result.data.*.attributes.last_analysis_results.*.engine_version | string | |
action_result.data.*.attributes.last_analysis_results.*.method | string | |
action_result.data.*.attributes.last_analysis_results.*.result | string | |
action_result.data.*.attributes.last_analysis_stats.confirmed-timeout | numeric | |
action_result.data.*.attributes.last_analysis_stats.failure | numeric | |
action_result.data.*.attributes.last_analysis_stats.harmless | numeric | |
action_result.data.*.attributes.last_analysis_stats.malicious | numeric | |
action_result.data.*.attributes.last_analysis_stats.suspicious | numeric | |
action_result.data.*.attributes.last_analysis_stats.timeout | numeric | |
action_result.data.*.attributes.last_analysis_stats.type-unsupported | numeric | |
action_result.data.*.attributes.last_analysis_stats.undetected | numeric | |
action_result.data.*.attributes.last_modification_date | numeric | |
action_result.data.*.attributes.last_submission_date | numeric | |
action_result.data.*.attributes.magic | string | |
action_result.data.*.attributes.md5 | string | md5 |
action_result.data.*.attributes.meaningful_name | string | |
action_result.data.*.attributes.names | string | |
action_result.data.*.attributes.pe_info.entry_point | numeric | |
action_result.data.*.attributes.pe_info.imphash | string | |
action_result.data.*.attributes.pe_info.import_list.*.library_name | string | |
action_result.data.*.attributes.pe_info.machine_type | numeric | |
action_result.data.*.attributes.pe_info.resource_details.*.chi2 | numeric | |
action_result.data.*.attributes.pe_info.resource_details.*.entropy | numeric | |
action_result.data.*.attributes.pe_info.resource_details.*.filetype | string | |
action_result.data.*.attributes.pe_info.resource_details.*.lang | string | |
action_result.data.*.attributes.pe_info.resource_details.*.sha256 | string | |
action_result.data.*.attributes.pe_info.resource_details.*.type | string | |
action_result.data.*.attributes.pe_info.resource_langs.ENGLISH US | numeric | |
action_result.data.*.attributes.pe_info.resource_langs.RUSSIAN | numeric | |
action_result.data.*.attributes.pe_info.resource_types.RT_BITMAP | numeric | |
action_result.data.*.attributes.pe_info.resource_types.RT_DIALOG | numeric | |
action_result.data.*.attributes.pe_info.resource_types.RT_MANIFEST | numeric | |
action_result.data.*.attributes.pe_info.resource_types.RT_MENU | numeric | |
action_result.data.*.attributes.pe_info.resource_types.RT_VERSION | numeric | |
action_result.data.*.attributes.pe_info.rich_pe_header_hash | string | |
action_result.data.*.attributes.pe_info.sections.*.chi2 | numeric | |
action_result.data.*.attributes.pe_info.sections.*.entropy | numeric | |
action_result.data.*.attributes.pe_info.sections.*.flags | string | |
action_result.data.*.attributes.pe_info.sections.*.md5 | string | |
action_result.data.*.attributes.pe_info.sections.*.name | string | |
action_result.data.*.attributes.pe_info.sections.*.raw_size | numeric | |
action_result.data.*.attributes.pe_info.sections.*.virtual_address | numeric | |
action_result.data.*.attributes.pe_info.sections.*.virtual_size | numeric | |
action_result.data.*.attributes.pe_info.timestamp | numeric | |
action_result.data.*.attributes.popular_threat_classification.popular_threat_category.*.count | numeric | |
action_result.data.*.attributes.popular_threat_classification.popular_threat_category.*.value | string | |
action_result.data.*.attributes.popular_threat_classification.popular_threat_name.*.count | numeric | |
action_result.data.*.attributes.popular_threat_classification.popular_threat_name.*.value | string | |
action_result.data.*.attributes.popular_threat_classification.suggested_threat_label | string | |
action_result.data.*.attributes.reputation | numeric | |
action_result.data.*.attributes.sandbox_verdicts.Tencent HABO.* | string | |
action_result.data.*.attributes.sha1 | string | sha1 |
action_result.data.*.attributes.sha256 | string | sha256 |
action_result.data.*.attributes.signature_info.* | string | |
action_result.data.*.attributes.size | numeric | |
action_result.data.*.attributes.ssdeep | string | |
action_result.data.*.attributes.tags | string | |
action_result.data.*.attributes.times_submitted | numeric | |
action_result.data.*.attributes.tlsh | string | |
action_result.data.*.attributes.total_votes.harmless | numeric | |
action_result.data.*.attributes.total_votes.malicious | numeric | |
action_result.data.*.attributes.trid.*.file_type | string | |
action_result.data.*.attributes.trid.*.probability | numeric | |
action_result.data.*.attributes.type_description | string | |
action_result.data.*.attributes.type_extension | string | |
action_result.data.*.attributes.type_tag | string | |
action_result.data.*.attributes.unique_sources | numeric | |
action_result.data.*.attributes.vhash | string | |
action_result.data.*.id | string | sha256 |
action_result.data.*.links.self | string | url |
action_result.data.*.type | string | |
action_result.summary.harmless | numeric | |
action_result.summary.malicious | numeric | |
action_result.summary.suspicious | numeric | |
action_result.summary.undetected | numeric | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Downloads a file from VirusTotal, and adds it to the vault
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
hash | required | Hash of file to get | string | hash sha256 sha1 md5 |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.hash | string | hash sha256 sha1 md5 |
action_result.data | string | |
action_result.summary | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Queries VirusTotal for IP info
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ip | required | IP to query | string | ip ipv6 |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.ip | string | ip ipv6 |
action_result.data.*.attributes.as_owner | string | |
action_result.data.*.attributes.asn | numeric | |
action_result.data.*.attributes.continent | string | |
action_result.data.*.attributes.country | string | |
action_result.data.*.attributes.crowdsourced_context.*.detail | string | |
action_result.data.*.attributes.crowdsourced_context.*.severity | string | |
action_result.data.*.attributes.crowdsourced_context.*.source | string | |
action_result.data.*.attributes.crowdsourced_context.*.timestamp | numeric | |
action_result.data.*.attributes.crowdsourced_context.*.title | string | |
action_result.data.*.attributes.jarm | string | |
action_result.data.*.attributes.last_analysis_results.*.vendor | string | |
action_result.data.*.attributes.last_analysis_results.*.category | string | |
action_result.data.*.attributes.last_analysis_results.*.engine_name | string | |
action_result.data.*.attributes.last_analysis_results.*.method | string | |
action_result.data.*.attributes.last_analysis_results.*.result | string | |
action_result.data.*.attributes.last_analysis_stats.harmless | numeric | |
action_result.data.*.attributes.last_analysis_stats.malicious | numeric | |
action_result.data.*.attributes.last_analysis_stats.suspicious | numeric | |
action_result.data.*.attributes.last_analysis_stats.timeout | numeric | |
action_result.data.*.attributes.last_analysis_stats.undetected | numeric | |
action_result.data.*.attributes.last_https_certificate.cert_signature.signature | string | |
action_result.data.*.attributes.last_https_certificate.cert_signature.signature_algorithm | string | |
action_result.data.*.attributes.last_https_certificate.extensions.1.3.6.1.4.1.11129.2.4.2 | string | |
action_result.data.*.attributes.last_https_certificate.extensions.CA | boolean | |
action_result.data.*.attributes.last_https_certificate.extensions.authority_key_identifier.keyid | string | |
action_result.data.*.attributes.last_https_certificate.extensions.ca_information_access.CA Issuers | string | |
action_result.data.*.attributes.last_https_certificate.extensions.ca_information_access.OCSP | string | |
action_result.data.*.attributes.last_https_certificate.extensions.subject_key_identifier | string | |
action_result.data.*.attributes.last_https_certificate.issuer.* | string | |
action_result.data.*.attributes.last_https_certificate.public_key.algorithm | string | |
action_result.data.*.attributes.last_https_certificate.public_key.rsa.exponent | string | |
action_result.data.*.attributes.last_https_certificate.public_key.rsa.key_size | numeric | |
action_result.data.*.attributes.last_https_certificate.public_key.rsa.modulus | string | |
action_result.data.*.attributes.last_https_certificate.serial_number | string | |
action_result.data.*.attributes.last_https_certificate.signature_algorithm | string | |
action_result.data.*.attributes.last_https_certificate.size | numeric | |
action_result.data.*.attributes.last_https_certificate.subject.CN | string | |
action_result.data.*.attributes.last_https_certificate.thumbprint | string | |
action_result.data.*.attributes.last_https_certificate.thumbprint_sha256 | string | |
action_result.data.*.attributes.last_https_certificate.validity.not_after | string | |
action_result.data.*.attributes.last_https_certificate.validity.not_before | string | |
action_result.data.*.attributes.last_https_certificate.version | string | |
action_result.data.*.attributes.last_https_certificate_date | numeric | |
action_result.data.*.attributes.last_modification_date | numeric | |
action_result.data.*.attributes.network | string | |
action_result.data.*.attributes.regional_internet_registry | string | |
action_result.data.*.attributes.reputation | numeric | |
action_result.data.*.attributes.total_votes.harmless | numeric | |
action_result.data.*.attributes.total_votes.malicious | numeric | |
action_result.data.*.attributes.whois | string | |
action_result.data.*.attributes.whois_date | numeric | |
action_result.data.*.id | string | ip |
action_result.data.*.links.self | string | url |
action_result.data.*.type | string | |
action_result.summary.harmless | numeric | |
action_result.summary.malicious | numeric | |
action_result.summary.suspicious | numeric | |
action_result.summary.undetected | numeric | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Queries VirusTotal for URL info
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
url | required | URL to query | string | url domain |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.url | string | url domain |
action_result.data.*.attributes.categories.* | string | |
action_result.data.*.attributes.categories.Dr.Web | string | |
action_result.data.*.attributes.categories.alphaMountain.ai | string | |
action_result.data.*.attributes.first_submission_date | numeric | |
action_result.data.*.attributes.last_analysis_date | numeric | |
action_result.data.*.attributes.last_analysis_results.*.vendor | string | |
action_result.data.*.attributes.last_analysis_results.*.category | string | |
action_result.data.*.attributes.last_analysis_results.*.engine_name | string | |
action_result.data.*.attributes.last_analysis_results.*.method | string | |
action_result.data.*.attributes.last_analysis_results.*.result | string | |
action_result.data.*.attributes.last_analysis_stats.harmless | numeric | |
action_result.data.*.attributes.last_analysis_stats.malicious | numeric | |
action_result.data.*.attributes.last_analysis_stats.suspicious | numeric | |
action_result.data.*.attributes.last_analysis_stats.timeout | numeric | |
action_result.data.*.attributes.last_analysis_stats.undetected | numeric | |
action_result.data.*.attributes.last_final_url | string | |
action_result.data.*.attributes.last_http_response_code | numeric | |
action_result.data.*.attributes.last_http_response_content_length | numeric | |
action_result.data.*.attributes.last_http_response_content_sha256 | string | |
action_result.data.*.attributes.last_http_response_cookies.* | string | |
action_result.data.*.attributes.last_http_response_headers.* | string | |
action_result.data.*.attributes.last_modification_date | numeric | |
action_result.data.*.attributes.last_submission_date | numeric | |
action_result.data.*.attributes.reputation | numeric | |
action_result.data.*.attributes.times_submitted | numeric | |
action_result.data.*.attributes.title | string | |
action_result.data.*.attributes.total_votes.harmless | numeric | |
action_result.data.*.attributes.total_votes.malicious | numeric | |
action_result.data.*.attributes.trackers.ScoreCard Research Beacon.*.id | string | |
action_result.data.*.attributes.trackers.ScoreCard Research Beacon.*.timestamp | numeric | |
action_result.data.*.attributes.trackers.ScoreCard Research Beacon.*.url | string | |
action_result.data.*.attributes.trackers.Yahoo Dot Tags.*.timestamp | numeric | |
action_result.data.*.attributes.trackers.Yahoo Dot Tags.*.url | string | |
action_result.data.*.attributes.url | string | |
action_result.data.*.id | string | |
action_result.data.*.links.self | string | |
action_result.data.*.type | string | |
action_result.summary.harmless | numeric | |
action_result.summary.malicious | numeric | |
action_result.summary.scan_id | string | virustotal scan id |
action_result.summary.suspicious | numeric | |
action_result.summary.undetected | numeric | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Load a URL to VirusTotal and retrieve analysis results
Type: investigate
Read only: True
detonate url sends a URL to VirusTotal for analysis. VirusTotal takes an indefinite amount of time to complete the scan, so this action polls for the results for only a short time. If it cannot get the finished results within that time, it fails and returns the scan id in the summary; pass that scan id to the get report action to retrieve the finished results.
If you submit a URL that VirusTotal has already scanned, it will not rescan the URL; the existing results are returned instead.
The wait time parameter is considered only if the given URL has not been previously submitted to VirusTotal. For the wait time, the action parameter takes priority over the asset configuration parameter.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
url | required | URL to detonate | string | url domain |
wait_time | optional | Number of seconds to wait | numeric | |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.url | string | url domain |
action_result.parameter.wait_time | numeric | |
action_result.data.*.attributes.categories.* | string | |
action_result.data.*.attributes.categories.Dr.Web | string | |
action_result.data.*.attributes.first_submission_date | numeric | |
action_result.data.*.attributes.last_analysis_date | numeric | |
action_result.data.*.attributes.last_analysis_results.*.vendor | string | |
action_result.data.*.attributes.last_analysis_results.*.category | string | |
action_result.data.*.attributes.last_analysis_results.*.engine_name | string | |
action_result.data.*.attributes.last_analysis_results.*.method | string | |
action_result.data.*.attributes.last_analysis_results.*.result | string | |
action_result.data.*.attributes.last_analysis_stats.harmless | numeric | |
action_result.data.*.attributes.last_analysis_stats.malicious | numeric | |
action_result.data.*.attributes.last_analysis_stats.suspicious | numeric | |
action_result.data.*.attributes.last_analysis_stats.timeout | numeric | |
action_result.data.*.attributes.last_analysis_stats.undetected | numeric | |
action_result.data.*.attributes.last_final_url | string | |
action_result.data.*.attributes.last_http_response_code | numeric | |
action_result.data.*.attributes.last_http_response_content_length | numeric | |
action_result.data.*.attributes.last_http_response_content_sha256 | string | |
action_result.data.*.attributes.last_http_response_cookies.* | string | |
action_result.data.*.attributes.last_http_response_headers.* | string | |
action_result.data.*.attributes.last_modification_date | numeric | |
action_result.data.*.attributes.last_submission_date | numeric | |
action_result.data.*.attributes.reputation | numeric | |
action_result.data.*.attributes.times_submitted | numeric | |
action_result.data.*.attributes.title | string | |
action_result.data.*.attributes.total_votes.harmless | numeric | |
action_result.data.*.attributes.total_votes.malicious | numeric | |
action_result.data.*.attributes.url | string | |
action_result.data.*.data.attributes.date | numeric | |
action_result.data.*.data.attributes.results.*.category | string | |
action_result.data.*.data.attributes.results.*.engine_name | string | |
action_result.data.*.data.attributes.results.*.method | string | |
action_result.data.*.data.attributes.results.*.result | string | |
action_result.data.*.data.attributes.stats.harmless | numeric | |
action_result.data.*.data.attributes.stats.malicious | numeric | |
action_result.data.*.data.attributes.stats.suspicious | numeric | |
action_result.data.*.data.attributes.stats.timeout | numeric | |
action_result.data.*.data.attributes.stats.undetected | numeric | |
action_result.data.*.data.attributes.status | string | |
action_result.data.*.data.id | string | virustotal scan id |
action_result.data.*.data.type | string | |
action_result.data.*.id | string | |
action_result.data.*.links.self | string | |
action_result.data.*.meta.url_info.id | string | sha256 |
action_result.data.*.meta.url_info.url | string | url |
action_result.data.*.type | string | |
action_result.summary.harmless | numeric | |
action_result.summary.malicious | numeric | |
action_result.summary.scan_id | string | virustotal scan id |
action_result.summary.suspicious | numeric | |
action_result.summary.undetected | numeric | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Upload a file to VirusTotal and retrieve the analysis results
Type: investigate
Read only: True
detonate file sends a file to VirusTotal for analysis. VirusTotal takes an indefinite amount of time to complete the scan, so this action polls for the results for only a short time. If it cannot get the finished results within that time, it fails and returns the scan id in the summary; pass that scan id to the get report action to retrieve the finished results.
If you submit a file that VirusTotal has already scanned, it will not rescan the file; the existing results are returned instead.
The wait time parameter is considered only if the given file has not been previously submitted to VirusTotal. For the wait time, the action parameter takes priority over the asset configuration parameter.
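The submit-then-poll flow described for detonate url and detonate file, written out as an added example rather than the connector's own code. The VirusTotal API is replaced by a constructed in-memory FakeVirusTotal stub so it runs offline; the stub's method names, the 10-second poll step, the scan ids and the stats values are assumptions, while the poll_interval and waiting_time defaults, the wait-time precedence rule and the data.attributes.status / stats result shape follow this page.

```python
import time
from typing import Callable, Dict, List, Optional

# Asset configuration defaults taken from the configuration table on this page.
DEFAULT_POLL_INTERVAL_MIN = 5   # poll_interval: minutes to poll for a detonation result
DEFAULT_WAITING_TIME_S = 0      # waiting_time: seconds to wait before the first poll
POLL_STEP_S = 10                # assumption: seconds between two status checks


class FakeVirusTotal:
    """Constructed in-memory stand-in for the v3 endpoints the flow touches.

    `known` maps an indicator (URL or file hash) to a stored report object;
    `polls_until_done` maps a scan id to the number of status checks needed
    before the analysis reports status "completed".
    """

    def __init__(self, known: Dict[str, dict], polls_until_done: Dict[str, int]):
        self.known = known
        self.polls_until_done = polls_until_done
        self.poll_counts: Dict[str, int] = {}
        self.submissions: List[str] = []

    def get_existing(self, indicator: str) -> Optional[dict]:
        # Lookup behind "already scanned, do not rescan".
        return self.known.get(indicator)

    def submit(self, indicator: str) -> str:
        # Stands in for POST /urls or POST /files: returns a new analysis id.
        self.submissions.append(indicator)
        scan_id = "scan-%d" % len(self.submissions)  # constructed scan id
        self.poll_counts[scan_id] = 0
        return scan_id

    def get_analysis(self, scan_id: str) -> dict:
        # Stands in for GET /analyses/{id}; shape follows the data.attributes.* paths above.
        self.poll_counts[scan_id] += 1
        done = self.poll_counts[scan_id] >= self.polls_until_done.get(scan_id, 1)
        attributes = {"status": "completed" if done else "queued"}
        if done:  # constructed verdict counters
            attributes["stats"] = {"harmless": 70, "malicious": 3, "suspicious": 1,
                                   "undetected": 10, "timeout": 0}
        return {"data": {"type": "analysis", "id": scan_id, "attributes": attributes}}


def effective_wait_time(asset_waiting_time: int, action_wait_time: Optional[int]) -> int:
    """The action's wait_time takes priority over the asset's waiting_time.
    None means the action parameter was not supplied (assumption)."""
    return asset_waiting_time if action_wait_time is None else action_wait_time


def summarize(stats: dict) -> dict:
    """Reduce analysis stats to the four counters in action_result.summary."""
    return {k: stats.get(k, 0) for k in ("harmless", "malicious", "suspicious", "undetected")}


def detonate(vt: FakeVirusTotal, indicator: str,
             poll_interval_min: int = DEFAULT_POLL_INTERVAL_MIN,
             asset_waiting_time: int = DEFAULT_WAITING_TIME_S,
             action_wait_time: Optional[int] = None,
             sleep: Callable[[float], None] = time.sleep) -> dict:
    """Submit a URL or file and poll for the verdict as the page describes."""
    # 1. Already scanned: return the stored report; the wait time is not applied.
    existing = vt.get_existing(indicator)
    if existing is not None:
        return {"status": "success", "scan_id": None, "submitted": False,
                "summary": summarize(existing["attributes"]["last_analysis_stats"])}

    # 2. New submission: honour the initial delay, then poll for at most poll_interval minutes.
    scan_id = vt.submit(indicator)
    sleep(effective_wait_time(asset_waiting_time, action_wait_time))
    deadline_s = poll_interval_min * 60
    elapsed_s = 0
    while True:
        attributes = vt.get_analysis(scan_id)["data"]["attributes"]
        if attributes["status"] == "completed":
            return {"status": "success", "scan_id": scan_id, "submitted": True,
                    "summary": summarize(attributes["stats"])}
        if elapsed_s >= deadline_s:
            # 3. Out of time: fail, but hand back the scan id for a later get report.
            return {"status": "failed", "scan_id": scan_id, "submitted": True,
                    "summary": None}
        sleep(POLL_STEP_S)
        elapsed_s += POLL_STEP_S


if __name__ == "__main__":
    # Constructed run: the analysis completes on the second status check.
    vt = FakeVirusTotal(known={}, polls_until_done={"scan-1": 2})
    print(detonate(vt, "http://fresh.example/", action_wait_time=30, sleep=lambda s: None))
```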
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
vault_id | required | The Vault ID of the file to scan | string | vault id sha1 |
wait_time | optional | Number of seconds to wait | numeric | |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.vault_id | string | vault id sha1 |
action_result.parameter.wait_time | numeric | |
action_result.data.*.attributes.androguard.AndroguardVersion | string | |
action_result.data.*.attributes.androguard.AndroidApplication | numeric | |
action_result.data.*.attributes.androguard.AndroidApplicationError | boolean | |
action_result.data.*.attributes.androguard.AndroidApplicationInfo | string | |
action_result.data.*.attributes.androguard.AndroidVersionCode | string | |
action_result.data.*.attributes.androguard.AndroidVersionName | string | |
action_result.data.*.attributes.androguard.MinSdkVersion | string | |
action_result.data.*.attributes.androguard.Package | string | |
action_result.data.*.attributes.androguard.RiskIndicator.APK.* | numeric | |
action_result.data.*.attributes.androguard.RiskIndicator.PERM.* | numeric | |
action_result.data.*.attributes.androguard.TargetSdkVersion | string | |
action_result.data.*.attributes.androguard.VTAndroidInfo | numeric | |
action_result.data.*.attributes.androguard.certificate.Issuer.* | string | |
action_result.data.*.attributes.androguard.certificate.Subject.* | string | |
action_result.data.*.attributes.androguard.certificate.serialnumber | string | |
action_result.data.*.attributes.androguard.certificate.thumbprint | string | |
action_result.data.*.attributes.androguard.certificate.validfrom | string | |
action_result.data.*.attributes.androguard.certificate.validto | string | |
action_result.data.*.attributes.androguard.main_activity | string | |
action_result.data.*.attributes.androguard.permission_details.android.permission.*.full_description | string | |
action_result.data.*.attributes.androguard.permission_details.android.permission.*.permission_type | string | |
action_result.data.*.attributes.androguard.permission_details.android.permission.*.short_description | string | |
action_result.data.*.attributes.androguard.permission_details.com.ibm.android.analyzer.test.*.full_description | string | |
action_result.data.*.attributes.androguard.permission_details.com.ibm.android.analyzer.test.*.permission_type | string | |
action_result.data.*.attributes.androguard.permission_details.com.ibm.android.analyzer.test.*.short_description | string | |
action_result.data.*.attributes.authentihash | string | |
action_result.data.*.attributes.bundle_info.lowest_datetime | string | |
action_result.data.*.attributes.bundle_info.highest_datetime | string | |
action_result.data.*.attributes.bundle_info.num_children | numeric | |
action_result.data.*.attributes.bundle_info.uncompressed_size | numeric | |
action_result.data.*.attributes.bundle_info.type | string | |
action_result.data.*.attributes.bundle_info.extensions.* | numeric | |
action_result.data.*.attributes.bundle_info.file_types.* | numeric | |
action_result.data.*.attributes.bytehero_info | string | |
action_result.data.*.attributes.creation_date | numeric | |
action_result.data.*.attributes.crowdsourced_ids_results.*.alert_severity | string | |
action_result.data.*.attributes.crowdsourced_ids_results.*.rule_category | string | |
action_result.data.*.attributes.crowdsourced_ids_results.*.rule_id | string | |
action_result.data.*.attributes.crowdsourced_ids_results.*.rule_msg | string | |
action_result.data.*.attributes.crowdsourced_ids_results.*.rule_raw | string | |
action_result.data.*.attributes.crowdsourced_ids_results.*.rule_source | string | |
action_result.data.*.attributes.crowdsourced_ids_results.*.rule_url | string | |
action_result.data.*.attributes.crowdsourced_ids_stats.* | numeric | |
action_result.data.*.attributes.first_seen_itw_date | numeric | |
action_result.data.*.attributes.first_submission_date | numeric | |
action_result.data.*.attributes.html_info.iframes.*.attributes.* | string | |
action_result.data.*.attributes.html_info.scripts.*.attributes.src | string | |
action_result.data.*.attributes.last_analysis_date | numeric | |
action_result.data.*.attributes.last_analysis_results.*.vendor | string | |
action_result.data.*.attributes.last_analysis_results.*.category | string | |
action_result.data.*.attributes.last_analysis_results.*.engine_name | string | |
action_result.data.*.attributes.last_analysis_results.*.engine_update | string | |
action_result.data.*.attributes.last_analysis_results.*.engine_version | string | |
action_result.data.*.attributes.last_analysis_results.*.method | string | |
action_result.data.*.attributes.last_analysis_results.*.result | string | |
action_result.data.*.attributes.last_analysis_stats.confirmed-timeout | numeric | |
action_result.data.*.attributes.last_analysis_stats.failure | numeric | |
action_result.data.*.attributes.last_analysis_stats.harmless | numeric | |
action_result.data.*.attributes.last_analysis_stats.malicious | numeric | |
action_result.data.*.attributes.last_analysis_stats.suspicious | numeric | |
action_result.data.*.attributes.last_analysis_stats.timeout | numeric | |
action_result.data.*.attributes.last_analysis_stats.type-unsupported | numeric | |
action_result.data.*.attributes.last_analysis_stats.undetected | numeric | |
action_result.data.*.attributes.last_modification_date | numeric | |
action_result.data.*.attributes.last_submission_date | numeric | |
action_result.data.*.attributes.magic | string | |
action_result.data.*.attributes.md5 | string | md5 |
action_result.data.*.attributes.meaningful_name | string | |
action_result.data.*.attributes.names | string | |
action_result.data.*.attributes.packers.F-PROT | string | |
action_result.data.*.attributes.pdf_info.* | numeric | |
action_result.data.*.attributes.pe_info.entry_point | numeric | |
action_result.data.*.attributes.pe_info.imphash | string | |
action_result.data.*.attributes.pe_info.import_list.*.library_name | string | |
action_result.data.*.attributes.pe_info.machine_type | numeric | |
action_result.data.*.attributes.pe_info.overlay.* | string | |
action_result.data.*.attributes.pe_info.resource_details.*.chi2 | numeric | |
action_result.data.*.attributes.pe_info.resource_details.*.entropy | numeric | |
action_result.data.*.attributes.pe_info.resource_details.*.filetype | string | |
action_result.data.*.attributes.pe_info.resource_details.*.lang | string | |
action_result.data.*.attributes.pe_info.resource_details.*.sha256 | string | |
action_result.data.*.attributes.pe_info.resource_details.*.type | string | |
action_result.data.*.attributes.pe_info.resource_langs.CHINESE SIMPLIFIED | numeric | |
action_result.data.*.attributes.pe_info.resource_types.RT_BITMAP | numeric | |
action_result.data.*.attributes.pe_info.resource_types.RT_CURSOR | numeric | |
action_result.data.*.attributes.pe_info.resource_types.RT_GROUP_CURSOR | numeric | |
action_result.data.*.attributes.pe_info.resource_types.RT_MENU | numeric | |
action_result.data.*.attributes.pe_info.resource_types.RT_VERSION | numeric | |
action_result.data.*.attributes.pe_info.rich_pe_header_hash | string | |
action_result.data.*.attributes.pe_info.sections.*.chi2 | numeric | |
action_result.data.*.attributes.pe_info.sections.*.entropy | numeric | |
action_result.data.*.attributes.pe_info.sections.*.flags | string | |
action_result.data.*.attributes.pe_info.sections.*.md5 | string | |
action_result.data.*.attributes.pe_info.sections.*.name | string | |
action_result.data.*.attributes.pe_info.sections.*.raw_size | numeric | |
action_result.data.*.attributes.pe_info.sections.*.virtual_address | numeric | |
action_result.data.*.attributes.pe_info.sections.*.virtual_size | numeric | |
action_result.data.*.attributes.pe_info.timestamp | numeric | |
action_result.data.*.attributes.popular_threat_classification.popular_threat_category.*.count | numeric | |
action_result.data.*.attributes.popular_threat_classification.popular_threat_category.*.value | string | |
action_result.data.*.attributes.popular_threat_classification.popular_threat_name.*.count | numeric | |
action_result.data.*.attributes.popular_threat_classification.popular_threat_name.*.value | string | |
action_result.data.*.attributes.popular_threat_classification.suggested_threat_label | string | |
action_result.data.*.attributes.reputation | numeric | |
action_result.data.*.attributes.sandbox_verdicts.Lastline.* | string | |
action_result.data.*.attributes.sandbox_verdicts.Tencent HABO.* | string | |
action_result.data.*.attributes.sha1 | string | sha1 |
action_result.data.*.attributes.sha256 | string | sha256 |
action_result.data.*.attributes.signature_info.* | string | |
action_result.data.*.attributes.size | numeric | |
action_result.data.*.attributes.ssdeep | string | |
action_result.data.*.attributes.tags | string | |
action_result.data.*.attributes.times_submitted | numeric | |
action_result.data.*.attributes.tlsh | string | |
action_result.data.*.attributes.total_votes.harmless | numeric | |
action_result.data.*.attributes.total_votes.malicious | numeric | |
action_result.data.*.attributes.trid.*.file_type | string | |
action_result.data.*.attributes.trid.*.probability | numeric | |
action_result.data.*.attributes.type_description | string | |
action_result.data.*.attributes.type_extension | string | |
action_result.data.*.attributes.type_tag | string | |
action_result.data.*.attributes.unique_sources | numeric | |
action_result.data.*.attributes.vhash | string | |
action_result.data.*.data.attributes.date | numeric | |
action_result.data.*.data.attributes.results.*.category | string | |
action_result.data.*.data.attributes.results.*.engine_name | string | |
action_result.data.*.data.attributes.results.*.engine_update | string | |
action_result.data.*.data.attributes.results.*.engine_version | string | |
action_result.data.*.data.attributes.results.*.method | string | |
action_result.data.*.data.attributes.results.*.result | string | |
action_result.data.*.data.attributes.stats.confirmed-timeout | numeric | |
action_result.data.*.data.attributes.stats.failure | numeric | |
action_result.data.*.data.attributes.stats.harmless | numeric | |
action_result.data.*.data.attributes.stats.malicious | numeric | |
action_result.data.*.data.attributes.stats.suspicious | numeric | |
action_result.data.*.data.attributes.stats.timeout | numeric | |
action_result.data.*.data.attributes.stats.type-unsupported | numeric | |
action_result.data.*.data.attributes.stats.undetected | numeric | |
action_result.data.*.data.attributes.status | string | |
action_result.data.*.data.id | string | virustotal scan id |
action_result.data.*.data.type | string | |
action_result.data.*.id | string | sha256 |
action_result.data.*.links.self | string | url |
action_result.data.*.meta.file_info.md5 | string | md5 |
action_result.data.*.meta.file_info.name | string | |
action_result.data.*.meta.file_info.sha1 | string | sha1 |
action_result.data.*.meta.file_info.sha256 | string | sha256 |
action_result.data.*.meta.file_info.size | numeric | |
action_result.data.*.type | string | |
action_result.summary.harmless | numeric | |
action_result.summary.malicious | numeric | |
action_result.summary.scan_id | string | virustotal scan id |
action_result.summary.suspicious | numeric | |
action_result.summary.undetected | numeric | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Get the results using the scan id from a detonate file or detonate url action
Type: investigate
Read only: True
If the wait_time action parameter is supplied, it takes priority over the waiting_time value in the asset configuration.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
scan_id | required | Scan ID | string | virustotal scan id |
wait_time | optional | Number of seconds to wait | numeric | |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.scan_id | string | virustotal scan id |
action_result.parameter.wait_time | numeric | |
action_result.data.*.data.attributes.date | numeric | |
action_result.data.*.data.attributes.results.*.category | string | |
action_result.data.*.data.attributes.results.*.engine_name | string | |
action_result.data.*.data.attributes.results.*.engine_update | string | |
action_result.data.*.data.attributes.results.*.engine_version | string | |
action_result.data.*.data.attributes.results.*.method | string | |
action_result.data.*.data.attributes.results.*.result | string | |
action_result.data.*.data.attributes.stats.harmless | numeric | |
action_result.data.*.data.attributes.stats.malicious | numeric | |
action_result.data.*.data.attributes.stats.suspicious | numeric | |
action_result.data.*.data.attributes.stats.timeout | numeric | |
action_result.data.*.data.attributes.stats.undetected | numeric | |
action_result.data.*.data.attributes.status | string | |
action_result.data.*.data.id | string | |
action_result.data.*.data.links.self | string | url |
action_result.data.*.data.type | string | |
action_result.data.*.meta.url_info.url | string | |
action_result.data.*.meta.file_info.sha256 | string | |
action_result.data.*.meta.url_info.id | string | sha256 |
action_result.summary.harmless | numeric | |
action_result.summary.malicious | numeric | |
action_result.summary.scan_id | string | |
action_result.summary.suspicious | numeric | |
action_result.summary.undetected | numeric | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |