MENU
      Contents x
      VirusTotal
      • 16 Apr 2025
      • 1 Minute to read
      • Print
      • Dark
      Contents

      VirusTotal

      • Updated on 16 Apr 2025
      • 1 Minute to read
      • Print
      • Dark
      Article summary

      API Keys

      The VirusTotal API key is added via the integrations menu within LimaCharlie.

      Usage

      With the vt add-on subscribed and a VirusTotal API Key configured in the Integrations page, VirusTotal can be used as an API-based lookup.

      event: CODE_IDENTITY
op: lookup
path: event/HASH
resource: 'lcr://api/vt'
metadata_rules:
  op: is greater than
  value: 1
  path: /
  length of: true
      YAML

      Step-by-step, this rule will do the following:

      • Upon seeing a CODE_IDENTITY event, retrieve the event/HASH value and send it to VirusTotal via the api/vt resource.

      • Upon receiving a response from api/vt, evaluate it using metadata_rules to see if the length of the response is greater than 1 (in this case meaning that more than 1 vendor reporting a hash is bad).

      Was this article helpful?
      Related articles
      What's Next