Contents x
    VirusTotal
    • 28 Oct 2025
    • 1 Minute to read
    • Print
    • Dark
      Light
    Contents

    VirusTotal

    • Updated on 28 Oct 2025
    • 1 Minute to read
    • Print
    • Dark
      Light
    Article summary

    API Keys

    Subscription Required

    A VirusTotal subscription is required to utilize this service.

    The VirusTotal API key is added via the integrations menu within LimaCharlie.

    The API key follows this format:

    api_key

    Example:

    1234abcdnotarealkey9283

    Usage

    With the vt add-on subscribed and a VirusTotal API Key configured in the Integrations page, VirusTotal can be used as an API-based lookup.

    event: CODE_IDENTITY
op: lookup
path: event/HASH
resource: hive://lookup/vt
metadata_rules:
  op: is greater than
  value: 1
  path: /
  length of: true

    Step-by-step, this rule will do the following:

    • Upon seeing a CODE_IDENTITY event, retrieve the event/HASH value and send it to VirusTotal via the api/vt resource.

    • Upon receiving a response from api/vt, evaluate it using metadata_rules to see if the length of the response is greater than 1 (in this case meaning that more than 1 vendor reporting a hash is bad).

    Was this article helpful?
    Related articles
    What's Next