Contents x
    VirusTotal Integration
    • 05 Oct 2024
    • 1 Minute to read
    • Contributors
    • Print
    • Dark
      Light
    Contents

    VirusTotal Integration

    • Updated on 05 Oct 2024
    • 1 Minute to read
    • Contributors
    • Print
    • Dark
      Light
    Article summary

    You can easily integrate LimaCharlie with VirusTotal to enhance your data enrichment and detections. You will need a VirusTotal API key in order to utilize this add-on.

    VirusTotal Data Caching

    The free tier of VirusTotal allows four lookups per minute via the API. LimaCharlie employs a global cache of VirusTotal requests which should significantly reduce costs if you are using VirusTotal at scale. VirusTotal requests are cached for 3 days.

    Once you have your VirusTotal API key, you can add it to the integrations section of the LimaCharlie web app.

    image.png

    Once you have entered your API key, you can then create a D&R rule to perform a lookup of a hash. For example, the following rule will let you know if there is a hit from VirusTotal on a hash with at least two different engines.

    path: event/HASH
op: lookup
resource: 'lcr://api/vt'
event: CODE_IDENTITY
metadata_rules:
  path: /
  value: 2
  length of: true
  op: is greater than

    Was this article helpful?
    Related articles
    What's Next