VirusTotal Integration
  • 11 Jul 2023
  This documentation version is deprecated, please click here for the latest version.

You can easily integrate LimaCharlie with VirusTotal to enhance your data enrichment and detections. You will need a VirusTotal API key in order to utilize this add-on.

VirusTotal Data Caching

The free tier of VirusTotal allows four lookups per minute via the API. LimaCharlie employs a global cache of VirusTotal requests which should significantly reduce costs if you are using VirusTotal at scale. VirusTotal requests are cached for 3 days.

Once you have your VirusTotal API key, you can add it to the integrations section of the LimaCharlie web app.

Once you have entered your API key, you can create a D&R rule that looks up a hash. For example, the following rule matches when VirusTotal reports a hit on a hash from at least two different engines.

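# Take the hash from the event and look it up through the VirusTotal API resource
path: event/HASH
op: lookup
resource: 'lcr://api/vt'
# Only evaluate CODE_IDENTITY events
event: CODE_IDENTITY
# Conditions applied to the metadata the lookup returns
metadata_rules:
  path: /
  value: 2
  # Compare the number of entries at `path`, not the entries themselves
  length of: true
  op: is greater than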
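
To check where the engine-count threshold falls before deploying the rule, its logic can be emulated locally. The following is an added example, not LimaCharlie code: the lookup table is constructed, the metadata shape (one entry per engine that flagged the hash) and the strict reading of `is greater than` are assumptions, and the helper names are hypothetical.

```python
# Added example: local emulation of the rule above, not LimaCharlie code.
RULE = {
    "event": "CODE_IDENTITY",
    "path": "event/HASH",
    "metadata_rules": {"path": "/", "value": 2, "length of": True,
                       "op": "is greater than"},
}

# Constructed lookup results keyed by hash. Assumed shape: one entry per
# engine that flagged the hash ({engine name: detection label}).
CONSTRUCTED_VT = {
    "a" * 64: {"EngineA": "Trojan.Gen", "EngineB": "Mal.X", "EngineC": "Heur.Y"},
    "b" * 64: {"EngineA": "PUA.Z", "EngineB": "Adware.Q"},
    "c" * 64: {},
}

def get_path(doc, path):
    """Walk a slash-separated path; '/' returns the document itself."""
    for key in filter(None, path.split("/")):
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc

def metadata_matches(metadata, rules):
    """Apply the metadata_rules block to one lookup result."""
    target = get_path(metadata, rules["path"])
    if target is None:
        return False
    if rules.get("length of"):
        if not hasattr(target, "__len__"):
            return False
        target = len(target)
    if rules["op"] != "is greater than":
        raise ValueError("operator not emulated: " + rules["op"])
    return target > rules["value"]  # assumption: strict comparison

def evaluate(event, rule=RULE, lookup=CONSTRUCTED_VT):
    """Return True when the emulated rule would match this event."""
    if get_path(event, "routing/event_type") != rule["event"]:
        return False
    file_hash = get_path(event, rule["path"])
    if not isinstance(file_hash, str):
        return False
    metadata = lookup.get(file_hash.lower())
    return metadata is not None and metadata_matches(metadata, rule["metadata_rules"])

def make_event(event_type, file_hash):
    """Build a constructed event with the routing/event envelope."""
    return {"routing": {"event_type": event_type}, "event": {"HASH": file_hash}}
```

Under these assumptions a hash flagged by exactly two engines does not match, so compare the boundary case against the behaviour you want before relying on the rule.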