VirusTotal connector

The VirusTotal connector communicates with the VirusTotal API for file scanning, URL and domain analysis, result retrieval, and threat intelligence lookups.

Create connectors in Kibana

You can create connectors in Stack Management > Connectors. For example:

Connector configuration

VirusTotal connectors have the following configuration properties:

API Key: The VirusTotal API key for authentication.

Test connectors

You can test connectors as you're creating or editing the connector in Kibana.

The VirusTotal connector has the following actions:

Scan File Hash

Look up a file hash (MD5, SHA-1, or SHA-256) to get scan results.

Hash (required): File hash (minimum 32 characters).

Scan URL

Submit a URL for analysis and get scan results, or look up a bare domain report.

URL (required): Absolute URL to scan, or bare domain to look up. For example, https://example.com/path or example.com.

Get analysis results

Retrieve VirusTotal analysis results or reports without using a generic HTTP connector.

ID (required): VirusTotal analysis ID, URL, domain, IP address, or file hash.
Resource type (optional): One of analysis, url, domain, ip, or file. Defaults to analysis.

Submit File

Submit a file for analysis.

File (required): Base64-encoded file content.
Filename (optional): Original filename.

Get IP Report

Get reputation and details about an IP address.

IP (required): IPv4 address.

Workflow examples

Submit a URL, wait for analysis to complete, and retrieve the analysis results:

		steps:
  - name: scan_url
    type: virustotal.scanUrl
    connector-id: <connector-id>
    with:
      url: https://suspicious.example.com

  - name: wait_for_analysis
    type: wait
    with:
      duration: 30s

  - name: get_analysis_results
    type: virustotal.getAnalysisResults
    connector-id: <connector-id>
    with:
      id: '{{ steps.scan_url.output.id }}'
		
	

Look up a bare domain without adding API keys or VirusTotal URLs to the workflow:

		steps:
  - name: scan_domain
    type: virustotal.scanUrl
    connector-id: <connector-id>
    with:
      url: acme.example

  - name: get_domain_results
    type: virustotal.getAnalysisResults
    connector-id: <connector-id>
    with:
      id: acme.example
      resourceType: domain
		
	

Connector networking configuration

Use the Action configuration settings to customize connector networking configurations, such as proxies, certificates, or TLS settings. You can set configurations that apply to all your connectors or use xpack.actions.customHostSettings to set per-host configurations.

Get API credentials

To use the VirusTotal connector, you need an API key:

Go to VirusTotal.
Sign up for an account or log in.
Navigate to your API Key page.
Copy your API key. For free accounts, you'll have rate limits. Consider upgrading to a premium account for higher limits.
Copy the API key to configure the connector.