
VirusTotal API scan in workflow (http request)

Explorer

Hello All,

I am working on a solution that requires a "workflow action" to give a drop-down when searching against a "url" field when a search has been initiated for a user's URL/web history.

We are filtering results from a security appliance for web traffic / firewall filtering.

We use VirusTotal for the bulk of our URL scans for remediation. I would like to click on the "Event Action (Verbose Mode)" and click on the custom VirusTotal workflow that I created. We have a functioning WHOIS workflow function and it is working beautifully. But VirusTotal has certain restrictions on how data is fed to them via their website.

I would love to have this function like the "WHOIS" search and pop the results via the VirusTotal website.

I have researched all that I can so far. I do have a public API for searching if needed.

Does anyone have any information on what to do next? I have listed below some examples for what VirusTotal provides.

https://www.virustotal.com/vtapi/v2/file/scan/upload_url?apikey=

https://www.virustotal.com/vtapi/v2/url/scan

Thanks Everyone!
0 Karma

Re: VirusTotal API scan in workflow (http request)

Communicator

Hello,

Configure the workflow action in post mode, URI: https://www.virustotal.com/vtapi/v2/url/scan

Post Arguments:
apikey = your_apikey
url = $field$

It will open a JSON response with a permalink to your analysis.

0 Karma
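An added example, not part of the original thread and not Splunk or VirusTotal code: a Python sketch of the same POST the workflow action sends, plus extraction of the permalink from the JSON reply with a check that the link points back at VirusTotal before it is opened. The function names are hypothetical, and the `response_code` and `permalink` field names and the allowed hosts are assumptions about the v2 reply.

```python
import json
import urllib.parse
import urllib.request

VT_SCAN_URI = "https://www.virustotal.com/vtapi/v2/url/scan"  # URI from the answer above
ALLOWED_HOSTS = {"www.virustotal.com", "virustotal.com"}  # assumption: permalink hosts


def build_scan_request(api_key, url):
    """Build the POST the workflow action sends: apikey=<key>&url=<field value>."""
    body = urllib.parse.urlencode({"apikey": api_key, "url": url}).encode("ascii")
    return urllib.request.Request(VT_SCAN_URI, data=body, method="POST")


def extract_permalink(response_body):
    """Return the analysis permalink from the JSON reply, or raise ValueError."""
    try:
        reply = json.loads(response_body)
    except json.JSONDecodeError as exc:
        raise ValueError("reply is not JSON") from exc
    if not isinstance(reply, dict) or reply.get("response_code") != 1:
        raise ValueError("scan was not queued: %r" % (reply,))
    link = reply.get("permalink")
    parts = urllib.parse.urlsplit(link if isinstance(link, str) else "")
    # Only hand a link to the browser if it points back at VirusTotal.
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_HOSTS:
        raise ValueError("unexpected permalink: %r" % (link,))
    return link


def submit(api_key, url, timeout=15):
    """Send the request and return the permalink (needs network and a valid key)."""
    with urllib.request.urlopen(build_scan_request(api_key, url), timeout=timeout) as resp:
        return extract_permalink(resp.read().decode("utf-8"))


# Constructed sample reply for offline use; the path segment is a placeholder.
SAMPLE_REPLY = json.dumps({
    "response_code": 1,
    "url": "http://example.com/",
    "permalink": "https://www.virustotal.com/url/SHA256_PLACEHOLDER/analysis/0/",
})

if __name__ == "__main__":
    print(extract_permalink(SAMPLE_REPLY))
```

The value returned by `submit()` can be passed to `webbrowser.open_new_tab()` to open the analysis in a separate browser window. Every submitted URL, including any query-string tokens it carries, is disclosed to VirusTotal, and the API key travels in the POST body.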

Re: VirusTotal API scan in workflow (http request)

Explorer

This worked GREAT!!! Thanks for your help, however I would love to take the HTTPS response from VirusTotal and run it in a separate browser window if possible.

0 Karma

Re: VirusTotal API scan in workflow (http request)

Communicator

You're welcome. Upvote/answer will be appreciated.

Yep, that will be better but I think it would be far away from workflow action capacity.

Maybe this app can help, but I did not test it.
https://splunkbase.splunk.com/app/3446/#/details

0 Karma

Re: VirusTotal API scan in workflow (http request)

Explorer

"elpred0 · 7 hours ago
Hello,

Configure the workflow action in post mode, URI: https://www.virustotal.com/vtapi/v2/url/scan

Post Arguments:
apikey = your_apikey
url = $field$

It will open a JSON response with a permalink to your analysis."