Back to Integrations
integration integration
integration VirusTotal node
HTTP Request

Integrate VirusTotal with 500+ apps and services

Unlock VirusTotal's full potential with n8n, connecting it to similar Cybersecurity apps and over 1000 other services. Automate cybersecurity workflows by monitoring threats, managing incident responses, and securing data across platforms. Use n8n's pre-authenticated HTTP request node to construct adaptable and scalable workflows between VirusTotal and your stack. All within a building experience you will love.

Create workflows with VirusTotal integrations

799 integrations
Sort by:
Popularity
NameOldestNewest

Popular ways to use VirusTotal integration

HTTP Request node
Merge node
+8

Venafi Cloud Slack Cert Bot

Enhance Security Operations with the Venafi Slack CertBot! Venafi Presentation - Watch Video Our Venafi Slack CertBot is strategically designed to facilitate immediate security operations directly from Slack. This tool allows end users to request Certificate Signing Requests that are automatically approved or passed to the Secops team for manual approval depending on the Virustotal analysis of the requested domain. Not only does this help centralize requests, but it helps an organization maintain the security certifications by allowing automated processes to log and analyze requests in real time. Workflow Highlights: Interactive Modals**: Utilizes Slack modals to gather user inputs for scan configurations and report generation, providing a user-friendly interface for complex operations. Dynamic Workflow Execution**: Integrates seamlessly with Venafi to execute CSR generation and if any issues are found, AI can generate a custom report that is then passed to a slack teams channel for manual approval with the press of a single button. Operational Flow: Parse Webhook Data**: Captures and parses incoming data from Slack to understand user commands accurately. Execute Actions**: Depending on the user's selection, the workflow triggers other actions within the flow like automatic Virustotal Scanning. Respond to Slack**: Ensures that every interaction is acknowledged, maintaining a smooth user experience by managing modal popups and sending appropriate responses. Setup Instructions: Verify that Slack and Qualys API integrations are correctly configured for seamless interaction. Customize the modal interfaces to align with your organization's operational protocols and security policies. Test the workflow to ensure that it responds accurately to Slack commands and that the integration with Qualys is functioning as expected. Need Assistance? Explore Venafi's Documentation or get help from the n8n Community for more detailed guidance on setup and customization. Deploy this bot within your Slack environment to significantly enhance the efficiency and responsiveness of your security operations, enabling proactive management of CSR's.
HTTP Request node
Merge node
Slack node
+4

Phishing Analysis - URLScan.io and VirusTotal

This n8n workflow automates the analysis of email messages received in a Microsoft Outlook inbox to identify indicators of compromise (IOCs), specifically suspicious URLs. It can be triggered manually or scheduled to run daily at midnight. The workflow begins by retrieving up to 100 read email messages from the Outlook inbox. However, there seems to be a configuration issue as it should retrieve unread messages, not read ones. It then marks these messages as read to avoid processing them again in the future. The messages are then split into individual items using the Split In Batches node for sequential processing. For each email, the workflow analyzes its content to find URLs, which are considered potential IOCs. If URLs are found, the workflow proceeds to check these URLs for potential threats using two services, URLScan.io and VirusTotal, in parallel. In the first path, URLScan.io scans each URL, and if there are no errors, the results from URLScan.io and VirusTotal are merged. If there are errors, the workflow waits 1 minute before attempting to retrieve the URLScan results again. The loop then continues for the next email. In the second path, VirusTotal is used to scan the URLs, and the results are retrieved. Finally, the workflow checks if the data field is not empty, filtering out items where no data was found. It then sends a summarized Slack message to report details about the analyzed email, including the subject, sender, date, URLScan report URL, and VirusTotal verdict for URLs that were reported as malicious. Potential issues during setup include configuring the Outlook node to retrieve unread messages, resolving a configuration issue in the VirusTotal node, and handling authentication and API keys for both URLScan.io and VirusTotal nodes. Additionally, proper error handling and testing with various email content types and URLs are essential to ensure the workflow accurately identifies IOCs and reports them to the Slack channel.
HTTP Request node
Slack node
Jira Software node
+2

Analyze CrowdStrike Detections - Search for IOCs in VirusTotal - Create a Ticket in Jira, and Post a Message in Slack

This n8n workflow automates the handling of security detections from CrowdStrike, streamlining incident response and notification processes. The workflow is triggered daily at midnight by the Schedule Trigger node. It begins by fetching recent security detections from CrowdStrike using an HTTP Request node. The response is then split into individual detections for further processing. Each detection is enriched by querying the CrowdStrike API for detailed information using another HTTP Request node. The workflow then processes these detections sequentially using the Split In Batches node. Next, it looks up behavioral information associated with each detection in VirusTotal using two HTTP Request nodes. One node queries VirusTotal based on SHA256 values, and the other based on IOC (Indicator of Compromise) values. The workflow includes a 1-second pause using the Wait node to prevent rate limiting when making requests to the VirusTotal API. Subsequently, the workflow sets fields with relevant details from both CrowdStrike and VirusTotal, including detection links, confidence scores, filenames, usernames, and more. These details are concatenated using an Item Lists node for each detection. The final step involves creating Jira issues for each detection, including summaries with CrowdStrike alert severity and hostnames, as well as descriptions that incorporate information from CrowdStrike and VirusTotal. Information about this issue is then sent via a Slack message to a Slack user. Potential issues during setup might include configuring the Schedule Trigger node to trigger at the correct time zone and handling potential rate limiting from the VirusTotal API, which could lead to throttled requests. Additionally, the note about a possible typo in the URL for the Virustotal nodes should be addressed to ensure correct API calls. The Jira node may need to be replaced with the latest version for compatibility. Properly configuring API credentials and handling errors that may occur during API requests are essential for a smooth workflow operation. Careful testing with sample data is recommended to validate the workflow's functionality and ensure it aligns with your organization's security incident response processes.

Supported API Endpoints for VirusTotal

To set up VirusTotal integration, add the HTTP Request node to your workflow canvas and authenticate it using a predefined credential type. This allows you to perform custom operations, without additional authentication setup. The HTTP Request node makes custom API calls to VirusTotal to query the data you need using the URLs you provide.

See the example here

GetFileReport
Retrieve the latest report on a file.
GET
/files/{file_id}
ScanFile
Send a file for scanning.
POST
/files
GetFileBehaviours
Retrieve a file's behaviors observed during sandbox execution.
GET
/files/{file_id}/behaviours
GetFileComments
Retrieve comments on a file.
GET
/files/{file_id}/comments
AddFileComment
Post a comment on a file.
POST
/files/{file_id}/comments

Take a look at the VirusTotal official documentation to get a full list of all API endpoints

GetURLReport
Retrieve the latest report on a URL.
GET
/urls/{url_id}
ScanURL
Send a URL for scanning.
POST
/urls
GetURLComments
Retrieve comments on a URL.
GET
/urls/{url_id}/comments
AddURLComment
Post a comment on a URL.
POST
/urls/{url_id}/comments
GetURLVotes
Retrieve votes on a URL.
GET
/urls/{url_id}/votes

Take a look at the VirusTotal official documentation to get a full list of all API endpoints

GetDomainReport
Retrieve the latest report on a domain.
GET
/domains/{domain}
GetDomainComments
Retrieve comments on a domain.
GET
/domains/{domain}/comments
AddDomainComment
Post a comment on a domain.
POST
/domains/{domain}/comments
GetDomainResolutions
Retrieve the resolutions of a domain.
GET
/domains/{domain}/resolutions
GetDomainSiblings
Retrieve the siblings of a domain.
GET
/domains/{domain}/siblings

Take a look at the VirusTotal official documentation to get a full list of all API endpoints

GetIPAddressReport
Retrieve the latest report on an IP address.
GET
/ip_addresses/{ip_address}
GetIPAddressComments
Retrieve comments on an IP address.
GET
/ip_addresses/{ip_address}/comments
AddIPAddressComment
Post a comment on an IP address.
POST
/ip_addresses/{ip_address}/comments
GetIPAddressResolutions
Retrieve the resolutions of an IP address.
GET
/ip_addresses/{ip_address}/resolutions
GetIPAddressHistorical
Retrieve the historical data of an IP address.
GET
/ip_addresses/{ip_address}/historical

Take a look at the VirusTotal official documentation to get a full list of all API endpoints

VirusTotal node
HTTP Request

About VirusTotal

VirusTotal is an online service owned by Google that analyzes files and URLs for malware and security threats. It aggregates antivirus scan results from multiple engines, providing users with a comprehensive assessment of potential threats, aiding in cybersecurity and threat intelligence efforts.

Related categories

Similar integrations

  • ZScaler ZIA node
  • Cisco Secure Endpoint node
  • Carbon Black node
  • QRadar node
  • Cisco Umbrella node
  • Kibana node
  • Fortinet FortiGate node
  • Imperva WAF node
  • MIST node
  • Sekoia node
Use case

The SOAR platform you want

Mountains of monotonous tasks make building and monitoring your workflows a chore. Not anymore.

Learn more

Over 3000 companies switch to n8n every single week

Connect VirusTotal with your company’s tech stack and create automation workflows

FAQ about VirusTotal integrations

  • How can I set up VirusTotal integration in n8n?

      To use VirusTotal integration in n8n, start by adding the HTTP Request node to your workflow canvas and authenticate it using a predefined credential type. This allows you to perform custom operations, without additional authentication setup. Once connected, you can make custom API calls to VirusTotal to query the data you need using the URLs you provide, for example: you can create new records in VirusTotal by making a POST request to the appropriate endpoint, such as uploading files for scanning. Additionally, you can retrieve previous scan results by sending a GET request with the specific resource ID, allowing for efficient tracking of threats over time. To update records, you may use the PUT method where applicable, ensuring you are specifying the correct resource parameters.

  • Do I need any special permissions or API keys to integrate VirusTotal with n8n?

  • Can I combine VirusTotal with other apps in n8n workflows?

  • What are some common use cases for VirusTotal integrations with n8n?

  • How does n8n’s pricing model benefit me when integrating VirusTotal?

We're using the @n8n_io cloud for our internal automation tasks since the beta started. It's awesome! Also, support is super fast and always helpful. 🤗

in other news I installed @n8n_io tonight and holy moly it’s good

it’s compatible with EVERYTHING

Last week I automated much of the back office work for a small design studio in less than 8hrs and I am still mind-blown about it.

n8n is a game-changer and should be known by all SMBs and even enterprise companies.