The lookup can also use certain APIs in their lookup, like VirusTotal. Note that for the VT API to be accessible, the organization needs to be subscribed to the VT API Add-On, and a valid VT API Key needs to be set in the integrations configurations.

As visible in the example below, a metadata_rules parameter is also valid for the lookup operation. It can contain further detection rules to be applied to the metadata returned by a lookup match. In the case of VT this is a dictionary of AntiVirus vendor reports (here we test for more than 1 vendor saying the hash is bad), while in the case of a custom lookup resource it would be whatever is set as the item's metadata.

To activate VirusTotal usage, you must subscribe to the VirusTotal API in the Add-On section. Then you must set your VirusTotal API key in the Integrations section of the web interface.

VirusTotal results are cached for a limited period of time locally which reduces the usage of your API key and saves you money.

Also note that if your API Key runs out of quota with VirusTotal, hashes seen until you have quota again will be ignored.


op: lookup event: CODE_IDENTITY path: event/HASH resource: 'lcr://api/vt' metadata_rules: op: is greater than value: 1 path: / length of: true