Universal IOC Lookup in VirusTotal
Check any hash, URL, domain, or IP against VirusTotal and return a clean verdict for analysts.
Overview
A lightweight building-block playbook that accepts any Indicator of Compromise and returns the VirusTotal verdict in a standardized format. Use it on its own for quick lookups, or chain it into larger incident response playbooks as an enrichment step.
Who this is for: Every SOC analyst, from tier-1 to threat hunter
Why automate this
Every SOC needs a fast, consistent way to ask 'is this malicious?' without manually pasting indicators into the VirusTotal web UI. This playbook gives you a reusable primitive you can invoke from anywhere: other playbooks, Slack commands, or automated triage flows.
How it works
- 01 Accept the IOC as input with auto-detected type (hash, URL, domain, IP)
- 02 Call the VirusTotal API with the appropriate endpoint
- 03 Parse the verdict, detection count, and first-seen timestamp
- 04 Return the structured verdict for the caller to consume
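The four steps above, as an added Python example that is not the playbook's own code: it classifies an indicator, maps it to the matching VirusTotal v3 endpoint (URL objects are keyed by the unpadded base64url of the URL, as the VT API documents), and reduces a VT response object to the standardized verdict. The MALICIOUS_MIN threshold and the SAMPLE_FILE_OBJECT response are assumptions constructed for illustration.

```python
import base64
import re
from datetime import datetime, timezone
# Indicator patterns: md5/sha1/sha256 hex, IPv4 dotted quad, DNS name. URLs are detected by scheme.
_HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
_IPV4_RE = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
_DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
MALICIOUS_MIN = 3  # assumed policy: engines that must agree before the verdict is "malicious"

def detect_ioc_type(ioc: str) -> str:
    """Step 01: classify the IOC. Hashes and IPs are tested before domains so 1.2.3.4 is never a 'domain'."""
    ioc = ioc.strip()
    if _HASH_RE.match(ioc):
        return "hash"
    if _IPV4_RE.match(ioc):
        return "ip"
    if ioc.lower().startswith(("http://", "https://")):
        return "url"
    if _DOMAIN_RE.match(ioc):
        return "domain"
    raise ValueError(f"unrecognised IOC format: {ioc!r}")

def vt_endpoint(ioc: str) -> str:
    """Step 02: choose the VT v3 path. URL objects are keyed by the unpadded base64url of the URL."""
    kind, ioc = detect_ioc_type(ioc), ioc.strip()
    if kind == "url":
        return "/api/v3/urls/" + base64.urlsafe_b64encode(ioc.encode()).decode().rstrip("=")
    collection = {"hash": "files", "ip": "ip_addresses", "domain": "domains"}[kind]
    return f"/api/v3/{collection}/{ioc.lower()}"

def parse_verdict(ioc: str, vt_object: dict) -> dict:
    """Steps 03-04: reduce a VT object to the standardized verdict a caller consumes."""
    attrs = vt_object["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    malicious, suspicious = stats.get("malicious", 0), stats.get("suspicious", 0)
    engines = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "harmless", "undetected"))
    if malicious >= MALICIOUS_MIN:
        verdict = "malicious"
    elif malicious + suspicious > 0:
        verdict = "suspicious"
    else:
        verdict = "clean"  # caveat: 0/0 (never analysed) also lands here; callers may want to submit it
    first_seen = attrs.get("first_submission_date")  # epoch seconds; present for files and URLs only
    iso = datetime.fromtimestamp(first_seen, tz=timezone.utc).isoformat() if first_seen is not None else None
    return {"ioc": ioc, "type": detect_ioc_type(ioc), "verdict": verdict,
            "detections": f"{malicious}/{engines}", "first_seen": iso}
# Constructed sample of a VT v3 file object (shape only; not a real lookup result).
SAMPLE_FILE_OBJECT = {"data": {"attributes": {"first_submission_date": 1700000000,
    "last_analysis_stats": {"malicious": 58, "suspicious": 0, "harmless": 0, "undetected": 12}}}}
```

A wrapper that performs the HTTP call would send `GET https://www.virustotal.com` plus the returned path with an `x-apikey` header and hand the JSON to `parse_verdict`.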
Impact
Standardized VirusTotal lookups across all playbooks
Eliminates manual copy-paste into the VT web UI
Returns structured data that's easy to chain into bigger flows
Can be exposed as a Slack slash command for instant analyst access
Related playbooks
Keep automating
Outlook Phishing Detection with VirusTotal
Scan every inbound Outlook email for malicious URLs and attachments, delete threats, and notify Slack.
Gmail Phishing Detection with VirusTotal
Scan incoming Gmail messages for malicious links and attachments, delete threats, and alert security.
Multi-Source Phishing Email Analysis
Analyze phishing emails with EmailRep, URLScan, and VirusTotal to produce a comprehensive threat report.
Bring this playbook into your SOC
See Deployer Workflows in action with a live walkthrough of this playbook. We'll show you how to connect your SIEM, EDR, and ticketing tools in under 15 minutes.