
Enable VirusTotal Enrichment

The VirusTotal Enrichment enriches Signals based on queries it runs against VirusTotal.


This feature requires the VirusTotal Premium API.

For each Insight created, the enrichment checks the Records in the Signals that contribute to that Insight, looking for values in the Record attributes that carry IP addresses, URLs, hostnames, or file hashes. These are the fields the enrichment examines:

  • srcDevice_ip
  • dstDevice_ip
  • http_url
  • http_hostname
  • http_url_rootDomain
  • dns_query
  • file_hash_imphash
  • file_hash_md5
  • file_hash_prehash
  • file_hash_sha1
  • file_hash_sha256
  • file_hash_ssdeep

The enrichment looks up each value it finds by calling the VirusTotal API. When a Record value has a match in VirusTotal, the enrichment writes the response to Cloud SIEM, where you can view it in the Signal's Enrichment tab. For an example, see Example VirusTotal Enrichment.


VirusTotal enrichments are only added to Signals that are part of an Insight.
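The following Python script is an added example that models the selection logic described above; it is not Sumo Logic's code and does not call the real VirusTotal API. It walks the Signals of one constructed Insight, pulls the values out of the twelve attributes listed on this page, de-duplicates them so that each value is looked up once, and attaches matches to the Signal they came from. The Insight/Signal/Record shapes, the sample values, the `FAKE_VT` response table, and the decision to skip RFC 1918 and loopback addresses are all assumptions made for the example.

```python
"""Model of the VirusTotal enrichment's value selection (added example, not
Sumo Logic's implementation). The VirusTotal query is replaced by a
constructed lookup table so the script runs offline."""
import ipaddress
from typing import Callable, Dict, Optional, Set, Tuple

# Record attributes the enrichment examines (the list given on the page).
ENRICHED_FIELDS = (
    "srcDevice_ip", "dstDevice_ip",
    "http_url", "http_hostname", "http_url_rootDomain", "dns_query",
    "file_hash_imphash", "file_hash_md5", "file_hash_prehash",
    "file_hash_sha1", "file_hash_sha256", "file_hash_ssdeep",
)

# Assumption for this example: addresses in these ranges are never sent out,
# since an external reputation service has no useful verdict for them.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def indicator_type(field: str) -> str:
    """Map an attribute name to the kind of indicator it carries."""
    if field.endswith("_ip"):
        return "ip"
    if field == "http_url":
        return "url"
    if field.startswith("file_hash_"):
        return "hash"
    return "hostname"


def is_lookup_candidate(kind: str, value: str) -> bool:
    """Drop malformed and non-routable IPs; every other value is looked up."""
    if kind != "ip":
        return True
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return not any(addr in net for net in NON_ROUTABLE)


def collect_indicators(insight: dict) -> Dict[str, Set[Tuple[str, str]]]:
    """Per Signal id, the de-duplicated (type, value) pairs found in
    ENRICHED_FIELDS. Only Records reached through the Insight are seen,
    mirroring the rule that enrichment applies to Signals in an Insight."""
    per_signal: Dict[str, Set[Tuple[str, str]]] = {}
    for signal in insight.get("signals", []):
        found: Set[Tuple[str, str]] = set()
        for record in signal.get("records", []):
            for field in ENRICHED_FIELDS:
                value = record.get(field)
                if not value:            # attribute absent or empty
                    continue
                value = str(value).strip()
                kind = indicator_type(field)
                if is_lookup_candidate(kind, value):
                    found.add((kind, value))
        per_signal[signal["id"]] = found
    return per_signal


# Constructed stand-in for VirusTotal responses (not real data).
PLACEHOLDER_MD5 = "0123456789abcdef0123456789abcdef"
FAKE_VT = {
    "203.0.113.10": {"malicious": 12, "harmless": 60},
    "bad.example.net": {"malicious": 5, "harmless": 40},
    PLACEHOLDER_MD5: {"malicious": 58, "harmless": 0},
}


def fake_lookup(value: str) -> Optional[dict]:
    """Stand-in for the VirusTotal API call; None means no match."""
    return FAKE_VT.get(value)


def enrich_insight(insight: dict,
                   lookup_fn: Callable[[str], Optional[dict]] = fake_lookup) -> dict:
    """Query each unique value once (cache shared across Signals) and return
    {signal_id: {value: {"type": ..., "response": ...}}} for matches only."""
    cache: Dict[str, Optional[dict]] = {}
    enrichment: dict = {}
    for sig_id, indicators in collect_indicators(insight).items():
        hits = {}
        for kind, value in sorted(indicators):
            if value not in cache:
                cache[value] = lookup_fn(value)
            if cache[value] is not None:
                hits[value] = {"type": kind, "response": cache[value]}
        if hits:
            enrichment[sig_id] = hits
    return enrichment


# Constructed sample Insight with three contributing Signals.
SAMPLE_INSIGHT = {
    "id": "INSIGHT-EXAMPLE",
    "signals": [
        {"id": "SIG-1", "records": [
            {"srcDevice_ip": "10.0.0.5", "dstDevice_ip": "203.0.113.10",
             "http_hostname": "bad.example.net"},
            {"dstDevice_ip": "203.0.113.10"},      # duplicate: one lookup
        ]},
        {"id": "SIG-2", "records": [
            {"file_hash_md5": PLACEHOLDER_MD5, "dns_query": "clean.example.org"},
        ]},
        {"id": "SIG-3", "records": [
            {"http_url": "http://clean.example.org/index"},   # no match
        ]},
    ],
}

if __name__ == "__main__":
    for sig_id, hits in enrich_insight(SAMPLE_INSIGHT).items():
        print(sig_id, hits)
```

Run as a script, it prints enrichment for SIG-1 and SIG-2 only; SIG-3 contains no value with a match and so, like the real enrichment, gets no entry. Swapping `fake_lookup` for a function that calls the VirusTotal API would turn the same skeleton into a working client, with the cache keeping duplicate values across Signals to a single request.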

Configure VirusTotal enrichment

  1. In the top menu select Configuration, and then under Integrations select Enrichment.
  2. On the Enrichment page, click the pencil icon for VirusTotal.
    Edit button on the VirusTotal enrichment
  3. On the Edit VirusTotal Configuration popup, enter your VirusTotal API Key, and click Update.
    Edit VirusTotal Configuration pop-up

Example VirusTotal enrichment

    Screenshot: Example VirusTotal enrichment shown in a Signal's Enrichment tab

Copyright © 2024 by Sumo Logic, Inc.