VirusTotal
Data enrichment and reputation scoring for files, URLs, IPs, and domains with the VirusTotal integration pack.
The VirusTotal pack provides 5 nodes for querying the VirusTotal API. Use these nodes to enrich data points — IP addresses, domains, file hashes, and URLs — in your automation patterns.
Connection setup
- Go to the Connections page in the DRAGOPS dashboard.
- Select VirusTotal from the provider list.
- Enter your VirusTotal API Key. You can find this in your VirusTotal account under your profile settings.
- Select Save.
The API key is sent as an x-apikey header on every request. DRAGOPS encrypts the key at rest and only decrypts it at execution time.
Available nodes
All VirusTotal nodes are in the VirusTotal category in the node library.
| Node | Description | Inputs | Outputs |
|---|---|---|---|
| Get IP Report | Retrieve reputation data for an IP address | IP Address (string) | Data (object), Status (integer) |
| Get Domain Report | Retrieve reputation data for a domain name | Domain (string) | Data (object), Status (integer) |
| Get File Report | Retrieve scan results for a file by hash | File Hash (string) | Data (object), Status (integer) |
| Get URL Report | Retrieve scan results for a URL by ID | URL ID (string) | Data (object), Status (integer) |
| Scan URL | Submit a URL for scanning | URL (string) | Analysis Data (object), Status (integer) |
Every node also has execution pins (exec in and exec out) for controlling the execution flow.
Output data
The Data output pin returns the data object from the VirusTotal API response. This object contains attributes like last_analysis_stats, reputation, country, and as_owner (for IP reports) or last_analysis_results (for file and URL reports). Use Get Property nodes to extract the specific fields you need.
The Status output pin returns the HTTP status code (200 for success, 404 for not found, 429 for rate limit exceeded).
Example: Enrich an IP address
This pattern receives an IP address via webhook and retrieves its VirusTotal report:
- Add an On Webhook trigger node.
- Add a Get Property node. Set the Key to
ip. Wire On Webhook's Body output to Get Property's Object input. - Add a Get IP Report node from the VirusTotal category. Wire Get Property's Value output to the IP Address input pin.
- Add a Log node. Wire Get IP Report's Data output to Log's Message input.
- Wire the execution flow: On Webhook → Get Property → Get IP Report → Log.
When you send a POST request with {"ip": "8.8.8.8"} to the webhook URL, the pattern retrieves the VirusTotal report for that IP and logs the result.
Tips
- Rate limits. The VirusTotal free tier allows 4 requests per minute and 500 per day. The premium API has higher limits. If you exceed the limit, the node returns a 429 status code. Use a Branch node to check the Status output and handle rate limiting gracefully.
- URL IDs. The Get URL Report node expects a URL ID, not a raw URL. The URL ID is the base64url-encoded URL without trailing
=padding. You can obtain this ID from the Scan URL node's response or compute it using a Base64 URL Encode node. - File hashes. The Get File Report node accepts SHA-256, SHA-1, or MD5 hashes. SHA-256 is recommended for accuracy.
Related
- Jira — issue tracking integration pack
- Integration packs — how packs work
- Connect external services — credential storage and the connections system
- Use integration pack nodes — step-by-step guide for using pack nodes