VirusTotal


TL;DR

To integrate the VirusTotal API with Query:

  • Create an API key in your VirusTotal account.
  • Add a VirusTotal connection source in Query with the required connection parameters.
  • Test the integration with the Test Connection link.
  • Search for indicators of compromise such as external IP addresses, URLs, file hashes, and domains.

Overview

VirusTotal is a free service that analyzes files and URLs for viruses, worms, trojans and other kinds of malicious content, aggregating the verdicts of many antivirus engines and URL scanners. By integrating it with Query, you can:

  • Get threat intelligence on indicators of compromise such as IP addresses, URLs, domains and file hashes, directly from Query search.

Prerequisites

You need a VirusTotal account and an API key issued for that account. The connection parameters you will enter in Query are listed under VirusTotal Setup below; have the API key at hand before you start.

VirusTotal Setup

Start by setting up your first federated connection. In Query, click the Connections link, then Add Connection.

VirusTotal API Key

  • Log in to virustotal.com (or create an account). Under your profile settings, select API Keys.
  • Create your VirusTotal API key, copy it, and save it in a secure location. Treat the key like a password: anyone who holds it can query VirusTotal against your account and quota.
  • Back in the Add Connection form in Query, fill in the connection parameters:
    • Name: the name of the connection as it appears in the Query UI
    • Platform Instance: VirusTotal
    • API Key: paste the API key from above
    • Base URL: false (leave as is)
  • Click Test Connection. If no errors are reported, the connection was successful.
  • Click Save.
  • You will now see one data connection set up for VirusTotal.

NOTE: You may have multiple connections of the same type, each with its own API key or credentials. For example, if you have 5 instances of a data lake such as Splunk in different regions, you can configure a separate connection for each of the 5.

Test your connection with search

  • Click the magnifying glass icon in the left pane.
  • In the search box at the top, type or click Domain equals hendersonlandworks.co.nz.
  • Results are returned from the VirusTotal connection. Note that the example above has only one connection for VirusTotal; with several, results from each are shown.

If you are receiving results, your first connection is complete!
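If Test Connection or the search fails, it helps to take Query out of the picture and exercise the key against VirusTotal directly. The script below is an added example for this page, not Query's integration code. It assumes the public VirusTotal API v3 (base URL https://www.virustotal.com/api/v3, key sent in the x-apikey header, object paths domains/, ip_addresses/, files/ and urls/) and reads the key from a VT_API_KEY environment variable, which is a name chosen here. It goes slightly beyond the domain example on this page: it routes any of the indicator types the page mentions (domain, IP, file hash, URL) to the right endpoint and reduces the report to the engine verdict counts. SAMPLE_REPORT is a constructed response used only so the summarizer can be exercised offline.

```python
"""Check a VirusTotal API key and look up one indicator with the public v3 API.

Added example; not Query's code. Assumptions: the v3 endpoint paths below as
documented by VirusTotal, and the key supplied via the VT_API_KEY variable.
"""
import base64
import ipaddress
import json
import os
import re
import urllib.error
import urllib.request

VT_BASE_URL = "https://www.virustotal.com/api/v3"
# MD5, SHA-1 or SHA-256 hex digests identify VirusTotal file objects.
HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")


def vt_object_path(indicator: str) -> str:
    """Map an indicator string to its v3 object path (file, URL, IP or domain)."""
    if HASH_RE.match(indicator):
        return f"/files/{indicator.lower()}"
    if indicator.startswith(("http://", "https://")):
        # URL objects are addressed by the unpadded base64url encoding of the URL.
        url_id = base64.urlsafe_b64encode(indicator.encode()).decode().rstrip("=")
        return f"/urls/{url_id}"
    try:
        ipaddress.ip_address(indicator)
        return f"/ip_addresses/{indicator}"
    except ValueError:
        pass  # not an IP literal, so treat it as a domain
    return f"/domains/{indicator}"


def summarize(report: dict) -> dict:
    """Reduce a v3 object report to its last_analysis_stats and a simple verdict."""
    data = report["data"]
    stats = data["attributes"].get("last_analysis_stats", {})
    malicious = stats.get("malicious", 0)
    suspicious = stats.get("suspicious", 0)
    if malicious:
        verdict = "malicious"
    elif suspicious:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "id": data["id"],
        "type": data["type"],
        "malicious": malicious,
        "suspicious": suspicious,
        "total_engines": sum(stats.values()),
        "verdict": verdict,
    }


def lookup(indicator: str, api_key=None, timeout: int = 15) -> dict:
    """Query VirusTotal for one indicator and return the summarized verdict.

    Raises RuntimeError with a readable reason for the HTTP errors you are most
    likely to hit while validating a key: 401 (bad key), 404 (unknown object)
    and 429 (public API quota exhausted).
    """
    api_key = api_key or os.environ.get("VT_API_KEY")
    if not api_key:
        raise RuntimeError("set VT_API_KEY to the key from your VirusTotal profile")
    req = urllib.request.Request(
        VT_BASE_URL + vt_object_path(indicator),
        headers={"x-apikey": api_key, "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return summarize(json.load(resp))
    except urllib.error.HTTPError as err:
        meaning = {401: "invalid API key", 404: "indicator not known to VirusTotal",
                   429: "API quota exceeded"}
        raise RuntimeError(
            f"VirusTotal returned {err.code}: {meaning.get(err.code, err.reason)}"
        ) from err


# Constructed sample in the shape of a v3 domain object, for offline testing only.
SAMPLE_REPORT = {
    "data": {
        "id": "constructed.example",
        "type": "domain",
        "attributes": {
            "last_analysis_stats": {
                "harmless": 60, "malicious": 3, "suspicious": 0,
                "undetected": 25, "timeout": 0,
            }
        },
    }
}

if __name__ == "__main__":
    target = os.environ.get("VT_INDICATOR", "hendersonlandworks.co.nz")
    print(json.dumps(lookup(target), indent=2))
```

Run it with VT_API_KEY set and the same domain you searched in Query; a 401 means the key itself is wrong (re-copy it from your VirusTotal profile), while a 429 means the public quota is exhausted and Query's Test Connection will fail for the same reason until it resets.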

Adding a connection in Query

To set up the VirusTotal connection, see the Getting Started section of this guide.

Resources