Detecting Malicious URLs with DNIF and VirusTotal

Detecting Malicious URLs

How can you cut down on detection time and automate the process to make it more efficient?

How to Get Started

The below mentioned query can be used to detect and raise a module/alert

_fetch * from event where $Duration=1h group count_unique $URL limit 4
>>_lookup virustotal get_url_report $URL
>>_checkif int_compare $VTPositives > 1 include
>>_raise module virustotal malicious_url_detected $URL 3 10m
>>_trigger template_group virustotal malicious_url_detected_alert notify_group groupname


It’s always recommended to purchase a license to VirusTotal services if the services are to run in a production environment. If the idea is to test the services as part of a POC (Proof Of Concept) then the free VirusTotal API key would suffice. We’ve shared one use-case showcasing the combined capabilities and benefits of integration plugin built by the DNIF Team in collaboration with VirusTotal. Would love to hear if you’ve created any use cases around VirusTotal and DNIF. Please share in comments below.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store



The “Open” Big Data Analytics platform that offers solutions to the world’s most challenging cyber security problems with real-time data analytics.