# Playbook of the Week: Automating Artifact Analysis with VirusTotal and Cortex XSOAR

By [Guy Liberman](https://www.paloaltonetworks.com/blog/author/guy-liberman/?ts=markdown "Posts by Guy Liberman"), Jan 27, 2023, 4 minutes

Tags: [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown), [Automation](https://www.paloaltonetworks.com/blog/tag/automation/?ts=markdown), [Cortex XSOAR](https://www.paloaltonetworks.com/blog/tag/cortex-xsoar/?ts=markdown), [Security Automation](https://www.paloaltonetworks.com/blog/tag/security-automation/?ts=markdown), [security orchestration](https://www.paloaltonetworks.com/blog/tag/security-orchestration/?ts=markdown), [security playbooks](https://www.paloaltonetworks.com/blog/tag/security-playbooks/?ts=markdown), [VirusTotal](https://www.paloaltonetworks.com/blog/tag/virustotal/?ts=markdown)

The rapidly changing cyberthreat landscape is a significant challenge for many organizations. With new threats constantly emerging, it can be difficult to keep up and effectively protect the organization and its assets, especially given the complexity and scale of many modern threats.

Analysis of indicators and artifacts such as URLs and files is essential in cybersecurity investigations. Analyzing URLs and files helps determine whether they contain malware or other malicious content. This matters in the early stages of an investigation, because identifying and containing threats as quickly as possible minimizes damage.

Beyond identifying threats, URL and file analysis helps security professionals understand how threats are delivered and how they operate. For example, analyzing a URL shows how it is being used to deliver malware or other threats, and analyzing the content of a malicious file shows how the file is used to compromise systems or steal sensitive data. URL and file analysis can also be used to track the source of threats, which helps in tracking down the actors behind them and building attributions.

Many organizations use the [VirusTotal](https://www.virustotal.com/gui/home/upload) online service to analyze and identify artifacts. The service leverages an extensive database of known malware and advanced analysis tools.
VirusTotal inspects its roughly 3.6B samples with over 70 antivirus scanners, URL/domain blocklisting services, and a myriad of tools that extract signals from the studied content.

### **Unlocking the True Power of VirusTotal with Cortex XSOAR**

[Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar) integrates with VirusTotal to automatically analyze suspicious hashes, URLs, domains, and IP addresses, enhancing threat detection and response capabilities. This lets you check for an immediate verdict, detonate artifacts, and get extended context from VirusTotal without manual effort.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/01/word-image-178724-1-1.png)

The integration comes with out-of-the-box playbooks to help you quickly integrate VirusTotal into your operations.

### **See It In Action**

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/01/word-image-178724-2-1.png)

Figure 1: URL detonation playbook

When the URL detonation playbook runs against VirusTotal, the response is very detailed, covering many checks that manual work may overlook or skip as seemingly irrelevant.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/01/word-image-178724-3.png)

Figure 2: URL analysis

### **The Full Value of VirusTotal and XSOAR**

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/01/word-image-178724-4.png)

The VirusTotal integration includes an extensive list of supported commands that can be executed from Cortex XSOAR as part of an automation or in a playbook:

* [ip](https://xsoar.pan.dev/docs/reference/integrations/virus-total-api-v3#ip) - Checks the reputation of an IP address.
* [url](https://xsoar.pan.dev/docs/reference/integrations/virus-total-api-v3#url) - Checks the reputation of a URL.
* [domain](https://xsoar.pan.dev/docs/reference/integrations/virus-total-api-v3#domain) - Checks the reputation of a domain.
* [url-scan](https://xsoar.pan.dev/docs/reference/integrations/virus-total-api-v3#url-scan-1) - Scans a specified URL. Use the vt-analysis-get command to get the scan results.
* [vt-comments-add](https://xsoar.pan.dev/docs/reference/integrations/virus-total-api-v3#vt-comments-add) - Adds comments to files and URLs.
* [vt-file-scan-upload-url](https://xsoar.pan.dev/docs/reference/integrations/virus-total-api-v3#vt-file-scan-upload-url-1) - Premium API. Gets a special upload URL for files larger than 32 MB.
* [vt-comments-delete](https://xsoar.pan.dev/docs/reference/integrations/virus-total-api-v3#vt-comments-delete) - Deletes a comment.
* [vt-comments-get](https://xsoar.pan.dev/docs/reference/integrations/virus-total-api-v3#vt-comments-get-1) - Retrieves comments for a given resource.
* [vt-comments-get-by-id](https://xsoar.pan.dev/docs/reference/integrations/virus-total-api-v3#vt-comments-get-by-id) - Retrieves a comment by comment ID.
* [vt-search](https://xsoar.pan.dev/docs/reference/integrations/virus-total-api-v3#vt-search) - Searches for an indicator in VirusTotal.
* [vt-file-sandbox-report](https://xsoar.pan.dev/docs/reference/integrations/virus-total-api-v3#vt-file-sandbox-report) - Retrieves a behavioral relationship of the given file hash.
* [vt-passive-dns-data](https://xsoar.pan.dev/docs/reference/integrations/virus-total-api-v3#vt-passive-dns-data) - Returns passive DNS records by indicator.
* [vt-analysis-get](https://xsoar.pan.dev/docs/reference/integrations/virus-total-api-v3#vt-analysis-get) - Retrieves resolutions of the given IP.
* [vt-file-sigma-analysis](https://xsoar.pan.dev/docs/reference/integrations/virus-total-api-v3#vt-file-sigma-analysis) - Retrieves the result of the last Sigma analysis.

### **Conclusion**

VirusTotal is a valuable tool that provides extensive malware analysis capabilities and helps organizations significantly improve their ability to identify and respond to threats.
Using the integration with Cortex XSOAR helps reduce the time it takes to verify a threat, collect data for analysis, and act on it.

For more information on the VirusTotal content pack, refer to the [pack documentation](https://cortex.marketplace.pan.dev/marketplace/details/virustotalTriage/?). To learn more about how you can automate security operations with Cortex XSOAR, check out our virtual self-guided [XSOAR Product Tour](https://www.paloaltonetworks.com/resources/infographics/xsoar-product-tour). We also host virtual and in-person events, so check [here](https://www.paloaltonetworks.com/resources/cortex-events) for upcoming ones.
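The scan-then-fetch flow that the command list describes (url-scan followed by vt-analysis-get) and the verdict step a playbook takes on the result, as an added Python example. This is not code from the blog post or from the Cortex XSOAR VirusTotal integration. It assumes the VirusTotal API v3 response shape for an analysis object (`data.attributes.status`, `data.attributes.stats`, `data.attributes.results`), the Cortex XSOAR DBotScore convention (0 unknown, 1 good, 2 suspicious, 3 bad), and thresholds of our own choosing; every response is a constructed sample, and `triage_url_scan`, `wait_for_analysis`, `verdict_from_stats` and `flagging_engines` are hypothetical helper names.

```python
"""Added example: triaging a VirusTotal URL scan the way a playbook step would.

Not code from the blog post or the Cortex XSOAR VirusTotal integration.
Assumptions: VirusTotal API v3 analysis-object shape (data.attributes.status,
data.attributes.stats, data.attributes.results), the Cortex XSOAR DBotScore
convention (0 unknown, 1 good, 2 suspicious, 3 bad) and thresholds chosen here.
All responses below are constructed samples, not real VirusTotal output.
"""
from typing import Callable, Dict, List, Tuple

DBOT_UNKNOWN, DBOT_GOOD, DBOT_SUSPICIOUS, DBOT_BAD = 0, 1, 2, 3
SCORE_LABELS = {DBOT_UNKNOWN: "unknown", DBOT_GOOD: "good",
                DBOT_SUSPICIOUS: "suspicious", DBOT_BAD: "bad"}

# Assumed thresholds (the integration exposes similar tunables; these values are ours).
MALICIOUS_THRESHOLD = 5    # this many "malicious" engine votes or more -> bad
SUSPICIOUS_THRESHOLD = 1   # this many malicious+suspicious votes or more -> suspicious


def verdict_from_stats(stats: Dict[str, int],
                       malicious_threshold: int = MALICIOUS_THRESHOLD,
                       suspicious_threshold: int = SUSPICIOUS_THRESHOLD) -> int:
    """Map the v3 ``stats`` counters (harmless/malicious/suspicious/undetected/timeout)
    to a DBotScore. Missing keys count as zero; if no engine answered at all the
    artifact is unknown rather than good (timeouts alone are not a clean bill)."""
    malicious = stats.get("malicious", 0)
    suspicious = stats.get("suspicious", 0)
    answered = malicious + suspicious + stats.get("harmless", 0) + stats.get("undetected", 0)
    if answered == 0:
        return DBOT_UNKNOWN
    if malicious >= malicious_threshold:
        return DBOT_BAD
    if malicious + suspicious >= suspicious_threshold:
        return DBOT_SUSPICIOUS
    return DBOT_GOOD


def flagging_engines(results: Dict[str, dict]) -> List[str]:
    """Names of engines whose per-engine ``category`` is malicious or suspicious,
    so the analyst sees who flagged the artifact, not only a count."""
    return sorted(name for name, r in results.items()
                  if r.get("category") in ("malicious", "suspicious"))


def wait_for_analysis(fetch_analysis: Callable[[], dict],
                      max_polls: int = 10) -> Tuple[dict, int]:
    """Poll the analysis object (what vt-analysis-get returns for the id that
    url-scan handed back) until its status is 'completed'.
    Returns (attributes, polls used); raises TimeoutError when the budget runs out."""
    for polls in range(1, max_polls + 1):
        attrs = fetch_analysis()["data"]["attributes"]
        if attrs.get("status") == "completed":
            return attrs, polls
    raise TimeoutError(f"analysis still pending after {max_polls} polls")


def triage_url_scan(fetch_analysis: Callable[[], dict], max_polls: int = 10) -> dict:
    """Full playbook step: wait for the scan, score it, list the flagging engines."""
    attrs, polls = wait_for_analysis(fetch_analysis, max_polls)
    score = verdict_from_stats(attrs.get("stats", {}))
    return {"score": score, "label": SCORE_LABELS[score], "polls": polls,
            "stats": attrs.get("stats", {}),
            "flagged_by": flagging_engines(attrs.get("results", {}))}


def make_fake_fetch(responses: List[dict]) -> Callable[[], dict]:
    """Simulate successive vt-analysis-get calls from a constructed response list."""
    it = iter(responses)
    return lambda: next(it)


# Constructed samples: first poll still queued, second poll completed.
QUEUED = {"data": {"type": "analysis", "id": "u-EXAMPLE-ANALYSIS-ID",
                   "attributes": {"status": "queued", "stats": {}, "results": {}}}}
COMPLETED = {"data": {"type": "analysis", "id": "u-EXAMPLE-ANALYSIS-ID",
                      "attributes": {
                          "status": "completed",
                          "stats": {"harmless": 60, "malicious": 7, "suspicious": 1,
                                    "undetected": 22, "timeout": 0},
                          "results": {
                              "EngineA": {"category": "malicious", "result": "phishing"},
                              "EngineB": {"category": "suspicious", "result": "suspicious"},
                              "EngineC": {"category": "harmless", "result": "clean"},
                          }}}}
SAMPLE_RESPONSES = [QUEUED, COMPLETED]

if __name__ == "__main__":
    print(triage_url_scan(make_fake_fetch(SAMPLE_RESPONSES)))
```

In a real playbook the `fetch_analysis` callable would be the vt-analysis-get command call with the analysis id returned by url-scan, and the polling budget would be a playbook timeout; the point of the `answered == 0` branch is that an analysis with only timeouts must not be treated as clean.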