Wazuh is an open-source security platform that combines Security Information and Event Management (SIEM) and Extended Detection and Response (XDR) capabilities.
It helps security teams collect, analyze, and correlate security events from endpoints, servers, cloud workloads, containers, and network devices.
Organizations use Wazuh for:
- Log analysis and threat detection
- File Integrity Monitoring (FIM)
- Vulnerability detection
- Security configuration assessment
- Incident response automation
- Regulatory compliance monitoring
One of Wazuh’s biggest strengths is its ability to integrate with external threat intelligence sources, allowing security teams to enrich alerts with additional context and make faster, more informed decisions.
Wazuh official integrations documentation: https://documentation.wazuh.com/current/user-manual/manager/integration-with-external-apis.html
If you’re new to the platform, check out our guide How to Configure File Integrity Monitoring (FIM) in Wazuh to understand how Wazuh detects file changes and suspicious activity.
What is VirusTotal?
VirusTotal is a threat intelligence platform owned by Google that analyzes files, URLs, domains, and IP addresses using dozens of antivirus engines and security vendors.
Instead of relying on a single malware scanner, VirusTotal aggregates verdicts from multiple security engines, helping analysts quickly determine whether a file or indicator has been associated with malicious activity.
Security teams commonly use VirusTotal to:
- Analyze suspicious files
- Validate indicators of compromise (IOCs)
- Investigate malware samples
- Perform threat hunting
- Enrich SIEM alerts with reputation data
According to VirusTotal, its platform combines detections from dozens of security vendors and continuously updates threat intelligence data, making it one of the most widely used malware reputation services in the industry.
What You’ll Learn in This Guide
In this tutorial, you’ll learn:
- How the Wazuh-VirusTotal integration works
- Prerequisites required before configuration
- How to obtain a VirusTotal API key
- How to configure the integration on a Wazuh Manager
- How to verify that VirusTotal lookups are working correctly
- How to test the integration using known malware samples
- Troubleshooting tips for common integration issues
- Best practices for optimizing VirusTotal usage and API limits
By the end of this guide, you’ll have a fully functional threat intelligence workflow that automatically enriches Wazuh alerts with VirusTotal reputation data.
For a complete guide, see The Complete Wazuh Integration Guide.
If you’re already customizing Wazuh detections, you may also find this helpful: How to Create Custom Detection Rules in Wazuh (With Examples).
Why Integrate Wazuh with VirusTotal?
On its own, Wazuh can detect suspicious file activity and generate alerts.
However, a file hash alone does not immediately tell analysts whether the file is malicious.
By integrating VirusTotal with Wazuh, every detected file can be automatically checked against VirusTotal’s threat intelligence database.
This provides instant context about:
- Known malware detections
- Reputation scores
- Security vendor verdicts
- Previously observed threats
- Threat classifications
Instead of manually copying hashes into VirusTotal during investigations, analysts receive enriched alerts directly inside Wazuh.
This dramatically reduces investigation time and helps security teams prioritize genuine threats over false positives.
Benefits of Threat Intelligence Enrichment
Threat intelligence enrichment transforms raw security events into actionable security insights.
Key benefits include:
Faster Threat Detection
Security analysts can immediately identify whether a detected file has been flagged by multiple security vendors without performing manual research.
Reduced Alert Fatigue
Threat intelligence context helps analysts focus on high-risk alerts instead of investigating every file equally.
Improved Incident Response
Analysts can quickly determine whether a file is associated with known malware families and take appropriate remediation actions.
Better Threat Hunting
Threat hunters gain additional context that can reveal attack patterns and previously unseen threats.
Enhanced SOC Efficiency
Research from the cybersecurity organization SANS Institute consistently highlights threat intelligence enrichment as a key capability for improving Security Operations Center (SOC) effectiveness and reducing mean time to detection (MTTD).
Understanding the Wazuh and VirusTotal Integration
What the Integration Does
The Wazuh-VirusTotal integration automatically submits file hashes detected by Wazuh to VirusTotal and enriches alerts with threat intelligence information.
This allows analysts to see whether a file has been identified as malicious by security vendors without leaving the Wazuh dashboard.
File Hash Reputation Lookups
Whenever Wazuh detects a monitored file event, it can extract the file’s cryptographic hash (typically MD5, SHA1, or SHA256).
That hash is then queried against VirusTotal’s threat intelligence database.
If VirusTotal has previously analyzed the file, it returns detailed reputation information including:
- Detection counts
- Antivirus verdicts
- Malware classifications
- Community reputation data
- Historical observations
Malware Detection Enrichment
Traditional alerts only tell you that a file exists or has changed.
Threat intelligence enrichment adds valuable context such as:
- Whether the file is known malware
- How many vendors detected it
- Which malware family it belongs to
- Whether it has been observed in previous attacks
This context significantly improves analyst decision-making during investigations.
Automated Threat Intelligence Checks
Without integration, analysts typically perform these steps manually:
- Copy the file hash from the alert.
- Open VirusTotal.
- Search for the hash.
- Review results.
- Return to the SIEM.
The integration automates this entire process and embeds the results directly into the Wazuh alert workflow.
This reduces investigation time and ensures threat intelligence checks occur consistently across all monitored systems.
Enhanced Security Alerts
A standard file monitoring alert might simply report:
File created: suspicious.exe
An enriched alert can additionally show:
- VirusTotal detection ratio
- Malware classification
- Vendor verdicts
- Reputation indicators
- Threat confidence information
This gives analysts immediate insight into the severity of the event.
Common Use Cases
Detecting Malicious Files on Endpoints
When a user downloads or executes a suspicious file, Wazuh can detect the file event and automatically determine whether the file is associated with known malware.
This provides early warning before the threat spreads across the environment.
Investigating Suspicious Executables
Security analysts frequently encounter unknown executable files during investigations.
Instead of manually researching every executable, VirusTotal enrichment immediately provides:
- Reputation data
- Vendor detections
- Threat classifications
This helps determine whether further investigation is necessary.
Validating Indicators of Compromise (IOCs)
File hashes are among the most common indicators of compromise used in threat intelligence reports.
The Wazuh-VirusTotal integration allows organizations to automatically validate these indicators against a continuously updated intelligence source.
Supporting Incident Response Workflows
During an incident, analysts often need to answer critical questions quickly:
- Is this file malicious?
- Has it been seen before?
- How many vendors detect it?
- Is it associated with ransomware or known malware?
VirusTotal enrichment helps answer these questions within seconds, accelerating containment and remediation efforts.
How the Integration Works
The integration follows a straightforward workflow that begins when Wazuh detects a file-related event.
1. Wazuh Detects a File Event
A file event is generated through File Integrity Monitoring (FIM) or another monitoring mechanism.
Examples include:
- File creation
- File modification
- File deletion
- New executable detection
2. Wazuh Extracts the File Hash
Wazuh calculates the file’s cryptographic hash and includes it in the generated alert.
Hashes serve as unique identifiers that can be used to determine whether the file has been previously analyzed.
3. Integrator Sends the Hash to VirusTotal
The Wazuh Integrator component receives the alert and submits the hash to the VirusTotal API using your configured API key.
The request occurs automatically without analyst intervention.
4. VirusTotal Returns Reputation Data
VirusTotal searches its intelligence database for the submitted hash and returns information such as:
- Detection statistics
- Malware classifications
- Security vendor results
- Reputation indicators
- Analysis metadata
5. Wazuh Generates an Enriched Alert
Wazuh appends the VirusTotal intelligence data to the original alert and stores the enriched event.
The final alert provides both:
- The original security event
- Threat intelligence context from VirusTotal
This enables analysts to make faster, more accurate decisions when triaging security incidents.
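The five steps above, modelled offline as an added example (not Wazuh's own integration script): a constructed syscheck alert is reduced to its hash, the VirusTotal API v3 lookup request is built, and a constructed VirusTotal response is folded back into the alert, including the not-found and quota-exceeded outcomes. The virustotal.* field names mirror the shape of Wazuh's enrichment as an assumption, and all hashes and verdict counts are dummy values.

```python
# Constructed: a trimmed File Integrity Monitoring alert in Wazuh's JSON layout (step 1).
SAMPLE_ALERT = {
    "id": "1700000000.12345",
    "rule": {"id": "554", "level": 5, "groups": ["ossec", "syscheck"]},
    "syscheck": {
        "path": "/var/www/html/upload.php",
        "event": "added",
        "md5_after": "3a" * 16,       # dummy hashes, not real samples
        "sha1_after": "7b" * 20,
        "sha256_after": "c4" * 32,
    },
}

# Constructed: the body VirusTotal would return for a hash it knows (step 4),
# using the API v3 field layout (data.attributes.last_analysis_stats).
SAMPLE_VT_RESPONSE = {
    "data": {
        "id": SAMPLE_ALERT["syscheck"]["sha256_after"],
        "attributes": {
            "last_analysis_date": 1700000000,
            "last_analysis_stats": {"malicious": 62, "suspicious": 1, "undetected": 10,
                                    "harmless": 0, "timeout": 0, "type-unsupported": 2,
                                    "failure": 0},
            "popular_threat_classification": {"suggested_threat_label": "trojan.webshell/generic"},
        },
    },
}


def extract_hash(alert):
    """Step 2: pick the strongest hash present. Deleted files carry none."""
    sc = alert.get("syscheck", {})
    for key in ("sha256_after", "sha1_after", "md5_after"):
        if sc.get(key):
            return sc[key]
    return None


def build_request(file_hash, api_key):
    """Step 3: the lookup the Integrator issues; the key travels in a header, never in the URL."""
    return {"url": "https://www.virustotal.com/api/v3/files/" + file_hash,
            "headers": {"x-apikey": api_key}}


def enrich_alert(alert, http_status, vt_body):
    """Steps 4-5: fold the VirusTotal outcome into a copy of the alert (assumed field shape)."""
    sc = alert["syscheck"]
    vt = {"source": {"alert_id": alert["id"], "file": sc["path"], "sha1": sc.get("sha1_after")}}
    if http_status == 200:
        attrs = vt_body["data"]["attributes"]
        stats = attrs["last_analysis_stats"]
        positives = stats.get("malicious", 0)
        vt.update(found=1, positives=positives, total=sum(stats.values()),
                  malicious=int(positives > 0), scan_date=attrs.get("last_analysis_date"),
                  label=attrs.get("popular_threat_classification", {}).get("suggested_threat_label"),
                  permalink="https://www.virustotal.com/gui/file/" + vt_body["data"]["id"])
    elif http_status == 404:
        vt["found"] = 0              # hash never submitted to VirusTotal: not proof of safety
    else:
        vt["error"] = http_status    # e.g. 401 invalid key, 429 public API quota exceeded
    return {**alert, "virustotal": vt}
```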
Prerequisites
Before integrating Wazuh with VirusTotal, make sure your environment meets the necessary requirements.
Having the proper components in place will help ensure a smooth deployment and avoid troubleshooting issues later.
Wazuh Deployment Requirements
Wazuh Manager Installed and Operational
The VirusTotal integration runs on the Wazuh Manager, not the endpoint agents.
Therefore, you must have a functioning Wazuh deployment with the manager installed and processing events successfully.
Before proceeding, verify that:
- The Wazuh Manager is running
- Agents are connected
- Alerts are being generated
- The Wazuh dashboard is accessible
If you’re still building your Wazuh deployment, consider reviewing our guide: How to Install a Wazuh Agent on Windows Server.
Wazuh Agents Reporting Successfully
The integration relies on alerts generated by agents.
If agents are disconnected or failing to report data, VirusTotal lookups will never occur.
Confirm that:
- Agents appear as active
- Logs are being collected
- Syscheck events are visible
- File Integrity Monitoring is functioning correctly
Administrative Access to the Wazuh Server
You’ll need administrative privileges to:
- Modify configuration files
- Restart services
- Review logs
- Test the integration
For Linux deployments, root or sudo access is typically required.
VirusTotal Requirements
VirusTotal Account
A VirusTotal account is required before you can access the API.
Registration is free and only takes a few minutes.
API Key Access
The integration communicates with VirusTotal through its API.
After creating your account, VirusTotal provides an API key that authenticates requests originating from your Wazuh Manager.
Keep this key secure because anyone with access to it can consume your API quota.
Understanding API Rate Limits
VirusTotal limits how many API requests can be performed within a given time period.
If your environment generates a high volume of file integrity events, you may exceed these limits and receive API throttling errors.
Understanding these restrictions before deployment helps avoid unexpected interruptions.
Network Requirements
Internet Connectivity from the Wazuh Manager
The Wazuh Manager must be able to communicate with VirusTotal’s API endpoints.
Without internet connectivity, reputation lookups will fail even if the integration is configured correctly.
Verify that the server can:
- Resolve external DNS names
- Reach VirusTotal over HTTPS
- Establish outbound connections
Firewall Rules Allowing Outbound API Requests
Many organizations restrict outbound traffic from security infrastructure.
Ensure your firewall permits outbound HTTPS traffic from the Wazuh Manager to VirusTotal’s API services.
Common requirements include:
- TCP port 443 access
- DNS resolution capability
- Outbound HTTPS communication
Obtaining a VirusTotal API Key
Create a VirusTotal Account
Visit the VirusTotal website and register for an account if you do not already have one.
After verifying your email address, you’ll gain access to your profile and API settings.
Generate an API Key
After logging in:
- Open your profile settings.
- Navigate to the API Key section.
- Copy your personal API key.
- Store the key securely.
You’ll use this value later when configuring Wazuh.
A typical API key resembles:
1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
Never share your API key publicly or commit it to version control systems.
Understand API Usage Limits
Before enabling automated lookups, it’s important to understand how VirusTotal enforces API consumption limits.
Public API Limitations
The free VirusTotal API is suitable for:
- Small labs
- Home environments
- Security testing
- Learning purposes
However, it includes strict request limitations.
Because File Integrity Monitoring can generate many events, large environments may quickly exhaust their quota.
According to VirusTotal documentation, users should carefully monitor API consumption and avoid excessive automated submissions.
Premium API Considerations
Organizations with:
- Large endpoint deployments
- Active SOC teams
- Continuous monitoring requirements
- High alert volumes
may benefit from a VirusTotal Premium subscription.
Premium tiers typically provide:
- Higher request limits
- Additional intelligence capabilities
- Advanced hunting features
- Expanded threat context
The additional capacity can significantly improve scalability in enterprise environments.
Avoiding Rate-Limit Issues
To minimize API exhaustion:
- Monitor only critical directories
- Avoid scanning temporary folders
- Exclude frequently changing files
- Limit lookups to high-value events
- Use targeted File Integrity Monitoring policies
These practices reduce unnecessary queries while preserving visibility into meaningful security events.
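The practices above, turned into a quota-conserving gate as an added example (not part of Wazuh): alerts without a content hash, paths on an exclusion list, and hashes already looked up within a TTL window never cost a request. Alert field names follow Wazuh's syscheck JSON; the exclusion globs, the TTL and the sample events are assumptions constructed for this example.

```python
import fnmatch
import time

# Assumed exclusion list: paths whose churn is not worth VirusTotal quota.
EXCLUDED_GLOBS = ("/tmp/*", "/var/tmp/*", "*/.cache/*", "*.log", "*.tmp", "*.swp")


class LookupGate:
    """Decides whether a syscheck alert should cost a VirusTotal request."""

    def __init__(self, ttl_seconds=24 * 3600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so tests can advance time
        self.seen = {}              # file hash -> time of last lookup

    @staticmethod
    def file_hash(alert):
        sc = alert.get("syscheck", {})
        return sc.get("sha256_after") or sc.get("sha1_after") or sc.get("md5_after")

    def decide(self, alert):
        """Return (should_query, reason); hashes that pass are remembered."""
        sc = alert.get("syscheck", {})
        if "syscheck" not in alert.get("rule", {}).get("groups", []):
            return False, "not a syscheck alert"
        if sc.get("event") == "deleted":
            return False, "deleted file: no content hash to look up"
        if any(fnmatch.fnmatch(sc.get("path", ""), g) for g in EXCLUDED_GLOBS):
            return False, "path matches exclusion list"
        h = self.file_hash(alert)
        if not h:
            return False, "alert carries no hash"
        now = self.clock()
        if h in self.seen and now - self.seen[h] < self.ttl:
            return False, "hash already looked up within TTL"
        self.seen[h] = now
        return True, "query VirusTotal"


def fim_alert(path, event, sha256=None):
    """Constructed, trimmed syscheck alert in Wazuh's JSON field layout."""
    sc = {"path": path, "event": event}
    if sha256:
        sc["sha256_after"] = sha256
    return {"rule": {"groups": ["ossec", "syscheck"]}, "syscheck": sc}


def run_sample(gate):
    """Push a constructed burst of FIM events through the gate; return counts."""
    h = "e3" * 32                                                  # dummy hash
    events = [
        fim_alert("/home/alice/Downloads/setup.exe", "added", h),
        fim_alert("/home/bob/Downloads/setup.exe", "added", h),    # same hash again
        fim_alert("/tmp/php3Fx9Kq", "added", "ab" * 32),           # excluded path
        fim_alert("/var/www/html/app.log", "modified", "cd" * 32), # excluded suffix
        fim_alert("/var/www/html/shell.php", "deleted"),            # no hash
        fim_alert("/var/www/html/upload.php", "added", "ef" * 32),
    ]
    queried = sum(1 for a in events if gate.decide(a)[0])
    return {"events": len(events), "queried": queried}


if __name__ == "__main__":
    print(run_sample(LookupGate()))   # {'events': 6, 'queried': 2}
```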
Configuring Wazuh to Use VirusTotal
Once you’ve obtained your VirusTotal API key, the next step is configuring Wazuh to perform automated reputation lookups.
The integration is configured within the Wazuh Manager’s primary configuration file.
Locate the Wazuh Configuration File
The main Wazuh configuration file is:
/var/ossec/etc/ossec.conf
This file controls:
- Agent communication
- Integrations
- Monitoring policies
- Alerting behavior
- Threat intelligence connections
Before making changes, create a backup:
cp /var/ossec/etc/ossec.conf /var/ossec/etc/ossec.conf.bak
This allows you to restore the previous configuration if needed.
Edit the ossec.conf File
Open the file using your preferred editor:
sudo nano /var/ossec/etc/ossec.conf
Add the following integration block inside the <ossec_config> section:
<integration>
  <name>virustotal</name>
  <api_key>YOUR_API_KEY</api_key>
  <group>syscheck</group>
  <alert_format>json</alert_format>
</integration>
Replace YOUR_API_KEY with your actual VirusTotal API key.
Save the file when finished.
Understanding the Configuration Parameters
Each element within the integration block controls a specific aspect of the VirusTotal integration.
<name>
<name>virustotal</name>
This specifies the integration type.
Wazuh includes a built-in VirusTotal integration module, and the value must remain:
virustotal
Changing the value will prevent the integration from loading correctly.
<api_key>
<api_key>YOUR_API_KEY</api_key>
This field contains your VirusTotal API key.
Wazuh uses this credential when sending reputation requests to VirusTotal.
Best practices include:
- Restricting file permissions
- Rotating keys periodically
- Avoiding exposure in screenshots or documentation
<group>
<group>syscheck</group>
This determines which alert group triggers VirusTotal lookups.
The syscheck group is commonly used because it contains File Integrity Monitoring alerts.
When a file modification or creation event occurs, Wazuh can automatically submit the associated hash to VirusTotal.
<alert_format>
<alert_format>json</alert_format>
This instructs Wazuh to send alert data in JSON format.
JSON provides structured event information that the integration can process efficiently.
Restarting Wazuh Services
After saving the configuration, restart the Wazuh Manager to apply the changes.
Restart the Wazuh Manager
Execute:
systemctl restart wazuh-manager
This reloads the configuration and activates the VirusTotal integration.
Verify Successful Startup
Check the service status:
systemctl status wazuh-manager
A healthy service should show:
active (running)
with no startup failures.
Check for Configuration Errors
If the service fails to start:
- Review the service status output.
- Inspect the manager logs.
- Validate XML syntax.
- Confirm the integration block is properly nested.
Common issues include:
- Missing closing tags
- Invalid XML formatting
- Incorrect API key placement
- Typographical errors
If Wazuh fails to start after a configuration change, our guide Wazuh Agent Not Connecting to Manager? 12 Fixes That Actually Work contains several troubleshooting techniques that are also useful when diagnosing manager communication issues.
Configuring File Integrity Monitoring for VirusTotal Lookups
Why FIM Is Required
The VirusTotal integration is most commonly triggered by File Integrity Monitoring (FIM) events generated by Wazuh Syscheck.
Without FIM:
- File changes are not detected.
- File hashes are not generated.
- VirusTotal lookups are never initiated.
In other words, FIM provides the events that power the entire threat intelligence workflow.
For a complete overview of FIM capabilities, see our guide How to Configure File Integrity Monitoring (FIM) in Wazuh.
Configure Syscheck Monitoring
Open:
/var/ossec/etc/ossec.conf
Locate the Syscheck section and add monitored directories.
Example:
<syscheck>
  <directories check_all="yes" realtime="yes">/home,/var/www</directories>
</syscheck>
This configuration enables:
- Real-time monitoring
- Hash generation
- File modification detection
- New file detection
Whenever a monitored file changes, Wazuh can perform a VirusTotal lookup on the associated hash.
Select Critical Directories
Not every directory needs monitoring.
Focusing on high-value locations reduces noise and conserves VirusTotal API requests.
User Download Folders
Downloads are a common source of malware infections.
Examples include:
/home/*/Downloads
C:\Users\*\Downloads
These directories often contain:
- Email attachments
- Downloaded installers
- Browser downloads
Web Application Directories
Web servers frequently become targets for malware uploads and web shell deployments.
Examples:
/var/www
/opt/webapps
Monitoring these paths can help detect:
- Unauthorized uploads
- Web shells
- Malicious scripts
Shared Network Locations
Shared folders often act as malware propagation points.
Examples:
/samba
/shares
/mnt/storage
Monitoring these areas improves visibility into lateral movement and malicious file distribution.
Application Installation Paths
Many attackers attempt to place malicious binaries inside application directories.
Examples:
/opt
/usr/local
Program Files
Monitoring installation paths can reveal persistence mechanisms and unauthorized software deployments.
Testing the VirusTotal Integration
After configuration is complete, verify that Wazuh is successfully communicating with VirusTotal.
Generate a Test Event
The easiest test method is creating a new file inside a monitored directory.
Example:
touch /home/testfile.txt
This should trigger a File Integrity Monitoring event.
Trigger a File Integrity Monitoring Alert
Once the file is created:
- Wait for Syscheck processing.
- Open the Wazuh Dashboard.
- Review recent alerts.
- Locate the file modification event.
The alert should contain file hash information that can be submitted to VirusTotal.
Verify VirusTotal Queries
After the FIM alert is generated:
- Open the Wazuh dashboard.
- Locate the event.
- Review alert details.
- Confirm VirusTotal enrichment data is present.
Successful enrichments typically include:
- Detection counts
- Reputation results
- Malware classifications
- Threat intelligence metadata
Review Integration Logs
The integration process is logged by Wazuh.
Useful log locations include:
/var/ossec/logs/integrations.log
You may also review:
/var/ossec/logs/ossec.log
for additional troubleshooting information.
Confirm Successful API Responses
A healthy integration should show:
- Successful API requests
- Reputation data returned from VirusTotal
- Enriched alerts visible in Wazuh
- No authentication or rate-limit errors
If API responses are missing, verify:
- The API key is valid
- Internet access is available
- Firewall rules permit outbound HTTPS
- VirusTotal rate limits have not been exceeded
At this point, Wazuh should automatically enrich File Integrity Monitoring alerts with VirusTotal threat intelligence, providing analysts with immediate context about potentially malicious files.
