How to Integrate Wazuh with VirusTotal for Threat Intelligence

Wazuh is an open-source security platform that combines Security Information and Event Management (SIEM) and Extended Detection and Response (XDR) capabilities.

It helps security teams collect, analyze, and correlate security events from endpoints, servers, cloud workloads, containers, and network devices.

Organizations use Wazuh for:

  • Log analysis and threat detection
  • File Integrity Monitoring (FIM)
  • Vulnerability detection
  • Security configuration assessment
  • Incident response automation
  • Regulatory compliance monitoring

One of Wazuh’s biggest strengths is its ability to integrate with external threat intelligence sources, allowing security teams to enrich alerts with additional context and make faster, more informed decisions.

Wazuh official integrations documentation: https://documentation.wazuh.com/current/user-manual/manager/integration-with-external-apis.html

If you’re new to the platform, check out our How to Configure File Integrity Monitoring (FIM) in Wazuh to understand how Wazuh detects file changes and suspicious activity.

What is VirusTotal?

VirusTotal is a threat intelligence platform owned by Google that analyzes files, URLs, domains, and IP addresses using dozens of antivirus engines and security vendors.

Instead of relying on a single malware scanner, VirusTotal aggregates verdicts from multiple security engines, helping analysts quickly determine whether a file or indicator has been associated with malicious activity.

Security teams commonly use VirusTotal to:

  • Analyze suspicious files
  • Validate indicators of compromise (IOCs)
  • Investigate malware samples
  • Perform threat hunting
  • Enrich SIEM alerts with reputation data

According to VirusTotal, its platform combines detections from dozens of security vendors and continuously updates threat intelligence data, making it one of the most widely used malware reputation services in the industry.

What You’ll Learn in This Guide

In this tutorial, you’ll learn:

  • How the Wazuh-VirusTotal integration works
  • Prerequisites required before configuration
  • How to obtain a VirusTotal API key
  • How to configure the integration on a Wazuh Manager
  • How to verify that VirusTotal lookups are working correctly
  • How to test the integration using known malware samples
  • Troubleshooting tips for common integration issues
  • Best practices for optimizing VirusTotal usage and API limits

By the end of this guide, you’ll have a fully functional threat intelligence workflow that automatically enriches Wazuh alerts with VirusTotal reputation data.

If you’re already customizing Wazuh detections, you may also find this helpful: How to Create Custom Detection Rules in Wazuh (With Examples)


Why Integrate Wazuh with VirusTotal?

On its own, Wazuh can detect suspicious file activity and generate alerts.

However, a file hash alone does not immediately tell analysts whether the file is malicious.

By integrating VirusTotal with Wazuh, every detected file can be automatically checked against VirusTotal’s threat intelligence database.

This provides instant context about:

  • Known malware detections
  • Reputation scores
  • Security vendor verdicts
  • Previously observed threats
  • Threat classifications

Instead of manually copying hashes into VirusTotal during investigations, analysts receive enriched alerts directly inside Wazuh.

This dramatically reduces investigation time and helps security teams prioritize genuine threats over false positives.

Benefits of Threat Intelligence Enrichment

Threat intelligence enrichment transforms raw security events into actionable security insights.

Key benefits include:

Faster Threat Detection

Security analysts can immediately identify whether a detected file has been flagged by multiple security vendors without performing manual research.

Reduced Alert Fatigue

Threat intelligence context helps analysts focus on high-risk alerts instead of investigating every file equally.

Improved Incident Response

Analysts can quickly determine whether a file is associated with known malware families and take appropriate remediation actions.

Better Threat Hunting

Threat hunters gain additional context that can reveal attack patterns and previously unseen threats.

Enhanced SOC Efficiency

Research from the cybersecurity organization SANS Institute consistently highlights threat intelligence enrichment as a key capability for improving Security Operations Center (SOC) effectiveness and reducing mean time to detection (MTTD).


Understanding the Wazuh and VirusTotal Integration


What the Integration Does

The Wazuh-VirusTotal integration automatically submits file hashes detected by Wazuh to VirusTotal and enriches alerts with threat intelligence information.

This allows analysts to see whether a file has been identified as malicious by security vendors without leaving the Wazuh dashboard.

File Hash Reputation Lookups

Whenever Wazuh detects a monitored file event, it can extract the file’s cryptographic hash (typically MD5, SHA1, or SHA256).

That hash is then queried against VirusTotal’s threat intelligence database.

If VirusTotal has previously analyzed the file, it returns detailed reputation information including:

  • Detection counts
  • Antivirus verdicts
  • Malware classifications
  • Community reputation data
  • Historical observations

Malware Detection Enrichment

Traditional alerts only tell you that a file exists or has changed.

Threat intelligence enrichment adds valuable context such as:

  • Whether the file is known malware
  • How many vendors detected it
  • Which malware family it belongs to
  • Whether it has been observed in previous attacks

This context significantly improves analyst decision-making during investigations.

Automated Threat Intelligence Checks

Without integration, analysts typically perform these steps manually:

  1. Copy the file hash from the alert.
  2. Open VirusTotal.
  3. Search for the hash.
  4. Review results.
  5. Return to the SIEM.

The integration automates this entire process and embeds the results directly into the Wazuh alert workflow.

This reduces investigation time and ensures threat intelligence checks occur consistently across all monitored systems.

Enhanced Security Alerts

A standard file monitoring alert might simply report:

File created: suspicious.exe

An enriched alert can additionally show:

  • VirusTotal detection ratio
  • Malware classification
  • Vendor verdicts
  • Reputation indicators
  • Threat confidence information

This gives analysts immediate insight into the severity of the event.

Common Use Cases


Detecting Malicious Files on Endpoints

When a user downloads or executes a suspicious file, Wazuh can detect the file event and automatically determine whether the file is associated with known malware.

This provides early warning before the threat spreads across the environment.

Investigating Suspicious Executables

Security analysts frequently encounter unknown executable files during investigations.

Instead of manually researching every executable, VirusTotal enrichment immediately provides:

  • Reputation data
  • Vendor detections
  • Threat classifications

This helps determine whether further investigation is necessary.

Validating Indicators of Compromise (IOCs)

File hashes are among the most common indicators of compromise used in threat intelligence reports.

The Wazuh-VirusTotal integration allows organizations to automatically validate these indicators against a continuously updated intelligence source.

Supporting Incident Response Workflows

During an incident, analysts often need to answer critical questions quickly:

  • Is this file malicious?
  • Has it been seen before?
  • How many vendors detect it?
  • Is it associated with ransomware or known malware?

VirusTotal enrichment helps answer these questions within seconds, accelerating containment and remediation efforts.

How the Integration Works

The integration follows a straightforward workflow that begins when Wazuh detects a file-related event.

1. Wazuh Detects a File Event

A file event is generated through File Integrity Monitoring (FIM) or another monitoring mechanism.

Examples include:

  • File creation
  • File modification
  • File deletion
  • New executable detection

2. Wazuh Extracts the File Hash

Wazuh calculates the file’s cryptographic hash and includes it in the generated alert.

Hashes serve as unique identifiers that can be used to determine whether the file has been previously analyzed.

3. Integrator Sends the Hash to VirusTotal

The Wazuh Integrator component receives the alert and submits the hash to the VirusTotal API using your configured API key.

The request occurs automatically without analyst intervention.

4. VirusTotal Returns Reputation Data

VirusTotal searches its intelligence database for the submitted hash and returns information such as:

  • Detection statistics
  • Malware classifications
  • Security vendor results
  • Reputation indicators
  • Analysis metadata

5. Wazuh Generates an Enriched Alert

Wazuh appends the VirusTotal intelligence data to the original alert and stores the enriched event.

The final alert provides both:

  • The original security event
  • Threat intelligence context from VirusTotal

This enables analysts to make faster, more accurate decisions when triaging security incidents.


Prerequisites

Before integrating Wazuh with VirusTotal, make sure your environment meets the necessary requirements.

Having the proper components in place will help ensure a smooth deployment and avoid troubleshooting issues later.

Wazuh Deployment Requirements


Wazuh Manager Installed and Operational

The VirusTotal integration runs on the Wazuh Manager, not the endpoint agents.

Therefore, you must have a functioning Wazuh deployment with the manager installed and processing events successfully.

Before proceeding, verify that:

  • The Wazuh Manager is running
  • Agents are connected
  • Alerts are being generated
  • The Wazuh dashboard is accessible

If you’re still building your Wazuh deployment, consider reviewing our How to Install a Wazuh Agent on Windows Server guide first.

Wazuh Agents Reporting Successfully

The integration relies on alerts generated by agents.

If agents are disconnected or failing to report data, VirusTotal lookups will never occur.

Confirm that:

  • Agents appear as active
  • Logs are being collected
  • Syscheck events are visible
  • File Integrity Monitoring is functioning correctly

Administrative Access to the Wazuh Server

You’ll need administrative privileges to:

  • Modify configuration files
  • Restart services
  • Review logs
  • Test the integration

For Linux deployments, root or sudo access is typically required.


VirusTotal Requirements


VirusTotal Account

A VirusTotal account is required before you can access the API.

Registration is free and only takes a few minutes.

API Key Access

The integration communicates with VirusTotal through its API.

After creating your account, VirusTotal provides an API key that authenticates requests originating from your Wazuh Manager.

Keep this key secure because anyone with access to it can consume your API quota.

Understanding API Rate Limits

VirusTotal limits how many API requests can be performed within a given time period.

If your environment generates a high volume of file integrity events, you may exceed these limits and receive API throttling errors.

Understanding these restrictions before deployment helps avoid unexpected interruptions.

Network Requirements


Internet Connectivity from the Wazuh Manager

The Wazuh Manager must be able to communicate with VirusTotal’s API endpoints.

Without internet connectivity, reputation lookups will fail even if the integration is configured correctly.

Verify that the server can:

  • Resolve external DNS names
  • Reach VirusTotal over HTTPS
  • Establish outbound connections

Firewall Rules Allowing Outbound API Requests

Many organizations restrict outbound traffic from security infrastructure.

Ensure your firewall permits outbound HTTPS traffic from the Wazuh Manager to VirusTotal’s API services.

Common requirements include:

  • TCP port 443 access
  • DNS resolution capability
  • Outbound HTTPS communication

Obtaining a VirusTotal API Key


Create a VirusTotal Account

Visit the VirusTotal website and register for an account if you do not already have one.

After verifying your email address, you’ll gain access to your profile and API settings.

Generate an API Key

After logging in:

  1. Open your profile settings.
  2. Navigate to the API Key section.
  3. Copy your personal API key.
  4. Store the key securely.

You’ll use this value later when configuring Wazuh.

A typical API key resembles:

1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef

Never share your API key publicly or commit it to version control systems.

Understand API Usage Limits

Before enabling automated lookups, it’s important to understand how VirusTotal enforces API consumption limits.

Public API Limitations

The free VirusTotal API is suitable for:

  • Small labs
  • Home environments
  • Security testing
  • Learning purposes

However, it includes strict request limitations.

Because File Integrity Monitoring can generate many events, large environments may quickly exhaust their quota.

According to VirusTotal documentation, users should carefully monitor API consumption and avoid excessive automated submissions.

Premium API Considerations

Organizations with:

  • Large endpoint deployments
  • Active SOC teams
  • Continuous monitoring requirements
  • High alert volumes

may benefit from a VirusTotal Premium subscription.

Premium tiers typically provide:

  • Higher request limits
  • Additional intelligence capabilities
  • Advanced hunting features
  • Expanded threat context

The additional capacity can significantly improve scalability in enterprise environments.

Avoiding Rate-Limit Issues

To minimize API exhaustion:

  • Monitor only critical directories
  • Avoid scanning temporary folders
  • Exclude frequently changing files
  • Limit lookups to high-value events
  • Use targeted File Integrity Monitoring policies

These practices reduce unnecessary queries while preserving visibility into meaningful security events.


Configuring Wazuh to Use VirusTotal

Once you’ve obtained your VirusTotal API key, the next step is configuring Wazuh to perform automated reputation lookups.

The integration is configured within the Wazuh Manager’s primary configuration file.

Locate the Wazuh Configuration File

The main Wazuh configuration file is:

/var/ossec/etc/ossec.conf

This file controls:

  • Agent communication
  • Integrations
  • Monitoring policies
  • Alerting behavior
  • Threat intelligence connections

Before making changes, create a backup:

cp /var/ossec/etc/ossec.conf /var/ossec/etc/ossec.conf.bak

This allows you to restore the previous configuration if needed.

Edit the ossec.conf File

Open the file using your preferred editor:

sudo nano /var/ossec/etc/ossec.conf

Add the following integration block inside the top-level <ossec_config> element:

<integration>
  <name>virustotal</name>
  <api_key>YOUR_API_KEY</api_key>
  <group>syscheck</group>
  <alert_format>json</alert_format>
</integration>

Replace YOUR_API_KEY with your actual VirusTotal API key.

Save the file when finished.

Understanding the Configuration Parameters

Each element within the integration block controls a specific aspect of the VirusTotal integration.

<name>

<name>virustotal</name>

This specifies the integration type.

Wazuh includes a built-in VirusTotal integration module, and the value must remain:

virustotal

Changing the value will prevent the integration from loading correctly.

<api_key>

<api_key>YOUR_API_KEY</api_key>

This field contains your VirusTotal API key.

Wazuh uses this credential when sending reputation requests to VirusTotal.

Best practices include:

  • Restricting file permissions
  • Rotating keys periodically
  • Avoiding exposure in screenshots or documentation

<group>

<group>syscheck</group>

This determines which alert group triggers VirusTotal lookups.

The syscheck group is commonly used because it contains File Integrity Monitoring alerts.

When a file modification or creation event occurs, Wazuh can automatically submit the associated hash to VirusTotal.

<alert_format>

<alert_format>json</alert_format>

This instructs Wazuh to send alert data in JSON format.

JSON provides structured event information that the integration can process efficiently.

Restarting Wazuh Services

After saving the configuration, restart the Wazuh Manager to apply the changes.

Restart the Wazuh Manager

Execute:

systemctl restart wazuh-manager

This reloads the configuration and activates the VirusTotal integration.

Verify Successful Startup

Check the service status:

systemctl status wazuh-manager

A healthy service should show:

active (running)

with no startup failures.

Check for Configuration Errors

If the service fails to start:

  1. Review the service status output.
  2. Inspect the manager logs.
  3. Validate XML syntax.
  4. Confirm the integration block is properly nested.

Common issues include:

  • Missing closing tags
  • Invalid XML formatting
  • Incorrect API key placement
  • Typographical errors

If Wazuh fails to start after a configuration change, our guide Wazuh Agent Not Connecting to Manager? 12 Fixes That Actually Work contains several troubleshooting techniques that are also useful when diagnosing manager-side issues.


Configuring File Integrity Monitoring for VirusTotal Lookups


Why FIM Is Required

The VirusTotal integration is most commonly triggered by File Integrity Monitoring (FIM) events generated by Wazuh Syscheck.

Without FIM:

  • File changes are not detected.
  • File hashes are not generated.
  • VirusTotal lookups are never initiated.

In other words, FIM provides the events that power the entire threat intelligence workflow.

For a complete overview of FIM capabilities, see our How to Configure File Integrity Monitoring (FIM) in Wazuh.

Configure Syscheck Monitoring

Open:

/var/ossec/etc/ossec.conf

Locate the Syscheck section and add monitored directories.

Example:

<syscheck>
  <!-- Multiple paths go in one element, separated by commas -->
  <directories check_all="yes" realtime="yes">/home,/var/www</directories>
</syscheck>

This configuration enables:

  • Real-time monitoring
  • Hash generation
  • File modification detection
  • New file detection

Whenever a monitored file changes, Wazuh can perform a VirusTotal lookup on the associated hash.

Select Critical Directories

Not every directory needs monitoring.

Focusing on high-value locations reduces noise and conserves VirusTotal API requests.

User Download Folders

Downloads are a common source of malware infections.

Examples include:

/home/*/Downloads
C:\Users\*\Downloads

These directories often contain:

  • Email attachments
  • Downloaded installers
  • Browser downloads

Web Application Directories

Web servers frequently become targets for malware uploads and web shell deployments.

Examples:

/var/www
/opt/webapps

Monitoring these paths can help detect:

  • Unauthorized uploads
  • Web shells
  • Malicious scripts

Shared Network Locations

Shared folders often act as malware propagation points.

Examples:

/samba
/shares
/mnt/storage

Monitoring these areas improves visibility into lateral movement and malicious file distribution.

Application Installation Paths

Many attackers attempt to place malicious binaries inside application directories.

Examples:

/opt
/usr/local
Program Files

Monitoring installation paths can reveal persistence mechanisms and unauthorized software deployments.


Testing the VirusTotal Integration

After configuration is complete, verify that Wazuh is successfully communicating with VirusTotal.

Generate a Test Event

The easiest test method is creating a new file inside a monitored directory.

Example:

touch /home/testfile.txt

This should trigger a File Integrity Monitoring event.

Trigger a File Integrity Monitoring Alert

Once the file is created:

  1. Wait for Syscheck processing.
  2. Open the Wazuh Dashboard.
  3. Review recent alerts.
  4. Locate the file modification event.

The alert should contain file hash information that can be submitted to VirusTotal.

Verify VirusTotal Queries

After the FIM alert is generated:

  1. Open the Wazuh dashboard.
  2. Locate the event.
  3. Review alert details.
  4. Confirm VirusTotal enrichment data is present.

Successful enrichments typically include:

  • Detection counts
  • Reputation results
  • Malware classifications
  • Threat intelligence metadata

Review Integration Logs

The integration process is logged by Wazuh.

Useful log locations include:

/var/ossec/logs/integrations.log

You may also review:

/var/ossec/logs/ossec.log

for additional troubleshooting information.

Confirm Successful API Responses

A healthy integration should show:

  • Successful API requests
  • Reputation data returned from VirusTotal
  • Enriched alerts visible in Wazuh
  • No authentication or rate-limit errors

If API responses are missing, verify:

  • The API key is valid
  • Internet access is available
  • Firewall rules permit outbound HTTPS
  • VirusTotal rate limits have not been exceeded

At this point, Wazuh should automatically enrich File Integrity Monitoring alerts with VirusTotal threat intelligence, providing analysts with immediate context about potentially malicious files.


Understanding VirusTotal-Enriched Alerts

Once the integration is working, Wazuh will automatically attach VirusTotal intelligence data to applicable alerts.

This additional context helps analysts determine whether a file is benign, suspicious, or malicious without leaving the Wazuh platform.

Viewing Alerts in the Wazuh Dashboard

To view VirusTotal-enriched alerts:

  1. Open the Wazuh Dashboard.
  2. Navigate to Security Events or Threat Hunting.
  3. Search for:
    • Syscheck events
    • FIM alerts
    • VirusTotal events
  4. Open the alert details.

You should see a new section containing VirusTotal results.

The exact layout may vary depending on your Wazuh version.

Key Alert Fields Explained

Understanding the VirusTotal fields helps analysts make informed triage decisions.

SHA256 Hash

Example:

"sha256_after": "e3b0c44298fc1c149afbf4c8996fb924..."

The SHA256 hash uniquely identifies the file.

VirusTotal uses this hash to locate previous scan results.

Analysts can also use the hash for:

  • IOC validation
  • Threat hunting
  • Malware investigations
  • Cross-platform correlation

Detection Ratio

Example:

"positives": 18,
"total": 72

This indicates:

18 / 72 security vendors detected the file

Generally speaking:

Detection Ratio     Interpretation
---------------     --------------
0/70                Likely benign
1-3 detections      Requires investigation
4-10 detections     Suspicious
10+ detections      High confidence malicious

Detection counts should always be evaluated alongside other evidence.

Malicious Score

Some VirusTotal datasets include aggregate reputation metrics that help estimate the likelihood that a file is malicious.

Higher values generally indicate:

  • Greater confidence of malicious activity
  • More vendor detections
  • Stronger threat intelligence signals

Security teams often use these scores to automate alert prioritization.

Scan Results

VirusTotal may return verdicts from dozens of antivirus vendors.

Examples:

"Microsoft": "Trojan:Win32/...",
"BitDefender": "Gen:Variant...",
"Kaspersky": "HEUR:Trojan..."

These results provide additional insight into:

  • Malware family
  • Threat category
  • Detection consistency

Analysts should focus on broad vendor consensus rather than individual detections.

Reputation Information

VirusTotal may also provide metadata such as:

  • Community reputation
  • First-seen timestamps
  • Last-seen timestamps
  • Historical observations
  • Threat classifications

This context can significantly improve incident investigations.

Example VirusTotal Alert

The following example shows a simplified VirusTotal-enriched Wazuh alert:

{
  "timestamp": "2026-06-12T15:30:00Z",
  "rule": {
    "id": 87105,
    "level": 7,
    "description": "VirusTotal Integration Alert"
  },
  "agent": {
    "id": "001",
    "name": "webserver01"
  },
  "syscheck": {
    "path": "/home/user/suspicious.exe",
    "sha256_after": "7f83b1657ff1fc53b92dc18148a1d65d..."
  },
  "virustotal": {
    "found": 1,
    "positives": 22,
    "total": 74,
    "permalink": "https://www.virustotal.com/gui/file/..."
  }
}

Field Breakdown

Field                 Description
-----                 -----------
timestamp             When the event occurred
rule.id               Wazuh rule that generated the alert
rule.level            Initial alert severity
agent.name            Endpoint reporting the event
syscheck.path         File that triggered the lookup
sha256_after          File hash submitted to VirusTotal
virustotal.found      Indicates whether VirusTotal has previous analysis data
virustotal.positives  Number of vendors that flagged the file
virustotal.total      Total vendors that scanned the file
permalink             Direct VirusTotal report URL

This enrichment allows analysts to immediately determine whether a file deserves further investigation.
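The following script is an added example (not Wazuh or VirusTotal code) that reads alerts in the JSON shape shown above and applies the detection-ratio tiers from the earlier table, separating a hash VirusTotal has never seen (found 0) from a clean 0/N verdict. The input lines it ships with are constructed samples with a placeholder hash.

```python
"""Triage VirusTotal-enriched Wazuh alerts from newline-delimited JSON.

Added example for this guide, not code from Wazuh or VirusTotal. The
field names follow the sample alert above; the tiers follow the
detection-ratio table. All sample input below is constructed.
"""
import json

# Detection-ratio tiers as (minimum positives, interpretation), highest
# first. The table's "4-10" and "10+" rows overlap at 10; 10 is treated as
# high confidence here, matching the ^([1-9][0-9]+)$ high-confidence rule.
TIERS = [
    (10, "high confidence malicious"),
    (4, "suspicious"),
    (1, "requires investigation"),
    (0, "likely benign"),
]


def classify(positives):
    """Map a vendor detection count to an interpretation tier."""
    for threshold, label in TIERS:
        if positives >= threshold:
            return label
    raise ValueError(f"negative detection count: {positives}")


def triage(alert):
    """Summarise one alert dict; return None if it carries no VirusTotal data."""
    vt = alert.get("virustotal")
    if not isinstance(vt, dict):
        return None
    syscheck = alert.get("syscheck", {})
    summary = {
        "agent": alert.get("agent", {}).get("name", "unknown"),
        "path": syscheck.get("path"),
        "sha256": syscheck.get("sha256_after"),
        "permalink": vt.get("permalink"),
        "positives": None,
        "total": None,
        "ratio": None,
    }
    # found != 1 means VirusTotal has no record of this hash. That is not the
    # same as a clean 0/N verdict, so it gets its own label.
    if int(vt.get("found", 0)) != 1:
        summary["verdict"] = "unknown to VirusTotal"
        return summary
    positives = int(vt.get("positives", 0))
    total = int(vt.get("total", 0))
    summary.update(positives=positives, total=total,
                   ratio=f"{positives}/{total}", verdict=classify(positives))
    return summary


def triage_lines(lines):
    """Parse alert lines, skipping blanks, malformed JSON and unenriched alerts."""
    results = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue
        summary = triage(alert)
        if summary is not None:
            results.append(summary)
    return results


def _alert(name, path, positives, total, found=1):
    """Build a constructed alert shaped like the sample above (placeholder hash)."""
    return {
        "rule": {"id": 87105, "level": 7},
        "agent": {"id": "001", "name": name},
        "syscheck": {"path": path, "sha256_after": "f" * 64},
        "virustotal": {"found": found, "positives": positives, "total": total,
                       "permalink": "https://www.virustotal.com/gui/file/PLACEHOLDER"},
    }


# Constructed input: the 22/74 case from the sample alert, a hash VirusTotal
# has never seen, a clean file, a plain FIM alert with no enrichment, and a
# corrupt line that must be skipped rather than abort the run.
SAMPLE_LINES = [
    json.dumps(_alert("webserver01", "/home/user/suspicious.exe", 22, 74)),
    json.dumps(_alert("workstation-23", "/home/bob/Downloads/setup.exe", 0, 0, found=0)),
    json.dumps(_alert("fileserver", "/shares/report.pdf", 0, 70)),
    json.dumps({"rule": {"id": 550}, "syscheck": {"path": "/etc/hosts"}}),
    "{not json",
]

if __name__ == "__main__":
    for r in triage_lines(SAMPLE_LINES):
        print(f"{r['agent']:15} {r['verdict']:26} {r['ratio'] or '-':>6}  {r['path']}")
```

To run it against a live manager, feed it the lines of /var/ossec/logs/alerts/alerts.json instead of SAMPLE_LINES.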


Creating Custom Rules Based on VirusTotal Results

By default, Wazuh records VirusTotal findings but may not prioritize them according to your organization’s risk tolerance.

Custom rules allow you to automatically elevate the severity of alerts when VirusTotal identifies malicious files.

For advanced rule-writing techniques, see our How to Create Custom Detection Rules in Wazuh (With Examples).

Why Create Custom Rules

VirusTotal lookups become much more valuable when their results drive automated detection logic.

Custom rules can:

  • Escalate high-risk alerts
  • Trigger notifications
  • Prioritize analyst attention
  • Reduce manual triage
  • Support incident response workflows

Without custom rules, malicious files may blend in with other lower-priority alerts.

Generate High-Severity Alerts for Malicious Files

A common approach is creating a rule that triggers whenever VirusTotal reports at least one positive detection.

Example, added to /var/ossec/etc/rules/local_rules.xml (custom rules must sit inside a <group> element):

<group name="local,virustotal,">
  <rule id="100500" level="12">
    <if_sid>87105</if_sid>
    <field name="virustotal.positives" type="pcre2">^[1-9]</field>
    <description>VirusTotal detected a malicious file.</description>
  </rule>
</group>

How the Rule Works

<if_sid>87105</if_sid>

References the VirusTotal integration alert.

<field name="virustotal.positives" type="pcre2">^[1-9]</field>

Triggers whenever VirusTotal reports one or more detections. The type="pcre2" attribute matters: Wazuh’s default regex engine (OS_Regex) does not support bracket character classes such as [1-9], so without it the pattern would never match.

level="12"

The level attribute on the <rule> element raises the severity significantly, helping the alert stand out in dashboards and notifications.

Assign Severity Levels Based on Detection Counts

Many organizations create multiple rules that correspond to different confidence levels.

Low Confidence Detection

<rule id="100501" level="5">
  <if_sid>87105</if_sid>
  <field name="virustotal.positives" type="pcre2">^[1-2]$</field>
  <description>VirusTotal low-confidence detection.</description>
</rule>

Medium Confidence Detection

<rule id="100502" level="8">
  <if_sid>87105</if_sid>
  <field name="virustotal.positives" type="pcre2">^[3-9]$</field>
  <description>VirusTotal medium-confidence detection.</description>
</rule>

High Confidence Detection

<rule id="100503" level="12">
  <if_sid>87105</if_sid>
  <field name="virustotal.positives" type="pcre2">^([1-9][0-9]+)$</field>
  <description>VirusTotal high-confidence malware detection.</description>
</rule>

This tiered approach reduces false positives while ensuring high-risk files receive immediate attention.

Create Notification Rules

You can also use VirusTotal results to generate notifications for security personnel.

Common actions include:

  • Email alerts
  • Slack notifications
  • Microsoft Teams alerts
  • Ticket creation
  • SOAR playbook execution

Example notification rule:

<rule id="100504" level="14">
  <if_sid>100503</if_sid>
  <description>
    Critical malware detected by VirusTotal.
    Immediate investigation required.
  </description>
</rule>

Organizations with mature SOC processes often combine these rules with automated response workflows, enabling malicious files to be isolated, quarantined, or investigated immediately after detection.

This is where Wazuh’s integration capabilities begin to resemble many commercial XDR and SIEM platforms, while remaining entirely open source.


Automating Incident Response

One of the biggest advantages of integrating Wazuh with VirusTotal is the ability to automate response actions when malicious files are detected.

Instead of relying entirely on manual investigation, security teams can use VirusTotal detections to trigger containment and remediation workflows automatically.

This reduces Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR), helping organizations contain threats before they spread.

Trigger Active Response Actions

Wazuh’s Active Response framework allows administrators to execute predefined actions when specific rules are triggered.

For example, when a VirusTotal-enriched alert indicates that a file has been flagged by multiple antivirus vendors, Wazuh can automatically:

  • Execute scripts
  • Kill malicious processes
  • Block IP addresses
  • Disable user accounts
  • Quarantine files
  • Trigger SOAR workflows

A common workflow looks like this:

File detected
       ↓
VirusTotal lookup
       ↓
Custom rule triggers
       ↓
Active response executes
       ↓
Threat contained

Organizations using automated response often experience significantly faster containment times than teams relying solely on manual triage.

Quarantine Suspicious Files

One of the most practical response actions is quarantining malicious files immediately after detection.

For example, if VirusTotal reports:

42 / 70 detections

a custom rule can trigger a script that:

  1. Moves the file to a quarantine directory.
  2. Removes execute permissions.
  3. Records forensic information.
  4. Generates a critical alert.

Example Linux action:

mv suspicious.exe /opt/quarantine/
chmod 000 /opt/quarantine/suspicious.exe

This prevents accidental execution while preserving the file for later analysis.

For environments already leveraging File Integrity Monitoring, see our How to Configure File Integrity Monitoring (FIM) in Wazuh for guidance on monitoring quarantine locations.
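A Python active response that carries out the four quarantine steps above, added here as an example (not Wazuh’s own active response code). It assumes the Wazuh 4.x convention that wazuh-execd delivers a JSON message on stdin with the triggering alert under parameters.alert, and QUARANTINE_DIR and FORENSIC_LOG are assumed paths; the core function works on any alert dict shaped like the sample alert earlier.

```python
"""Quarantine the file named in a VirusTotal-enriched Wazuh alert.

Added example for this guide, not Wazuh's own active response code. It
moves the file into quarantine, removes all permissions, records forensic
details, and returns a record the caller can report. main() assumes the
Wazuh 4.x active response stdin convention; the paths below are assumed.
"""
import hashlib
import json
import os
import shutil
import sys
import time

QUARANTINE_DIR = "/opt/quarantine"                # assumed, as in the mv example above
FORENSIC_LOG = "/opt/quarantine/quarantine.log"   # assumed


def sha256_of(path):
    """Hash the file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def quarantine_file(alert, quarantine_dir=QUARANTINE_DIR, forensic_log=FORENSIC_LOG):
    """Quarantine alert['syscheck']['path'] and return the forensic record.

    Returns None when there is nothing safe to do: no path in the alert, the
    path is a symlink or not a regular file (already gone, a directory), or
    it already lives inside the quarantine directory.
    """
    syscheck = alert.get("syscheck", {})
    vt = alert.get("virustotal", {})
    path = syscheck.get("path")
    # A symlink must not be followed: moving it and chmod'ing the target could
    # hit a system file the attacker pointed the link at.
    if not path or os.path.islink(path) or not os.path.isfile(path):
        return None
    real_path = os.path.realpath(path)
    real_qdir = os.path.realpath(quarantine_dir)
    # Never act on files already in quarantine: if FIM watches that directory
    # too, the move itself raises an alert and the script must not loop.
    if real_path.startswith(real_qdir + os.sep):
        return None
    os.makedirs(quarantine_dir, mode=0o700, exist_ok=True)
    # Hash before moving and compare with the hash the alert reported, so the
    # record proves which bytes were taken even if the file changed since.
    actual_hash = sha256_of(real_path)
    reported_hash = syscheck.get("sha256_after")
    dest = os.path.join(quarantine_dir,
                        f"{int(time.time())}_{actual_hash[:16]}_{os.path.basename(path)}")
    shutil.move(real_path, dest)          # step 1: move into quarantine
    os.chmod(dest, 0)                     # step 2: no read/write/execute for anyone
    record = {
        "quarantined_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "agent": alert.get("agent", {}).get("name"),
        "original_path": path,
        "quarantined_as": dest,
        "sha256": actual_hash,
        "hash_matches_alert": reported_hash is None or reported_hash == actual_hash,
        "vt_positives": vt.get("positives"),
        "vt_total": vt.get("total"),
        "vt_permalink": vt.get("permalink"),
    }
    with open(forensic_log, "a") as fh:   # step 3: append-only forensic record
        fh.write(json.dumps(record) + "\n")
    return record


def main():
    """Entry point when run by wazuh-execd (assumed stdin JSON format)."""
    message = json.load(sys.stdin)
    if message.get("command") != "add":
        return 0
    alert = message.get("parameters", {}).get("alert", {})
    record = quarantine_file(alert)
    # Step 4 (the critical alert) is raised by the Wazuh rule that fired this
    # response; here we only report what was done.
    print(json.dumps(record) if record else "nothing quarantined")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Wire it up with a <command> and <active-response> pair in ossec.conf that names the rule id to react to (for instance the high-confidence rule above). If FIM also monitors the quarantine directory, the script’s refusal to touch files already inside it keeps the move from triggering a second quarantine.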

Block Malicious Endpoints

In severe cases, organizations may choose to isolate affected systems automatically.

For example, if:

  • Known ransomware is detected
  • Multiple malicious files are discovered
  • Malware persistence mechanisms are identified

Wazuh can initiate automated actions such as:

  • Blocking network communication
  • Updating firewall rules
  • Disabling endpoint access
  • Triggering endpoint isolation tools

Example response actions:

iptables -A INPUT -s 10.0.0.25 -j DROP

or

netsh advfirewall firewall add rule ...

Automatic isolation should be implemented carefully to avoid disrupting legitimate business operations.

Send Notifications to Security Teams

Security teams should be alerted immediately when high-confidence malware detections occur.

Common notification channels include:

  • Email
  • Slack
  • Microsoft Teams
  • PagerDuty
  • Discord
  • SMS gateways

For example:

Critical Alert

Host: workstation-23
File: suspicious.exe
VirusTotal Detections: 37/74
Severity: Critical

Immediate notifications help ensure analysts can begin investigations without waiting for routine alert reviews.

Integrate with Ticketing Systems

Many SOC teams manage investigations through ticketing platforms.

VirusTotal-enriched alerts can automatically create tickets in systems such as:

  • Jira
  • ServiceNow
  • Zendesk
  • Freshservice

Typical ticket contents include:

  • Endpoint name
  • File path
  • SHA256 hash
  • VirusTotal detection ratio
  • Alert severity
  • Investigation notes

This creates an auditable workflow and ensures malware detections are tracked through resolution.

ServiceNow Security Operations documentation: https://www.servicenow.com/products/security-operations.html
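The notification text and ticket contents described in the two sections above, produced from a VirusTotal-enriched alert, as an added Python example rather than code from the page or the Wazuh project. The alert dict is constructed and shaped after the `data.virustotal` fields (positives, total, sha1, permalink, source.file) the Wazuh integration attaches; the `syscheck.sha256_after` correlation and the severity thresholds (30% of engines for Critical, 10% for High) are assumptions for the example, and the ticket payload is a generic dict to map onto your own ticketing API.

```python
# Constructed alert, not captured from a real deployment.
SAMPLE_ALERT = {
    "agent": {"name": "workstation-23"},
    "rule": {"level": 12, "description": "VirusTotal: Alert - 37 engines detected this file"},
    "data": {
        "virustotal": {
            "found": 1,
            "malicious": 1,
            "positives": 37,
            "total": 74,
            "sha1": "0000000000000000000000000000000000000000",  # placeholder
            "permalink": "https://www.virustotal.com/gui/file/<sha256-placeholder>",
            "source": {"file": "C:\\Users\\alice\\Downloads\\suspicious.exe"},
        }
    },
    "syscheck": {"sha256_after": "<sha256-placeholder>"},  # assumed correlation
}

# Constructed alert for the edge case where VirusTotal has no record of the hash.
NOT_FOUND_ALERT = {
    "agent": {"name": "workstation-23"},
    "rule": {"level": 3, "description": "VirusTotal: Alert - No records in VirusTotal database"},
    "data": {"virustotal": {"found": 0, "source": {"file": "/tmp/build/artifact.bin"}}},
}

SEVERITY_ORDER = ["Unknown", "Informational", "Medium", "High", "Critical"]


def classify_severity(positives, total):
    """Map a detection ratio to a severity tier (thresholds are assumptions)."""
    if total <= 0:
        return "Unknown"          # no engines reported, nothing to reason about
    if positives == 0:
        return "Informational"    # scanned and clean
    ratio = positives / total
    if ratio >= 0.30:
        return "Critical"
    if ratio >= 0.10:
        return "High"
    return "Medium"


def build_incident(alert):
    """Reduce a Wazuh VirusTotal alert to the fields a notification or ticket needs."""
    vt = alert.get("data", {}).get("virustotal", {})
    found = bool(vt.get("found", 0))
    positives = int(vt.get("positives", 0))
    total = int(vt.get("total", 0))
    return {
        "host": alert.get("agent", {}).get("name", "unknown"),
        "file": vt.get("source", {}).get("file", "unknown"),
        "sha256": alert.get("syscheck", {}).get("sha256_after", "unknown"),
        "sha1": vt.get("sha1", "unknown"),
        "detection_ratio": f"{positives}/{total}" if found else "no record",
        "severity": classify_severity(positives, total) if found else "Unknown",
        "permalink": vt.get("permalink"),
        "investigation_notes": [],
    }


def format_notification(incident):
    """Render the short message shown in the notification example above."""
    return "\n".join([
        f"{incident['severity']} Alert",
        "",
        f"Host: {incident['host']}",
        f"File: {incident['file']}",
        f"VirusTotal Detections: {incident['detection_ratio']}",
        f"Severity: {incident['severity']}",
    ])


def should_notify(incident, minimum="High"):
    """Page people only for high-confidence detections; lower tiers stay in the queue."""
    return SEVERITY_ORDER.index(incident["severity"]) >= SEVERITY_ORDER.index(minimum)


def ticket_payload(incident):
    """Generic ticket body; map these keys onto your ticketing system's API fields."""
    basename = incident["file"].replace("\\", "/").rsplit("/", 1)[-1]
    severity = incident["severity"]
    description = format_notification(incident) + (
        f"\n\nSHA256: {incident['sha256']}\nSHA1: {incident['sha1']}\n"
        f"Link: {incident['permalink']}\nNotes: {incident['investigation_notes']}"
    )
    return {
        "summary": f"[{severity}] VirusTotal detection on {incident['host']}: {basename}",
        "description": description,
        "labels": ["wazuh", "virustotal", severity.lower()],
    }


if __name__ == "__main__":
    incident = build_incident(SAMPLE_ALERT)
    print(format_notification(incident))
    print(ticket_payload(incident)["summary"])
```

Keeping the "not found" case as a distinct `Unknown` tier matters: a hash VirusTotal has never seen is not evidence of a clean file, so it should neither page anyone nor be closed as benign.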


Troubleshooting Common Issues

Even when configured correctly, administrators may occasionally encounter problems with the VirusTotal integration.

The following troubleshooting steps can help identify and resolve the most common issues.

VirusTotal API Key Not Working

Authentication failures are among the most common integration problems.

Typical error messages include:

403 Forbidden
Authentication Failed
Unauthorized Request

Possible Causes

Invalid API Key

The API key may have been copied incorrectly or generated from a different account.

Verify the key directly from your VirusTotal profile.

Expired Credentials

Although API keys generally remain valid, account restrictions or changes may impact access.

Confirm the account is active and authorized to use the API.

Typographical Errors

Even a single missing character can cause authentication failures.

Check for:

  • Extra spaces
  • Missing characters
  • Incorrect capitalization
  • Formatting issues in XML

No VirusTotal Alerts Generated

Sometimes Wazuh appears healthy, but no VirusTotal results are attached to alerts.

Possible Causes

FIM Not Configured

Without File Integrity Monitoring, no file hashes are generated.

Verify Syscheck is monitoring appropriate directories.

For configuration guidance, see our How to Configure File Integrity Monitoring (FIM) in Wazuh.

Incorrect Integration Settings

Common mistakes include:

  • Wrong API key
  • Missing XML tags
  • Incorrect integration name
  • Improper alert groups

Verify the integration block matches the official documentation exactly.

No Qualifying Events

VirusTotal lookups only occur when qualifying file-related alerts are generated.

If monitored files are not changing, no lookups will occur.

Create a test file to confirm functionality.

API Rate Limit Exceeded

The free VirusTotal API can become overwhelmed in busy environments.

Common errors include:

429 Too Many Requests
Rate Limit Exceeded

Possible Causes

Too Many File Checks

Monitoring large directories can generate thousands of hashes.

Examples include:

  • Temporary folders
  • Browser caches
  • Build directories
  • Package repositories

Public API Restrictions

The free VirusTotal API is designed primarily for low-volume use cases and security research.

High-frequency enterprise monitoring often exceeds public API allowances.

VirusTotal API documentation: https://docs.virustotal.com/reference/overview

Solutions

Reduce Monitored Directories

Focus on:

  • Download folders
  • Application directories
  • Web roots
  • Shared storage

Avoid monitoring low-value locations that generate excessive noise.

Upgrade API Plan

Organizations with large deployments should evaluate Premium API access.

Higher request quotas can dramatically improve scalability.

Tune Alert Frequency

Reduce unnecessary lookups by:

  • Excluding temporary files
  • Ignoring log directories
  • Filtering low-risk changes
  • Narrowing Syscheck scope

This preserves API capacity for meaningful security events.
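The three tuning measures above (exclude noisy paths, avoid repeat lookups, stay under the quota) implemented as a gate in front of the lookup, as an added Python example that is not part of the page or the Wazuh integration script. The 4 requests per minute default, the six-hour cache TTL and the glob patterns for low-value paths are all assumptions to adjust to your plan and layout; `demo()` drives the gate with a fake clock so the behaviour is reproducible offline.

```python
import time
from collections import deque
from fnmatch import fnmatch

PUBLIC_API_PER_MINUTE = 4        # assumed public-plan quota; set to your plan's value
DEFAULT_CACHE_TTL = 6 * 3600     # assumed: re-check the same hash at most every 6 h

# Assumed patterns for the low-value locations listed above (temp, caches, logs, build output).
SKIP_PATTERNS = ("/tmp/*", "*/.cache/*", "*/node_modules/*", "*.log", "*/build/*")


class LookupGate:
    """Decide whether a FIM event deserves a VirusTotal lookup.

    Filters apply in order: path exclusions, a hash cache (identical content is
    never looked up twice inside the TTL), then a 60-second sliding-window rate
    limit. A 'rate_limited' verdict tells the caller to defer the event rather
    than send a request that would return 429.
    """

    def __init__(self, per_minute=PUBLIC_API_PER_MINUTE, cache_ttl=DEFAULT_CACHE_TTL,
                 clock=time.monotonic, skip=SKIP_PATTERNS):
        self.per_minute = per_minute
        self.cache_ttl = cache_ttl
        self.clock = clock
        self.skip = skip
        self._window = deque()   # timestamps of lookups issued in the last 60 s
        self._seen = {}          # sha256 -> timestamp of the last lookup

    def decide(self, path, sha256):
        now = self.clock()
        if any(fnmatch(path, pattern) for pattern in self.skip):
            return "skip_path"
        last = self._seen.get(sha256)
        if last is not None and now - last < self.cache_ttl:
            return "cached"
        # Drop window entries older than one minute before counting.
        while self._window and now - self._window[0] >= 60:
            self._window.popleft()
        if len(self._window) >= self.per_minute:
            return "rate_limited"
        self._window.append(now)
        self._seen[sha256] = now
        return "lookup"


class FakeClock:
    """Deterministic clock so the demo does not depend on wall time."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Feed constructed FIM events through the gate and return the verdicts in order."""
    clock = FakeClock()
    gate = LookupGate(per_minute=4, clock=clock)
    events = [  # (path, sha256) pairs, all constructed
        ("/home/alice/Downloads/a.exe", "h1"),
        ("/tmp/scratch.bin", "h9"),            # excluded path
        ("/home/alice/Downloads/a.exe", "h1"),  # same hash again: served from cache
        ("/var/www/html/b.php", "h2"),
        ("/srv/share/c.bin", "h3"),
        ("/srv/share/d.bin", "h4"),
        ("/srv/share/e.bin", "h5"),             # fifth lookup inside one minute
    ]
    verdicts = [gate.decide(path, digest) for path, digest in events]
    clock.advance(61)                           # window expires, deferred event can go
    verdicts.append(gate.decide("/srv/share/e.bin", "h5"))
    return verdicts


if __name__ == "__main__":
    print(demo())
```

In a real deployment the caller keeps a queue of `rate_limited` events and retries them after the window clears; the hash cache also prevents a single file copied to many hosts from costing one quota unit per host.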

Integration Service Errors

Configuration mistakes can prevent the integration from loading properly.

Common symptoms include:

  • Manager startup failures
  • Missing VirusTotal data
  • XML parsing errors
  • Integration crashes

Diagnostic Steps

Review Wazuh Logs

Start with:

/var/ossec/logs/ossec.log

and

/var/ossec/logs/integrations.log

Look for:

ERROR
WARNING
Integration failed
Authentication error

Validate XML Syntax

A single malformed XML tag can break the integration.

Common mistakes:

<integration>
<name>virustotal</name>

without the corresponding closing tag.

Use XML validation tools whenever possible.
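A small checker for the two diagnostic steps just described, log review and XML validation, as an added Python example that is neither the page's nor Wazuh's own code. It buckets constructed log lines by the keywords listed above and validates an `<integration>` block against the documented shape (name, api_key, group containing syscheck, alert_format json); the log line format is constructed, and the assumption that a VirusTotal API key is 64 hexadecimal characters is stated in the code. The broken snippet quoted above is included as one of the inputs.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt in the spirit of integrations.log; only the keywords
# named above (ERROR, WARNING, Integration failed, Authentication error) are relied on.
SAMPLE_LOG = """\
2024/01/01 10:00:01 INFO: virustotal integration started
2024/01/01 10:00:02 ERROR: Authentication error: 403 Forbidden
2024/01/01 10:05:00 WARNING: 429 Too Many Requests, backing off
2024/01/01 10:06:00 ERROR: Integration failed: could not parse alert
"""

LOG_SIGNATURES = {
    "auth_failure": re.compile(r"403|authentication (error|failed)|unauthorized", re.I),
    "rate_limit": re.compile(r"429|rate limit", re.I),
    "integration_failure": re.compile(r"integration failed", re.I),
}


def triage_log(text):
    """Count ERROR/WARNING lines and group them by the failure class they point to."""
    counts = {"ERROR": 0, "WARNING": 0}
    matches = {name: [] for name in LOG_SIGNATURES}
    for line in text.splitlines():
        for level in counts:
            if level in line:
                counts[level] += 1
        for name, pattern in LOG_SIGNATURES.items():
            if pattern.search(line):
                matches[name].append(line)
    return {"counts": counts, "matches": matches}


# Assumption: VirusTotal API keys are 64 hexadecimal characters.
API_KEY_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def check_integration_xml(snippet):
    """Parse an <integration> block and return a list of problems; empty means clean.

    ossec.conf may hold several top-level blocks, so the snippet is wrapped in a
    synthetic root before parsing; a missing closing tag surfaces as a ParseError.
    """
    try:
        root = ET.fromstring(f"<root>{snippet}</root>")
    except ET.ParseError as exc:
        return [f"XML parse error: {exc}"]
    blocks = [b for b in root.iter("integration")
              if (b.findtext("name") or "").strip() == "virustotal"]
    if not blocks:
        return ["no <integration> block with <name>virustotal</name> found"]
    findings = []
    for block in blocks:
        key = block.findtext("api_key")
        if key is None:
            findings.append("missing <api_key>")
        else:
            if key != key.strip():
                findings.append("api_key contains leading or trailing whitespace")
            if not API_KEY_RE.match(key.strip()):
                findings.append("api_key is not 64 hexadecimal characters")
        groups = [g.strip() for g in (block.findtext("group") or "").split(",")]
        if "syscheck" not in groups:
            findings.append("group does not include syscheck, so FIM alerts never reach VirusTotal")
        if (block.findtext("alert_format") or "").strip() != "json":
            findings.append("alert_format should be json")
    return findings


# Constructed placeholder key (repeated hex digits), not a real credential.
GOOD_CONFIG = f"""\
<integration>
  <name>virustotal</name>
  <api_key>{'0123456789abcdef' * 4}</api_key>
  <group>syscheck</group>
  <alert_format>json</alert_format>
</integration>
"""

# The mistake quoted above: the block is opened but never closed.
BROKEN_CONFIG = """\
<integration>
<name>virustotal</name>
"""

# A key pasted with a trailing space and the wrong alert group.
SLOPPY_CONFIG = GOOD_CONFIG.replace("</api_key>", " </api_key>").replace("syscheck", "ossec")


if __name__ == "__main__":
    print(triage_log(SAMPLE_LOG)["counts"])
    for name, cfg in (("good", GOOD_CONFIG), ("broken", BROKEN_CONFIG), ("sloppy", SLOPPY_CONFIG)):
        print(name, check_integration_xml(cfg))
```

Run against the real `ossec.conf` by passing the file contents to `check_integration_xml`; the wrapper root makes that work even though the file is not a single-root XML document.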

Test API Connectivity

Verify the server can reach VirusTotal.

Example:

curl https://www.virustotal.com

Check:

  • DNS resolution
  • Firewall rules
  • HTTPS connectivity
  • Proxy settings

If connectivity issues persist, our Wazuh Agent Not Connecting to Manager? 12 Fixes That Actually Work covers several network troubleshooting techniques that may help identify communication problems.


Best Practices for Wazuh and VirusTotal Integration

A properly configured integration can provide significant threat intelligence value while minimizing API consumption and false positives.

The following best practices are recommended for production environments.

Monitor High-Risk Directories First

Rather than monitoring entire file systems, focus on locations most likely to contain malicious files.

Examples include:

  • Downloads folders
  • User profile directories
  • Web server document roots
  • Shared network storage
  • Application installation paths

Targeted monitoring reduces noise and improves detection quality.

Use SHA256 Hashes Whenever Possible

SHA256 provides stronger uniqueness and collision resistance than MD5 or SHA1.

Most modern threat intelligence platforms—including VirusTotal—use SHA256 as the primary file identifier.

Benefits include:

  • Higher accuracy
  • Better IOC correlation
  • Improved threat hunting
  • Industry-standard compatibility

Tune File Integrity Monitoring Scope

An overly broad FIM configuration can:

  • Generate excessive alerts
  • Consume API quotas
  • Increase analyst fatigue

Instead:

  • Exclude temporary files
  • Ignore cache directories
  • Monitor only security-relevant paths
  • Review monitored directories regularly

For detailed FIM tuning guidance, see our How to Configure File Integrity Monitoring (FIM) in Wazuh.

Create Dedicated VirusTotal Alert Rules

Custom rules allow organizations to:

  • Escalate malicious detections
  • Suppress low-risk alerts
  • Trigger automated response actions
  • Improve alert prioritization

Dedicated VirusTotal rules are particularly valuable in mature SOC environments.

For examples, see our How to Create Custom Detection Rules in Wazuh (With Examples).

Review Detection Results Regularly

Not every VirusTotal detection represents an active threat.

Security teams should periodically review:

  • Detection ratios
  • Malware classifications
  • False positives
  • Vendor consensus

This helps refine alerting policies and improve detection accuracy over time.

Industry experts such as Lenny Zeltser have long emphasized validating threat intelligence findings through broader investigation rather than relying on a single indicator in isolation.

Combine VirusTotal with Other Threat Intelligence Sources

VirusTotal is powerful, but it should not be your only source of intelligence.

Many organizations also leverage:

  • Commercial threat feeds
  • Open-source IOC feeds
  • Internal threat intelligence
  • Vulnerability intelligence
  • Endpoint telemetry

Combining multiple sources provides greater confidence and broader threat visibility.

Organizations evaluating alternative security monitoring approaches may also find these comparisons useful:

Monitor API Consumption

API quotas are a limited resource.

Regularly track:

  • Requests per day
  • Detection volume
  • Alert frequency
  • Rate-limit events

Monitoring usage helps identify:

  • Inefficient configurations
  • Excessive file monitoring
  • Unexpected activity spikes

A well-tuned deployment should maximize security visibility while staying comfortably within API limits.

By following these best practices, organizations can build a scalable and efficient threat intelligence workflow that combines Wazuh’s detection capabilities with VirusTotal’s extensive malware reputation database.

