Home
Play books
VirusTotal - IP reputation

VirusTotal - IP reputation

Entities: IP Log type: VirusTotal

In this page

Playbook Description

This playbook investigates IP reputation by analyzing IP behavior and helps take appropriate actions to mitigate potential security risks.

MITRE D3FEND mapping

Tactics	Techniques	Sub-techniques
Detect(D3-Detect)	D3-ID(Identifier Analysis)	D3-IPRA(URL Analysis)

Playbook input type

Log

Prerequisites

VirusTotal API - Need to connect with VirusTotal API and fetch access key to check the malware IP details.

Playbook creation input

connectionName - Provide the VirusTotal connection name for executing the VirusTotal APIs

Dependencies

Extension - virustotal

virustotal_ipReputation
virustotal_calculateRiskScore

Utility functions:

utility_extractMaliciousEntitiesByRiskScore
utility_validateResponses

Connections

VirusTotal connection - Need to connect with VirusTotal API and fetch access key to check the malware IP/URL/File details.

Execution workflow

Investigation:

Checks the IP reputation in batch by iterating over the IP address list from log details.
Calculates the risk score in batch for each IP reputation result and fetches the malicious IP list by extracting entities with a risk score threshold of 3 (malicious).
Fetches the suspicious IP list by extracting entities with a risk score threshold of 2 (suspicious).
Validates the IP reputation responses to check for any failures.

Execution Workflow — Figure: Execution workflow of the playbook

Awards & recognition

ManageEngine named in 2025 Gartner MQ for SIEM Gartner Peer Insights Customers' choice for SIEM

Editor's choice

8th time in the MQ in 2025

Major player in 2024

Integrated cloud security Innovator

Technical excellence in SIEM

Market leader most innovative