Help
FortiSOAR Discussions
doubleohseven
New Contributor II

Created on ‎03-07-2024 11:57 AM

Virus Total get analysis action returns 'queued'

Hi all,

 

When using the Virus Total connector action "Get Analysis Details", the execution output shows the API request is 'queued'. Does anyone have any experience building in steps to keep checking when the status becomes complete?
Using google.ca just as a test in the screenshot.

 

Thanks in advance,

 

Nelson

vt-api.png

290
0 Kudos
1 Solution
Jtamboli
Staff
Staff

Created on ‎03-08-2024 01:13 AM

Hello,
My observation is for Get Analysis action when we execute it for a file it takes some couple of minutes to complete depending on the file size, so the status is displayed as 'queued' initially. If we re-execute the same action again after sometime like around 5-10 minutes(in my case) it gets 'completed'.
And if we don't want to re-execute the action again and use the same connector, then here we can use "do until loop" and apply a condition (As shown in the screenshot) where we will keep checking till the status becomes completed and once status is changed to completed then action will be completed with the required output.

jinja entered in "do until" is
vars.steps.Get_Analysis_Details.data.data.attributes.status == queued

Hope this helps.

Thanks,
Junaid

Junaid

View solution in original post

Preview file
546 KB
255
3 REPLIES 3
Fabien1
New Contributor II

Created on ‎03-08-2024 12:15 AM

Hey, I guess if VT doing deep analysis, it will provide result in couple of minutes or hours after, it's depends, reason why you have to wait the result till it's "completed" ( by using a "wait" step for checking again )

I guess for such kind of sandboxing it's normal behavior that result is not provided in live

For my part as I cannot wait, I doing some deep analysis w/ capabilities that provide a "fast" scan, means you are getting the result  in real time maybe w/ less data, but w/o need to wait ...

For instance Hybrid Analysis provide a fast scan, URLSCAN.IO also, but Falcon Sandow does not ... I don't know for Joe sandbox

Hope it can help

Fabien

266
Jtamboli
Staff
Staff

Created on ‎03-08-2024 01:13 AM

Hello,
My observation is for Get Analysis action when we execute it for a file it takes some couple of minutes to complete depending on the file size, so the status is displayed as 'queued' initially. If we re-execute the same action again after sometime like around 5-10 minutes(in my case) it gets 'completed'.
And if we don't want to re-execute the action again and use the same connector, then here we can use "do until loop" and apply a condition (As shown in the screenshot) where we will keep checking till the status becomes completed and once status is changed to completed then action will be completed with the required output.

jinja entered in "do until" is
vars.steps.Get_Analysis_Details.data.data.attributes.status == queued

Hope this helps.

Thanks,
Junaid

Junaid
Preview file
546 KB
256
doubleohseven
New Contributor II
In response to Jtamboli

Created on ‎03-08-2024 06:45 AM Edited on ‎03-08-2024 07:01 AM

Thanks Jtamboli, this is brilliant - exactly the logic I was looking for. I hadn't thought of using a do until loop so thanks for pointing that out. I tested it out and it works if I set the condition to

vars.steps.Get_Analysis_Details.data.data.attributes.status == completed

225
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.