Check file hash reputation with VirusTotal and Slack alerts
🧩 Template Description File Hash Reputation Checker is a security automation workflow that validates file hashes (MD5, SHA1, SHA256) and checks their reputation using the VirusTotal API. It is designed for SOC teams,...
Template notes
🧩 Template Description File Hash Reputation Checker is a security automation workflow that validates file hashes (MD5, SHA1, SHA256) and checks their reputation using the VirusTotal API. It is designed for SOC teams, security engineers, and automation pipelines that need fast and consistent malware verdicts from a single hash input.
The workflow supports two input methods: - An HTTP webhook for API-based integrations
- A Slack slash command (/hash-check) for quick analyst-driven checks directly from Slack
Once a hash is submitted, the workflow normalizes and validates the input, queries VirusTotal for detection statistics, and determines whether the file is Malicious, Suspicious, Clean, or Unknown. Results are returned as a structured JSON response and also posted to Slack with severity-based formatting.
⚙️ How It Works 1. A file hash is submitted via HTTP POST or Slack using /hash-check FILEHASH.
2. The hash is normalized (lowercased and trimmed).
3. The workflow validates the hash format (MD5, SHA1, or SHA256).
4. VirusTotal is queried for hash reputation data.