VirusTotal API v3 - IoC Investigation — IoC Investigation - Files Behaviours

VirusTotal API v3 - IoC Investigation — IoC Investigation - Files Behaviours. 10 operations. Lead operation: Get a File Behavior Report from a Sandbox. Self-contained Naftiko capability covering one VirusTotal business surface.

What You Can Do

GET /v1/file_behaviours/{sandbox_id}
Getfilebehaviourid — VirusTotal Get a File Behavior Report from a Sandbox

GET /v1/file_behaviours/{sandbox_id}/evtx
Filebehaviourevtx — VirusTotal Get the EVTX File Generated During a File’s Behavior Analysis

GET /v1/file_behaviours/{sandbox_id}/html
Getfilebehaviourhtml — VirusTotal Get a Detailed HTML Behaviour Report

GET /v1/file_behaviours/{sandbox_id}/memdump
Filebehaviourmemdump — VirusTotal Get the Memdump File Generated During a File’s Behavior Analysis

GET /v1/file_behaviours/{sandbox_id}/pcap
Filebehaviourspcap — VirusTotal Get the PCAP File Generated During a File’s Behavior Analysis

GET /v1/file_behaviours/{sandbox_id}/relationships/{relationship}
Filebehaviourssandboxidrelationshipsrelationship — VirusTotal Get Object Descriptors Related to a Behaviour Report

GET /v1/file_behaviours/{sandbox_id}/{relationship}
Filebehaviourssandboxidrelationship — VirusTotal Get Objects Related to a Behaviour Report

GET /v1/files/{id}/behaviour_mitre_trees
Getasummaryofallmitreattcktechniquesobservedinafile — VirusTotal Get a Summary of All MITRE ATT&CK Techniques Observed in a File

GET /v1/files/{id}/behaviour_summary
Fileallbehaviourssummary — VirusTotal Get a Summary of All Behavior Reports for a File

GET /v1/files/{id}/behaviours
Getallbehaviorreportsforafile — VirusTotal Get All Behavior Reports for a File

MCP Tools

get-file-behavior-report-sandbox (read-only, idempotent)
VirusTotal Get a File Behavior Report from a Sandbox

get-evtx-file-generated-during (read-only, idempotent)
VirusTotal Get the EVTX File Generated During a File’s Behavior Analysis

get-detailed-html-behaviour-report (read-only, idempotent)
VirusTotal Get a Detailed HTML Behaviour Report

get-memdump-file-generated-during (read-only, idempotent)
VirusTotal Get the Memdump File Generated During a File’s Behavior Analysis

get-pcap-file-generated-during (read-only, idempotent)
VirusTotal Get the PCAP File Generated During a File’s Behavior Analysis

get-object-descriptors-related-behaviour (read-only, idempotent)
VirusTotal Get Object Descriptors Related to a Behaviour Report

get-objects-related-behaviour-report (read-only, idempotent)
VirusTotal Get Objects Related to a Behaviour Report

get-summary-all-mitre-att (read-only, idempotent)
VirusTotal Get a Summary of All MITRE ATT&CK Techniques Observed in a File

get-summary-all-behavior-reports (read-only, idempotent)
VirusTotal Get a Summary of All Behavior Reports for a File

get-all-behavior-reports-file (read-only, idempotent)
VirusTotal Get All Behavior Reports for a File

Capability Spec

ioc-investigation-ioc-investigation-files-behaviours.yaml
naftiko: 1.0.0-alpha2
info:
  label: VirusTotal API v3 - IoC Investigation — IoC Investigation - Files Behaviours
  description: 'VirusTotal API v3 - IoC Investigation — IoC Investigation - Files Behaviours. 10 operations. Lead operation: Get a File Behavior Report from a Sandbox. Self-contained Naftiko capability
    covering one VirusTotal business surface.'
  tags:
  - VirusTotal
  - IoC Investigation
  - Files Behaviours
  created: '2026-05-29'
  modified: '2026-05-29'
binds:
- namespace: env
  keys:
    VIRUSTOTAL_API_KEY: VIRUSTOTAL_API_KEY
capability:
  consumes:
  - type: http
    namespace: ioc-investigation-ioc-investigation-files-behaviours
    baseUri: https://www.virustotal.com/api/v3
    description: VirusTotal API v3 - IoC Investigation — IoC Investigation - Files Behaviours. Self-contained, no shared references.
    authentication:
      type: apikey
      key: x-apikey
      value: '{{env.VIRUSTOTAL_API_KEY}}'
      placement: header
    resources:
    - name: file-behaviours-sandbox-id
      path: /file_behaviours/{sandbox_id}
      operations:
      - name: getFileBehaviourId
        method: GET
        description: VirusTotal Get a File Behavior Report from a Sandbox
        inputParameters:
        - name: sandbox_id
          in: path
          type: string
          required: true
          description: Sandbox report ID. See "Sandbox Report identifiers" section below for more info.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: file-behaviours-sandbox-id-evtx
      path: /file_behaviours/{sandbox_id}/evtx
      operations:
      - name: fileBehaviourEvtx
        method: GET
        description: VirusTotal Get the EVTX File Generated During a File’s Behavior Analysis
        inputParameters:
        - name: sandbox_id
          in: path
          type: string
          required: true
          description: Sandbox report ID.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: file-behaviours-sandbox-id-html
      path: /file_behaviours/{sandbox_id}/html
      operations:
      - name: getFileBehaviourHtml
        method: GET
        description: VirusTotal Get a Detailed HTML Behaviour Report
        inputParameters:
        - name: sandbox_id
          in: path
          type: string
          required: true
          description: Sandbox report ID.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: file-behaviours-sandbox-id-memdump
      path: /file_behaviours/{sandbox_id}/memdump
      operations:
      - name: fileBehaviourMemdump
        method: GET
        description: VirusTotal Get the Memdump File Generated During a File’s Behavior Analysis
        inputParameters:
        - name: sandbox_id
          in: path
          type: string
          required: true
          description: Sandbox report ID.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: file-behaviours-sandbox-id-pcap
      path: /file_behaviours/{sandbox_id}/pcap
      operations:
      - name: fileBehavioursPcap
        method: GET
        description: VirusTotal Get the PCAP File Generated During a File’s Behavior Analysis
        inputParameters:
        - name: sandbox_id
          in: path
          type: string
          required: true
          description: Sandbox report ID.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: file-behaviours-sandbox-id-relationships-relationship
      path: /file_behaviours/{sandbox_id}/relationships/{relationship}
      operations:
      - name: fileBehaviourssandboxIdrelationshipsrelationship
        method: GET
        description: VirusTotal Get Object Descriptors Related to a Behaviour Report
        inputParameters:
        - name: sandbox_id
          in: path
          type: string
          required: true
          description: Sandbox report ID
        - name: relationship
          in: path
          type: string
          required: true
          description: Relationship name (see [table](ref:file-behaviour-summary-object#relationships))
        - name: limit
          in: query
          type: integer
          required: false
          description: Maximum number of related objects to retrieve
        - name: cursor
          in: query
          type: string
          required: false
          description: Continuation cursor
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: file-behaviours-sandbox-id-relationship
      path: /file_behaviours/{sandbox_id}/{relationship}
      operations:
      - name: fileBehaviourssandboxIdrelationship
        method: GET
        description: VirusTotal Get Objects Related to a Behaviour Report
        inputParameters:
        - name: sandbox_id
          in: path
          type: string
          required: true
          description: Sandbox report ID
        - name: relationship
          in: path
          type: string
          required: true
          description: Relationship name (see [table](ref:file-behaviour-summary-object#relationships))
        - name: limit
          in: query
          type: integer
          required: false
          description: Maximum number of related objects to retrieve
        - name: cursor
          in: query
          type: string
          required: false
          description: Continuation cursor
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: files-id-behaviour-mitre-trees
      path: /files/{id}/behaviour_mitre_trees
      operations:
      - name: getASummaryOfAllMitreAttckTechniquesObservedInAFile
        method: GET
        description: VirusTotal Get a Summary of All MITRE ATT&CK Techniques Observed in a File
        inputParameters:
        - name: id
          in: path
          type: string
          required: true
          description: SHA-256, SHA-1 or MD5 identifying the file
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: files-id-behaviour-summary
      path: /files/{id}/behaviour_summary
      operations:
      - name: fileAllBehavioursSummary
        method: GET
        description: VirusTotal Get a Summary of All Behavior Reports for a File
        inputParameters:
        - name: id
          in: path
          type: string
          required: true
          description: SHA-256, SHA-1 or MD5 identifying the file
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: files-id-behaviours
      path: /files/{id}/behaviours
      operations:
      - name: getAllBehaviorReportsForAFile
        method: GET
        description: VirusTotal Get All Behavior Reports for a File
        inputParameters:
        - name: id
          in: path
          type: string
          required: true
          description: SHA-256, SHA-1 or MD5 identifying the file
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
  exposes:
  - type: rest
    namespace: ioc-investigation-ioc-investigation-files-behaviours-rest
    port: 8080
    description: REST adapter for VirusTotal API v3 - IoC Investigation — IoC Investigation - Files Behaviours. One Spectral-compliant resource per consumed operation, prefixed with /v1.
    resources:
    - path: /v1/file_behaviours/{sandbox_id}
      name: file-behaviours-sandbox-id
      description: REST surface for /file_behaviours/{sandbox_id}.
      operations:
      - method: GET
        name: getFileBehaviourId
        description: VirusTotal Get a File Behavior Report from a Sandbox
        call: ioc-investigation-ioc-investigation-files-behaviours.getFileBehaviourId
        outputParameters:
        - type: object
          mapping: $.
        with:
          sandbox_id: rest.sandbox_id
    - path: /v1/file_behaviours/{sandbox_id}/evtx
      name: file-behaviours-sandbox-id-evtx
      description: REST surface for /file_behaviours/{sandbox_id}/evtx.
      operations:
      - method: GET
        name: fileBehaviourEvtx
        description: VirusTotal Get the EVTX File Generated During a File’s Behavior Analysis
        call: ioc-investigation-ioc-investigation-files-behaviours.fileBehaviourEvtx
        outputParameters:
        - type: object
          mapping: $.
        with:
          sandbox_id: rest.sandbox_id
    - path: /v1/file_behaviours/{sandbox_id}/html
      name: file-behaviours-sandbox-id-html
      description: REST surface for /file_behaviours/{sandbox_id}/html.
      operations:
      - method: GET
        name: getFileBehaviourHtml
        description: VirusTotal Get a Detailed HTML Behaviour Report
        call: ioc-investigation-ioc-investigation-files-behaviours.getFileBehaviourHtml
        outputParameters:
        - type: object
          mapping: $.
        with:
          sandbox_id: rest.sandbox_id
    - path: /v1/file_behaviours/{sandbox_id}/memdump
      name: file-behaviours-sandbox-id-memdump
      description: REST surface for /file_behaviours/{sandbox_id}/memdump.
      operations:
      - method: GET
        name: fileBehaviourMemdump
        description: VirusTotal Get the Memdump File Generated During a File’s Behavior Analysis
        call: ioc-investigation-ioc-investigation-files-behaviours.fileBehaviourMemdump
        outputParameters:
        - type: object
          mapping: $.
        with:
          sandbox_id: rest.sandbox_id
    - path: /v1/file_behaviours/{sandbox_id}/pcap
      name: file-behaviours-sandbox-id-pcap
      description: REST surface for /file_behaviours/{sandbox_id}/pcap.
      operations:
      - method: GET
        name: fileBehavioursPcap
        description: VirusTotal Get the PCAP File Generated During a File’s Behavior Analysis
        call: ioc-investigation-ioc-investigation-files-behaviours.fileBehavioursPcap
        outputParameters:
        - type: object
          mapping: $.
        with:
          sandbox_id: rest.sandbox_id
    - path: /v1/file_behaviours/{sandbox_id}/relationships/{relationship}
      name: file-behaviours-sandbox-id-relationships-relationship
      description: REST surface for /file_behaviours/{sandbox_id}/relationships/{relationship}.
      operations:
      - method: GET
        name: fileBehaviourssandboxIdrelationshipsrelationship
        description: VirusTotal Get Object Descriptors Related to a Behaviour Report
        call: ioc-investigation-ioc-investigation-files-behaviours.fileBehaviourssandboxIdrelationshipsrelationship
        outputParameters:
        - type: object
          mapping: $.
        with:
          sandbox_id: rest.sandbox_id
          relationship: rest.relationship
          limit: rest.limit
          cursor: rest.cursor
    - path: /v1/file_behaviours/{sandbox_id}/{relationship}
      name: file-behaviours-sandbox-id-relationship
      description: REST surface for /file_behaviours/{sandbox_id}/{relationship}.
      operations:
      - method: GET
        name: fileBehaviourssandboxIdrelationship
        description: VirusTotal Get Objects Related to a Behaviour Report
        call: ioc-investigation-ioc-investigation-files-behaviours.fileBehaviourssandboxIdrelationship
        outputParameters:
        - type: object
          mapping: $.
        with:
          sandbox_id: rest.sandbox_id
          relationship: rest.relationship
          limit: rest.limit
          cursor: rest.cursor
    - path: /v1/files/{id}/behaviour_mitre_trees
      name: files-id-behaviour-mitre-trees
      description: REST surface for /files/{id}/behaviour_mitre_trees.
      operations:
      - method: GET
        name: getASummaryOfAllMitreAttckTechniquesObservedInAFile
        description: VirusTotal Get a Summary of All MITRE ATT&CK Techniques Observed in a File
        call: ioc-investigation-ioc-investigation-files-behaviours.getASummaryOfAllMitreAttckTechniquesObservedInAFile
        outputParameters:
        - type: object
          mapping: $.
        with:
          id: rest.id
    - path: /v1/files/{id}/behaviour_summary
      name: files-id-behaviour-summary
      description: REST surface for /files/{id}/behaviour_summary.
      operations:
      - method: GET
        name: fileAllBehavioursSummary
        description: VirusTotal Get a Summary of All Behavior Reports for a File
        call: ioc-investigation-ioc-investigation-files-behaviours.fileAllBehavioursSummary
        outputParameters:
        - type: object
          mapping: $.
        with:
          id: rest.id
    - path: /v1/files/{id}/behaviours
      name: files-id-behaviours
      description: REST surface for /files/{id}/behaviours.
      operations:
      - method: GET
        name: getAllBehaviorReportsForAFile
        description: VirusTotal Get All Behavior Reports for a File
        call: ioc-investigation-ioc-investigation-files-behaviours.getAllBehaviorReportsForAFile
        outputParameters:
        - type: object
          mapping: $.
        with:
          id: rest.id
  - type: mcp
    namespace: ioc-investigation-ioc-investigation-files-behaviours-mcp
    port: 9090
    transport: http
    description: MCP adapter for VirusTotal API v3 - IoC Investigation — IoC Investigation - Files Behaviours. One tool per consumed operation, routed inline through this capability's consumes block.
    tools:
    - name: get-file-behavior-report-sandbox
      description: VirusTotal Get a File Behavior Report from a Sandbox
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: ioc-investigation-ioc-investigation-files-behaviours.getFileBehaviourId
      outputParameters:
      - type: object
        mapping: $.
      with:
        sandbox_id: tools.sandbox_id
    - name: get-evtx-file-generated-during
      description: VirusTotal Get the EVTX File Generated During a File’s Behavior Analysis
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: ioc-investigation-ioc-investigation-files-behaviours.fileBehaviourEvtx
      outputParameters:
      - type: object
        mapping: $.
      with:
        sandbox_id: tools.sandbox_id
    - name: get-detailed-html-behaviour-report
      description: VirusTotal Get a Detailed HTML Behaviour Report
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: ioc-investigation-ioc-investigation-files-behaviours.getFileBehaviourHtml
      outputParameters:
      - type: object
        mapping: $.
      with:
        sandbox_id: tools.sandbox_id
    - name: get-memdump-file-generated-during
      description: VirusTotal Get the Memdump File Generated During a File’s Behavior Analysis
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: ioc-investigation-ioc-investigation-files-behaviours.fileBehaviourMemdump
      outputParameters:
      - type: object
        mapping: $.
      with:
        sandbox_id: tools.sandbox_id
    - name: get-pcap-file-generated-during
      description: VirusTotal Get the PCAP File Generated During a File’s Behavior Analysis
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: ioc-investigation-ioc-investigation-files-behaviours.fileBehavioursPcap
      outputParameters:
      - type: object
        mapping: $.
      with:
        sandbox_id: tools.sandbox_id
    - name: get-object-descriptors-related-behaviour
      description: VirusTotal Get Object Descriptors Related to a Behaviour Report
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: ioc-investigation-ioc-investigation-files-behaviours.fileBehaviourssandboxIdrelationshipsrelationship
      outputParameters:
      - type: object
        mapping: $.
      with:
        sandbox_id: tools.sandbox_id
        relationship: tools.relationship
        limit: tools.limit
        cursor: tools.cursor
    - name: get-objects-related-behaviour-report
      description: VirusTotal Get Objects Related to a Behaviour Report
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: ioc-investigation-ioc-investigation-files-behaviours.fileBehaviourssandboxIdrelationship
      outputParameters:
      - type: object
        mapping: $.
      with:
        sandbox_id: tools.sandbox_id
        relationship: tools.relationship
        limit: tools.limit
        cursor: tools.cursor
    - name: get-summary-all-mitre-att
      description: VirusTotal Get a Summary of All MITRE ATT&CK Techniques Observed in a File
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: ioc-investigation-ioc-investigation-files-behaviours.getASummaryOfAllMitreAttckTechniquesObservedInAFile
      outputParameters:
      - type: object
        mapping: $.
      with:
        id: tools.id
    - name: get-summary-all-behavior-reports
      description: VirusTotal Get a Summary of All Behavior Reports for a File
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: ioc-investigation-ioc-investigation-files-behaviours.fileAllBehavioursSummary
      outputParameters:
      - type: object
        mapping: $.
      with:
        id: tools.id
    - name: get-all-behavior-reports-file
      description: VirusTotal Get All Behavior Reports for a File
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: ioc-investigation-ioc-investigation-files-behaviours.getAllBehaviorReportsForAFile
      outputParameters:
      - type: object
        mapping: $.
      with:
        id: tools.id