HCyber
+1 from me, would be awesome to have this
I will add that Velociraptor _may be_ eligible for a free VirusTotal API key with higher quota, details here: https://support.virustotal.com/hc/en-us/articles/115002100149-API
@mgreen27 thanks. For the `Windows.Sysinternals.Autoruns` artefact, it is worth noting that `autorunsc` supports querying VirusTotal using the following options:

- `-v[s]`: Query VirusTotal for malware based on file...
> This is probably not what you want - having 10k endpoints directly query VT at the same time for potentially the same binaries will use the API quota pretty...
> This is what Server.Enrichment.Virustotal is for. Collect Autoruns > reduce/dedup > enrich with VT lookups.

What I am suggesting [here](https://github.com/Velocidex/velociraptor/issues/1931#issuecomment-1180706835) is different: VT lookups would be done by `autorunsc`...
> How does autorunsc work without an API key? does it have some kind of free limit?

They have probably applied for a special privilege using the instructions here:...
@mpfz0r thanks. Would uninstalling and reinstalling create a new sidecar entry in Graylog? Or would Graylog recognise the fact that the endpoint is the same?
I will also add that the available options (10, 25, 50) are inconsistent with other menu areas in Graylog (Dashboards, Streams, etc.) which offer the options 10, 50 and 100.
> Is this something locked behind an enterprise license perhaps?

No, the feature is not there even in the enterprise version. Here is the latest feedback that I have seen...
Also see #13203