<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Workflow action - Virustotal in Monitoring Splunk</title>
    <link>https://community.splunk.com/t5/Monitoring-Splunk/Workflow-action-Virustotal/m-p/467465#M8239</link>
    <description>&lt;P&gt;Hi,&lt;/P&gt;

&lt;P&gt;yes I want to access VT API&lt;/P&gt;</description>
    <pubDate>Fri, 27 Dec 2019 19:44:49 GMT</pubDate>
    <dc:creator>VijaySrrie</dc:creator>
    <dc:date>2019-12-27T19:44:49Z</dc:date>
    <item>
      <title>Workflow action - Virustotal</title>
      <link>https://community.splunk.com/t5/Monitoring-Splunk/Workflow-action-Virustotal/m-p/467460#M8234</link>
      <description>&lt;P&gt;Is it possible to create workflow action to check the malicious URL?&lt;BR /&gt;
If yes, after setting it up how to work on it?&lt;/P&gt;</description>
      <pubDate>Wed, 18 Dec 2019 10:01:54 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Monitoring-Splunk/Workflow-action-Virustotal/m-p/467460#M8234</guid>
      <dc:creator>VijaySrrie</dc:creator>
      <dc:date>2019-12-18T10:01:54Z</dc:date>
    </item>
    <item>
      <title>Re: Workflow action - Virustotal</title>
      <link>https://community.splunk.com/t5/Monitoring-Splunk/Workflow-action-Virustotal/m-p/467461#M8235</link>
      <description>&lt;P&gt;Hi,  @vijaysri &lt;/P&gt;

&lt;P&gt;try app&lt;/P&gt;

&lt;P&gt;&lt;A href="https://splunkbase.splunk.com/app/4283/"&gt;virus total TA&lt;/A&gt;&lt;/P&gt;

&lt;H2&gt;&lt;A href="https://gitlab.com/adarma_public_projects/splunk/TA-VirusTotal"&gt;virus total TA usage&lt;/A&gt;&lt;/H2&gt;

&lt;P&gt;my old answer:&lt;/P&gt;

&lt;P&gt;Look at this.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;| makeresults 
| eval _raw="http://www.yahoo.com/" 
| eval hash=sha256(_raw) 
| appendpipe 
    [ eval hash="ed91698b5823a5e4424726955dd3fd437d9cfdc46f7b8988cded5da779cc7483"]
`comment("the hash of below link")`
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;&lt;CODE&gt;&lt;A href="https://www.virustotal.com/gui/url/ed91698b5823a5e4424726955dd3fd437d9cfdc46f7b8988cded5da779cc7483/detection" target="test_blank"&gt;https://www.virustotal.com/gui/url/ed91698b5823a5e4424726955dd3fd437d9cfdc46f7b8988cded5da779cc7483/detection&lt;/A&gt;&lt;/CODE&gt;&lt;BR /&gt;
This query aims to explain the VirusTotal URL.&lt;BR /&gt;
So,&lt;BR /&gt;
you just have to hash the &lt;STRONG&gt;url&lt;/STRONG&gt; with &lt;CODE&gt;sha256()&lt;/CODE&gt; (starts with http, ends with / OR file name OR anchor name)&lt;BR /&gt;
and give it to the &lt;EM&gt;link&lt;/EM&gt;.&lt;/P&gt;

&lt;P&gt;&lt;A href="https://docs.splunk.com/Documentation/Splunk/8.0.0/Knowledge/CreateworkflowactionsinSplunkWeb"&gt;Create workflow actions in SplunkWeb&lt;/A&gt;&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;index="botsv2" sourcetype="stream:http"
| rex field=url "^(?&amp;lt;vt_url&amp;gt;.+:\/\/[\w\:.]+?\/)"
| eventstats values(eval(sha256(vt_url))) as vt_urlhash by vt_url
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;&lt;A href="https://github.com/splunk/botsv2"&gt;BOSS of the soc 2&lt;/A&gt;&lt;BR /&gt;
For example, I made it using this data set.&lt;/P&gt;

&lt;P&gt;Workflow Settings:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;Fields » Workflow actions » Add new

Link configuration

URI   &lt;A href="https://www.virustotal.com/gui/url/$vt_urlhash$/detection" target="test_blank"&gt;https://www.virustotal.com/gui/url/$vt_urlhash$/detection&lt;/A&gt;
Open link in   New window
Link method   get
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;HR /&gt;

&lt;PRE&gt;&lt;CODE&gt;| makeresults
| eval _raw="http://freeloaderstokyo.com/fill-form.html"
`comment("this URL is malicious, do NOT access it!")`
| eval hash=sha256(_raw)
`comment("put the URL into _raw; no trailing whitespace, or the hash will not match VirusTotal's")`
| eval link="https://www.virustotal.com/gui/url/".hash."/detection"
`comment("string concatenation in eval uses the bare field name, not $hash$")`
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;This is interesting, too.&lt;/P&gt;

&lt;P&gt;EDITED:&lt;/P&gt;

&lt;P&gt;VT API access:&lt;BR /&gt;
The URL described here (&lt;A href="https://developers.virustotal.com/reference#file-report"&gt;VT API reference&lt;/A&gt;) will be created in Splunk.&lt;/P&gt;

&lt;P&gt;example: &lt;CODE&gt;curl --request GET --url 'https://www.virustotal.com/vtapi/v2/url/report?apikey=&amp;lt;apikey&amp;gt;&amp;amp;resource=&amp;lt;resource&amp;gt;'&lt;/CODE&gt;&lt;BR /&gt;
You will create &lt;EM&gt;apikey.csv&lt;/EM&gt;.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;apikey.csv:
apikey
your_api_key
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Url/Report workflow action example:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;index=your_index sourcetype=your_sourcetype
| inputlookup append=t apikey.csv
`comment("append=t only adds one extra row holding apikey; copy it onto every event so $apikey$ resolves in the workflow action")`
| eventstats values(apikey) as apikey
| eval resource=your_url
`comment("drop the bare lookup row, which has no URL to look up")`
| where isnotnull(resource)
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;&lt;A href="https://docs.splunk.com/Documentation/Splunk/8.0.1/Knowledge/SetupaGETworkflowaction"&gt;Setup a GET workflow action&lt;/A&gt;&lt;BR /&gt;
workflow setting:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;Link configuration &amp;gt; URI
&lt;A href="https://www.virustotal.com/vtapi/v2/url/report?apikey=$apikey$&amp;amp;resource=$!resource$" target="test_blank"&gt;https://www.virustotal.com/vtapi/v2/url/report?apikey=$apikey$&amp;amp;resource=$!resource$&lt;/A&gt;
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;The fields of access result JSON file:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;scans:
permalink:
positives:
resource:
response_code:
scan_date:
scan_id:
url:
total:
verbose_msg:
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;The fields of access result JSON file, Scans object:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;&amp;lt;antivirus vendor&amp;gt;.detected
&amp;lt;antivirus vendor&amp;gt;.result
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Wed, 18 Dec 2019 11:41:49 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Monitoring-Splunk/Workflow-action-Virustotal/m-p/467461#M8235</guid>
      <dc:creator>to4kawa</dc:creator>
      <dc:date>2019-12-18T11:41:49Z</dc:date>
    </item>
    <item>
      <title>Re: Workflow action - Virustotal</title>
      <link>https://community.splunk.com/t5/Monitoring-Splunk/Workflow-action-Virustotal/m-p/467462#M8236</link>
      <description>&lt;P&gt;Hi to4kawa,&lt;/P&gt;

&lt;P&gt;1) I have done the workflow settings.&lt;BR /&gt;
2) To get the hash value:&lt;BR /&gt;
| makeresults&lt;BR /&gt;
| eval _raw="http://www.yahoo.com/"&lt;BR /&gt;
| eval hash=sha256(_raw)&lt;/P&gt;

&lt;P&gt;3) I don't know how to proceed further.&lt;/P&gt;</description>
      <pubDate>Wed, 30 Sep 2020 03:27:36 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Monitoring-Splunk/Workflow-action-Virustotal/m-p/467462#M8236</guid>
      <dc:creator>VijaySrrie</dc:creator>
      <dc:date>2020-09-30T03:27:36Z</dc:date>
    </item>
    <item>
      <title>Re: Workflow action - Virustotal</title>
      <link>https://community.splunk.com/t5/Monitoring-Splunk/Workflow-action-Virustotal/m-p/467463#M8237</link>
      <description>&lt;P&gt;Name and label of the workflow is virustotal&lt;/P&gt;</description>
      <pubDate>Wed, 18 Dec 2019 16:07:22 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Monitoring-Splunk/Workflow-action-Virustotal/m-p/467463#M8237</guid>
      <dc:creator>VijaySrrie</dc:creator>
      <dc:date>2019-12-18T16:07:22Z</dc:date>
    </item>
    <item>
      <title>Re: Workflow action - Virustotal</title>
      <link>https://community.splunk.com/t5/Monitoring-Splunk/Workflow-action-Virustotal/m-p/467464#M8238</link>
      <description>&lt;P&gt;look at my second query.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;your search and there is a url(http://xxx.xxx.xx/yyy/zzz....) field.
| rex field=url "^(?&amp;lt;vt_url&amp;gt;.+:\/\/[\w\:.]+?\/)"
| eventstats values(eval(sha256(vt_url))) as vt_urlhash by vt_url
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;This is the solution.&lt;/P&gt;

&lt;P&gt;My first query aims to explain how the VirusTotal URL works.&lt;/P&gt;

&lt;P&gt;Do you want to access VT API?&lt;/P&gt;</description>
      <pubDate>Wed, 18 Dec 2019 19:31:14 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Monitoring-Splunk/Workflow-action-Virustotal/m-p/467464#M8238</guid>
      <dc:creator>to4kawa</dc:creator>
      <dc:date>2019-12-18T19:31:14Z</dc:date>
    </item>
    <item>
      <title>Re: Workflow action - Virustotal</title>
      <link>https://community.splunk.com/t5/Monitoring-Splunk/Workflow-action-Virustotal/m-p/467465#M8239</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;

&lt;P&gt;yes I want to access VT API&lt;/P&gt;</description>
      <pubDate>Fri, 27 Dec 2019 19:44:49 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Monitoring-Splunk/Workflow-action-Virustotal/m-p/467465#M8239</guid>
      <dc:creator>VijaySrrie</dc:creator>
      <dc:date>2019-12-27T19:44:49Z</dc:date>
    </item>
    <item>
      <title>Re: Workflow action - Virustotal</title>
      <link>https://community.splunk.com/t5/Monitoring-Splunk/Workflow-action-Virustotal/m-p/467466#M8240</link>
      <description>&lt;P&gt;Hi, @vijaysri&lt;BR /&gt;
My answer updated, please confirm.&lt;/P&gt;</description>
      <pubDate>Sat, 28 Dec 2019 00:07:05 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Monitoring-Splunk/Workflow-action-Virustotal/m-p/467466#M8240</guid>
      <dc:creator>to4kawa</dc:creator>
      <dc:date>2019-12-28T00:07:05Z</dc:date>
    </item>
  </channel>
</rss>