https://community.splunk.com/t5/Splunk-Search/Virustotal-Checker-Add-on-What-search-syntax-would-I-use-to/m-p/132110#M184568 <P>You can search url is the same method like hash. And unfortunately, IP address search is not available...</P> Wed, 19 Aug 2015 02:19:34 GMT underbar 2015-08-19T02:19:34Z https://community.splunk.com/t5/Splunk-Search/Virustotal-Checker-Add-on-What-search-syntax-would-I-use-to/m-p/132107#M184565 <P>I am a Splunk newbie so I am not great on all the syntax you can use for searches. Your add-on was pointed out to me and could be very useful, but I have not been able to figure out the search syntax as yet.</P> <P>I have received events from a malware detection system into Splunk via syslog. It has detected a piece of malware with hash 5f41c906b4a462baea4715692c62023dfd4cdb83. What syntax would I use to have your add-on provide VT information about this hash?</P> <P>Thanks.</P> Thu, 09 Apr 2015 14:29:30 GMT https://community.splunk.com/t5/Splunk-Search/Virustotal-Checker-Add-on-What-search-syntax-would-I-use-to/m-p/132107#M184565 tzack 2015-04-09T14:29:30Z https://community.splunk.com/t5/Splunk-Search/Virustotal-Checker-Add-on-What-search-syntax-would-I-use-to/m-p/132108#M184566 <P>Hi.<BR /> "vt" command has two options (field, av).<BR /> "field" option set the field of malware hash value for searching Virustotal.<BR /> ex.)<BR /> sourcetype="malware" | table file_name, hash | vt field="hash" | table file_name, hash, vt_av_result, vt_link, vt_ratio</P> <P>"av" option can setting the anti-virus detection results of Virustotal you wanted.<BR /> if you wanna view all results for using asterisk sign("<EM><EM></EM>").<BR /> ex.)<BR /> sourcetype="malware" | table file_name, hash | vt field="hash" av="symantec" | table file_name, hash, vt_av_result, vt_link, vt_ratio<BR /> sourcetype="malware" | table file_name, hash | vt field="hash" av="symantec,avast" | table file_name, hash, vt_av_result, vt_link, vt_ratio<BR /> sourcetype="malware" | table file_name, hash | vt field="hash" av="</EM>" | table file_name, hash, vt_av_result, vt_link, vt_ratio</P> <P>if you wanna searching for specific hash value, you can follow example.<BR /> ex.)<BR /> <EM><EM></EM> | eval hash="5f41c906b4a462baea4715692c62023dfd4cdb83" | vt field="hash" av="<EM></EM></EM>" | table file_name, hash, vt_*</P> <P>Thanks!</P> Mon, 28 Sep 2020 19:31:01 GMT https://community.splunk.com/t5/Splunk-Search/Virustotal-Checker-Add-on-What-search-syntax-would-I-use-to/m-p/132108#M184566 underbar 2020-09-28T19:31:01Z https://community.splunk.com/t5/Splunk-Search/Virustotal-Checker-Add-on-What-search-syntax-would-I-use-to/m-p/132109#M184567 <P>what if you are trying to search for a url or IP address?</P> Wed, 12 Aug 2015 19:40:08 GMT https://community.splunk.com/t5/Splunk-Search/Virustotal-Checker-Add-on-What-search-syntax-would-I-use-to/m-p/132109#M184567 tvjust 2015-08-12T19:40:08Z https://community.splunk.com/t5/Splunk-Search/Virustotal-Checker-Add-on-What-search-syntax-would-I-use-to/m-p/132110#M184568 <P>You can search url is the same method like hash. And unfortunately, IP address search is not available...</P> Wed, 19 Aug 2015 02:19:34 GMT https://community.splunk.com/t5/Splunk-Search/Virustotal-Checker-Add-on-What-search-syntax-would-I-use-to/m-p/132110#M184568 underbar 2015-08-19T02:19:34Z