All Apps and Add-ons

Access Virus Total permalink with Splunk

da_la97
Engager

I am interested in developing an app where Virus total URL scan results will be displayed (rather than the permalink) in Splunk. To be more specific access the data in the Virus Total Permalink and in the permalink it says under "scans" "detected" if it is True output clean site else else Not clean.

I have generated the code for checking if "scans" "detected" is True/False. But I do not know how to access data in Virus total permalink through splunk

0 Karma
1 Solution

tomaszdziwok
Path Finder

With "VirusTotal Malware Lookup for Splunk", this should be possible.
While in its default mode the | virustotal command outputs structured fields (columns), you can also run the command in "raw" mode - where all the output sent by VirusTotal is passed back to Splunk in json format. From there it should be possible to use | spath or a similar Splunk command to post-process the json and extract relevant fields.

Default usage:
alt text

Raw json output mode:
alt text

(please excuse the small images - it may be worth opening them in a different tab to better see content)

Unfortunately, any additional data that's not included in the json is currently not obtainable by the TA.
Hopefully this helps.
Please reach out with any further questions.

Thanks,
Tomasz

View solution in original post

tomaszdziwok
Path Finder

With "VirusTotal Malware Lookup for Splunk", this should be possible.
While in its default mode the | virustotal command outputs structured fields (columns), you can also run the command in "raw" mode - where all the output sent by VirusTotal is passed back to Splunk in json format. From there it should be possible to use | spath or a similar Splunk command to post-process the json and extract relevant fields.

Default usage:
alt text

Raw json output mode:
alt text

(please excuse the small images - it may be worth opening them in a different tab to better see content)

Unfortunately, any additional data that's not included in the json is currently not obtainable by the TA.
Hopefully this helps.
Please reach out with any further questions.

Thanks,
Tomasz

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...