
Forensic Investigator: Is it possible to search for multiple URLs in a vtlookup search?

chlima
Explorer

Hi!

I would like to know if it is possible to search for multiple URLs in vtlookup, because I have a search that returns many URLs that I would like to test. Example:

This is my query:

source="proxy_logs" category="*unrated*" | stats count by username srcip url

And this is my return:

username | srcip | url | count 
user1 | 10.0.0.1 | www.site1.com | 5
user2 | 10.0.0.2 | www.site2.com | 7 
user3 | 10.0.0.3 | www.site3.com | 8 

I would like to do something this way:

| script vtlookup __EXECUTE__ [search source="proxy_logs" category="*unrated*" | stats count by username srcip url | fields - count | return $url] | spath input=vt | rex field=vt "\"total\":\s+(?<vt_total>\d+)" | rex field=vt "\"positives\":\s+(?<vt_positives>\d+)" | eval Rate="Detection (".vt_positives."/".vt_total.")" | table username srcip url Rate

To get this result:

username | srcip | url | count | Rate
user1 | 10.0.0.1 | www.site1.com | 5 | Detection (6/60)
user2 | 10.0.0.2 | www.site2.com | 7 | Detection (56/60)
user3 | 10.0.0.3 | www.site3.com | 8 | Detection (0/60)

But it doesn't work.

Can someone help me?

Thanks in advance!

0 Karma

TonyLeeVT
Builder

I believe that is an intentional limitation with the VirusTotal API. You can only send one submission at a time. I don't believe there is a bulk submission query. We could always create a loop, but if you submit large amounts, my guess is that we will either be rate limited or cancelled for abuse of service.

Here is a link to the API documentation:
https://www.virustotal.com/en/documentation/public-api/#getting-ip-reports

0 Karma

chlima
Explorer

Sorry for not being clear, and thank you for your comment, but that isn't my problem.

The fields returned from vtlookup are related only to the analyzed URL, but I need to append more info like username, IP, usergroup and others (like in the first example).

The case is that I would like to know a way to append other info to the vtlookup results, this way:

vtlookup result:

url | rate
www.site1.com | 30/60

result from my query:

username | srcip | url
user1 | 10.0.0.1 | www.site1.com

vtlookup + my result

username | srcip | url | rate
user1 | 10.0.0.1 | www.site1.com | 30/60

0 Karma

willadams
Contributor

Not sure if this software is still being developed, but is it possible to do lookups using a private API key to make calls against VT and return the results? Is it possible to leverage this into a search command?

0 Karma

chlima
Explorer

Yes! You need to develop a script that makes a POST request to the VirusTotal API using your private API key.
After that, you must configure Splunk to use the script as a command in commands.conf.

VirusTotal API documentation: https://www.virustotal.com/en/documentation/public-api/

0 Karma
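The kind of script chlima describes in the reply above, and the username/srcip/url-plus-Rate join the original question asks for, as an added example that is not code from this thread or from the Forensic Investigator app. It is a streaming Splunk custom search command written in Python 3: each incoming row keeps its own columns, the `url` field is sent once per distinct URL to the v2 `url/report` endpoint documented at the link in the thread, and a `Rate` field in the question's `Detection (positives/total)` format is appended. The script name `vtenrich.py`, the `VT_API_KEY` environment variable, the commands.conf stanza in the docstring and the 15-second spacing between calls are assumptions made for this example; the lookup function is injectable so the enrichment logic can be exercised without network access.

```python
#!/usr/bin/env python3
"""Streaming custom search command that appends a VirusTotal detection rate
to every row that carries a `url` field.

Assumed deployment (not from the original thread):
  - saved as $SPLUNK_HOME/etc/apps/<app>/bin/vtenrich.py
  - registered in commands.conf as
        [vtenrich]
        filename = vtenrich.py
        streaming = true
        enableheader = false      # plain CSV on stdin/stdout, no Intersplunk header
  - the private API key is supplied in the VT_API_KEY environment variable
"""
import csv
import json
import os
import sys
import time
import urllib.parse
import urllib.request

# v2 endpoint from the public-API documentation linked in the thread
VT_URL_REPORT = "https://www.virustotal.com/vtapi/v2/url/report"
# Public keys are limited to 4 requests/minute; lower this for a private key (assumed value)
REQUEST_DELAY_SECONDS = 15.0


def vt_url_report(url, api_key, opener=urllib.request.urlopen):
    """POST one URL to url/report and return the decoded JSON report."""
    body = urllib.parse.urlencode({"apikey": api_key, "resource": url}).encode()
    request = urllib.request.Request(VT_URL_REPORT, data=body, method="POST")
    with opener(request, timeout=30) as response:
        return json.loads(response.read().decode("utf-8"))


def detection_rate(report):
    """Format a report as 'Detection (positives/total)', the string used in the question.
    response_code 1 = report available; 0 = VT has never seen the resource; -2 = still queued."""
    if not report or report.get("response_code") != 1:
        return "Detection (unknown)"
    return "Detection (%s/%s)" % (report.get("positives", 0), report.get("total", 0))


def enrich_rows(rows, lookup, delay=0.0):
    """Return a copy of each row with a Rate field added.

    lookup(url) is called once per distinct URL (several users hitting the same
    site cost one request), calls are spaced by `delay` seconds, and a failing
    lookup yields an error string instead of aborting the whole search.
    """
    cache = {}
    enriched = []
    for row in rows:
        url = row.get("url", "")
        if url not in cache:
            if cache and delay:
                time.sleep(delay)
            try:
                cache[url] = detection_rate(lookup(url))
            except Exception as exc:  # network or JSON error for this URL only
                cache[url] = "Detection (error: %s)" % exc
        new_row = dict(row)
        new_row["Rate"] = cache[url]
        enriched.append(new_row)
    return enriched


def main():
    """Splunk entry point: CSV rows in on stdin, the same rows plus Rate out on stdout."""
    api_key = os.environ.get("VT_API_KEY", "")
    reader = csv.DictReader(sys.stdin)
    rows = list(reader)
    enriched = enrich_rows(rows, lambda u: vt_url_report(u, api_key),
                           delay=REQUEST_DELAY_SECONDS)
    fields = list(reader.fieldnames or []) + ["Rate"]
    writer = csv.DictWriter(sys.stdout, fieldnames=fields)
    writer.writeheader()
    writer.writerows(enriched)


if __name__ == "__main__":
    main()
```

With the stanza in place, the question's search becomes `source="proxy_logs" category="*unrated*" | stats count by username srcip url | vtenrich | table username srcip url count Rate`, which yields the joined table asked for without a subsearch. The per-URL cache and the delay are what keep a large proxy result set from tripping the rate limiting TonyLeeVT warns about; the count of distinct URLs, not rows, is what the key's quota is spent on.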

ccsfdave
Builder

@chlima can you post an example of the script you made that accomplished the goal of getting:

vtlookup + my result

username | srcip | url | rate
user1 | 10.0.0.1 | www.site1.com | 30/60

Thanks!

0 Karma