
Forensic Investigator: Is it possible to search for multiple URLs in a vtlookup search?

Explorer

Hi!

I would like to know if it is possible to search for multiple URLs in vtlookup, because I have a search that returns many URLs that I would like to test. Example:

This is my query:

source="proxy_logs" category="*unrated*" | stats count by username srcip url

And this is my return:

username | srcip    | url           | count
user1    | 10.0.0.1 | www.site1.com | 5
user2    | 10.0.0.2 | www.site2.com | 7
user3    | 10.0.0.3 | www.site3.com | 8

I would like to do something this way:

| script vtlookup __EXECUTE__ [search source="proxy_logs" category="*unrated*" | stats count by username srcip url | fields - count | return $url] | spath input=vt | rex field=vt "\"total\":\s+(?<vt_total>\d+)" | rex field=vt "\"positives\":\s+(?<vt_positives>\d+)" | eval Rate="Detection (".vt_positives."/".vt_total.")" | table username srcip url Rate

To get this result:

username | srcip    | url           | count | Rate
user1    | 10.0.0.1 | www.site1.com | 5     | Detection (6/60)
user2    | 10.0.0.2 | www.site2.com | 7     | Detection (56/60)
user3    | 10.0.0.3 | www.site3.com | 8     | Detection (0/60)

But it doesn't work.

Can someone help me?

Thanks in advance!

0 Karma

Builder

I believe that is an intentional limitation with the VirusTotal API. You can only send one submission at a time. I don't believe there is a bulk submission query. We could always create a loop, but if you submit large amounts, my guess is that we will either be rate limited or cancelled for abuse of service.

Here is a link to the API documentation:
https://www.virustotal.com/en/documentation/public-api/#getting-ip-reports

0 Karma

Explorer

Sorry for not being clear, and thank you for your comment, but it isn't my problem.

The fields returned from vtlookup are related only to the analyzed URL, but I need to append more info like username, ip, usergroup and others (like in the first example).

The case is I would like to know a way to append other info to vtlookup results, this way:

vtlookup result:

url | rate
www.site1.com | 30/60

result from my query:

username | srcip | url
user1 | 10.0.0.1 | www.site1.com

vtlookup + my result

username | srcip | url | rate
user1 | 10.0.0.1 | www.site1.com | 30/60

0 Karma

Contributor

Not sure if this software is still being developed but is it possible to do lookups using a private API key to make calls against VT and return the results? Is it possible to leverage this into a search command?

0 Karma

Explorer

Yes! You need to develop a script that makes a POST request to the VirusTotal API using your private API key.
After this you must configure Splunk to use the script as a command in commands.conf.

VirusTotal API documentation: https://www.virustotal.com/en/documentation/public-api/

0 Karma
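An added example, not code from the Forensic Investigator app or from anyone in this thread, of the kind of script the reply above describes: a minimal Splunk custom search command that POSTs each `url` to the VirusTotal API with a private key and appends the detection rate while keeping `username`, `srcip` and every other field of the row, which is the join asked for earlier in the thread. The command name `vtenrich`, the `VT_API_KEY` environment variable and the commands.conf stanza are assumptions; the v2 `url/report` endpoint and its `positives`/`total`/`response_code` fields are those of the public API linked above.

```python
# Added example (not the app's own code): a minimal Splunk custom search command
# that appends VirusTotal results to each row while keeping username, srcip and
# the other fields. Assumed commands.conf stanza: [vtenrich] / filename = vtenrich.py / streaming = true
import json
import os
import urllib.parse
import urllib.request

# VirusTotal public API v2 url/report endpoint (the API the thread's documentation link describes)
VT_URL_REPORT = "https://www.virustotal.com/vtapi/v2/url/report"

def parse_vt_report(report_json):
    """(positives, total) from a v2 url/report body, or None when VT has no report (response_code != 1)."""
    rep = json.loads(report_json)
    if rep.get("response_code") != 1:
        return None
    return int(rep["positives"]), int(rep["total"])

def vt_lookup(url, api_key, opener=urllib.request.urlopen):
    """POST one URL to VirusTotal with a private API key; returns the raw JSON text."""
    body = urllib.parse.urlencode({"apikey": api_key, "resource": url}).encode()
    with opener(urllib.request.Request(VT_URL_REPORT, data=body)) as resp:
        return resp.read().decode("utf-8")

def enrich_rows(rows, lookup):
    """Append vt_positives, vt_total and Rate to every row, keeping all existing fields.
    lookup(url) returns VT JSON text; each distinct URL is looked up once, so the number
    of API calls (and the rate-limit exposure mentioned in the thread) is one per unique URL."""
    cache, out = {}, []
    for row in rows:
        url = row.get("url", "")
        if url not in cache:
            cache[url] = parse_vt_report(lookup(url))
        new = dict(row)
        if cache[url] is None:
            new["Rate"] = "no report"
        else:
            positives, total = cache[url]
            new["vt_positives"], new["vt_total"] = str(positives), str(total)
            new["Rate"] = "Detection (%d/%d)" % (positives, total)
        out.append(new)
    return out

if __name__ == "__main__":  # entry point when splunkd runs the command; not executed on import
    import splunk.Intersplunk as si
    results, _, _ = si.getOrganizedResults()
    api_key = os.environ["VT_API_KEY"]  # assumption: key supplied via the environment, never hard-coded
    si.outputResults(enrich_rows(results, lambda u: vt_lookup(u, api_key)))
```

With the stanza in place the search becomes `source="proxy_logs" category="*unrated*" | stats count by username srcip url | vtenrich | table username srcip url count Rate`; `enrich_rows` can be exercised outside Splunk by passing any callable that returns VT-shaped JSON.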

Builder

@chlima can you post an example of the script you made that accomplished the goal of getting:

vtlookup + my result

username | srcip | url | rate
user1 | 10.0.0.1 | www.site1.com | 30/60

Thanks!

0 Karma