I would like to know if is possible to search for multiples URLs in vtlookup because i have a search that returns many URLs that i would like to test. Example:
This is my query:
source="proxy_logs" category="*unrated*" | stats count by username srcip url
And this is my return:
username | srcip | url | count user1 | 10.0.0.1 | www.site1.com | 5 user2 | 10.0.0.2 | www.site2.com | 7 user3 | 10.0.0.3 | www.site3.com | 8
I would like to do something this way:
| script vtlookup \_\_EXECUTE\_\_ [search source="proxy_logs" category="*unrated*" | stats count by username srcip url | fields - count | return $url] | spath input=vt | rex field=vt "\"total\":\s+(?\d+)" | rex field=vt "\"positives\":\s+(?\d+)" | eval Rate="Detection (".vt_positives."/".vt_total.")" | table username srcip url Rate
To get this result:
username | srcip | url | count | Rate user1 | 10.0.0.1 | www.site1.com | 5 | Detection (6/60) user2 | 10.0.0.2 | www.site2.com | 7 | Detection (56/60) user3 | 10.0.0.3 | www.site3.com | 8 | Detection (0/60)
But it doesn't works.
Someone can help me?
Thanks in advance!
I believe that is an intentional limitation with the VirusTotal API. You can only send one submission at a time. I don't believe there is a bulk submission query. We could always create a loop, but if you submit large amounts, my guess is that we will either be rate limited or cancelled for abuse of service.
Here is a link to the API documentation:
Sorry for not be clear and thank you for your comment, but it isn't my problem.
The fields returned from vtlookup are related only to the analyzed URL , but i need to append more info like username, ip, usergroup and others (like the first example).
The case is I would like to know a way to append other info to vtlookup results, this way:
url | rate
www.site1.com | 30/60
result from my query:
username | srcip | url
user1 | 10.0.0.1 | www.site1.com
vtlookup + my result
username | srcip | url | rate
user1 | 10.0.0.1 | www.site1.com | 30/60
Not sure if this software is still being developed but is it possible to do lookups using a private API key to make calls against VT and return the results? Is it possible to leverage this into a search command?
Yes! You need to develop a script to make a post request into VirusTotal API using your Private API Key.
After this you must configure Splunk to use the script as a command in commands.conf.
VirusTotal API documentation: https://www.virustotal.com/en/documentation/public-api/