
How to resolve VirusTotal app on Splunk giving search error?

jayanth221
New Member

I recently installed the VirusTotal app on my Splunk instance: https://splunkbase.splunk.com/app/4283/
I completed the initial app setup with the VT token.
When I come back to search and execute the | virustotal command I receive the error below:
"VirusTotal Command: No field specified for matching. Specify one of 'hash=', 'ip=', 'url=', or 'domain=' and try again."

I modified my search query to | virustotal ip="8.8.8.8"
and received the error: Illegal value: ip=8.8.8.8

Some background information
- Version of VirusTotal TA you're using - 2.0.0
- Whether the Splunk instance you installed it on is Splunk Cloud or on-premises- on-prem
- Version of Splunk - 7.3.4
- Type of Splunk instance (e.g. Search Head, Indexer, Heavy Forwarder, All-In-One) - Search Head
- Does your environment require a proxy to call out to the internet - Yes

Could someone advise how this can be resolved?


haoliveiramb
New Member

Hi @jayanth221,

The correct syntax of the command is "| virustotal url=field", where "field" in your event search results holds the URL value to search against the VirusTotal API.

Something like this:

| makeresults | eval site="https://www.google.com"
| rename site as url
| virustotal url=url

The app queries the API with the value of the site field and returns data about it.

Well, you can search for a specific IP value, but you will need to use a makeresults command and put the value in a field:

| makeresults
| eval ip="8.8.8.8"
| virustotal ip=ip


Regards,


dbroggy
Path Finder

Doesn't seem to work anymore.

might need a flag option for ssl_verify=false (or something more secure 🙂 )

AttributeError at "/opt/splunk/etc/apps/TA-VirusTotal/bin/virustotal.py", line 508 : 'SSLError' object has no attribute 'message'


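The traceback in the post above points at two separate problems, and the following is an added example (not code from the TA-VirusTotal add-on, and not a patch for it) showing the generic Python 3 handling of both. First, on Python 3 exception objects have no `.message` attribute (that was a Python 2 convenience), so a handler written as `err.message` raises AttributeError and hides the underlying SSLError; `str(err)` works on both versions. Second, the tempting workaround, an `ssl_verify=false` switch, removes the only protection against a man-in-the-middle on the API call; when an outbound proxy re-signs TLS, the safer option is to trust that proxy's CA bundle explicitly. The function names, the `do_request` callback and the CA-bundle argument are assumptions made for this example, and the SSLError it handles is constructed inline so the code runs offline.

```python
"""Python 3 handling of the two issues behind the SSLError traceback.

Added example, not the add-on's code. Names and the ca_bundle argument
are assumptions for illustration; no network access is performed.
"""
import ssl
from typing import Callable, Optional


def describe_error_py2_style(err: BaseException) -> str:
    """The pattern that fails on Python 3: relies on the removed ``.message``."""
    return err.message  # AttributeError on Python 3, masking the real error


def py2_style_fails(err: BaseException) -> bool:
    """True when the Python 2 style handler itself blows up on this interpreter."""
    try:
        describe_error_py2_style(err)
    except AttributeError:
        return True
    return False


def describe_error(err: BaseException) -> str:
    """Portable way to turn any exception into a log-friendly string."""
    text = str(err) or err.__class__.__name__
    return "%s: %s" % (err.__class__.__name__, text)


def build_tls_context(ca_bundle: Optional[str] = None,
                      insecure: bool = False) -> ssl.SSLContext:
    """Build the SSL context an HTTPS client would use for the API call.

    ca_bundle (assumed path, None here) lets an intercepting proxy's CA be
    trusted without trusting everything. insecure=True is what an
    ssl_verify=false flag amounts to and is included only for contrast.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    if insecure:
        # No hostname check and no chain validation: any certificate passes.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verification_enabled(ctx: ssl.SSLContext) -> bool:
    """True only when both hostname and certificate chain are checked."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def call_api_safely(do_request: Callable[[ssl.SSLContext], str],
                    ca_bundle: Optional[str] = None) -> str:
    """Run do_request(ctx) and return either its result or a readable error.

    do_request is a hypothetical callback standing in for the HTTPS call;
    the point is the except clause, which reports the SSLError text instead
    of dereferencing the non-existent .message attribute.
    """
    ctx = build_tls_context(ca_bundle)
    try:
        return "ok: %s" % do_request(ctx)
    except ssl.SSLError as err:
        return "tls failure, check the proxy CA bundle: " + describe_error(err)


def make_sample_ssl_error() -> ssl.SSLError:
    """Constructed SSLError resembling a failed chain validation (sample data)."""
    return ssl.SSLError(1, "certificate verify failed")


def failing_request(ctx: ssl.SSLContext) -> str:
    """Stand-in for an HTTPS call that fails TLS validation (constructed)."""
    raise make_sample_ssl_error()


def succeeding_request(ctx: ssl.SSLContext) -> str:
    """Stand-in for an HTTPS call that succeeds (constructed)."""
    return "200"


if __name__ == "__main__":
    sample = make_sample_ssl_error()
    print("py2-style handler fails on this interpreter:", py2_style_fails(sample))
    print(describe_error(sample))
    print("default context verifies:", verification_enabled(build_tls_context()))
    print("insecure context verifies:",
          verification_enabled(build_tls_context(insecure=True)))
    print(call_api_safely(failing_request))
    print(call_api_safely(succeeding_request))
```

The design point is that a failed certificate check is a signal, not a nuisance: `call_api_safely` keeps verification on and surfaces the SSLError text so an operator can see that, for example, the proxy's CA is not trusted, and can fix that with a CA bundle rather than with an insecure flag.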