Hello All,
I am working on a solution that requires a "workflow action" to give a drop down when searching against a "url" field when a search has been initiated for a User's URL/web history.
We are filtering results from a security appliance for web traffic / firewall filtering.
We use VirusTotal for the bulk of our URL scans for remediation. I would like to click on the "Event Action (Verbose Mode)" and click on the custom VirusTotal workflow that I created. We have a functioning WHOIS workflow function and it is working beautifully. But VirusTotal has certain restrictions on how data is fed to them via their website.
I would love to have this function like the "WHOIS" search and pop the results via the VirusTotal website.
I have researched all that I can so far; I do have a public API key for searching if needed.
Does anyone have any information on what to do next? I have listed below some examples for what VirusTotal provides.
https://www.virustotal.com/vtapi/v2/file/scan/upload_url?apikey=
https://www.virustotal.com/vtapi/v2/url/scan
elpred0 · 7 hours ago
Hello,
Configure the workflow action in post mode, URI: https://www.virustotal.com/vtapi/v2/url/scan
Post Arguments:
apikey = your_apikey
url = $field$
It will open a JSON response with a permalink to your analysis.
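To see what the POST-mode workflow action actually sends and what comes back, here is an added Python example (not code from the thread, from Splunk, or from VirusTotal). It assumes the v2 `url/scan` reply carries `response_code`, `scan_id` and `permalink`; the API key is a placeholder, the sample reply is constructed, and the ids in it are dummies. Keeping the key in the POST body rather than in the query string, as the answer does, keeps it out of proxy and web-server access logs.

```python
import json
from urllib.parse import urlencode, parse_qs, urlsplit

# Endpoint named in the thread. The key is a placeholder; a real key belongs in
# the workflow action's post args, never in a query string or in source code.
VT_URL_SCAN = "https://www.virustotal.com/vtapi/v2/url/scan"
PLACEHOLDER_APIKEY = "REPLACE_WITH_YOUR_VT_APIKEY"


def is_submittable_url(value: str) -> bool:
    """Only hand http(s) URLs to the scanner; a bare hostname or an empty
    field value yields an error reply instead of a report."""
    parts = urlsplit(value.strip())
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def build_scan_request(field_value: str, apikey: str = PLACEHOLDER_APIKEY) -> tuple:
    """Return (uri, form body) exactly as the POST-mode workflow action sends
    them: apikey=<key>&url=<$field$>. Raises on a value that is not a URL."""
    if not is_submittable_url(field_value):
        raise ValueError(f"not a submittable URL: {field_value!r}")
    return VT_URL_SCAN, urlencode({"apikey": apikey, "url": field_value})


def decode_form_body(body: str) -> dict:
    """Inverse of the body built above; useful when checking what a proxy or
    Splunk's own web log would record for the request."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def parse_scan_response(raw: str) -> dict:
    """Pull the permalink and scan_id out of the JSON the endpoint returns.
    response_code 1 means the URL was queued; anything else is an error."""
    data = json.loads(raw)
    if data.get("response_code") != 1:
        raise ValueError(f"VirusTotal did not queue the URL: {data.get('verbose_msg')}")
    return {"permalink": data["permalink"], "scan_id": data["scan_id"]}


# Constructed sample of a v2 url/scan reply; the hash and timestamp are dummies.
_DUMMY_ID = "0" * 64
SAMPLE_RESPONSE = json.dumps({
    "response_code": 1,
    "verbose_msg": "Scan request successfully queued, come back later for the report",
    "scan_id": f"{_DUMMY_ID}-1500000000",
    "scan_date": "2017-07-14 00:00:00",
    "url": "http://example.com/",
    "permalink": f"https://www.virustotal.com/url/{_DUMMY_ID}/analysis/1500000000/",
})

# Constructed sample of a rejected submission (e.g. an empty or malformed url).
ERROR_RESPONSE = json.dumps({"response_code": 0, "verbose_msg": "Invalid URL"})


if __name__ == "__main__":
    uri, body = build_scan_request("http://example.com/")
    print("POST", uri)
    print("body:", body)
    print("queued:", parse_scan_response(SAMPLE_RESPONSE))
```

Run it directly to print the request the workflow action would issue for a sample `url` field value and the permalink pulled from the constructed reply; wire `parse_scan_response` to a real reply only after confirming `response_code` is 1.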
This worked GREAT!!! Thanks for your help, however I would love to take the HTTPS response from Virustotal and run it in a separate browser window if possible.
You're welcome. An upvote/accepted answer would be appreciated.
Yep, that would be better, but I think it is far beyond the capacity of a workflow action.
Maybe this app can help, but I did not test it.
https://splunkbase.splunk.com/app/3446/#/details