Knowledge Management

VirusTotal API scan in workflow (http request)

vwolf80
Explorer

Hello All,

I am working on a solution that requires a "workflow action" to give a drop down when searching against a "url" field when a search has been initiated for a User's URL/web history.

We are filtering results from a security appliance for web traffic / firewall filtering.

We use VirusTotal for the bulk of our URL scans for remediation. I would like to click on the "Event Action (Verbose Mode)" and click on the custom VirusTotal workflow that I created. We have a functioning WHOIS workflow function and it is working beautifully. But VirusTotal has certain restrictions on how data is fed to them via their website.

I would love to have this function like the "WHOIS" search and pop the results via the VirusTotal website.

I have researched all that I can so far, I do have a public API for searching if needed.

Does anyone have any information on what to do next? I have listed below some examples for what VirusTotal provides.

https://www.virustotal.com/vtapi/v2/file/scan/upload_url?apikey=

https://www.virustotal.com/vtapi/v2/url/scan

  • Thanks Everyone!
0 Karma
1 Solution

vwolf80
Explorer

"elpred0 · 7 hours ago More...
Hello,

Configure the workflow action in post mode, URI: https://www.virustotal.com/vtapi/v2/url/scan

Post Arguments:
apikey = your_apikey
url = $field$

It will open a json response with a perma link to your analysis."

View solution in original post

vwolf80
Explorer

"elpred0 · 7 hours ago More...
Hello,

Configure the workflow action in post mode, URI: https://www.virustotal.com/vtapi/v2/url/scan

Post Arguments:
apikey = your_apikey
url = $field$

It will open a json response with a perma link to your analysis."

osakachan
Communicator

Hello,

Configure the workflow action in post mode, URI: https://www.virustotal.com/vtapi/v2/url/scan

Post Arguments:
apikey = your_apikey
url = $field$

It will open a json response with a perma link to your analysis.

0 Karma

vwolf80
Explorer

This worked GREAT!!! Thanks for your help, however I would love to take the HTTPS response from Virustotal and run it in a separate browser window if possible.

0 Karma

osakachan
Communicator

Your welcome. Upvote/answer will be appreciated.

Yep, that will be better but I think it would be far away from workflow action capacity.

Maybe this app can help, but I did not test it.
https://splunkbase.splunk.com/app/3446/#/details

0 Karma
Get Updates on the Splunk Community!

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...