Splunk Enterprise Security

How to merge Virus total application information with Splunk search query?

prajapatividhy1
New Member

Hi, I am trying to get some information from VirusTotal into Splunk Enterprise through a VirusTotal API key. I don't know how to do it. Can anyone please help me with it?


prajapatividhy1
New Member

Hi, thank you for your consideration.
I already have that app in my Splunk platform. I still couldn't work out how to use this app in my search in Splunk to extract the data.
I want to extract the Registrar, Creation and Last Update fields into my Splunk query.
Can you elaborate with some commands which I should use, or can you show me a sample search with VirusTotal in Splunk?

Thank you in Advance.


jawaharas
Motivator

@prajapatividhyut2

I have updated my answer with sample code which is working.

As mentioned in the app's documentation, the custom command | virustotal (bundled with this app) uses the https://www.virustotal.com/vtapi/v2/file/report endpoint to communicate with the VirusTotal API.

In which API endpoint can you see the fields below?

  • Registrar field
  • Creation and Last fields
  • Update field

jawaharas
Motivator

@prajapatividhyut2

If my answer helped you, please accept and/or upvote it!


jawaharas
Motivator

You can try the app below.

VirusTotal Malware Lookup for Splunk

This app is used to supplement your data with information from VirusTotal.
The custom command | virustotal (bundled with this app) uses the https://www.virustotal.com/vtapi/v2/file/report endpoint to communicate with the VirusTotal API.

Example code:

| makeresults
| eval file_md5_hash="99017f6eebbac24f351415dd410d522d"
| virustotal hash=file_md5_hash
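The answer above names the v2 file/report endpoint that the app's | virustotal command talks to. The following is an added example, not code from the thread or from the VirusTotal Malware Lookup app, showing what a request to that endpoint looks like and how its JSON reply can be flattened into fields of the kind a Splunk search would then filter on (positives, total, scan date, permalink). The sample reply and the engine names in it are constructed; the v2 query parameters apikey and resource and the response_code values (1 found, 0 unknown, -2 queued) are the documented v2 behaviour. The function and field names are this example's own.

```python
"""
Added example: build a v2 file/report request and flatten its reply into
Splunk-style fields. Only the live lookup needs network access; everything
below runs against a constructed sample reply.
"""
import json
import re
from urllib.parse import urlencode
from urllib.request import Request, urlopen

VT_FILE_REPORT = "https://www.virustotal.com/vtapi/v2/file/report"
_HEX = re.compile(r"^[0-9a-fA-F]+$")


def normalize_hash(value):
    """Accept an MD5 (32), SHA-1 (40) or SHA-256 (64) hex digest; return it lowercased."""
    h = value.strip().lower()
    if not _HEX.match(h) or len(h) not in (32, 40, 64):
        raise ValueError("not an MD5/SHA-1/SHA-256 hex digest: %r" % value)
    return h


def build_report_url(api_key, file_hash):
    """URL for one report lookup; apikey and resource are the v2 query parameters."""
    return VT_FILE_REPORT + "?" + urlencode(
        {"apikey": api_key, "resource": normalize_hash(file_hash)})


def parse_file_report(payload):
    """Flatten a v2 file/report JSON object into fields worth keeping in Splunk.

    response_code 1 = report present, 0 = hash unknown to VirusTotal, -2 = still queued.
    The vt_* field names are this example's choice, not the app's.
    """
    data = json.loads(payload) if isinstance(payload, (str, bytes)) else payload
    code = data.get("response_code")
    if code != 1:
        status = "not_found" if code == 0 else "queued" if code == -2 else "error"
        return {"vt_status": status,
                "vt_resource": data.get("resource"),
                "vt_message": data.get("verbose_msg")}
    scans = data.get("scans", {})
    detections = sorted(name for name, r in scans.items() if r.get("detected"))
    total = data.get("total", len(scans))
    positives = data.get("positives", len(detections))
    return {
        "vt_status": "found",
        "vt_resource": data.get("resource"),
        "vt_md5": data.get("md5"),
        "vt_sha256": data.get("sha256"),
        "vt_positives": positives,
        "vt_total": total,
        "vt_ratio": round(positives / total, 3) if total else 0.0,
        "vt_scan_date": data.get("scan_date"),
        "vt_permalink": data.get("permalink"),
        "vt_detected_by": ",".join(detections),
    }


def fetch_file_report(api_key, file_hash, timeout=10):
    """Live lookup (not exercised offline): GET the report and flatten it."""
    req = Request(build_report_url(api_key, file_hash),
                  headers={"Accept": "application/json"})
    with urlopen(req, timeout=timeout) as resp:
        return parse_file_report(resp.read().decode("utf-8"))


# Constructed sample reply shaped like a v2 file/report response; engine names
# and verdicts are made up, the MD5 is the one from the thread's sample search.
SAMPLE_REPORT = json.dumps({
    "response_code": 1,
    "verbose_msg": "Scan finished, information embedded",
    "resource": "99017f6eebbac24f351415dd410d522d",
    "md5": "99017f6eebbac24f351415dd410d522d",
    "sha256": "0" * 64,
    "scan_date": "2020-01-01 00:00:00",
    "permalink": "https://www.virustotal.com/file/PLACEHOLDER/analysis/",
    "positives": 2,
    "total": 3,
    "scans": {
        "EngineA": {"detected": True, "result": "Trojan.Generic"},
        "EngineB": {"detected": False, "result": None},
        "EngineC": {"detected": True, "result": "Malware.Sample"},
    },
})

# Constructed reply for a hash VirusTotal has never seen (response_code 0).
SAMPLE_NOT_FOUND = json.dumps({
    "response_code": 0,
    "resource": "d41d8cd98f00b204e9800998ecf8427e",
    "verbose_msg": "The requested resource is not among the finished, queued or pending scans",
})

if __name__ == "__main__":
    print(build_report_url("YOUR_API_KEY", "99017F6EEBBAC24F351415DD410D522D"))
    print(parse_file_report(SAMPLE_REPORT))
    print(parse_file_report(SAMPLE_NOT_FOUND))
```

The not-found and queued cases are handled separately because a search that treats "no report" as "zero detections" silently whitelists anything VirusTotal has not scanned; keeping vt_status as its own field lets the Splunk search tell the two apart.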