Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Virustotal Checker Add-on: What search syntax would I use to provide VirusTotal information about my example malware hash?

tzack
New Member
‎04-09-2015 07:29 AM

I am a Splunk newbie so I am not great on all the syntax you can use for searches. Your add-on was pointed out to me and could be very useful, but I have not been able to figure out the search syntax as yet.

I have received events from a malware detection system into Splunk via syslog. It has detected a piece of malware with hash 5f41c906b4a462baea4715692c62023dfd4cdb83. What syntax would I use to have your add-on provide VT information about this hash?

Thanks.

0 Karma
Reply

underbar
Explorer
‎04-13-2015 01:16 AM

Hi.
"vt" command has two options (field, av).
"field" option set the field of malware hash value for searching Virustotal.
ex.)
sourcetype="malware" | table file_name, hash | vt field="hash" | table file_name, hash, vt_av_result, vt_link, vt_ratio

"av" option can setting the anti-virus detection results of Virustotal you wanted.
if you wanna view all results for using asterisk sign("").
ex.)
sourcetype="malware" | table file_name, hash | vt field="hash" av="symantec" | table file_name, hash, vt_av_result, vt_link, vt_ratio
sourcetype="malware" | table file_name, hash | vt field="hash" av="symantec,avast" | table file_name, hash, vt_av_result, vt_link, vt_ratio
sourcetype="malware" | table file_name, hash | vt field="hash" av="" | table file_name, hash, vt_av_result, vt_link, vt_ratio

if you wanna searching for specific hash value, you can follow example.
ex.)
| eval hash="5f41c906b4a462baea4715692c62023dfd4cdb83" | vt field="hash" av="" | table file_name, hash, vt_*

Thanks!

0 Karma
Reply

tvjust
Loves-to-Learn Lots
‎08-12-2015 12:40 PM

what if you are trying to search for a url or IP address?

0 Karma
Reply

underbar
Explorer
‎08-18-2015 07:19 PM

You can search url is the same method like hash. And unfortunately, IP address search is not available...

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...