
Virustotal Checker Add-on: What search syntax would I use to provide VirusTotal information about my example malware hash?

tzack
New Member

I am a Splunk newbie so I am not great on all the syntax you can use for searches. Your add-on was pointed out to me and could be very useful, but I have not been able to figure out the search syntax as yet.

I have received events from a malware detection system into Splunk via syslog. It has detected a piece of malware with hash 5f41c906b4a462baea4715692c62023dfd4cdb83. What syntax would I use to have your add-on provide VT information about this hash?

Thanks.

0 Karma

underbar
Explorer

Hi.
The "vt" command has two options (field, av).
The "field" option sets the field holding the malware hash value to search on VirusTotal.
ex.)
sourcetype="malware" | table file_name, hash | vt field="hash" | table file_name, hash, vt_av_result, vt_link, vt_ratio

The "av" option lets you set which anti-virus detection results from VirusTotal you want.
If you want to view all results, use the asterisk sign ("*").
ex.)
sourcetype="malware" | table file_name, hash | vt field="hash" av="symantec" | table file_name, hash, vt_av_result, vt_link, vt_ratio
sourcetype="malware" | table file_name, hash | vt field="hash" av="symantec,avast" | table file_name, hash, vt_av_result, vt_link, vt_ratio
sourcetype="malware" | table file_name, hash | vt field="hash" av="*" | table file_name, hash, vt_av_result, vt_link, vt_ratio

If you want to search for a specific hash value, you can follow this example.
ex.)
| makeresults | eval hash="5f41c906b4a462baea4715692c62023dfd4cdb83" | vt field="hash" av="*" | table file_name, hash, vt_*

Thanks!

0 Karma
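An added example, not from the original thread, that applies the syntax above to the asker's syslog scenario: aggregate per hash first so each hash is sent to VirusTotal once, then keep only hashes with at least one detection. It assumes a `malware` sourcetype with `hash` and `file_name` fields, and that `vt_ratio` comes back as a `detections/engines` string, which is an assumption about the add-on's output.

```spl
sourcetype="malware" hash=*
| stats count AS sightings, values(host) AS hosts, earliest(_time) AS first_seen BY hash, file_name
| vt field="hash" av="*"
| rex field=vt_ratio "^(?<vt_detections>\d+)/(?<vt_engines>\d+)$"
| where vt_detections > 0
| sort - vt_detections
| table hash, file_name, sightings, hosts, first_seen, vt_ratio, vt_av_result, vt_link
```

Deduplicating before the `vt` command keeps the lookup count bounded by distinct hashes rather than by event volume.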

tvjust
Loves-to-Learn Lots

What if you are trying to search for a URL or IP address?

0 Karma

underbar
Explorer

You can search a URL with the same method as a hash. And unfortunately, IP address search is not available...

0 Karma