Splunk Search

Virustotal Checker Add-on: What search syntax would I use to provide VirusTotal information about my example malware hash?

tzack
New Member

I am a Splunk newbie so I am not great on all the syntax you can use for searches. Your add-on was pointed out to me and could be very useful, but I have not been able to figure out the search syntax as yet.

I have received events from a malware detection system into Splunk via syslog. It has detected a piece of malware with hash 5f41c906b4a462baea4715692c62023dfd4cdb83. What syntax would I use to have your add-on provide VT information about this hash?

Thanks.

0 Karma

underbar
Explorer

Hi.
"vt" command has two options (field, av).
"field" option set the field of malware hash value for searching Virustotal.
ex.)
sourcetype="malware" | table file_name, hash | vt field="hash" | table file_name, hash, vt_av_result, vt_link, vt_ratio

"av" option can setting the anti-virus detection results of Virustotal you wanted.
if you wanna view all results for using asterisk sign("").
ex.)
sourcetype="malware" | table file_name, hash | vt field="hash" av="symantec" | table file_name, hash, vt_av_result, vt_link, vt_ratio
sourcetype="malware" | table file_name, hash | vt field="hash" av="symantec,avast" | table file_name, hash, vt_av_result, vt_link, vt_ratio
sourcetype="malware" | table file_name, hash | vt field="hash" av="
" | table file_name, hash, vt_av_result, vt_link, vt_ratio

if you wanna searching for specific hash value, you can follow example.
ex.)
| eval hash="5f41c906b4a462baea4715692c62023dfd4cdb83" | vt field="hash" av="" | table file_name, hash, vt_*

Thanks!

0 Karma

tvjust
Loves-to-Learn Lots

what if you are trying to search for a url or IP address?

0 Karma

underbar
Explorer

You can search url is the same method like hash. And unfortunately, IP address search is not available...

0 Karma
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...