Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Virustotal Checker Add-on: What search syntax would I use to provide VirusTotal information about my example malware hash?

tzack
New Member
‎04-09-2015 07:29 AM

I am a Splunk newbie so I am not great on all the syntax you can use for searches. Your add-on was pointed out to me and could be very useful, but I have not been able to figure out the search syntax as yet.

I have received events from a malware detection system into Splunk via syslog. It has detected a piece of malware with hash 5f41c906b4a462baea4715692c62023dfd4cdb83. What syntax would I use to have your add-on provide VT information about this hash?

Thanks.

0 Karma
Reply

underbar
Explorer
‎04-13-2015 01:16 AM

Hi.
"vt" command has two options (field, av).
"field" option set the field of malware hash value for searching Virustotal.
ex.)
sourcetype="malware" | table file_name, hash | vt field="hash" | table file_name, hash, vt_av_result, vt_link, vt_ratio

"av" option can setting the anti-virus detection results of Virustotal you wanted.
if you wanna view all results for using asterisk sign("").
ex.)
sourcetype="malware" | table file_name, hash | vt field="hash" av="symantec" | table file_name, hash, vt_av_result, vt_link, vt_ratio
sourcetype="malware" | table file_name, hash | vt field="hash" av="symantec,avast" | table file_name, hash, vt_av_result, vt_link, vt_ratio
sourcetype="malware" | table file_name, hash | vt field="hash" av="" | table file_name, hash, vt_av_result, vt_link, vt_ratio

if you wanna searching for specific hash value, you can follow example.
ex.)
| eval hash="5f41c906b4a462baea4715692c62023dfd4cdb83" | vt field="hash" av="" | table file_name, hash, vt_*

Thanks!

0 Karma
Reply

tvjust
Loves-to-Learn Lots
‎08-12-2015 12:40 PM

what if you are trying to search for a url or IP address?

0 Karma
Reply

underbar
Explorer
‎08-18-2015 07:19 PM

You can search url is the same method like hash. And unfortunately, IP address search is not available...

0 Karma
Reply
Get Updates on the Splunk Community!

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Automatic Discovery Part 2: Setup and Best Practices

In Part 1 of this series, we covered what Automatic Discovery is and why it’s critical for observability at ...