Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why virustotal doesn't fill in values?

bt149
Path Finder
‎08-09-2023 09:50 AM

Using the "virustotal" cmd and it appears that if there are multiple events that have the same file_hash that only one of the events will "populate" the field/values from the virustotal cmd.  I can't post events.

Example would be:

event 1:

_time=08/06/2023 07:00:00
dest=abc1
file_hash=45vv678
file_name=badguy.dll
file_path=my_path 
vt_* will be populated


event 2:

_time=08/06/2023 07:150:00
dest=abc2
file_hash=45vv678
file_name=badguy.dll
file_path=my_path
vt_* - nothing will be populated


event 3:

_time=08/06/2023 07:30:00
dest=abc3
file_hash=45vv678
file_name=badguy.dll
file_path=my_path
vt_* - nothing will be populated

I know the spl is fine as if I were to change the time picker to that of just the 2nd or 3rd event, all the vt_ fields would be populated.  It looks like this is the expected behavior.  Thanks in advance.

Tags (1)
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎08-14-2023 12:40 AM

@bt149 - I'm sure you are using a custom App here as mentioned by @yuanliu 

Kindly post your search query here (you can hide sensitive data if any in the SPL). And then we might spot any issues if any.

 

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎08-11-2023 05:34 PM

There is no virustotal command in Search Commands.  If you are using a special app that provides this command, you should go to that app's forum for help.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...