Hi Raymond, I have been able to reproduce the error on Windows Server 2016 with python3. Fortunately the new version 2.1.0 of the VirusTotal TA seems to remedy the issue. This new version is now available for download on SplunkBase (manually selectable in the version dropdown). Version 2.0.0 was running and older version of "splunklib", that didn't officially support python3. And although this wasn't an issue on Linux, it seems that windows line-breaks (\r\n) were causing problems. Thanks, Tomasz ... View more

Hi, I am one of the developers for VirusTotal Malware Lookup. Thanks for reporting the issue. Unfortunately I haven't been able to replicate this error locally. Could you share some more information about the specifics of the environment? What version of Splunk are you using? What Operating System is Splunk running on (if not in Splunk Cloud)? What version of the Add-On are you using? Are you seeing this issue in a Splunk Cloud or Splunk Enterprise deployment? Are you using python2 or python3? (depending on the version of Splunk, you can use the following search to determine this: | rest /servicesNS/-/-/configs/conf-server/general | untable id, field, value | search field="python") How long does the command run before it crashes (ERROR time - start time)? Thanks, Tomasz ... View more

Hi maralianup, So "Application does not exist: TA-VirusTotal" is a known issue. (although I had only ever seen it affect Splunk versions <7.0 ) Basically, what's happening is that the indexers are trying to use the "| virustotal" command as a StreamingCommand. As such, they try to find a local copy and execute it. However, as the TA is only installed on the Search Head; this fails. I will investigate a proper solution now that I know this issue is still active. In the mean time, a quick fix, is to add "| table *" just before any use of "| virustotal" (please note that you may need to change the TA's saved searches too in order to have full functionality with this patch). This will force all results to go to the search head before executing the "| virustotal" command; effectively resolving the issue. You may find additional information about this here: https://gitlab.com/adarma_public_projects/splunk/TA-VirusTotal (under the "Known Issues" header). I am not personally aware of any costs associated with using http/https calls on Splunk Cloud. It might be worth clarifying this with your Splunk Cloud Account Manager or with a ticket to Splunk Cloud Support. As for your test SH: It might be worth verifying whether the connectivity is restricted in any way, perhaps there is a firewall preventing any connections to non-whitelisted IP addresses (i.e. www.virustotal.com ) or perhaps you need to egress through a proxy (proxy settings can be configured in the Setup page for the TA). Please let me know if this helps you resolve the problem. I will try to debug the errors on my end and see if I can't determine why the "Application does not exist" issue is still happening. ... View more

Hi muralianup, Sorry to hear you are having trouble with the TA. I am the developer of this Add-on, so hopefully I can help you out. As I have not encountered this issue previously, could you provide me with some more details about your environment to help me diagnose this problem? Some information that might help me: - Version of VirusTotal TA you're using - Whether the Splunk instance you installed it on is Splunk Cloud or on-premises - Version of Splunk - Type of Splunk instance (e.g. Search Head, Indexer, Heavy Forwarder, All-In-One) - Does your environment require a proxy to call out to the internet The error you got would indicate that there may be a connectivity issue (maybe a firewall?) preventing the TA from connecting to the VirusTotal API endpoints. But if you are using version 2.0.0 (which is fairly new), it is also possible there is a connectivity bug somewhere that my testing didn't catch. Any information you are able to provide, will go a long way to helping me find the issue. Thanks, Tomasz ... View more

Hi yehias90, You can use other (similar) searches to look at other VT types. (This documentation)[https://gitlab.com/adarma_public_projects/splunk/TA-VirusTotal#caching-support] lists all the lookups you can use. So for example, if I wanted to search the URLs lookup, I could use something like: index=proxy_logs url=* | fields url, from | lookup virustotal_url_cache vt_urls AS url OUTPUT vt_classification, vt_query_time Splunk's "collect" command can be used to store the results of a search in an index of your choosing. So if I ran: | index=proxy_logs url=* | fields url, from | lookup virustotal_url_cache vt_urls AS url OUTPUT vt_classification, vt_query_time | vt_classification>0 | collect index=bad_url_audit This search would find all "suspicious" URLs that have been requested in the "proxy_logs" and then the collect command would write those events into the "bad_url_audit" index. More examples of the collect command can be found on the official Splunk Docs: https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Collect ... View more

Hi yehias90, If correctly understand your intent, you wish to augment your events with information brought back from VirusTotal? You may automate the "cache building" - the creation of lookups that will contain the data relevant to your environment. This can be done in the "Set-Up" page of the TA, and is further documented here. After enabling the "Cache Auto Update" sections, you will be able to use lookups in any of your searches to quickly reference VirusTotal data. This can be achieved easily by running a search like this: index=email_attachments attachment_hash=* | fields attachment_hash, from | lookup virustotal_hash_cache vt_hashes AS attachment_hash OUTPUT vt_classification, vt_query_time This will provide you with the "vt_classification" and "vt_query_time" for your data. From here, you can build any Scheduled Searches, Reports, or even alerts that you need. If you are looking to save the results of these searches to an index for audibility, I would suggest using the "collect" command. Hopefully this helps answer your question. Best Regards, Tomasz ... View more

Hi dopjiepreji, Unfortunately, doing exactly what you want is impossible in Splunk. There is no way that you can have duplicate column names in standard SPL (although you might be able to do it in XML of a dashboard). The following SPL should be very close to what you wanted, but it's a bit "hacky" so I wouldn't recommend this approach. | search name=missed* | sort name | appendcols [ | search name=score* | sort name | rename name as name1, count as count1 ] | table name, count, name1, count1 This search is slightly different from what you requested, but it is much more the "Splunk way". | rex field=name "(?<class>missed|score)(?<type>.*)" | stats sum(count) as count by type, class | xyseries class, type, count Hopefully you can find a way to make this work better with your real data. I had to use "|rex" to extract information from "name" in the sample you provided to get it working. ... View more

I managed to get alerting to work with a hacky solution. Note; this is not officially supported, and I am not the author of the code so I cannot vouch for it. On my Splunk instance, I downloaded the file from (https://github.com/secops4thewin/TA-securitytrails/blob/7faf165ea8465f2feae8035a3c3405115cc9e399/bin/ta_securitytrails/cim_actions.py) and placed it in $SPLUNK_HOME/etc/apps/phantom/bin/. (the file is named cim_actions.py). With this in place, alerting is working fine for me. Disclaimer; I would definitely not recommend running this in production. It's not a supported solution and I certainly can't guarantee that this code is trustworthy. If you choose to use this solution, you will be allowing the downloaded script to run with near-admin privileges on your Splunk instance! Again, I cannot stress enough that you should not use this without vetting the script first. That being said if, like me, you are just trying to get alerting working on an isolated dev instance; it might be worth a try. ... View more

That is strange. It looks like there is an unexpected BOM in the header of some file (I assume it's a python script). I did not experience this issue. If you identify exactly what file it is (perhaps through a stacktrace for this error in _internal), you could re-install/update that app and it would hopefully resolve the issue. ... View more