Hi yehias90,
You can use other (similar) searches to look at other VT types. [This documentation](https://gitlab.com/adarma_public_projects/splunk/TA-VirusTotal#caching-support) lists all the lookups you can use.
So for example, if I wanted to search the URLs lookup, I could use something like:
index=proxy_logs url=*
| fields url, from
| lookup virustotal_url_cache vt_urls AS url OUTPUT vt_classification, vt_query_time
Splunk's "collect" command can be used to store the results of a search in an index of your choosing. So if I ran:
index=proxy_logs url=*
| fields url, from
| lookup virustotal_url_cache vt_urls AS url OUTPUT vt_classification, vt_query_time
| where vt_classification>0
| collect index=bad_url_audit
This search would find all "suspicious" URLs that have been requested in the "proxy_logs" and then the collect command would write those events into the "bad_url_audit" index.
More examples of the collect command can be found on the official Splunk Docs: https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Collect
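As an added example that is not part of the reply above or of the TA-VirusTotal project: a scheduled version of the same search that writes one audit row per suspicious URL instead of one per proxy event. It uses only the lookup and field names given in the reply; the `proxy_logs` and `bad_url_audit` index names, the 15-minute window and the `marker` value are assumptions.

```spl
index=proxy_logs url=* earliest=-15m@m latest=@m
| lookup virustotal_url_cache vt_urls AS url OUTPUT vt_classification, vt_query_time
| where vt_classification>0
| stats min(_time) AS _time, count AS requests, values(from) AS from BY url, vt_classification, vt_query_time
| collect index=bad_url_audit marker="source=vt_url_check"
```

Run it as a saved search every 15 minutes with that same `earliest`/`latest` window so each proxy event is evaluated exactly once and the audit index does not fill with duplicates. The `stats` keeps the first request time as `_time` (so `collect` timestamps the summary event correctly) along with a request count and the list of requesters; `marker` tags every written event so you can tell which scheduled search produced it. Two caveats: the `bad_url_audit` index has to exist before `collect` can write to it, and URLs that are not yet in `virustotal_url_cache` get no `vt_classification` and are silently dropped by the `where`, so cache misses are not "clean", just unknown.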