With "VirusTotal Malware Lookup for Splunk", this should be possible.
While in its default mode the | virustotal command outputs structured fields (columns), you can also run the command in "raw" mode - where all the output sent by VirusTotal is passed back to Splunk in json format. From there it should be possible to use | spath or a similar Splunk command to post-process the json and extract relevant fields.
Default usage:
Raw json output mode:
(please excuse the small images - it may be worth opening them in a different tab to better see content)
Unfortunately, any additional data that's not included in the json is currently not obtainable by the TA.
Hopefully this helps.
Please reach out with any further questions.
Thanks,
Tomasz
... View more