How to resolve VirusTotal app on Splunk giving search error?

jayanth221
New Member

Recently installed the VirusTotal app on my Splunk: https://splunkbase.splunk.com/app/4283/
Completed the initial app setup with the VT token.
When I come back to search and execute the | virustotal command, I receive the error below:
"VirusTotal Command: No field specified for matching. Specify one of 'hash=', 'ip=', 'url=', or 'domain=' and try again."

I modified my search query to | virustotal ip="8.8.8.8"
and received the error: Illegal value: ip=8.8.8.8

Some background information
- Version of VirusTotal TA you're using - 2.0.0
- Whether the Splunk instance you installed it on is Splunk Cloud or on-premises - on-prem
- Version of Splunk - 7.3.4
- Type of Splunk instance (e.g. Search Head, Indexer, Heavy Forwarder, All-In-One) - Search Head
- Does your environment require a proxy to call out to the internet - Yes

Could someone advise how this can be resolved?


haoliveiramb
New Member

Hi @jayanth221,

The correct syntax of the command is "| virustotal url=field", where "field" in your event search result has a URL value to search against the VirusTotal API.

Something like this:

| makeresults | eval site="https://www.google.com"
| rename site as url
| virustotal url=url

The app queries the API with the value of the site field and returns data about it.

Well, you can search for a specific IP value, but you will use a makeresults command and put the value in the field:

| makeresults
| eval ip="8.8.8.8"
| virustotal ip=ip


Regards,


dbroggy
Path Finder

Doesn't seem to work anymore.

Might need a flag option for ssl_verify=false (or something more secure 🙂 )

AttributeError at "/opt/splunk/etc/apps/TA-VirusTotal/bin/virustotal.py", line 508 : 'SSLError' object has no attribute 'message'


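The AttributeError quoted above is a Python 3 symptom rather than the real failure: Python 3 exception objects no longer carry a `.message` attribute, so a handler written for Python 2 that reads `e.message` crashes and hides the underlying TLS error (typically a proxy or certificate problem). The following is an added example, not code from the TA-VirusTotal app: a hypothetical error-reporting helper that works on both Python versions, and a TLS-context builder that keeps certificate verification on and lets an operator supply the proxy's CA bundle instead of switching verification off. The function names and the `cafile` parameter are assumptions for illustration; the simulated SSLError is constructed locally, so the block runs offline.

```python
import ssl


def describe_error(exc):
    """Return a readable "Class: message" string for any exception.

    Python 2 exceptions exposed ``.message``; Python 3 exceptions do not,
    which is exactly the AttributeError reported for ``SSLError`` above.
    ``str(exc)`` works on both versions, and keeping the class name means an
    SSL failure is not mistaken for a proxy or HTTP error in the job log.
    """
    text = getattr(exc, "message", None) or str(exc) or repr(exc)
    return "%s: %s" % (type(exc).__name__, text)


def build_tls_context(cafile=None):
    """Build a verifying TLS context (hypothetical helper, ``cafile`` assumed).

    Disabling verification (ssl_verify=false) would make the error go away but
    would let a TLS-intercepting proxy, or anyone on the path, impersonate the
    VirusTotal API. Pointing ``cafile`` at the organisation's CA bundle keeps
    certificate and hostname checks enabled while trusting the proxy's CA.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # These are create_default_context's defaults; the checks document the
    # invariant callers rely on and fail loudly if it is ever weakened.
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("TLS context does not verify peer certificates")
    return ctx


def report_call(func):
    """Run func() and return (ok, result_or_message) instead of crashing.

    A custom search command that raises an unhandled exception aborts the
    whole search; returning a message lets the command surface it to the user.
    """
    try:
        return True, func()
    except Exception as exc:  # a search command must not crash the search
        return False, describe_error(exc)


def simulated_cert_failure():
    """Constructed example: the certificate failure behind the AttributeError.

    ssl.SSLError(errno, strerror) mirrors the two-argument form the ssl
    module raises, so str() yields the strerror text.
    """
    def failing_call():
        raise ssl.SSLError(1, "certificate verify failed")

    return report_call(failing_call)


if __name__ == "__main__":
    # Python 3: no .message on the exception, but describe_error still works.
    print(hasattr(ssl.SSLError(1, "x"), "message"))
    print(simulated_cert_failure())
    # A wrong CA bundle path is reported readably instead of raising.
    print(report_call(lambda: build_tls_context(cafile="/nonexistent/ca.pem")))
```

Use `report_call` around the outbound API request in a custom command, and prefer a configurable CA bundle path over a verify-off switch: the former fixes the proxy case without removing the protection against a forged API endpoint.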