Recently installed Virustotal app on my splunk https://splunkbase.splunk.com/app/4283/
Completed initial app setup with VT token.
When I come back to search and execute the | virustotal command, I receive the error below:
"VirusTotal Command: No field specified for matching. Specify one of 'hash=', 'ip=', 'url=', or 'domain=' and try again."
I modify my search query as | virustotal ip="220.127.116.11"
and receive the error: Illegal value: ip=18.104.22.168
Some background information:
- Version of VirusTotal TA you're using - 2.0.0
- Whether the Splunk instance you installed it on is Splunk Cloud or on-premises- on-prem
- Version of Splunk - 7.3.4
- Type of Splunk instance (e.g. Search Head, Indexer, Heavy Forwarder, All-In-One) - Search Head
- Does your environment require a proxy to call out to the internet - Yes
Could someone advise how this can be resolved?
The correct syntax of the command is "| virustotal url=field", where "field" in your event search result has a value of a URL to search against the VirusTotal API.
Something like this:
| makeresults | eval site="https://www.google.com"
| rename site as url
| virustotal url=url
The app queries the API with the value of the site field and returns data about it.
Well, you can search for a specific IP value, but you will use a makeresults command and put the value in the field:
| makeresults | eval ip="22.214.171.124"
| virustotal ip=ip
Doesn't seem to work anymore.
might need a flag option for ssl_verify=false (or something more secure 🙂 )
AttributeError at "/opt/splunk/etc/apps/TA-VirusTotal/bin/virustotal.py", line 508 : 'SSLError' object has no attribute 'message'
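The AttributeError above is the classic Python 2 to 3 break: Python 3 exceptions no longer carry a .message attribute, so a command that formats errors that way crashes before the real SSL failure is ever shown. The following is an added illustration, not code from the TA-VirusTotal app: it renders any exception portably and builds an HTTPS opener that keeps certificate verification on (trusting a corporate proxy CA bundle instead of an ssl_verify=false style switch). The function names, the CA bundle path and the proxy URL are assumptions.

```python
import ssl
import urllib.error
import urllib.request


def describe_error(exc):
    """Render an exception as text on both Python 2 and 3.

    Python 2 exceptions had .message; Python 3 dropped it, which is what
    raises "'SSLError' object has no attribute 'message'" when code written
    for Python 2 runs on a Python 3 Splunk. Fall back to str(exc) so the
    underlying SSL failure is what reaches the search log.
    """
    msg = getattr(exc, "message", None)
    if not msg:
        msg = str(exc) or exc.__class__.__name__
    return "%s: %s" % (exc.__class__.__name__, msg)


def make_verifying_context(ca_bundle=None):
    """TLS context with verification ON. Pass the CA bundle of an intercepting
    proxy (hypothetical path, e.g. /opt/splunk/etc/auth/proxy-ca.pem) rather
    than disabling verification altogether."""
    # create_default_context sets CERT_REQUIRED and check_hostname=True.
    return ssl.create_default_context(cafile=ca_bundle)


def build_https_opener(ca_bundle=None, proxy_url=None):
    """urllib opener that verifies certificates and, optionally, routes
    through an explicit HTTPS proxy (hypothetical URL)."""
    handlers = [urllib.request.HTTPSHandler(context=make_verifying_context(ca_bundle))]
    if proxy_url:
        handlers.append(urllib.request.ProxyHandler({"https": proxy_url}))
    return urllib.request.build_opener(*handlers)


def lookup(opener, url):
    """Fetch url; on failure return (None, readable error) instead of crashing."""
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.read()
    except (urllib.error.URLError, ssl.SSLError) as exc:
        return None, describe_error(exc)
```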