
How to resolve VirusTotal app on Splunk giving search error?

jayanth221
New Member

I recently installed the VirusTotal app on my Splunk: https://splunkbase.splunk.com/app/4283/
Completed the initial app setup with the VT token.
When I come back to search and execute the | virustotal command I receive the error below:
"VirusTotal Command: No field specified for matching. Specify one of 'hash=', 'ip=', 'url=', or 'domain=' and try again."

I modified my search query to | virustotal ip="8.8.8.8"
and received the error: Illegal value: ip=8.8.8.8

Some background information
- Version of VirusTotal TA you're using - 2.0.0
- Whether the Splunk instance you installed it on is Splunk Cloud or on-premises- on-prem
- Version of Splunk - 7.3.4
- Type of Splunk instance (e.g. Search Head, Indexer, Heavy Forwarder, All-In-One) - Search Head
- Does your environment require a proxy to call out to the internet - Yes

Could someone advise how this can be resolved?

haoliveiramb
New Member

Hi @jayanth221,

The correct syntax of the command is "| virustotal url=field", where "field" in your event search results holds the URL value to search against the VirusTotal API.

Something like this:

| makeresults | eval site="https://www.google.com"
| rename site as url
| virustotal url=url

The app queries the API with the value of the site field and returns data about it.

You can also search for a specific IP value, but you need to use a makeresults command and put the value in a field:

| makeresults
| eval ip="8.8.8.8"
| virustotal ip=ip


Regards,


dbroggy
Path Finder

Doesn't seem to work anymore.

might need a flag option for ssl_verify=false (or something more secure 🙂 )

AttributeError at "/opt/splunk/etc/apps/TA-VirusTotal/bin/virustotal.py", line 508 : 'SSLError' object has no attribute 'message'


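The two technical points in this thread are (1) the command's hash=/ip=/url=/domain= options name a field in the search results, not a literal value, which is why ip="8.8.8.8" comes back as "Illegal value" while the makeresults/eval pattern works, and (2) the AttributeError on 'SSLError' object has no attribute 'message': Python 2 exceptions carried a .message attribute, Python 3 exceptions do not, so any error handler written as exc.message breaks when the app runs under Python 3. The block below is an added example written for this page, not code from the TA-VirusTotal app or from Splunk's SDK. It models how such a command could parse its options and read the value out of each result row, and shows Python 2/3-safe error formatting and a verify= setting that points at a CA bundle instead of disabling TLS verification. The function names, the field-name pattern and the sample records are assumptions; the real app's validation rule and messages may differ.

```python
"""Added example (not TA-VirusTotal's own code).

Models: option parsing where the option value must be a field name, per-row
resolution of that field, Python 2/3-safe error text, and a TLS verify setting.
All names and the field-name rule below are assumptions for illustration.
"""
import re

VALID_KEYS = ("hash", "ip", "url", "domain")

# Assumed field-name rule: letters, underscore, dot or dash first, digits
# allowed afterwards. "8.8.8.8" starts with a digit and therefore fails.
FIELD_NAME = re.compile(r"^[_.A-Za-z-][_.A-Za-z0-9-]*$")


def parse_args(tokens):
    """Turn ['ip=src_ip'] into {'ip': 'src_ip'}.

    Raises ValueError with messages shaped like the ones quoted in the thread.
    Splunk strips the quotes from ip="8.8.8.8" before the command sees it.
    """
    opts = {}
    for tok in tokens:
        if "=" not in tok:
            raise ValueError("Unexpected argument: %s" % tok)
        key, value = tok.split("=", 1)
        value = value.strip('"')
        if key not in VALID_KEYS:
            raise ValueError("Unknown option: %s" % key)
        if not FIELD_NAME.match(value):
            # A literal such as 8.8.8.8 is rejected: the option wants a field name.
            raise ValueError("Illegal value: %s=%s" % (key, value))
        opts[key] = value
    if not opts:
        raise ValueError("No field specified for matching. Specify one of "
                         "'hash=', 'ip=', 'url=', or 'domain='.")
    return opts


def error_for(tokens):
    """Return the parse error message for tokens, or None if they parse."""
    try:
        parse_args(tokens)
    except ValueError as exc:
        return format_error(exc, with_type=False)
    return None


def resolve(records, opts):
    """For each result row, read the configured field and yield (kind, value).

    Rows that lack the field, or have an empty value, are skipped rather
    than sent to the API.
    """
    out = []
    for rec in records:
        for kind, field in opts.items():
            value = rec.get(field)
            if value:
                out.append((kind, value))
    return out


def format_error(exc, with_type=True):
    """Python 2 and 3 safe error text.

    str(exc) exists on both interpreters; exc.message exists only on Python 2,
    which is the AttributeError reported for SSLError in the thread.
    """
    text = str(exc)
    return "%s: %s" % (type(exc).__name__, text) if with_type else text


def verify_option(ca_bundle=None):
    """Value to pass as requests' verify= argument.

    requests accepts True (system trust store) or a path to a PEM bundle.
    Behind a TLS-intercepting proxy, pass the proxy's CA bundle path here
    rather than turning verification off; this helper never returns False.
    """
    return ca_bundle if ca_bundle else True


if __name__ == "__main__":
    # Constructed sample rows, as produced by: | makeresults | eval ip="8.8.8.8"
    rows = [{"_time": 1, "ip": "8.8.8.8"}, {"_time": 2}]
    print(error_for(["ip=8.8.8.8"]))          # Illegal value: ip=8.8.8.8
    print(resolve(rows, parse_args(["ip=ip"])))
    print(format_error(ValueError("certificate verify failed")))
    print(verify_option("/etc/ssl/certs/corp-proxy-ca.pem"))
```

The makeresults/eval pattern from the answer above is exactly what resolve() expects: the literal goes into a field, and the option names that field. For the SSL failure, check whether the outbound proxy re-signs TLS and, if so, point verify= (or the REQUESTS_CA_BUNDLE environment variable read by requests) at the proxy's CA bundle; ssl_verify=false would make the VT API key travel over an unauthenticated connection.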