Search hash, domain, and ip information from VirusTotal, ThreatCrowd, TotalHash, PassiveTotal, and Censys.io
This app uses the public/free versions of the above API providers.
Some results are truncated to 20 items due to the potential for thousands of items returned.
In order to use some of the API providers in this App, you must create a directory called local in the app's home path and create a file called api_keys.conf in the local directory.
ThreatCrowd is the only API provider that does not require an API key, see each providers website for obtaining an API credentials.
There is an example api_keys.conf in the default directory. You can simply copy that file into local and place your api credentials in it.
Below is an example as to how to create your api_keys.conf
$ cd /opt/splunk/etc/apps/TA-security/ $ mkdir local $ cp default/api_keys.conf local/ $ vi local/api_keys.conf Enter your API Credentials
You can obtain API credentials for the API Providers at the following links
You can search All or some of the API providers by clicking checkboxes on the Hash Lookup, Domain Lookup, or IP Lookup views
If you do not click a checkbox, that API provider is NOT contacted with the query, and the subsequent panel is not generated
• TotalHash requires a SHA1 hash
• ThreatCrowd does not require an API key
Perhaps you want to run your own searches or create panels in your own dashboards using these queries... You can totally do that!
Below are some examples for creating your own searches
| securitylookup engine="virustotal" file_hash="871cc547feb9dbec0285321068e392b8" | mvexpand SearchType
| securitylookup engine="passivetotal" domain="027.ru" | mvexpand SearchType
| securitylookup engine="censys" ip="126.96.36.199" | mvexpand SearchType
file_hash="hash" domain="domain" ip="ip"
engine="virustotal" engine="threatcrowd" engine="totalhash" engine="passivetotal" engine="censys"
This app contains its own logger.
You can check the log at: $SPLUNK_HOME$/etc/apps/TA-IOC_Lookup/logs/securitylookup.log
You can set log level to DEBUG in bin/core.py for more detailed logging.
- Removed limits.conf
Upgrades to code, including:
- Core python libraries
- Improved method instantiation
- Application logging independent of splunk python logger
- Controlled fields returned to splunk
- Improved error handling, front end notification of errors
- Improved api data parsing
Better XML presentation
- Single Checkbox input handles all API Providers
- Tokenizing from single checkbox input.
- Controlling field presentation with base searches
Instructions view includes updated settings.
Added app icon, h/t to Dan.
- v1.0 was my intro to splunk dev. Its a messy app as I was figuring out how it all works. The code in v2.0 is much more stable, well written.
- I noticed while testing upgrade from v1.0 in my environment, original scripts may be present. This shouldn't impact performance, but for a clean install, delete v1.0 and do a fresh install of v2.0
Initial Release v1.0: Search hash, domain, and ip information from VirusTotal, ThreatCrowd, TotalHash, PassiveTotal, and Censys.io
Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.