icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading TA-IOC Lookup
SHA256 checksum (ta-ioc-lookup_201.tgz) 9550e7e685449955930fe3c75beaf95493ebd0ce939f7ee5e4d7db467b40e510 SHA256 checksum (ta-ioc-lookup_20.tgz) bc7d0291950cd945f99e667677dd7ad152bca83ef9f4614e331c1241944285f5 SHA256 checksum (ta-ioc-lookup_10.tgz) 7ebd7d0201c9ddb4b9cb1a4c98fcc08611e62924fac09af79592c0d59b8b44b3
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

TA-IOC Lookup

Admins: Please read about Splunk Enterprise 8.0 and the Python 2.7 end-of-life changes and impact on apps and upgradeshere.
Search hash, domain, and ip information from VirusTotal, ThreatCrowd, TotalHash, PassiveTotal, and Censys.io. This app has dashboards for making the API requests, but also provides documentation for building your own panels and viewing API requests inline with your own dashboards.


Search hash, domain, and ip information from VirusTotal, ThreatCrowd, TotalHash, PassiveTotal, and Censys.io
This app uses the public/free versions of the above API providers.
Some results are truncated to 20 items due to the potential for thousands of items returned.

API Providers

Hash Search

• VirusTotal
• ThreatCrowd
• TotalHash

Domain Search

• PassiveTotal
• Censys.io
• VirusTotal
• ThreatCrowd
• TotalHash

IP Search

• PassiveTotal
• Censys.io
• VirusTotal
• ThreatCrowd
• TotalHash


In order to use some of the API providers in this App, you must create a directory called local in the app's home path and create a file called api_keys.conf in the local directory.

ThreatCrowd is the only API provider that does not require an API key, see each providers website for obtaining an API credentials.

There is an example api_keys.conf in the default directory. You can simply copy that file into local and place your api credentials in it.

Below is an example as to how to create your api_keys.conf

$ cd /opt/splunk/etc/apps/TA-security/
$ mkdir local
$ cp default/api_keys.conf local/
$ vi local/api_keys.conf
Enter your API Credentials

Obtain API Credentials

You can obtain API credentials for the API Providers at the following links
VirusTotal: https://www.virustotal.com/en/
TotalHash: https://totalhash.cymru.com/contact-us/
PassiveTotal: https://www.passivetotal.org/registration
Censys.io: https://censys.io/register

Using Dashboards

You can search All or some of the API providers by clicking checkboxes on the Hash Lookup, Domain Lookup, or IP Lookup views
If you do not click a checkbox, that API provider is NOT contacted with the query, and the subsequent panel is not generated


  1. Enter searchitem
  2. Select API providers
  3. Click Submit


• TotalHash requires a SHA1 hash
• ThreatCrowd does not require an API key

Create your own Panels

Perhaps you want to run your own searches or create panels in your own dashboards using these queries... You can totally do that!
Below are some examples for creating your own searches

Hash Search

| securitylookup engine="virustotal" file_hash="871cc547feb9dbec0285321068e392b8"  
| mvexpand SearchType 

Domain Search

| securitylookup engine="passivetotal" domain="027.ru"  
| mvexpand SearchType

IP Search

| securitylookup engine="censys" ip=""  
| mvexpand SearchType

Search Types:


Search Engines:



This app contains its own logger.
You can check the log at: $SPLUNK_HOME$/etc/apps/TA-IOC_Lookup/logs/securitylookup.log
You can set log level to DEBUG in bin/core.py for more detailed logging.

Release Notes

Version 2.0.1
March 12, 2018

Release: 2.0.1
- Removed limits.conf

Version 2.0
July 17, 2017

Upgrades to code, including:
- Core python libraries
- Improved method instantiation
- Application logging independent of splunk python logger
- Controlled fields returned to splunk
- Improved error handling, front end notification of errors
- Improved api data parsing

Better XML presentation
- Single Checkbox input handles all API Providers
- Tokenizing from single checkbox input.
- Controlling field presentation with base searches

Instructions view includes updated settings.

Added app icon, h/t to Dan.

- v1.0 was my intro to splunk dev. Its a messy app as I was figuring out how it all works. The code in v2.0 is much more stable, well written.
- I noticed while testing upgrade from v1.0 in my environment, original scripts may be present. This shouldn't impact performance, but for a clean install, delete v1.0 and do a fresh install of v2.0

Version 1.0
June 5, 2017

Initial Release v1.0: Search hash, domain, and ip information from VirusTotal, ThreatCrowd, TotalHash, PassiveTotal, and Censys.io


Subscribe Share

AppInspect Tooling

Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
© 2005-2021 Splunk Inc. All rights reserved.
Splunk®, Splunk>®, Listen to Your Data®, The Engine for Machine Data®, Hunk®, Splunk Cloud™, Splunk Light™, SPL™ and Splunk MINT™ are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.