Download checksums:
- SHA256 (virustotal-malware-lookup-for-splunk_123.tgz): f1ec01be13c8f62a78e274afe13172525904761d9117c5a16c6011f1d9b3c471
- SHA256 (virustotal-malware-lookup-for-splunk_122.tgz): 9fb430a0210afbfed2c107ce91d5178cd25d1a67a3389b68698e18970000b0a1

VirusTotal Malware Lookup for Splunk

Splunk AppInspect Passed
Overview
This app is used to supplement your data with information from VirusTotal.
The custom command ` | virustotal ` (bundled with this app) uses the `https://www.virustotal.com/vtapi/v2/file/report`
endpoint to communicate with the VirusTotal API.

This TA can be installed on the search head. No additional manual steps are required in distributed environments,
as the app only interacts with search-time functionality (lookups and scheduled searches).

This Add-on has been tested (and installed) on Splunk Cloud.

We're using GitLab to both share our source code and track issues (bugs or feature requests), please use it freely: https://gitlab.com/ecs_public_projects/splunk/TA-VirusTotal

Virus Total TA


Getting Started

This app requires set-up. App set-up can be accessed from Splunk's "Manage Apps" menu.
The following options should be configured in the set-up menu.

> Note: The setup should be run by an admin user.

For minimum functionality (ad-hoc searches only), the following should be configured:
- VirusTotal API Key
- VirusTotal Max Batch Size

> Note that without configuring these values, neither the custom command nor the scheduled searches will work.

For full functionality (lookup table caching VT data), the following can also be configured:
- Enable "Cache Auto Update"
- Configure "Cache Auto Update : Index Filter" : Provide the index and/or other filters indicating where events with hashes can be found
- (optional) Review and customise the cron schedule (directing the frequency of when the internal VT cache is to be refreshed)
- (optional) Review and customise the "Earliest time" for the scheduled search to work with your cron schedule.

For extended cleanup functionality:
- Enable "Cache Auto Clean"
- (optional) Review and customise the cron schedule for the search and the retention period for the cache
- It is recommended that the cleanup search run after (not before) the update search.

App functionality

The virustotal command can be used in SPL. It accepts two arguments: hash=<field>, described here, and rescan=<bool>, described later in this document.
The hash argument should be set to the name of the field that contains the hashes in your search.

Example:

index=email_attachments attachment_hash=*
| fields attachment_hash, from
| virustotal hash=attachment_hash

This will force a real-time query to the VirusTotal API and retrieve the most recent data for each hash.
This use of the app is recommended strictly on an ad-hoc basis, as it can be slow and use many API queries.

This TA also comes bundled with the ability to cache VT data into a lookup table. This function requires configuration in app setup.
Once configured, a scheduled search will periodically update a KVStore collection with VT data.
This lookup contains historical hashes (up to a configured age) as well as the most recently seen relevant hashes.
This method of correlating VT data is much faster than the ad-hoc method described above.

Example:

index=email_attachments attachment_hash=*
| fields attachment_hash, from
| lookup virustotal_hash_cache vt_hashes AS attachment_hash OUTPUT vt_classification, vt_query_time

The drawback of this method is that data within the lookup can potentially be outdated,
as known hashes are only refreshed at the interval specified in the setup.
Additionally, care should be taken that the scheduled search that populates this lookup runs shortly
before any correlations or rules that make use of the lookup. This gives the update search a chance to pull
information from VT about previously unseen hashes before those rules run.

To achieve the best of both approaches, you may use the following SPL snippet:

index=email_attachments attachment_hash=*
| fields attachment_hash, from
| lookup virustotal_hash_cache vt_hashes AS attachment_hash OUTPUT vt_classification, vt_query_time
| virustotal hash=attachment_hash rescan=false

Note the rescan=false flag. This instructs the command not to query VT API for hashes which already have metadata attached.
As such, the majority of hashes will be retrieved from the lookup, and any hashes that weren't found in the lookup will be supplied in real time.

> If the lookup is empty, or some other logical error occurs resulting in failure to supply information from the lookup,
the virustotal command will query VT API for all hashes. This could take a long time and potentially use a very large amount
of API calls. Be sure you understand the risk when using this method.

Manually triggering data onboarding

When running the TA for the first time, there is no need to wait for the scheduled search to execute.
Simply go into the app, click on the reports tab, and click "Open in Search" for the "VirusTotal Update Hash Lookup" row.
This search will work its way through your events and build a cache ( KVStore-backed lookup ) of all the hashes it has seen.

> Depending on the amount of data you have ( in the time-period specified in setup ), and on the VT license/key you are using,
this could take a significant amount of time to go through all your hashes.

Lookup: virustotal_hash_cache

Fields:
- vt_resource : Synonymous with the _key of the underlying KVStore collection. Usually the hash.
- vt_hashes : An MV list of hashes. Typically holds one of each: md5, sha1, sha256. This field is accelerated. All values in this field are lowercase (to support case-insensitive matching). This is the best field to look up against (e.g. `| lookup virustotal_hash_cache vt_hashes AS attachment_hash`).
- vt_query_time : Unix timestamp representing the last time the VT API was queried for information relating to this hash.
- vt_classification : The percentage of AVs that detected a threat. This field is typically equivalent to the arithmetic expression vt_positives/vt_total*100. Note that this field can also hold the string value unknown_hash, which means that VT has no information about any file with this hash.
- vt_scan_date : The datetime that VT reports having last scanned this file on their servers.
- vt_permalink : An HTTPS URL to a human-friendly HTML page about this hash/file. May contain more information about the findings.
- vt_positives : The number of AntiVirus utilities that identified the file with the given hash as a threat.
- vt_total : The number of AntiVirus utilities that VT used to scan the file with the given hash.
- vt_threat_av : An MV field of the names of all the AntiVirus utilities that identified the file with this hash as a threat.
- vt_threat_id : An MV field of the classification names assigned to the perceived threat by the AntiVirus utilities listed in vt_threat_av.
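The cache-first pipeline from the "best of both approaches" snippet, the vt_* fields listed above and the "Cache Auto Clean" retention, modelled together in Python as an added example. This is not the TA's own code: `normalise_hash`, `build_cache_record`, `enrich`, `purge_stale`, the stub VT client and the sample report are all constructed here, a plain dict stands in for the KVStore collection, the exact condition behind the TA's data-quality warning is an assumption, and the write-back of live results into the cache is an assumption that keeps the run self-contained.

```python
"""Added example, not the TA's own code: models the cache-first enrichment of
`| lookup virustotal_hash_cache ... | virustotal rescan=false`, the vt_* lookup
fields, and the retention cleanup. Client, cache and sample data are constructed."""
import re

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest lengths


def normalise_hash(value):
    """Lowercase a hash, or return None when it is not a clean md5/sha1/sha256 hex
    digest (assumed to be the condition the TA's data-quality warning reports)."""
    v = str(value or "").strip().lower()
    return v if len(v) in HASH_TYPES and re.fullmatch(r"[0-9a-f]+", v) else None


def build_cache_record(report, now):
    """Map one VT v2 file/report object onto a virustotal_hash_cache row."""
    resource = report["resource"].lower()
    if report.get("response_code") != 1:  # VT has no file with this hash
        return {"vt_resource": resource, "vt_hashes": [resource],
                "vt_query_time": now, "vt_classification": "unknown_hash"}
    hits = {av: r.get("result") for av, r in report.get("scans", {}).items()
            if r.get("detected")}
    positives, total = report["positives"], report["total"]
    return {
        "vt_resource": resource,
        "vt_hashes": sorted(report[k].lower() for k in HASH_TYPES.values() if k in report),
        "vt_query_time": now,
        "vt_positives": positives,
        "vt_total": total,
        "vt_classification": round(100.0 * positives / total, 2) if total else 0.0,
        "vt_scan_date": report.get("scan_date"),
        "vt_permalink": report.get("permalink"),
        "vt_threat_av": sorted(hits),
        "vt_threat_id": [hits[av] for av in sorted(hits)],
    }


def enrich(events, hash_field, cache, client, max_batch_size, rescan=False, now=0):
    """Attach vt_* fields to each event: cache hits cost nothing, misses (or every
    hash when rescan=True) go to `client` in batches. Returns the API call count."""
    index = {h: rec for rec in cache.values() for h in rec["vt_hashes"]}
    pending = {}  # hash -> events still waiting for VT data
    for ev in events:
        h = normalise_hash(ev.get(hash_field))
        if h is None:
            ev["vt_warning"] = "hash field is not a normalised hex digest"
            continue
        if h in index and not rescan:
            ev.update({k: v for k, v in index[h].items() if k != "vt_resource"})
        else:
            pending.setdefault(h, []).append(ev)
    todo, api_calls = list(pending), 0
    for i in range(0, len(todo), max_batch_size):  # one request per batch
        api_calls += 1
        for report in client(todo[i:i + max_batch_size]):
            rec = build_cache_record(report, now)
            cache[rec["vt_resource"]] = rec  # write back (assumption): next run is a hit
            for ev in pending.get(rec["vt_resource"], []):
                ev.update({k: v for k, v in rec.items() if k != "vt_resource"})
    return api_calls


def purge_stale(cache, retention_seconds, now):
    """'Cache Auto Clean': drop rows whose last VT query is older than the retention."""
    stale = [k for k, rec in cache.items() if now - rec["vt_query_time"] > retention_seconds]
    for k in stale:
        del cache[k]
    return len(stale)


# Constructed sample data, not real VirusTotal responses.
SAMPLE_REPORTS = [{
    "md5": "B" * 32, "sha1": "c" * 40, "sha256": "a" * 64, "response_code": 1,
    "positives": 3, "total": 60, "scan_date": "2019-01-30 12:00:00",
    "scans": {"AVOne": {"detected": True, "result": "Trojan.Generic"},
              "AVTwo": {"detected": False, "result": None},
              "AVThree": {"detected": True, "result": "Malware.Heur"}},
}]
_BY_HASH = {r[k].lower(): r for r in SAMPLE_REPORTS for k in HASH_TYPES.values()}


def stub_client(resources):
    """Stand-in for the VT v2 file/report call: echoes `resource` like the real
    API and returns response_code 0 for hashes it has never seen."""
    return [dict(_BY_HASH[r], resource=r) if r in _BY_HASH
            else {"resource": r, "response_code": 0} for r in resources]


def demo():
    """Empty cache costs one call; the md5 of the same file is then a free hit."""
    now, cache = 1548936000, {}
    first = [{"attachment_hash": "A" * 64}, {"attachment_hash": "d" * 64},
             {"attachment_hash": "not a hash"}]
    calls1 = enrich(first, "attachment_hash", cache, stub_client, 4, now=now)
    second = [{"attachment_hash": "b" * 32}, {"attachment_hash": "D" * 64}]
    calls2 = enrich(second, "attachment_hash", cache, stub_client, 4, now=now)
    purged = purge_stale(cache, 7 * 86400, now + 8 * 86400)
    return {"first": first, "second": second, "calls": (calls1, calls2), "purged": purged}
```

`enrich` returns the number of API calls rather than hiding it, because that is exactly the quantity the quota warning above is about: with an empty cache every hash becomes a miss, and `rescan=True` (the `rescan=true` case of the command) makes every hash a miss regardless of the cache. The second pass in `demo` finds the md5 through the MV `vt_hashes` field of the row that was cached under its sha256, which is why the field documentation recommends looking up against `vt_hashes` rather than `vt_resource`. Whether the real command writes its live results back into the lookup is not stated on this page; the write-back here is an assumption.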

Saved Searches

The description of each scheduled search can be found in the app setup. Please ensure you read and understand it before
enabling the saved search.

Support

Support will be provided by the developers (ECS) on a best-effort basis. The developers make no commitment to continued development. The software is provided as is, and the developer accepts no responsibility for any issues with the software, or which may result as a consequence of using the software.

Known Issues

  • 1 : While running the search, multiple errors occur, each from a different indexer, claiming that "Application does not exist: TA-VirusTotal".

  • This issue can happen on several older versions of Splunk. It means that, despite the TA's objections, the command is being run in streaming mode across all indexers. The quick fix is to use a non-streaming command (e.g. `| table *`) right before the `| virustotal` command. This forces the remainder of the search to run on the search head, fixing the issue.

Changelog

1.2.3

Added a data-quality warning to warn users that data in their hash field may have issues.

1.2.0

Added cmd_timeout option to virustotal.conf and the app setup page. This option allows the user to provide a timeout
value. This is a patch intended to provide support for Splunk versions lower than 7.1.0. On those versions,
the search job lifecycle reaches the "Finalising" state prematurely, causing the command to terminate before it is
done processing all events. The consequence of correcting for this behaviour is that the user is unable to manually
"Stop" the job. The timeout was added to provide the user with the means to specify the maximum running time for the command,
intended to be especially useful in environments where manual stopping is impossible.

Release Notes

Version 1.2.3
Jan. 31, 2019

Added warning message when the data fed into the `virustotal` command is badly normalised.

Version 1.2.2
Nov. 6, 2018


Added cmd_timeout option to virustotal.conf and the app setup page. This option allows the user to provide a timeout
value. This is a patch intended to provide support for Splunk versions lower than 7.1.0. On those versions,
the search job lifecycle reaches the "Finalising" state prematurely, causing the command to terminate before it is
done processing all events. The consequence of correcting for this behaviour is that the user is unable to manually
"Stop" the job. The timeout was added to provide the user with the means to specify the maximum running time for the command,
intended to be especially useful in environments where manual stopping is impossible.

© 2005-2019 Splunk Inc. All rights reserved.