VirusTotal App

VirusTotal App for Splunk VirusTotal App for Splunk is a lightweight application that enriches your security events with reputation data for files, URLs, IPs, and domains, leveraging the VirusTotal IOC Reputation API. This app provides a custom search command that accepts file hashes (MD5, SHA-1, or SHA-256), IP addresses, URLs, and domains, and queries the corresponding VirusTotal endpoints to retrieve relevant threat intelligence data — all without submitting new files or URLs for analysis. Key Features - Provides a custom SPL command (`vt`) that is easy to integrate into searches - Supports enrichment of multiple IOCs types: file hashes, IP addresses, URLs, and domains - Compatible with file hash formats: MD5, SHA-1, and SHA-256 - Automatically selects and queries the appropriate VirusTotal API endpoint based on the indicator type - Enrich data with stats, categorizations, tags, detection details by antivirus engines, and much more - Designed to work efficiently within automated alert enrichment pipelines - Includes a user-friendly UI for configuring the VirusTotal API key - Lightweight by design — no dashboards, saved searches, or additional objects - Fully compatible with Splunk Enterprise and Splunk Cloud