# The vt command

The VirusTotal App for Splunk provides the `vt` command to enrich different types of Indicators of Compromise (IOCs) directly within your SPL searches. Depending on the type of IOC you want to analyze, the command accepts one of the parameters `hash`, `url`, `domain`, or `ip`.

Below are examples of how to use the command for each IOC category.

## 1. File Hashes

You can analyze file hashes (MD5, SHA1, SHA256) by providing the field that contains the hash value.

Example:

```
index=wineventlog | vt hash=MD5
```

In this example, the field `MD5` contains the file hash to be sent to VirusTotal.

## 2. URLs

To analyze URLs, specify the field that stores the URL value.

Example:

```
index=paloalto sourcetype=paloalto:threat subtype="url" | vt url=url
```

Here, the field `url` contains the URL extracted from the Palo Alto logs.

## 3. Domains

Domain names can be enriched by specifying the field that contains the domain.

Example:

```
index=fortinet | vt domain=hostname
```

In this case, `hostname` is the field containing the domain to analyze.

## 4. IP Addresses

For IP-based analysis, pass the IP field to the `vt` command.

Example:

```
index=firewall | vt ip=dest_ip
```

The field `dest_ip` contains the destination IP address extracted from firewall logs.

## Using the vt Command with Direct Values

In addition to enriching IOCs stored in event fields, the `vt` command also accepts literal IOC values. This is useful for quick tests, manual checks, or validation during troubleshooting.

Example: using a direct IP address

```
| makeresults | vt ip="185.196.11.30"
```

In this example:

- `makeresults` generates a single empty event.
- The `vt` command sends the literal IP address (`185.196.11.30`) to VirusTotal.
- The response includes the usual `vt_*` enrichment fields for that IOC type.

### Other IOC Types Using Direct Values

You can apply the same approach to any supported IOC type:

Direct hash

```
| makeresults | vt hash="d41d8cd98f00b204e9800998ecf8427e"
```

Direct domain

```
| makeresults | vt domain="malicious-example.com"
```

Direct URL

```
| makeresults | vt url="http://suspicious-domain.com/path"
```

Using direct IOCs is especially helpful for:

- Quick testing of the API configuration
- Troubleshooting VirusTotal connectivity
- Checking behavior with specific known IOCs
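As an added example (not code from the VirusTotal App itself), the following Python helper classifies a raw IOC string into the `vt` parameter described above (`hash`, `url`, `domain` or `ip`) and builds the corresponding direct-value search. The classification rules and the quote escaping are this example's own assumptions, useful when generating such searches from an external tool or runbook.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Hash lengths the page lists: MD5 (32 hex), SHA1 (40 hex), SHA256 (64 hex).
_HASH_LENGTHS = {32: "MD5", 40: "SHA1", 64: "SHA256"}
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Hostname label: alphanumerics and hyphens, not starting or ending with a hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify_ioc(value: str):
    """Return the vt parameter name ('hash', 'url', 'domain', 'ip') for a raw
    IOC string, or None when the value matches none of the four types."""
    v = value.strip()
    if not v:
        return None
    # Hashes first: a hex string of a known digest length.
    if len(v) in _HASH_LENGTHS and _HEX_RE.match(v):
        return "hash"
    # IPv4 or IPv6 literal.
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    # URL: requires an http(s) scheme and a host part.
    parsed = urlparse(v)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "url"
    # Domain: at least two valid labels separated by dots.
    labels = v.split(".")
    if len(labels) >= 2 and all(_LABEL_RE.match(lbl) for lbl in labels):
        return "domain"
    return None


def build_vt_search(value: str):
    """Build the direct-value search from the page, e.g.
    | makeresults | vt ip="185.196.11.30"
    Returns None for values of unknown type. Backslashes and double quotes in
    the value are escaped so an untrusted IOC cannot break out of the quoted
    argument and alter the generated SPL."""
    ioc_type = classify_ioc(value)
    if ioc_type is None:
        return None
    escaped = value.strip().replace("\\", "\\\\").replace('"', '\\"')
    return f'| makeresults | vt {ioc_type}="{escaped}"'
```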