Introduction

The VirusTotal App for Splunk is a lightweight, high-performance integration that enhances your security monitoring and investigation workflows by enriching events with reputation and threat intelligence data from VirusTotal. Using the existing VirusTotal IOC Reputation API, the app lets security analysts quickly identify malicious indicators and add meaningful context to detections without generating additional submissions to VirusTotal: it reads the reports VirusTotal already holds for an indicator rather than uploading files or URLs for scanning.

This application introduces a custom SPL search command capable of processing multiple types of Indicators of Compromise (IOCs), including file hashes (MD5, SHA-1, and SHA-256), IP addresses, URLs, and domains. The command retrieves detailed intelligence such as categorizations, statistical metadata, antivirus detection results, and more. Designed for seamless integration with automated alert enrichment pipelines and compatible with both Splunk Enterprise and Splunk Cloud, the app delivers efficient, scalable enrichment with a minimal resource footprint.


Key Features

Custom SPL Command

  • Includes a custom SPL command (vt) that integrates seamlessly into Splunk searches.
  • Enables streamlined threat intelligence enrichment and supports faster security investigations.

IOC Enrichment Support

  • Provides enrichment for multiple types of Indicators of Compromise (IOCs), including:
    • File hashes
    • IP addresses
    • URLs
    • Domains
  • Enhances the accuracy and contextual value of security event analysis.

File Hash Compatibility

  • Supports major file hash formats:
    • MD5
    • SHA-1
    • SHA-256
  • Ensures broad coverage for threat detection and enrichment in diverse security workflows.

Comprehensive Threat Intelligence Data

  • Enriches events with:
    • Statistical data
    • Categorizations
    • Tags
    • Antivirus engine detection details
    • Additional threat intelligence metadata
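The two things this enrichment relies on are classifying a raw indicator into the right VirusTotal object type and flattening the returned report into event fields. The following Python is an added example illustrating both for the IOC types and data listed in the Introduction and in the sections above; it is not the app's own code and does not show the `vt` command's syntax or output schema. It assumes the public VirusTotal v3 API layout (`/api/v3/files/{hash}`, `/api/v3/ip_addresses/{ip}`, `/api/v3/domains/{domain}`, `/api/v3/urls/{base64url-of-url}` and the `last_analysis_stats`, `last_analysis_results`, `categories`, `tags` and `reputation` attributes); the `vt_*` field names, the verdict threshold and the sample response are choices made for this example.

```python
"""Classify IOCs, build VirusTotal v3 lookup paths and flatten a v3 object
into enrichment fields.  Added example; not the VirusTotal App's own code."""
import base64
import ipaddress
import re

# Hex digest length -> hash algorithm (the three hash types VT indexes).
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# RFC 1035-style hostname: labels of 1-63 chars, alphabetic TLD, <= 253 chars.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)
# VT v3 collection name for each IOC type (public v3 API layout).
COLLECTION = {"file": "files", "ip_address": "ip_addresses",
              "domain": "domains", "url": "urls"}


def classify_ioc(value):
    """Return (ioc_type, v3_object_id) for a raw indicator string.

    Order matters: a 32/40/64-char hex string is a hash before anything else,
    an IP literal is tested before the domain regex, and anything carrying a
    scheme is a URL.  Raises ValueError for input that is none of these.
    """
    v = value.strip()
    if HEX_RE.match(v) and len(v) in HASH_LENGTHS:
        return "file", v.lower()
    try:
        ipaddress.ip_address(v)
        return "ip_address", v
    except ValueError:
        pass
    if "://" in v:
        # v3 addresses a URL object by the unpadded base64url of the URL, so an
        # existing report can be read with GET and nothing is submitted.
        url_id = base64.urlsafe_b64encode(v.encode("utf-8")).decode("ascii").rstrip("=")
        return "url", url_id
    if DOMAIN_RE.match(v):
        return "domain", v.lower()
    raise ValueError(f"unrecognised IOC: {value!r}")


def v3_lookup_path(value):
    """GET path for the object's existing report (never an upload to /files or /urls)."""
    ioc_type, object_id = classify_ioc(value)
    return f"/api/v3/{COLLECTION[ioc_type]}/{object_id}"


def summarize(vt_object, malicious_threshold=1):
    """Flatten a v3 object into flat fields for a Splunk event.

    The vt_* field names and the verdict threshold are choices made for this
    example, not the app's output schema.
    """
    data = vt_object["data"]
    attrs = data.get("attributes", {})
    stats = attrs.get("last_analysis_stats", {})
    results = attrs.get("last_analysis_results", {})
    malicious = stats.get("malicious", 0)
    suspicious = stats.get("suspicious", 0)
    total = sum(stats.values())
    if malicious >= malicious_threshold:
        verdict = "malicious"
    elif suspicious > 0:
        verdict = "suspicious"
    elif total > 0:
        verdict = "clean"
    else:
        verdict = "unknown"  # no analysis stats at all, e.g. never scanned
    return {
        "vt_type": data.get("type"),
        "vt_id": data.get("id"),
        "vt_malicious": malicious,
        "vt_suspicious": suspicious,
        "vt_total_engines": total,
        "vt_reputation": attrs.get("reputation"),
        "vt_tags": list(attrs.get("tags", [])),
        # categories is {vendor: category}; keep the distinct category strings.
        "vt_categories": sorted(set(attrs.get("categories", {}).values())),
        # engines that flagged the object, taken from the per-engine results.
        "vt_detections": sorted(
            eng for eng, r in results.items()
            if r.get("category") in ("malicious", "suspicious")
        ),
        "vt_verdict": verdict,
    }


# Constructed sample in the shape of a v3 domain object; the values are invented
# for this example and last_analysis_results is abbreviated.
SAMPLE_DOMAIN_OBJECT = {
    "data": {
        "type": "domain",
        "id": "bad-example.test",
        "attributes": {
            "last_analysis_stats": {"harmless": 60, "malicious": 8,
                                    "suspicious": 1, "undetected": 20, "timeout": 0},
            "last_analysis_results": {
                "EngineA": {"category": "malicious", "result": "malware"},
                "EngineB": {"category": "harmless", "result": "clean"},
                "EngineC": {"category": "suspicious", "result": "suspicious"},
            },
            "categories": {"VendorX": "malware", "VendorY": "malicious web sites"},
            "tags": ["dga"],
            "reputation": -15,
        },
    }
}

if __name__ == "__main__":
    for ioc in ("44d88612fea8a8f36de82e1278abb02f", "8.8.8.8",
                "http://example.com/a", "Example.COM"):
        print(ioc, "->", v3_lookup_path(ioc))
    print(summarize(SAMPLE_DOMAIN_OBJECT))
```

The classification order is the part worth getting right in a real pipeline: a bare hex string that happens to be 32, 40 or 64 characters is always treated as a hash, and an IP literal is tested before the domain pattern so that dotted quads never reach the domain endpoint. The verdict field is only a convenience for alerting; the raw `last_analysis_stats` counts are what an analyst should keep on the event.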

Automation-Ready Design

  • Optimized for use within automated alert enrichment pipelines.
  • Ensures efficient, scalable integration with security automation and orchestration processes.

User-Friendly Configuration

  • Provides an intuitive interface for managing the VirusTotal API key.
  • Simplifies setup and configuration for both analysts and administrators.

Lightweight Implementation

  • Designed to operate with minimal overhead.
  • Does not include dashboards, saved searches, or additional Splunk objects.
  • Ensures high performance within Splunk environments.

Platform Compatibility

  • Fully compatible with both Splunk Enterprise and Splunk Cloud, allowing seamless deployment across on-premises and cloud-based infrastructures.