This app is used to supplement your data with information from VirusTotal. The custom command `| virustotal` (bundled with this app) uses the VirusTotal REST API endpoint to communicate with the VirusTotal API.

This TA can be installed on the search head. No additional manual steps are required in distributed environments, as the app only interacts with search-time functionality (lookups and scheduled searches).

App set-up can be accessed from Splunk's "Manage Apps" menu. The following options should be configured in the set-up menu. Note: the setup should be run by an admin user.

For minimum functionality (ad-hoc searches only), the following should be configured:

- The VirusTotal API key: required to authenticate against the VirusTotal API.

Note that without configuring these values, neither the custom command nor the scheduled searches will work.

For full functionality (lookup table caching VT data), the following can also be configured:

- Configure "Cache Auto Update : Index Filter": provide index and/or other filters indicating where events with hashes can be found.
- (optional) Review and customise the cron schedule (directing how frequently the internal VT cache is refreshed).
- (optional) Review and customise the "Earliest time" for the scheduled search to work with your cron schedule.
- (optional) Review and customise the cron schedule for the search and the retention period for the cache. It is recommended that the cleanup search run after (not before) the update search.

This TA will share certain information with the VirusTotal API. This TA will only ever connect to the VirusTotal REST API endpoint. These connections will only ever be performed over https connections. These connections will only ever be triggered by the explicit invocation of the `| virustotal` command (either by users or by scheduled searches). The information shared is:

- The VirusTotal API key: required to authenticate against the VirusTotal API.
- The contents of the field specified when running the `| virustotal =FIELD` command.

Note that care should be taken when using the url field. Depending on your data, this field might contain HTTP parameters (e.g. …). This TA will not anonymise, remove, nor mutate your data in any way. This could lead to information disclosure. Ensure you understand this risk, or speak to the data owner before using the command.
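Because the TA forwards the chosen field unchanged, one way to reduce the disclosure risk is to strip query strings and fragments from url values before they are handed to the command, and to report how many values were altered so the data owner can review them. The following Python is an added example of such a pre-processing step, not part of the TA; the sample events are constructed and the `url_clean` field name is an assumption.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample events resembling proxy-log url values; the token and
# e-mail address are made-up values that illustrate what a query string may carry.
SAMPLE_EVENTS = [
    {"url": "http://example.test/download/setup.exe"},
    {"url": "https://portal.example.test/reset?token=SESSION123&user=alice%40example.test"},
    {"url": "https://cdn.example.test/a.js#frag"},
    {"url": "not a url"},
]


def strip_url_parameters(url):
    """Return (cleaned_url, had_parameters).

    Keeps only scheme, host and path, dropping the query string and fragment
    so that tokens or identifiers in parameters are not forwarded externally.
    Values that do not parse as a URL are returned unchanged.
    """
    parts = urlsplit(url)
    had_parameters = bool(parts.query or parts.fragment)
    cleaned = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    return cleaned, had_parameters


def prepare_url_field(events, field="url"):
    """Add a sanitised '<field>_clean' value to each event.

    Returns the events and the number of values that lost parameters, so the
    analyst can confirm with the data owner before running the lookup command.
    """
    altered = 0
    for event in events:
        cleaned, had_parameters = strip_url_parameters(event[field])
        event[field + "_clean"] = cleaned  # assumed name for the sanitised field
        altered += had_parameters
    return events, altered


if __name__ == "__main__":
    prepared, altered = prepare_url_field(SAMPLE_EVENTS)
    for event in prepared:
        print(event["url"], "->", event["url_clean"])
    print(f"{altered} of {len(prepared)} url values had parameters removed")
```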