

VT4Splunk

Splunk Cloud
Unearth malware, adversaries and other breaches hiding in your environment with crowdsourced threat reputation and context coming from hundreds of security vendors and millions of monthly users on VirusTotal.com.

If you would like to unleash the full potential of VirusTotal applied to your security telemetry, please do not hesitate to contact us at: https://www.virustotal.com/gui/contact-us/premium-services.

VT4Splunk automatically enriches your Splunk logs with threat intelligence coming from VirusTotal. It allows you to contextualize IoCs (files/hashes, domains, IP addresses, URLs) and either confirm malicious intent or discard false positives. The context added includes: security industry reputation, threat categories and labels, associated campaigns and threat actors, etc.

Feature highlights:
- Command-line driven threat intelligence enrichment of subsets of events when conducting investigations.
- Automatic scheduled enrichment of all events to continuously identify breaches in your environment.
- Single pane of glass IoC contextualization via embedded VT Augment widget.
- Dashboards and reporting including:
* Threat Intelligence view summarizing malware activity in your environment.
* Vulnerability Intelligence view shedding light into malicious files trying to exploit specific vulnerabilities (identified by CVE) in your environment.
* Adversary Intelligence view identifying threat {campaigns, toolkits, actors} observed in your environment.
* MITRE ATT&CK matrix identifying tactics and techniques observed in your environment.

VT4Splunk, official VirusTotal app for Splunk

Overview

VT4Splunk automatically enriches your Splunk logs with threat intelligence coming from VirusTotal. It allows you to contextualize IoCs (files/hashes, domains, IP addresses, URLs) and either confirm malicious intent or discard false positives. The context added includes: security industry reputation, severity, threat categories and labels, associated campaigns and threat actors, etc.

Compatibility Matrix

  • Unix OS
  • Splunk version: 9.4.x, 9.3.x, 9.2.x, 9.1.x, 9.0.x
  • Python version: Python3

Installation

The VT4Splunk app can be installed through the UI as shown below:

  1. Log in to Splunk Web and navigate to Apps > Manage Apps.
  2. Click Install app from file.
  3. Click Choose file and select the TA-virustotal-app installation file.
  4. Click on Upload.
  5. Restart Splunk.

Because of Splunk limitations when reading the VT API key from indexers, the VT4Splunk app always runs on the Search Head, so the add-on only needs to be installed on the Search Head, not on the indexers or the forwarders.

Configuration

Configuring VT4Splunk:

Proxy

Configure proxy settings:

Setting          Required   Description
Enable Proxy     Optional   Enable or disable the proxy
Proxy Host       Mandatory  Host or IP of the proxy server
Proxy Port       Mandatory  Port of the proxy server
Proxy Username   Optional   Username for the proxy server
Proxy Password   Optional   Password for the proxy server

Logging

Configure the Logging level:

  1. Navigate to the Configuration tab.
  2. Click on the Logging tab.
  3. Select the log level and click Save.

General Settings

Configure basic values for the correct operation of the app:

To test the connection, you can execute this Splunk query after saving the API key:

| makeresults
| eval testip="8.8.8.8"
| vt4splunk ip=testip
  • Lookup table expiration (days):
    Elements stored in the lookup tables (IoCs, campaigns, actors) are removed once the time since they were last seen in the events exceeds this value.

Correlation Settings

Configure values that affect the automatic correlation and the data shown in the dashboards:

  • Enable automatic correlation:
    Enable this to automatically correlate IoCs found in your events with VirusTotal context. VirusTotal enrichment will be scheduled every 30 minutes and findings will be summarized in the dashboards.

  • Data freshness (days):
    Optimizes your VirusTotal API quota. IoC enrichment is retrieved from the local cache, instead of performing an API call, whenever the age of the cached analysis is lower than this value.

  • Names for indexes:
    Automatic correlation and dashboards use this list of indexes when searching for events in your environment.

  • Field names [Hash, URL, Domain, IP]:
    Saved searches perform automatic correlation using these field names to find IoCs in your events. Leaving a field empty disables automatic correlation for that IoC type.

Commands

The app provides a main command, vt4splunk, to correlate IoCs found in your events with VirusTotal information, and other commands to keep the enrichment dataset up to date:

  • vt4splunk:

Adding the command to an SPL query enriches the events that contain the field name passed as argument, adding new fields prefixed with vt_ to the event at search time. The command accepts the following parameters:

Parameter                  Optional   Description
hash | domain | url | ip   No         Name of the event field containing the IoC
nocache                    Yes        Boolean, lowercase value [true | false]

Query examples:

sourcetype=access_* status=400 method=POST
| vt4splunk ip=clientip

Correlates the clientip field of access log events.

sourcetype=access_* status=400 method=POST
| vt4splunk ip=clientip nocache=true

Forces the enrichment data to be fetched from VirusTotal instead of the lookup tables (the local cache).

sourcetype=access_* status=400 method=POST
| vt4splunk ip=clientip nocache=true
| search vt_detections > 10

Returns the correlated events with more than ten detections.
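A fuller investigation query, added here as an example and not taken from the app's documentation. It aggregates unique client IPs over the last seven days before calling vt4splunk, so each address costs a single lookup against the API quota instead of one per event, then keeps only addresses above a detection threshold; the same shape works as the manual backfill mentioned under Troubleshooting. The index name proxy_logs is an assumption; clientip and vt_detections are the fields used elsewhere on this page.

```spl
index=proxy_logs sourcetype=access_* earliest=-7d
| stats count AS hits, min(_time) AS first_seen, max(_time) AS last_seen BY clientip
| vt4splunk ip=clientip
| where vt_detections > 10
| convert ctime(first_seen) ctime(last_seen)
| sort - vt_detections
| table clientip vt_detections hits first_seen last_seen
```

Because the results are already deduplicated by clientip, adding nocache=true here refreshes each address exactly once, which is the cheapest way to force fresh verdicts for a suspect set.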

Additional commands

The following additional commands are executed periodically by the saved searches; it will rarely be necessary to run them manually.

  • vtdeleteiocs:

Deletes IoCs older than 30 days by default. It can also be executed manually, given a table with a vt_id field as input and/or with parameters for a more selective delete:

Parameter   Optional   Description
lookups     Yes        Delete IoCs of specific types (hash, domain, ip, url)
ttl         Yes        Delete IoCs older than this value (days)

Query examples:

| makeresults | vtdeleteiocs

Delete all IoCs.

| makeresults | vtdeleteiocs ttl=30

Delete all IoCs older than 30 days.

| inputlookup vt_url_cache | search vt_detections < 10 | vtdeleteiocs lookups=url ttl=5

Delete URLs with less than 10 detections and older than 5 days.

| inputlookup vt_file_cache | search vt_tags=*cve-* | vtdeleteiocs lookups=hash

Delete hashes with CVE tags.

  • vtadversaryupdate:

Keeps campaigns and threat actors up to date.

  • vtvulnerabilitiesupdate:

Keeps CVEs up to date.

  • vtmitreupdate:

Extracts the MITRE ATT&CK information of each hash and keeps the dashboard up to date.

Saved Searches

The app provides a tool for creating and managing saved searches that correlate your events and keep the data up to date without manual intervention.

The saved searches are in charge of the automatic correlation: they inspect new events from the last 15 minutes, only in the indexes configured in the Correlation Settings.

  • VirusTotal Clean Lookups

This saved search removes from the lookup tables the IoCs older than the value configured in the Correlation Settings, 30 days by default.

  • VirusTotal Keep Adversary Lookups Updated
  • VirusTotal Keep CVE Lookup Updated
  • VirusTotal Keep MITRE Lookup Updated

The above saved searches keep the data shown in the Vulnerability, Adversary and MITRE dashboards up to date.

Lookup tables

The app creates several lookup tables to store the enrichment data and to feed the dashboards:

  • vt_file_cache: stores the VirusTotal enrichment data for files
  • vt_domain_cache: stores the VirusTotal enrichment data for domains
  • vt_url_cache: stores the VirusTotal enrichment data for URLs
  • vt_ip_cache: stores the VirusTotal enrichment data for IPs
  • vt_collection_cache: stores the VirusTotal collections for flagged IoCs (campaigns and malware toolkits)
  • vt_threat_actor_cache: stores the VirusTotal threat actors for flagged IoCs
  • vt_cve_cache: stores the CVEs extracted from file enrichment data
  • vt_mitre_cache: stores the MITRE ATT&CK information for files
  • vt_ignore_cache: stores the IoCs to be ignored in the dashboards

All of the above tables can be inspected by running a search such as: | inputlookup vt_file_cache

Ignoring specific IoCs

IoCs can be ignored by adding them to a dedicated lookup table, which prevents them from appearing in the dashboards; this is useful for well-known IoCs or false positives.

You can manage those IoCs with these queries:

  • To add a single IoC:

| makeresults | eval vt_id="eed999fcf63eaa5dd73fac49a7d49d64fe19b945eb30730da4ab026d78746559", vt_type="hash"
| outputlookup append=true vt_ignore_cache

  • To add multiple IoCs:

| makeresults format=csv data="vt_id,vt_type
eed999fcf63eaa5dd73fac49a7d49d64fe19b945eb30730da4ab026d78746559,hash
google.com,domain
https://www.google.com,url
127.0.0.1,ip"
| outputlookup append=true vt_ignore_cache

  • To remove duplicate IoCs:

| inputlookup vt_ignore_cache | dedup vt_id vt_type | outputlookup vt_ignore_cache

Troubleshooting

Empty dashboards

  • Saved searches only correlate events created in the last 30 minutes; to backfill and start populating the dashboards, run a search over the older time range that adds the vt4splunk command as described above.

  • Check that the lookup tables contain data; if not, try running the vt4splunk command manually over a search of events.

  • Check the index names in the Correlation Settings.

I cannot see the Correlation Settings.

The Correlation Settings are now on their own page: click the Configuration menu and select the Correlations entry.

Attention Splunk 9.3 users: this version has an acknowledged bug by which the add-on navigation bar does not refresh after an add-on upgrade. To work around it, open the browser developer tools, locate the local storage (in Chrome: Application tab -> Local Storage in the left menu), filter by TA-virustotal-app, remove the splunk-appnav:TA-virustotal-app entry and refresh the page.

Support

  • Email contact@virustotal.com

  • When contacting support, please indicate your VT4Splunk version, your Splunk version (Enterprise or Cloud), and attach some screenshots and the logs obtained by executing:

index="_internal" | search source="*ta_virustotal_app*"

This returns all logs written by VT4Splunk.

index="_internal" | search "virustotal" "ERROR"

This returns all error logs written by Splunk about VT4Splunk.

Copyright (c) 2024 Google. All rights reserved.

Binary File Declaration

/Applications/Splunk/var/data/tabuilder/package/TA-virustotal-app/bin/lib/aiohttp/_websocket.cpython-39-darwin.so: this file does not require any source code
/Applications/Splunk/var/data/tabuilder/package/TA-virustotal-app/bin/lib/aiohttp/_helpers.cpython-39-darwin.so: this file does not require any source code
/Applications/Splunk/var/data/tabuilder/package/TA-virustotal-app/bin/lib/aiohttp/_http_parser.cpython-39-darwin.so: this file does not require any source code
/Applications/Splunk/var/data/tabuilder/package/TA-virustotal-app/bin/lib/aiohttp/_http_writer.cpython-39-darwin.so: this file does not require any source code
/Applications/Splunk/var/data/tabuilder/package/TA-virustotal-app/bin/lib/frozenlist/_frozenlist.cpython-39-darwin.so: this file does not require any source code
/Applications/Splunk/var/data/tabuilder/package/TA-virustotal-app/bin/lib/charset_normalizer/md__mypyc.cpython-39-darwin.so: this file does not require any source code
/Applications/Splunk/var/data/tabuilder/package/TA-virustotal-app/bin/lib/charset_normalizer/md.cpython-39-darwin.so: this file does not require any source code
/Applications/Splunk/var/data/tabuilder/package/TA-virustotal-app/bin/lib/multidict/_multidict.cpython-39-darwin.so: this file does not require any source code
/Applications/Splunk/var/data/tabuilder/package/TA-virustotal-app/bin/lib/yarl/_quoting_c.cpython-39-darwin.so: this file does not require any source code
/Applications/Splunk/var/data/tabuilder/package/TA-virustotal-app/bin/ta_virustotal_app/aob_py3/pvectorc.cpython-37m-x86_64-linux-gnu.so: this file does not require any source code
/Applications/Splunk/var/data/tabuilder/package/TA-virustotal-app/bin/ta_virustotal_app/aob_py3/markupsafe/_speedups.cpython-37m-x86_64-linux-gnu.so: this file does not require any source code
/Applications/Splunk/var/data/tabuilder/package/TA-virustotal-app/bin/ta_virustotal_app/aob_py3/yaml/_yaml.cpython-37m-x86_64-linux-gnu.so: this file does not require any source code
/Applications/Splunk/var/data/tabuilder/package/TA-virustotal-app/bin/ta_virustotal_app/aob_py3/setuptools/cli-arm64.exe: this file does not require any source code
/Applications/Splunk/var/data/tabuilder/package/TA-virustotal-app/bin/ta_virustotal_app/aob_py3/setuptools/cli-64.exe: this file does not require any source code
/Applications/Splunk/var/data/tabuilder/package/TA-virustotal-app/bin/ta_virustotal_app/aob_py3/setuptools/gui-64.exe: this file does not require any source code
/Applications/Splunk/var/data/tabuilder/package/TA-virustotal-app/bin/ta_virustotal_app/aob_py3/setuptools/cli.exe: this file does not require any source code
/Applications/Splunk/var/data/tabuilder/package/TA-virustotal-app/bin/ta_virustotal_app/aob_py3/setuptools/cli-32.exe: this file does not require any source code
/Applications/Splunk/var/data/tabuilder/package/TA-virustotal-app/bin/ta_virustotal_app/aob_py3/setuptools/gui-32.exe: this file does not require any source code
/Applications/Splunk/var/data/tabuilder/package/TA-virustotal-app/bin/ta_virustotal_app/aob_py3/setuptools/gui.exe: this file does not require any source code
/Applications/Splunk/var/data/tabuilder/package/TA-virustotal-app/bin/ta_virustotal_app/aob_py3/setuptools/gui-arm64.exe: this file does not require any source code

Release Notes

Version 1.8.5 (Nov. 18, 2025)

  • Fixed a bug that resulted in the MITRE ATT&CK dashboard loading with an empty matrix despite having underlying data.

Version 1.8.4 (Oct. 28, 2025)

Version 1.8.3 (Sept. 23, 2025)

  • Update Add-on Builder version.

Version 1.8.2 (April 3, 2025)

  • Get the management port from the Splunk configuration instead of the default.

Version 1.8.1 (March 12, 2025)

  • Add view-context documentation in each panel of the integration.
  • Implement an update mechanism for saved searches, prompting users to update queries that are not aligned with the latest add-on version. This ensures all searches leverage the most current functionality.

Version 1.7.3 (March 4, 2025)

  • Python 3.7 dependencies have been updated.
  • Optimized search query for basic correlations.
  • De-duplicate IoCs in basic correlations to avoid extra calls to the VT API.

Version 1.7.2 (Feb. 4, 2025)

  • Update Splunk SDK for Python.

Version 1.7.1 (Dec. 20, 2024)

  • New CIM data model correlations.

Version 1.7.0 (Nov. 28, 2024)

  • A new dashboard to manage correlations allows users to define their own correlations, giving them greater control over the index and the fields used by each correlation.
  • Add granular controls to enable/disable correlations individually.
  • The performance of the basic correlation saved searches has been improved.
  • The execution interval of the basic correlation saved searches has been reduced from 30 to 15 minutes.

Upgrade from version 1.6.7

  • Execute the following command to keep your threat actors up to date:
| vtadversaryupdate

Version 1.6.7 (Oct. 21, 2024)

  • The performance of the vt4splunk command has been drastically improved.
  • The MITRE ATT&CK techniques tab from Adversary Intelligence has been moved to the MITRE ATT&CK dashboard.
  • Event drilldown tables have been replaced by a Splunk Search action, so users have more control when refining the search query to match the IoCs in their events.

Version 1.6.6 (Sept. 2, 2024)

  • Update VT Augment version to 1.7.4.
  • Fix error when dashboards are loaded outside of the add-on context (i.e. on the Splunk home view).

Version 1.6.5 (June 13, 2024)

  • Cloud compatibility.

Version 1.6.4 (June 4, 2024)

  • Fixed bug when detecting whether Splunk REST uses SSL or not.
  • New unknown pivot in the Severity pie chart.
  • Fix empty values in pie charts.
  • Upgrade Add-on Builder version to 4.2.0.

Version 1.6.3 (Nov. 20, 2023)

  • Added HTTPS proxy support.
  • Added JARM information to IP addresses and domains.

Version 1.6.2 (Oct. 4, 2023)

  • Improve saved searches performance.
  • Disable saved searches by default.
  • Improve field validation to avoid inconsistent states.

Upgrade from all versions

  • We have changed the way the add-on stores some configuration values such as the Lookup table expiration, Index names and Enable automatic correlation. Values stored before the upgrade will not work as expected; after the upgrade, please enter the configuration again in the General and Correlation Settings and save both forms.

Version 1.6.1 (Sept. 26, 2023)

  • Run vt4splunk command locally.
  • Fix compatibility with Splunk 9.1.*.
  • Added the IoC severity for VT Enterprise users.
  • Fix bug when lists in Correlation Settings contained spaces.
  • Added whois information to domains.

Version 1.6.0 (Aug. 7, 2023)

  • Allow users to run the vt4splunk command locally.
  • Added VPN, Tor and Proxy IPs tab in the Threat Intelligence dashboard.
  • Added the number of VT comments on each IoC.
  • Added the number of Crowdsourced YARA rule matches to file IoCs.
  • Avoid enriching private IP addresses.
  • vtdeleteiocs command is able to receive IoCs as input.
  • Improved time window selector by allowing any relative time.
  • Fix bug in hashes tables when displaying SHA256 instead of ID.
  • Fix bug where the Configuration tab didn't open in some cases.

Version 1.5.3 (June 15, 2023)

  • Fix bug when the vt4splunk command processes records with non-UTF-8 encoding.

Version 1.5.2 (May 19, 2023)

  • Fix bug when checking the API key.

Version 1.5.1 (April 25, 2023)

  • Added vt_ignore_cache to ignore desired IoCs.
  • Fix bug when using a proxy with username and password.
  • Fix bug in the Vulnerability Intelligence dashboard when using the time window selector.

Version 1.5.0 (April 12, 2023)

  • Added signature severity to MITRE ATT&CK techniques in the Adversary Intelligence dashboard.
  • Added a control to filter MITRE ATT&CK techniques by signature severity in the Adversary Intelligence dashboard.
  • Changed the flagged files chart from "by extension" to "by type" in the Threat Intelligence dashboard.
  • Clicking on cards works as clicking on tabs in the Threat and Adversary Intelligence dashboards.
  • Fix a bug in the MITRE ATT&CK dashboard when the number of files with MITRE ATT&CK techniques was greater than 100.
  • Change workflow action endpoint for URLs.
  • Fix bug when using saved searches in a distributed environment.
  • Fix cloud compatibility.

Upgrade from 1.4.* versions

  • Delete the content of the MITRE lookup table to make it compatible with the new version:
| outputlookup vt_mitre_cache

Version 1.4.1 (March 28, 2023)

  • Add a brand new MITRE ATT&CK matrix dashboard.
  • Add a new command vtmitreupdate to extract tactics and techniques from IoCs.
  • Add a new attack techniques and sub-techniques table to the Adversary dashboard.
  • Add a saved search to keep the MITRE data up to date.
  • Add a validator to the API key field to avoid entering an invalid value by mistake.
  • Improve error feedback: no quota, API key not set and other errors are displayed in all dashboards.
  • Improve the support for distributed installations: the app and its configuration are replicated across the search head cluster.
  • Improve logs: app logs can now be read at $SPLUNK_HOME/var/log/splunk/ta_virustotal_app_*.log.
  • Automatic correlation can be disabled per IoC type by leaving the field name input empty.
  • Saved searches don't run if there is no valid API key configured.
  • Fix the vt4splunk command search error _last_correlation_date.
  • Fix the vt4splunk command search error vt_tags.
  • Fix workflow URLs.
  • Fix cloud compatibility.

Version 1.4.0 (March 28, 2023)

  • Added a brand new MITRE ATT&CK matrix dashboard.
  • Added a new command vtmitreupdate to extract tactics and techniques from IoCs.
  • Added a new attack techniques and sub-techniques table to the Adversary dashboard.
  • Added a saved search to keep the MITRE data up to date.
  • Added a validator to the API key field to avoid entering an invalid value by mistake.
  • Improve error feedback: no quota, API key not set and other errors are now displayed in all dashboards.
  • Improve the support for distributed installations: the app and its configuration are now replicated across the search head cluster.
  • Improve logging: app logs can now be read at $SPLUNK_HOME/var/log/splunk/ta_virustotal_app_*.log.
  • Automatic correlation can now be disabled per IoC type by leaving the field name input empty.
  • Saved searches now don't run if there is no valid API key configured.
  • Fix the vt4splunk command search error _last_correlation_date.
  • Fix the vt4splunk command search error vt_tags.
  • Fix workflow URLs.

Version 1.3.0 (March 8, 2023)

  • Added a new Adversary Intelligence dashboard.
  • Added a new command vtdeleteiocs to delete IoCs selectively.
  • Added a new command vtadversaryupdate to gather adversary intelligence data from VirusTotal.
  • Added a new command vtvulnerabilitiesupdate to extract vulnerabilities from the IoCs.
  • Added a saved search to delete IoCs older than a configured value.
  • Added a saved search to keep the adversary intelligence data up to date.
  • Added a saved search to keep the vulnerabilities data up to date.
  • Added a malware category pie chart (file) to the Threat Intelligence dashboard.
  • Added a categories pie chart (URLs, domains) to the Threat Intelligence dashboard.
  • Added a country pie chart (IP) to the Threat Intelligence dashboard.
  • Added a TLD pie chart (URLs, domains) to the Threat Intelligence dashboard.
  • Added an ASN pie chart (IP) to the Threat Intelligence dashboard.
  • Added country flags.
    ...
    See the full release notes in the details tab.

Version 1.2.0 (Feb. 3, 2023)

  • Added saved searches to automate the vt4splunk enrichment.
  • Added a malware category pie chart in the Threat Intelligence dashboard.
  • Added a lookup date column in the Threat Intelligence dashboard.
  • Fix bug where the VT Augment didn't open in some cases.
