Hi.
The "vt" command has two options (field, av).
The "field" option sets the field that holds the malware hash value to search on VirusTotal.
ex.)
sourcetype="malware" | table file_name, hash | vt field="hash" | table file_name, hash, vt_av_result, vt_link, vt_ratio
The "av" option lets you select which anti-virus vendors' VirusTotal detection results you want.
If you want to view all results, use the asterisk sign ("*").
ex.)
sourcetype="malware" | table file_name, hash | vt field="hash" av="symantec" | table file_name, hash, vt_av_result, vt_link, vt_ratio
sourcetype="malware" | table file_name, hash | vt field="hash" av="symantec,avast" | table file_name, hash, vt_av_result, vt_link, vt_ratio
sourcetype="malware" | table file_name, hash | vt field="hash" av="*" | table file_name, hash, vt_av_result, vt_link, vt_ratio
If you want to search for a specific hash value, you can follow this example.
ex.)
| eval hash="5f41c906b4a462baea4715692c62023dfd4cdb83" | vt field="hash" av="*" | table file_name, hash, vt_*
Thanks!
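To make the behaviour of the av option concrete, here is an added example in Python (not the Splunk app's own code, and not a real VirusTotal API call) that shows how a vt-style command could turn a per-engine report into the vt_av_result and vt_ratio fields used in the searches above. The report layout ({engine: {"detected", "result"}}), the function names and the sample verdicts are all constructed for this example; the only behaviour taken from the post is that av accepts a single vendor, a comma-separated list, or "*" for every vendor.

```python
# Added example: hypothetical handling of the av="..." option described above.
# Not the Splunk app's source. Report shape and sample verdicts are constructed.

# Constructed sample report for one hash (engine names and verdicts are made up,
# not output from VirusTotal).
SAMPLE_REPORT = {
    "Symantec": {"detected": True, "result": "Trojan.Gen.2"},
    "Avast": {"detected": True, "result": "Win32:Malware-gen"},
    "ClamAV": {"detected": False, "result": None},
    "Kaspersky": {"detected": True, "result": "HEUR:Trojan.Win32.Generic"},
}


def parse_av_option(av):
    """Parse the av option into a set of lower-cased engine names.

    Returns None when every engine is wanted ("*", as in the post, or an
    empty value), so callers can distinguish 'no filter' from 'no match'.
    """
    av = (av or "").strip()
    if av in ("", "*"):
        return None
    return {name.strip().lower() for name in av.split(",") if name.strip()}


def vt_fields(report, av="*"):
    """Build the vt_av_result and vt_ratio fields for one hash.

    vt_ratio is detected/total over the whole report (the familiar x/y count),
    independent of the av filter; vt_av_result lists only the engines that the
    av option asked for, so an analyst can pin a verdict to a specific vendor.
    """
    wanted = parse_av_option(av)
    total = len(report)
    detected = sum(1 for r in report.values() if r["detected"])

    results = []
    # Case-insensitive match so av="symantec" finds the "Symantec" engine.
    for engine, r in sorted(report.items(), key=lambda kv: kv[0].lower()):
        if wanted is not None and engine.lower() not in wanted:
            continue
        verdict = r["result"] if r["detected"] else "clean"
        results.append(f"{engine}: {verdict}")

    return {
        "vt_av_result": "; ".join(results),
        "vt_ratio": f"{detected}/{total}",
    }


if __name__ == "__main__":
    for av in ("symantec", "symantec,avast", "*"):
        print(av, "->", vt_fields(SAMPLE_REPORT, av=av))
```

The point worth noting from a triage standpoint is that the ratio stays the same whatever vendor subset you request; filtering only narrows the verdict text, so a search on av="symantec" that shows an empty vt_av_result still carries the full detection count in vt_ratio.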