Splunk® User Behavior Analytics

Get Data into Splunk User Behavior Analytics

Configure the VirusTotal script to see VirusTotal anomalies in Splunk UBA

The VirusTotal script in Splunk UBA compares existing external IP addresses and domains in Splunk UBA against VirusTotal. Any matches are added to the VirusTotal watch list, which can be viewed in Splunk UBA in Anomalies Table > Add Filter > User Watchlists. The first time the script is run, it checks data from the past 180 days. You can configure the script to run regularly after that.


Verify the following before running the VirusTotal script:

  1. Ensure that Splunk UBA node 1 can connect to https://developers.virustotal.com/v2.0/reference/domain-report and https://developers.virustotal.com/v2.0/reference/ip-address-report.
  2. Make sure you have an existing VirusTotal API key. If you need to obtain a key, register in the VirusTotal community. Complete the registration form and click Sign Up.
  3. Identify the maximum number of queries you can run using your API key. If you are using a private key, exclude your regular usage (non-UBA related searches) from this limit.

Run the script

  1. Run the VirusTotal setup:

    The script prompts you for the following:

    1. A disclaimer for using VirusTotal. If you accept the terms of usage, press Y.
    2. Your Virustotal API key. Enter your API key and press Enter to continue.
      Find your API key under the account details, after logging in to VirusTotal.
    3. The VirusTotal API maximum limit of queries per minute. Provide the maximum queries that Splunk UBA can run in one minute, and then press Enter to continue.
    4. The directory where VirusTotal script writes temporary files. By default, temporary files are written in /temp. Press Enter to continue.
    5. Prompt you for the location where VirusTotal scan logs must be stored. By default, these logs are written in /var/log/caspida. Press Enter to continue.

The VirusTotal script is executed every Saturday. If you need to manually run the VirusTotal script at another time, perform the following tasks:

  1. Go to the /opt/caspida/bin/utils/virustotal_scan directory.
  2. Run the following command:
    /opt/caspida/bin/utils/virustotal_scan/virustotal_scan.sh &

    Do not run before the weekend to avoid double execution and locking out the API key.

Additional information

You can find more information and details about the script in the README file: /opt/caspida/bin/utils/virustotal_scan/README.

Last modified on 05 April, 2022
Configure PowerShell logging to see PowerShell anomalies in Splunk UBA   Non-CIM complaint mapping for cloud storage data

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4,, 5.0.5,, 5.1.0,, 5.2.0, 5.2.1, 5.3.0, 5.4.0

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters