Workflow action - Virustotal

VijaySrrie
Builder

Is it possible to create workflow action to check the malicious URL?
If yes, after setting it up how to work on it?


to4kawa
Ultra Champion

Hi, @vijaysri

Try the app:

virus total TA

virus total TA usage

My old answer:

Look at this.

| makeresults 
| eval _raw="http://www.yahoo.com/" 
| eval hash=sha256(_raw) 
| appendpipe 
    [ eval hash="ed91698b5823a5e4424726955dd3fd437d9cfdc46f7b8988cded5da779cc7483"]
`comment("the hash of below link")`

https://www.virustotal.com/gui/url/ed91698b5823a5e4424726955dd3fd437d9cfdc46f7b8988cded5da779cc7483/...
This query is aimed at explaining the VirusTotal URL.
So you just have to hash the URL with sha256() (starting with http, ending with / or the file name or the anchor name)
and put the hash into the link.

Create workflow actions in SplunkWeb

index="botsv2" sourcetype="stream:http"
| rex field=url "^(?<vt_url>.+:\/\/[\w\:.]+?\/)"
| eventstats values(eval(sha256(vt_url))) as vt_urlhash by vt_url

BOSS of the soc 2
For example, I made it using this data set.

Workflow Settings:

Fields » Workflow actions » Add new

Link configuration

URI   https://www.virustotal.com/gui/url/$vt_urlhash$/detection
Open link in   New window
Link method   get

| makeresults 
| eval _raw="http://freeloaderstokyo.com/fill-form.html" 
`comment("this url is malicious, Do NOT access!")`
| eval hash=sha256(_raw) 
`comment("put the url to _raw; hash the exact url string, with no trailing space")`
| eval link="https://www.virustotal.com/gui/url/".hash."/detection"

This is interesting, too.

EDITED:

VT API access:
The URL described here (VT API reference) will be created in Splunk.

Example: curl --request GET --url 'https://www.virustotal.com/vtapi/v2/url/report?apikey=<apikey>&resource=<resource>'
You will create apikey.csv.

 apikey.csv:
 apikey
 your_api_key

Url/Report workflow action example:

 index=your_index sourcetype=your_sourcetype 
| inputlookup append=t apikey.csv
`comment("append=t adds the lookup row as an extra event; copy apikey onto every event so the workflow action can resolve $apikey$")`
| eventstats values(apikey) as apikey
| eval resource=your_url

Set up a GET workflow action
Workflow setting:

Link configuration > URI
https://www.virustotal.com/vtapi/v2/url/report?apikey=$apikey$&resource=$!resource$

The fields of the result JSON:

scans
permalink
positives
resource
response_code
scan_date
scan_id
url
total
verbose_msg

The fields of the result JSON, scans object:

<antivirus vendor>.detected
<antivirus vendor>.result
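As an added illustration of the two steps in this answer (not code from the thread or from the VirusTotal TA): the first part mirrors the rex prefix extraction and the sha256() link-building in Python, stripping whitespace so a stray trailing space does not silently change the hash; the second reduces a v2 url/report response to positives/total and the vendors whose detected flag is set. The vendor names and the JSON sample are constructed, not a real VirusTotal response.

```python
import hashlib
import json
import re

# Same prefix extraction as the rex in the answer: scheme://host[:port]/
VT_URL_PREFIX = re.compile(r"^(?P<vt_url>.+://[\w:.]+?/)")


def vt_url_prefix(url):
    """Return the scheme://host/ prefix the rex command extracts, or None."""
    m = VT_URL_PREFIX.match(url.strip())
    return m.group("vt_url") if m else None


def vt_url_id(url):
    """SHA-256 of the URL string, the id used in VirusTotal GUI URL links.
    Whitespace is stripped first: a trailing space gives a different hash."""
    return hashlib.sha256(url.strip().encode("utf-8")).hexdigest()


def vt_gui_link(url):
    """Build the link the GUI workflow action opens."""
    return f"https://www.virustotal.com/gui/url/{vt_url_id(url)}/detection"


def summarize_report(report_json):
    """Reduce a v2 url/report response to positives/total plus the list of
    (vendor, result) pairs whose 'detected' flag is true."""
    report = json.loads(report_json)
    if report.get("response_code") != 1:
        # 0 = resource not in the dataset, -2 = still queued; nothing to read yet
        return {"status": report.get("verbose_msg", "no report"), "hits": []}
    hits = sorted(
        (vendor, scan.get("result"))
        for vendor, scan in report.get("scans", {}).items()
        if scan.get("detected")
    )
    return {"status": "ok", "positives": report.get("positives", 0),
            "total": report.get("total", 0), "hits": hits}


# Constructed sample in the v2 url/report shape (not a real VT response)
SAMPLE_REPORT = json.dumps({
    "response_code": 1, "verbose_msg": "Scan finished",
    "resource": "http://example.invalid/", "url": "http://example.invalid/",
    "positives": 2, "total": 3,
    "scans": {
        "VendorA": {"detected": True, "result": "malicious site"},
        "VendorB": {"detected": False, "result": "clean site"},
        "VendorC": {"detected": True, "result": "phishing site"},
    },
})
```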


VijaySrrie
Builder

Hi to4kawa,

1) I have done the workflow settings.
2) To get the hash value:

| makeresults
| eval _raw="http://www.yahoo.com/"
| eval hash=sha256(_raw)

3) I don't know how to proceed further.


VijaySrrie
Builder

Name and label of the workflow is virustotal


to4kawa
Ultra Champion

Look at my second query.

Your search, in which there is a url (http://xxx.xxx.xx/yyy/zzz....) field:
| rex field=url "^(?<vt_url>.+:\/\/[\w\:.]+?\/)"
| eventstats values(eval(sha256(vt_url))) as vt_urlhash by vt_url

This is the solution.

My first query is aimed at explaining the VirusTotal URL and how it works.

Do you want to access VT API?


VijaySrrie
Builder

Hi,

Yes, I want to access the VT API.


to4kawa
Ultra Champion

Hi, @vijaysri
My answer is updated, please confirm.
