Workflow action - Virustotal

VijaySrrie
Builder

Is it possible to create workflow action to check the malicious URL?
If yes, after setting it up how to work on it?


to4kawa
Ultra Champion

Hi @vijaysri,

Try this app:

virus total TA

virus total TA usage

My old answer:

Look at this.

| makeresults 
| eval _raw="http://www.yahoo.com/" 
| eval hash=sha256(_raw) 
| appendpipe 
    [ eval hash="ed91698b5823a5e4424726955dd3fd437d9cfdc46f7b8988cded5da779cc7483"]
`comment("the hash of below link")`

https://www.virustotal.com/gui/url/ed91698b5823a5e4424726955dd3fd437d9cfdc46f7b8988cded5da779cc7483/...
This query aims to explain the VirusTotal URL.
So you just have to hash the URL with sha256() (it starts with http and ends with / or a file name or an anchor name)
and give it to the link.

Create workflow actions in SplunkWeb

index="botsv2" sourcetype="stream:http"
| rex field=url "^(?<vt_url>.+:\/\/[\w\:.]+?\/)"
| eventstats values(eval(sha256(vt_url))) as vt_urlhash by vt_url

For example, I made it using the BOSS of the SOC 2 data set.

Workflow Settings:

Fields » Workflow actions » Add new

Link configuration

URI   https://www.virustotal.com/gui/url/$vt_urlhash$/detection
Open link in   New window
Link method   get

| makeresults
| eval _raw="http://freeloaderstokyo.com/fill-form.html"
`comment("this url is malicious, Do NOT access! No trailing space inside the quotes: it would change the sha256")`
| eval hash=sha256(_raw)
`comment("put the url to _raw")`
| eval link="https://www.virustotal.com/gui/url/".hash."/detection"
`comment("inside eval, concatenate the field with . rather than $hash$ (the $field$ form is for workflow action URIs)")`

This is interesting, too.

EDITED:

VT API access:
The URL described here (VT API reference) will be created in Splunk.

example: curl --request GET --url 'https://www.virustotal.com/vtapi/v2/url/report?apikey=<apikey>&resource=<resource>'
You will create apikey.csv.

 apikey.csv:
 apikey
 your_api_key

Url/Report workflow action example:

index=your_index sourcetype=your_sourcetype
| inputlookup append=t apikey.csv
`comment("append=t adds the key as its own row; copy it onto every event so $apikey$ resolves in the workflow action")`
| eventstats values(apikey) as apikey
| eval resource=your_url

Set up a GET workflow action
workflow setting:

Link configuration > URI
https://www.virustotal.com/vtapi/v2/url/report?apikey=$apikey$&resource=$!resource$

The fields of the access result JSON file:

scans:
permalink:
positives:
resource:
response_code:
scan_date:
scan_id:
url:
total:
verbose_msg:

The fields of the access result JSON file, scans object:

<antivirus vendor>.detected
<antivirus vendor>.result
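A worked example added here in Python (it is not part of to4kawa's answer, the VirusTotal TA, or the VirusTotal API client): it derives the same SHA-256 URL identifier the answer computes with sha256(_raw), reduces a full URL to scheme://host/ the way the rex does, builds the v2 url/report GET request that the API workflow action sends, and parses the report fields the answer lists. The function names and the sample report JSON are constructed for the example; the endpoint paths are the ones in the answer.

```python
# Added example, not code from the Splunk Answers thread. Function names and the
# sample report are constructed; the VT endpoint paths are the ones in the answer.
import hashlib
import json
import re
from urllib.parse import quote

VT_GUI_URL = "https://www.virustotal.com/gui/url/{}/detection"
VT_V2_REPORT = "https://www.virustotal.com/vtapi/v2/url/report"

# Same pattern as the answer's rex: scheme://host/ (non-greedy up to the first slash).
SITE_ROOT_RE = re.compile(r"^(?P<vt_url>.+://[\w:.]+?/)")


def vt_url_id(url: str) -> str:
    """VirusTotal's GUI identifies a URL by the SHA-256 hex digest of the URL text.
    Mirrors `eval hash=sha256(_raw)`; whitespace is stripped first because a stray
    trailing space produces a different digest and therefore a dead link."""
    return hashlib.sha256(url.strip().encode("utf-8")).hexdigest()


def site_root(url: str) -> str:
    """Reduce a full URL to scheme://host/ as the answer's rex does. VT keys reports
    on the exact URL text, so this looks up the site root, not the specific page."""
    m = SITE_ROOT_RE.match(url.strip())
    return m.group("vt_url") if m else url.strip()


def vt_gui_link(url: str) -> str:
    """The link the GUI workflow action opens ($vt_urlhash$ in the answer)."""
    return VT_GUI_URL.format(vt_url_id(url))


def vt_v2_report_query(api_key: str, resource: str) -> str:
    """The GET URL of the API workflow action, with both parameters percent-encoded
    so a resource containing '&', '#' or spaces survives as one query value."""
    return (f"{VT_V2_REPORT}?apikey={quote(api_key, safe='')}"
            f"&resource={quote(resource, safe='')}")


def summarize_v2_report(report_json: str) -> dict:
    """Pull the fields the answer enumerates out of a v2 url/report response.
    response_code 1 means VT has a report; anything else means no report."""
    r = json.loads(report_json)
    if r.get("response_code") != 1:
        return {"found": False, "verbose_msg": r.get("verbose_msg", "")}
    scans = r.get("scans", {})
    # <antivirus vendor>.detected / .result, as listed in the answer
    detected_by = sorted(v for v, s in scans.items() if s.get("detected"))
    return {
        "found": True,
        "resource": r.get("resource"),
        "positives": r.get("positives"),
        "total": r.get("total"),
        "scan_date": r.get("scan_date"),
        "detected_by": detected_by,
        "permalink": r.get("permalink"),
    }


# Constructed sample response (not real VT output) with the field layout the answer lists.
SAMPLE_URL = "http://bad.example.invalid/fill-form.html"
SAMPLE_REPORT = json.dumps({
    "response_code": 1,
    "verbose_msg": "Scan finished, scan information embedded in this object",
    "resource": SAMPLE_URL,
    "url": SAMPLE_URL,
    "scan_id": vt_url_id(SAMPLE_URL) + "-1700000000",
    "scan_date": "2023-11-14 22:13:20",
    "permalink": VT_GUI_URL.format(vt_url_id(SAMPLE_URL)),
    "positives": 2,
    "total": 3,
    "scans": {
        "VendorA": {"detected": True, "result": "malicious site"},
        "VendorB": {"detected": False, "result": "clean site"},
        "VendorC": {"detected": True, "result": "phishing site"},
    },
})

# Constructed "unknown resource" response.
UNKNOWN_REPORT = json.dumps({"response_code": 0,
                             "verbose_msg": "Resource does not exist in the dataset"})


if __name__ == "__main__":
    print(vt_gui_link(site_root(SAMPLE_URL)))
    print(vt_v2_report_query("YOUR_API_KEY", SAMPLE_URL))
    print(summarize_v2_report(SAMPLE_REPORT))
    print(summarize_v2_report(UNKNOWN_REPORT))
```

Two points the thread leaves implicit: the `$!resource$` form in the answer's URI tells Splunk not to URL-encode that value, so a resource containing `&` or `#` would be split into extra query parameters, which is why the example percent-encodes it; and because the GUI workflow action hashes only `scheme://host/`, it opens the report for the site root rather than for the exact page the event recorded.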

VijaySrrie
Builder

Hi to4kawa,

1) I have done the workflow settings.
2) To get the hash value:
| makeresults
| eval _raw="http://www.yahoo.com/"
| eval hash=sha256(_raw)

3) I don't know how to proceed further.


VijaySrrie
Builder

Name and label of the workflow is virustotal


to4kawa
Ultra Champion

Look at my second query.

your search, where there is a url (http://xxx.xxx.xx/yyy/zzz....) field
| rex field=url "^(?<vt_url>.+:\/\/[\w\:.]+?\/)"
| eventstats values(eval(sha256(vt_url))) as vt_urlhash by vt_url

This is the solution.

My first query aims to explain how the VirusTotal URL works.

Do you want to access the VT API?


VijaySrrie
Builder

Hi,

Yes, I want to access the VT API.


to4kawa
Ultra Champion

Hi @vijaysri,
My answer is updated, please confirm.
