VT4Splunk, official VirusTotal app for Splunk
Configuration and use guide
Overview
The VT4Splunk app enriches events with reporting data retrieved from the VT API v3.
Compatibility Matrix
- Unix OS
- Splunk version: 9.0.x, 8.2.x, 8.1.x, 8.0.x
- Python version: Python3
RELEASE NOTES
You can find them at the end of this README.
INSTALLATION
The VT4Splunk app can be installed through the UI as shown below. It has to be installed only on the search head.
- Log in to Splunk Web and navigate to Apps > Manage Apps.
- Click `Install app from file`.
- Click `Choose file` and select the TA-virustotal-app installation file.
- Click on `Upload`.
- Restart Splunk.
CONFIGURATION
Configuring VT4Splunk:
Proxy
To configure proxy settings, the following fields are available:
| Setting | Required | Description |
| --- | --- | --- |
| Enable Proxy | Optional | Enable or disable the proxy |
| Proxy Host | Mandatory | Host or IP of the proxy server |
| Proxy Port | Mandatory | Port of the proxy server |
| Proxy Username | Optional | Username for the proxy server |
| Proxy Password | Optional | Password for the proxy server |
Note that only HTTP proxies are supported.
Logging
To configure the logging:
- Navigate to the `Configuration` tab.
- Click on the `Logging` tab.
- Select the log level and click on `Save`.
Add-on Settings
To configure the add-on specific settings:
- `VirusTotal API Key`: the VirusTotal API key, which you can find on the virustotal.com platform. This key is used to retrieve the data provided by the VirusTotal API.
- `Cache expiration`: determines where the enrichment comes from. The enrichment is served from the cache if the saved data is newer than the number of minutes configured here; otherwise it is retrieved from the API. A value of zero sends every call to the VT API.
- `Fields for [file, URL, domain, IP] cache`: the values in these fields are used to enrich events during the execution of the saved searches. Update them with the names of the fields in your events that contain IoCs.
TESTING API CONNECTION
To test your connection to the VirusTotal API you can use this query:
| makeresults
| eval testip="8.8.8.8"
| vt4splunk ip=testip
VT4SPLUNK COMMAND
This is the central point of enrichment in the app. The command enriches every event of a given SPL query result, adding vt_* fields with the VT reporting data.
Parameters:
hash - Expects a file hash (MD5, SHA1 or SHA256)
ip - Expects an IPv4 address
url - Expects a web URL
domain - Expects a web domain
nocache - Forces the results to be fetched from the VT API
Example of use:
sourcetype=access_* status=400 method=POST
| vt4splunk ip=clientip
Or skipping the cache:
sourcetype=access_* status=400 method=POST
| vt4splunk ip=clientip nocache=true
SAVED SEARCHES
This add-on comes with four saved searches, scheduled by default every 30 minutes. These searches inspect all your events looking for fields with IoCs (these fields can be customized in the configuration tab); the IoCs are enriched automatically with the `vt4splunk` command and the information is stored in the lookup tables. All the information collected by the searches is available in the dashboards, where it can be filtered by several criteria.
DASHBOARDS
These dashboards get most of the data from
- Threat Intelligence - IoCs collected from events, ordered by detections. Each row can expand the VT Augment report.
- Top CVEs and hashes - CVEs ordered by number of matches in events. Each CVE expands to a list of matched hashes, and each hash expands to a list of the events involved.
- API Usage - Monitor the VirusTotal API consumption.
CACHE
The app implements a cache on top of the Splunk lookup tables. This cache has two purposes:
- Avoid unnecessary calls to the VirusTotal API: every enrichment result is stored in the cache and served from there while it meets the TTL criterion, avoiding repeated API calls for the same IoC.
- Store enrichment data in lookup tables, so that the user can query those tables directly to build complex searches, or enrich events faster than with the `vt4splunk` command.
This is an example of event enrichment using only the lookup table:
sourcetype=access_* status=400 method=POST
| lookup vt_ip_cache vt_id AS clientip OUTPUT vt_malicious, vt_total_engines, vt_tags, vt_reputation, vt_country, vt_asn, vt_as_owner, vt_network
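As an added illustration of the `Cache expiration` setting, the `nocache` parameter and the cache write-back described above (model code, not the app's own implementation): the record layout, the `stored_at` timestamp and the `vt_source` field are assumptions, while the vt_* column names follow the vt_ip_cache table.

```python
from datetime import datetime, timedelta

# Added model of the VT4Splunk cache decision (not the app's own code): an IoC is
# served from the lookup-table cache while its stored record is newer than the
# "Cache expiration" minutes; a value of 0, or nocache=true on the command,
# always calls the VT API. The record layout and the stored_at / vt_source
# names are assumptions; the vt_* column names come from the vt_ip_cache table.

# Constructed vt_ip_cache rows keyed by vt_id (addresses from documentation ranges).
VT_IP_CACHE = {
    "198.51.100.7": {"vt_found": True, "vt_malicious": 12, "vt_total_engines": 90,
                     "vt_country": "ZZ", "stored_at": datetime(2023, 6, 1, 12, 0)},
}
NOW = datetime(2023, 6, 1, 12, 30)    # 30 minutes after the record was stored
LATER = datetime(2023, 6, 1, 13, 45)  # 105 minutes after, past a 60-minute TTL


def served_from_cache(record, now, ttl_minutes, nocache=False):
    """True when a cached record exists and is still within the TTL."""
    if nocache or ttl_minutes <= 0 or record is None:
        return False
    return now - record["stored_at"] < timedelta(minutes=ttl_minutes)


def fetch_from_vt_api(ioc):
    """Stand-in for the VT API v3 lookup; returns a constructed 'not found' record."""
    return {"vt_found": False, "vt_malicious": 0, "vt_total_engines": 0, "vt_country": ""}


def enrich_event(event, field, cache, now, ttl_minutes, nocache=False):
    """Add vt_* fields to one event, refreshing the cache when the TTL has expired."""
    ioc = event.get(field)
    if ioc is None:          # nothing to enrich in this event
        return dict(event)
    record = cache.get(ioc)
    source = "cache"
    if not served_from_cache(record, now, ttl_minutes, nocache):
        record = dict(fetch_from_vt_api(ioc), stored_at=now)
        cache[ioc] = record  # write-back: the app stores results in the lookup table
        source = "api"
    enriched = dict(event)
    enriched.update({k: v for k, v in record.items() if k.startswith("vt_")})
    enriched["vt_source"] = source  # hypothetical field showing where the data came from
    return enriched


if __name__ == "__main__":
    print(enrich_event({"clientip": "198.51.100.7", "status": 400},
                       "clientip", dict(VT_IP_CACHE), NOW, 60))
```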
Lookup tables
vt_file_cache
vt_id - The IoC itself.
vt_found - Boolean indicating whether the IoC is present in the VT database.
vt_malicious - Number of security vendors with a positive detection.
vt_total_engines - Total number of security vendors that analysed this IoC.
vt_tags - VirusTotal tags.
vt_reputation - VirusTotal community reputation.
vt_first_submission - Timestamp of the first submission.
vt_last_submission - Timestamp of the last submission.
vt_md5 - File's MD5 hash.
vt_sha1 - File's SHA1 hash.
vt_sha256 - File's SHA256 hash.
vt_file_extension - File's extension.
vt_vhash - Value of VirusTotal's in-house similarity clustering algorithm, based on a simple structural feature hash, that lets you find similar files.
vt_file_type - Tag representing the file type.
vt_threat_label - Human-readable names extracted from AV verdicts and clustering hashes.
vt_signature_verified - Status of the certificate. It can say "Signed" or "Unsigned", or, if there is any problem with the signature, the problem is noted here (e.g. "A certificate was explicitly revoked by its issuer.").
vt_signature_date - When the file was signed, in %H:%M %p %m/%d/%Y format.
vt_signature_signers - String with the signers' Common Names, separated by a ; character.
vt_signature_counter_signers - Details about each counter-signer certificate.
vt_url_cache
vt_id - The IoC itself.
vt_found - Boolean indicating whether the IoC is present in the VT database.
vt_malicious - Number of security vendors with a positive detection.
vt_total_engines - Total number of security vendors that analysed this IoC.
vt_tags - VirusTotal tags.
vt_reputation - VirusTotal community reputation.
vt_first_submission - Timestamp of the first submission.
vt_last_submission - Timestamp of the last submission.
vt_domain_cache
vt_id - The IoC itself.
vt_found - Boolean indicating whether the IoC is present in the VT database.
vt_malicious - Number of security vendors with a positive detection.
vt_total_engines - Total number of security vendors that analysed this IoC.
vt_tags - VirusTotal tags.
vt_reputation - VirusTotal community reputation.
vt_ip_cache
vt_id - The IoC itself.
vt_found - Boolean indicating whether the IoC is present in the VT database.
vt_malicious - Number of security vendors with a positive detection.
vt_total_engines - Total number of security vendors that analysed this IoC.
vt_tags - VirusTotal tags.
vt_reputation - VirusTotal community reputation.
vt_country - Country where the IP is located (ISO-3166 country code).
vt_asn - Autonomous System Number to which the IP belongs.
vt_as_owner - Owner of the Autonomous System to which the IP belongs.
vt_network - IPv4 network range to which the IP belongs.
Clean the cache
The following queries empty the whole cache/lookup table for each entity type:
| outputlookup vt_file_cache
| outputlookup vt_url_cache
| outputlookup vt_domain_cache
| outputlookup vt_ip_cache
SUPPORT
Email [email protected]
Copyright (c) 2023 Google. All rights reserved.
RELEASE NOTES
Version 1.2.0
- Added saved searches to automate the vt4splunk enrichment.
- Added a malware category pie chart in the Threat Intelligence dashboard.
- Added a lookup date column in the Threat Intelligence dashboard.
- Fixed a bug where the VT Augment report didn't open in some cases.
Version 1.1.0
- Fixed several dashboard errors.
- Fixed a proxy error when the user and password were missing.
Version 1.0.0
- Added a `vt4splunk` command to enrich events.
- Added a threat intelligence dashboard to show all malicious IoCs collected from your events.
- Added a dashboard to show all CVEs found in your events.
- Added a dashboard to monitor the consumption of the VT API quota.