Is it possible to create workflow action to check the malicious URL?
If yes, after setting it up how to work on it?
Hi, @vijaysri
try app
my old answer:
Look at this.
| makeresults
| eval _raw="http://www.yahoo.com/"
| eval hash=sha256(_raw)
| appendpipe
[ eval hash="ed91698b5823a5e4424726955dd3fd437d9cfdc46f7b8988cded5da779cc7483"]
`comment("the hash of below link")`
https://www.virustotal.com/gui/url/ed91698b5823a5e4424726955dd3fd437d9cfdc46f7b8988cded5da779cc7483/...
This query is aimed at explaining the VirusTotal URL.
So you just have to hash the URL with sha256()
(the URL starts with http and ends with / or a file name or an anchor name)
and put the hash into the link.
Create workflow actions in SplunkWeb
index="botsv2" sourcetype="stream:http"
| rex field=url "^(?<vt_url>.+:\/\/[\w\:.]+?\/)"
| eventstats values(eval(sha256(vt_url))) as vt_urlhash by vt_url
For example, I made it using the BOSS of the SOC 2 data set.
Workflow Settings:
Fields » Workflow actions » Add new
Link configuration
URI https://www.virustotal.com/gui/url/$vt_urlhash$/detection
Open link in New window
Link method get
| makeresults
| eval _raw="http://freeloaderstokyo.com/fill-form.html"
`comment("this url is malicious, Do NOT access!")`
`comment("put the url to _raw")`
| eval hash=sha256(_raw)
| eval link="https://www.virustotal.com/gui/url/".hash."/detection"
This is interesting, too.
EDITED:
VT API access:
The URL described here (VT API reference) will be created in Splunk.
example: curl --request GET --url 'https://www.virustotal.com/vtapi/v2/url/report?apikey=<apikey>&resource=<resource>'
You will create apikey.csv.
apikey.csv:
apikey
your_api_key
Url/Report workflow action example:
index=your_index sourcetype=your_sourcetype
| inputlookup append=t apikey.csv
| eval resource=your_url
Setup a GET workflow action
workflow setting:
Link configuration > URI
https://www.virustotal.com/vtapi/v2/url/report?apikey=$apikey$&resource=$!resource$
The fields of access result JSON file:
scans:
permalink :
positives :
resource :
response_code :
scan_date :
scan_id :
url:
total :
verbose_msg :
The fields of the access result JSON file, scans object:
<antivirus vendor>.detected
<antivirus vendor>.result
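As an added example (not code from the original answers, and not a Splunk command), here is the same procedure in Python: the scheme://host/ prefix extraction with the rex pattern from the answer, the sha256 URL identifier used in the GUI link, the v2 url/report request URL from the curl example, and a reducer for the v2 JSON fields listed above. The vendor names and the JSON responses are constructed sample data, not real VirusTotal output.

```python
import hashlib
import json
import re
from typing import Optional
from urllib.parse import urlencode

# Same pattern as the SPL rex in the answer; Python spells the named group (?P<name>...).
VT_URL_RE = re.compile(r"^(?P<vt_url>.+://[\w:.]+?/)")


def vt_url_prefix(url: str) -> Optional[str]:
    """Return the scheme://host/ part of url (what the rex puts into vt_url), or None."""
    m = VT_URL_RE.match(url)
    return m.group("vt_url") if m else None


def vt_url_id(url: str) -> str:
    """SHA-256 hex digest of the URL, the identifier used in VirusTotal GUI URL links.
    Surrounding whitespace is stripped first: a stray trailing space changes the hash."""
    return hashlib.sha256(url.strip().encode("utf-8")).hexdigest()


def vt_gui_link(url: str) -> str:
    """Build the /gui/url/<sha256>/detection link the workflow action opens."""
    return f"https://www.virustotal.com/gui/url/{vt_url_id(url)}/detection"


def vt_v2_report_url(url: str, apikey: str) -> str:
    """Build the v2 url/report request from the curl example.
    The resource is percent-encoded so '&' or '#' inside the URL cannot break the query string."""
    query = urlencode({"apikey": apikey, "resource": url.strip()})
    return "https://www.virustotal.com/vtapi/v2/url/report?" + query


def summarize_v2_report(report_json: str) -> dict:
    """Reduce a v2 url/report response to positives/total and the vendors that detected it."""
    r = json.loads(report_json)
    if r.get("response_code") != 1:
        # response_code 0 means the resource is not in the dataset; -2 means still queued.
        return {"found": False, "verbose_msg": r.get("verbose_msg")}
    scans = r.get("scans", {})
    detected_by = sorted(v for v, s in scans.items() if s.get("detected"))
    return {
        "found": True,
        "positives": r.get("positives"),
        "total": r.get("total"),
        "detected_by": detected_by,
        "results": {v: scans[v].get("result") for v in detected_by},
        "permalink": r.get("permalink"),
    }


# Constructed sample responses in the v2 shape; vendor names and values are made up.
SAMPLE_REPORT = json.dumps({
    "response_code": 1,
    "verbose_msg": "Scan finished, scan information embedded in this object",
    "resource": "http://freeloaderstokyo.com/fill-form.html",
    "url": "http://freeloaderstokyo.com/fill-form.html",
    "scan_id": "constructed-scan-id",
    "scan_date": "2020-01-01 00:00:00",
    "permalink": "https://www.virustotal.com/gui/url/constructed/detection",
    "positives": 2,
    "total": 3,
    "scans": {
        "VendorA": {"detected": True, "result": "malicious site"},
        "VendorB": {"detected": False, "result": "clean site"},
        "VendorC": {"detected": True, "result": "phishing site"},
    },
})
SAMPLE_NOT_FOUND = json.dumps({
    "response_code": 0,
    "verbose_msg": "Resource does not exist in the dataset",
})


if __name__ == "__main__":
    url = "http://freeloaderstokyo.com/fill-form.html"
    print(vt_url_prefix(url))
    print(vt_gui_link(url))
    print(vt_v2_report_url(url, "your_api_key"))
    print(summarize_v2_report(SAMPLE_REPORT))
```

The hash is computed over the exact string, so the rex prefix (hash of http://host/) and the full URL (hash of http://host/path) give two different VirusTotal identifiers; pick one deliberately in the workflow action and use the same one everywhere.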
Hi to4kawa,
1) I have done the workflow settings
2) To get the hash value:
| makeresults
| eval _raw="http://www.yahoo.com/"
| eval hash=sha256(_raw)
3) I don't know how to proceed further.
Name and label of the workflow is virustotal
Look at my second query.
Your search, which has a url field (http://xxx.xxx.xx/yyy/zzz....):
| rex field=url "^(?<vt_url>.+:\/\/[\w\:.]+?\/)"
| eventstats values(eval(sha256(vt_url))) as vt_urlhash by vt_url
This is the solution.
My first query is aimed at explaining how the VirusTotal URL works.
Do you want to access VT API?
Hi,
yes I want to access VT API
Hi, @vijaysri
My answer updated, please confirm.