Simple Virus Total integration with Splunk dashboards

Alex Verbniak
Latest posts by Alex Verbniak (see all)
WRITTEN BY
Alex Verbniak
151
October 16, 2017 · 3 min read

Simple integration helps search for malicious processes

Greetings Everyone! Let’s continue to turn Splunk into a multipurpose tool that can quickly detect any threat. My last article described how to create correlation events using Alerts. Now I’ll tell you how to make a simple integration with Virus Total base.

Many of us use Sysmon in the environment to monitor network connections, process creations and any changes in time of file creation. This system driver provides monitoring and logging of system activity to the Event Log. One of the most required Sysmon features is calculation and recording of running processes’ hashes. Thus, we can use this data, Splunk and Virus Total base to detect malicious processes that possibly run in your environment.

So let’s start

  1. Collect Sysmon logs to Splunk.

To setup collecting Sysmon logs from Windows systems, we need to install Add-on for Microsoft Sysmon on Splunk. You can find the description of this process on https://splunkbase.splunk.com/app/1914/.

  1. At this point we have already installed Add-on for Microsoft Sysmon and logs are collecting into our Splunk:

  1. So now we need to make search and create a table with processes that run on our test server.

Sysmon event with ID 1:

index=* source=”WinEventLog:Microsoft-Windows-Sysmon/Operational” EventCode=1

Building of statistics table:

index=* source=”WinEventLog:Microsoft-Windows-Sysmon/Operational” EventCode=1 | stats count by Computer Hashes Image

  1. Then we save this search as dashboard panel:

  1. Now for the saved panel, we need to create a drilldown on the VirusTotal page to check the hash from the table. To do this, we open Edit Source panel, add drilldown option and tag:

<option name=”drilldown”>cell</option>

               <drilldown target=”My New Window”>

         <eval token=”hash”>$row.Hashes$</eval>

         <link>https://www.virustotal.com/latest-scan/$hash$</link>

       </drilldown>

  1. After saving the dashboard, we will be able to click on the Hashes cell to check the hash on the Virus Total page with this drilldown:

In this article, I showed a simple way to make integration using drilldown. You can leverage this method to integrate a lot of different and convenient checks on external web resources. With a single click, you will get the information you need. You can also use Sysmon Framework by SOC Prime for detection and deeper analysis of malicious activities. My next article will be about leveraging of depends panels, the tool that helps make dashboards more informative.

Was this article helpful?

Like and share it with your peers.

Related Posts

Blog, SIEM & EDR — 7 min read
Azure Sentinel Definitive Guide: Diving In Microsoft’s Cloud Platform
Sergiy Prystaiko
Blog, SIEM & EDR — 5 min read
Creating Google Chronicle Rules in Your Environment
Leandro Ariel Millahuel
Blog, SIEM & EDR — 6 min read
Creating Microsoft Azure Sentinel Rules in Your SIEM Instance
Sergiy Prystaiko

This site uses cookies and other tracking technologies to assist with navigation and your ability to provide feedback, analyse your use of our products and services, assist with our promotional and marketing efforts, and provide content from third parties. Cookie Policy. Details

Refuse Cookies Accept Cookies

You previously chose to disable cookies. This site uses cookies and other tracking technologies to assist with navigation and your ability to provide feedback, analyse your use of our products and services, assist with our promotional and marketing efforts, and provide content from third parties. Cookie Policy. Details

Details Accept Cookies