The VirusTotal integration enhances threat detection by leveraging the VirusTotal malware database for accurate identification and faster incident response.
Accessing VirusTotal
- Navigate to the VirusTotal Integration: From the dashboard, select VirusTotal in the left menu.
Using VirusTotal Integration
- View VirusTotal Reports: Access reports on file hashes, IP addresses, or domain names that have been analyzed by VirusTotal.
- Submit Files/URLs for Analysis: Submit suspicious files or URLs directly from the Argus interface to VirusTotal for comprehensive analysis.
- Integration with Alerts: Automatically submit hashes from detected alerts to VirusTotal and review the analysis results.
Example Use Case
- File Analysis: Submit a suspicious file detected during threat hunting to VirusTotal and analyze the results to determine if it is malicious.
Use case: Scanning a file
Follow the instructions from External API integration to enable the Integrator module and configure the VirusTotal integration.
External API integration
Configuration
To configure an integration, add the following configuration within the <ossec_config> in the /var/ossec/etc/ossec.conf file on the Argus server:
<integration>
  <name> </name>
  <api_key> </api_key>
  <alert_format>json</alert_format>
  <!-- Optional filters -->
  <rule_id> </rule_id>
  <level> </level>
  <group> </group>
  <event_location> </event_location>
  <options> </options>
</integration>
Where:
· <name> indicates the name of the service to integrate with. For custom integrations, the name must be any string that begins with custom-.
· <api_key> is the key you retrieved from the VirusTotal API. This field is mandatory for the VirusTotal integration.
· <alert_format> writes the alert file in the JSON format. The Integrator module makes use of this alert file to fetch field values. The allowed value is json.
· <rule_id> filters alerts by rule ID. The allowed values are comma-separated rule IDs.
· <level> filters alerts by rule level so only alerts with the specified level or above are pushed. The allowed value is any alert level from 0 to 16.
· <group> filters alerts by rule group. For the VirusTotal integration, only rules from the syscheck group are available. The allowed values are any rule group or comma-separated rule groups.
· <event_location> filters alerts by where the event originated. The allowed value is any sregex expression.
· <options> overwrites the previous fields or adds customization fields according to the information provided in the JSON object. The allowed value is json.
Restart the Argus manager via the command line interface with the following command:
Systemd: systemctl restart Argus-manager
SysV init: service Argus-manager restart
VirusTotal Integration
VirusTotal is an online service that analyzes files and URLs to detect viruses, worms, trojans, and other malicious content using antivirus engines and website scanners.
To set up this integration, follow these steps:
1. Get your API key from the VirusTotal API key page.
2. Edit /var/ossec/etc/ossec.conf in the Argus server and include a configuration block such as the following. Replace <VIRUSTOTAL_API_KEY> with your VirusTotal API key.
<integration>
  <name>virustotal</name>
  <api_key><VIRUSTOTAL_API_KEY></api_key> <!-- Replace with your VirusTotal API key -->
  <group>syscheck</group>
  <alert_format>json</alert_format>
</integration>
3. Restart the Argus manager to apply the changes:
Systemd: # systemctl restart Argus-manager
SysV init: # service Argus-manager restart
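As an added example (not part of the Argus documentation or the Integrator module's own code), the following Python script parses an <integration> block like the one above and applies the rule_id, level and group filters described under External API integration to a few constructed alerts, returning the file hashes that would be forwarded to VirusTotal. The alert field names rule.groups and syscheck.sha256_after, the <level>7</level> filter and the API-key placeholder are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# The <integration> block from the steps above, with a <level> filter added; the key is a placeholder.
INTEGRATION_XML = """
<integration>
  <name>virustotal</name>
  <api_key>VIRUSTOTAL_API_KEY_PLACEHOLDER</api_key>
  <group>syscheck</group>
  <level>7</level>
  <alert_format>json</alert_format>
</integration>
"""

# Constructed sample alerts; the rule.groups and syscheck.sha256_after field names are assumed here.
SAMPLE_ALERTS = [
    {"rule": {"id": "554", "level": 7, "groups": ["ossec", "syscheck"]},
     "syscheck": {"path": "/tmp/dropper.bin", "sha256_after": "a" * 64}},
    {"rule": {"id": "5710", "level": 5, "groups": ["syslog", "sshd"]},
     "data": {"srcip": "192.0.2.10"}},
    {"rule": {"id": "550", "level": 3, "groups": ["ossec", "syscheck"]},
     "syscheck": {"path": "/etc/hosts", "sha256_after": "b" * 64}},
]

def parse_integration(xml_text):
    """Read the <integration> block and enforce the mandatory fields."""
    root = ET.fromstring(xml_text)
    cfg = {child.tag: (child.text or "").strip() for child in root}
    for key in ("name", "api_key", "alert_format"):
        if not cfg.get(key):
            raise ValueError(f"<{key}> is mandatory for the VirusTotal integration")
    if cfg["alert_format"] != "json": raise ValueError("<alert_format> must be json")
    return cfg

def alert_matches(cfg, alert):
    """Apply the optional rule_id / level / group filters to one alert."""
    rule = alert.get("rule", {})
    if cfg.get("rule_id"):
        allowed = {r.strip() for r in cfg["rule_id"].split(",")}
        if str(rule.get("id")) not in allowed:
            return False
    if cfg.get("level") and int(rule.get("level", 0)) < int(cfg["level"]):
        return False  # only alerts at the configured level or above are pushed
    if cfg.get("group"):
        wanted = {g.strip() for g in cfg["group"].split(",")}
        if wanted.isdisjoint(rule.get("groups", [])):
            return False
    return True

def select_hashes(cfg, alerts):
    # Only syscheck alerts carry a file hash that VirusTotal can be queried for.
    return [a["syscheck"]["sha256_after"] for a in alerts if "syscheck" in a and alert_matches(cfg, a)]
```

With the block above, only the level-7 syscheck alert passes both filters; the sshd alert fails the group filter and the level-3 syscheck alert fails the level filter.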