Hi,
My firm has a Chronicle and VT license. How can I use VirusTotal Relationships (vt) in a YARA rule?
Thanks
Serbay
Best answer by cmmartin_google
Hi Chris,
Only SIEM, and I want to learn how events are enriched with VirusTotal file metadata.
The VT Relationships and VT File Metadata are not on by default and require enabling, pending contact with your Google Chronicle account team to enable the feature after verification that you have the appropriate license.
In terms of how VT File Metadata enrichment works: for any parser that populates target.file.sha256 or target.process.file.sha256, a lookup is performed and VT File Metadata is enriched onto the UDM Target File object.
You can then write YARA-L Rules or UDM Search using these fields, e.g., to detect any file with a high confidence score:
rule vt_malicious_file_verdict {
  meta:
    description = "Matches UDM PROCESS_ Events against VT File Metadata Enrichment for known Malicious Verdicts."
    severity = "HIGH"
    priority = "HIGH"
  events:
    (
      $e.metadata.event_type = "PROCESS_LAUNCH" or
      $e.metadata.event_type = "PROCESS_OPEN" or
      $e.metadata.event_type = "PROCESS_INJECTION" or
      $e.metadata.event_type = "PROCESS_MODULE_LOAD" or
      $e.metadata.event_type = "PROCESS_TERMINATION" or
      $e.metadata.event_type = "PROCESS_UNCATEGORIZED"
    )
    // verdict written onto the target process file by VT File Metadata enrichment
    $e.target.process.file.security_result.threat_verdict = "MALICIOUS"
    // a hash must be present, otherwise no enrichment lookup took place
    $e.target.process.file.sha256 = $hash and $e.target.process.file.sha256 != ""
    // placeholder variables
    $e.principal.hostname = $asset
    $e.target.file.sha256 = $target_hash
    $e.target.user.userid = $user
  match:
    $asset over 1m
  outcome:
    // base score 75, raised when the action was allowed, lowered when it was blocked
    $risk_score = max(
      75 +
      if($e.security_result.action = "ALLOW", 10) -
      if($e.security_result.action = "BLOCK", 10)
    )
    $oc_tags = array_distinct($e.target.process.file.tags)
  condition:
    $e
}
Or you can use VT File Metadata tags:
rule vt_suspicious_ps_files {
  meta:
    description = "Detects powershell files with obfuscated code of a known Tag in Virus Total"
    severity = "MEDIUM"
    priority = "MEDIUM"
  events:
    $vt.metadata.log_type = "WINDOWS_SYSMON"
    (
      $vt.metadata.event_type = "PROCESS_LAUNCH" or
      $vt.metadata.event_type = "PROCESS_OPEN" or
      $vt.metadata.event_type = "PROCESS_MODULE_LOAD"
    )
    // VT File Metadata Enrichment: file_type and tags are populated from VirusTotal
    $vt.target.file.file_type = "FILE_TYPE_POWERSHELL"
    any $vt.target.file.tags = "obfuscated"
    any $vt.target.file.tags = "powershell"
    $tags = arrays.length($vt.target.file.tags)
  outcome:
    // both tags must be present for the score to exceed the threshold in the condition
    $risk_score = max(
      if ($vt.target.file.tags = "powershell", 50, 0) +
      if ($vt.target.file.tags = "obfuscated", 10, 0)
    )
    $oc_cd_vt_tags = $tags
  condition:
    $vt and $risk_score > 50
}
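To check what the two rules above would do before deploying them, here is an added example (not Chronicle code; Chronicle evaluates YARA-L server-side) that mirrors their per-event logic in Python over constructed UDM-shaped events. The dict layout follows the field paths used in the rules, the sha256 values are fake, and the 1m match window of the first rule is not modelled.

```python
"""Offline emulation of the two YARA-L rules against constructed UDM events."""
from typing import Optional

PROCESS_TYPES = {"PROCESS_LAUNCH", "PROCESS_OPEN", "PROCESS_INJECTION",
                 "PROCESS_MODULE_LOAD", "PROCESS_TERMINATION", "PROCESS_UNCATEGORIZED"}

def vt_malicious_file_verdict(event: dict) -> Optional[int]:
    """Mirror rule vt_malicious_file_verdict; return the risk score, or None if no match."""
    if event["metadata"]["event_type"] not in PROCESS_TYPES:
        return None
    pfile = event.get("target", {}).get("process", {}).get("file", {})
    # VT File Metadata enrichment populates file.security_result.threat_verdict
    if pfile.get("security_result", {}).get("threat_verdict") != "MALICIOUS":
        return None
    if not pfile.get("sha256"):  # the rule requires a non-empty sha256
        return None
    # security_result is a repeated field in UDM, so ALLOW/BLOCK means "any element"
    actions = {sr.get("action") for sr in event.get("security_result", [])}
    return 75 + (10 if "ALLOW" in actions else 0) - (10 if "BLOCK" in actions else 0)

def vt_suspicious_ps_files(event: dict) -> Optional[int]:
    """Mirror rule vt_suspicious_ps_files; fires only when the score exceeds 50."""
    md = event["metadata"]
    if md.get("log_type") != "WINDOWS_SYSMON" or md["event_type"] not in {
            "PROCESS_LAUNCH", "PROCESS_OPEN", "PROCESS_MODULE_LOAD"}:
        return None
    tfile = event.get("target", {}).get("file", {})
    tags = set(tfile.get("tags", []))  # VT tags are a repeated string field
    if tfile.get("file_type") != "FILE_TYPE_POWERSHELL" or not {"obfuscated", "powershell"} <= tags:
        return None
    score = (50 if "powershell" in tags else 0) + (10 if "obfuscated" in tags else 0)
    return score if score > 50 else None

# Constructed sample events (fake sha256, not a real indicator).
FAKE_SHA256 = "a" * 64
SAMPLE_EVENTS = {
    "blocked_malicious": {
        "metadata": {"event_type": "PROCESS_LAUNCH", "log_type": "WINDOWS_SYSMON"},
        "security_result": [{"action": "BLOCK"}],
        "target": {"process": {"file": {"sha256": FAKE_SHA256,
                   "security_result": {"threat_verdict": "MALICIOUS"}}}}},
    "allowed_malicious_no_hash": {  # no hash, so no enrichment lookup would have run
        "metadata": {"event_type": "PROCESS_OPEN", "log_type": "WINDOWS_SYSMON"},
        "security_result": [{"action": "ALLOW"}],
        "target": {"process": {"file": {"sha256": "",
                   "security_result": {"threat_verdict": "MALICIOUS"}}}}},
    "obfuscated_ps1": {
        "metadata": {"event_type": "PROCESS_MODULE_LOAD", "log_type": "WINDOWS_SYSMON"},
        "target": {"file": {"sha256": FAKE_SHA256, "file_type": "FILE_TYPE_POWERSHELL",
                            "tags": ["powershell", "obfuscated", "script"]}}},
}
```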