Hi,
My firm has Chronicle and a VT license. How can I use VirusTotal Relationships (vt) in a YARA rule?
Thanks
Serbay
Do you have Chronicle SIEM and Chronicle SOAR (aka Siemplify)? OR just the SIEM?
My team has both Chronicle SIEM and SOAR and we primarily use VirusTotal for SIEM detection enrichment in the SOAR.
It looks like enrichment is possible in detection rules in the SIEM per se.
I found these two articles:
HTH!
Hi Chris,
Only SIEM, and I want to learn how events are enriched with VirusTotal file metadata.
The VT Relationships and VT File Metadata are not on by default, and require enabling, pending contact with your Google Chronicle account team to enable the feature, after verification that you have the appropriate license.
In terms of how VT File Metadata enrichment works, for any parser that populates target.file.sha256 or target.process.file.sha256, a lookup is performed and VT File Metadata is enriched into the UDM Target File object.
You can then write YARA-L Rules or UDM Search using these fields, e.g., to detect any file with a high confidence score:
rule vt_malicious_file_verdict {
  meta:
    description = "Matches UDM PROCESS_ Events against VT File Metadata Enrichment for known Malicious Verdicts."
    severity = "HIGH"
    priority = "HIGH"
  events:
    (
      $e.metadata.event_type = "PROCESS_LAUNCH" or
      $e.metadata.event_type = "PROCESS_OPEN" or
      $e.metadata.event_type = "PROCESS_INJECTION" or
      $e.metadata.event_type = "PROCESS_MODULE_LOAD" or
      $e.metadata.event_type = "PROCESS_TERMINATION" or
      $e.metadata.event_type = "PROCESS_UNCATEGORIZED"
    )
    $e.target.process.file.security_result.threat_verdict = "MALICIOUS"
    $e.target.process.file.sha256 = $hash and $e.target.process.file.sha256 != ""
    // placeholder variables
    $e.principal.hostname = $asset
    $e.target.file.sha256 = $target_hash
    $e.target.user.userid = $user
  match:
    $asset over 1m
  outcome:
    $risk_score = max(
      75 +
      if($e.security_result.action = "ALLOW", 10) -
      if($e.security_result.action = "BLOCK", 10)
    )
    $oc_tags = array_distinct($e.target.process.file.tags)
  condition:
    $e
}
Or you can use VT File Metadata tags:
rule vt_suspicious_ps_files {
  meta:
    description = "Detects powershell files with obfuscated code of a known Tag in VirusTotal"
    severity = "MEDIUM"
    priority = "MEDIUM"
  events:
    $vt.metadata.log_type = "WINDOWS_SYSMON"
    (
      $vt.metadata.event_type = "PROCESS_LAUNCH" or
      $vt.metadata.event_type = "PROCESS_OPEN" or
      $vt.metadata.event_type = "PROCESS_MODULE_LOAD"
    )
    // VT File Metadata Enrichment
    $vt.target.file.file_type = "FILE_TYPE_POWERSHELL"
    any $vt.target.file.tags = "obfuscated"
    any $vt.target.file.tags = "powershell"
    $tags = arrays.length($vt.target.file.tags)
  outcome:
    $risk_score = max(
      if ($vt.target.file.tags = "powershell", 50, 0) +
      if ($vt.target.file.tags = "obfuscated", 10, 0)
    )
    $oc_cd_vt_tags = $tags
  condition:
    $vt and $risk_score > 50
}
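To make the enrichment flow and the scoring in the two rules above concrete, here is an added example (not code from the thread or from Chronicle): a small local model in which a sha256 lookup attaches VT metadata to the target file object and the two rules are evaluated over constructed events. The hash table, field names and sample events are assumptions made for the model, not real VT data or Chronicle APIs.

```python
# Added example, not code from the thread: a local model of the VT File Metadata
# enrichment described above (sha256 lookup -> UDM target file object) and of the
# two YARA-L rules, so their scoring logic can be exercised offline.
# Hashes and VT metadata below are constructed sample values, not real VT data.
VT_METADATA = {
    "a" * 64: {"threat_verdict": "MALICIOUS", "file_type": "FILE_TYPE_PE_EXE",
               "tags": ["peexe", "trojan"]},
    "b" * 64: {"threat_verdict": "UNKNOWN", "file_type": "FILE_TYPE_POWERSHELL",
               "tags": ["powershell", "obfuscated"]},
    "c" * 64: {"threat_verdict": "UNKNOWN", "file_type": "FILE_TYPE_POWERSHELL",
               "tags": ["powershell"]},
}
PROCESS_EVENTS = {"PROCESS_LAUNCH", "PROCESS_OPEN", "PROCESS_INJECTION",
                  "PROCESS_MODULE_LOAD", "PROCESS_TERMINATION", "PROCESS_UNCATEGORIZED"}

def enrich(event, vt_table=VT_METADATA):
    """Attach VT metadata to target.file / target.process.file when a sha256 is present."""
    out = dict(event)
    for field in ("target_file", "target_process_file"):
        sha = event.get(field + "_sha256", "")
        if sha in vt_table:  # empty or unknown hashes get no enrichment
            out[field + "_vt"] = vt_table[sha]
    return out

def vt_malicious_file_verdict(event):
    """Rule 1: PROCESS_* event whose process file carries a MALICIOUS VT verdict."""
    vt = event.get("target_process_file_vt")
    if event["event_type"] not in PROCESS_EVENTS or not vt or vt["threat_verdict"] != "MALICIOUS":
        return None
    action = event.get("action")  # stands in for security_result.action
    return 75 + (10 if action == "ALLOW" else 0) - (10 if action == "BLOCK" else 0)

def vt_suspicious_ps_files(event):
    """Rule 2: Sysmon process event on a PowerShell file tagged both powershell and obfuscated."""
    vt = event.get("target_file_vt")
    if event.get("log_type") != "WINDOWS_SYSMON" or event["event_type"] not in {
            "PROCESS_LAUNCH", "PROCESS_OPEN", "PROCESS_MODULE_LOAD"}:
        return None
    if not vt or vt["file_type"] != "FILE_TYPE_POWERSHELL" or not {"powershell", "obfuscated"} <= set(vt["tags"]):
        return None
    score = (50 if "powershell" in vt["tags"] else 0) + (10 if "obfuscated" in vt["tags"] else 0)
    return score if score > 50 else None

def evaluate(raw_event):
    """Enrich one raw event and return {rule_name: risk_score} for the rules that fire."""
    e = enrich(raw_event)
    hits = {"vt_malicious_file_verdict": vt_malicious_file_verdict(e),
            "vt_suspicious_ps_files": vt_suspicious_ps_files(e)}
    return {name: s for name, s in hits.items() if s is not None}
```

Note that because rule 2 requires both tags in the events section, its risk score is always 60 when it fires, so the `> 50` condition never filters anything; the model makes that visible before the rule is deployed.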
Hi Martin,
Thank you for your answer!
Assuming I have the appropriate license, all I have to do is create a rule like you wrote?
Thanks
Yes, but with the caveats:
1) you have a suitable VT license
2) someone from Google enables the feature on your tenant(s)
3) you have a log source that populates file hashes, e.g., an EDR or OS logging