Threat Intel Enrichment query with toURL operator
When malware is detected by an endpoint protection solution, I think it's a common security operation to check it against other Threat Intelligence sources (Threat Intel Enrichment).
The following example creates a link that extracts the file hash from CylancePROTECT's logs and looks it up in VirusTotal. Security analysts can click the link to open the VirusTotal results for that hash.
■Query
_sourceCategory=Labs/Cylance
// Extract required fields from Cylance log (using Parse Anchor)
| parse "Device Name: *, IP Address: (*), File Name: *, Path: *, Drive Type: *, SHA256: *," as device_name,ip_address,file_name,path,drive_type,file_hash
| "https://www.virustotal.com/gui/file/" as ti_url // set the VirusTotal search page
| concat(ti_url,file_hash) as url // attach hash value to ti_url
| toURL(url,"investigate") as investigate_link // set the link text shown for url to "investigate"
| count by device_name, file_name, path, file_hash, investigate_link
| sort _count
■Output
The "investigate_link" field is added as the last column.
Clicking the "investigate" link in the first row opens VirusTotal's results page for that hash, where you can see the threat information.
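The same enrichment done outside Sumo Logic, as an added example that is not part of the original post: it parses constructed Cylance lines with the same anchor pattern as the query, checks that the extracted value is a well-formed SHA256 before building the VirusTotal link (so a mis-parsed field never becomes a broken or misleading link), and groups rows the way the query's count by does. The log lines and hashes are constructed for the example.

```python
import re
from collections import Counter

# Same anchor pattern as the Sumo Logic parse statement, expressed as a regex
CYLANCE_RE = re.compile(
    r"Device Name: (?P<device_name>.*?), IP Address: \((?P<ip_address>.*?)\), "
    r"File Name: (?P<file_name>.*?), Path: (?P<path>.*?), Drive Type: (?P<drive_type>.*?), "
    r"SHA256: (?P<file_hash>.*?),"
)
VT_FILE_URL = "https://www.virustotal.com/gui/file/"  # the ti_url from the query
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed sample log lines; the hashes are synthetic, not real detections
SAMPLE_LOGS = [
    "Event: Threat, Device Name: WS-0042, IP Address: (10.0.5.17), File Name: invoice.exe, "
    "Path: C:\\Users\\alice\\Downloads\\, Drive Type: Fixed, SHA256: " + "ab" * 32 + ", Status: Quarantined",
    "Event: Threat, Device Name: WS-0042, IP Address: (10.0.5.17), File Name: invoice.exe, "
    "Path: C:\\Users\\alice\\Downloads\\, Drive Type: Fixed, SHA256: " + "ab" * 32 + ", Status: Quarantined",
    "Event: Threat, Device Name: SRV-01, IP Address: (10.0.9.3), File Name: tool.dll, "
    "Path: D:\\temp\\, Drive Type: Removable, SHA256: not-a-hash, Status: Blocked",
]


def parse_cylance(line):
    """Return the parsed fields of one Cylance threat line, or None if the anchors do not match."""
    m = CYLANCE_RE.search(line)
    return m.groupdict() if m else None


def investigate_link(file_hash):
    """Build the VirusTotal file page URL; return None unless the value is a real SHA256 hex digest."""
    h = file_hash.strip().lower()
    return VT_FILE_URL + h if SHA256_RE.match(h) else None


def enrich(lines):
    """Mirror 'count by device_name, file_name, path, file_hash, investigate_link', most frequent first."""
    counts = Counter()
    for line in lines:
        rec = parse_cylance(line)
        if rec is None:
            continue  # line does not carry the threat fields; nothing to enrich
        key = (rec["device_name"], rec["file_name"], rec["path"],
               rec["file_hash"], investigate_link(rec["file_hash"]))
        counts[key] += 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for (device, fname, path, fhash, link), n in enrich(SAMPLE_LOGS):
        print(n, device, fname, path, fhash, link or "<no link: malformed hash>")
```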
■References