Threat Intel Enrichment query with toURL operator

When malware is detected by an endpoint protection solution, I think it's a common security operation to check it against other Threat Intelligence sources (Threat Intel Enrichment).

The following example creates a Link that extracts the file hash value from CylancePROTECT's logs and searches it in VirusTotal. Security analysts can click on the link to see VirusTotal's Threat search results.

■Query

_sourceCategory=Labs/Cylance
// Extract required fields from Cylance log (using Parse Anchor)
| parse "Device Name: *, IP Address: (*), File Name: *, Path: *, Drive Type: *, SHA256: *," as device_name,ip_address,file_name,path,drive_type,file_hash
| "https://www.virustotal.com/gui/file/" as ti_url  // set the VirusTotal search page
| concat(ti_url,file_hash) as url  // attach hash value to ti_url
| toURL(url,"investigate") as invetsigate_link  // set url's link name to investigate
| count by device_name, file_name, path, file_hash, invetsigate_link
| sort _count

■Output

"investigate_link" is added in the last column.

Clicking on the link (investigate) in the first line opens VirusTotal's search results page, where you can see threat information.

■References

• toURL
• concat