Virustotal custom rule set for >1 positive


Idefix RC

Sep 18, 2025, 11:59:55 PM (2 days ago) Sep 18
to Wazuh | Mailing List
Hello,

I'm rather new to Wazuh and while I have it up and running on a few machines now via agent and syslog, I'm only getting started now on dashboarding etc.

One of the issues I currently face is the Virustotal integration and the large amount of registry false positives flagged by Bkav Pro in particular.

I plan to filter out positives that have less than 2 scanners reporting a hit.
As there seem to be not many configuration options for the Virustotal integration, the only way to do that is via a custom rule?

First of all, am I on the right track with this approach?
If yes, would 2 custom rules be required, one which triggers when data.virustotal.positives: = 1 to set the level to low (e.g. 0) and one which triggers when data.virustotal.positives: >1 to set the level to high (e.g. 12)?

When implemented, would that only overwrite the severity level based on this one trigger and all other rules remain intact or would that essentially replace all other rules?

Thanks !

Md. Nazmur Sakib

Sep 19, 2025, 1:08:19 AM (yesterday) Sep 19
to Wazuh | Mailing List
Hello,

If I have understood your query correctly, you want to have a lower-level rule when the value of data.virustotal.positives = 1, and a level 12 rule when you have a value data.virustotal.positives: > 1.
You can have rules like this: one rule for the value one only, and overwrite the existing rule for other values.

For this use case, add these rules to your custom rule file.
<group name="virustotal,">
  <!-- Exactly one engine flagged the file: keep the alert, but at a low level -->
  <rule id="107105" level="5">
    <if_sid>87100</if_sid>
    <field name="virustotal.malicious">1</field>
    <!-- anchored: an unanchored "1" is a regex and would also match 10, 12, 21, ... -->
    <field name="virustotal.positives">^1$</field>
    <description>VirusTotal: Alert - $(virustotal.source.file) - $(virustotal.positives) engines detected this file</description>
    <group>pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,</group>
    <options>no_full_log</options>
    <mitre>
      <id>T1203</id>
    </mitre>
  </rule>

  <!-- Overwrites the default rule 87105 so that it only fires when positives is not exactly 1 -->
  <rule id="87105" level="12" overwrite="yes">
    <if_sid>87100</if_sid>
    <field name="virustotal.malicious">1</field>
    <field name="virustotal.positives" negate="yes">^1$</field>
    <description>VirusTotal: Alert - $(virustotal.source.file) - $(virustotal.positives) engines detected this file</description>
    <group>pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,</group>
    <options>no_full_log</options>
    <mitre>
      <id>T1203</id>
    </mitre>
  </rule>
</group>

[Screenshot: alerts filtered on data.virustotal.positives: > 1]

[Screenshot: alerts filtered on data.virustotal.positives: = 1]

You can check these documents if you want to make any further changes to your rule.

Rules Syntax

Custom rules
Let me know if you need any further assistance.
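As an added example (not code from the reply or from Wazuh), here is a small Python model of how these two rules sort VirusTotal events by their positives count, using a constructed, trimmed copy of the rule XML above. It assumes that Wazuh's default osregex `<field>` match is a substring search unless anchored, which `re.search` approximates for these simple patterns, and it ignores `<if_sid>` and rule ordering details beyond file order.

```python
import re
import xml.etree.ElementTree as ET
# Constructed, trimmed copy of the two rules from the reply (assumption: the
# positives check is anchored as ^1$ so that 10, 12, 21, ... do not match it).
RULES_XML = """<group name="virustotal,">
  <rule id="107105" level="5">
    <field name="virustotal.malicious">1</field>
    <field name="virustotal.positives">^1$</field>
  </rule>
  <rule id="87105" level="12" overwrite="yes">
    <field name="virustotal.malicious">1</field>
    <field name="virustotal.positives" negate="yes">^1$</field>
  </rule>
</group>"""

def load_rules(xml_text):
    """Read rule id, level and <field> conditions from the custom rule file."""
    rules = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        fields = [(f.get("name"), f.text, f.get("negate") == "yes")
                  for f in rule.findall("field")]
        rules.append({"id": rule.get("id"), "level": int(rule.get("level")), "fields": fields})
    return rules

def lookup(event, dotted):
    """Resolve a dotted name like virustotal.positives; values are compared as strings."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return str(cur)

def rule_matches(rule, event):
    # Assumption: Wazuh's default osregex <field> match is a substring search
    # unless anchored; re.search approximates that for these simple patterns.
    for name, pattern, negate in rule["fields"]:
        value = lookup(event, name)
        hit = value is not None and re.search(pattern, value) is not None
        if hit == negate:  # negate="yes" requires the field NOT to match
            return False
    return True

def alert_level(rules, event):
    """Return (rule id, level) of the first rule that matches, or None."""
    for rule in rules:
        if rule_matches(rule, event):
            return rule["id"], rule["level"]
    return None
```

With the pattern left unanchored as plain `1`, a file with 12 positives matches rule 107105 and is downgraded to level 5, which is the pitfall the anchoring avoids.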

Idefix RC

Sep 19, 2025, 3:40:21 AM (yesterday) Sep 19
to Md. Nazmur Sakib, Wazuh | Mailing List
You Sir, are an absolute legend !!!
Thanks a million 🥳
