Hi Jorge Tomás Guerra,
Hope you are doing well. Thank you for using Wazuh.
It is not possible to configure any integration including VirusTotal for a group of agents.
The optional fields that you can add for integration are:
<!-- Optional filters -->
<rule_id> </rule_id>
<level> </level>
<group> </group>
<event_location> </event_location>
Based on those you can filter any integration. Please note that here <group> </group> means rule group.
Please check this document to learn more.
https://documentation.wazuh.com/current/user-manual/manager/manual-integration.html#optional-filters
I can give you an idea about a possible workaround.
Make some custom rules for file added, file deleted, and file modified for the specific agents whose logs you want to monitor.
<!-- <var> is a top-level element of a rules file, so it is defined outside the group and substituted as $agnt below -->
<var name="agnt">workstation1</var>
<group name="syscheck,pci_dss_11.5,nist_800_53_SI.7,">
  <!-- Rules for Linux systems -->
  <rule id="100200" level="7">
    <if_sid>550</if_sid>
    <location>$agnt</location>
    <description>File modified for agents abcd.</description>
  </rule>
  <rule id="100201" level="7">
    <if_sid>554</if_sid>
    <location>$agnt</location>
    <description>File added for agents abcd.</description>
  </rule>
</group>
You cannot create a custom rule based on the agent group, because the Wazuh rule engine is not aware of the rule group. For custom rules for an agent, you can try using the <location> tag. This tag is sort of a hybrid header that contains not just where the logs are coming from but also other data like hostname and IP address.
https://github.com/wazuh/wazuh/issues/10687
Add these rule IDs to your VirusTotal integration configuration. This allows a VirusTotal query to be triggered whenever either of the rules 100200 and 100201 is triggered:
<ossec_config>
  <integration>
    <name>virustotal</name>
    <api_key>YOUR_VIRUS_TOTAL_API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
    <rule_id>100200,100201</rule_id>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>
Please check these configurations in a test environment before deploying them to production.
Check this document to learn more about VirusTotal integration:
https://documentation.wazuh.com/current/proof-of-concept-guide/detect-remove-malware-virustotal.html
I hope this helps.
Regards
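As an added illustration, not Wazuh's own code and not part of the reply above, the following Python models how the pieces fit together: the hybrid location header the rule engine sees, the <location>-based custom rules, and the integration's <rule_id> filter. The matching is an approximation of the real engine and every event is constructed.

```python
import re

# Custom rules from the reply: rule id -> parent sid, location pattern, level.
# The pattern is anchored on "(agent) " so that an agent named workstation10
# does not also match (a plain substring pattern would).
CUSTOM_RULES = {
    "100200": {"if_sid": "550", "location": r"^\(workstation1\) ", "level": 7},  # file modified
    "100201": {"if_sid": "554", "location": r"^\(workstation1\) ", "level": 7},  # file added
}
# <rule_id>100200,100201</rule_id> from the integration block
INTEGRATION_RULE_IDS = {"100200", "100201"}


def parse_location_header(header):
    """Split a header such as '(workstation1) 10.0.0.5->syscheck' into its parts.
    Manager-local events carry no '(agent) ip->' prefix, so agent and ip are None."""
    m = re.match(r"^\((?P<agent>[^)]*)\) (?P<ip>\S+)->(?P<src>.+)$", header)
    if not m:
        return {"agent": None, "ip": None, "src": header}
    return m.groupdict()


def matching_custom_rule(parent_sid, header):
    """Return the first custom rule whose if_sid and <location> both match, else None.
    Approximation: Wazuh's <location> match is modelled as a Python regex search."""
    for rule_id, rule in CUSTOM_RULES.items():
        if rule["if_sid"] == parent_sid and re.search(rule["location"], header):
            return rule_id
    return None


def triggers_virustotal(parent_sid, header):
    """True when the event fires a custom rule listed in the integration's <rule_id>."""
    rule_id = matching_custom_rule(parent_sid, header)
    return rule_id is not None and rule_id in INTEGRATION_RULE_IDS


# Constructed events: (base syscheck rule that fired, location header)
EVENTS = [
    ("554", "(workstation1) 10.0.0.5->syscheck"),   # file added on the watched agent
    ("554", "(workstation2) 10.0.0.6->syscheck"),   # same event on an unwatched agent
    ("550", "(workstation1) 10.0.0.5->syscheck"),   # file modified on the watched agent
    ("553", "(workstation1) 10.0.0.5->syscheck"),   # file deleted: no custom rule in the reply
    ("554", "(workstation10) 10.0.0.7->syscheck"),  # similar name, must not match
]

if __name__ == "__main__":
    for sid, hdr in EVENTS:
        print(sid, parse_location_header(hdr)["agent"], triggers_virustotal(sid, hdr))
```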
Thanks, I tested it and it works perfectly, but now we want to analyse a directory that is on NFS.
What rule should we monitor so that it scans that directory at least once a day? Since real-time doesn't work on NFS, right?
Thanks.