Send file from Wazuh agent to Shuffle server and analyze the file with workflow


Shu

May 14, 2024, 5:29:03 AM5/14/24
to Wazuh | Mailing List
Hi, I am trying to create a workflow for file integrity monitoring, where I want to send a file which has suspiciously occurred on an agent to Virustotal and sandbox for further analysis. However, I am not sure how to retrieve the file from the agent machine via a Shuffle workflow and pass it to Virustotal for upload / sandbox for analysis. It will be great if you can suggest any ways to enable this. Thanks!

Isaiah Daboh

May 14, 2024, 7:18:01 AM5/14/24
to Wazuh | Mailing List
Hello,

Please note that I am taking a look at this. I will revert shortly.

Regards,

Isaiah Daboh

May 14, 2024, 11:31:28 AM5/14/24
to Wazuh | Mailing List
Hello,

Please note that the Wazuh FIM module can be combined with VirusTotal to detect malicious files. This works by sending the hash of the file to VirusTotal through an HTTP POST request to the VirusTotal database using the VirusTotal API.

However, if the hash information is not sufficient and you really want to move the file from the agent to the sandbox for analysis, you may need to check how the sandbox integration is done on Shuffle.

Wazuh can forward FIM alerts to Shuffle. The file location (agent) can be extracted from the FIM alert to create the instruction that is required by Shuffle to forward the file to the sandbox (you may need further help from Shuffle on how to do this).


Regards,

Shu

May 16, 2024, 4:56:19 AM5/16/24
to Wazuh | Mailing List
Hello,

Thank you for your response. I have set up a webhook to receive FIM alerts, but it only gets alert data, such as the file hash, instead of the file.

The workflow I plan to build is to get the whole file from the agent and then send it to the VirusTotal API, so I'm thinking of calling an SSH command from a Shuffle node to send or copy the file from the agent to Shuffle. Will this method be applicable? Could you provide any sources where I can get further help on this task? Thank you.

Best,

Isaiah Daboh

May 16, 2024, 12:18:20 PM5/16/24
to Wazuh | Mailing List
Hello,

Please allow me some time to confirm if it is possible to provide some more details aside from the hash for the file copy.

Regards,

Isaiah Daboh

May 16, 2024, 2:21:28 PM5/16/24
to Wazuh | Mailing List
Hello,

In addition to having the file path extracted from the Wazuh FIM alert sent to Shuffle, another option you can explore is to create a custom active response script that sends the file detected by the FIM from the agent host to a remote host. You can then instruct Shuffle to pick the file up from the remote host and send it to VirusTotal or a sandbox for further analysis.

Helpful blog post on active response - https://wazuh.com/blog/blocking-attacks-active-response/

I hope this helps.

Regards,
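
An added example of the custom active response script described in this reply (example code, not Wazuh's own and not from the Shuffle project): it reads the alert Wazuh passes on stdin, takes the path and SHA-256 from the FIM fields, re-hashes the file and refuses to stage it if the hash no longer matches the alert, then copies it under a hash-named file in a staging directory from which a site-specific scp/rsync step (assumed, shown only as a comment) would forward it to the host Shuffle reads from. The staging directory path is an assumption.

```python
#!/usr/bin/env python3
"""Hypothetical Wazuh active response script that stages a FIM-flagged file for
pickup by Shuffle. Wazuh passes the triggering alert as JSON on stdin under
parameters.alert; a FIM alert carries syscheck.path and syscheck.sha256_after."""
import hashlib
import json
import os
import shutil
import sys

STAGING_DIR = "/var/ossec/tmp/fim-forward"  # assumed; later copied to the remote host


def extract_fim_target(message):
    """Return (path, sha256) from the AR message, or None if it is not an add/modify FIM alert."""
    syscheck = message.get("parameters", {}).get("alert", {}).get("syscheck", {})
    path, sha = syscheck.get("path"), syscheck.get("sha256_after")
    if not path or not sha or syscheck.get("event") not in ("added", "modified"):
        return None
    return path, sha


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def stage_file(path, expected_sha, staging_dir=STAGING_DIR):
    """Copy the file into staging, named by its hash, only if it still matches the alert.
    A mismatch means the file changed after the alert fired; refuse rather than forward
    an artifact that is not the one the alert describes."""
    if sha256_of(path) != expected_sha:
        return None
    os.makedirs(staging_dir, mode=0o700, exist_ok=True)
    dest = os.path.join(staging_dir, expected_sha + ".bin")
    shutil.copy2(path, dest)
    return dest


def main():
    message = json.loads(sys.stdin.readline())
    target = extract_fim_target(message)
    dest = stage_file(*target) if target else None
    # Hand-off to the host Shuffle reads from is site-specific (assumed), e.g.
    # subprocess.run(["scp", dest, "collector:/srv/fim/"]) under a key-restricted account.
    return 0 if dest else 1


if __name__ == "__main__":
    sys.exit(main())
```

Register it in ossec.conf as a `<command>` plus an `<active-response>` bound to the FIM rules you care about, exactly as the linked blog post shows for other scripts.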

Shu

May 17, 2024, 4:40:43 AM5/17/24
to Wazuh | Mailing List
Got it, I appreciate your help!

Best,
