[Wazuh - VirusTotal integration]


Van Than Vu

Mar 23, 2021, 7:21:12 AM
to Wazuh mailing list
Hi Colleagues, 

Currently, I'm tasked with the Wazuh - VirusTotal integration, where I have a piece of information to clarify and provide to the vendor to receive a price discount. I'm looking for this information on Wazuh. Please guide me in a way to count it.

- Incidents per month
- Hashes per month
- URLs per month
- Domains per month

Regards,

Miguel Keane

Mar 24, 2021, 3:48:47 PM
to Wazuh mailing list
Hello, 

Are you aiming to monitor all hash additions and modifications on the environments? We usually recommend restricting the analysis to certain paths. In this guide, you will find an example where we restrict VirusTotal analysis to just the /root directory: https://github.com/wazuh/wazuh/wiki/Proof-of-concept-guide#virustotal

To check for all the changes, you can use certain filters in Kibana. As shown in the image, you may go to Modules -> Integrity Monitoring. There, you will be interested ONLY in "added" and "modified" alerts, as you will not be analyzing hashes of deleted files. So there, you can filter those events out.

Then, on that same Module, you can go to "Events", select the agent you want to look into, and see the number of events that have been triggered over a certain amount of time. See the image attached. 

Be sure to change your Syscheck configuration accordingly, preferably using the `Real Time` or `Who data` options, so that you know all the changes of the files you will be monitoring. Take into account that certain paths can be very noisy to monitor, as they will be constantly changing, so I would suggest avoiding them. For more thorough information on the different options File Integrity Monitoring has to offer, feel free to check our documentation: https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/fim-configuration.html

Regarding the rest of the points you want to monitor, such as incidents, URLs and domains: as long as we ingest them into Wazuh, it will be possible to count them, but I will need more information on what exactly it is that you want to monitor, preferably a related Wazuh alert.

Let me know if you have any questions. 

Best regards, 
Miguel Keane
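The counting described in the reply above can also be done directly against the manager's `alerts.json` rather than by eye in Kibana. The following is an added example, not code from the thread or from the Wazuh project: it keeps only FIM alerts whose `syscheck.event` is `added` or `modified` (the only ones the VirusTotal integration would look up), optionally restricts them to a path prefix such as `/root` as the linked guide does, and reports lookups and distinct hashes per month. The sample alerts are constructed here and only follow the general shape of Wazuh's `alerts.json`; the use of `sha1_after` as the hash field is an assumption, so adjust it to whatever field your integration script sends.

```python
import json
from collections import Counter, defaultdict

# Constructed sample alerts in the general shape of Wazuh's alerts.json.
# Hash values and paths are made up; rule ids 550/553/554 are Wazuh's
# FIM "checksum changed" / "file deleted" / "file added" rules.
SAMPLE_ALERTS = [
    {"timestamp": "2021-03-01T10:00:00.000+0000", "rule": {"id": "554"},
     "agent": {"id": "001", "name": "web01"},
     "syscheck": {"path": "/root/tool.sh", "event": "added", "sha1_after": "a" * 40}},
    {"timestamp": "2021-03-02T11:00:00.000+0000", "rule": {"id": "550"},
     "agent": {"id": "001", "name": "web01"},
     "syscheck": {"path": "/root/tool.sh", "event": "modified", "sha1_after": "b" * 40}},
    # Deleted file: there is no new content to hash, so no lookup.
    {"timestamp": "2021-03-03T12:00:00.000+0000", "rule": {"id": "553"},
     "agent": {"id": "001", "name": "web01"},
     "syscheck": {"path": "/root/tool.sh", "event": "deleted", "sha1_before": "b" * 40}},
    # Outside /root: excluded when the integration is restricted to that path.
    {"timestamp": "2021-03-05T09:00:00.000+0000", "rule": {"id": "554"},
     "agent": {"id": "002", "name": "db01"},
     "syscheck": {"path": "/var/log/syslog", "event": "added", "sha1_after": "c" * 40}},
    # Not a FIM alert at all (no syscheck block).
    {"timestamp": "2021-03-06T08:00:00.000+0000", "rule": {"id": "5501"},
     "agent": {"id": "002", "name": "db01"}},
    # Two April modifications that produce the same content hash:
    # two lookups, but only one distinct hash.
    {"timestamp": "2021-04-01T08:00:00.000+0000", "rule": {"id": "550"},
     "agent": {"id": "002", "name": "db01"},
     "syscheck": {"path": "/root/.bashrc", "event": "modified", "sha1_after": "a" * 40}},
    {"timestamp": "2021-04-02T08:00:00.000+0000", "rule": {"id": "550"},
     "agent": {"id": "002", "name": "db01"},
     "syscheck": {"path": "/root/.profile", "event": "modified", "sha1_after": "a" * 40}},
]

ANALYZED_EVENTS = ("added", "modified")


def analyzable_hash(alert, prefixes):
    """Return the hash a VirusTotal lookup would use for this alert, or None
    if the alert would not trigger one (not FIM, deleted, or outside scope)."""
    sc = alert.get("syscheck")
    if not sc or sc.get("event") not in ANALYZED_EVENTS:
        return None
    path = sc.get("path", "")
    if prefixes and not any(path.startswith(p) for p in prefixes):
        return None
    return sc.get("sha1_after")  # assumed hash field, see lead-in


def count_per_month(alerts, prefixes=("/root",)):
    """Per calendar month: number of lookups (one per added/modified alert in
    scope) and number of distinct hashes among them."""
    lookups = Counter()
    hashes = defaultdict(set)
    for alert in alerts:
        h = analyzable_hash(alert, prefixes)
        if h is None:
            continue
        month = alert["timestamp"][:7]  # "YYYY-MM" from the ISO timestamp
        lookups[month] += 1
        hashes[month].add(h)
    return {m: {"lookups": lookups[m], "unique_hashes": len(hashes[m])}
            for m in sorted(lookups)}


def load_alerts(path):
    """Read a Wazuh alerts.json file (one JSON object per line)."""
    with open(path, encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


if __name__ == "__main__":
    # Replace SAMPLE_ALERTS with load_alerts("/var/ossec/logs/alerts/alerts.json")
    # on a manager to get real figures.
    for month, stats in count_per_month(SAMPLE_ALERTS).items():
        print(f"{month}: {stats['lookups']} lookups, "
              f"{stats['unique_hashes']} distinct hashes")
```

Passing `prefixes=()` counts every added/modified FIM alert regardless of path, which shows how much the path restriction from the guide reduces the monthly volume you would report to the vendor.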