wazuh virustotal integration


reza fathi

Jul 11, 2023, 7:46:36 AM
to Wazuh mailing list
Hi,
I have integrated Wazuh with VirusTotal using the API, but the following error occurs:

{
  "_index": "wazuh-alerts-4.x-2023.07.11",
  "_id": "Tcp6RIkB8eanV22l-iQj",
  "_version": 1,
  "_score": null,
  "_source": {
    "input": { "type": "log" },
    "agent": { "name": "wazuh-server", "id": "000" },
    "manager": { "name": "wazuh-server" },
    "data": {
      "integration": "virustotal",
      "virustotal": {
        "description": "Error: Check credentials",
        "error": "403"
      }
    },
    "rule": {
      "firedtimes": 51,
      "mail": false,
      "level": 3,
      "description": "VirusTotal: Error: Check credentials",
      "groups": [ "virustotal" ],
      "id": "87102",
      "gdpr": [ "IV_35.7.d", "IV_32.2" ]
    },
    "location": "virustotal",
    "decoder": { "name": "json" },
    "id": "1689071054.418115907",
    "timestamp": "2023-07-11T10:24:14.936+0000"
  },
  "fields": { "timestamp": [ "2023-07-11T10:24:14.936Z" ] },
  "highlight": {
    "manager.name": [ "@opensearch-dashboards-highlighted-field@wazuh-server@/opensearch-dashboards-highlighted-field@" ],
    "rule.groups": [ "@opensearch-dashboards-highlighted-field@virustotal@/opensearch-dashboards-highlighted-field@" ]
  },
  "sort": [ 1689071054936 ]
}


Juan Nicolás Asselle (Nico Asselle)

Jul 11, 2023, 8:04:22 AM
to Wazuh mailing list

Hi Reza,

It looks like you are having a problem during the interaction with the VirusTotal v2 API. Could you please check that your VirusTotal v2 API configuration parameter (API Key) is valid by executing a request on the command line, for example (https://developers.virustotal.com/v2.0/reference/url-scanl):

curl --request POST \
  --url 'https://www.virustotal.com/vtapi/v2/url/scan' \
  --data 'apikey=<apikey>' \
  --data 'url=https://wazuh.com/'

Replace <apikey> with the API Key that is configured in Wazuh.

Let me know how it goes.

Looking forward to your comments
Nico

reza fathi

Jul 12, 2023, 1:08:14 AM
to Wazuh mailing list
Hi,

Here is the output:

{
  "permalink": "https://www.virustotal.com/gui/url/a01990f1644446c9f08c3e8a997703bbe36757d3fc845d2a15f909bc62969770/detection/u-a01990f1644446c9f08c3e8a997703bbe36757d3fc845d2a15f909bc62969770-1689138445",
  "resource": "https://wazuh.com/",
  "url": "https://wazuh.com/",
  "response_code": 1,
  "scan_date": "2023-07-12 05:07:25",
  "scan_id": "a01990f1644446c9f08c3e8a997703bbe36757d3fc845d2a15f909bc62969770-1689138445",
  "verbose_msg": "Scan request successfully queued, come back later for the report"
}

Juan Nicolás Asselle (Nico Asselle)

Jul 12, 2023, 7:33:12 AM
to Wazuh mailing list
Hi Reza,

It seems that your API key is working, so `Error: Check credentials` should be something related to Wazuh. I'll be executing some tests on the module to check everything is working as expected.

In the meantime, could you please share with us your integration configuration block and Wazuh version? Remember to obfuscate the API key (and check that it is the same one used in the previous manual test).

Regards,
Nico

Juan Nicolás Asselle (Nico Asselle)

Jul 12, 2023, 8:36:00 AM
to Wazuh mailing list
Hi Reza,

I was able to make integration work OOTB. Could you please check that there's no missing API key character on your Wazuh configuration?

Regards,
Nico
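The two checks the replies above ask for (is the key valid against the v2 API, and is the key in ossec.conf complete) can be scripted. The following is an added example, not part of this thread and not Wazuh's own integration script. It assumes a VirusTotal API key is 64 lowercase hexadecimal characters; the ossec.conf fragment it audits is constructed for the example, with a key that is one character short. Only the live check needs network access.

```python
"""Added example (not from the thread, not Wazuh's integration code):
offline sanity checks for the VirusTotal API key in ossec.conf, plus the
same v2 /url/scan request the curl command in the thread sends.

Assumptions: a VirusTotal API key is 64 lowercase hex characters; the
ossec.conf fragment below is constructed for this example.
"""
import re
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

VT_V2_URL_SCAN = "https://www.virustotal.com/vtapi/v2/url/scan"
VT_KEY_RE = re.compile(r"^[0-9a-f]{64}$")  # assumed key format

GOOD_KEY = "0123456789abcdef" * 4   # 64 hex chars (constructed, not a real key)
TRUNCATED_KEY = GOOD_KEY[:-1]       # 63 chars: one character lost in copy/paste

# Constructed sample ossec.conf: two top-level <ossec_config> elements, as
# real files often have, and a virustotal integration block with a short key.
SAMPLE_OSSEC_CONF = f"""<ossec_config>
  <integration>
    <name>virustotal</name>
    <api_key>{TRUNCATED_KEY}</api_key>
    <group>syscheck</group>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>
<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
  </global>
</ossec_config>
"""


def extract_virustotal_keys(conf_text: str) -> list[str]:
    """Return the raw <api_key> text of every virustotal <integration> block.

    ossec.conf may contain several top-level <ossec_config> elements, which is
    not one well-formed XML document, so it is wrapped in a dummy root first.
    The text is returned unstripped so stray whitespace stays visible.
    """
    root = ET.fromstring("<root>" + conf_text + "</root>")
    keys = []
    for integ in root.iter("integration"):
        if (integ.findtext("name") or "").strip() == "virustotal":
            keys.append(integ.findtext("api_key") or "")
    return keys


def check_api_key(key: str) -> list[str]:
    """Return the problems found with the key; an empty list means it looks sane."""
    problems = []
    if key != key.strip():
        problems.append("leading/trailing whitespace in <api_key>")
    stripped = key.strip()
    if len(stripped) != 64:
        problems.append(f"length is {len(stripped)}, expected 64")
    if not VT_KEY_RE.match(stripped):
        bad = sorted({c for c in stripped if c not in "0123456789abcdef"})
        if bad:
            problems.append(f"characters outside [0-9a-f]: {''.join(bad)!r}")
    return problems


def build_v2_url_scan_request(key: str, url: str = "https://wazuh.com/") -> urllib.request.Request:
    """Build (without sending) the POST that the curl command in the thread sends."""
    body = urllib.parse.urlencode({"apikey": key, "url": url}).encode()
    return urllib.request.Request(VT_V2_URL_SCAN, data=body, method="POST")


def live_check(key: str, timeout: float = 10.0) -> int:
    """Send the request and return the HTTP status. Needs network access.
    A 403 is the response the Wazuh alert in the thread reports as
    'Error: Check credentials'; 200 means the key was accepted."""
    try:
        with urllib.request.urlopen(build_v2_url_scan_request(key), timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def audit_conf(conf_text: str) -> dict[str, list[str]]:
    """Map each configured key (masked, never printed in full) to its problems."""
    report = {}
    for key in extract_virustotal_keys(conf_text):
        s = key.strip()
        report[s[:4] + "..." + s[-4:]] = check_api_key(key)
    return report


if __name__ == "__main__":
    for masked, problems in audit_conf(SAMPLE_OSSEC_CONF).items():
        print(f"{masked}: {'ok' if not problems else '; '.join(problems)}")
```

Run it against the real file with `audit_conf(open("/var/ossec/etc/ossec.conf").read())`; a length or whitespace finding is the "missing character" case from the last reply, while a key that passes the offline checks but gets a 403 from `live_check` points at the key itself rather than at the Wazuh configuration.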
