Configure the VirusTotal script to see VirusTotal anomalies in Splunk UBA
The VirusTotal script in Splunk UBA compares existing external IP addresses and domains in Splunk UBA against VirusTotal. Any matches are added to the VirusTotal watch list, which can be viewed in Splunk UBA in Anomalies Table > Add Filter > User Watchlists. The first time the script is run, it checks data from the past 180 days. You can configure the script to run regularly after that.
Prerequisites
Verify the following before running the VirusTotal script:
- Ensure that Splunk UBA node 1 can connect to https://developers.virustotal.com/v2.0/reference/domain-report and https://developers.virustotal.com/v2.0/reference/ip-address-report.
- Make sure you have an existing VirusTotal API key. If you need to obtain a key, register in the VirusTotal community. Complete the registration form and click Sign Up.
- Identify the maximum number of queries per minute you can run with your API key. If you are using a private key, subtract your regular usage (searches unrelated to Splunk UBA) from this limit so the script leaves room for it.
Run the script
- Run the VirusTotal setup:
/opt/caspida/bin/utils/virustotal_scan/virustotal_setup.sh
The script prompts you for the following:
- A disclaimer for using VirusTotal. If you accept the terms of usage, press Y.
- Your VirusTotal API key. Enter your API key and press Enter to continue. You can find your API key under the account details after logging in to VirusTotal.
- The VirusTotal API maximum number of queries per minute. Enter the maximum number of queries that Splunk UBA may run in one minute, and then press Enter to continue.
- The directory where the VirusTotal script writes temporary files. By default, temporary files are written to /temp. Press Enter to continue.
- The location where VirusTotal scan logs are stored. By default, these logs are written to /var/log/caspida. Press Enter to continue.
The VirusTotal script runs automatically every Saturday. If you need to run the VirusTotal script manually at another time, perform the following steps:
- Go to the /opt/caspida/bin/utils/virustotal_scan directory.
- Run the following command:
/opt/caspida/bin/utils/virustotal_scan/virustotal_scan.sh &
Do not run the script manually shortly before the weekend: the manual run and the scheduled Saturday run would execute back to back, which can lock out the API key.
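The two operational constraints above, the per-minute query limit entered during setup and the warning against overlapping runs, are easy to get wrong in a home-grown wrapper. The following added example (not Splunk's virustotal_scan.sh, whose internals the page does not describe) shows one way to honour both: a sliding-window rate limiter set to the same queries-per-minute value, indicator deduplication so each quota unit is spent once, and an flock-based single-instance guard so a manual run cannot overlap a scheduled one. The endpoint URLs are the public VirusTotal v2 domain and IP report endpoints; the response fields (response_code, detected_urls, positives) follow the v2 report format; PLACEHOLDER_API_KEY, the sample responses and the lock path are constructed for the offline demo and are not real data.

```python
# Added example, not Splunk's virustotal_scan.sh: rate-limited VirusTotal v2 domain/IP
# lookups behind a single-instance lock; the HTTP transport is injected so it runs offline.
import fcntl
import ipaddress
import os
import tempfile
import time
from collections import deque

DOMAIN_REPORT = "https://www.virustotal.com/vtapi/v2/domain/report"  # public v2 endpoints
IP_REPORT = "https://www.virustotal.com/vtapi/v2/ip-address/report"

class MinuteRateLimiter:
    """Sliding-window limiter for the 'maximum queries per minute' setup value."""
    def __init__(self, max_per_minute, clock=time.monotonic, sleep=time.sleep):
        self.max_per_minute = max_per_minute
        self.clock, self.sleep = clock, sleep
        self.stamps = deque()  # timestamps of calls inside the current 60 s window

    def acquire(self):
        now = self.clock()
        while self.stamps and now - self.stamps[0] >= 60:
            self.stamps.popleft()  # drop calls that have left the window
        if len(self.stamps) >= self.max_per_minute:
            self.sleep(60 - (now - self.stamps[0]))  # wait for the oldest to expire
            self.stamps.popleft()
            now = self.clock()
        self.stamps.append(now)

def endpoint_for(indicator):
    """Choose the IP or domain report endpoint and its query parameter."""
    try:
        ipaddress.ip_address(indicator)
        return IP_REPORT, {"ip": indicator}
    except ValueError:
        return DOMAIN_REPORT, {"domain": indicator}

def is_flagged(report, min_positives=1):
    """response_code 1 = object known to VirusTotal; detected_urls carry engine 'positives'."""
    return report.get("response_code") == 1 and any(
        u.get("positives", 0) >= min_positives for u in report.get("detected_urls", []))

def scan(indicators, api_key, fetch, limiter):
    """Return the indicators VirusTotal flags. fetch(url, params) -> parsed JSON dict."""
    flagged = []
    for indicator in dict.fromkeys(indicators):  # dedupe: every call costs quota
        url, params = endpoint_for(indicator)
        params["apikey"] = api_key
        limiter.acquire()
        if is_flagged(fetch(url, params)):
            flagged.append(indicator)
    return flagged

def run_single_instance(lock_path, job):
    """Run job() unless another process holds lock_path (then return None), so an
    overlapping manual and scheduled run cannot double the API calls."""
    with open(lock_path, "w") as fh:
        try:
            fcntl.flock(fh, fcntl.LOCK_EX | fcntl.LOCK_NB)
        except BlockingIOError:
            return None
        return job()  # the lock is released when fh closes

class FakeClock:
    """Deterministic clock so the offline demo can exercise the limiter."""
    def __init__(self):
        self.now = 0.0
    def time(self):
        return self.now
    def sleep(self, seconds):
        self.now += seconds

# Constructed sample responses in the v2 shape; not real VirusTotal data.
SAMPLE_REPORTS = {
    "evil.example": {"response_code": 1, "detected_urls": [{"positives": 7}]},
    "clean.example": {"response_code": 1, "detected_urls": []},
    "203.0.113.7": {"response_code": 1, "detected_urls": [{"positives": 3}]},
    "198.51.100.4": {"response_code": 0},  # unknown to VirusTotal
}
LOCK_PATH = os.path.join(tempfile.gettempdir(), "virustotal_scan_demo.lock")

def fake_fetch(url, params):
    """Stand-in for the HTTP GET: looks the indicator up in SAMPLE_REPORTS."""
    return SAMPLE_REPORTS.get(params.get("domain") or params.get("ip"), {"response_code": 0})

def demo(max_per_minute=2):
    """Scan five indicators (one duplicate) at 2/min: returns (flagged, seconds slept)."""
    clock = FakeClock()
    limiter = MinuteRateLimiter(max_per_minute, clock.time, clock.sleep)
    indicators = ["evil.example", "clean.example", "203.0.113.7", "evil.example", "198.51.100.4"]
    flagged = run_single_instance(
        LOCK_PATH, lambda: scan(indicators, "PLACEHOLDER_API_KEY", fake_fetch, limiter))
    return flagged, clock.now

def double_run_demo():
    """Hold the lock, then show that a second run is refused (returns None)."""
    with open(LOCK_PATH, "w") as holder:
        fcntl.flock(holder, fcntl.LOCK_EX | fcntl.LOCK_NB)
        return run_single_instance(LOCK_PATH, lambda: "ran")
```

In demo(), four unique indicators at a limit of two per minute force the limiter to sleep once for the full 60 seconds before the third call, which is why the limit you enter during setup should already have your non-UBA usage subtracted. A real wrapper would replace fake_fetch with an HTTP GET against the same URL and params, and push the flagged list to the watch list; double_run_demo() shows the guard returning None while another process holds the lock, the behaviour you want from any manual run that might collide with the Saturday schedule.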
Additional information
You can find more information and details about the script in the README file: /opt/caspida/bin/utils/virustotal_scan/README.
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1, 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1