Alert with external web service
Description
A flow that, on-demand, activates an alert through an email after checking if a file (in the SHA-256 form) is infected by a virus. This is done via an external web service (VirusTotal) that scans the file through several antiviruses. By clicking the first unit, we generate an event with the SHA-256, which will be complemented with additional information to get a complete analysis.
Flow configuration
The following table describes the units needed to create this flow, as well as how to configure and link them.
Unit type and description | Configuration |
---|---|
Tick When clicking on this unit, you will generate an event that contains a field called sha_256, which includes the encryption of a sample file. | Drag a Tick unit to the canvas and open its configuration options by double-clicking it. In the General tab, simply add a name to the unit (in this example, we called it tckCheckSHA256). Now go to the Fields tab. Click the + icon to add 3 different columns to the events sent:
Click Apply to save the configuration. |
HttpCall This unit will receive the SHA-256 input file and return the outcome of all the antivirus which scanned the file, by performing a request to the VirusTotal API. | Drag a HttpCall unit to the canvas and link the output port of the Tick unit to the input port of this unit. Then, open the configuration options of the unit by double-clicking it and enter the following values:
Leave the rest of the fields with their default values. Then, scroll down to the bottom of the window to add the required Parameters to the API request by clicking the + icon. We need to add 3 parameters with the following values: Parameter 1We must add the apikey parameter to authorize our API request.
Parameter 2The resource parameter is needed to indicate the resources to be analyzed.
Parameter 3We will also add the optional allinfo parameter, which will return additional information about the file analyzed.
Click Apply to save the configuration. |
JsonParser This unit will parse the response string generated by the VirusTotal API and transform it into a JSON object. | Drag a JsonParser unit to the canvas and link the output port out of the HttpCall unit to the input port of this unit. Then, open the configuration options of the unit by double-clicking it and enter the following values:
Click Apply to save the configuration. |
Map Using this unit, we will add two additional columns to the output result to indicate the total amount of virus detected and their types. | Drag a Map unit to the canvas and link the output port out of the JsonParser unit to the input port of this unit. Then, open the configuration options of the unit by double-clicking it. In the General tab, simply add a name to the unit (in this example, we called it VirusTotal_Count). Now go to the Fields to add tab. Click the + icon in the fields section to add 2 new columns to the events sent: Column 1We will add a column to list the different types of viruses found in the file.
def values = json_response.scans
.collect{it}
.findAll{it.value.detected}
values.collect{it.key +" -> "+ it.value.result} Column 2This column will indicate the total amount of viruses found.
def total = json_response.total
def positives = json_response.positives
def result = positives + " / " + total
result Click Apply to save the configuration. |
EmailSink This unit will send the complete virus analysis to an indicated email address. | Drag an EmailSink unit to the canvas and link the output port out of the Map unit to the input port of this unit. Then, open the configuration options of the unit by double-clicking it In the General tab, add a Name to the unit (in this example, we called it toMail), the Subject of the mails that will be sent (in this example, Threat detected) and the Message to be sent. This is the message that we used in this example, referencing the information in the columns of the events received:
Now go to the To recipients tab, click the + icon in the TOs section, and enter the email addresses you want to send the mails. Click Apply to save the configuration. |
Result
After saving and starting the Flow, you must click the red button of the Tick unit to begin sending events.
Once you have defined the whole Flow, click the Start button to activate it and click the first unit (Tick). If everything is correctly configured and a threat is detected, the addresses indicated in the EmailSink unit will receive an email including the analysis of the SHA-256 file, with the information we defined and added to the events generated.
Import this Flow
Download the above Flow and import it to your domain clicking the Import from JSON option in the File menu.
Add your API key and mail addresses before trying it out
As explained in the Flow configuration section, you must include your own VirusTotal API key in the configuration of the HttpCall unit and the required email addresses in the EmailSink unit to make this flow work.