
VirusTotal Integration and Active Response

I reviewed the Wazuh VirusTotal integration, which enriches file-related alerts and supports investigation workflows by looking up the hash of a changed file in VirusTotal (the integration submits the file's hash from the FIM alert, not the file itself). I also tested the active response workflow to remove files identified as malicious.

Integration Configuration

I enabled the integration in ossec.conf on the Wazuh server (API_KEY stands for the VirusTotal API key; keep the real key out of version control):
<integration>
  <name>virustotal</name>
  <api_key>API_KEY</api_key>
  <group>syscheck</group>
  <alert_format>json</alert_format>
</integration>
With <group>syscheck</group>, only File Integrity Monitoring alerts are forwarded, and each one costs an API request. A public VirusTotal API key is limited to 4 lookups per minute, so the monitored directories should be kept small rather than pointing the integration at the whole file system.

File Integrity Monitoring Setup

I then configured File Integrity Monitoring on the Linux and Windows agents to watch dedicated test directories. On the Linux agent:
<syscheck>
  <directories check_all="yes">/tmp/malware</directories>
</syscheck>
Without realtime="yes" on the directory, a new file is only picked up by the next scheduled syscheck scan (every 12 hours by default), so for an interactive test either enable real-time monitoring or lower the scan <frequency>.

Testing the Integration

To test the workflow, I created test files (including the EICAR test file) inside the monitored directories and validated that Wazuh generated FIM alerts enriched with the expected VirusTotal context. (Screenshots: VirusTotal integration test file creation; EICAR validation.)

Active Response

The next step was active response. I followed the Wazuh proof-of-concept guide and implemented the following:

1. Deploy Active Response Scripts

Active response scripts were deployed on the agents (in the agent's active-response/bin directory) to handle file removal actions.

2. Update Agent Configuration

Agent configurations were updated with a <command> block naming the script and an <active-response> block that binds it to the VirusTotal alert, so the script runs locally on the agent that reported the file.

3. Create a Triggering Rule

A rule was created that triggers file removal when VirusTotal identifies a file as malicious. In the PoC guide the active response is bound to the built-in VirusTotal detection rule, and the result the script writes to active-responses.log is picked up by additional custom rules so that the removal (or a failure to remove) shows up as its own alert.

Both Linux and Windows file remediation worked as expected. (Screenshots: Linux file remediation; Windows file remediation.)

One caveat: a single VirusTotal verdict can be a false positive and deletion is irreversible, so in production a quarantine step (moving the file aside) or a minimum number of positives before acting is safer than unconditional removal.
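As an added example (not code from this page and not the remove-threat.sh shipped with the Wazuh PoC guide), the script below is a Python active response handler for the Linux agent that performs the removal step described above. It implements the Wazuh active response protocol (one JSON message from wazuh-execd on stdin, a check_keys handshake before acting) and adds the check a practitioner wants: the path in data.virustotal.source.file is a file name taken from the monitored host, so the script refuses to delete anything that does not resolve under the monitored directory. ALLOWED_ROOTS (/tmp/malware), LOG_FILE, the script name and the sample execd message are assumptions; the message is constructed and trimmed to the fields used.

```python
#!/usr/bin/env python3
"""Active response: remove a file VirusTotal flagged as malicious.

Added example, not the remove-threat.sh from the Wazuh PoC guide. wazuh-execd
starts the script and writes one JSON message on stdin; for command "add" the
script answers with check_keys and must read "continue" before acting.
ALLOWED_ROOTS and LOG_FILE are assumptions for the setup on this page.
"""
import datetime
import io
import json
import os
import sys
import tempfile

ALLOWED_ROOTS = ("/tmp/malware",)                   # assumption: the monitored test directory
LOG_FILE = "/var/ossec/logs/active-responses.log"   # default location for AR script output


def extract_target(message):
    """Return (command, flagged_path) from an execd message; path is None if absent."""
    msg = json.loads(message)
    alert = msg.get("parameters", {}).get("alert", {})
    return msg.get("command"), alert.get("data", {}).get("virustotal", {}).get("source", {}).get("file")


def is_allowed(path, roots=ALLOWED_ROOTS):
    """Accept only absolute paths resolving under an allowed root: the file name comes
    from the monitored host, so '..' components and symlinks must not redirect the delete."""
    if not path or not os.path.isabs(path):
        return False
    real = os.path.realpath(path)
    return any(real == r or real.startswith(r + "/") for r in (os.path.realpath(x) for x in roots))


def remove_threat(path, roots=ALLOWED_ROOTS):
    """Delete the flagged file; the returned status is what gets logged (the success and
    error strings are the ones the PoC guide's reporting rules match on)."""
    if not is_allowed(path, roots):
        return "Remove threat active response aborted: path outside allowed roots"
    try:
        os.remove(path)
        return "Successfully removed threat"
    except OSError:
        return "Error removing threat"


def should_continue(reply):
    """True only if execd answered the check_keys handshake with "continue"."""
    try:
        return json.loads(reply).get("command") == "continue"
    except (ValueError, AttributeError):
        return False


def handle(message, stdin=sys.stdin, stdout=sys.stdout, roots=ALLOWED_ROOTS):
    """Process one execd message end to end and return the status to log."""
    command, path = extract_target(message)
    if command != "add":
        return f"Ignoring command {command!r}"   # "delete" (timeout) cannot undo a removal
    stdout.write(json.dumps({"version": 1, "origin": {"name": "remove-threat", "module": "active-response"},
                             "command": "check_keys", "parameters": {"keys": []}}) + "\n")
    stdout.flush()
    if not should_continue(stdin.readline()):
        return "Remove threat active response aborted by execd"
    return remove_threat(path, roots)


# Constructed execd message in the shape wazuh-execd sends, trimmed to the fields used here.
SAMPLE_MESSAGE = json.dumps({
    "version": 1, "origin": {"name": "node01", "module": "wazuh-execd"}, "command": "add",
    "parameters": {"extra_args": [], "program": "/var/ossec/active-response/bin/remove-threat.py",
                   "alert": {"rule": {"id": "87105", "level": 12},
                             "data": {"virustotal": {"malicious": 1, "positives": 60, "total": 70,
                                                     "source": {"file": "/tmp/malware/eicar.com"}}}}},
})


def run_demo():
    """Offline run with a temporary directory standing in for /tmp/malware."""
    root = tempfile.mkdtemp()
    flagged = os.path.join(root, "eicar.com")
    with open(flagged, "w") as fh:
        fh.write("constructed stand-in for the EICAR test file")
    results = [
        remove_threat(flagged, roots=(root,)),                                          # deleted
        remove_threat(flagged, roots=(root,)),                                          # already gone
        remove_threat(os.path.join(root, "..", "..", "etc", "passwd"), roots=(root,)),  # escapes root
        handle(SAMPLE_MESSAGE, io.StringIO('{"version":1,"command":"abort"}\n'), io.StringIO(), (root,)),
    ]
    os.rmdir(root)
    return results


if __name__ == "__main__":
    if sys.stdin.isatty():       # run by hand: show the offline demo instead of waiting on execd
        print("\n".join(run_demo()))
    else:
        message = sys.stdin.readline()
        status = handle(message)
        with open(LOG_FILE, "a") as log:
            stamp = datetime.datetime.now().strftime("%Y/%m/%d %H:%M:%S")
            log.write(f"{stamp} {sys.argv[0]}: {message.strip()} {status}\n")
```

Run by hand the script prints the offline demo; under the agent it is wired up exactly like the shell script from the guide, through a <command> block naming it and an <active-response> block with <location>local</location> bound to the VirusTotal detection rule. The root check is the point of the example: a malicious file name such as ../../etc/passwd, or a symlink planted in the monitored directory, would otherwise turn the responder itself into an arbitrary-file-delete primitive.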
