Skip to content
/ siem2vt Public

Script to send hashes from SIEM to VirusTotal; then to syslog for automation

1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

raoul361/siem2vt

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
README.md
README.md
 
 
siem2vt.py
siem2vt.py
 
 

Repository files navigation

siem2vt

Script to send hashes from SIEM to VirusTotal; then to syslog for automated action.

The intention here is to check hashes from specific events (such as an administrator override/UAC allow, etc.) that are picked up by SIEM. If the file in question is malicious, you can then take an action, to be triggered by the resultant syslog message.

      _                ____        _   
  ___(_) ___ _ __ ___ |___ \__   _| |_ 
 / __| |/ _ \ '_ ` _ \  __) \ \ / / __|
 \__ \ |  __/ | | | | |/ __/ \ V /| |_ 
 |___/_|\___|_| |_| |_|_____| \_/  \__|

Check hashes (md5, sha) against VirusTotal for matches. If there is a match, returns the virus signature for a given AV engine and the number of positive hits.

Arguments

  • hash - the md5/sha hash to check
  • engine - the AV engine to use (e.g. McAfee, Kaspersky)
  • message - the prefix for the syslog message; this makes later parsing easier (e.g. regex based on this text within your automation tool)

Dependencies

pip install virustotal

API Key

Requires a [virustotal.com] (https://www.virustotal.com/en/documentation/virustotal-community/) (free) API key.

About

Script to send hashes from SIEM to VirusTotal; then to syslog for automation

Resources

Readme
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages