<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1076912843267184&amp;ev=PageView&amp;noscript=1">

RL Blog

|

ReversingLabs Search Extension for Splunk Enterprise

The new RL Search Extension for Splunk Enterprise provides a better user experience for enriching file data

ReversingLabs Search Extension for Splunk EnterpriseReversingLabs has released a new application for Splunk users to enhance their data using ReversingLabs APIs. This application is titled "ReversingLabs Search Extension for Splunk Enterprise," and it  replaces the earlier "ReversingLabs External Lookup for Splunk." The latest release significantly overhauls the add-on, introducing a custom command to enrich data more effectively. This blog post will explore the changes and offer practical examples to maximize the add-on's benefits for Splunk environments.

Splunk Custom Search Commands

Splunk custom search commands allow users to define SPL commands with Python scripts. Custom commands enable the ReversingLabs Search Extension for Splunk Enterprise to provide a better user experience and feature set when performing lookups against your data in Splunk Enterprise.

Overview

Using the new custom command is easy. Rather than using the lookup command, you simply need to use the custom command “reversinglabs”. The custom command is paired with various parameters depending on the type of data you want to look up. For example, suppose you want more information about a file hash from ReversingLabs TitaniumCloud’s massive repository of over 14 billion files. In that case, you simply need to use the file_reputation_hash parameter, such as the following SPL query:

spl-query


All fields returned by the custom command are prepended with the “RL_” value. For example, here’s a sample of results for the query above:

ReversingLabs Search Extension for Splunk Enterprise

The complete list of parameters and how to use them is shown in the table below:

Parameter Name Description SPL Example
file_reputation_hash Perform a reputation lookup of a file hash. Expects an md5, sha1, or sha256 hash string. | reversinglabs file_reputation_hash=<field>
file_analysis_hash Retrieve the more detailed file analysis report of a file hash. | reversinglabs file_analysis_hash=<field>
network_reputation_location Perform a reputation lookup of a network location, including URLs, domains, and IP addresses. | reversinglabs network_reputation_location=<field>

 

File Reputation

An example of how to run a file reputation check with an SPL query is shown in the previous section, but here’s a breakdown of the results that may be useful:

  • RL_status: a simple threat classification for the submitted hash, returns MALICIOUS, SUSPICIOUS, KNOWN, or UNKNOWN.
  • RL_reason: a quick explanation for how ReversingLabs classified the file hash.
  • RL_threatname: the associated threat name for a malicious file hash.


File Analysis Details

The file_analysis_hash parameter provides even more details about a file hash by supplying results from the ReversingLabs TitaniumCore static file analysis engine. The screenshot below shows an example of what rundll32.exe 

sample of results for the query

Network Reputation

The network reputation lookup parameter makes discovering reputation information for IP addresses, URLs, and domains easy by simply providing the field for any of these entities to the network_reputation_location parameter . The screenshot below shows an example of a data set containing HTTP requests filtered for the URL field:

ReversingLabs

Next, by updating the query to include “| reversinglabs network_reputation_location=result.url”, reputation information is returned from the ReversingLabs API:

sample of results for the query

This parameter can also be used to look up IP addresses and domains. Here’s an example with the parameter pointing to the result.dest_ip field in the same data set:

sample of results for the query

Create Dashboards Using Data from ReversingLabs

The ReversingLabs Search Extension for Splunk Enterprise gives Splunk users a powerful set of actions to look up and enrich data when creating SPL queries. Splunk admins and developers can also create helpful dashboards that save time when looking up data. Here are a few examples:

Use Inputs to Manually Lookup Hash Reputation

By creating a dashboard with inputs, Splunk users can make a simple interface for analysts to check the reputation of a file hash quickly:

sample of results for the query

Add a new text input field and set the token value. Add a new statistics table panel, then supply the following query, where $search_hash$ is the token value:

rl-splunk-integration-blog-figure-07

Sample Classification Breakdown

Creating a simple pie chart for file reputation lookups by classification is a great way to visualize threats in your environment. Consider any data sources that produce file hashes, such as EDR or sysmon logs. By using the new custom command for file hash reputation, you can create a dashboard panel that has this lookup information ready to go:

sample of results for the query

The query uses the stats function to count the total number of samples by their classification status:

rl-splunk-integration-blog-figure-09

For a more verbose dashboard panel for a specific set of data, consider using a statistics table:

sample of results for the query

The screenshot above shows the results of sending all “Driver Load” sysmon events to the reversinglabs command for file reputation lookups:

rl-splunk-integration-blog-figure-11

 

Conclusion

To download the app, search your Splunk instance app manager or visit Splunkbase: https://splunkbase.splunk.com/app/7161

Search within your Splunk App Manager or visit Splunkbase to download the ReversingLabs Search Engine extension.

Discover how you can enrich your data with the world’s largest repository of goodware and malware files by reading more about the ReversingLabs File Reputation API Feed.

 

More Blog Posts

    Special Reports

    Latest Blog Posts

    Is Cybersecurity Ready for the SolarWinds Prosecution? Is Cybersecurity Ready for the SolarWinds Prosecution?

    Conversations About Threat Hunting and Software Supply Chain Security

    Reproducible Builds: Graduate Your Software Supply Chain Security Reproducible Builds: Graduate Your Software Supply Chain Security

    Glassboard conversations with ReversingLabs Field CISO Matt Rose

    Software Package Deconstruction: Video Conferencing Software Software Package Deconstruction: Video Conferencing Software

    Analyzing Risks To Your Software Supply Chain