ReversingLabs has released a new application for Splunk users to enhance their data using ReversingLabs APIs. This application is titled "ReversingLabs Search Extension for Splunk Enterprise," and it replaces the earlier "ReversingLabs External Lookup for Splunk." The latest release significantly overhauls the add-on, introducing a custom command to enrich data more effectively. This blog post will explore the changes and offer practical examples to maximize the add-on's benefits for Splunk environments.
Splunk Custom Search Commands
Splunk custom search commands allow users to define SPL commands with Python scripts. Custom commands enable the ReversingLabs Search Extension for Splunk Enterprise to provide a better user experience and feature set when performing lookups against your data in Splunk Enterprise.
Overview
Using the new custom command is easy. Rather than using the lookup command, you simply need to use the custom command “reversinglabs”. The custom command is paired with various parameters depending on the type of data you want to look up. For example, suppose you want more information about a file hash from ReversingLabs TitaniumCloud’s massive repository of over 14 billion files. In that case, you simply need to use the file_reputation_hash parameter, such as the following SPL query:
All fields returned by the custom command are prepended with the “RL_” value. For example, here’s a sample of results for the query above:
The complete list of parameters and how to use them is shown in the table below:
Parameter Name | Description | SPL Example |
file_reputation_hash | Perform a reputation lookup of a file hash. Expects an md5, sha1, or sha256 hash string. | | reversinglabs file_reputation_hash=<field> |
file_analysis_hash | Retrieve the more detailed file analysis report of a file hash. | | reversinglabs file_analysis_hash=<field> |
network_reputation_location | Perform a reputation lookup of a network location, including URLs, domains, and IP addresses. | | reversinglabs network_reputation_location=<field> |
File Reputation
An example of how to run a file reputation check with an SPL query is shown in the previous section, but here’s a breakdown of the results that may be useful:
- RL_status: a simple threat classification for the submitted hash, returns MALICIOUS, SUSPICIOUS, KNOWN, or UNKNOWN.
- RL_reason: a quick explanation for how ReversingLabs classified the file hash.
- RL_threatname: the associated threat name for a malicious file hash.
File Analysis Details
The file_analysis_hash parameter provides even more details about a file hash by supplying results from the ReversingLabs TitaniumCore static file analysis engine. The screenshot below shows an example of what rundll32.exe
Network Reputation
The network reputation lookup parameter makes discovering reputation information for IP addresses, URLs, and domains easy by simply providing the field for any of these entities to the network_reputation_location parameter . The screenshot below shows an example of a data set containing HTTP requests filtered for the URL field:
Next, by updating the query to include “| reversinglabs network_reputation_location=result.url”, reputation information is returned from the ReversingLabs API:
This parameter can also be used to look up IP addresses and domains. Here’s an example with the parameter pointing to the result.dest_ip field in the same data set:
Create Dashboards Using Data from ReversingLabs
The ReversingLabs Search Extension for Splunk Enterprise gives Splunk users a powerful set of actions to look up and enrich data when creating SPL queries. Splunk admins and developers can also create helpful dashboards that save time when looking up data. Here are a few examples:
Use Inputs to Manually Lookup Hash Reputation
By creating a dashboard with inputs, Splunk users can make a simple interface for analysts to check the reputation of a file hash quickly:
Add a new text input field and set the token value. Add a new statistics table panel, then supply the following query, where $search_hash$ is the token value:
Sample Classification Breakdown
Creating a simple pie chart for file reputation lookups by classification is a great way to visualize threats in your environment. Consider any data sources that produce file hashes, such as EDR or sysmon logs. By using the new custom command for file hash reputation, you can create a dashboard panel that has this lookup information ready to go:
The query uses the stats function to count the total number of samples by their classification status:
For a more verbose dashboard panel for a specific set of data, consider using a statistics table:
The screenshot above shows the results of sending all “Driver Load” sysmon events to the reversinglabs command for file reputation lookups:
Conclusion
To download the app, search your Splunk instance app manager or visit Splunkbase: https://splunkbase.splunk.com/app/7161
Search within your Splunk App Manager or visit Splunkbase to download the ReversingLabs Search Engine extension.
Discover how you can enrich your data with the world’s largest repository of goodware and malware files by reading more about the ReversingLabs File Reputation API Feed.