Question

Monitor for Uploads of My Company Owned/Signed Files to VirusTotal

  • November 19, 2025
  • 2 replies
  • 33 views

Sam

Hey Community, I'm working on configuring a detection rule in SecOps to monitor and generate an alert when a file owned/signed by my company is uploaded to VirusTotal. Has anyone worked on a similar task in the past? 


Rob_P
Staff
  • November 19, 2025

Hi ​@Sam  - 

You'd likely want to use Livehunting and our SecOps Integration for that, which ingests Livehunt hits into SecOps SOAR as alerts and cases. You can find more information on this setup below. I hope this helps you with your use case, but if not let me know and we can dig into this idea further.

https://gtidocs.virustotal.com/docs/livehunt-guide

https://docs.cloud.google.com/chronicle/docs/soar/marketplace-integrations/google-threat-intelligence#google_threat_intelligence_-_livehunt_connector

 


Sam
  • Author
  • New Member
  • December 6, 2025


Hi ​@Rob_P 

 

Thank you for your response. I was able to create the YARA rule below, but I didn’t get any matches after saving it and running a retrohunt. Could you please review the rule and let me know if it is correct?

Thanks.

/*
  Livehunt YARA ruleset template

  Learn more about writing Livehunt YARA rules at
  https://gtidocs.virustotal.com/docs/livehunt-guide.

  Livehunt allows you to match file report metadata in addition to binary contents.
  A ruleset is a collection of one or more Livehunt rules. A ruleset containing 3
  YARA rules will consume 3 Livehunt rule credits. 2 rulesets, one containing 2
  YARA rules and another one containing 3 YARA rules, will consume 5 Livehunt
  rule credits.
*/

rule yara_template
{
  meta:
    author = "Sam "
    description = "Monitor for “MyCompany” files uploaded to VT"
    target_entity = "file"
  strings:
    $a = "First string"
    $b = "Second string"
    $c = "Third string"
    $d = "Fourth string"
  condition:
    all of them
}

import "vt"

rule sonicwall {
  condition:
    for any engine, signature in vt.metadata.signatures : (
      signature contains "MyCompanyName"
    )
}
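
Added example, not part of the thread and not VirusTotal's own code: one way to express "signed by my company" is to read the embedded Authenticode certificate and the version resource through the standard YARA `pe` module, rather than iterating the per-engine detection names in `vt.metadata.signatures`. `MyCompanyName` is the thread's placeholder, the rule names are hypothetical, and whether a given Livehunt ruleset accepts this unchanged is an assumption to confirm against the Livehunt guide linked above.

```yara
import "pe"

// "MyCompanyName" is the placeholder used in the thread. Replace it with the
// exact certificate subject / CompanyName text found in your own releases.
// Rule names are hypothetical.

rule MyCompany_Signed_PE
{
  meta:
    description = "PE with an embedded signature whose subject names MyCompanyName"
    target_entity = "file"
  condition:
    uint16(0) == 0x5A4D and                  // MZ header: only evaluate PE files
    pe.number_of_signatures > 0 and          // guard the index range below
    for any i in (0 .. pe.number_of_signatures - 1) : (
      pe.signatures[i].subject contains "MyCompanyName"
    )
}

rule MyCompany_Claimed_But_Unsigned_PE
{
  meta:
    description = "PE whose version resource claims MyCompanyName but carries no embedded signature"
    target_entity = "file"
  condition:
    uint16(0) == 0x5A4D and
    pe.number_of_signatures == 0 and
    (
      // Missing keys evaluate as undefined, which the 'or' treats as false
      pe.version_info["CompanyName"] contains "MyCompanyName" or
      pe.version_info["LegalCopyright"] contains "MyCompanyName"
    )
}
```

Both rules compare text only and do not validate the certificate chain, so a self-signed certificate that reuses the company name will also match the first rule; treat hits as triage input. Catalog-signed files and non-PE formats are outside what these conditions cover.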