Improve Integration with external APIs: Virustotal documentation - How it works section.

[Paw0n]

Description

While testing the issue Release 4.8.0 - Alpha 2 - E2E UX tests - Integration with external APIs: Virustotal #21379, the how it works section in the VirusTotal integration guide, describes how the configuration works but doesn't include the configurations to visualize how the integration works.

We can improve the section by adding more details.

For example,

Configuring the Wazuh server

Apply the following configuration in the Wazuh server:

 <integration>
    <name>virustotal</name>
    <api_key>⛆⛆⛆⛆⛆⛆⛆⛆⛆⛆⛆⛆⛆⛆⛆⛆⛆⛆⛆⛆⛆⛆⛆⛆⛆⛆⛆⛆⛆</api_key>
    <group>syscheck</group>
    <alert_format>json</alert_format>
  </integration>

Restart the Wazuh manager using the command:
# sudo systemctl restart wazuh-manager

Configuring the Wazuh agent

Apply the following configuration below in the Wazuh agent:

<syscheck>
  <directories check_all="yes" realtime="yes">/media/user/software</directories>
</syscheck>

Restart the Wazuh agent using the command:
# sudo systemctl restart wazuh-agent

Testing the configuration

Create a file in the monitored directory /media/user/software
root@Dragon:/media/user/software# touch 'FILENAME'

Verify the Integration works

Run the command in the Wazuh-server:
root@Avatar:~# tail /var/ossec/logs/alerts/alerts.json | grep -i 'FILENAME'

For example, if you created the file newfile.txt in the monitored directory /media/user/software, you can verify with the command below:

root@Avatar:~# tail /var/ossec/logs/alerts/alerts.json | grep -i 'newfile.txt'
{"timestamp":"2024-01-16T14:04:56.786+0100","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"Dragon","ip":"192.168.213.130"},"manager":{"name":"Avatar"},"id":"1705410296.25955","full_log":"File '/media/user/software/newfile.txt' added\nMode: realtime\n","syscheck":{"path":"/media/user/software/newfile.txt","mode":"realtime","size_after":"0","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"d41d8cd98f00b204e9800998ecf8427e","sha1_after":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256_after":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","uname_after":"root","gname_after":"root","mtime_after":"2024-01-16T14:04:56","inode_after":786438,"event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}
root@Avatar:~#

[javimed]

Next to the "How it works" subsection, there's a use case showing configurations, testing steps, and alerts visualization. However, we're improving it by adding a malware test file download command which would comply with what's requested in this issue