@adliwahid
Created January 14, 2021 01:48
Logstash configuration + Virustotal API with http filter + memcached
# There are VirusTotal filters for Logstash if you search the Internet; this one uses the stock http filter instead.
# I have a field "hash" that contains the sha256 of the file downloaded on the honeypot.
# memcached is used to store the query results in memory:
# the lookup goes to memcached first, and only if nothing is there is the HTTP request made with the API key.
# This minimises the number of VirusTotal queries made for the same file hash (the API is rate-limited).
# The returned result is stored in the vt.* fields. You may need to remove fields that you don't need.
# You'll also need to install memcached and the Logstash memcached filter (logstash-filter-memcached).
input {}

filter {
  # Only look up well-formed SHA-256 values. Anything else is left alone and,
  # importantly, is never interpolated into the request URL below.
  if [hash] and [hash] =~ /^[0-9a-fA-F]{64}$/ {
    memcached {
      # memcached has no authentication by default: keep it bound to loopback.
      hosts => ["127.0.0.1:11211"]
      namespace => "virustotal"
      get => {
        "%{[hash]}" => "[vt]"
      }
      add_tag => ["hash_memcached_get"]
    }

    # Cache miss: ask VirusTotal. The API key is read from the environment
    # (or the Logstash keystore) instead of being committed to the config file.
    if ![vt] {
      http {
        url => "https://www.virustotal.com/api/v3/files/%{hash}"
        verb => "GET"
        headers => { "x-apikey" => "${VT_API_KEY}" }
        target_body => "[vt]"
        target_headers => "[@metadata][vt-response-header]"
      }
      # A non-2xx answer (404 for a hash VirusTotal has never seen, 429 when the
      # API rate limit is exceeded) leaves [vt] unset and tags the event with
      # _httprequestfailure, so nothing is cached and the next event carrying
      # the same hash will query again.

      # set the result in memcached (keys are prefixed with the namespace)
      if [vt] {
        memcached {
          hosts => ["127.0.0.1:11211"]
          namespace => "virustotal"
          set => {
            "[vt]" => "%{[hash]}"
          }
          # 3600 * 24: store for 24 hours
          ttl => 86400
          add_tag => ["hash_memcached_set"]
        }
      }
    }
  }

  # remove fields that you don't need (example)
  # if [vt] {
  #   mutate {
  #     remove_field => [
  #       "[vt][data][type]",
  #       "[vt][data][id]"
  #     ]
  #   }
  # }
}

output {}
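The same cache-aside flow as a runnable Python example. This is an added illustration, not code from the gist or from Logstash: memcached and the VirusTotal endpoint are replaced by constructed stand-ins (FakeMemcached, FakeVirusTotal, both assumptions), the hash is validated before it is used as a cache key or URL component, and, going one step beyond the Logstash config, a 404 "not found" answer is cached for a shorter time (NEGATIVE_TTL, also an assumption) so that hashes VirusTotal has never seen do not cost an API call on every event. The tag names mirror the ones used in the config above.

```python
import re
import time
from typing import Any, Dict, Optional, Tuple

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
POSITIVE_TTL = 86400   # 24 h, the same ttl the Logstash memcached filter uses above
NEGATIVE_TTL = 3600    # assumption: remember "not found" for 1 h so unknown hashes don't burn quota


class FakeMemcached:
    """Minimal in-memory stand-in for memcached (get/set with TTL); constructed for this example."""

    def __init__(self, clock=time.monotonic):
        self._store: Dict[str, Tuple[Any, Optional[float]]] = {}
        self._clock = clock

    def get(self, key: str):
        item = self._store.get(key)
        if item is None:
            return None
        value, expires = item
        if expires is not None and self._clock() >= expires:
            del self._store[key]          # lazily expire, as memcached would on access
            return None
        return value

    def set(self, key: str, value, ttl: int = 0) -> None:
        self._store[key] = (value, self._clock() + ttl if ttl else None)


class FakeVirusTotal:
    """Stand-in for GET https://www.virustotal.com/api/v3/files/<sha256> with the x-apikey header.
    Returns (status, body). `known` maps lowercase sha256 -> report dict (constructed data)."""

    def __init__(self, known: Dict[str, dict]):
        self.known = known
        self.calls = 0                    # counts real API requests, i.e. the cost we try to minimise

    def files(self, sha256: str, api_key: str) -> Tuple[int, dict]:
        self.calls += 1
        if not api_key:
            return 401, {"error": {"code": "WrongCredentialsError"}}
        report = self.known.get(sha256.lower())
        if report is None:
            return 404, {"error": {"code": "NotFoundError"}}
        return 200, {"data": report}


NOT_FOUND = {"not_found": True}          # sentinel stored for negative cache entries


def enrich(event: dict, cache: FakeMemcached, vt: FakeVirusTotal, api_key: str,
           namespace: str = "virustotal") -> dict:
    """Cache-aside lookup: memcached first, VirusTotal only on a miss, then write back."""
    tags = event.setdefault("tags", [])
    h = event.get("hash")
    if not isinstance(h, str) or not SHA256_RE.match(h):
        return event                      # nothing sane to look up; never build a key or URL from it
    key = f"{namespace}:{h.lower()}"      # assumed key layout: namespace prefix + lowercase hash
    cached = cache.get(key)
    if cached is not None:
        event["vt"] = cached
        tags.append("hash_memcached_get")
        return event
    status, body = vt.files(h, api_key)
    if status == 200:
        event["vt"] = body
        cache.set(key, body, POSITIVE_TTL)
        tags.append("hash_memcached_set")
    elif status == 404:
        event["vt"] = NOT_FOUND
        cache.set(key, NOT_FOUND, NEGATIVE_TTL)
        tags.append("hash_memcached_set")
    else:
        tags.append("_httprequestfailure")   # 401/429/5xx: cache nothing, let a later event retry
    return event


def demo() -> dict:
    """Constructed honeypot events: repeated known hash, repeated unknown hash, and garbage input."""
    known_hash = "a" * 64
    vt = FakeVirusTotal({known_hash: {"type": "file", "id": known_hash,
                                       "attributes": {"last_analysis_stats": {"malicious": 42}}}})
    cache = FakeMemcached()
    events = [
        {"hash": known_hash},
        {"hash": known_hash.upper()},     # same file, different case: must be a cache hit
        {"hash": "b" * 64},               # VirusTotal has never seen it
        {"hash": "b" * 64},               # ... and we must not ask again
        {"hash": "../../etc/passwd"},     # garbage: skipped without any request
    ]
    out = [enrich(dict(e), cache, vt, api_key="EXAMPLE_KEY") for e in events]
    return {"events": out, "vt_calls": vt.calls}


if __name__ == "__main__":
    result = demo()
    print("VirusTotal calls made:", result["vt_calls"])
    for e in result["events"]:
        print(e.get("hash"), e.get("tags"), "vt" in e)
```

Five events produce only two API calls: one for the known hash and one for the unknown one. The Logstash config cannot easily express the negative-cache branch, which is why unknown hashes are re-queried there on every event; if your honeypot sees many never-before-submitted files, that branch is the one worth adding.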