2017-12-05 10:43 AM
Hi Team,
Please let me know, is it possible to integrate RSA with VirusTotal?
2017-12-06 12:45 AM
That's quite a broad question - what sort of integration are you looking for? Do you have an example use case that you would like to implement?
2017-12-06 05:22 AM
Hi Chris,
Thanks for your response.
I read an article on the internet that mentioned QRadar and ArcSight have the possibility of integrating their SIEM solution with VirusTotal.
So I would like to know, is there any possibility with RSA?
2017-12-08 09:41 AM
We've used right-click plugins in the past to query data in VirusTotal. For example, in this plugin I pivoted from 'alias.host' meta into VirusTotal's passive DNS feature. If you are getting file hashes from some log event sources, the URL and meta key (cssClasses) in this plugin could be slightly modified to pivot directly into a VT search.
{
"groupName": "externalLookupGroup",
"openInNewTab": "true",
"urlFormat": "https://www.virustotal.com/en/domain/{0}/information/",
"moduleClasses": [
"UAP.investigation.InvestigationValuesApplication"
],
"type": "UAP.common.contextmenu.actions.URLContextAction",
"version": "1",
"id": "VirusTotalPDNSAction",
"order": "15",
"description": "",
"local": "false",
"displayName": "VirusTotal PDNS",
"modules": [
"investigation"
],
"disabled": "",
"cssClasses": [
"alias-host"
]
}
Furthermore, the Malware Analysis appliance checks hashes of files it has obtained over the network, but you would likely see more interesting results from the hashes of files that were launched. ECAT/NetWitness Endpoint could also be a source for this meta.
So, there are options in leveraging VirusTotal. However, as Chris Thomas mentioned above, we might need to know a bit more about your expectations for this use case.
Chris
2017-12-09 05:11 AM
Dear Chris
Thanks for response.
Please help me with how to make that plugin.
If you share the step-by-step instructions, it will be very helpful for me.
Also, where will I configure the below-mentioned rule?
{
"groupName": "externalLookupGroup",
"openInNewTab": "true",
"urlFormat": "https://www.virustotal.com/en/domain/{0}/information/",
"moduleClasses": [
"UAP.investigation.InvestigationValuesApplication"
],
"type": "UAP.common.contextmenu.actions.URLContextAction",
"version": "1",
"id": "VirusTotalPDNSAction",
"order": "15",
"description": "",
"local": "false",
"displayName": "VirusTotal PDNS",
"modules": [
"investigation"
],
"disabled": "",
"cssClasses": [
"alias-host"
]
}
2017-12-10 08:15 PM
Abu,
They might look something like this. Each would be its own separate entry in Admin, System, Context Menu Actions.
{
"displayName": "VirusTotal PassiveDNS",
"cssClasses": [
"alias-host",
"alias.host"
],
"description": "",
"type": "UAP.common.contextmenu.actions.URLContextAction",
"version": "1",
"modules": [
"investigation"
],
"local": "false",
"groupName": "externalLookupGroup",
"urlFormat": "https://www.virustotal.com/en/domain/{0}/information/",
"disabled": "",
"id": "VirusTotalPDNS",
"moduleClasses": [
"UAP.investigation.navigate.view.NavigationPanel",
"UAP.investigation.events.view.EventGrid"
],
"openInNewTab": "true",
"order": "12"
}
{
"displayName": "VirusTotal Hash Lookup",
"cssClasses": [
"hash",
"checksum"
],
"description": "",
"type": "UAP.common.contextmenu.actions.URLContextAction",
"version": "1",
"modules": [
"investigation"
],
"local": "false",
"groupName": "externalLookupGroup",
"urlFormat": "https://www.virustotal.com/en/file/{0}/analysis/",
"disabled": "",
"id": "VirusTotalHashLookup",
"moduleClasses": [
"UAP.investigation.navigate.view.NavigationPanel",
"UAP.investigation.events.view.EventGrid"
],
"openInNewTab": "true",
"order": "13"
}
Chris Ahearn
RSA | Principal Consultant | Incident Response
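As an added example, not code from this thread or from RSA, the Python script below takes the two context-menu entries posted above, validates them the way a practitioner would before pasting them into Admin > System > Context Menu Actions (well-formed JSON, the keys each entry needs, a "{0}" placeholder in urlFormat, unique ids), and then renders the URL a right-click on a given meta value would open. It adds two checks the entries themselves cannot enforce: a hash action only fires on a real MD5/SHA-1/SHA-256 hex digest, and a hostname action refuses values that look like internal names, because a pivot sends the raw meta value to a third party. The mapping from cssClasses to a validator, the list of internal suffixes and the sample values are assumptions made for this example; the VirusTotal URL patterns are the ones used in the thread, and since the site's URL scheme has changed over the years you should confirm them against the current site before deploying.

```python
import json
import re
from urllib.parse import quote

# Constructed sample input: the two context-menu entries posted in this thread, wrapped in a
# JSON array so one file can hold both (the Admin UI itself takes one object per entry).
ACTIONS_JSON = r'''[
  {"displayName": "VirusTotal PassiveDNS", "cssClasses": ["alias-host", "alias.host"],
   "description": "", "type": "UAP.common.contextmenu.actions.URLContextAction", "version": "1",
   "modules": ["investigation"], "local": "false", "groupName": "externalLookupGroup",
   "urlFormat": "https://www.virustotal.com/en/domain/{0}/information/", "disabled": "",
   "id": "VirusTotalPDNS", "openInNewTab": "true", "order": "12",
   "moduleClasses": ["UAP.investigation.navigate.view.NavigationPanel",
                     "UAP.investigation.events.view.EventGrid"]},
  {"displayName": "VirusTotal Hash Lookup", "cssClasses": ["hash", "checksum"],
   "description": "", "type": "UAP.common.contextmenu.actions.URLContextAction", "version": "1",
   "modules": ["investigation"], "local": "false", "groupName": "externalLookupGroup",
   "urlFormat": "https://www.virustotal.com/en/file/{0}/analysis/", "disabled": "",
   "id": "VirusTotalHashLookup", "openInNewTab": "true", "order": "13",
   "moduleClasses": ["UAP.investigation.navigate.view.NavigationPanel",
                     "UAP.investigation.events.view.EventGrid"]}
]'''

# Keys every entry in the thread carries; treated here as required (assumption).
REQUIRED_KEYS = {"id", "displayName", "type", "urlFormat", "cssClasses", "modules", "moduleClasses"}
URL_ACTION = "UAP.common.contextmenu.actions.URLContextAction"

# Assumption for this example: cssClasses name the meta key, so they pick the validator.
HASH_CLASSES = {"hash", "checksum"}
HOST_CLASSES = {"alias-host", "alias.host"}
HEX_HASH = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")
HOSTNAME = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
# Names that should never be disclosed to an external lookup service (assumed list).
INTERNAL_SUFFIXES = (".local", ".internal", ".lan", ".corp", ".home")


def load_actions(text):
    """Parse and validate context-menu entries; returns a list of dicts.

    Raises ValueError for malformed JSON (reported with line and column, which is what
    a paste error in the UI points at) and for entries that would be silently dead:
    missing keys, no {0} placeholder, empty cssClasses, duplicate ids."""
    try:
        actions = json.loads(text)
    except json.JSONDecodeError as e:
        raise ValueError(f"not valid JSON at line {e.lineno}, column {e.colno}: {e.msg}")
    if isinstance(actions, dict):
        actions = [actions]
    seen = set()
    for a in actions:
        missing = REQUIRED_KEYS - set(a)
        if missing:
            raise ValueError(f"{a.get('id', '?')}: missing keys {sorted(missing)}")
        if a["type"] == URL_ACTION and "{0}" not in a["urlFormat"]:
            raise ValueError(f"{a['id']}: urlFormat has no {{0}} placeholder for the meta value")
        if not a["cssClasses"]:
            raise ValueError(f"{a['id']}: cssClasses is empty, the action would never appear")
        if a["id"] in seen:
            raise ValueError(f"duplicate id {a['id']}")
        seen.add(a["id"])
    return actions


def check_value(action, value):
    """Reject values that would give a broken pivot or leak an internal name to VirusTotal."""
    v = value.strip().lower()
    classes = set(action["cssClasses"])
    if classes & HASH_CLASSES:
        if not HEX_HASH.match(v):
            raise ValueError(f"{value!r} is not an MD5, SHA-1 or SHA-256 hex digest")
    elif classes & HOST_CLASSES:
        if not HOSTNAME.match(v):
            raise ValueError(f"{value!r} is not a fully qualified public hostname")
        if v.endswith(INTERNAL_SUFFIXES):
            raise ValueError(f"{value!r} looks internal; do not send it to an external lookup")
    return v


def build_pivot_url(action, value):
    """Render the URL the right-click action would open for one meta value."""
    v = check_value(action, value)
    # Percent-encode so the value cannot add path segments or a query string to the URL.
    return action["urlFormat"].replace("{0}", quote(v, safe=""))


if __name__ == "__main__":
    pdns, hash_lookup = load_actions(ACTIONS_JSON)
    print(build_pivot_url(hash_lookup, "d41d8cd98f00b204e9800998ecf8427e"))
    print(build_pivot_url(pdns, "www.example.com"))
```

Run it against the JSON you intend to paste: a "not valid JSON at line N" message is the same class of error the Admin UI reports, and the hostname check is worth keeping in mind even without the script, since an analyst right-clicking an internal server name hands that name to VirusTotal.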
2017-12-11 12:34 PM
Dear Chris,
Thanks for clarification,
I am getting an error when copy/pasting. Please find the screenshot for reference, line number 55.
2017-12-11 12:36 PM
And I am pasting the below-mentioned data. Please help with the same.
{
"displayName": "VirusTotal PassiveDNS",
"cssClasses": [
"alias-host",
"alias.host"
],
"description": "",
"type": "UAP.common.contextmenu.actions.URLContextAction",
"version": "1",
"modules": [
"investigation"
],
"local": "false",
"groupName": "externalLookupGroup",
"urlFormat": "https://www.virustotal.com/en/domain/{0}/information/",
"disabled": "",
"id": "VirusTotalPDNS",
"moduleClasses": [
"UAP.investigation.navigate.view.NavigationPanel",
"UAP.investigation.events.view.EventGrid"
],
"openInNewTab": "true",
"order": "12"
}
{
"displayName": "VirusTotal Hash Lookup",
"cssClasses": [
"hash",
"checksum"
],
"description": "",
"type": "UAP.common.contextmenu.actions.URLContextAction",
"version": "1",
"modules": [
"investigation"
],
"local": "false",
"groupName": "externalLookupGroup",
"urlFormat": "https://www.virustotal.com/en/file/{0}/analysis/",
"disabled": "",
"id": "VirusTotalHashLookup",
"moduleClasses": [
"UAP.investigation.navigate.view.NavigationPanel",
"UAP.investigation.events.view.EventGrid"
],
"openInNewTab": "true",
"order": "13"
}
2017-12-11 01:12 PM
2017-12-13 09:19 AM
Dear Chris,
Many thanks, it's working in the Investigation tab.
Are there any other possibilities with VirusTotal with SA in RE, Dashboard or ESA?