VirusTotal hash lookup for RSA NetWitness does not return results for MD5 and SHA1
Issue
How to configure the VirusTotal context menu action so that MD5 and SHA1 hash lookups, not only SHA256, return results during event reconstruction.
Cause
The urlFormat in the VirusTotal context menu action points at VirusTotal's per-file analysis page (/en/file/{0}/analysis/). VirusTotal only resolves that URL for a SHA256 value, so an MD5 or SHA1 selected in the reconstruction grid is substituted into the URL correctly but returns no result.
On Security Analytics, under Administration > System > Context Menu Actions, the VirusTotal menu action is typically configured as:
{
  "displayName": "Virustotal Hash",
  "cssClasses": [
    "ctxmenu-hash-lookup"
  ],
  "description": "",
  "type": "UAP.common.contextmenu.actions.URLContextAction",
  "version": "1",
  "modules": [
    "investigation"
  ],
  "local": "false",
  "urlFormat": "https://www.virustotal.com/en/file/{0}/analysis/",
  "disabled": "",
  "id": "Virustotal Hash",
  "moduleClasses": [
    "UAP.investigation.reconstruction.view.content.ReconstructedEventDataGrid"
  ],
  "openInNewTab": "true",
  "order": "2"
}
Resolution
Update the VirusTotal context menu action with a urlFormat that VirusTotal resolves for MD5, SHA1 and SHA256 values alike. Only the urlFormat line changes; the rest of the action definition stays as it was:
{
  "displayName": "Virustotal Hash",
  "cssClasses": [
    "ctxmenu-hash-lookup"
  ],
  "description": "",
  "type": "UAP.common.contextmenu.actions.URLContextAction",
  "version": "1",
  "modules": [
    "investigation"
  ],
  "local": "false",
  "urlFormat": "https://www.virustotal.com/en/latest-scan/{0}",
  "disabled": "",
  "id": "Virustotal Hash",
  "moduleClasses": [
    "UAP.investigation.reconstruction.view.content.ReconstructedEventDataGrid"
  ],
  "openInNewTab": "true",
  "order": "2"
}
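The following script is an added example for this article, not RSA NetWitness or VirusTotal code. It parses the corrected action definition from the Resolution section, checks the fields a URLContextAction needs (including the {0} placeholder that NetWitness replaces with the selected grid value), confirms the selected value is actually an MD5, SHA1 or SHA256 hex digest before it is sent to an external site, and builds the URL the context menu would open. The sample hashes are constructed in-code (digests of an empty input); the script runs offline and never contacts VirusTotal. It also substitutes the original /en/file/{0}/analysis/ format to show that both definitions are well-formed: the MD5/SHA1 failure is in how VirusTotal resolves that URL, not in the action JSON.

```python
"""Check a NetWitness URLContextAction definition and build VirusTotal hash
lookup URLs offline.

Added example for this article, not RSA NetWitness or VirusTotal code. The
action definition is the corrected one from the Resolution section; the
sample hashes are constructed here (digests of an empty input) and the
script never contacts VirusTotal.
"""
import hashlib
import json
import re

# Corrected context menu action (Resolution section).
ACTION_JSON = r'''{
  "displayName": "Virustotal Hash",
  "cssClasses": ["ctxmenu-hash-lookup"],
  "description": "",
  "type": "UAP.common.contextmenu.actions.URLContextAction",
  "version": "1",
  "modules": ["investigation"],
  "local": "false",
  "urlFormat": "https://www.virustotal.com/en/latest-scan/{0}",
  "disabled": "",
  "id": "Virustotal Hash",
  "moduleClasses": ["UAP.investigation.reconstruction.view.content.ReconstructedEventDataGrid"],
  "openInNewTab": "true",
  "order": "2"
}'''

# Original urlFormat from the Cause section. It is just as well-formed, which
# is why a definition check alone cannot catch the MD5/SHA1 problem.
OLD_URL_FORMAT = "https://www.virustotal.com/en/file/{0}/analysis/"

URL_ACTION_TYPE = "UAP.common.contextmenu.actions.URLContextAction"
REQUIRED_KEYS = {"displayName", "type", "modules", "urlFormat", "id", "moduleClasses"}
HASH_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest lengths
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Constructed sample values: digests of the empty input.
SAMPLE_HASHES = {
    "md5": hashlib.md5(b"").hexdigest(),
    "sha1": hashlib.sha1(b"").hexdigest(),
    "sha256": hashlib.sha256(b"").hexdigest(),
}


def load_action(text):
    """Parse a context menu action and check the fields a URL action needs."""
    action = json.loads(text)
    missing = REQUIRED_KEYS - set(action)
    if missing:
        raise ValueError("action is missing keys: %s" % sorted(missing))
    if action["type"] != URL_ACTION_TYPE:
        raise ValueError("not a URLContextAction: %s" % action["type"])
    if "{0}" not in action["urlFormat"]:
        raise ValueError("urlFormat has no {0} placeholder for the selected value")
    return action


def is_valid_action(text):
    """True if the JSON parses and passes the checks in load_action."""
    try:
        load_action(text)
        return True
    except (ValueError, KeyError, TypeError):
        return False


def classify_hash(value):
    """Return 'md5', 'sha1' or 'sha256' for a hex digest of that length, else None."""
    v = value.strip()
    if not HEX_RE.match(v):
        return None
    return HASH_KINDS.get(len(v))


def build_lookup_url(url_format, value):
    """Substitute the selected grid value into urlFormat the way NetWitness
    does, after confirming it is a hash so arbitrary grid text is not sent out."""
    kind = classify_hash(value)
    if kind is None:
        raise ValueError("not an MD5/SHA1/SHA256 hex digest: %r" % value)
    return kind, url_format.replace("{0}", value.strip().lower())


def lookup_table(url_format, values=None):
    """Map each hash kind to the URL the context menu would open for it."""
    if values is None:
        values = list(SAMPLE_HASHES.values())
    return dict(build_lookup_url(url_format, v) for v in values)


if __name__ == "__main__":
    action = load_action(ACTION_JSON)
    for kind, url in lookup_table(action["urlFormat"]).items():
        print("%-6s -> %s" % (kind, url))
    # The old format substitutes just as cleanly; per the article VirusTotal
    # resolves this form only when the value is a SHA256.
    for kind, url in lookup_table(OLD_URL_FORMAT).items():
        print("%-6s -> %s (resolves for sha256 only)" % (kind, url))
```

Run it after editing the action to confirm the pasted JSON still parses and that each hash type produces a URL of the intended shape; the hash check is also what you would want in front of any context menu action that sends a selected grid value to a third-party site.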
Referenced from https://www.virustotal.com/en/faq/#shortcuts
Product Details
RSA Product Set: NetWitness Logs & Packets
RSA Product/Service Type: SA Security Analytics Server
RSA Version/Condition: 10.4.x, 10.5.x, 10.6.x, 11.x
Platform: CentOS
O/S Version: EL6, EL7
Summary
How to change the VirusTotal context menu action so it looks up MD5, SHA1, and SHA256 hashes.