Advanced hunting that queries VirusTotal detections

Question

MDATP supports VirusTotal detection ratio for most executions. But how to query VirusTotal details using advanced hunting? For example,

DeviceProcessEvents

| where VirusTotalDetections > 5

How to extract and translate the "VirusTotal detection ratio" parameter from execution GUI tree to advanced hunting query? Thank you.

cyb3rmik3 · Answer

Interesting&nbsp;question&nbsp;genckelmendi. It seems that this information is not being parsed and is being presented "as/is" given that it is a dynamic value (detection ratio is not static) updated each time the page loads.&nbsp;Be that as it may, I would place my bet that this information would be found in AlertEvidence table, which I checked, but&nbsp;AdditionalFields doesn't seem to have this information.&nbsp;&nbsp;If I have answered your question,&nbsp;please mark your post as SolvedIf you like my response,&nbsp;please consider giving it a like

cyb3rmik3 · Answer

Hello&nbsp;genckelmendi,&nbsp;yes, exactly, every time the page loads, it should be invoking information from VT. And it is reasonable, given that VT detection ratio changes based on vendors improvements and the community.&nbsp;Hence, it seems justified not to include this string in the AdditionalFields of AlertEvidence.&nbsp;If I have answered your question,&nbsp;please mark your post as SolvedIf you like my response,&nbsp;please consider giving it a like

genckelmendi · Answer

Nobody knows?

genckelmendi · Answer

Thank you&nbsp;cyb3rmik3&nbsp;, likewise I still haven't found a way around this. By dynamic, you mean that MDATP requests detection ratio from VT each time it loads process tree?

Forum Discussion

Advanced hunting that queries VirusTotal detections

4 Replies

Resources