Forum Discussion
Advanced hunting that queries VirusTotal detections
Interesting question genckelmendi. It seems that this information is not being parsed and is being presented "as/is" given that it is a dynamic value (detection ratio is not static) updated each time the page loads.
Be that as it may, I would place my bet that this information would be found in AlertEvidence table, which I checked, but AdditionalFields doesn't seem to have this information.
If I have answered your question, please mark your post as Solved
If you like my response, please consider giving it a like
Thank you cyb3rmik3 , likewise I still haven't found a way around this. By dynamic, you mean that MDATP requests detection ratio from VT each time it loads process tree?
Hello genckelmendi,
yes, exactly, every time the page loads, it should be invoking information from VT. And it is reasonable, given that VT detection ratio changes based on vendors improvements and the community.
Hence, it seems justified not to include this string in the AdditionalFields of AlertEvidence.
If I have answered your question, please mark your post as Solved
If you like my response, please consider giving it a like