THREAT ANALYTICS Search CHROME Extension
Current Version 4.0 – Updated on 5/7/2015 to add support for a 3rd group and the ability to HTTP POST in addition to GET. Also updated search providers – go to Options and click the “Refresh Now” button to load the new providers.
Most users will NOT need to use the POST function – just ignore it. The POST function is useful when you want to POST (versus GET) a search term to an application or API. Copy the destination URL into the ‘Link’ field and add the raw POST data in the ‘Add POST value’ field. By default the HTTP POST is sent directly from the Chrome extension, which some applications/APIs will not allow. In that case use a PROXY to send the POST. A simple proxy script can be found at https://www.criticalstart.com/?p=3430.
Note – Virus Total has changed MD5 lookup – use this instead https://www.virustotal.com/latest-report.html?resource=TESTSEARCH
Version 3.3 – Updated on 12/5/2013 to fix a bug when using SSL with Security Analytics enabled. Added Carbon Black support (beta).
Version 3.0.7 – Updated on 10/9/2013 to fix a bug when saving a new NetWitness Pivot Query.
Version 3 – added integration with RSA NetWitness (Windows client)
Version 2 – added integration with RSA Security Analytics web interface
The extension is available at the Chrome Web Store. You need at least Chrome version 6.0.472 to install and use this extension.
The screenshot below is an example of the configuration options. By selecting a URL and clicking “Domain Lookup”, every search provider in that group is opened in a new tab. This saves valuable time for security analysts investigating many different events. You can edit the group names (IP Lookup, Domain) just by clicking in the column header. Drag the arrows to rearrange search providers.
The initial configuration is downloaded from our website at http://criticalstart.wpengine.com/cschromeplugin/criticalstart.txt. It looks like:
You can make your own configuration file and host it yourself. Use the supplied example as a guide. The first boolean value for each search provider (true/false) determines whether the search provider is enabled by default. The second boolean value shows whether the provider came from the remote configuration file or was added manually. The last item determines whether the search provider is a member of no groups (0), group 1 (1), group 2 (2), or both groups (3).
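As an added illustration of the provider fields described above (not code from the extension or from Critical Start), the snippet below models a provider list with the enabled flag, remote/manual flag and group value, selects the providers a group lookup would open, and substitutes the selected text for the TESTSEARCH placeholder. The on-disk syntax of criticalstart.txt is not reproduced; the in-memory tuple layout, the sample providers, and the reading of the group value as a bitmask (with the 3rd group from 4.0 as value 4) are assumptions.

```python
from urllib.parse import quote

# Placeholder the page shows in the VirusTotal link; the selected text goes here.
PLACEHOLDER = "TESTSEARCH"

# Constructed sample providers: (name, link template, enabled by default,
# from remote config, group value). Group value 0 = no group, 1 = group 1,
# 2 = group 2, 3 = both; treating it as a bitmask is an assumption.
SAMPLE_PROVIDERS = [
    ("VirusTotal",
     "https://www.virustotal.com/latest-report.html?resource=TESTSEARCH",
     True, True, 3),
    ("IP lookup (sample)", "https://ip.example/lookup?q=TESTSEARCH", True, True, 1),
    ("Domain lookup (sample)", "https://domain.example/?d=TESTSEARCH", True, True, 2),
    ("Disabled provider (sample)", "https://off.example/?q=TESTSEARCH", False, True, 3),
    ("Manual provider (sample)", "https://manual.example/?q=TESTSEARCH", True, False, 0),
]


def in_group(group_value, n):
    """True if the provider's group value includes group n (1-based)."""
    return bool(group_value & (1 << (n - 1)))


def build_lookup(link, term):
    """Replace TESTSEARCH with the selected text, percent-encoded so characters
    such as '&', '=' or '#' in the selection cannot add or cut off query
    parameters of the provider URL."""
    return link.replace(PLACEHOLDER, quote(term, safe=""))


def group_lookups(providers, n, term):
    """URLs a 'group n' lookup would open: enabled providers belonging to group n."""
    return [build_lookup(link, term)
            for (_name, link, enabled, _remote, group_value) in providers
            if enabled and in_group(group_value, n)]


if __name__ == "__main__":
    for url in group_lookups(SAMPLE_PROVIDERS, 2, "example.test"):
        print(url)
```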
If you have suggestions for search providers or improvements, please send an email to [email protected]. This will automatically open a case in our ticketing system.