MA: Services Config View - Auditing Tab

Document created by RSA Information Design and Development on Nov 23, 2016Last modified by RSA Information Design and Development on Nov 29, 2016
Version 2Show Document
  • View in full screen mode
  

This topic introduces the features and functions of the Auditing tab in the Services Config view for Security Analytics Malware Analysis. The Auditing tab in the Services Config view for Security Analytics Malware Analysis provides a way to configure the auditing feature. Malware Analysis has an automated auditing system capable of sending alerts (syslog, snmp, audit log file entries) as Malware Analysis exceeds configured score value thresholds for each scoring module (Network, Static, Community, Sandbox). Security Analytics Malware Analysis can automatically feed any external system capable of ingesting the supported audit formats. One alert is generated for each file in an analyzed session that meets or exceeds the configure threshold.
The audit log is a log file maintained on the Malware Analysis appliance for every significant event or action. Audit logs are rolled out and archived over time as they become large so an audit history is maintained. The size of these audit logs and their number are both configurable.
Some examples of events that are logged are:

  • User login successes and failures
  • Changes to system configuration settings
  • Server restart
  • Server version upgrade and install
  • Suspicious events that exceed the Audit Thresholds

Security Analytics Malware Analysis can send audit events as an SNMP trap to a configured SNMP trap host, and consolidate logs in syslog format. Refer to the following task topic for detailed procedures: Configure Auditing on Malware Analysis Appliance.

Features

The Auditing tab includes four sections and an Apply button used to save changes made in this tab and put them into effect.

Audit Thresholds

This table describes the features in the Audit Thresholds section.

                                
NameConfig Value
Community, Static, Network, and Sandbox ThresholdsMalware Analysis scoring module thresholds for recording event information in a log file. Security Analytics Malware Analysis records the event information in a log file if the event scored high enough to satisfy all of the auditing thresholds. Each scoring category that completed analysis (for example, not all sessions invoke sandbox analysis) is compared against the configured audit threshold for that category. All completed categories must exceed the threshold in order for an audit event to be triggered.
An integer between 0 and 100 is a valid value. Setting these thresholds too low may cause a very large volume of audit events and notifications.
Notify when Installed A/V Misses and Primary A/V DetectsRecords a message in a log file when installed antivirus software misses a virus and the primary antivirus software detects that virus. The recorded message is sent through all enabled auditing methods: SNMP, File, and Syslog.
The default value is unchecked.
Notify when Installed A/V Misses and Secondary A/V DetectsRecords a message in a log file when installed antivirus software misses a virus and the secondary antivirus software detects that virus. The recorded message is sent through all enabled auditing methods: SNMP, File, and Syslog.
The default value is unchecked.
Notify when Installed A/V Misses and Other A/V DetectsRecords a message in a log file when installed antivirus software misses a virus and the other antivirus software detects that virus. The recorded message is sent through all enabled auditing methods: SNMP, File, and Syslog.
The default value is unchecked.
Notify when High Confidence IOC triggersRecords a message in a log file when a high confidence IOC (Indicators of Compromise) triggers. The recorded message is sent through all enabled auditing methods: SNMP, File, and Syslog.
The default value is unchecked.

SNMP Auditing

The Simple Network Management Protocol (SNMP) is an Internet-standard protocol for managing services on IP networks. When SNMP auditing is enabled, Security Analytics Malware Analysis can send an audit event as an SNMP trap to a configured SNMP trap host. 

This table describes the features in the SNMP Auditing section.

                                           
NameConfig Value
EnabledClick to enable or disable SNMP auditing.
Server NameThe host where the target SNMP server is running.
Server PortThe port used where the SNMP trap receiver is listening.
SNMP VersionThe version of the SNMP protocol to use when sending traps.
Trap OIDThe object ID to use to identify the type of trap to send.
CommunityThe SNMP group to which Security Analytics Malware Analysis belongs.
Number Of RetriesThe number of retries for sending a trap.
TimeoutThe timeout period to wait for acknowledgement.

Incident Management Auditing

The Incident Management Auditing section provides a checkbox to enable the Security Analytics Incident Management function to receive alerts from Malware Analysis. Clicking Enabled enables or disables syslog auditing

File Auditing

This table describes the features in the File Auditing section. Avoid setting the max file size and archive file count too high because it may have an adverse effect on the available disk space on the Security Analytics Malware Analysis appliance.

                       
NameConfig Value
Enable File Auditing

Click to enable or disable file auditing.

Archive File Count

Security Analytics Malware Analysis keeps only as many log files as defined by this setting. When the maximum number is reached, the oldest log files are deleted and cannot be recovered.
The default value is 20. Valid value: Integer between 1 and 50, inclusive.

Max File Size

The maximum file size for a single auditing log before it is archived. The default value is 10485760 bytes.

Syslog Auditing


This table describes the features in the Audit Thresholds section.

                                                   
FeatureDescription
EnabledClick to enable or disable syslog auditing.
Server NameThis is the host where the target syslog process is running.
Server PortThis is the port where the target syslog process is listening.
FacilityThis is the designated syslog facility to use for all outgoing messages. Possible values are KERN, USER, MAIL, DAEMON, AUTH, SYSLOG, LPR, NEWS, UUCP, CRON, AUTHPRIV, and LOCAL1 through LOCAL7.
EncodingThis is the encoding to use for text in syslog messages; for example, UTF-8.
FormatThis is the desired message format. Possible values are: Default, PCI DSS, or SEC.
Max LengthThis is the maximum length in bytes that any syslog message can be. Default is 1024. Messages that exceed the maximum length are truncated.
Include Local TimestampCheck this box to include the local timestamp in messages.
Include Local HostnameCheck this box to include the local hostname.
Identity StringThis is an identity string to be prepended to each syslog alert. If the string is blank, no identity string is prepended to the outgoing syslog alerts. You can use this to identify the source of the alert. Users conventionally set it to the name of the program that will submit the messages to a syslog auditing.
You are here
Table of Contents > Malware Analysis References > Services Config View - Auditing Tab

Attachments

    Outcomes