Security Analytics Malware Analysis can operate as a service on a Security Analytics Decoder or as a service on a dedicated appliance. This guide includes instructions for setting up the operating environment and then configuring the Security Analytics Malware Analysis service. After this configuration is complete, analysts can conduct malware analyses.
| Step | Task | Description |
| --- | --- | --- |
| 1 | Configure Malware Analysis Operating Environment | If your site is using a dedicated appliance, do one of the following: |
| 2 | Add Malware Analysis Host and Service | Note: To complete this step you must have the Security Analytics License Server set up as described in the Security Analytics Licensing Guide. In Security Analytics, create a Malware Analysis service and activate the license. The default REST port is 60007. Sites using the free version of Security Analytics Malware Analysis must configure the service IP address as localhost or loopback. |
| 3 | Configure General Malware Analysis Settings | Configure the general settings for Security Analytics Malware Analysis. |
| 4 | Configure Indicators of Compromise | Calibrate the Indicators of Compromise applied by each scoring module (Static, Network, Community, Sandbox) and the YARA-based IOCs. |
| 5 | Configure Installed Antivirus Vendors | Configure the antivirus vendors that you have installed. |
| 6 | Enable Community Analysis | Register with the RSA cloud and test the connection to enable Community scoring. |
| 7 | (Optional) Configure Auditing on Malware Analysis Host | Configure auditing thresholds and enable syslog, SNMP, and file auditing. |
| 8 | (Optional) Configure Hash Filter | Configure hash filtering to fine-tune Security Analytics Malware Analysis event analysis based on known-good or known-bad file hashes. |
| 9 | (Optional) Configure Malware Analysis Proxy Settings | Configure Malware Analysis to communicate with the RSA Cloud through a web proxy instead of directly. |
| 10 | (Optional) Register for a ThreatGrid API Key | Register for a ThreatGrid API key. |
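The hash filter in step 8 decides which files are skipped as known good, flagged as known bad, or passed on for full analysis. The following is an added, generic illustration of that decision logic written for this page; it is not Security Analytics' own hash-filter file format, configuration or API. The list format (`<sha256> good|bad`), the sample file contents and the verdict names are constructed assumptions.

```python
"""Illustrative known-good / known-bad hash filter (added example, not product code)."""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes; this is the lookup key for the filter."""
    return hashlib.sha256(data).hexdigest()


def load_filter_list(text: str) -> tuple[set[str], set[str]]:
    """Parse a constructed 'HEXHASH good|bad' list into (good, bad) sets.

    Blank lines and '#' comments are skipped. Hashes are normalized to lowercase
    so that an exported list in uppercase does not silently miss. Malformed
    lines raise instead of being ignored: a typo in a filter list changes which
    files get analyzed, so it must not fail quietly.
    """
    good, bad = set(), set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or len(parts[0]) != 64 or parts[1] not in ("good", "bad"):
            raise ValueError(f"line {lineno}: expected '<sha256> good|bad', got {raw!r}")
        h = parts[0].lower()
        try:
            int(h, 16)
        except ValueError:
            raise ValueError(f"line {lineno}: {parts[0]!r} is not hex") from None
        (good if parts[1] == "good" else bad).add(h)
    return good, bad


def classify(data: bytes, good: set[str], bad: set[str]) -> str:
    """Return 'skip' (known good), 'flag' (known bad) or 'analyze' (unknown).

    Known-bad is checked first: a hash that appears on both lists is treated
    as bad, because a filter conflict must never suppress analysis.
    """
    h = sha256_hex(data)
    if h in bad:
        return "flag"
    if h in good:
        return "skip"
    return "analyze"


# Constructed sample file contents (not real binaries).
SAMPLES = {
    "clean.exe": b"MZ\x90\x00 constructed known-good sample",
    "dropper.exe": b"MZ\x90\x00 constructed known-bad sample",
    "unknown.bin": b"MZ\x90\x00 constructed never-seen-before sample",
}

# Constructed filter list; the good entry is uppercase on purpose to show normalization.
FILTER_LIST = f"""
# hypothetical hash filter list
{sha256_hex(SAMPLES['clean.exe']).upper()} good
{sha256_hex(SAMPLES['dropper.exe'])} bad
"""

GOOD, BAD = load_filter_list(FILTER_LIST)


def triage(samples: dict[str, bytes] = SAMPLES, good: set[str] = GOOD,
           bad: set[str] = BAD) -> dict[str, str]:
    """Map each sample file name to its filter verdict."""
    return {name: classify(data, good, bad) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name}: {verdict}")
```

Only the "analyze" verdict consumes sandbox and scoring capacity, which is the point of the filter; the conflict rule and the strict parser are the two checks worth carrying over to whatever list format the product actually reads.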