The following figure depicts the Malware Spectrum process flow and the interactions between all the components that exist in Security Analytics.
The overall workflow for continuous submission is detailed in the below steps:
- NextGen Session Query at specific interval: Malware Analysis collects sessions from the NextGen service that are tagged with a spectrum meta key (spectrum.consume or spectrum.consume11).
Malware Analysis service requests the NextGen Source to pre-cache the sessions. The session contents are pre-cached at the Decoder.
Malware Analysis service queries the pre-cached content from the NextGen service.
If the session content contains files, the Malware Analysis service proceeds with Static, Community, and Sandbox Analysis.
Note: The Sandbox Analysis is performed only if any of the Static, Community, and NextGen score results above the Threshold value (the default is 50).
- If any of the Static, Community, and NextGen score is greater than or equal to the threshold (default is 50), proceed with Sandbox Analysis.
Note: Events will be saved only if at least one score is greater than or equal to 41.