MA: Services Config View - Auditing Tab

Document created by RSA Information Design and Development on Sep 15, 2017. Last modified by RSA Information Design and Development on Apr 11, 2019. Version 10.
This topic introduces the features and functions of the Auditing tab in the Services Config view for Malware Analysis, which is where you configure the auditing feature. Malware Analysis has an automated auditing system capable of sending alerts (syslog, SNMP, audit log file entries) whenever Malware Analysis exceeds the configured score thresholds for each scoring module (Network, Static, Community, Sandbox). Malware Analysis can automatically feed any external system capable of ingesting the supported audit formats. One alert is generated for each file in an analyzed session that meets or exceeds the configured threshold.
The audit log is a log file maintained on the Malware Analysis appliance for every significant event or action. Audit logs are rolled out and archived over time as they become large so an audit history is maintained. The size of these audit logs and their number are both configurable.
Some examples of events that are logged are:

  • User login successes and failures
  • Changes to system configuration settings
  • Server restart
  • Server version upgrade and install
  • Suspicious events that exceed the Audit Thresholds

Malware Analysis can send audit events as an SNMP trap to a configured SNMP trap host, and consolidate logs in syslog format. Refer to the following task topic for detailed procedures: (Optional) Configure Auditing on Malware Analysis Host.

Workflow

What do you want to do?

Role | I Want to... | Show me how
Administrator | Configure General Malware Analysis Settings | Configure General Malware Analysis Settings
Administrator | Configure Indicators of Compromise | Configure Indicators of Compromise
Administrator | Configure Auditing on Malware Analysis Host* | (Optional) Configure Auditing on Malware Analysis Host
Administrator | Configure Hash Filter | (Optional) Configure Hash Filter
Administrator | Configure Installed Antivirus Vendors | Configure Installed Antivirus Vendors
Administrator | Configure Malware Analysis Proxy Settings | (Optional) Configure Malware Analysis Proxy Settings
Administrator | Register a ThreatGRID API Key | (Optional) Register for a ThreatGRID API Key
Administrator | Enable Community Analysis | Enable Community Analysis

*You can perform this task in the current view.

Related Topics

Basic Setup

Quick Look

This is an example of the Auditing tab. The numbered callouts in the screenshot correspond to the following sections:

1. Auditing tab
2. Audit Thresholds section
3. SNMP Auditing section
4. Respond Alerting section
5. File Auditing section
6. Syslog Auditing section

Features

The Auditing tab includes five sections and an Apply button used to save changes made in this tab and put them into effect.

  • Audit Thresholds
  • SNMP Auditing
  • Respond Alerting
  • File Auditing
  • Syslog Auditing

Audit Thresholds

This table describes the features in the Audit Thresholds section.

Name | Config Value
Community, Static, Network, and Sandbox Thresholds | Malware Analysis scoring module thresholds for recording event information in a log file. Malware Analysis records the event information in a log file if the event scored high enough to satisfy all of the auditing thresholds. Each scoring category that completed analysis (for example, not all sessions invoke sandbox analysis) is compared against the configured audit threshold for that category. All completed categories must exceed the threshold in order for an audit event to be triggered. An integer between 0 and 100 is a valid value. Setting these thresholds too low may cause a very large volume of audit events and notifications.
Notify when Installed A/V Misses and Primary A/V Detects | Records a message in a log file when the installed antivirus software misses a virus and the primary antivirus software detects that virus. The recorded message is sent through all enabled auditing methods: SNMP, File, and Syslog. The default value is unchecked.
Notify when Installed A/V Misses and Secondary A/V Detects | Records a message in a log file when the installed antivirus software misses a virus and the secondary antivirus software detects that virus. The recorded message is sent through all enabled auditing methods: SNMP, File, and Syslog. The default value is unchecked.
Notify when Installed A/V Misses and Other A/V Detects | Records a message in a log file when the installed antivirus software misses a virus and another antivirus software detects that virus. The recorded message is sent through all enabled auditing methods: SNMP, File, and Syslog. The default value is unchecked.
Notify when High Confidence IOC triggers | Records a message in a log file when a high confidence IOC (Indicator of Compromise) triggers. The recorded message is sent through all enabled auditing methods: SNMP, File, and Syslog. The default value is unchecked.
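The threshold rule in the table above can be checked against sample scores. This is an added illustration, not RSA NetWitness code: the module names come from the page, while the sample scores, the flat demonstration thresholds, and the "meets or exceeds" (>=) comparison taken from the topic introduction are assumptions.

```python
# Added illustration, not RSA NetWitness code: models the Audit Thresholds
# rule. A module that did not complete analysis (for example, sandbox analysis
# was never invoked for the session) is given as None and is left out of the
# comparison rather than counted as a failure.
from typing import Dict, List, Optional

MODULES = ("Network", "Static", "Community", "Sandbox")


def validate_thresholds(thresholds: Dict[str, int]) -> None:
    """Every module needs an integer threshold between 0 and 100, as the page states."""
    for name in MODULES:
        value = thresholds.get(name)
        if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= 100:
            raise ValueError(f"{name} threshold must be an integer 0..100, got {value!r}")


def audit_event_triggered(scores: Dict[str, Optional[int]],
                          thresholds: Dict[str, int]) -> bool:
    """True when every module that completed analysis meets or exceeds its threshold.

    If no module completed there is nothing to compare, so no event is raised.
    """
    validate_thresholds(thresholds)
    completed = {m: s for m, s in scores.items() if m in MODULES and s is not None}
    if not completed:
        return False
    return all(score >= thresholds[m] for m, score in completed.items())


def alerts_for_session(files: Dict[str, Dict[str, Optional[int]]],
                       thresholds: Dict[str, int]) -> List[str]:
    """One alert per file in the analyzed session that crosses the thresholds."""
    return [name for name, scores in files.items()
            if audit_event_triggered(scores, thresholds)]


# Constructed sample data: a flat threshold of 70 for every module, and a
# session of three files where the sandbox did not run for two of them.
DEMO_THRESHOLDS = {m: 70 for m in MODULES}
DEMO_SESSION = {
    "invoice.pdf": {"Network": 85, "Static": 90, "Community": 72, "Sandbox": 95},
    "setup.exe": {"Network": 80, "Static": 75, "Community": 88, "Sandbox": None},
    "notes.txt": {"Network": 10, "Static": 75, "Community": 90, "Sandbox": None},
}

if __name__ == "__main__":
    print(alerts_for_session(DEMO_SESSION, DEMO_THRESHOLDS))  # ['invoice.pdf', 'setup.exe']
```

Lowering the thresholds in DEMO_THRESHOLDS to 10 makes notes.txt alert as well, which is the "very large volume of audit events" the table warns about.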

SNMP Auditing

The Simple Network Management Protocol (SNMP) is an Internet-standard protocol for managing services on IP networks. When SNMP auditing is enabled, Malware Analysis can send an audit event as an SNMP trap to a configured SNMP trap host.


This table describes the features in the SNMP Auditing section.

Name | Config Value
Enabled | Click to enable or disable SNMP auditing.
Server Name | The host where the target SNMP server is running.
Server Port | The port on which the SNMP trap receiver is listening.
SNMP Version | The version of the SNMP protocol to use when sending traps.
Trap OID | The object ID used to identify the type of trap to send.
Community | The SNMP community to which Malware Analysis belongs.
Number Of Retries | The number of retries for sending a trap.
Timeout | The timeout period to wait for acknowledgment.

Respond Alerting

The Respond Alerting section enables NetWitness Respond to receive alerts from Malware Analysis. Select Enabled to forward alerts to the Respond view.

Figure: Respond Alerting section of the Malware Analysis service configuration.

File Auditing

This table describes the features in the File Auditing section. Avoid setting the max file size and archive file count too high, because the combination determines how much disk space the audit logs can consume on the Malware Analysis appliance.

Name | Config Value
Enable File Auditing | Click to enable or disable file auditing.
Archive File Count | Malware Analysis keeps only as many log files as defined by this setting. When the maximum number is reached, the oldest log files are deleted and cannot be recovered. The default value is 20. Valid value: integer between 1 and 50, inclusive.
Max File Size | The maximum size of a single auditing log before it is archived. The default value is 10485760 bytes.

Syslog Auditing

This table describes the features in the Syslog Auditing section.

Feature | Description
Enabled | Click to enable or disable syslog auditing.
Server Name | The host where the target syslog process is running.
Server Port | The port on which the target syslog process is listening.
Facility | The designated syslog facility to use for all outgoing messages. Possible values are KERN, USER, MAIL, DAEMON, AUTH, SYSLOG, LPR, NEWS, UUCP, CRON, AUTHPRIV, and LOCAL1 through LOCAL7.
Encoding | The encoding to use for text in syslog messages; for example, UTF-8.
Format | The desired message format. Possible values are Default, PCI DSS, or SEC.
Max Length | The maximum length in bytes of any syslog message. The default is 1024. Messages that exceed the maximum length are truncated.
Include Local Timestamp | Check this box to include the local timestamp in messages.
Include Local Hostname | Check this box to include the local hostname in messages.
Identity String | An identity string to be prepended to each syslog alert. If the string is blank, no identity string is prepended to the outgoing syslog alerts. You can use this to identify the source of the alert. Users conventionally set it to the name of the program that submits the messages to syslog.
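The following added example, which is not RSA NetWitness code, shows how the settings in the Syslog Auditing table combine into one outgoing message: facility selects the priority, the identity string is prepended, the local timestamp and hostname are optional, and the encoded result is cut to Max Length bytes without leaving a split multi-byte character. The <PRI>TIMESTAMP HOST TAG: MSG layout (BSD syslog, RFC 3164) and the fixed WARNING severity are assumptions; the page does not state either.

```python
# Added illustration, not RSA NetWitness code. Facility codes are the
# standard RFC 3164 values; the page lists LOCAL1 through LOCAL7 only.
from datetime import datetime
from typing import Optional

FACILITIES = {"KERN": 0, "USER": 1, "MAIL": 2, "DAEMON": 3, "AUTH": 4, "SYSLOG": 5,
              "LPR": 6, "NEWS": 7, "UUCP": 8, "CRON": 9, "AUTHPRIV": 10}
FACILITIES.update({f"LOCAL{n}": 16 + n for n in range(1, 8)})
SEVERITY_WARNING = 4  # assumed severity for audit alerts; not stated on the page


def build_syslog_message(text: str, facility: str = "LOCAL1", identity: str = "",
                         include_timestamp: bool = True, include_hostname: bool = True,
                         max_length: int = 1024, encoding: str = "UTF-8",
                         hostname: str = "malware-analysis",
                         now: Optional[datetime] = None) -> bytes:
    """Encode one audit alert as a syslog payload no longer than max_length bytes."""
    if facility not in FACILITIES:
        raise ValueError(f"unsupported facility: {facility}")
    pri = FACILITIES[facility] * 8 + SEVERITY_WARNING
    header = []
    if include_timestamp:
        header.append((now or datetime.now()).strftime("%b %d %H:%M:%S"))
    if include_hostname:
        header.append(hostname)
    # A blank identity string means nothing is prepended to the alert text.
    body = f"{identity}: {text}" if identity else text
    raw = (f"<{pri}>" + " ".join(header + [body])).encode(encoding)
    if len(raw) <= max_length:
        return raw
    # Truncate on the byte budget, then drop any partial trailing character
    # so the receiver never sees an invalid sequence at the cut point.
    return raw[:max_length].decode(encoding, errors="ignore").encode(encoding)


if __name__ == "__main__":
    # Constructed sample: fixed timestamp so the output is reproducible.
    sample = build_syslog_message("audit event", identity="MalwareAnalysis",
                                  hostname="ma-host", now=datetime(2019, 4, 11, 9, 30))
    print(sample.decode("UTF-8"))  # <140>Apr 11 09:30:00 ma-host MalwareAnalysis: audit event
```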
