MA: Create Custom Alert in CEF Format

Document created by RSA Information Design and Development on Sep 15, 2017. Last modified by RSA Information Design and Development on Sep 19, 2017. Version 2.


This topic provides instructions for creating custom alerts in Common Event Format (CEF) to send to a service that ingests events as CEF. This is an advanced configuration task, which requires sufficient knowledge to manually edit the configuration file: /var/lib/rsamalware/spectrum/conf/malwareCEFDictionaryConfiguration.xml. Before editing the file, you must stop the Malware Analysis service in the operating system. The CEF Alert becomes active when you restart the Malware Analysis service.

The CEF Template

To send events to a service ingesting events as CEF, NetWitness Suite runs them through a configuration file that serves as a CEF template before feeding the events to a correlation technology. You can tune the configuration file, which specifies the sequence and mapping of syslog fields in each alert.

The following example syslog message shows the CEF fields in the extension section of the alert (everything after the last '|' of the header). The sequence in which each field appears can be configured, as described in the Example section below, and a field can be excluded from the alert entirely via a configuration setting.

CEF:0|NetWitness|Spectrum|10.3.0.7995.1.0|Suspicious Event|Detected suspicious network event ID 4 session ID n/a|2|static=100.0 nextgen=25.0 community=100.0 sandbox=25.0 file.name=myFile.exe file.size=1234556 file.md5.hash=DEADBEEFBABECAFEDEADBEEFBABECAFE event.source=spectrum://admin@0:0:0:0:0:0:0:1:64563 event.type=MANUAL_UPLOAD event.id=0 country.dst.code=-- country.dst=Unavailable ip.src=0:0:0:0:0:0:0:1 ip.dst=0:0:0:0:0:0:0:1 event.uuid=f7a6155a-31de-4fa6-ba16-41fb9a8e5f26 ...

Understand a Syslog Auditing File Entry

The description of the file structure is based on the following sample.

Feb 6 10:02:28 10.10.10.125 SpectrumServer125

CEF: 0|NetWitness|Spectrum|1.2.1.130|Suspicious Event|Detected suspicious network event ID 857 session ID 73|2|

static=100.0 network=29.0 community=8.0 sandbox=N/R

file.name=-CVE-00_DOC_2010-05-13_attachment.doc file.size=0 file.md5.hash=20a29259c0e5958afb2f50c4177bb307

com.netwitness.event.internal.id=73 com.netwitness.event.internal.uuid=37d2bad7-06bc-4b34-88e1-df43d9710204 alias.ip=10.25.50.149 client=Wget/1.11.4 Red Hat modified payload=108872 packets=136 country.dst=Private time=Fri Jan 27 10:09:25 EST 2012 threat.source=netwitness tcp.srcport=43580 action=get com.netwitness.event.internal.source=http://QASpectrum2:50104/sdk filetype=rtf alias.host=qa-fc12-149 eth.src=00:25:90:18:76:E2 ip.proto=6 tcp.flags=27 ip.src=10.25.50.61 tcp.dstport=80 threat.category=spectrum eth.dst=00:0C:29:F8:50:2D lifetime=0 alert.id=nw32535 sessionid=73 medium=1 size=117864 content=spectrum.consume11 extension=doc directory=/files/MALWAREMALWARE/OfficeDocs/DOC/ eth.type=2048 ip.dst=10.25.50.149 service=80 filename=-CVE-00_DOC_2010-05-13_attachment.doc server=Apache/2.2.13 (Fedora) streams=2 referer=http://qa-fc12-149/files/MALWAREMALW...fficeDocs/DOC/ risk.info=http client server version mismatch

First Line

Feb 6 10:02:28 10.10.10.125 SpectrumServer125

Log Information     Description
Feb 6 10:02:28      The timestamp for the entry.
10.10.10.125        The source IP address for the event.
SpectrumServer125   The source hostname for the event.

Audit Common Event Format (CEF) Header

0|NetWitness|Spectrum|1.2.1.130|Suspicious Event|Detected suspicious network event ID 857 session ID 73|2|

The audit CEF header is a pipe-separated listing of the following fields:

Log Information   Description
0                 The ArcSight Common Event Format (CEF) version used for the audit syslog.
NetWitness        The service that created the syslog message.
Spectrum          Malware Analysis is the logger for the event.
1.2.1.130         Malware Analysis version.
event ID 857      Unique network event ID for this event.
session ID 73     Core unique session ID for the session that included this event.
2                 Severity: an integer between 1 and 6 that indicates the severity of the message.
  • 1 = INFORMATION_LEVEL
  • 2 = WARNING_LEVEL
  • 3 = ERROR_LEVEL
  • 4 = SUCCESS_LEVEL
  • 5 = FAILURE_LEVEL
  • 6 = AUDIT_FAILURE_LEVEL

Audit CEF Extension

static=100.0 network=29.0 community=8.0 sandbox=N/R

file.name=-CVE-00_DOC_2010-05-13_attachment.doc  file.size=0 file.md5.hash=20a29259c0e5958afb2f50c4177bb307 com.netwitness.event.internal.id=73

com.netwitness.event.internal.uuid=37d2bad7-06bc-4b34-88e1-df43d9710204 alias.ip=10.25.50.149 client=Wget/1.11.4 Red Hat modified payload=108872 packets=136 country.dst=Private time=Fri Jan 27 10:09:25 EST 2012 threat.source=netwitness tcp.srcport=43580 action=get com.netwitness.event.internal.source=http://QASpectrum2:50104/sdk filetype=rtf alias.host=qa-fc12-149 eth.src=00:25:90:18:76:E2 ip.proto=6 tcp.flags=27 ip.src=10.25.50.61 tcp.dstport=80 threat.category=spectrum eth.dst=00:0C:29:F8:50:2D lifetime=0 alert.id=nw32535 sessionid=73 medium=1 size=117864 content=spectrum.consume11 extension=doc directory=/files/MALWAREMALWARE/OfficeDocs/DOC/ eth.type=2048 ip.dst=10.25.50.149 service=80 filename=-CVE-00_DOC_2010-05-13_attachment.doc server=Apache/2.2.13 (Fedora) streams=2 referer=http://qa-fc12-149/files/MALWAREMALW...fficeDocs/DOC/ risk.info=http client server version mismatch

Analysis Scores

The first entry in the audit CEF extension provides the four Malware Analysis scores for the event: Static, Network, Community, and Sandbox.

Log Information   Sample Value
static            100.0
network           29.0
community         8.0
                  A score of 0.0 can be a community score for the event or can indicate that no community services were enabled.
sandbox           N/R
                  N/R means not run. This indicates that the GFI sandbox was not enabled.

File Information

The next three entries provide file information: file name, size, and hash.

Log Information   Sample Value
file.name         -CVE-00_DOC_2010-05-13_attachment.doc
file.size         0
file.md5.hash     20a29259c0e5958afb2f50c4177bb307

Event Meta Data Retrieved by NextGen

The record continues with the Core meta data for the event. Which meta appears in the message depends on the event. The message is truncated to the maximum length in bytes configured in the Syslog Settings; the default value is 1024.

Log Information                      Sample Value
com.netwitness.event.internal.id     73
com.netwitness.event.internal.uuid   37d2bad7-06bc-4b34-88e1-df43d9710204
alias.ip                             10.25.50.149
client                               Wget/1.11.4 Red Hat modified
payload                              108872
packets                              136
country.dst                          Private
time                                 Fri Jan 27 10:09:25 EST 2012
threat.source                        netwitness
tcp.srcport                          43580
action                               get
com.netwitness.event.internal.source http://QASpectrum2:50104/sdk
filetype                             rtf
alias.host                           qa-fc12-149
eth.src                              00:25:90:18:76:E2
ip.proto                             6
tcp.flags                            27
ip.src                               10.25.50.61
tcp.dstport                          80
threat.category                      spectrum
eth.dst                              00:0C:29:F8:50:2D
lifetime                             0
alert.id                             nw32535
sessionid                            73
medium                               1
size                                 117864
content                              spectrum.consume11
extension                            doc
directory                            /files/MALWAREMALWARE/OfficeDocs/DOC/
eth.type                             2048
ip.dst                               10.25.50.149
service                              80
filename                             -CVE-00_DOC_2010-05-13_attachment.doc
server                               Apache/2.2.13 (Fedora)
streams                              2
referer                              http://qa-fc12-149/files/MALWAREMALWARE/OfficeDocs/DOC/
risk.info                            http client server version mismatch
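As an added example (not part of the RSA documentation or the Malware Analysis code), the following Python parser splits a Malware Analysis syslog entry into the three parts described above: the syslog prefix, the pipe-separated CEF header, and the extension. It handles two properties of these alerts that break naive CEF parsers: extension values are not space-escaped (client=Wget/1.11.4 Red Hat modified, risk.info=http client server version mismatch), so each value is delimited by the next key= token rather than by whitespace; and the record may be cut at the Syslog Settings byte limit, so a record that reaches that limit is flagged and its last key reported as suspect. The sample line is constructed for this example, the function names and the max_len parameter are this example's own, and applying the byte limit to the CEF record (rather than the whole syslog line) is an assumption.

```python
import re
from typing import Dict, Optional

# Pipe-separated CEF header fields, in order (CEF:Version comes first).
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

# An extension key is a run of letters, digits, dots or underscores that
# starts at the beginning of the extension or after whitespace and is
# followed by "=". Anchoring on keys rather than splitting on spaces keeps
# values such as "Wget/1.11.4 Red Hat modified" intact.
_KEY_RE = re.compile(r"(?<!\S)([A-Za-z][A-Za-z0-9_.]*)=")
_PIPE_RE = re.compile(r"(?<!\\)\|")   # a pipe that is not escaped as \|

# Constructed sample line in the page's layout (syslog prefix, CEF header,
# extension). Several values contain unescaped spaces, as on the page.
SAMPLE = (
    "Feb 6 10:02:28 10.10.10.125 SpectrumServer125 "
    "CEF:0|NetWitness|Spectrum|1.2.1.130|Suspicious Event|"
    "Detected suspicious network event ID 857 session ID 73|2|"
    "static=100.0 network=29.0 community=8.0 sandbox=N/R "
    "file.name=-CVE-00_DOC_2010-05-13_attachment.doc file.size=0 "
    "file.md5.hash=20a29259c0e5958afb2f50c4177bb307 "
    "client=Wget/1.11.4 Red Hat modified ip.src=10.25.50.61 "
    "ip.dst=10.25.50.149 risk.info=http client server version mismatch"
)


def split_extension(ext: str) -> Dict[str, str]:
    """Split the extension into key/value pairs; a value runs up to the
    start of the next key, so unescaped spaces inside values survive."""
    keys = list(_KEY_RE.finditer(ext))
    pairs: Dict[str, str] = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        pairs[m.group(1)] = ext[m.end():end].strip()
    return pairs


def parse_cef(line: str, max_len: int = 1024) -> Dict[str, object]:
    """Parse one syslog line carrying a Malware Analysis CEF alert."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF record in line")
    record = line[idx:]
    parts = _PIPE_RE.split(record[len("CEF:"):], maxsplit=7)
    if len(parts) < 8:
        raise ValueError("CEF header must have 7 pipe-separated fields")
    header: Dict[str, object] = {
        k: v.strip() for k, v in zip(HEADER_FIELDS, parts[:7])}
    header["severity"] = int(str(header["severity"]))
    extension = split_extension(parts[7])
    # Assumption: the Syslog Settings byte limit (1024 by default) applies
    # to the CEF record. A record that reaches the limit may have lost the
    # tail of its final pair, so flag it instead of trusting that value.
    truncated = len(record.encode("utf-8")) >= max_len
    return {
        "syslog_prefix": line[:idx].strip(),
        "header": header,
        "extension": extension,
        "truncated": truncated,
        "suspect_key": list(extension)[-1] if truncated and extension else None,
    }


def analysis_scores(extension: Dict[str, str]) -> Dict[str, Optional[float]]:
    """Return the Malware Analysis scores as floats; N/R (not run) -> None."""
    scores: Dict[str, Optional[float]] = {}
    for name in ("static", "network", "nextgen", "community", "sandbox"):
        if name in extension:
            value = extension[name]
            scores[name] = None if value.upper() == "N/R" else float(value)
    return scores


if __name__ == "__main__":
    parsed = parse_cef(SAMPLE)
    print(parsed["header"])
    print(analysis_scores(parsed["extension"]))
```

A consumer that needs reliable parsing should treat a record with truncated=True as incomplete rather than alerting on a partial hash or filename; raising the byte limit in the Syslog Settings or disabling unneeded fields in the dictionary (see the configuration section below) avoids the cut in the first place.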

Edit the Configuration File

  1. Stop the Malware Analysis service.
  2. Edit the configuration file as described in the Example.
  3. Start the Malware Analysis service.
    The Malware Analysis service begins processing alerts through the configuration file and sending CEF alerts to designated services.

Example

The configuration file dictates which fields appear in the resulting alert, the label associated with each field, and the order in which the data fields appear. The configuration file is composed of one or more XML MalwareCefExtension blocks, as shown in the example below. The order of these blocks in the configuration file determines the order of the data fields in the CEF alert.

In the example below, the CEF alert would include two data fields, ip.src followed by ip.dst. The customKey sets the label of the data field in the alert. This lets you choose a custom label so that the alert format matches what the alert consumer expects; in other words, the format can be tuned to avoid unwanted changes to an existing alert parser. Lastly, the isDisplay setting determines whether the field is included in the alert output, so you can turn off a data field without physically deleting its MalwareCefExtension block from the configuration.

<config>
  <malwareExtensionList>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>ip.src</customKey>
      <malwareKey>ip.src</malwareKey>
      <isDisplay>true</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>ip.dst</customKey>
      <malwareKey>ip.dst</malwareKey>
      <isDisplay>true</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
  </malwareExtensionList>
</config>

At the end of the configuration file are three additional settings that can be used to further tune the alert format. They are as follows:

Setting              Description
includesUnknownMeta  This true or false setting indicates whether unknown data elements are included in the resulting alert. Any NextGen session meta can be considered for inclusion in a CEF alert. Because additional session meta can be introduced by authoring new NextGen parsers, meta that is not contained in the default configuration may be encountered. Set includesUnknownMeta to true to include the unknown meta in the alert, labeled with the NextGen meta key name. To force a custom key for the unknown meta, edit this file and add a new MalwareCefExtension to the dictionary. To omit unknown meta from the alert, set includesUnknownMeta to false.
displayNulls         This true or false setting indicates whether values that are null are included in the alert. If displayNulls is set to false, null-valued fields are omitted even if the isDisplay property of their MalwareCefExtension is turned on. This allows dynamic formatting of alerts to exclude null fields.
valueIfNull          This setting specifies the string placeholder (n/a by default) used as the value of any null-valued field. If displayNulls is set to true, null-valued fields are included in the alert with their value set to the string specified in valueIfNull.
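To make the interaction of block order, customKey, isDisplay, includesUnknownMeta, displayNulls and valueIfNull concrete, here is an added Python model of the documented behaviour (example code written for this page, not the Malware Analysis implementation). It loads a small constructed dictionary in the file's format, renders the extension for one event's constructed meta, and includes a lint check for malwareKey values mapped by more than one block, which is worth running over a hand-edited file before restarting the service. The class and function names are this example's own, and applying the displayNulls rule to unknown meta is an assumption.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

EXT_TAG = "com.netwitness.malware.core.cef.MalwareCefExtension"

# Constructed dictionary in the page's format (not the shipped default):
# two relabelled fields, one field switched off, and the three settings.
CONFIG_XML = """<config>
  <malwareExtensionList>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>src</customKey>
      <malwareKey>ip.src</malwareKey>
      <isDisplay>true</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>dst</customKey>
      <malwareKey>ip.dst</malwareKey>
      <isDisplay>true</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>file.md5.hash</customKey>
      <malwareKey>file.md5.hash</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
  </malwareExtensionList>
  <includesUnknownMeta>false</includesUnknownMeta>
  <displayNulls>false</displayNulls>
  <valueIfNull>n/a</valueIfNull>
</config>"""

# Constructed meta for one event: ip.dst is null and client is meta that
# no MalwareCefExtension block mentions.
META: Dict[str, Optional[str]] = {
    "ip.src": "10.25.50.61",
    "ip.dst": None,
    "file.md5.hash": "20a29259c0e5958afb2f50c4177bb307",
    "client": "Wget/1.11.4 Red Hat modified",
}


def _flag(node: ET.Element, tag: str) -> bool:
    """Read a true/false child element; missing or empty counts as false."""
    return (node.findtext(tag, "false") or "false").strip().lower() == "true"


class CefDictionary:
    """Model of the documented settings: block order, customKey labels,
    isDisplay, includesUnknownMeta, displayNulls and valueIfNull."""

    def __init__(self, xml_text: str) -> None:
        root = ET.fromstring(xml_text)
        ext_list = root.find("malwareExtensionList")
        self.fields: List[Tuple[str, str, bool]] = []
        for block in (ext_list if ext_list is not None else []):
            if block.tag != EXT_TAG:
                continue
            self.fields.append((
                (block.findtext("customKey") or "").strip(),
                (block.findtext("malwareKey") or "").strip(),
                _flag(block, "isDisplay"),
            ))
        self.includes_unknown_meta = _flag(root, "includesUnknownMeta")
        self.display_nulls = _flag(root, "displayNulls")
        self.value_if_null = (root.findtext("valueIfNull") or "n/a").strip()

    def lint(self) -> List[str]:
        """Report malwareKey values mapped by more than one block."""
        counts: Dict[str, int] = {}
        for _, mkey, _ in self.fields:
            counts[mkey] = counts.get(mkey, 0) + 1
        return [f"malwareKey {k} appears {n} times"
                for k, n in counts.items() if n > 1]

    def render(self, meta: Dict[str, Optional[str]]) -> str:
        """Build the CEF extension string for one event's meta."""
        pairs: List[str] = []
        known = set()
        for custom, mkey, display in self.fields:   # file order = alert order
            known.add(mkey)
            if display:
                self._emit(pairs, custom, meta.get(mkey))
        if self.includes_unknown_meta:
            # Assumption: unknown meta is labelled with its NextGen key name
            # and follows the same null handling as configured fields.
            for key, value in meta.items():
                if key not in known:
                    self._emit(pairs, key, value)
        return " ".join(pairs)

    def _emit(self, pairs: List[str], label: str, value: Optional[str]) -> None:
        if value is None:
            if not self.display_nulls:
                return
            value = self.value_if_null
        pairs.append(f"{label}={value}")


if __name__ == "__main__":
    dictionary = CefDictionary(CONFIG_XML)
    print(dictionary.lint() or "no duplicate malwareKey entries")
    print(dictionary.render(META))
```

With the settings as written, the rendered extension is src=10.25.50.61: file.md5.hash is hidden by isDisplay=false, ip.dst is dropped because displayNulls is false, and client is ignored because includesUnknownMeta is false. Flipping display_nulls adds dst=n/a, and flipping includes_unknown_meta appends client with its NextGen key name, which is the same progression an alert consumer's parser would see after each edit to the file.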

The following represents the default CEF configuration file. The default configuration file includes all default NextGen session meta.

<config>
  <malwareExtensionList>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>static</customKey>
      <malwareKey>static</malwareKey>
      <isDisplay>true</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>nextgen</customKey>
      <malwareKey>nextgen</malwareKey>
      <isDisplay>true</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>community</customKey>
      <malwareKey>community</malwareKey>
      <isDisplay>true</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>sandbox</customKey>
      <malwareKey>sandbox</malwareKey>
      <isDisplay>true</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>file.name</customKey>
      <malwareKey>file.name</malwareKey>
      <isDisplay>true</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>file.size</customKey>
      <malwareKey>file.size</malwareKey>
      <isDisplay>true</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>file.md5.hash</customKey>
      <malwareKey>file.md5.hash</malwareKey>
      <isDisplay>true</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>event.source</customKey>
      <malwareKey>event.source</malwareKey>
      <isDisplay>true</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>event.type</customKey>
      <malwareKey>event.type</malwareKey>
      <isDisplay>true</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>event.id</customKey>
      <malwareKey>event.id</malwareKey>
      <isDisplay>true</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>event.uuid</customKey>
      <malwareKey>event.uuid</malwareKey>
      <isDisplay>true</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>antivirus.primary.detected</customKey>
      <malwareKey>antivirus.primary.detected</malwareKey>
      <isDisplay>true</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>antivirus.secondary.detected</customKey>
      <malwareKey>antivirus.secondary.detected</malwareKey>
      <isDisplay>true</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>antivirus.other.detected</customKey>
      <malwareKey>antivirus.other.detected</malwareKey>
      <isDisplay>true</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>country.dst.code</customKey>
      <malwareKey>country.dst.code</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>city.dst</customKey>
      <malwareKey>city.dst</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>org.dst</customKey>
      <malwareKey>org.dst</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>payload</customKey>
      <malwareKey>payload</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>packets</customKey>
      <malwareKey>packets</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>country.dst</customKey>
      <malwareKey>country.dst</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>time</customKey>
      <malwareKey>time</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>threat.source</customKey>
      <malwareKey>threat.source</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>tcp.srcpport</customKey>
      <malwareKey>tcp.srcpport</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>filetype</customKey>
      <malwareKey>filetype</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>latdec.dst</customKey>
      <malwareKey>latdec.dst</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>eth.src</customKey>
      <malwareKey>eth.src</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>agency.dst</customKey>
      <malwareKey>agency.dst</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>ip.proto</customKey>
      <malwareKey>ip.proto</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>tcp.flags</customKey>
      <malwareKey>tcp.flags</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>ip.src</customKey>
      <malwareKey>ip.src</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>tcp.dstport</customKey>
      <malwareKey>tcp.dstport</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>threat.category</customKey>
      <malwareKey>threat.category</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>eth.dst</customKey>
      <malwareKey>eth.dst</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>lifetime</customKey>
      <malwareKey>lifetime</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>latdec.src</customKey>
      <malwareKey>latdec.src</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>did</customKey>
      <malwareKey>did</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>alert.id</customKey>
      <malwareKey>alert.id</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>country.src</customKey>
      <malwareKey>country.src</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>sessionid</customKey>
      <malwareKey>sessionid</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>longdec.src</customKey>
      <malwareKey>longdec.src</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>medium</customKey>
      <malwareKey>medium</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>size</customKey>
      <malwareKey>size</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>ad.domain.dst</customKey>
      <malwareKey>ad.computer.dst</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>ad.computer.dst</customKey>
      <malwareKey>ad.computer.dst</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>ad.username.src</customKey>
      <malwareKey>ad.username.src</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>rpackets</customKey>
      <malwareKey>rpackets</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>action</customKey>
      <malwareKey>action</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>ad.domain.src</customKey>
      <malwareKey>ad.domain.src</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>eth.src.vendor</customKey>
      <malwareKey>eth.src.vendor</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>rpayload</customKey>
      <malwareKey>rpayload</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>ad.username.dst</customKey>
      <malwareKey>ad.username.dst</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>content</customKey>
      <malwareKey>content</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>extension</customKey>
      <malwareKey>extension</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>eth.dst.vendor</customKey>
      <malwareKey>eth.dst.vendor</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>rid</customKey>
      <malwareKey>rid</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>directory</customKey>
      <malwareKey>directory</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>risk.suspicious</customKey>
      <malwareKey>risk.suspicious</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>eth.type</customKey>
      <malwareKey>eth.type</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>ip.dst</customKey>
      <malwareKey>ip.dst</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>service</customKey>
      <malwareKey>service</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>filename</customKey>
      <malwareKey>filename</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>streams</customKey>
      <malwareKey>streams</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>risk.info</customKey>
      <malwareKey>risk.info</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>dest.tld</customKey>
      <malwareKey>dest.tld</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>alias.host</customKey>
      <malwareKey>alias.host</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>tcp.srcport</customKey>
      <malwareKey>tcp.srcport</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>udp.srcport</customKey>
      <malwareKey>udp.srcport</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>udp.dstport</customKey>
      <malwareKey>udp.dstport</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>domain.dst</customKey>
      <malwareKey>domain.dst</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>feed.name</customKey>
      <malwareKey>feed.name</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>feed.description</customKey>
      <malwareKey>feed.description</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>threat.description</customKey>
      <malwareKey>threat.description</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>referer</customKey>
      <malwareKey>referer</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>client</customKey>
      <malwareKey>client</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>server</customKey>
      <malwareKey>server</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>risk.warning</customKey>
      <malwareKey>risk.warning</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>attachment</customKey>
      <malwareKey>attachment</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>whois.registrar</customKey>
      <malwareKey>whois.registrar</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>whois.registrant</customKey>
      <malwareKey>whois.registrant</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>whois.date.creation</customKey>
      <malwareKey>whois.date.creation</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>whois.server</customKey>
      <malwareKey>whois.server</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
  </malwareExtensionList>
  <includesUnknownMeta>false</includesUnknownMeta>
  <displayNulls>false</displayNulls>
  <valueIfNull>n/a</valueIfNull>
</config>
