Create Custom Alert in CEF Format

This topic describes how to create custom alerts in Common Event Format (CEF) for a service that ingests CEF events. This is an advanced task: it requires manually editing the configuration file /var/netwitness/malware-analytics-server/spectrum/conf/malwareCEFDictionaryConfiguration.xml. Stop the Malware Analysis service in the operating system before editing the file; the CEF alert becomes active when you restart the Malware Analysis service.

The CEF Template

To send events to a service ingesting events as CEF, NetWitness Platform runs them through a configuration file that serves as a CEF template before feeding the events to a correlation technology. You can tune the configuration file, which specifies the sequence and mapping of syslog fields in each alert.

The following example syslog message shows the CEF fields in the extension section of the alert (everything after the last '|' of the header). The configuration file controls the order in which these fields appear and the label each field carries (see the Example section below), and a field can be excluded from the alert entirely with a configuration setting.

CEF:0|NetWitness|Spectrum|10.3.0.7995.1.0|Suspicious Event|Detected suspicious network event ID 4 session ID n/a|2|static=100.0 nextgen=25.0 community=100.0 sandbox=25.0 file.name=myFile.exe file.size=1234556 file.md5.hash=DEADBEEFBABECAFEDEADBEEFBABECAFE event.source=spectrum://admin@0:0:0:0:0:0:0:1:64563 event.type=MANUAL_UPLOAD event.id=0 country.dst.code=-- country.dst=Unavailable ip.src=0:0:0:0:0:0:0:1 ip.dst=0:0:0:0:0:0:0:1 event.uuid=f7a6155a-31de-4fa6-ba16-41fb9a8e5f26 ...

Understand a Syslog Auditing File Entry

The description of the file structure is based on the following sample.

Feb 6 10:02:28 10.10.10.125 SpectrumServer125

CEF:0|NetWitness|Spectrum|1.2.1.130|Suspicious Event|Detected suspicious network event ID 857 session ID 73|2|

static=100.0 network=29.0 community=8.0 sandbox=N/R

file.name=-CVE-00_DOC_2010-05-13_attachment.doc file.size=0 file.md5.hash=20a29259c0e5958afb2f50c4177bb307

com.netwitness.event.internal.id=73 com.netwitness.event.internal.uuid=37d2bad7-06bc-4b34-88e1-df43d9710204 alias.ip=10.25.50.149 client=Wget/1.11.4 Red Hat modified payload=108872 packets=136 country.dst=Private time=Fri Jan 27 10:09:25 EST 2012 threat.source=netwitness tcp.srcport=43580 action=get com.netwitness.event.internal.source=http://QASpectrum2:50104/sdk filetype=rtf alias.host=qa-fc12-149 eth.src=00:25:90:18:76:E2 ip.proto=6 tcp.flags=27 ip.src=10.25.50.61 tcp.dstport=80 threat.category=spectrum eth.dst=00:0C:29:F8:50:2D lifetime=0 alert.id=nw32535 sessionid=73 medium=1 size=117864 content=spectrum.consume11 extension=doc directory=/files/MALWAREMALWARE/OfficeDocs/DOC/ eth.type=2048 ip.dst=10.25.50.149 service=80 filename=-CVE-00_DOC_2010-05-13_attachment.doc server=Apache/2.2.13 (Fedora) streams=2 referer=http://qa-fc12-149/files/MALWAREMALW...fficeDocs/DOC/ risk.info=http client server version mismatch

First Line

Feb 6 10:02:28 10.10.10.125 SpectrumServer125

Log Information Description
Feb 6 10:02:28 The timestamp for the entry.
10.10.10.125 The source IP address for the event.
SpectrumServer125 The source hostname for the event.

Audit Common Event Format (CEF) Header

0|NetWitness|Spectrum|1.2.1.130|Suspicious Event|Detected suspicious network event ID 857 session ID 73|2|

The audit CEF header is a pipe-separated listing of the following fields:

Log Information Description
0 The ArcSight Common Event Format (CEF) version used for the audit syslog.
NetWitness The service that created the syslog message (CEF device vendor field).
Spectrum Malware Analysis is the logger for the event (CEF device product field).
1.2.1.130 Malware Analysis version (CEF device version field).
Suspicious Event The CEF device event class ID (signature ID) field: the class of event that Malware Analysis raised.
event ID 857 Unique network event id for this event (carried in the CEF name field).
session ID 73 Core unique session id for the session that included this event (carried in the CEF name field).
2 Severity: an integer between 1 and 6 that indicates the level of severity for the message.

  • 1 = INFORMATION_LEVEL
  • 2 = WARNING_LEVEL
  • 3 = ERROR_LEVEL
  • 4 = SUCCESS_LEVEL
  • 5 = FAILURE_LEVEL
  • 6 = AUDIT_FAILURE_LEVEL

Audit CEF Extension

static=100.0 network=29.0 community=8.0 sandbox=N/R

file.name=-CVE-00_DOC_2010-05-13_attachment.doc file.size=0 file.md5.hash=20a29259c0e5958afb2f50c4177bb307 com.netwitness.event.internal.id=73

com.netwitness.event.internal.uuid=37d2bad7-06bc-4b34-88e1-df43d9710204 alias.ip=10.25.50.149 client=Wget/1.11.4 Red Hat modified payload=108872 packets=136 country.dst=Private time=Fri Jan 27 10:09:25 EST 2012 threat.source=netwitness tcp.srcport=43580 action=get com.netwitness.event.internal.source=http://QASpectrum2:50104/sdk filetype=rtf alias.host=qa-fc12-149 eth.src=00:25:90:18:76:E2 ip.proto=6 tcp.flags=27 ip.src=10.25.50.61 tcp.dstport=80 threat.category=spectrum eth.dst=00:0C:29:F8:50:2D lifetime=0 alert.id=nw32535 sessionid=73 medium=1 size=117864 content=spectrum.consume11 extension=doc directory=/files/MALWAREMALWARE/OfficeDocs/DOC/ eth.type=2048 ip.dst=10.25.50.149 service=80 filename=-CVE-00_DOC_2010-05-13_attachment.doc server=Apache/2.2.13 (Fedora) streams=2 referer=http://qa-fc12-149/files/MALWAREMALW...fficeDocs/DOC/ risk.info=http client server version mismatch

Analysis Scores

The first entry in the audit CEF extension provides the four Malware Analysis scores for the event: Static, Network, Community, and Sandbox. In this older sample the network score is labeled network; the default configuration file and newer output (see the example at the top of this topic) label it nextgen, so an alert consumer should accept either key.

Log Information Sample Value
static 100.0
network 29.0
community 8.0
sandbox N/R

A community score of 0.0 is ambiguous: it can be the actual community score for the event, or it can mean that no community services were enabled. N/R in the sandbox score means not run and indicates that the GFI sandbox was not enabled.

File Information

The next three entries provide file information: file name, size, and hash.

Log Information Sample Value
file.name -CVE-00_DOC_2010-05-13_attachment.doc
file.size 0
file.md5.hash 20a29259c0e5958afb2f50c4177bb307

Event Meta Data Retrieved by NextGen

The record continues with the Core meta data for the event; which meta appears depends on the event. The message is truncated to the maximum length in bytes configured in the Syslog Settings (1024 by default), so meta near the end of the record can be cut off. Because the configuration file determines the order of the fields, place the fields your alert consumer depends on early in the file.

Log Information Sample Value
com.netwitness.event.internal.id 73
com.netwitness.event.internal.uuid 37d2bad7-06bc-4b34-88e1-df43d9710204
alias.ip 10.25.50.149
client Wget/1.11.4 Red Hat modified
payload 108872
packets 136
country.dst Private
time Fri Jan 27 10:09:25 EST 2012
threat.source netwitness
tcp.srcport 43580
action get
com.netwitness.event.internal.source http://QASpectrum2:50104/sdk
filetype rtf
alias.host qa-fc12-149
eth.src 00:25:90:18:76:E2
ip.proto 6
tcp.flags 27
ip.src 10.25.50.61
tcp.dstport 80
threat.category spectrum
eth.dst 00:0C:29:F8:50:2D
lifetime 0
alert.id nw32535
sessionid 73
medium 1
size 117864
content spectrum.consume11
extension doc
directory /files/MALWAREMALWARE/OfficeDocs/DOC/
eth.type 2048
ip.dst 10.25.50.149
service 80
filename -CVE-00_DOC_2010-05-13_attachment.doc
server Apache/2.2.13 (Fedora)
streams 2
referer http://qa-fc12-149/files/MALWAREMALWARE/OfficeDocs/DOC/
risk.info http client server version mismatch
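The following parser is an added example and not NetWitness code. It reads one entry of the shape described above into its syslog prefix, the seven pipe-separated CEF header fields and the key=value extension; the extension cannot simply be split on whitespace because values such as client, time and risk.info contain spaces, so each value runs until the next "key=" token. The syslog prefix layout and the sample line are taken from the entry above (re-joined onto one line and shortened); the SAMPLE constant, class and function names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Added example (not NetWitness code): parse one Malware Analysis CEF syslog
# entry. The syslog prefix layout "<Mon> <d> <HH:MM:SS> <ip> <host>" is
# assumed from the sample on this page.

SEVERITY_LEVELS = {
    1: "INFORMATION_LEVEL",
    2: "WARNING_LEVEL",
    3: "ERROR_LEVEL",
    4: "SUCCESS_LEVEL",
    5: "FAILURE_LEVEL",
    6: "AUDIT_FAILURE_LEVEL",
}

# The page's sample entry, re-joined onto one line (constructed test input;
# the extension is shortened to the fields that matter for the parser).
SAMPLE = (
    "Feb 6 10:02:28 10.10.10.125 SpectrumServer125 "
    "CEF:0|NetWitness|Spectrum|1.2.1.130|Suspicious Event|"
    "Detected suspicious network event ID 857 session ID 73|2|"
    "static=100.0 network=29.0 community=8.0 sandbox=N/R "
    "file.name=-CVE-00_DOC_2010-05-13_attachment.doc file.size=0 "
    "file.md5.hash=20a29259c0e5958afb2f50c4177bb307 "
    "client=Wget/1.11.4 Red Hat modified payload=108872 "
    "time=Fri Jan 27 10:09:25 EST 2012 ip.src=10.25.50.61 ip.dst=10.25.50.149 "
    "server=Apache/2.2.13 (Fedora) risk.info=http client server version mismatch"
)

_PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<ip>\S+) (?P<host>\S+) "
    r"CEF:\s?(?P<cef>.*)$",
    re.S,
)
# A key is a run of word characters and dots immediately followed by '='.
# Values may contain spaces, so a value ends where the next ' key=' begins.
_PAIR = re.compile(r"(?P<key>[\w.]+)=(?P<val>.*?)(?=\s[\w.]+=|$)", re.S)
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")


def _unescape(text):
    # CEF escapes '\', '|' (header) and '=' (extension) with a backslash.
    return re.sub(r"\\(.)", r"\1", text)


@dataclass
class CefAlert:
    timestamp: str
    source_ip: str
    source_host: str
    cef_version: str
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: int
    extension: dict = field(default_factory=dict)

    @property
    def severity_label(self):
        return SEVERITY_LEVELS.get(self.severity, f"UNKNOWN({self.severity})")

    def event_and_session_ids(self):
        # The name field carries "event ID <n> session ID <n or n/a>".
        m = re.search(r"event ID (\S+) session ID (\S+)", self.name)
        return (m.group(1), m.group(2)) if m else (None, None)

    def scores(self):
        # The four analysis scores; "N/R" (not run) becomes None, not 0.0.
        # Older output labels the network score "network", the default
        # dictionary labels it "nextgen"; both are accepted here.
        out = {}
        for key in ("static", "network", "nextgen", "community", "sandbox"):
            if key in self.extension:
                raw = self.extension[key]
                out[key] = None if raw == "N/R" else float(raw)
        return out


def parse_extension(ext):
    return {m.group("key"): _unescape(m.group("val")) for m in _PAIR.finditer(ext)}


def parse_cef(line):
    m = _PREFIX.match(line.strip())
    if not m:
        raise ValueError("not a Malware Analysis CEF syslog entry")
    fields = _UNESCAPED_PIPE.split(m.group("cef"), maxsplit=7)
    if len(fields) != 8:
        raise ValueError("CEF header must have seven pipe-separated fields")
    version, vendor, product, dev_version, sig_id, name, severity, ext = fields
    return CefAlert(
        timestamp=m.group("ts"),
        source_ip=m.group("ip"),
        source_host=m.group("host"),
        cef_version=_unescape(version),
        vendor=_unescape(vendor),
        product=_unescape(product),
        device_version=_unescape(dev_version),
        signature_id=_unescape(sig_id),
        name=_unescape(name),
        severity=int(severity),
        extension=parse_extension(ext),
    )


if __name__ == "__main__":
    alert = parse_cef(SAMPLE)
    print(alert.severity_label, alert.event_and_session_ids(), alert.scores())
    print(alert.extension["client"], "|", alert.extension["risk.info"])
```

Because the syslog length limit cuts the message at a byte count, the last key=value pair of a long entry may be incomplete; a consumer that depends on a field should not assume the final pair is whole.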

Edit the Configuration File

  1. Stop the Malware Analysis service.
  2. Edit the configuration file as described in the Example.
  3. Start the Malware Analysis service.

    The Malware Analysis service begins processing alerts through the configuration file and sending CEF alerts to designated services.

Example

The configuration file dictates which fields appear in the resulting alert, the label each field carries, and the order in which the fields appear. It is composed of one or more XML MalwareCefExtension blocks, as in the example below, and the order of the blocks in the file determines the order of the data fields in the CEF alert.

In the example below, the CEF alert includes two data fields, ip.src followed by ip.dst. customKey sets the label of the data field in the alert, so you can choose a label that matches what the alert consumer expects and avoid unwanted changes to an existing alert parser. malwareKey names the Malware Analysis or Core meta key whose value is emitted under that label. isDisplay determines whether the field is included in the alert output, which lets you turn a field off without deleting its MalwareCefExtension block from the configuration.

<config>
  <malwareExtensionList>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>ip.src</customKey>
      <malwareKey>ip.src</malwareKey>
      <isDisplay>true</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>ip.dst</customKey>
      <malwareKey>ip.dst</malwareKey>
      <isDisplay>true</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
  </malwareExtensionList>
</config>

At the end of the configuration file are three additional settings that can be used to further tune the alert format. They are as follows:

Setting Description

includesUnknownMeta

This true or false setting indicates whether data elements that have no MalwareCefExtension block are included in the resulting alert. Any NextGen session meta can be considered for inclusion in a CEF alert, and because authoring new NextGen parsers introduces new session meta, the alert can encounter meta that the default configuration does not list. Set includesUnknownMeta to true to include such meta in the alert, labeled with its NextGen meta key name; to give unknown meta a custom label instead, add a MalwareCefExtension block for it to the dictionary. Set includesUnknownMeta to false to omit unknown meta from the alert.

displayNulls

This true or false setting indicates whether fields whose value is null are included in the alert. If displayNulls is false, null-valued fields are omitted even when their MalwareCefExtension block has isDisplay set to true, so the alert shrinks dynamically to the fields that carry data.

valueIfNull

This string setting specifies the placeholder (n/a by default) used as the value of any null-valued field. It takes effect only when displayNulls is true: null-valued fields are then included in the alert with their value set to valueIfNull.
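The following script is an added example, not NetWitness code, and covers both the MalwareCefExtension blocks described in the Example and the three trailing settings. It loads a dictionary of this shape, checks it before the service is restarted (well-formed XML, a missing or duplicated isDisplay element, duplicate customKey labels, and a malwareKey that matches no meta key the Core produced), and renders the extension for an event following the block order, customKey, isDisplay, includesUnknownMeta, displayNulls and valueIfNull rules as this page describes them. The rendering rules are this example's reading of the page rather than the product's source, escaping follows the CEF specification, the sample dictionary and event meta are constructed, and the assumption that the Syslog Settings length limit applies to the whole message is the example's own.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Added example (not NetWitness code): lint a malwareCEFDictionaryConfiguration
# file and render the CEF extension it describes for one event.

EXT_TAG = "com.netwitness.malware.core.cef.MalwareCefExtension"


def extension_block(custom_key, malware_key, is_display):
    # One MalwareCefExtension block in the dictionary's own layout.
    return (f"<{EXT_TAG}><customKey>{custom_key}</customKey>"
            f"<malwareKey>{malware_key}</malwareKey>"
            f"<isDisplay>{is_display}</isDisplay></{EXT_TAG}>")


# Constructed sample dictionary: a relabeled field (destport), a field turned
# off with isDisplay, a null-valued field, and a block whose malwareKey is
# misspelled (tcp.srcpport, as in the default listing on this page).
SAMPLE_CONFIG = (
    "<config><malwareExtensionList>"
    + extension_block("ip.src", "ip.src", "true")
    + extension_block("ip.dst", "ip.dst", "true")
    + extension_block("destport", "tcp.dstport", "true")
    + extension_block("client", "client", "false")
    + extension_block("alias.host", "alias.host", "true")
    + extension_block("tcp.srcport", "tcp.srcpport", "true")
    + "</malwareExtensionList>"
    "<includesUnknownMeta>false</includesUnknownMeta>"
    "<displayNulls>true</displayNulls>"
    "<valueIfNull>n/a</valueIfNull></config>"
)

# Constructed event meta, a subset of the page's sample; alias.host is null.
SAMPLE_EVENT = {
    "ip.src": "10.25.50.61", "ip.dst": "10.25.50.149", "tcp.srcport": "43580",
    "tcp.dstport": "80", "client": "Wget/1.11.4 Red Hat modified",
    "sessionid": "73", "alias.host": None,
}


def _flag(text):
    return (text or "").strip().lower() == "true"


def is_well_formed(xml_text):
    # The check to run before restarting the service: a malformed file fails here.
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def load_config(xml_text):
    root = ET.fromstring(xml_text)  # raises ET.ParseError on malformed XML
    entries = [
        {
            "customKey": (ext.findtext("customKey") or "").strip(),
            "malwareKey": (ext.findtext("malwareKey") or "").strip(),
            "isDisplay": _flag(ext.findtext("isDisplay")),
            "isDisplayCount": len(ext.findall("isDisplay")),
        }
        for ext in root.iter(EXT_TAG)
    ]
    return {
        "entries": entries,
        "includesUnknownMeta": _flag(root.findtext("includesUnknownMeta")),
        "displayNulls": _flag(root.findtext("displayNulls")),
        "valueIfNull": root.findtext("valueIfNull") or "n/a",
    }


def lint_config(cfg, known_meta=None):
    # known_meta: meta keys the Core actually produces (for example the keys
    # of a real event); blocks whose malwareKey is absent can never populate.
    problems = []
    for i, e in enumerate(cfg["entries"]):
        if not e["customKey"] or not e["malwareKey"]:
            problems.append(f"block {i}: missing customKey or malwareKey")
        if e["isDisplayCount"] != 1:
            problems.append(f"block {i}: {e['isDisplayCount']} isDisplay elements")
        if known_meta is not None and e["malwareKey"] not in known_meta:
            problems.append(f"block {i}: malwareKey {e['malwareKey']!r} matches no known meta")
    for key, n in Counter(e["customKey"] for e in cfg["entries"]).items():
        if n > 1:
            problems.append(f"customKey {key!r} appears {n} times")
    return problems


def render_extension(cfg, event):
    parts = []

    def emit(label, value):
        if value is None:
            if not cfg["displayNulls"]:
                return
            value = cfg["valueIfNull"]
        # CEF extension values escape backslash and '='.
        parts.append(f"{label}=" + str(value).replace("\\", "\\\\").replace("=", "\\="))

    # Blocks are emitted in file order. A block with isDisplay false still
    # claims its meta key, so that key is not treated as unknown below.
    for e in cfg["entries"]:
        if e["isDisplay"]:
            emit(e["customKey"], event.get(e["malwareKey"]))
    if cfg["includesUnknownMeta"]:
        mapped = {e["malwareKey"] for e in cfg["entries"]}
        for key, value in event.items():
            if key not in mapped:
                emit(key, value)
    return " ".join(parts)


def build_message(cfg, event, device_version="1.2.1.130", event_id="857",
                  session_id="73", severity=2, max_bytes=1024):
    # Header in the layout of the page's sample; max_bytes models the Syslog
    # Settings limit (assumed here to apply to the whole message).
    name = f"Detected suspicious network event ID {event_id} session ID {session_id}"
    fields = ["NetWitness", "Spectrum", device_version, "Suspicious Event", name]
    header = "CEF:0|" + "|".join(f.replace("\\", "\\\\").replace("|", "\\|") for f in fields)
    msg = f"{header}|{severity}|{render_extension(cfg, event)}"
    return msg.encode("utf-8")[:max_bytes].decode("utf-8", "ignore")


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    for problem in lint_config(cfg, known_meta=set(SAMPLE_EVENT)):
        print("LINT:", problem)
    print(build_message(cfg, SAMPLE_EVENT))
```

Run against the sample, the lint reports the misspelled tcp.srcpport block, and the rendered extension shows why that matters: the block is emitted as tcp.srcport=n/a (displayNulls is true) even though the event carries tcp.srcport=43580, and with includesUnknownMeta set to true the real value is appended again under the raw meta key, so the consumer sees the same label twice. Lint the file before step 3 of the procedure rather than after the service has started sending alerts.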

The following represents the default CEF configuration file. The default configuration file includes all default NextGen session meta.

<config>
  <malwareExtensionList>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>static</customKey>
      <malwareKey>static</malwareKey>
      <isDisplay>true</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>nextgen</customKey>
      <malwareKey>nextgen</malwareKey>
      <isDisplay>true</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>community</customKey>
      <malwareKey>community</malwareKey>
      <isDisplay>true</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>sandbox</customKey>
      <malwareKey>sandbox</malwareKey>
      <isDisplay>true</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>file.name</customKey>
      <malwareKey>file.name</malwareKey>
      <isDisplay>true</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>file.size</customKey>
      <malwareKey>file.size</malwareKey>
      <isDisplay>true</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>file.md5.hash</customKey>
      <malwareKey>file.md5.hash</malwareKey>
      <isDisplay>true</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>event.source</customKey>
      <malwareKey>event.source</malwareKey>
      <isDisplay>true</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>event.type</customKey>
      <malwareKey>event.type</malwareKey>
      <isDisplay>true</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>event.id</customKey>
      <malwareKey>event.id</malwareKey>
      <isDisplay>true</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>event.uuid</customKey>
      <malwareKey>event.uuid</malwareKey>
      <isDisplay>true</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>antivirus.primary.detected</customKey>
      <malwareKey>antivirus.primary.detected</malwareKey>
      <isDisplay>true</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>antivirus.secondary.detected</customKey>
      <malwareKey>antivirus.secondary.detected</malwareKey>
      <isDisplay>true</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>antivirus.other.detected</customKey>
      <malwareKey>antivirus.other.detected</malwareKey>
      <isDisplay>true</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>country.dst.code</customKey>
      <malwareKey>country.dst.code</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>city.dst</customKey>
      <malwareKey>city.dst</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>org.dst</customKey>
      <malwareKey>org.dst</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>payload</customKey>
      <malwareKey>payload</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>packets</customKey>
      <malwareKey>packets</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>country.dst</customKey>
      <malwareKey>country.dst</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>time</customKey>
      <malwareKey>time</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>threat.source</customKey>
      <malwareKey>threat.source</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>tcp.srcpport</customKey>
      <malwareKey>tcp.srcpport</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>filetype</customKey>
      <malwareKey>filetype</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>latdec.dst</customKey>
      <malwareKey>latdec.dst</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>eth.src</customKey>
      <malwareKey>eth.src</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>agency.dst</customKey>
      <malwareKey>agency.dst</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>ip.proto</customKey>
      <malwareKey>ip.proto</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>tcp.flags</customKey>
      <malwareKey>tcp.flags</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>ip.src</customKey>
      <malwareKey>ip.src</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>tcp.dstport</customKey>
      <malwareKey>tcp.dstport</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>threat.category</customKey>
      <malwareKey>threat.category</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>eth.dst</customKey>
      <malwareKey>eth.dst</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>lifetime</customKey>
      <malwareKey>lifetime</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>latdec.src</customKey>
      <malwareKey>latdec.src</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>did</customKey>
      <malwareKey>did</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>alert.id</customKey>
      <malwareKey>alert.id</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>country.src</customKey>
      <malwareKey>country.src</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>sessionid</customKey>
      <malwareKey>sessionid</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>longdec.src</customKey>
      <malwareKey>longdec.src</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>medium</customKey>
      <malwareKey>medium</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>size</customKey>
      <malwareKey>size</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>ad.domain.dst</customKey>
      <malwareKey>ad.domain.dst</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>ad.computer.dst</customKey>
      <malwareKey>ad.computer.dst</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>ad.username.src</customKey>
      <malwareKey>ad.username.src</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>rpackets</customKey>
      <malwareKey>rpackets</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>action</customKey>
      <malwareKey>action</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>ad.domain.src</customKey>
      <malwareKey>ad.domain.src</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>eth.src.vendor</customKey>
      <malwareKey>eth.src.vendor</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>rpayload</customKey>
      <malwareKey>rpayload</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>ad.username.dst</customKey>
      <malwareKey>ad.username.dst</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>content</customKey>
      <malwareKey>content</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>extension</customKey>
      <malwareKey>extension</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>eth.dst.vendor</customKey>
      <malwareKey>eth.dst.vendor</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>rid</customKey>
      <malwareKey>rid</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>directory</customKey>
      <malwareKey>directory</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>risk.suspicious</customKey>
      <malwareKey>risk.suspicious</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>eth.type</customKey>
      <malwareKey>eth.type</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>ip.dst</customKey>
      <malwareKey>ip.dst</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>service</customKey>
      <malwareKey>service</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>filename</customKey>
      <malwareKey>filename</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>streams</customKey>
      <malwareKey>streams</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>risk.info</customKey>
      <malwareKey>risk.info</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>dest.tld</customKey>
      <malwareKey>dest.tld</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>alias.host</customKey>
      <malwareKey>alias.host</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>tcp.srcport</customKey>
      <malwareKey>tcp.srcport</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>udp.srcport</customKey>
      <malwareKey>udp.srcport</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>udp.dstport</customKey>
      <malwareKey>udp.dstport</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>domain.dst</customKey>
      <malwareKey>domain.dst</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>feed.name</customKey>
      <malwareKey>feed.name</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>feed.description</customKey>
      <malwareKey>feed.description</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>threat.description</customKey>
      <malwareKey>threat.description</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>referer</customKey>
      <malwareKey>referer</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>client</customKey>
      <malwareKey>client</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>server</customKey>
      <malwareKey>server</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>risk.warning</customKey>
      <malwareKey>risk.warning</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>attachment</customKey>
      <malwareKey>attachment</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>whois.registrar</customKey>
      <malwareKey>whois.registrar</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>whois.registrant</customKey>
      <malwareKey>whois.registrant</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>whois.date.creation</customKey>
      <malwareKey>whois.date.creation</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
    <com.netwitness.malware.core.cef.MalwareCefExtension>
      <customKey>whois.server</customKey>
      <malwareKey>whois.server</malwareKey>
      <isDisplay>false</isDisplay>
    </com.netwitness.malware.core.cef.MalwareCefExtension>
  </malwareExtensionList>
  <includesUnknownMeta>false</includesUnknownMeta>
  <displayNulls>false</displayNulls>
  <valueIfNull>n/a</valueIfNull>
</config>