Services Config View - Auditing Tab

This topic introduces the features and functions of the Auditing tab in the Services Config view for Malware Analysis. The Auditing tab in the Services Config view for Malware Analysis provides a way to configure the auditing feature. Malware Analysis has an automated auditing system capable of sending alerts (syslog, snmp, audit log file entries) as Malware Analysis exceeds configured score value thresholds for each scoring module (Network, Static, Community, Sandbox). Malware Analysis can automatically feed any external system capable of ingesting the supported audit formats. One alert is generated for each file in an analyzed session that meets or exceeds the configure threshold.
The audit log is a log file maintained on the Malware Analysis appliance for every significant event or action. Audit logs are rolled out and archived over time as they become large so an audit history is maintained. The size of these audit logs and their number are both configurable.
Some examples of events that are logged are:

  • User login successes and failures
  • Changes to system configuration settings
  • Server restart
  • Server version upgrade and install
  • Suspicious events that exceed the Audit Thresholds

Malware Analysis can send audit events as an SNMP trap to a configured SNMP trap host, and consolidate logs in syslog format. Refer to the following task topic for detailed procedures: (Optional) Configure Auditing on Malware Analysis Host.

Workflow

netwitness_113_malware_configworkflow_step1.png

What do you want to do?

Role I Want to... Show me how
Administrator Configure General Malware Analysis Settings Configure General Malware Analysis Settings
Administrator Configure Indicators of Compromise Configure Indicators of Compromise

Administrator

Configure Auditing on Malware Analysis Host*

(Optional) Configure Auditing on Malware Analysis Host

Administrator Configure Hash Filter (Optional) Configure Hash Filter

Administrator

Configure Installed Anti virus Vendor

Configure Installed Antivirus Vendors

Administrator Configure Malware Analysis Proxy Settings (Optional) Configure Malware Analysis Proxy Settings

Administrator

Register a TreadGRID API Key

(Optional) Register for a ThreatGRID API Key

Administrator Enable Community Analysis Enable Community Analysis

*You can perform this task in the current view

Related Topics

Basic Setup

Quick Look

This is an example of the Auditing tab.

netwitness_audittab.png

1

Displays the Auditing Tab.

2

Displays the Audit Thresholds section.

3

Displays the SNMP Auditing section.

4

Displays the Respond Alerting section.

5

Displays the File Auditing section.

6

Displays the Syslog Auditing section.

Features

The Auditing tab includes five sections and an Apply button used to save changes made in this tab and put them into effect.

  • Auditing Thresholds
  • SNMP Auditing
  • Respond Alerting
  • File Auditing
  • Syslog Auditing

Audit Thresholds

netwitness_maauditthresholds.png

This table describes the features in the Audit Thresholds section.

Name Config Value
Community, Static, Network, and Sandbox Thresholds

Malware Analysis scoring module thresholds for recording event information in a log file. Malware Analysis records the event information in a log file if the event scored high enough to satisfy all of the auditing thresholds. Each scoring category that completed analysis (for example, not all sessions invoke sandbox analysis) is compared against the configured audit threshold for that category. Any one of the category must exceed the threshold in order for an audit event to be triggered.

An integer between 0 and 100 is a valid value. Setting these thresholds too low may cause a very large volume of audit events and notifications.

Notify when Installed A/V Misses and Primary A/V Detects

Records a message in a log file when installed antivirus software misses a virus and the primary antivirus software detects that virus. The recorded message is sent through all enabled auditing methods: SNMP, File, and Syslog.
The default value is unchecked.

Notify when Installed A/V Misses and Secondary A/V Detects

Records a message in a log file when installed antivirus software misses a virus and the secondary antivirus software detects that virus. The recorded message is sent through all enabled auditing methods: SNMP, File, and Syslog.
The default value is unchecked.

Notify when Installed A/V Misses and Other A/V Detects

Records a message in a log file when installed antivirus software misses a virus and the other antivirus software detects that virus. The recorded message is sent through all enabled auditing methods: SNMP, File, and Syslog.

The default value is unchecked.

Notify when High Confidence IOC triggers

Records a message in a log file when a high confidence IOC (Indicators of Compromise) triggers. The recorded message is sent through all enabled auditing methods: SNMP, File, and Syslog.

The default value is unchecked.

SNMP Auditing

The Simple Network Management Protocol (SNMP) is an Internet-standard protocol for managing services on IP networks. When SNMP auditing is enabled, Malware Analysis can send an audit event as an SNMP trap to a configured SNMP trap host.

netwitness_masnmpauditing.png

This table describes the features in the SNMP Auditing section.

Name Config Value
Enabled Click to enable or disable SNMP auditing.
Server Name The host where the target SNMP server is running.
Server Port The port used where the SNMP trap receiver is listening.
SNMP Version The version of the SNMP protocol to use when sending traps.
Trap OID The object ID to use to identify the type of trap to send.
Community The SNMP group to which Malware Analysis belongs.
Number Of Retries The number of retries for sending a trap.
Timeout The timeout period to wait for acknowledgment.

Respond Alerting

The Respond Alerting section enables NetWitness Respond to receive alerts from Malware Analysis. Select Enabled to forward alerts to the Respond view.

Respond Alerting section of the Malware Analysis service Configuration

File Auditing

netwitness_maaudittabfile.png

This table describes the features in the File Auditing section. Avoid setting the max file size and archive file count too high because it may have an adverse effect on the available disk space on the Malware Analysis appliance.

Name Config Value
Enable File Auditing

Click to enable or disable file auditing.

Archive File Count

Malware Analysis keeps only as many log files as defined by this setting. When the maximum number is reached, the oldest log files are deleted and cannot be recovered.
The default value is 20. Valid value: Integer between 1 and 50, inclusive.

Max File Size

The maximum file size for a single auditing log before it is archived. The default value is 10485760 bytes.

Syslog Auditing

netwitness_maauditingtabsyslog.png

This table describes the features in the Audit Thresholds section.

Feature Description
Enabled Click to enable or disable syslog auditing.
Server Name This is the host where the target syslog process is running.
Server Port This is the port where the target syslog process is listening.
Facility This is the designated syslog facility to use for all outgoing messages. Possible values are KERN, USER, MAIL, DAEMON, AUTH, SYSLOG, LPR, NEWS, UUCP, CRON, AUTHPRIV, and LOCAL1 through LOCAL7.
Encoding This is the encoding to use for text in syslog messages; for example, UTF-8.
Format This is the desired message format. Possible values are: Default, PCI DSS, or SEC.
Max Length This is the maximum length in bytes that any syslog message can be. Default is 1024. Messages that exceed the maximum length are truncated.
Include Local Timestamp Check this box to include the local timestamp in messages.
Include Local Hostname Check this box to include the local hostname.
Identity String This is an identity string to be prepended to each syslog alert. If the string is blank, no identity string is prepended to the outgoing syslog alerts. You can use this to identify the source of the alert. Users conventionally set it to the name of the program that will submit the messages to a syslog auditing.