AnsweredAssumed Answered

MAS question.

Question asked by James Creel on Mar 28, 2018
Latest reply on Mar 29, 2018 by John Snider

Like • Show 0 Likes0
Comment • 5

I have a question from an internal customer:

would like to get RSA engaged and find out how to further tune false positives from the spectrum/malware analysis appliance. For instance if we saw a mcafee dat file fire that was a false positive, we would like to tune this filename/hash /various other characteristics from preventing the tool to fire in the future. If we can get this to tune as requested, would like to ingest syslog into the SIEM and look at potential alerts .

The customer already has RSA Security Analytics User Documentation. Is there any other resource he can access to help answer his questions?

No one else has this question

Outcomes

5 Replies

Eric Partington Mar 29, 2018 1:00 PM
Mark Correct
Correct Answer
Malware - Spectrum - What's involved...
File exclude from Malware analysis?
I would take a look at these items to see where you have the opportunity to filter out files from the malware pipeline.

most likely you will add an app rule to mark that file type/extension or other combination with a value of spectrum.filter into the content metakey to remove that flow from being sent to the MA appliance.
Like • Show 0 Likes0
Actions
- Joe Gumke @ Eric Partington on Mar 29, 2018 1:26 PM
  Mark Correct
  Correct Answer
  thanks eric. how do we tune this within the spectrum appliance? We shouldn't have to go into and modify tags outside of the appliance just to tune this.
  
  For instance we want to tune out / in filenames/hashes/extensions from iocs that fire here
  Like • Show 0 Likes0
  Actions
  - Eric Partington @ Joe Gumke on Mar 29, 2018 1:41 PM
    Mark Correct
    Correct Answer
    select * where content='spectrum.consume' || content='spectrum.consume11'
    
    that is the filter command from spectrum, you could try to adjust that but its not scaleable to try to update that for specific filters.
    Using a feed or app rule to filter in or out items from the MA pipeline is the best way to do it as far as I know.
    
    In the MA > Config > Hash tab you can search for an MD5 in there and add it to trusted (edit the entry and save it). That way you can trust certain hashes that have come in already.
    Like • Show 0 Likes0
    Actions
    - John Snider @ Eric Partington on Mar 29, 2018 2:57 PM
      Mark Correct
      Correct Answer
      Actually, spectrum parser now only tags sessions with appropriate files as “spectrum.analysis” then the Application Rule applies the filtering:
      
      spectrum.consume content=’spectrum.analysis’ && content != ‘spectrum.filter’
      
      As I noted before, adding && direction=’outbound’ will drastically cut down on the number of sessions even sent to MA, cutting out Lateral (internal-internal) and inbound (external-internal) sessions.
      
      so to filter sessions PRIOR to MA even getting them, use either an app rule, feed, or custom parser to tag those sessions with ‘spectrum.filter’ in the “content” metakey.
      
      This is far more effective than filtering them by hash in the appliance itself.
      
      A Long time ago, I helped create filtering for your deployment Joe, if you are still at the same company. I cut it down from 60000 sessions per hour to 600 sessions per hour being consumed, but I fear all that filtering was lost some time in the past.
      
      John E. Snider | Senior Consultant, SME, Professional Services | GCIH, GCFA | RSA
      m: +1 (281) 813-7147 |e: john.snider@rsa.com<mailto:john.snider@rsa.com> | www.rsa.com<http://www.rsa.com/> | Time Zone: America/Central Time (CST6DST)
      
      <http://www.rsa.com/>
      <https://community.rsa.com/welcome>
      Attachments
      image002.png4.6 KB
      image001.png2.7 KB
      Like • Show 0 Likes0
      Actions
John Snider Mar 29, 2018 1:38 PM
Mark Correct
Correct Answer
Several things to do to filter down the traffic to Malware Appliance:
1. Limit to "outbound" only sessions, make sure you have the traffic_flow parser deployed and the traffic_flow_options configured for your networks ranges, so directionality meta is correct. Then add (direction=outbound) to the spectrum.consume application rule
2. use feeds to tag items to filter (filenames/extensions/domains...) have the tag be "spectrum.filter" to the "content" metakey.
3. If the item can't be tagged with a feed properly, create a lua parser to generate the "spectrum.filter" meta in "content" for the action.
4. In MA itself, you can right click a hash for a file and "blacklist" or "whitelist"
  Blacklist means trigger alert immediately if seen.
  Whitelist means ignore this hash
Like • Show 0 Likes0
Actions

MAS question.

Outcomes

Attachments

Related Content

Recommended Content