NetWitness Community Blog
File Activity Alert Optimization in Multi-EPS Deployment

kulkap8
Thursday

In version 12.1 and earlier, when a file on a host (for example Host 1) was found malicious or suspicious by a YARA scan or an OPSWAT scan, the "YARA alert match" or "OPSWAT alert match" alert was triggered only on that host. If the same file was also present on other hosts (Host 2, Host 3 and Host 4), no "YARA alert match" or "OPSWAT alert match" alert was triggered for those hosts.

Instead, the notifications "Process with matched YARA rule" or "Process with OPSWAT reported suspicious/malicious" were triggered on all of those hosts every time activity from the YARA- or OPSWAT-matched file was detected on any of Host 1, Host 2, Host 3 or Host 4. Because these notifications fired frequently and filled the UI, analysts working across multiple hosts found it difficult to triage other important alerts.

The same notifications were also triggered on newly added hosts such as Host 5 or Host 6 whenever activity from the matched file was detected on any of Host 1 through Host 4.

From version 12.2 onward, these notifications are optimized across hosts. As soon as a file on any host (for example Host 1) is found malicious or suspicious by a YARA or OPSWAT scan, the "YARA alert match" or "OPSWAT alert match" alert is triggered on every host where that file is present (Host 1, Host 2, Host 3 and Host 4). Later activity from the matched file on any of these hosts no longer triggers "Process with matched YARA rule" or "Process with OPSWAT reported suspicious/malicious" on any host. Analysts can therefore triage from a single "YARA alert match" or "OPSWAT alert match" notification per host.

If the malicious file later appears on a new host such as Host 5, the "YARA alert match" or "OPSWAT alert match" alert is triggered on that host as well, as soon as the Endpoint server detects the file there.

To stop "Process with OPSWAT reported suspicious/malicious" notifications from firing on multiple hosts whenever OPSWAT-matched file activity is detected on one host, the following Endpoint App rules are deleted:

  • process with opswat reported infected
  • process with opswat reported suspicious

To stop "Process with matched YARA rule" notifications from firing on multiple hosts whenever YARA-matched file activity is detected on one host, the following Endpoint App rule is deleted:

  • process with matched yara rule
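As an added illustration (not code from this post or from NetWitness), the following Python model replays one constructed event stream through both behaviours described above, so the difference in notification volume per host can be seen directly. The hosts, the file hash and the event stream are constructed; the alert names are the ones named in the post.

```python
from collections import Counter

# Constructed model; hosts, hash and event stream are illustrative only.
# Event = (kind, host, file_hash, scanner): "seen" = file present on host,
# "scan" = YARA/OPSWAT verdict, "activity" = the matched file ran on host.
PROCESS_NOTIFICATION = {
    "YARA": "Process with matched YARA rule",
    "OPSWAT": "Process with OPSWAT reported suspicious/malicious",
}

def alerts_12_1(events):
    # 12.1 and earlier: alert match only on the scanning host; every activity
    # of the flagged file raises a process notification on that host.
    flagged, out = {}, []            # flagged: file_hash -> scanner
    for kind, host, fh, scanner in events:
        if kind == "scan":
            flagged[fh] = scanner
            out.append((host, f"{scanner} alert match"))
        elif kind == "activity" and fh in flagged:
            out.append((host, PROCESS_NOTIFICATION[flagged[fh]]))
    return out

def alerts_12_2(events):
    # 12.2 and later: one alert match per host holding the flagged file, raised
    # at verdict time or when the file appears on a new host; no activity noise.
    present, flagged, out = {}, {}, []   # present: file_hash -> hosts holding it
    for kind, host, fh, scanner in events:
        if kind == "seen":
            present.setdefault(fh, set()).add(host)
            if fh in flagged:                   # new host such as Host 5
                out.append((host, f"{flagged[fh]} alert match"))
        elif kind == "scan":
            flagged[fh] = scanner
            for h in sorted(present.get(fh, {host})):
                out.append((h, f"{scanner} alert match"))
        # "activity" events deliberately produce nothing
    return out

def sample_events(fh="sha256-constructed-placeholder"):
    hosts = ("Host 1", "Host 2", "Host 3", "Host 4")
    ev = [("seen", h, fh, None) for h in hosts]
    ev.append(("scan", "Host 1", fh, "YARA"))
    ev += [("activity", h, fh, None) for _ in range(3) for h in hosts]
    ev.append(("seen", "Host 5", fh, None))          # file reaches a new host
    ev += [("activity", "Host 5", fh, None)] * 2
    return ev

def summary(alerts):
    return Counter(name for _, name in alerts)   # notification name -> count
```

Running `summary(alerts_12_1(sample_events()))` yields one alert match and fourteen process notifications, while `summary(alerts_12_2(sample_events()))` yields exactly five alert matches, one per host, and nothing else.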
Labels:
  • Features
  • Endpoint Features
  • OPSWAT Scan
  • YARA Scan
© 2022 RSA Security LLC or its affiliates. All rights reserved.