This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

File Activity Alert Optimization in Multi-EPS Deployment

kulkap8
Occasional Contributor Occasional Contributor
Occasional Contributor
‎2023-03-16 06:37 AM

In 12.1 and older versions, if a file present on a host such as Host 1 was found malicious or suspicious after performing a YARA scan or an OPSWAT scan, an alert was triggered with YARA alert match or OPSWAT alert match respectively only in that particular host. If the same file is present on multiple hosts such as Host 2, Host 3, and Host 4, the YARA alert match or OPSWAT alert match notifications were not triggered in these hosts.

 

Instead, the notifications Process with matched YARA rule or Process with OPSWAT reported suspicious/malicious were triggered respectively on multiple hosts every time when the YARA or OPSWAT matched file activities were detected on any Hosts such as Host1, Host2, Host 3, and Host 4. As a result, it was difficult for analysts working on multiple hosts to triage other important alerts as the notifications Process with matched YARA rule or Process with OPSWAT reported suspicious/malicious were frequently triggered and displayed in the UI whenever some YARA or OPSWAT matched file activities were detected on any Hosts such as Host1, Host2, Host 3, and Host 4.

 

The notifications Process with matched YARA rule or Process with OPSWAT reported suspicious/malicious were triggered even on the new Hosts such as Host 5 or Host 6 whenever some YARA or OPSWAT matched file activities were detected on any Hosts such as Host1, Host2, Host 3, and Host 4.

 

From 12.2 or later versions, the notifications across multiple hosts are optimized. The alert YARA alert match or OPSWAT alert match is triggered across multiple hosts such as Host 1, Host 2, Host 3, and Host 4 as soon as the file present on any host such as Host 1 is found to be malicious or suspicious after performing a YARA scan or an OPSWAT scan. Later, even if the YARA or OPSWAT matched file activities are detected on any host such as Host 1, the notifications Process with matched YARA rule or Process with OPSWAT reported suspicious/malicious are not triggered in any of the hosts. With this enhancement, the analysts can now triage the alerts appropriately with just one notification of YARA alert match or OPSWAT alert match.  

 

If the malicious file is present in the new host such as Host 5, the alert YARA alert match or OPSWAT alert match is triggered even in the new host as soon as the Endpoint server detects the malicious file in the new host.

 

To avoid triggering Process with OPSWAT reported suspicious/malicious notifications in the multiple hosts whenever some OPSWAT matched file activities were detected on a particular host, the following Endpoint App rules are deleted.

  • process with opswat reported infected
  • process with opswat reported suspicious

To avoid triggering Process with matched YARA rule notifications in the multiple hosts whenever some YARA matched file activities were detected on a particular host, the following Endpoint App rule is deleted.

  • process with matched yara rule
Labels:
© 2022 RSA Security LLC or its affiliates. All rights reserved.