Create Custom Alert in CEF FormatCreate Custom Alert in CEF Format

This topic provides instructions for creating custom alerts in Common Event Format (CEF) to send to a service that ingests events as CEF. This is an advanced configuration task, which requires sufficient knowledge to manually edit the configuration file: /var/netwitness/malware-analytics-server/spectrum/conf/malwareCEFDictionaryConfiguration.xml. Before editing the file, you must stop the Malware Analysis service in the operating system. The CEF Alert becomes active when you restart the Malware Analysis service.

The CEF TemplateThe CEF Template

To send events to a service ingesting events as CEF, NetWitness runs them through a configuration file that serves as a CEF template before feeding the events to a correlation technology. You can tune the configuration file, which specifies the sequence and mapping of syslog fields in each alert.

The following example syslog message shows the CEF fields in the extensions section of the alert (following the last '|' in the alert). Each field can be configured to indicate the sequence (described in the Example section below). Fields can be excluded entirely from the alert via a configuration setting.

CEF:0|NetWitness|Spectrum|10.3.0.7995.1.0|Suspicious Event|Detected suspicious network event ID 4 session ID n/a|2|static=100.0 nextgen=25.0 community=100.0 sandbox=25.0 file.name=myFile.exe file.size=1234556 file.md5.hash=DEADBEEFBABECAFEDEADBEEFBABECAFE event.source=spectrum://admin@0:0:0:0:0:0:0:1:64563 event.type=MANUAL_UPLOAD event.id=0 country.dst.code=-- country.dst=Unavailable ip.src=0:0:0:0:0:0:0:1 ip.dst=0:0:0:0:0:0:0:1 event.uuid=f7a6155a-31de-4fa6-ba16-41fb9a8e5f26 ...

Understand a Syslog Auditing File EntryUnderstand a Syslog Auditing File Entry

The description of the file structure is based on the following sample.

Feb 6 10:02:28 10.10.10.125 SpectrumServer125

CEF: 0|NetWitness|Spectrum|1.2.1.130|Suspicious Event|Detected suspicious
network event ID 857 session ID 73|2|

static=100.0 network=29.0 community=8.0 sandbox=N/R

file.name=-CVE-00_DOC_2010-05-13_attachment.doc file.size=0 file.md5.hash=20a29259c0e5958afb2f50c4177bb307

com.netwitness.event.internal.id=73 com.netwitness.event.internal.uuid=37d2bad7-06bc-4b34-88e1-df43d9710204 alias.ip=10.25.50.149 client=Wget/1.11.4 Red Hat modified payload=108872 packets=136 country.dst=Private time=Fri Jan 27 10:09:25 EST 2012 threat.source=netwitness tcp.srcport=43580 action=get com.netwitness.event.internal.source=http://QASpectrum2:50104/sdk filetype=rtf alias.host=qa-fc12-149 eth.src=00:25:90:18:76:E2 ip.proto=6 tcp.flags=27 ip.src=10.25.50.61 tcp.dstport=80 threat.category=spectrum eth.dst=00:0C:29:F8:50:2D lifetime=0 alert.id=nw32535 sessionid=73 medium=1 size=117864 content=spectrum.consume11 extension=doc directory=/files/MALWAREMALWARE/OfficeDocs/DOC/ eth.type=2048 ip.dst=10.25.50.149 service=80 filename=-CVE-00_DOC_2010-05-13_attachment.doc server=Apache/2.2.13 (Fedora) streams=2 referer=http://qa-fc12-149/files/MALWAREMALW...fficeDocs/DOC/ risk.info=http client server version mismatch

First LineFirst Line

Feb 6 10:02:28 10.10.10.125 SpectrumServer125

Log Information	Description
Feb 6 10:02:28	The timestamp for the entry.
10.10.10.125	The source IP address for the event.
SpectrumServer125	The source hostname for the event.

Audit Common Event Format (CEF) HeaderAudit Common Event Format (CEF) Header

0|NetWitness|Spectrum|1.2.1.130|Suspicious Event|Detected suspicious network event ID 857 session ID 73|2|

The audit CEF header is a pipe-separated listing of the following fields:

Log Information	Description
0	The ArcSight Common Event Format (CEF) version used for the audit syslog.
NetWitness	The service that created the syslog message.
Spectrum	Malware Analysis is the logger for the event.
1.2.1.130	Malware Analysis version.
event ID 857	Unique network event id for this event.
session ID 73	Core unique session id for the session that included this event.
2	Severity, an integer between 1 and 6 indicates the level of severity for the message. 1 = INFORMATION_LEVEL 2 = WARNING_LEVEL 3 = ERROR_LEVEL 4 = SUCCESS_LEVEL 5 = FAILURE_LEVEL 6 = AUDIT_FAILURE_LEVEL

Audit CEF ExtensionAudit CEF Extension

static=100.0 network=29.0 community=8.0 sandbox=N/R

file.name=-CVE-00_DOC_2010-05-13_attachment.doc file.size=0 file.md5.hash=20a29259c0e5958afb2f50c4177bb307 com.netwitness.event.internal.id=73

com.netwitness.event.internal.uuid=37d2bad7-06bc-4b34-88e1-df43d9710204 alias.ip=10.25.50.149 client=Wget/1.11.4 Red Hat modified payload=108872 packets=136 country.dst=Private time=Fri Jan 27 10:09:25 EST 2012 threat.source=netwitness tcp.srcport=43580 action=get com.netwitness.event.internal.source=http://QASpectrum2:50104/sdk filetype=rtf alias.host=qa-fc12-149 eth.src=00:25:90:18:76:E2 ip.proto=6 tcp.flags=27 ip.src=10.25.50.61 tcp.dstport=80 threat.category=spectrum eth.dst=00:0C:29:F8:50:2D lifetime=0 alert.id=nw32535 sessionid=73 medium=1 size=117864 content=spectrum.consume11 extension=doc directory=/files/MALWAREMALWARE/OfficeDocs/DOC/ eth.type=2048 ip.dst=10.25.50.149 service=80 filename=-CVE-00_DOC_2010-05-13_attachment.doc server=Apache/2.2.13 (Fedora) streams=2 referer=http://qa-fc12-149/files/MALWAREMALW...fficeDocs/DOC/ risk.info=http client server version mismatch

Analysis ScoresAnalysis Scores

The first entry in the audit CEF extension provides the four Malware Analysis scores for the event: Static, Network, Community, and Sandbox.

Log Information	Sample Value
static	100.0
network	29.0
community	8.0 A score of 0.0 can be a community score for the event or can indicate that no community services were enabled.
sandbox	N/R N/R means not run. This indicates that the GFI sandbox was not enabled.

File InformationFile Information

The next three entries provide file information: file name, size, and hash.

Log Information	Sample Value
file.name	-CVE-00_DOC_2010-05-13_attachment.doc
file.size	0
file.md5.hash	20a29259c0e5958afb2f50c4177bb307

Event Meta Data Retrieved by NextGenEvent Meta Data Retrieved by NextGen

The record continues with the Core meta data for the event. The meta data in the message depends on the event. The amount of data in the message is truncated to the maximum length in bytes configured in the Syslog Settings. The default value is 1024.

Log Information	Sample Value
com.netwitness.event.internal.id	73
com.netwitness.event.internal.uuid	37d2bad7-06bc-4b34-88e1-df43d9710204
alias.ip	10.25.50.149
client	Wget/1.11.4 Red Hat modified
payload	108872
packets	136
country.dst	Private
time	Fri Jan 27 10:09:25 EST 2012
threat.source	netwitness
tcp.srcport	43580
action	get
com.netwitness.event.internal.source	http://QASpectrum2:50104/sdk
filetype	rtf
alias.host	qa-fc12-149
eth.src	00:25:90:18:76:E2
ip.proto	6
tcp.flags	27
ip.src	10.25.50.61
tcp.dstport	80
threat.category	spectrum
eth.dst	00:0C:29:F8:50:2D
lifetime	0
alert.id	nw32535
sessionid	73
medium	1
size	117864
content	spectrum.consume11
extension	doc
directory	/files/MALWAREMALWARE/OfficeDocs/DOC/
eth.type	2048
ip.dst	10.25.50.149
service	80
filename	-CVE-00_DOC_2010-05-13_attachment.doc
server	Apache/2.2.13 (Fedora)
streams	2
referer	http://qa-fc12-149/files/MALWAREMALWARE/OfficeDocs/DOC/
risk.info	http client server version mismatch

Edit the Configuration FileEdit the Configuration File

1. Stop the Malware Analysis service.
2. Edit the configuration file as described in the Example.

3. Start the Malware Analysis service.

   The Malware Analysis service begins processing alerts through the configuration file and sending CEF alerts to designated services.

ExampleExample

The configuration file can be used to dictate which fields appear in the resulting alert as well as the label associated with each field and the order in which the data fields appear. The configuration file is composed of one or more XML MalwareCefExtension blocks as shown in the example below. The ordering of these blocks in the configuration file implies the order of the data fields in the CEF alert.

In the example below, the CEF alert would include two data fields, ip.src followed by ip.dst. The customKey is used to indicate the labeling of the data field in the alert. This allows the user to choose a custom label in order to force the alerting format to better match the expectations of the alert consumer. In other words, the format can be tuned to prevent unwanted changes to an existing alert parser. Lastly, the isDisplay setting determines if the field is included in the alert output. This allows the user to turn off data fields without having to physically delete the MalwareCefExtension block from the configuration.

<config>

<malwareExtensionList>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>ip.src</customKey>

<malwareKey>ip.src</malwareKey>

<isDisplay>true</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>ip.dst</customKey>

<malwareKey>ip.dst</malwareKey>

<isDisplay>true</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

</malwareExtensionList>

</config>

At the end of the configuration file are three additional settings that can be used to further tune the alert format. They are as follows:

Setting	Description
includesUnknownMeta	This true or false setting indicates if unknown data elements are included in the resulting alert. Any NextGen session meta can be considered for inclusion into a CEF alert. Because additional session meta can be introduced via authoring new NextGen parsers, meta that is not contained in the default configuration may be encountered. You can set includesUnknownMeta to true to include the unknown meta in the alert and label it using the NextGen meta key name. To force a custom key for the unknown meta, you must edit this file and add a new MalwareCefExtension to the dictionary. To omit unknown meta from the alert, set includesUnknownMeta to false.
displayNulls	This true or false setting indicates if values that are set to null are included in the alert. If displayNulls is set to false, the null value fields are omitted even if their MalwareCefExtension isDisplay property is turned on. This allows dynamic formatting of alerts to exclude null fields.
valueIfNull	This true or false setting allows you to specify a string placeholder (n/a by default) to be used as the value for any null valued fields. If displayNulls is set to true, then null valued fields are included in the alerts. Their value is set to the value specified in valueIfNull.

The following represents the default CEF configuration file. The default configuration file includes all default NextGen session meta.

<config>

<malwareExtensionList>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>static</customKey>

<malwareKey>static</malwareKey>

<isDisplay>true</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>nextgen</customKey>

<malwareKey>nextgen</malwareKey>

<isDisplay>true</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>community</customKey>

<malwareKey>community</malwareKey>

<isDisplay>true</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>sandbox</customKey>

<malwareKey>sandbox</malwareKey>

<isDisplay>true</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>file.name</customKey>

<malwareKey>file.name</malwareKey>

<isDisplay>true</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>file.size</customKey>

<malwareKey>file.size</malwareKey>

<isDisplay>true</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>file.md5.hash</customKey>

<malwareKey>file.md5.hash</malwareKey>

<isDisplay>true</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>event.source</customKey>

<malwareKey>event.source</malwareKey>

<isDisplay>true</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>event.type</customKey>

<malwareKey>event.type</malwareKey>

<isDisplay>true</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>event.id</customKey>

<malwareKey>event.id</malwareKey>

<isDisplay>true</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>event.uuid</customKey>

<malwareKey>event.uuid</malwareKey>

<isDisplay>true</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>antivirus.primary.detected</customKey>

<malwareKey>antivirus.primary.detected</malwareKey>

<isDisplay>true</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>antivirus.secondary.detected</customKey>

<malwareKey>antivirus.secondary.detected</malwareKey>

<isDisplay>true</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>antivirus.other.detected</customKey>

<malwareKey>antivirus.other.detected</malwareKey>

<isDisplay>true</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>country.dst.code</customKey>

<malwareKey>country.dst.code</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>city.dst</customKey>

<malwareKey>city.dst</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>org.dst</customKey>

<malwareKey>org.dst</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>payload</customKey>

<malwareKey>payload</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>packets</customKey>

<malwareKey>packets</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>country.dst</customKey>

<malwareKey>country.dst</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>time</customKey>

<malwareKey>time</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>threat.source</customKey>

<malwareKey>threat.source</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>tcp.srcpport</customKey>

<malwareKey>tcp.srcpport</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>filetype</customKey>

<malwareKey>filetype</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>latdec.dst</customKey>

<malwareKey>latdec.dst</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>eth.src</customKey>

<malwareKey>eth.src</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>agency.dst</customKey>

<malwareKey>agency.dst</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>ip.proto</customKey>

<malwareKey>ip.proto</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>tcp.flags</customKey>

<malwareKey>tcp.flags</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>ip.src</customKey>

<malwareKey>ip.src</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>tcp.dstport</customKey>

<malwareKey>tcp.dstport</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>threat.category</customKey>

<malwareKey>threat.category</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>eth.dst</customKey>

<malwareKey>eth.dst</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>lifetime</customKey>

<malwareKey>lifetime</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>latdec.src</customKey>

<malwareKey>latdec.src</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>did</customKey>

<malwareKey>did</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>alert.id</customKey>

<malwareKey>alert.id</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>country.src</customKey>

<malwareKey>country.src</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>sessionid</customKey>

<malwareKey>sessionid</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>longdec.src</customKey>

<malwareKey>longdec.src</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>medium</customKey>

<malwareKey>medium</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>size</customKey>

<malwareKey>size</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>ad.domain.dst</customKey>

<malwareKey>ad.computer.dst</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>ad.computer.dst</customKey>

<malwareKey>ad.computer.dst</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>ad.username.src</customKey>

<malwareKey>ad.username.src</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>rpackets</customKey>

<malwareKey>rpackets</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>action</customKey>

<malwareKey>action</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>ad.domain.src</customKey>

<malwareKey>ad.domain.src</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>eth.src.vendor</customKey>

<malwareKey>eth.src.vendor</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>rpayload</customKey>

<malwareKey>rpayload</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>ad.username.dst</customKey>

<malwareKey>ad.username.dst</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>content</customKey>

<malwareKey>content</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>extension</customKey>

<malwareKey>extension</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>eth.dst.vendor</customKey>

<malwareKey>eth.dst.vendor</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>rid</customKey>

<malwareKey>rid</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>directory</customKey>

<malwareKey>directory</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>risk.suspicious</customKey>

<malwareKey>risk.suspicious</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>eth.type</customKey>

<malwareKey>eth.type</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>ip.dst</customKey>

<malwareKey>ip.dst</malwareKey>

<isDisplay>false</isDisplay>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>service</customKey>

<malwareKey>service</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>filename</customKey>

<malwareKey>filename</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>streams</customKey>

<malwareKey>streams</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>risk.info</customKey>

<malwareKey>risk.info</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>dest.tld</customKey>

<malwareKey>dest.tld</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>alias.host</customKey>

<malwareKey>alias.host</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>tcp.srcport</customKey>

<malwareKey>tcp.srcport</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>udp.srcport</customKey>

<malwareKey>udp.srcport</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>udp.dstport</customKey>

<malwareKey>udp.dstport</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>domain.dst</customKey>

<malwareKey>domain.dst</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>feed.name</customKey>

<malwareKey>feed.name</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>feed.description</customKey>

<malwareKey>feed.description</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>threat.description</customKey>

<malwareKey>threat.description</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>referer</customKey>

<malwareKey>referer</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>client</customKey>

<malwareKey>client</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>server</customKey>

<malwareKey>server</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>risk.warning</customKey>

<malwareKey>risk.warning</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>attachment</customKey>

<malwareKey>attachment</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>whois.registrar</customKey>

<malwareKey>whois.registrar</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>whois.registrant</customKey>

<malwareKey>whois.registrant</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>whois.date.creation</customKey>

<malwareKey>whois.date.creation</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

<com.netwitness.malware.core.cef.MalwareCefExtension>

<customKey>whois.server</customKey>

<malwareKey>whois.server</malwareKey>

<isDisplay>false</isDisplay>

</com.netwitness.malware.core.cef.MalwareCefExtension>

</malwareExtensionList>

<includesUnknownMeta>false</includesUnknownMeta>

<displayNulls>false</displayNulls>

<valueIfNull>n/a</valueIfNull>

</config>