(Optional) Configure Auditing on Malware Analysis Host

This topic introduces the configurable features of the Malware Analysis auditing log and the procedures for configuring the features. Malware Analysis is capable of generating auditing alerts based on configured score module thresholds. Once the analysis score for a file in an analysis session meets or exceeds the configured threshold(s), an auditing alert is generated. Thresholding allows sessions and files that score high enough to be likely malware candidates to automatically generate an alert.

Alerts can be configured to be formatted as SNMP, Syslog or File entries. Supporting various audit formats provides a method for external systems to ingest auditing events based on their capability of parsing the supported formats.

In addition to auditing analysis sessions, the following events will trigger an audit alert:

  • User login successes and failures
  • Changes to system configuration settings
  • Server restart
  • Server version upgrade and install

The Auditing configuration settings for Malware Analysis are in the Service Config view > Auditing tab.

Configure the Auditing Threshold

The sole purpose of the thresholds is to specify the criteria that must be reached prior to an alert being generated for an analyzed session/file. If auditing is enabled, each scored file/session is examined to determine if the score in each score module meets or exceeds the configured auditing threshold. If so, an alert is generated using the configured audit alert format (e.g., SNMP, Syslog or File). For example, by configuring SNMP and setting the Community Threshold to 90, all sessions/files that score 90 or higher in the Community Score module generate an SNMP trap. If all of the thresholds are set to 90, then an alert is not generated unless a session or file scores 90 or higher in the Network, Static, Community and sandbox score modules.

To configure the auditing threshold:

  1. Go to netwitness_adminicon_25x22.png (Admin) > Services.
  2. Select a Malware Analysis service, and select netwitness_ic-actns.png > View > Config.
  3. In the Services Config view, click the Auditing tab.
  4. In the Auditing Thresholds section:

    1. Set the threshold for the Community, Static, Network, and Sandbox by doing one of the following for each scoring module:

      • In the slider, click and drag the handle in either direction.
      • In the value field, type a number between 0 and 100, inclusive.
    2. (Optional for 10.3 SP2) Select one or more triggers to record a message and deliver it through all enabled auditing methods.
    3. Click Apply.

      • The threshold setting becomes effective immediately for all enabled auditing methods: SNMP, File, and Syslog.
      • The recorded messages are sent through all enabled auditing methods: SNMP, File, and Syslog.

Configure Incident Management Alerting

When enabled, Malware Analysis alerts feed into the NetWitness Respond workflow.

  1. Go to netwitness_adminicon_25x22.png (Admin) > Services.
  2. Select a Malware Analysis service, and select select netwitness_ic-actns.png > View > Config.
  3. In the Services Config view, select the Auditing tab.
  4. In the Respond Alerting section, select the Enabled checkbox and click Apply.
    Alerting becomes effective immediately.

Configure SNMP Auditing

The Simple Network Management Protocol (SNMP) is an Internet-standard protocol for managing services on IP networks. When SNMP auditing is enabled, Malware Analysis can send an audit event as an SNMP trap to a configured SNMP trap host. In addition to the score and event ID, the alert includes all session meta as well as generated meta data. This is useful for users who want to feed event data to third-party systems.

To configure SNMP auditing:

  1. Go to netwitness_adminicon_25x22.png (Admin) > Services.
  2. Select a Malware Analysis service, and select netwitness_ic-actns.png > View > Config.
  3. In the Services Config view, select the Auditing tab.
  4. In the SNMP Auditing section, click the checkbox to enable SNMP auditing.
  5. Configure the SNMP server name and port.
  6. Configure the SNMP version and trap OID for sending traps.
  7. Configure the Malware Analysis community, and retry and timeout parameters when sending traps.
  8. Click Apply.
    The SNMP auditing settings become effective immediately.

Configure File Auditing Settings

When file auditing is enabled, the audit log file is kept in the Malware Analysis Home Directory. The default location for this log file is:

/var/lib/netwitness/malware-analytics-server/spectrum/logs/audit/audit.log.

As each log reaches the maximum file size, it is archived and a new log is created. The size of these audit logs and their number are both configurable.

Caution: Avoid setting the max file size and archive file count too high, because it may have an adverse effect on the available disk space on the Malware Analysis appliance.

To configure the file auditing settings:

  1. Go to netwitness_adminicon_25x22.png (Admin) > Services.
  2. Select a Malware Analysis service, and select netwitness_ic-actns.png > View > Config.
  3. In the Services Config view, select the Auditing tab.
  4. In the File Auditing section, click the checkbox to enable file auditing.
  5. (Optional) Set the Archive File Count and Max File Size.
  6. Click Apply.
    The file auditing settings become effective immediately.

Configure Syslog Auditing Settings

When enabled, Syslog provides auditing through the use of the RFC 5424 syslog protocol. Regulations, such as SOX, PCI DSS, HIPAA, and many others are requiring organizations to implement comprehensive security measures, which often include collecting and analyzing logs from many different sources. Syslog has proven to be an effective format to consolidate logs, as there are many open source and proprietary tools for reporting and analysis.

In addition to the score and event ID, the syslog includes all session meta as well as generated meta data. This is useful for users who want to feed event data to third-party systems.

To configure the syslog auditing settings:

  1. Go to netwitness_adminicon_25x22.png (Admin) > Services.
  2. Select a Malware Analysis service, and select netwitness_ic-actns.png > View > Config.
  3. In the Services Config view, select the Auditing tab.
  4. In the Syslog Auditing section, click the checkbox to enable syslog auditing.
  5. Configure the host where the target syslog process is running and the port on the host where the syslog process is listening.
  6. Configure the facility, encoding, format, max length, and timestamp for outgoing syslog messages.

Note: (Optional) Configure Identity String to prepend to syslog alerts. ​
For CEF format, please refer to Create Custom Alert in CEF Format for additional considerations.

  1. Click Apply.

    The syslog auditing settings become effective immediately.