Services Config View - Indicators of Compromise Tab

This topic introduces the features and functions available in the Services Config view > Indicators of Compromise tab, which applies to the Malware Analysis service. Use this tab to configure how each of the four scoring modules uses the available rules to score data.

Workflow

netwitness_113_malware_configworkflow_step4.png

What do you want to do?

| Role | I Want to... | Show me how |
|---|---|---|
| Administrator | Configure General Malware Analysis Settings | Configure General Malware Analysis Settings |
| Administrator | Configure Indicators of Compromise* | Configure Indicators of Compromise |
| Administrator | Configure Auditing on Malware Analysis Host | (Optional) Configure Auditing on Malware Analysis Host |
| Administrator | Configure Hash Filter | (Optional) Configure Hash Filter |
| Administrator | Configure Installed Antivirus Vendor | Configure Installed Antivirus Vendors |
| Administrator | Configure Malware Analysis Proxy Settings | (Optional) Configure Malware Analysis Proxy Settings |
| Administrator | Register a ThreatGRID API Key | (Optional) Register for a ThreatGRID API Key |
| Administrator | Enable Community Analysis | Enable Community Analysis |

*You can perform this task in the current view.

Related topic

Basic Setup

Quick Look

This is an example of the Indicators of Compromise tab.

122_indicompro_1222.png

1 Displays the Indicators of Compromise Tab.

Features

The Indicators of Compromise tab consists of a toolbar and a pageable grid.

This table describes the features of the toolbar.

| Feature | Description |
|---|---|
| Module selection list | Selects the scoring module for which you want to view the Indicators of Compromise: All, Network, Static, Community, Sandbox, or Yara. |
| Search field | Type the text to search for in the Description field. |
| Search option | Filters the grid to display only Descriptions that match the Description search term. |
| Enable All option | Click to enable all rules for the scoring module, as opposed to enabling all rules on the page using the checkbox. |
| Enable option | Click to enable selected rules. |
| Disable All option | Click to disable all rules for the scoring module, as opposed to disabling all rules on the page using the checkbox. |
| Disable option | Click to disable selected rules. |
| Reset All option | Click to reset all rows on the page to their default values. |
| Reset option | Click to reset selected rows to their default values. |
| Save option | Click to save changes you made on this page. If you leave the page without saving, the changes are lost. The description of each row with unsaved changes has a red corner. |

This table describes the columns of the grid.

| Column | Description |
|---|---|
| Selection checkbox | Checkboxes for selecting individual rows or all rows on the page. |
| Enabled checkbox | If the indicator of compromise is enabled, Malware Analysis uses the rule for scoring session data. |
| High Confidence checkbox | If checked, Malware Analysis treats the rule as one very likely to indicate the presence of malware, and an event that triggers that rule is marked in the results grid. |
| Description | Describes the Indicator of Compromise. |
| Score | Specifies the score that you want to factor in to the total score for any event that triggers the rule. The default score is displayed and you can raise or lower the score by dragging the slider or typing a number in the score box. |
| File Type | Displays the file types to which the rule applies. Possible values are ALL, PDF, MS Office, and Windows PE. |