Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

ThreatGRID Malware Threat Intelligence Configuration Overview

 

You can integrate ThreatGRID Malware Threat Intelligence events with JSA.

You must complete the following tasks:

  1. Download the JSA Log Enhanced Event Format Creation script for your collection type from the ThreatGRID support website to your appliance.

  2. On your ThreatGRID appliance, install and configure the script to poll the ThreatGRID API for events.

  3. On your JSA appliance, configure a log source to collect events based on the script you installed on your ThreatGRID appliance.

  4. Ensure that no firewall rules block communication between your ThreatGRID installation and the JSA console or managed host that is responsible for retrieving events.

Configuring a ThreatGRID Syslog Log Source

JSA automatically discovers and creates a log source for malware events that are forwarded from the ThreatGRID Malware Threat Intelligence Platform.

This procedure is optional.

  1. Log in to JSA.
  2. Click the Admin tab.
  3. On the navigation menu, click Data Sources.
  4. Click the Log Sources icon.
  5. Click Add.
  6. In the Log Source Name field, type a name for your log source.
  7. In the Log Source Description field, type a description for the log source.
  8. From the Log Source Type list, select ThreatGRID Malware Intelligence Platform.
  9. From the Protocol Configuration list, select Syslog.
  10. Configure the following values:

    Table 1: Syslog Protocol Parameters

    Parameter

    Description

    Log Source Identifier

    Type the IP address or host name for the log source as an identifier for events from your ThreatGRID Malware Intelligence Platform.

    The log source identifier must be unique for the log source type.

    Enabled

    Select this check box to enable the log source. By default, the check box is selected.

    Credibility

    From the list, select the credibility of the log source. The range is 0 - 10.

    The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5.

    Target Event Collector

    From the list, select the Target Event Collector to use as the target for the log source.

    Coalescing Events

    Select this check box to enable the log source to coalesce (bundle) events.

    By default, automatically discovered log sources inherit the value of the Coalescing Events list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

    Incoming Event Payload

    From the list, select the incoming payload encoder for parsing and storing the logs.

    Store Event Payload

    Select this check box to enable the log source to store event payload information.

    By default, automatically discovered log sources inherit the value of the Store Event Payload list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

  11. Click Save.
  12. On the Admin tab, click Deploy Changes.

    Malware events that are forwarded to JSA are displayed on the Log Activity tab of JSA.

Configuring a ThreatGRID Log File Protocol Log Source

To use the log file protocol to collect events, you must configure a log source in JSA to poll for the event log that contains your malware events.

  1. Click the Admin tab.
  2. On the navigation menu, click Data Sources.
  3. Click the Log Sources icon.
  4. Click Add.
  5. In the Log Source Name field, type a name for the log source.
  6. In the Log Source Description field, type a description for the log source.
  7. From the Log Source Type list, select ThreatGRID Malware Threat Intelligence Platform.
  8. From the Protocol Configuration list, select Log File.
  9. Configure the following values:

    Table 2: Log File Protocol Parameters

    Parameter

    Description

    Log Source Identifier

    Type an IP address, host name, or name to identify the event source.

    The log source identifier must be unique for the log source type.

    Service Type

    From the list, select the protocol that you want to use to retrieve log files from a remote server. The default is SFTP.

    • SFTP SSH File Transfer Protocol

    • FTP File Transfer Protocol

    • SCP Secure Copy Protocol

    The SCP and SFTP service type requires that the host server in the Remote IP or Hostname field has the SFTP subsystem enabled.

    Remote IP or Hostname

    Type the IP address or host name of the ThreatGRID server that contains your event log files.

    Remote Port

    Type the port number for the protocol that is selected to retrieve the event logs from your ThreatGRID server. The valid range is 1 - 65535.

    The list of default service type port numbers:

    • FTP TCP Port 21

    • SFTP TCP Port 22

    • SCP TCP Port 22

    Remote User

    Type the user name that is required to log in to the ThreatGRID web server that contains your audit event logs.

    The user name can be up to 255 characters in length.

    Remote Password

    Type the password to log in to your ThreatGRID server.

    Confirm Password

    Confirm the password to log in to your ThreatGRID server

    SSH Key File

    If you select SCP or SFTP as the Service Type, use this parameter to define an SSH private key file. When you provide an SSH Key File, the Remote Password field is ignored.

    Remote Directory

    Type the directory location on the remote host from which the files are retrieved, relative to the user account you are using to log in.

    For FTP only. If your log files are in the remote user's home directory, you can leave the remote directory blank. Blank values in the Remote Directory field support systems that have operating systems where a change in the working directory (CWD) command is restricted.

    Recursive

    Select this check box if you want the file pattern to search sub folders in the remote directory. By default, the check box is clear.

    The Recursive parameter is ignored if you configure SCP as the Service Type.

    FTP File Pattern

    Type the regular expression (regex) required to filter the list of files that are specified in the Remote Directory. All files that match the regular expression are retrieved and processed.

    The FTP file pattern must match the name that you assigned to your ThreatGRID event log. For example, to collect files that start with leef or LEEF and ends with a text file extension, type the following value:

    (leef|LEEF)+.*\.txt

    Use of this parameter requires knowledge of regular expressions (regex). This parameter applies to log sources that are configured to use FTP or SFTP.

    FTP Transfer Mode

    If you select FTP as the Service Type, from the list, select ASCII.

    ASCII is required for text-based event logs.

    SCP Remote File

    If you select SCP as the Service Type, type the file name of the remote file.

    Start Time

    Type a time value to represent the time of day you want the log file protocol to start. The start time is based on a 24 hour clock and uses the following format: HH:MM.

    For example, type 00:00 to schedule the Log File protocol to collect event files at midnight.

    This parameter functions with the Recurrence field value to establish when your ThreatGRID server is polled for new event log files.

    Recurrence

    Type the frequency that you want to scan the remote directory on your ThreatGRID server for new event log files. Type this value in hours (H), minutes (M), or days (D).

    For example, type 2H to scan the remote directory every 2 hours from the start time. The default recurrence value is 1H. The minimum time interval is 15M.

    Run On Save

    Select this check box if you want the log file protocol to run immediately after you click Save.

    After the save action completes, the log file protocol follows your configured start time and recurrence schedule.

    Selecting Run On Save clears the list of previously processed files for the Ignore Previously Processed File parameter.

    EPS Throttle

    Type the number of events per second (EPS) that you do not want this protocol to exceed. The valid range is 100 - 5000.

    Processor

    From the list, select NONE.

    Processors allow event file archives to be expanded and processed for their events. Files are processed after they are downloaded. JSA can process files in zip, gzip, tar, or tar+gzip archive format.

    Ignore Previously Processed File(s)

    Select this check box to track and ignore files that are already processed.

    JSA examines the log files in the remote directory to determine whether the event log was processed by the log source. If a previously processed file is detected, the log source does not download the file. Only new or unprocessed event log files are downloaded by JSA.

    This option applies to FTP and SFTP service types.

    Change Local Directory?

    Select this check box to define a local directory on your JSA appliance to store event log files during processing.

    In most scenarios, you can leave this check box not selected. When this check box is selected, the Local Directory field is displayed. You can configure a local directory to temporarily store event log files. After the event log is processed, the events added to JSA and event logs in the local directory are deleted.

    Event Generator

    From the Event Generator list, select LineByLine.

    The Event Generator applies extra processing to the retrieved event files. Each line of the file is a single event. For example, if a file has 10 lines of text, 10 separate events are created.

  10. Click Save.
  11. On the Admin tab, click Deploy Changes.

    Malware events that are retrieved by the log source are displayed on the Log Activity tab of JSA.