ThreatGRID Malware Threat Intelligence Configuration Overview
You can integrate ThreatGRID Malware Threat Intelligence events with JSA.
You must complete the following tasks:
Download the JSA Log Enhanced Event Format Creation script for your collection type from the ThreatGRID support website to your appliance.
On your ThreatGRID appliance, install and configure the script to poll the ThreatGRID API for events.
On your JSA appliance, configure a log source to collect events based on the script you installed on your ThreatGRID appliance.
Ensure that no firewall rules block communication between your ThreatGRID installation and the JSA console or managed host that is responsible for retrieving events.
Syslog Log Source Parameters for ThreatGRID Malware Threat Intelligence Platform
If JSA does not automatically detect the log source, add a ThreatGRID Malware Threat Intelligence Platform log source on the JSA Console by using the Syslog protocol.
When using the Syslog protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect Syslog events from ThreatGRID Malware Threat Intelligence Platform:
Parameter |
Value |
---|---|
Log Source Name |
Type a name for your log source. |
Log Source Description |
Type a description for the log source. |
Log Source Type |
ThreatGRID Malware Intelligence Platform |
Protocol Configuration |
Syslog |
Log Source Identifier |
Type the IP address or host name for the log source as an identifier for events from your ThreatGRID Malware Intelligence Platform. The log source identifier must be unique for the log source type. |
Enabled |
Select this check box to enable the log source. By default, the check box is selected. |
Credibility |
From the list, select the credibility of the log source. The range is 0 - 10. The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5. |
Target Event Collector |
From the list, select the Target Event Collector to use as the target for the log source. |
Coalescing Events |
Select this check box to enable the log source to coalesce (bundle) events. By default, automatically discovered log sources inherit the value of the Coalescing Events list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source. |
Incoming Event Payload |
From the list, select the incoming payload encoder for parsing and storing the logs. |
Store Event Payload |
Select this check box to enable the log source to store event payload information. By default, automatically discovered log sources inherit the value of the Store Event Payload list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source. |
Log File Log Source Parameters for ThreatGRID Malware Threat Intelligence Platform
If JSA does not automatically detect the log source, add a Squid Web Proxy log source on the JSA Console by using the Syslog protocol.
When using the Syslog protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect Syslog events from Squid Web Proxy:
Parameter |
Value |
---|---|
Log Source Name |
Type a name for your log source. |
Log Source Description |
Type a description for the log source. |
Log Source Type |
ThreatGRID Malware Intelligence Plat |
Protocol Configuration |
ThreatGRID Malware Intelligence Plat |
Log Source Identifier |
Type an IP address, host name, or name to identify the event source. The log source identifier must be unique for the log source type. |
Service Type |
From the list, select the protocol that you want to use to retrieve log files from a remote server. The default is SFTP.
The SCP and SFTP service type requires that the host server in the Remote IP or Hostname field has the SFTP subsystem enabled. |
Remote IP or Hostname |
Type the IP address or host name of the ThreatGRID server that contains your event log files. |
Remote Port |
Type the port number for the protocol that is selected to retrieve the event logs from your ThreatGRID server. The valid range is 1 - 65535. The list of default service type port numbers:
|
Remote User |
Type the user name that is required to log in to the ThreatGRID web server that contains your audit event logs. The user name can be up to 255 characters in length. |
Remote Password |
Type the password to log in to your ThreatGRID server. |
Confirm Password |
Confirm the password to log in to your ThreatGRID server |
SSH Key File |
If you select SCP or SFTP as the Service Type, use this parameter to define an SSH private key file. When you provide an SSH Key File, the Remote Password field is ignored. |
Remote Directory |
Type the directory location on the remote host from which the files are retrieved, relative to the user account you are using to log in. For FTP only. If your log files are in the remote user's home directory, you can leave the remote directory blank. Blank values in the Remote Directory field support systems that have operating systems where a change in the working directory (CWD) command is restricted. |
Recursive |
Select this check box if you want the file pattern to search sub folders in the remote directory. By default, the check box is clear. The Recursive parameter is ignored if you configure SCP as the Service Type. |
FTP File Pattern |
Type the regular expression (regex) required to filter the list of files that are specified in the Remote Directory. All files that match the regular expression are retrieved and processed. The FTP file pattern must match the name that you assigned to your ThreatGRID event log. For example, to collect files that start with leef or LEEF and ends with a text file extension, type the following value: Use of this parameter requires knowledge of regular expressions (regex). This parameter applies to log sources that are configured to use FTP or SFTP. |
FTP Transfer Mode |
If you select FTP as the Service Type, from the list, select ASCII. ASCII is required for text-based event logs. |
SCP Remote File |
If you select SCP as the Service Type, type the file name of the remote file. |
Start Time |
Type a time value to represent the time of day you want the log file protocol to start. The start time is based on a 24 hour clock and uses the following format: HH:MM. For example, type 00:00 to schedule the Log File protocol to collect event files at midnight. This parameter functions with the Recurrence field value to establish when your ThreatGRID server is polled for new event log files. |
Recurrence |
Type the frequency that you want to scan the remote directory on your ThreatGRID server for new event log files. Type this value in hours (H), minutes (M), or days (D). For example, type 2H to scan the remote directory every 2 hours from the start time. The default recurrence value is 1H. The minimum time interval is 15M. |
Run On Save |
Select this check box if you want the log file protocol to run immediately after you click Save. After the save action completes, the log file protocol follows your configured start time and recurrence schedule. Selecting Run On Save clears the list of previously processed files for the Ignore Previously Processed File parameter. |
EPS Throttle |
Type the number of events per second (EPS) that you do not want this protocol to exceed. The valid range is 100 - 5000. |
Processor |
From the list, select NONE. Processors allow event file archives to be expanded and processed for their events. Files are processed after they are downloaded. JSA can process files in zip, gzip, tar, or tar+gzip archive format. |
Ignore Previously Processed File(s) |
Select this check box to track and ignore files that are already processed. JSA examines the log files in the remote directory to determine whether the event log was processed by the log source. If a previously processed file is detected, the log source does not download the file. Only new or unprocessed event log files are downloaded by JSA. This option applies to FTP and SFTP service types. |
Change Local Directory? |
Select this check box to define a local directory on your JSA appliance to store event log files during processing. In most scenarios, you can leave this check box not selected. When this check box is selected, the Local Directory field is displayed. You can configure a local directory to temporarily store event log files. After the event log is processed, the events added to JSA and event logs in the local directory are deleted. |
Event Generator |
From the Event Generator list, select LineByLine. The Event Generator applies extra processing to the retrieved event files. Each line of the file is a single event. For example, if a file has 10 lines of text, 10 separate events are created. |