Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

ThreatGRID Malware Threat Intelligence Configuration Overview

You can integrate ThreatGRID Malware Threat Intelligence events with JSA.

You must complete the following tasks:

  1. Download the JSA Log Enhanced Event Format Creation script for your collection type from the ThreatGRID support website to your appliance.

  2. On your ThreatGRID appliance, install and configure the script to poll the ThreatGRID API for events.

  3. On your JSA appliance, configure a log source to collect events based on the script you installed on your ThreatGRID appliance.

  4. Ensure that no firewall rules block communication between your ThreatGRID installation and the JSA console or managed host that is responsible for retrieving events.

Syslog Log Source Parameters for ThreatGRID Malware Threat Intelligence Platform

If JSA does not automatically detect the log source, add a ThreatGRID Malware Threat Intelligence Platform log source on the JSA Console by using the Syslog protocol.

When using the Syslog protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect Syslog events from ThreatGRID Malware Threat Intelligence Platform:

Table 1: Syslog log source parameters for the ThreatGRID Malware Threat Intelligence Platform DSM

Parameter

Value

Log Source Name

Type a name for your log source.

Log Source Description

Type a description for the log source.

Log Source Type

ThreatGRID Malware Intelligence Platform

Protocol Configuration

Syslog

Log Source Identifier

Type the IP address or host name for the log source as an identifier for events from your ThreatGRID Malware Intelligence Platform.

The log source identifier must be unique for the log source type.

Enabled

Select this check box to enable the log source. By default, the check box is selected.

Credibility

From the list, select the credibility of the log source. The range is 0 - 10.

The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5.

Target Event Collector

From the list, select the Target Event Collector to use as the target for the log source.

Coalescing Events

Select this check box to enable the log source to coalesce (bundle) events.

By default, automatically discovered log sources inherit the value of the Coalescing Events list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

Incoming Event Payload

From the list, select the incoming payload encoder for parsing and storing the logs.

Store Event Payload

Select this check box to enable the log source to store event payload information.

By default, automatically discovered log sources inherit the value of the Store Event Payload list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

Log File Log Source Parameters for ThreatGRID Malware Threat Intelligence Platform

If JSA does not automatically detect the log source, add a Squid Web Proxy log source on the JSA Console by using the Syslog protocol.

When using the Syslog protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect Syslog events from Squid Web Proxy:

Table 2: Log File log source parameters for the ThreatGRID Malware Threat Intelligence Platform DSM

Parameter

Value

Log Source Name

Type a name for your log source.

Log Source Description

Type a description for the log source.

Log Source Type

ThreatGRID Malware Intelligence Plat

Protocol Configuration

ThreatGRID Malware Intelligence Plat

Log Source Identifier

Type an IP address, host name, or name to identify the event source.

The log source identifier must be unique for the log source type.

Service Type

From the list, select the protocol that you want to use to retrieve log files from a remote server. The default is SFTP.

  • SFTP SSH File Transfer Protocol

  • FTP File Transfer Protocol

  • SCP Secure Copy Protocol

The SCP and SFTP service type requires that the host server in the Remote IP or Hostname field has the SFTP subsystem enabled.

Remote IP or Hostname

Type the IP address or host name of the ThreatGRID server that contains your event log files.

Remote Port

Type the port number for the protocol that is selected to retrieve the event logs from your ThreatGRID server. The valid range is 1 - 65535.

The list of default service type port numbers:

  • FTP TCP Port 21

  • SFTP TCP Port 22

  • SCP TCP Port 22

Remote User

Type the user name that is required to log in to the ThreatGRID web server that contains your audit event logs.

The user name can be up to 255 characters in length.

Remote Password

Type the password to log in to your ThreatGRID server.

Confirm Password

Confirm the password to log in to your ThreatGRID server

SSH Key File

If you select SCP or SFTP as the Service Type, use this parameter to define an SSH private key file. When you provide an SSH Key File, the Remote Password field is ignored.

Remote Directory

Type the directory location on the remote host from which the files are retrieved, relative to the user account you are using to log in.

For FTP only. If your log files are in the remote user's home directory, you can leave the remote directory blank. Blank values in the Remote Directory field support systems that have operating systems where a change in the working directory (CWD) command is restricted.

Recursive

Select this check box if you want the file pattern to search sub folders in the remote directory. By default, the check box is clear.

The Recursive parameter is ignored if you configure SCP as the Service Type.

FTP File Pattern

Type the regular expression (regex) required to filter the list of files that are specified in the Remote Directory. All files that match the regular expression are retrieved and processed.

The FTP file pattern must match the name that you assigned to your ThreatGRID event log. For example, to collect files that start with leef or LEEF and ends with a text file extension, type the following value:

(leef|LEEF)+.*\.txt

Use of this parameter requires knowledge of regular expressions (regex). This parameter applies to log sources that are configured to use FTP or SFTP.

FTP Transfer Mode

If you select FTP as the Service Type, from the list, select ASCII.

ASCII is required for text-based event logs.

SCP Remote File

If you select SCP as the Service Type, type the file name of the remote file.

Start Time

Type a time value to represent the time of day you want the log file protocol to start. The start time is based on a 24 hour clock and uses the following format: HH:MM.

For example, type 00:00 to schedule the Log File protocol to collect event files at midnight.

This parameter functions with the Recurrence field value to establish when your ThreatGRID server is polled for new event log files.

Recurrence

Type the frequency that you want to scan the remote directory on your ThreatGRID server for new event log files. Type this value in hours (H), minutes (M), or days (D).

For example, type 2H to scan the remote directory every 2 hours from the start time. The default recurrence value is 1H. The minimum time interval is 15M.

Run On Save

Select this check box if you want the log file protocol to run immediately after you click Save.

After the save action completes, the log file protocol follows your configured start time and recurrence schedule.

Selecting Run On Save clears the list of previously processed files for the Ignore Previously Processed File parameter.

EPS Throttle

Type the number of events per second (EPS) that you do not want this protocol to exceed. The valid range is 100 - 5000.

Processor

From the list, select NONE.

Processors allow event file archives to be expanded and processed for their events. Files are processed after they are downloaded. JSA can process files in zip, gzip, tar, or tar+gzip archive format.

Ignore Previously Processed File(s)

Select this check box to track and ignore files that are already processed.

JSA examines the log files in the remote directory to determine whether the event log was processed by the log source. If a previously processed file is detected, the log source does not download the file. Only new or unprocessed event log files are downloaded by JSA.

This option applies to FTP and SFTP service types.

Change Local Directory?

Select this check box to define a local directory on your JSA appliance to store event log files during processing.

In most scenarios, you can leave this check box not selected. When this check box is selected, the Local Directory field is displayed. You can configure a local directory to temporarily store event log files. After the event log is processed, the events added to JSA and event logs in the local directory are deleted.

Event Generator

From the Event Generator list, select LineByLine.

The Event Generator applies extra processing to the retrieved event files. Each line of the file is a single event. For example, if a file has 10 lines of text, 10 separate events are created.