Advanced Malware

What is Advanced Malware?

The data ingested from Advanced Malware event sources is similar to Virus Scan data: it is also used for analytics and lets you track which users and assets are infected frequently.

However, Advanced Malware data also includes network-level detection of infected assets and is a higher-fidelity source of data.

At this time, the Insight Platform has a log parser for FireEye NX. However, if you have a malware detection module as part of your firewall, those events can be forwarded as part of the regular firewall traffic.

FireEye NX

FireEye NX Network Security helps you detect and block attacks from the web. It protects against the entire spectrum of attacks, from relatively unsophisticated drive-by malware to highly targeted zero-day exploits. Its capabilities provide an extremely low false positive rate by leveraging the FireEye Multi-Vector Virtual Execution (MVX) engine to confirm when malware calls out to C&C servers.

Before You Begin

FireEye supports syslog in LEEF or CEF format. Because the InsightOps parser expects CEF, you must configure FireEye to send data in that format.

  1. Log onto the FireEye NX Web.
  2. Go to Settings | Notifications.
  3. Tick rsyslog to enable a Syslog notification configuration.
  4. Enter a name to label your FireEye connection to the InsightOps Collector in the Name field.
  5. Click the Add Rsyslog Server button.
  6. Enter the InsightOps Collector IP address in the IP Address field.
  7. Tick the Enabled check box.
  8. Select Per event in the Delivery drop-down list.
  9. Select All Events from the Notifications drop-down list.
  10. Select CEF from the Format drop-down list. Other formats are not supported.
  11. Leave the Account field empty.
  12. Select UDP from the Protocol drop-down list.
  13. Click the Update button.

Ensure that you send syslog to the collector on a unique UDP or TCP port (above 1024).

You can read more information about FireEye NX and Splunk as a Syslog server here.

How to Configure This Event Source

  1. From your dashboard, select Data Collection on the left hand menu.
  2. At the top right of the page, select the dropdown that says "Setup Event Source" and then choose Add Event Source.
  3. Select the Advanced Malware icon from the Security Data section.
  4. Select your collector, and optionally name your event source.
  5. From the list of event source options, choose FireEye NX.
  6. Choose a timezone, or optionally choose a US timezone.
  7. Optionally choose to send unfiltered logs.
  8. Configure the inactivity timeout threshold in minutes.
  9. Select Listen for Syslog. Select UDP from the Protocol dropdown menu. Enter a port number in the Port field. FireEye NX uses port 514 by default; this can be changed from its command line interface. InsightOps recommends that you avoid port 514 whenever possible. Use this port only for network systems that cannot be configured to use any port other than 514.
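As an added example (not part of this documentation and not Rapid7 Collector code), the following Python snippet shows the collector-side checks implied by Before You Begin and by step 9 above: it tells CEF from LEEF on a received syslog line, parses the CEF header and extension fields, and applies the port guidance. The sample lines are constructed, not real FireEye output, and their field values are assumptions.

```python
import re

# Constructed sample syslog lines (not real FireEye output): one in CEF, one in LEEF.
SAMPLE_CEF = ("<134>Jan 01 12:00:00 fireeye-nx CEF:0|FireEye|NX|1.0|MA|malware-callback|10|"
              "rt=Jan 01 2024 12:00:00 UTC src=10.0.0.5 dst=203.0.113.7 dpt=443 "
              "cs1Label=sname cs1=Trojan.Generic")
SAMPLE_LEEF = "<134>Jan 01 12:00:00 fireeye-nx LEEF:1.0|FireEye|NX|1.0|malware-callback|src=10.0.0.5\tdst=203.0.113.7"

CEF_HEADER = re.compile(r"CEF:\d+\|")
# Header fields are '|' separated; a literal pipe inside a header field is escaped as '\|'.
UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")
# Extension values may contain spaces, so split only in front of the next 'key=' token.
EXT_SPLIT = re.compile(r"\s+(?=[A-Za-z0-9_.]+=)")
HEADER_KEYS = ("cef", "vendor", "product", "version", "signature_id", "name", "severity")


def classify_format(line):
    """Tell CEF from LEEF so a wrong Format setting on the FireEye side is obvious at the collector."""
    if "CEF:" in line:
        return "CEF"
    if "LEEF:" in line:
        return "LEEF"
    return "unknown"


def parse_cef(line):
    """Return the seven CEF header fields plus the extension as a dict, or None if the line is not CEF."""
    m = CEF_HEADER.search(line)
    if m is None:
        return None
    fields = UNESCAPED_PIPE.split(line[m.start():], maxsplit=7)
    if len(fields) != 8:
        return None
    rec = dict(zip(HEADER_KEYS, fields[:7]))
    rec["extension"] = {}
    for token in EXT_SPLIT.split(fields[7].strip()):
        key, _, value = token.partition("=")
        if key:
            rec["extension"][key] = value
    return rec


def check_listener_port(port):
    """Apply the page's guidance: a unique port above 1024, avoiding 514 where the sender allows it."""
    if not 1 <= port <= 65535:
        return False, "port out of range"
    if port == 514:
        return False, "514 is the FireEye default; use it only when the sender cannot be changed"
    if port <= 1024:
        return False, "choose a port above 1024"
    return True, "ok"
```

Running `parse_cef` over lines captured by a generic syslog listener on the collector port is a quick way to confirm that CEF, not LEEF, is arriving before blaming the event source.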

Confirm the Integration

Test that FireEye NX notifications are sent to the InsightOps Collector. To accomplish this, you need to trigger a real alert or use the deployment checks.

Confirm Alerts within InsightOps

  1. Confirm that the event shows up within a minute or two. You should see new incidents in the InsightOps dashboard.
  2. Click the Incident to drill down into the event to display the User Context and Asset names.
  3. Click the ADVANCED MALWARE ALERT link to drill down to display the occurrences for this alert.

Troubleshooting

Check the Collector log located at C:\Program Files\Rapid7\logs\collector.log. If the FireEye NX log data is not visible in the InsightOps cloud, you should:

  1. Stop the FireEye NX event source.
  2. Create a Generic Syslog listener on the same port. This is found under the Rapid7 category of event sources.