Devices

System Health & Performance

The System Health and Performance section of the Devices page provides information about the resource utilization, hostname, IP address, and system version numbers of managers and collectors. Various system statistics are also displayed in tabular form.

The system control options for each device at the top of the page let you reboot (or force reboot) and shut down a device, either instantly or after a selected time interval. There are also global reboot and shutdown options on the left side of the page that affect every manager or collector in the devices list.

Integrations

Numerous internal analysis components and external analysis appliances are available as optional integrations to the Threat Discovery Engine. Enabling third-party integrations broadens the scope of detection and increases the alerting and threat-factoring capabilities of the system. MetaDefender NDR leverages the analytic capabilities of third-party technologies through internal integration services that can be configured to interact with those technologies. These services communicate with those technologies and consume their analysis results to perform threat analysis on the captured content. They are configured on the Devices page.

Note: Integrations can be configured using either IPv4 or IPv6 addresses.

Literal IPv6 addresses are enclosed in square brackets, for example: http://[2001:db8:85a3:8d3:1319:8a2e:370:7348]/

When the URL also contains a port number, the notation is: https://[2001:db8:85a3:8d3:1319:8a2e:370:7348]:443/ where the trailing 443 is the port number in this example.

Some sections in the UI require brackets around the IPv6 address:

  • IPv6 Syslog address
  • Admin > Globals > Network > Upstream HTTP Proxy
  • Admin > Globals > Devices > OPSWAT > OPSWAT Metadefender Core Hosting: Remote Host
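As an added example (not code from the MetaDefender NDR product or its documentation), the following Python helper builds the bracketed URL form shown above from a bare address and optional port, and parses a configured URL back into host and port, rejecting an unbracketed IPv6 literal whose final group would otherwise be read as the port. The function names are assumptions for illustration.

```python
"""Helpers for integration endpoint URLs with literal IPv6 hosts.

Added example, not code from the MetaDefender NDR product or docs.
The function names and structure are assumptions for illustration.
"""
import ipaddress
from typing import Optional, Tuple
from urllib.parse import urlsplit


def integration_url(host: str, port: Optional[int] = None,
                    scheme: str = "https", path: str = "/") -> str:
    """Return scheme://host[:port]path, bracketing an IPv6 literal.

    `host` may be an IPv4 address, an IPv6 address (with or without
    brackets) or a DNS name; only IPv6 literals receive brackets.
    """
    bare = host.strip()
    if bare.startswith("[") and bare.endswith("]"):
        bare = bare[1:-1]
    try:
        if isinstance(ipaddress.ip_address(bare), ipaddress.IPv6Address):
            bare = f"[{bare}]"
    except ValueError:
        pass  # not an IP literal, so treat it as a hostname
    netloc = bare if port is None else f"{bare}:{port}"
    return f"{scheme}://{netloc}{path}"


def split_endpoint(url: str) -> Tuple[str, Optional[int]]:
    """Return (host, port) from a configured URL; port is None if absent.

    An unbracketed IPv6 literal is rejected explicitly: without brackets
    the last ':group' cannot be told apart from a ':port', which is why
    the UI fields listed above require the bracketed form.
    """
    parts = urlsplit(url)
    netloc = parts.netloc.rpartition("@")[2]  # drop any userinfo
    if netloc.count(":") > 1 and not netloc.startswith("["):
        raise ValueError(f"IPv6 literal must be bracketed: {netloc!r}")
    if not parts.hostname:
        raise ValueError(f"URL has no host: {url!r}")
    return parts.hostname, parts.port  # .hostname has the brackets removed
```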

By default, post-processors for the following integration features are active:

  • InQuest File Analyzer – Factors variables and data associated with files and their alerts to generate threat scores.
  • InQuest Session Header TDE – Provides threat scoring for TCP sessions by assessing scores of the other InQuest post-processors.
  • InQuest Threat Discovery Engine – Discovers threats embedded within sessions based on the weekly updated MetaDefender NDR proprietary signature pack.
  • InQuest Threat Score Engine – Generates and assigns a threat score from 0 to 10 to sessions using InQuest proprietary scoring algorithms that operate on top of all configured integrations.
  • InQuest URL Analyzer – Performs URL analysis for threat scoring.
  • InQuest RetroHunt Historic TDE – Rescans files stored during the past 2 weeks with the latest signatures. The time interval can be set in the Devices page.

Post-processors for the following integration features can be activated, but the configuration of each integration may be required:

  • MetaDefender NDR Automatic Updates – Enables MetaDefender NDR cloud connectivity for automatically retrieving and applying code, signature, and intelligence (C2) updates.
  • Cuckoo Sandbox – Sandbox that performs dynamic malware analysis.
  • Falcon Sandbox – Automated malware analysis system.
  • VMRay Analyzer – Malware sandbox for analysis and reputation.
  • FireEye AX – Hardware appliance that performs dynamic analysis of files.
  • InQuest Eyelet Reputation – Cloud-based reputation database.
  • InQuest MultiAV – Provides cloud-based hash analysis.
  • InQuest Threat Exchange – Enables communication with the MetaDefender NDR cloud reputation database to exchange information on file hashes.
  • Joe Sandbox – Sandbox for deep malware analysis.
  • OPSWAT MetaDefender Core – Hardware appliance that leverages multiple AV engines to scan files.
  • OPSWAT MetaDefender Sandbox – Emulation-based dynamic analysis platform.
  • VirusTotal – Online service used to look up AV reports for known-bad hashes.
  • ICAP – Protocol for submitting files to InQuest.

Note: MetaDefender NDR MultiAV and VirusTotal are mutually exclusive; only one of them can be activated. We recommend enabling InQuest MultiAV over VirusTotal.

Integration features can be activated or deactivated by clicking Administration > Devices. Software and hardware configuration is generally required for the integration features that are not activated by default. Toggling the activation status will either cause jobs to be created for an integration or prevent jobs from being created for an integration. To activate or deactivate post-processors for an integration feature, toggle the corresponding On or Off buttons.

Each of the integration features have options that can be supplied to the corresponding integration service. For instance, if the VirusTotal integration is enabled, a private API key supplied by VirusTotal has to be added so that MetaDefender NDR can use the service.

External integrations may either require cloud connectivity or run on-premises. For example, with VirusTotal only file hashes are submitted to the cloud, whereas with OPSWAT Metascan, if a hardware product is available in the customer environment, MetaDefender NDR connects to it and sends files.

Configuring Collector Properties

Collector properties (or options) pertain to each collector and are independent; they are managed under Administration > Devices. By default, MetaDefender NDR Cloud MultiAV has a pre-populated property value. Properties for each collector can be added, modified, or deleted in your deployment. To add new properties pertaining to a particular integration feature on a specific collector:

  1. Go to Administration > Devices, and click Show Configuration corresponding to an integration option for which you want to configure properties.

Note: To remove a property and its value that is no longer required, click Delete corresponding to that property and then click Save. To modify the value of a property, click Edit corresponding to that property, change the value, and then click Save.

For example, to configure the FireEye AX host:

  1. Click Show Configuration to open the Add Property menu.
  2. Select FireEye AX: URL for the FireEye AX API (e.g., https://10.10.10.10:443) and, under the Value column, specify the host IP as required.
  3. Click Save. A message appears stating the collector is saved with the configured properties successfully.

Collector Properties and Values

The following are the properties and default values available for the collector configuration on this page. Furthermore, there are several options that can be applied globally across collectors, such as proxies, banners, password complexity requirements and so on by clicking Administration > Globals.

Note: The global MIME exceptions always take precedence over the sandbox MIME inclusion lists. If a MIME type is both in the inclusion list for a sandbox and in the global exclusion list, that MIME type will not be submitted to the sandbox.

For further information on MIME exceptions, see the Performance Tuning Recommendations.


Note: In order for CEF messages to be generated, at least one user group other than the default Administrators group must be configured. The "Syslog" toggle on the edit user groups page prevents CEF messages from being generated for a policy, provided that this option is disabled for every group associated with that policy. This option is enabled by default. For further information on editing user groups, see the Users and User Group Management guide.
