Integration Configuration

There are numerous internal analysis components and external analysis appliances available as optional integrations to the Threat Discovery Engine. Having third-party integrations enabled provides a broader scope of detection and increases the alerting and threat factoring capabilities of the system. MetaDefender NDR leverages the analytic capabilities of third-party technologies through internal integration services that can be configured to interact with those technologies. Those services are designed to communicate with and consume the analysis results from those technologies to perform threat analysis of the content that is captured.

Refer to the Devices section of the Administrator Guide to view a list of the default active integrations and those which need to be configured before being activated.

Integration features can be activated or deactivated by clicking Administration > Devices and toggling between the On and Off buttons for each integration. Software and hardware configuration is generally required for the integration features not activated by default. Toggling the activation status will either cause jobs to be created for an integration or prevent jobs from being created for an integration.

Each of the integration features has options that can be supplied to the corresponding integration service. For instance, if the VirusTotal feature is turned on, a private API key supplied by VirusTotal has to be added so that MetaDefender NDR can use the service.

The following section provides instructions on how to configure MetaDefender NDR to communicate with the external OPSWAT integration.

Configuring MD Core

MetaDefender NDR can be configured to communicate with OPSWAT via MetaDefender Core REST API. When enabled, this integration feature allows MetaDefender NDR to submit files over HTTPS to the appliance. OPSWAT’s REST server provides AntiVirus output for each file. That information is combined with network and session data already collected by MetaDefender NDR and will be displayed in the AntiVirus page linked from any of the viewers.

  1. Determine the IP address or hostname of the OPSWAT appliance and the port on which the REST service is listening, which is 443 by default.
  2. Click View Collection Properties corresponding to the InQuest collector.
  3. Click Add Collector Property.
  4. Select the OPSWAT Metadefender Core Hosting: Host (ip, default=none) option as the property from the available drop-down menu.
  5. Type the IP address of the OPSWAT appliance as the Property Value.
  6. Add the port that OPSWAT’s REST server listens on (443 by default).
  7. Select the OPSWAT Metadefender Core Hosting : Port (port, default=443) option as the property from the available drop-down menu.
  8. Type the port number of the REST service as 443 to be the Property Value.
  9. To forward the integrated OPSWAT syslog messages from InQuest to a syslog server, select the OPSWAT Syslog Host(s) GMT Offset: (+/- integer, default=0) and OPSWAT InQuest Controls: Syslog Host(s) & Port(s) (ip:port[, ip:port]) options (one at a time) as the properties from the drop-down menu.
  10. Type their respective values and click Save Collection Properties.
  11. To complete the integration, go to Administration > Integrations and toggle the OPSWAT Metadefender Core integration to turn it On.

MetaDefender NDR will begin forwarding files to MD Core and storing the scan results the API returns for each forwarded file. If syslog is enabled, MetaDefender NDR sends a syslog message as each scan result is received from the METASCAN REST API.

Note: If syslog is configured for this integration, the messages will be sent in the following CEF format:

OPSWAT's archive handling feature adds significant lag to file processing and may need to be disabled. To disable archive handling in OPSWAT v3:

  • Navigate to Policies > Security Rules
  • Select a security rule to modify
  • Click on the Archive section of the modify rule pane
  • Uncheck the "Enable Archive Handling" option

To disable archive handling in OPSWAT v4:

  • Navigate to Policy > Workflow rules
  • Click on a workflow rule to open the modify rule pane
  • Scroll to the bottom of the modify rule pane and click on the archive section
  • Uncheck the "Enable Archive Handling" option

MetaDefender NDR

The OPSWAT Integration feature configures the collector(s) to submit files over HTTPS to the OPSWAT Metadefender REST server in the form of POST requests using “/metascan_rest/scanner?method=scan” as the URI. Aside from the file data, no additional information is submitted. MetaDefender NDR sends one request per file. The Metadefender REST server responds with XML data listing the Antivirus engine information and the corresponding alerts for the submitted file, if applicable. That information is then pushed to the MetaDefender NDR Manager, which stores the alert data, aggregates it with the associated TCP session/application data such as HTTP and SMTP headers, and makes it available in the UI as well as through syslog alerting.
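The exchange described above, as an added example in Python that is not part of the MetaDefender NDR product or this guide: one HTTPS POST per file to the documented URI on host:port, with the appliance certificate verified, and a parser for the per-engine results. The raw octet-stream request body, the host 10.0.0.5 and the XML element names (scan_result, engine, threat) are assumptions for illustration, not the real MD Core schema.

```python
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# Endpoint path documented for the MD Core integration; one POST per file.
SCAN_URI = "/metascan_rest/scanner?method=scan"

def scan_request(host, file_bytes, port=443):
    """Build the per-file POST the collector sends to the MD Core REST server.
    Assumed (not from the guide): the file goes as a raw octet-stream body."""
    url = f"https://{host}:{port}{SCAN_URI}"
    return urllib.request.Request(
        url, data=file_bytes, method="POST",
        headers={"Content-Type": "application/octet-stream"},
    )

def submit_file(host, file_bytes, port=443, timeout=30):
    """Send the request over HTTPS with certificate verification left on;
    a collector forwarding captured files should never skip that check."""
    ctx = ssl.create_default_context()
    req = scan_request(host, file_bytes, port)
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8")

def parse_scan_results(xml_text):
    """Return (engine, threat) pairs from the AV result XML. The element names
    are a constructed stand-in; take the real schema from OPSWAT's docs."""
    root = ET.fromstring(xml_text)
    results = []
    for engine in root.iter("engine"):
        name = engine.get("name", "unknown")
        threat = (engine.findtext("threat") or "").strip()
        results.append((name, threat))
    return results

def alerts(results):
    """Only the engines that reported a threat: what reaches the UI/syslog."""
    return [(name, threat) for name, threat in results if threat]

# Constructed sample response (not real MD Core output).
SAMPLE_XML = """<scan_result>
  <engine name="EngineA"><threat>EICAR-Test-File</threat></engine>
  <engine name="EngineB"><threat/></engine>
  <engine name="EngineC"><threat>EICAR-Test-File</threat></engine>
</scan_result>"""

if __name__ == "__main__":
    for name, threat in alerts(parse_scan_results(SAMPLE_XML)):
        print(f"{name}: {threat}")
```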

Configuring Sandbox Integrations

MetaDefender NDR supports several sandbox or "detonation" integrations for advanced dynamic analysis. Currently supported integrations are:

  • Cuckoo Sandbox
  • Falcon Sandbox
  • FireEye AX Series Appliances
  • Joe Sandbox
  • VMRay Analyzer

For full documentation on configuring these integrations, refer to the Devices section of the Administrator Guide.
