Malicious submissions detected in the last 24 hours-fireeye-wMPS

Vendor: fireeye

OS: wMPS

Description:
Indeni checks if the total number of malicious submissions in the last 24 hours is more than 0

Remediation Steps:
Malicious submissions were detected in the last 24 hours. Users are advised to investigate the details further for any potential security incidents.

How does this work?
Indeni uses the FireEye NX "show workorders stats" CLI command to retrieve the workorders information.

Why is this important?
The workorders statistics show the workorders queued for analysis, the workorders currently in process, and cumulative submission statistics. It is critical to identify any submission flagged with an anomaly: if the total number of such submissions is greater than 0, this can indicate a possible security incident.

Without Indeni how would you find this?
An administrator could log in and manually run the command via the CLI to check the workorders statistics.

fireeye-nx-show-workorders-stats

name: fireeye-nx-show-workorders-stats
description: Show workorders statistics information
type: monitoring
monitoring_interval: 5 minute
requires:
    vendor: fireeye
    os.name: wMPS
    privileged-mode: 'true'
comments:
    fireeye-nx-workorders-submissions-with-anomaly:
        why: |
            Workorders statistics displays information about workorders that are in the queue waiting to be analyzed, in process and cumulative submission statistics.
            It is critical to identify any submission with anomaly. If total number of submissions with anomaly is greater than 0, it can indicate possible security incidents.
        how: |
            Indeni uses the FireEye NX "show workorders stats" cli command to retrieve the workorders information.
        without-indeni: |
            An administrator could login and manually run the command via CLI to check the workorders statistics.
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: SSH
        command: show workorders stats
    parse:
        type: AWK
        file: show-workorders-stats.parser.1.awk
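As an added illustration (not Indeni's code and not the contents of show-workorders-stats.parser.1.awk), the shell script below mimics the pipeline the script and rule describe: take the output of the command, extract the anomaly count with AWK as the fireeye-nx-workorders-submissions-with-anomaly metric, and apply the rule's threshold (1.0, direction ABOVE). The sample output and its field labels are constructed for this example and are an assumption, not the documented layout of the real FireEye NX command output.

```shell
#!/bin/sh
# Constructed sample of "show workorders stats" output. The field labels are an
# assumption made for this example, not the documented FireEye NX output format.
SAMPLE_STATS='Workorders in queue:        3
Workorders in process:      1
Total submissions (24h):    1842
Submissions with anomaly:   2'

METRIC_NAME='fireeye-nx-workorders-submissions-with-anomaly'
THRESHOLD=1   # the page's rule: threshold 1.0, direction ABOVE

# Stand-in for the AWK parser step: print the anomaly count as the metric value.
# Exits non-zero when the expected line is missing, so a changed output format is noticed.
parse_anomaly_count() {
  printf '%s\n' "$1" | awk -F':' '
    /^Submissions with anomaly:/ { gsub(/[[:space:]]/, "", $2); print $2 + 0; found = 1 }
    END { if (!found) exit 1 }'
}

# Stand-in for the threshold rule: for an integer count, "at or above 1"
# is the same as the rule description's "more than 0".
# Prints the alert text and returns 0 when the rule fires, 1 when it stays quiet.
evaluate_rule() {
  count="$1"
  if [ "$count" -ge "$THRESHOLD" ]; then
    printf 'WARN: The total number of malicious submissions detected by FireEye NX in the last 24 hours has reached %s.\n' "$count"
    return 0
  fi
  return 1
}

# Run the two steps over the constructed sample.
if count=$(parse_anomaly_count "$SAMPLE_STATS"); then
  evaluate_rule "$count" || echo "No malicious submissions in the last 24 hours ($METRIC_NAME=$count)."
else
  echo "Could not parse $METRIC_NAME from the command output" >&2
fi
```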

FireEyeNXWOMalwareDetectedRule

// Deprecation warning : Scala template-based rules are deprecated. Please use YAML format rules instead.

package templatebased.fireeye.nx

import com.indeni.server.rules.library.templates.NumericThresholdOnDoubleMetricTemplateRule
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity
import com.indeni.server.rules.ThresholdDirection

/**
  * Template-based rule that raises a WARN alert when the metric
  * "fireeye-nx-workorders-submissions-with-anomaly" (published by the
  * fireeye-nx-show-workorders-stats script) crosses the 1.0 threshold in the
  * ABOVE direction, i.e. when at least one malicious submission was detected
  * in the last 24 hours.
  */
case class FireEyeNXWOMalwareDetectedRule() extends NumericThresholdOnDoubleMetricTemplateRule(
  ruleName = "FireEyeNXWOMalwareDetectedRule",
  ruleFriendlyName = "FireEye NX Devices: Malicious submissions detected in the last 24 hours",
  ruleDescription = "Indeni checks if the total number of malicious submissions in the last 24 hours is more than 0",
  severity = AlertSeverity.WARN,
  metricName = "fireeye-nx-workorders-submissions-with-anomaly",
  threshold = 1.0,
  thresholdDirection = ThresholdDirection.ABOVE,
  alertDescriptionFormat = "The total number of malicious submissions detected by FireEye NX in the last 24 hours has reached %.0f.",
  baseRemediationText = """Malicious submissions detected in the last 24 hours. Users are advised to further investigate into the details for any potential security incidents.""")()