McAfee Network Threat Response (NTR) 4.0
Configuring Automated Reporting and Alerting
Automated reporting was introduced in NTR 4.0 and is designed to send reports through an existing SMTP mail server. Optionally, XML reports can be generated and saved locally for processing by other systems. The following tasks describe how to configure the reporting templates that tell NTR how to generate reports and where to send them. If you do not wish to email reports, skip to Configure and Enable Reporting Templates.
Note: Completion of the following steps assumes basic familiarity with Linux Operating Systems and the ability to execute basic Unix command line operations.
Configure Email Server
Tasks:
1 Log on to the NTR Management Web Console with an administrative account.
2 To perform follow-on steps, click on the Admin Settings icon located at the top of the console.
3 Click Mail Settings from the Admin Settings tab.
4 Change the configuration to suit your environment:
Server Address: IP address or hostname of the outbound SMTP server
Domain: your local fully qualified domain name
BounceBack Address: return address to which delivery problems are reported
From Address: email address shown in the “from” field of the mail
5 Click “Save”.
Configure and Enable Reporting Templates
YAML (http://en.wikipedia.org/wiki/YAML) reporting “templates” are included as part of the core NTR installation; additional customer-driven templates are available for download from https://networkthreatresponse.com/reporting, and each template can be modified to suit customer data requirements. Automated reports can be generated in XML and HTML formats and sent to various recipients or ingested by other reporting and analysis systems. Once the templates are in place, the reports are activated and the SMTP server configured within the NTR Manager. It is recommended that the recipient email address be an email Distribution List (DL), which is easier to maintain than a list of individual addresses. Perform the following steps to enable automated report generation.
Note: For report templates to parse correctly, the YAML syntax and the existing data structures must be followed exactly. A link to an online YAML syntax tool is provided below; Internet access is assumed for that step.
Tasks:
1. Log on to the NTR Manager system (CentOS) with root privileges and browse to the following directory, where the shipped reporting templates are saved (new report templates should be saved here as well).
/opt/endeavor/amp/amp_ruby/report_templates/
2. Each report template file that you want to activate must be modified to include the proper recipient email addresses and the output format (XML or HTML). Optionally, the title and description can be updated, as well as the “trigger” that starts report generation. The report templates can be updated to reflect specific customer requirements as follows:
a. Summary: The report title and description can be modified by editing the Title: and Description: fields, as displayed below:
b. Event Triggers: Report creation can be triggered on a pre-determined schedule or in response to the detection of a new Event or Incident. In the example below the - Event: field is set to send reports on a schedule given in crontab format. Modify the existing - Schedule: field (the example below runs daily at midnight) with the schedule of your choice. For those unfamiliar with crontab, the following online calculator can help produce the correct format for your scheduling needs: http://www.csgnetwork.com/crongen.html.
Note: the existing hyphens (-) preceding the Event Trigger fields are required; they mark the fields as YAML list items.
To configure the reporting engine to create reports in response to an Incident, set the - Event: field to New Incident as displayed in the following example:
To configure the reporting engine to create reports in response to a new Event, set the - Event: field to Notification and set the - NotificationType field to the type of event you want to trigger on. NotificationType can be any of the following event types:
DAT (AntiVirus)
ART (File Reputation)
MIP (IP Reputation)
MHP (Host/URL Reputation)
SC (Shellcode)
XOR (Encoded File)
FM (File Mismatch)
CC (Command & Control)
The following example triggers only in response to GTI File Reputation (ART) events:
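Returning to the scheduled trigger: the crontab format used by the - Schedule: field can be checked offline instead of with an online generator. The script below is an added example written for this page, not NTR code; it assumes standard (Vixie) cron semantics for the five fields, which the documentation does not spell out, and that a Ruby interpreter is available on the NTR Manager (the amp_ruby path suggests one is, but this is an assumption).

```ruby
# Added example (not part of NTR or its documentation): an offline checker
# for the five-field crontab expressions used in the - Schedule: field, so a
# schedule can be verified before the reporting engine is restarted.
# Fields: minute hour day-of-month month day-of-week; each field accepts
# "*", "n", "a-b", "a,b,c", "*/s" and "a-b/s"; Sunday is 0 (7 also accepted).
# Assumption: NTR honours standard (Vixie) cron semantics for these fields.

FIELD_RANGES = [0..59, 0..23, 1..31, 1..12, 0..7].freeze

# Expand one field ("*/15", "8-17", "1,3,5") into the sorted values it covers.
def expand_field(field, range)
  field.split(",").flat_map do |part|
    base, step = part.split("/", 2)
    step = step ? Integer(step, 10) : 1
    lo, hi =
      if base == "*"
        [range.first, range.last]
      elsif base.include?("-")
        base.split("-", 2).map { |v| Integer(v, 10) }
      else
        raise ArgumentError, "a step needs a range or '*': #{part}" if step > 1
        v = Integer(base, 10)
        [v, v]
      end
    unless range.cover?(lo) && range.cover?(hi) && lo <= hi && step >= 1
      raise ArgumentError, "#{part} is outside #{range}"
    end
    (lo..hi).step(step).to_a
  end.uniq.sort
end

# Parse "m h dom mon dow" into five arrays of allowed values.
def parse_cron(expr)
  fields = expr.strip.split(/\s+/)
  raise ArgumentError, "expected 5 fields, got #{fields.size}: #{expr.inspect}" unless fields.size == 5
  fields.zip(FIELD_RANGES).map { |f, r| expand_field(f, r) }
end

# True if the schedule would fire at the given Time (seconds are ignored).
def cron_matches?(expr, time)
  raw = expr.strip.split(/\s+/)
  min, hour, dom, mon, dow = parse_cron(expr)
  dom_ok  = dom.include?(time.day)
  wday_ok = dow.include?(time.wday) || (time.wday == 0 && dow.include?(7))
  # Vixie cron rule: when both day fields are restricted, either one matching is enough.
  day_ok = (raw[2] != "*" && raw[4] != "*") ? (dom_ok || wday_ok) : (dom_ok && wday_ok)
  min.include?(time.min) && hour.include?(time.hour) && mon.include?(time.month) && day_ok
end

if __FILE__ == $0
  # "0 0 * * *" is the daily-at-midnight schedule from the documentation.
  puts cron_matches?("0 0 * * *", Time.new(2013, 8, 5, 0, 0, 0))    # true
  puts cron_matches?("0 0 * * *", Time.new(2013, 8, 5, 11, 5, 47))  # false
end
```

Run it with a candidate expression and a few representative times before editing the template; a rejected expression raises ArgumentError with the offending field, which is easier to act on than a silent parsing error after Restart Reporting.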
c. Output: To specify the report format, set the Format: field to “HTML” or “XML”. If you configured an SMTP server in the prior steps and want the report sent via email, delete the ‘#’ preceding the Destination: field and ensure a valid email address or DL for your environment is configured.
Alternatively, if you choose to have reports saved locally or to a network drive instead of emailed, the Output: section can contain fields specifying the destination folder (Directory:). By default, the file name matches the name of the yml report template file, but the FileNameOptions: field can be used to create unique file names with the following switches:
:date – insert the current date into the file name.
:time – insert the current time into the file name.
:id_event_type – depending on the report trigger, insert the name of the id type (“notification_id” or “incident_id”) into the file name.
:event_id – depending on the report trigger, insert the unique ID of the Event or Incident into the file name.
In the following example, a file will be created in the local /tmp directory with a name consisting of the yml file name, current date and time, type and
A report template named “ESM-Group-local-filesave” would result in a report output file name of:
“ESM-Group-local-filesave_2013-08-05T11:05:47+0200_incident_id_1239.xml”
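The following script reproduces that file name from the switches, so a Directory: configuration can be checked before the reporting engine is restarted. It is an added example for this page, not NTR's own naming code, and it assumes details the page does not state: the parts are joined with “_” in the order template, date/time, id type, id; :date and :time together form one ISO 8601 stamp with the local UTC offset, as in the example above; the extension is the lower-cased Format:; and a scheduled report, which has no Event or Incident, gets nothing from the two id switches.

```ruby
# Added example (not NTR code): predicts the output file name produced by the
# FileNameOptions: switches. Assumptions not stated in the documentation:
# parts are joined with "_" in the order template, date/time, id type, id;
# :date plus :time gives one ISO 8601 stamp "YYYY-MM-DDTHH:MM:SS+ZZZZ";
# the extension is the lower-cased Format:; scheduled reports have no id.

SWITCHES = %w[date time id_event_type event_id].freeze

# template: yml file name (with or without .yml); format: "XML" or "HTML";
# options: FileNameOptions switches, with or without the leading ":";
# trigger: {kind: :incident | :notification | :schedule, id: Integer or nil}.
def report_filename(template, format, options, time, trigger)
  opts = options.map { |o| o.to_s.delete_prefix(":") }
  bad = opts - SWITCHES
  raise ArgumentError, "unknown FileNameOptions switch(es): #{bad.join(', ')}" unless bad.empty?
  raise ArgumentError, "Format must be XML or HTML, got #{format.inspect}" unless %w[XML HTML].include?(format)

  parts = [File.basename(template, ".yml")]  # never let a directory component into the name
  if opts.include?("date") && opts.include?("time")
    parts << time.strftime("%Y-%m-%dT%H:%M:%S%z")
  elsif opts.include?("date")
    parts << time.strftime("%Y-%m-%d")
  elsif opts.include?("time")
    parts << time.strftime("%H:%M:%S%z")
  end

  id_type = { incident: "incident_id", notification: "notification_id" }[trigger[:kind]]
  if id_type && trigger[:id]
    parts << id_type if opts.include?("id_event_type")
    parts << trigger[:id].to_s if opts.include?("event_id")
  end
  "#{parts.join('_')}.#{format.downcase}"
end

# Full path under the configured Directory:, refusing any name that would
# resolve outside it (symlinks inside the directory are not checked here).
def report_path(directory, filename)
  base = File.expand_path(directory)
  path = File.expand_path(filename, base)
  raise ArgumentError, "#{filename.inspect} escapes #{base}" unless path.start_with?(base + "/")
  path
end

if __FILE__ == $0
  t = Time.new(2013, 8, 5, 11, 5, 47, "+02:00")
  name = report_filename("ESM-Group-local-filesave", "XML",
                         %w[date time id_event_type event_id], t,
                         { kind: :incident, id: 1239 })
  puts report_path("/tmp", name)
  # /tmp/ESM-Group-local-filesave_2013-08-05T11:05:47+0200_incident_id_1239.xml
end
```

Note that the generated name contains “:” characters from the time stamp; that is fine on the CentOS host, but a Windows share used as the network destination will reject it, so drop :time or post-process the name if reports are written to such a share.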
d. Sections: Basic report formatting and data querying are handled with the Header, Title and Query fields. A single reporting template can include multiple SQL queries, each of which is displayed as a simple table of records (HTML) or in XML representation. The Header field supports a configurable header for the entire data section, just below the overall report Title and Description. The Title and Query fields are specific to each data query, allowing execution of an underlying database (MySQL) query and a configurable data label displayed above each table. The following configuration would result in execution of two database queries, with the associated labels created in the output report.
This would result in HTML report formatting similar to this:
It is beyond the scope of this document to cover MySQL database queries or the underlying NTR database schema. It is expected that reporting template creators have experience with writing MySQL queries and can interpret the NTR database schema. Because the Query fields are executed as-is against the NTR database, anyone who can write to the template directory can run arbitrary queries through the reporting engine; keep the directory writable by root only and review new or changed templates before restarting reporting.
3. Validate your syntax and save any changes. The following online YAML syntax tool can be used to validate and tidy the formatting of a report template:
http://yamllint.com/. Keep in mind that templates contain internal email addresses, host names and database queries; where that is a concern, validate them locally on the NTR Manager rather than pasting them into a third-party website.
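One way to do that local check, as an added example for this page rather than an NTR tool: the script below parses every .yml template in the directory with Ruby's standard YAML library and reports the mistakes the documentation warns about (bad syntax, a Format: other than HTML or XML, no Destination: or Directory:, a malformed Destination: address, a Schedule: that is not five fields, a Notification trigger without a valid NotificationType:, an empty Query:). The field names are the ones described above; the sample template embedded in the script is constructed for this example, and its nesting (the Triggers: and Queries: keys) is an assumption, so match the layout of the templates shipped with your installation. The checker itself searches for the fields at any depth, so it does not depend on that nesting.

```ruby
require "yaml"

ALLOWED_FORMATS = %w[HTML XML].freeze
NOTIFICATION_TYPES = %w[DAT ART MIP MHP SC XOR FM CC].freeze  # types listed in the documentation

# Constructed sample template for this example. Field names follow the
# documentation; the nesting (Triggers:, Queries:) is an assumption, so
# match the layout of the templates shipped in
# /opt/endeavor/amp/amp_ruby/report_templates/ instead.
SAMPLE_TEMPLATE = <<~YAML
  Title: GTI file reputation notifications
  Description: One report per file reputation (ART) event
  Triggers:
    - Event: Notification
      NotificationType: ART
  Output:
    Format: XML
    Destination: ntr-reports@example.com
  Sections:
    Header: Event details
    Queries:
      - Title: Server time at report generation
        Query: SELECT NOW() AS generated_at
YAML

# Yield every mapping in the parsed document, at any depth.
def each_hash(obj, &blk)
  case obj
  when Hash
    blk.call(obj)
    obj.each_value { |v| each_hash(v, &blk) }
  when Array
    obj.each { |v| each_hash(v, &blk) }
  end
end

# All values of a given key, wherever it appears in the template.
def values_of(doc, key)
  out = []
  each_hash(doc) { |h| out << h[key] if h.key?(key) }
  out
end

# Returns a list of problems; an empty list means the template passed.
def validate_template(text)
  begin
    doc = YAML.safe_load(text)
  rescue Psych::SyntaxError => e
    return ["YAML syntax: #{e.message}"]
  end
  return ["top level must be a mapping (Title:, Description:, ...)"] unless doc.is_a?(Hash)

  errors = []
  errors << "missing top-level Title:" unless doc.key?("Title")

  formats = values_of(doc, "Format")
  errors << "missing Format:" if formats.empty?
  formats.each do |f|
    errors << "Format: must be HTML or XML, got #{f.inspect}" unless ALLOWED_FORMATS.include?(f)
  end

  destinations = values_of(doc, "Destination")
  if destinations.empty? && values_of(doc, "Directory").empty?
    errors << "no Destination: (email) or Directory: set; the report has nowhere to go"
  end
  destinations.each do |d|
    errors << "Destination: #{d.inspect} is not an email address" unless d.to_s.match?(/\A[^@\s]+@[^@\s]+\.[^@\s]+\z/)
  end

  values_of(doc, "Schedule").each do |s|
    errors << "Schedule: #{s.inspect} is not a five-field crontab expression" unless s.to_s.split.size == 5
  end

  each_hash(doc) do |h|
    next unless h["Event"] == "Notification"
    t = h["NotificationType"]
    errors << "Event: Notification needs NotificationType: one of #{NOTIFICATION_TYPES.join(', ')}, got #{t.inspect}" unless NOTIFICATION_TYPES.include?(t)
  end

  values_of(doc, "Query").each do |q|
    errors << "Query: must be a non-empty SQL string" unless q.is_a?(String) && !q.strip.empty?
  end
  errors
end

# Validate every .yml template in a directory; returns {path => errors}.
def validate_dir(dir)
  Dir.glob(File.join(dir, "*.yml")).sort.to_h { |p| [p, validate_template(File.read(p))] }
end

if __FILE__ == $0
  dir = ARGV.first || "/opt/endeavor/amp/amp_ruby/report_templates"
  validate_dir(dir).each { |path, errs| puts "#{path}: #{errs.empty? ? 'OK' : errs.join('; ')}" }
end
```

Run it as root on the NTR Manager (ruby check_templates.rb, optionally with another directory as the argument) before clicking Restart Reporting; a template that passes here can still fail in NTR if its structure differs from the shipped templates, so the engine's own error message in the Reports table remains the final check.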
4. Log on to the NTR Management Web Console with an administrative account and click the Admin Settings icon at the top to enable the Administration tab.
5. Select the Reports section and click Restart Reporting to load the new configuration templates (Note: perform this step whenever the underlying reporting templates or mailer configuration files are modified). If parsing errors were encountered while processing the report templates, an error message is displayed in the Description field of the Reports table, as depicted below (additional logging information can be found within