McAfee ATD

Overview

The Security Flow ATD Plugin automates McAfee ATD sandbox functionality.

Functionality

The ATD Plugin provides the functionality to help determine if an uploaded file is malware.

Instance Configuration Parameters

Instance Name
    Name for the ATD instance.

Unique Id
    Unique name for the ATD instance.

Server
    IP or hostname where ATD is running.

Server Port
    Port number that ATD listens on; typically 443.

ATD User Name
    Valid user name for the ATD server.

ATD Password
    Valid password for the user name on the ATD server.

ATD Password Confirmation
    Confirm the password for the user name on the ATD server.

Flow Nodes

NL-ATD-Analyze-File

Communication node which controls the Nevelex Labs OpenDXL ATD Plugin Instance(s) for analyzing files for malware.

Name
    The display name of the node within the flows.

Unique Id
    Unique ID name for the specific ATD Plugin Instance.

Analyzer Profile
    Analyzer profile ID number. The profile ID number can be found in the ATD UI Policy/Analyzer Profile page.

Filename
    This field defines the location from the message, flow, global, or JavaScript expression to use as the data source for the filename. Additionally, the node context can also be changed. The following contexts are supported:

      • msg: This selects part of the incoming message as the source of the data. This is the typical choice.
      • flow: This selects part of the flow context’s saved data as the source. This information is shared only with the nodes on a given tab.
      • global: This selects part of the global context’s saved data as the source. This information is shared by all nodes regardless of tab.
      • J: expression: JSONata expression language to perform query and transform operations on the payload.

File Size
    This field defines the location from the message, flow, global, or JavaScript expression to use as the data source for the file’s size in bytes. Additionally, the node context can also be changed. The following contexts are supported:

      • msg: This selects part of the incoming message as the source of the data. This is the typical choice.
      • flow: This selects part of the flow context’s saved data as the source. This information is shared only with the nodes on a given tab.
      • global: This selects part of the global context’s saved data as the source. This information is shared by all nodes regardless of tab.
      • J: expression: JSONata expression language to perform query and transform operations on the payload.

File Globs / Min. Size / Max. Size
    ATD has a set of limits on file sizes based on type. These limits are defined within the node. By default, the list is seeded with the default ATD configuration. The applied file size check rule is determined by finding the first filename match, based on glob matching, by traversing the list from top to bottom. If no file size configuration is supplied or no glob matches, the file to be analyzed is passed on to ATD without checking the file size. If the file size is outside the bounds, the file is not sent to ATD, the message is filtered out, and an audit message is added to the Incident.
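The first-match glob size check described above, as an added example that is not the plugin's own code. The rule list, the file names and the audit text are constructed for illustration; the plugin's seeded ATD defaults are not reproduced here.

```javascript
// Added example, not the Security Flow plugin's code: first-match glob size
// check as documented for File Globs / Min. Size / Max. Size.
// Rules, sizes and file names below are constructed sample values.

// Convert a filename glob (supports * and ?) to an anchored RegExp.
function globToRegExp(glob) {
  const escaped = glob
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$");
}

// Return the first rule (top to bottom) whose glob matches the filename, or null.
function findSizeRule(rules, filename) {
  for (const rule of rules) {
    if (globToRegExp(rule.glob).test(filename)) return rule;
  }
  return null;
}

// Decide whether a file is sent to ATD. No matching rule: send without a size
// check. Size outside [minSize, maxSize]: filter the message and return an
// audit entry for the Incident timeline.
function checkFileSize(rules, filename, sizeBytes) {
  const rule = findSizeRule(rules, filename);
  if (rule === null) return { send: true, audit: null };
  if (sizeBytes < rule.minSize || sizeBytes > rule.maxSize) {
    return {
      send: false,
      audit: `File ${filename} (${sizeBytes} bytes) is outside the ${rule.glob} ` +
             `limits ${rule.minSize}-${rule.maxSize} bytes; not submitted to ATD`,
    };
  }
  return { send: true, audit: null };
}

// Constructed rule list; order matters because the first match wins.
const SAMPLE_RULES = [
  { glob: "*.exe", minSize: 1, maxSize: 120 * 1024 * 1024 },
  { glob: "*.pdf", minSize: 1, maxSize: 20 * 1024 * 1024 },
  { glob: "*.zip", minSize: 1, maxSize: 50 * 1024 * 1024 },
];

console.log(checkFileSize(SAMPLE_RULES, "clean_pdf.pdf", 144779)); // send: true
```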

NL ATD Wait For Analysis

Node that waits for a file analysis to complete. The NL-ATD-Analyze-File node must be used prior to this node.

Name
    The display name of the node within the flows.

Unique Id
    Unique ID name for the specific ATD Plugin Instance.

Distrust Level
    This setting is used as the IoC file hashes’ distrust level. An ATD score of 2 (Low), 3 (Medium), 4 (High), or 5 (Very High) is considered distrusted.

Trust Level
    This setting is used as the file hashes’ trust level. An ATD score of -1 (Clean) is considered trusted.

This node has been deprecated, but remains usable in existing flows. Use the NL-Message-Analysis node instead.

Helper node used to classify an Indicator of Compromise (IoC) from an ATD report as trusted or malicious based on the response's overall score. The field is found within the response at msg.payload.atd.[uniqueId].response.results.score. This node takes as input the successful response from the NL ATD Wait For Analysis node.

Report analysis nodes have five (5) outputs.

  1. Malicious: The Malicious Score matched the Indicator of Compromise's score.
  2. Trusted: The Trusted Score matched the Indicator of Compromise's score.
  3. No Match: The rules did not match the IoC as either trusted or malicious.
  4. Report Missing: The incoming message did not include a report for ATD, or the score is "Analysis not complete".
  5. Report Error: A report exists with an error message of some type.

Name
    The display name of the node within the flows.

Unique Id
    Unique ID name for the specific ATD Plugin Instance.

Malicious Score
    Any score matching the defined Malicious Score level is considered a malicious IoC. Multiple Malicious Score values may be selected to be treated as malicious. If no values are selected, no match will be made. Malicious score checks are done against the set of the selected values.

      • Unverified
      • Informational
      • Low
      • Medium
      • High
      • Very High

Trusted Score
    Any score matching the defined Trusted Score level is considered a trusted IoC. This field can be set to Never to never consider an IoC trusted. Multiple Trusted Score values may be selected to be treated as trusted. If no values are selected, no match will be made. Trusted score checks are done against the set of the selected values.

      • Clean
      • Unverified
      • Informational
      • Low

Audit Missing Report
    If there is no ATD report in the incoming message, record the fact that it is missing in the Incident’s timeline.
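The five-way routing of the report analysis node, as an added example that is not the plugin's own code. It reads the score from the documented path msg.payload.atd[uniqueId].response.results.score. The numeric values for Clean and Low through Very High come from this page; 0 = Unverified and 1 = Informational, the error shape (success:false with results.reason, as in the Login Error sample), and Malicious taking precedence over Trusted are assumptions.

```javascript
// Added example, not the Security Flow plugin's code: route an ATD report to
// one of the five report analysis outputs. Score names for -1 and 2..5 come
// from the page; 0 = Unverified and 1 = Informational are assumed.
const SCORE_NAMES = {
  "-1": "Clean", "0": "Unverified", "1": "Informational",
  "2": "Low", "3": "Medium", "4": "High", "5": "Very High",
};
const OUTPUTS = ["Malicious", "Trusted", "No Match", "Report Missing", "Report Error"];

// config.malicious and config.trusted hold the selected level names (may be empty).
// Returns the zero-based output index plus a reason usable as an audit entry.
function classifyReport(msg, uniqueId, config) {
  const entry = msg && msg.payload && msg.payload.atd && msg.payload.atd[uniqueId];
  const response = entry && entry.response;
  if (!response) return { output: 3, reason: "no ATD report in message" };

  // Assumed error shape: success:false with results.reason (see Login Error sample).
  if (response.success === false) {
    const text = (response.results && response.results.reason) || "unknown ATD error";
    return { output: 4, reason: text };
  }
  const score = response.results ? response.results.score : undefined;
  if (score === undefined || score === null || score === "Analysis not complete") {
    return { output: 3, reason: "analysis not complete" };
  }
  const name = SCORE_NAMES[String(score)];
  if (name === undefined) return { output: 2, reason: `unknown score ${score}` };
  // Malicious is checked before Trusted (assumed precedence; the sets can overlap).
  if (config.malicious.includes(name)) {
    return { output: 0, reason: `score ${score} (${name}) is a selected Malicious Score` };
  }
  if (config.trusted.includes(name)) {
    return { output: 1, reason: `score ${score} (${name}) is a selected Trusted Score` };
  }
  return { output: 2, reason: `score ${score} (${name}) matched neither set` };
}

// Constructed sample: node settings plus a completed report scored 4 (High).
const SAMPLE_CONFIG = { malicious: ["Medium", "High", "Very High"], trusted: ["Clean"] };
const SAMPLE_MSG = { payload: { atd: { "atd-1": {
  response: { reportText: "...", results: { status: 5, score: 4 } },
} } } };
console.log(OUTPUTS[classifyReport(SAMPLE_MSG, "atd-1", SAMPLE_CONFIG).output]); // Malicious
```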

Learn More

JSON Message Format

The following samples show the JSON content added to the message payload, which conform to Node Messaging Format. The content exists within the atd object.

Login Success

The following JSON is inserted into the message payload upon a successful request. The id is the uniqueId of the ATD.

"payload": {
    "atd": {
        "uniqueId": id,
        "response": {
            "topic": "/nevelexlabs/service/atd/{uniqueId}/restapi",
            "success": true,
            "results": {
                "session": "bodnnhhui5d0e9gv4mj376op25",
                "userId": "1",
                "isAdmin": "1",
                "serverTZ": "PDT",
                "apiVersion": "1.5.0",
                "isCurrentAPI": true,
                "matdVersion": "4.x.x.x.x"
            }
        }
    }
}

Login Error

The following JSON is inserted into the message payload upon a failed request.

"payload": {
    "atd": {
        "uniqueId": id,
        "response": {
            "success": false,
            "results": {
                "apiVersion": "1.5.0",
                "matdVersion": "4.x.x.x.x",
                "isCurrentAPI": false,
                "reason": "Client API version(0.7.6) is too old, Please upgrade to 1.5.0"
            }
        }
    }
}

Submit File Success

The following JSON is inserted into the message payload upon a successful request. The example uses the file "clean_pdf.pdf", and id is the uniqueId of the ATD:

"payload": {
    "atd": {
        "uniqueId": id,
        "response": {
            "success": true,
            "subId": 72057594037928306,
            "mimeType": " application/pdf",
            "fileId": "",
            "filesWait": 0,
            "estimatedTime": 0,
            "results": [
                {
                    "taskId": 754,
                    "messageId": "",
                    "file": "clean_pdf.pdf",
                    "submitType": "0",
                    "url": "",
                    "destIp": null,
                    "srcIp": "",
                    "md5": "F0F9F5762565782F62FED035584537D0",
                    "sha1": "7F53D6A3DC01D30567049B11B264E1B551F7D0B7",
                    "sha256": "BD3C5441961707875CE5BE7A1497D44EC5C63250B4FD7577085B134571CE0AF7",
                    "size": " 144779",
                    "cache": 0
                }
            ]
        }
    }
}

Submit URL Success

The following JSON is inserted into the message payload upon a successful request. The example uses the URL "http://news.google.co.in", and id is the uniqueId of the ATD.

"payload": {
    "atd": {
        "uniqueId": id,
        "response": {
            "success": true,
            "subId": 17,
            "mimeType": "text\/plain",
            "filesWait": 1,
            "estimatedTime": 0,
            "results": [
                {
                    "taskId": 23,
                    "messageId": "",
                    "file": "URL1419314922.url",
                    "submitType": 1,
                    "url": "http: \/\/news.google.co.in\/",
                    "destIp": null,
                    "srcIp": null,
                    "md5": "839f551f97e669dddb348bddb907d32c",
                    "sha1": "D9C1CB1FCD53530212317800CC1B935657042CDF",
                    "sha256": "9A33B63558EE78AFA9A4DFD063B6B118ADFC455E20C2752B7F7977F88C2361CD",
                    "size": 25
                }
            ]
        }
    }
}

Report Success

The following JSON is inserted into the message payload upon a successful request. The id is the ATD uniqueId.

"payload": {
    "atd": {
        "uniqueId": id,
        "response": {
            "reportText": "...",
            "results": {
                "status": {number},
                "score": {number}
            }
        }
    }
}


©Nevelex Labs, LLC. 2018-2021, All Rights Reserved.
