This guide will provide insight on how to analyze the Analysis Reports from Cloud Threat Detection (CTD), and how to drill down into the files submitted to extract forensic data.
Cloud Threat Detection Workspace
Within your ePO Cloud UI, navigate to the Cloud Threat Detection Workspace. Here you will see the aggregation of all files submitted through products integrated with CTD; in this case, McAfee Network Security Platform (NSP) and McAfee Web Gateway (MWG) are offloading files to CTD for further analysis. You will notice that files are convicted with one of four severity levels:
High Risk (High Risk Severity)
Suspicious (Moderate Risk Severity)
Monitored (Low Severity)
Low Risk (Low Risk Severity)
We can drill down on past events that have happened over All Time. This will present all historic analyses that have been submitted to CTD.
By clicking a severity level tab on the Severity Ribbon at the top, you can filter the view to the specific severity level of events you want visualized.
Extracting Threat Details
Below is a short animation showing the Threat Details view, which provides forensic data such as the MD5 and SHA-1 hashes of the file. The malware name of the file, along with the malware family it is classified under, is provided as well.
By clicking the Reputation field, you can export the IOCs in STIX format. As seen below, the export is written as an .xml file.
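To make use of that export outside the console, for example to feed the hashes into a SIEM watchlist or a blocklist, you need to pull the file hashes out of the XML. The following is an added Python example, not McAfee code and not part of the original guide. It assumes the export is a STIX 1.x package using the standard STIX/CybOX 2 namespaces below (the guide only states the format is XML), and it parses a constructed sample package embedded inline. The second indicator in the sample deliberately carries a truncated SHA-1 so the example shows how malformed values are flagged rather than silently copied into a blocklist.

```python
import xml.etree.ElementTree as ET

# STIX 1.x / CybOX 2 namespaces. Assumption: the CTD export uses these standard
# namespaces; adjust the prefixes if your export differs.
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
}

# Expected hex digest length per algorithm; anything else is treated as malformed.
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64}

# Constructed sample package (not a real export). The first indicator is well formed;
# the second has a SHA-1 value that is one character short.
SAMPLE_STIX = """
<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    id="example:Package-1" version="1.2">
  <stix:Indicators>
    <indicator:Indicator id="example:indicator-1" xsi:type="indicator:IndicatorType">
      <indicator:Title>Constructed sample A</indicator:Title>
      <indicator:Observable id="example:observable-1">
        <cybox:Object id="example:object-1">
          <cybox:Properties xsi:type="FileObj:FileObjectType">
            <FileObj:File_Name>invoice.exe</FileObj:File_Name>
            <FileObj:Hashes>
              <cyboxCommon:Hash><cyboxCommon:Type>MD5</cyboxCommon:Type>
                <cyboxCommon:Simple_Hash_Value>d41d8cd98f00b204e9800998ecf8427e</cyboxCommon:Simple_Hash_Value></cyboxCommon:Hash>
              <cyboxCommon:Hash><cyboxCommon:Type>SHA1</cyboxCommon:Type>
                <cyboxCommon:Simple_Hash_Value>da39a3ee5e6b4b0d3255bfef95601890afd80709</cyboxCommon:Simple_Hash_Value></cyboxCommon:Hash>
            </FileObj:Hashes>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </indicator:Indicator>
    <indicator:Indicator id="example:indicator-2" xsi:type="indicator:IndicatorType">
      <indicator:Title>Constructed sample B</indicator:Title>
      <indicator:Observable id="example:observable-2">
        <cybox:Object id="example:object-2">
          <cybox:Properties xsi:type="FileObj:FileObjectType">
            <FileObj:File_Name>update.dll</FileObj:File_Name>
            <FileObj:Hashes>
              <cyboxCommon:Hash><cyboxCommon:Type>MD5</cyboxCommon:Type>
                <cyboxCommon:Simple_Hash_Value>0123456789abcdef0123456789abcdef</cyboxCommon:Simple_Hash_Value></cyboxCommon:Hash>
              <cyboxCommon:Hash><cyboxCommon:Type>SHA1</cyboxCommon:Type>
                <cyboxCommon:Simple_Hash_Value>da39a3ee5e6b4b0d3255bfef95601890afd8070</cyboxCommon:Simple_Hash_Value></cyboxCommon:Hash>
            </FileObj:Hashes>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </indicator:Indicator>
  </stix:Indicators>
</stix:STIX_Package>
"""


def is_well_formed_hash(htype, value):
    """True when value is a lowercase hex digest of the length expected for htype."""
    expected = HEX_LEN.get(htype)
    if expected is None or len(value) != expected:
        return False
    return all(c in "0123456789abcdef" for c in value)


def extract_file_indicators(xml_text):
    """Walk every Indicator -> Object -> FileObjectType and collect its hashes.

    Returns a list of dicts with title, file_name, validated hashes and any
    malformed (type, value) pairs that were rejected.
    """
    # The console export is trusted here; XML from untrusted sources should be
    # parsed with defusedxml instead of the stdlib parser.
    root = ET.fromstring(xml_text.strip())
    results = []
    for ind in root.iterfind(".//indicator:Indicator", NS):
        title = (ind.findtext("indicator:Title", default="", namespaces=NS) or "").strip()
        for obj in ind.iterfind(".//cybox:Object", NS):
            props = obj.find("cybox:Properties", NS)
            if props is None:
                continue
            file_name = (props.findtext("FileObj:File_Name", default="", namespaces=NS) or "").strip()
            hashes, malformed = {}, []
            for h in props.iterfind("FileObj:Hashes/cyboxCommon:Hash", NS):
                htype = (h.findtext("cyboxCommon:Type", default="", namespaces=NS) or "").strip().upper()
                hval = (h.findtext("cyboxCommon:Simple_Hash_Value", default="", namespaces=NS) or "").strip().lower()
                if not htype or not hval:
                    continue
                if is_well_formed_hash(htype, hval):
                    hashes[htype] = hval
                else:
                    malformed.append((htype, hval))
            results.append({"title": title, "file_name": file_name, "hashes": hashes, "malformed": malformed})
    return results


def to_blocklist_rows(indicators):
    """Flatten validated hashes to (file_name, hash_type, hash) rows for a CSV watchlist."""
    return [(ind["file_name"], t, v) for ind in indicators for t, v in sorted(ind["hashes"].items())]


if __name__ == "__main__":
    found = extract_file_indicators(SAMPLE_STIX)
    for row in to_blocklist_rows(found):
        print(",".join(row))
    for ind in found:
        for htype, hval in ind["malformed"]:
            print(f"WARNING: skipped malformed {htype} for {ind['file_name']}: {hval}")
```

Run it against a real export by replacing `SAMPLE_STIX` with the file contents; the rows it prints are only the hashes that passed the length and hex checks, and every rejected value is reported so a truncated or mis-typed digest is caught before it lands in a detection rule.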
File Analysis Usage
Clicking the bell icon at the top right shows a dashboard of your daily file submission usage. If your daily file submissions begin to approach the daily cap, it is strongly advised to increase your daily submission allowance to avoid any performance degradation with the Cloud sandbox. Contact your McAfee Sales Representative to increase your allotted sample submissions per day.