Alerting and tagging using a malware analysis platform for threat intelligence made actionable
First Claim
1. A computer-implemented method, comprising:
- receiving a plurality of samples for performing automated malware analysis to generate log files based on the automated malware analysis, wherein a log file for a sample comprises one or more lines based on results of the automated malware analysis for the sample;
- processing the log files to extract artifacts associated with the log files;
- receiving a configuration to enable an alert action based on a tag type for matching any of the plurality of samples, wherein the tag type is configured for the alert action for a tag based on a search criteria for one or more artifacts, and wherein the alert action is configured to match private samples and public samples;
- determining whether the tag matches any of the plurality of samples based on the search criteria for one or more artifacts; and
- performing an action based on whether the tag matches any of the plurality of samples, including to trigger the alert action based on a determination that the tag matches a sample detected on a first monitored enterprise network, wherein the sample detected on the first monitored enterprise network is a public sample and the first monitored enterprise network is associated with another subscriber's enterprise network.
Abstract
Techniques for alerting and tagging using a malware analysis platform for threat intelligence made actionable are disclosed. In some embodiments, a system, process, and/or computer program product for alerting and tagging using a malware analysis platform for threat intelligence made actionable includes receiving a plurality of samples for performing automated malware analysis to generate log files based on the automated malware analysis; processing the log files to extract artifacts associated with the log files; determining whether a tag matches any of the plurality of samples based on the artifacts; and performing an action based on whether the tag matches any of the plurality of samples.
28 Citations
20 Claims
1. A computer-implemented method, comprising the steps set out under First Claim above (independent claim). Dependent claims: 2 to 7.
8. A system, comprising:
- a processor configured to:
  - receive a plurality of samples for performing automated malware analysis to generate log files based on the automated malware analysis, wherein a log file for a sample comprises one or more lines based on results of the automated malware analysis for the sample;
  - process the log files to extract artifacts associated with the log files;
  - receive a configuration to enable an alert action based on a tag type for matching any of the plurality of samples, wherein the tag type is configured for the alert action for a tag based on a search criteria for one or more artifacts, and wherein the alert action is configured to match private samples and public samples;
  - determine whether the tag matches any of the plurality of samples based on the search criteria for one or more artifacts; and
  - perform an action based on whether the tag matches any of the plurality of samples, including to trigger the alert action based on a determination that the tag matches a sample detected on a first monitored enterprise network, wherein the sample detected on the first monitored enterprise network is a public sample and the first monitored enterprise network is associated with another subscriber's enterprise network; and
- a memory coupled to the processor and configured to provide the processor with instructions.
Dependent claims: 9 to 14.
15. A computer program product, the computer program product being embodied in a non-transitory tangible computer readable storage medium and comprising computer instructions for:
- receiving a plurality of samples for performing automated malware analysis to generate log files based on the automated malware analysis, wherein a log file for a sample comprises one or more lines based on results of the automated malware analysis for the sample;
- processing the log files to extract artifacts associated with the log files;
- receiving a configuration to enable an alert action based on a tag type for matching any of the plurality of samples, wherein the tag type is configured for the alert action for a tag based on a search criteria for one or more artifacts, and wherein the alert action is configured to match private samples and public samples;
- determining whether the tag matches any of the plurality of samples based on the search criteria for one or more artifacts; and
- performing an action based on whether the tag matches any of the plurality of samples, including to trigger the alert action based on a determination that the tag matches a sample detected on a first monitored enterprise network, wherein the sample detected on the first monitored enterprise network is a public sample and the first monitored enterprise network is associated with another subscriber's enterprise network.
Dependent claims: 16 to 20.
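The abstract and the independent claims describe one pipeline: sandbox log lines are reduced to artifacts, a tag is a set of search criteria over those artifacts, and an alert fires when a tag matches a sample, including a public sample submitted from another subscriber's network, while that other subscriber's private samples are never surfaced. The following Python is an added illustration of that logic and is not code from the patent or from any vendor's product; the log-line format, the artifact types (dns, registry, file), the tag rules, the subscriber names and the sample identifiers are all constructed assumptions.

```python
"""Tag matching and subscriber-scoped alerting over sandbox log lines.

Added example, not the patent's implementation. Log format, artifact types,
tags, subscriber names and sample IDs are all constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sandbox output for four samples (no real malware data).
# Assumed line format: "<artifact-type> <field>=<value>".
SAMPLES = [
    {"id": "s1", "owner": "acme", "public": True,
     "lines": ["dns query=update.bad-cdn.example",
               "registry set=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc",
               "file write=C:\\Users\\Public\\svc.exe"]},
    {"id": "s2", "owner": "globex", "public": True,   # another subscriber, shared publicly
     "lines": ["dns query=update.bad-cdn.example",
               "registry set=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\loader"]},
    {"id": "s3", "owner": "globex", "public": False,  # another subscriber, kept private
     "lines": ["dns query=update.bad-cdn.example",
               "registry set=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\x"]},
    {"id": "s4", "owner": "acme", "public": True,     # benign-looking, should not match
     "lines": ["dns query=www.example.com",
               "file write=C:\\Temp\\readme.txt"]},
]

LINE_RE = re.compile(r"^(?P<type>\w+)\s+\w+=(?P<value>.+)$")


def extract_artifacts(lines: List[str]) -> Dict[str, Set[str]]:
    """Reduce raw log lines to artifacts keyed by type; unparseable lines are skipped."""
    artifacts: Dict[str, Set[str]] = {}
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            artifacts.setdefault(m["type"], set()).add(m["value"])
    return artifacts


@dataclass
class Tag:
    name: str
    # Search criteria: every (artifact type, regex) pair must hit at least one artifact.
    criteria: List[Tuple[str, str]]

    def matches(self, artifacts: Dict[str, Set[str]]) -> bool:
        for atype, pattern in self.criteria:
            rx = re.compile(pattern, re.IGNORECASE)
            if not any(rx.search(v) for v in artifacts.get(atype, ())):
                return False
        return True


@dataclass
class AlertConfig:
    subscriber: str          # the subscriber who enabled the alert action
    enabled_tags: Set[str]   # tag names configured as "alerting" tag type
    include_public: bool = True  # also alert on public samples from other subscribers


TAGS = [Tag("run-key-persistence-bad-cdn",
            [("dns", r"bad-cdn\.example$"), ("registry", r"\\Run\\")])]


def evaluate(samples: List[dict], tags: List[Tag], cfg: AlertConfig) -> List[dict]:
    """Return the alerts visible to cfg.subscriber.

    A matched sample is surfaced when it belongs to the subscriber (private or
    public) or when it is another subscriber's *public* sample. Another
    subscriber's private sample is matched but never surfaced, so tag alerts
    cannot be used to learn what other tenants submitted privately.
    """
    alerts = []
    for s in samples:
        artifacts = extract_artifacts(s["lines"])
        for tag in tags:
            if tag.name not in cfg.enabled_tags or not tag.matches(artifacts):
                continue
            own = s["owner"] == cfg.subscriber
            if own or (cfg.include_public and s["public"]):
                alerts.append({"tag": tag.name, "sample": s["id"],
                               "source": "own" if own else "other-subscriber-public"})
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLES, TAGS, AlertConfig("acme", {"run-key-persistence-bad-cdn"})):
        print(a)
```

Run as a script, the acme subscriber sees its own sample s1 and globex's public sample s2; globex's private s3 matches the same tag but is withheld from acme, and s4 never matches. Swapping the subscriber to globex surfaces s3 as that subscriber's own sample. The tenancy check is the part worth getting right in a real platform: the tag match is cheap, but every alert path must re-check ownership and visibility before a cross-subscriber sample is exposed.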
Specification