How to change which FireEye base profile Security Analytics uses for Data Enrichment

Article ID: 168388
Products: Patch Management Solution for Windows; Security Analytics

Issue/Introduction

With newer versions of the FireEye MAS server (specifically 7.x), the base profiles have changed. In the past, Security Analytics (Solera Networks) used the winxp-base profile as the default. That profile has been removed in MAS 7.x. Starting with Security Analytics version 7.1.5, the default profile has been changed to winxp-sp2. However, you may want to use a different profile, and there is currently no way to change this profile from the GUI.

Resolution

These steps assume that you have already configured the Security Analytics appliance to point to your FireEye MAS server with a user that has appropriate rights (Settings > Data Enrichment in the GUI).

In order to change the default profile that Security Analytics uses for sending files to the FireEye MAS appliance, you must do the following:

1.  Log in to the CLI as the root user.
2.  Make a backup of the current fireeye configuration file:

cp /usr/lib64/python3.3/site-packages/derp/providers/fireeye.py /usr/lib64/python3.3/site-packages/derp/providers/fireeye.bak

3.  Edit the current fireeye.py file:

vi /usr/lib64/python3.3/site-packages/derp/providers/fireeye.py

4.  Press the '/' key to start a search, then type 'win' and press Enter.

The cursor should take you to this line:

'ssh {0[username]}@{0[remote]} cli \\"malware analyze live url file:{1[filename]} timeout 60 priority normal guestos winxp-sp2 no-prefetch force\\"',

Make note of the guestos value. In this case the guestos is 'winxp-sp2'.

5.  To change the base profile, press the letter I for Insert and change the guestos parameter to the desired profile. The default list of profiles supported in FireEye MAS version 7.x is as follows:

winxp-sp3
win7-sp1
win7x64-sp1
winxp-sp2

6.  Once the change has been made, press the ESC key to return to command mode, then enter :wq to save and exit.

7.  Restart the derpd process by entering: service derpd restart

FireEye submissions should now be sent to the correct profile.