NSX Network Detection and Response - How to generate TRES bundles

Article ID: 323974


Products

VMware

Issue/Introduction

In version 9.1 and later of the On-Premise software, a new script is available that helps diagnose False Positive/False Negative detection issues more quickly.

If you have a Support Request related to a possible threat detection, such as a False Positive or False Negative, perform the following steps and attach the resulting bundle to the SR to expedite resolution.

Resolution

Summary of steps:

1. Locate the Task UUID of the FP/FN from the Web Portal UI.

Sample:
https://<manager_fqdn>/portal#/analyst/task/<task-UUID>/overview

2. SSH into the NSX NDR Manager appliance node.

3. Execute the command (note the optional -s flag, described below):

cd /tmp/ && sudo get_tres_bundle.py -s <task_uuid>

4. Transfer the file from /tmp/ to your local machine (via PuTTY, rsync, etc.).

5. Upload the file to the VMware Customer Connect Support Request as an attachment within the portal.
For further details on how to upload files to a Support Request, see:

How to provide a Malware Sample/Analysis Subject to VMware Technical Support for NSX Threat Response requests (86430)
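The steps above can be wrapped in a small shell script so that the task UUID is sanity-checked before the collection runs, the bundle's existence is confirmed, and a SHA-256 of the archive is recorded before it is uploaded to the SR. This is an added example, not part of this article or a VMware-supplied script; it assumes get_tres_bundle.py is on the PATH of the Manager appliance and writes <task_uuid>-tres-bundle.zip into the current directory, as the article states, and the helper names (is_task_uuid, uuid_from_portal_url, bundle_name, collect_tres_bundle) are this example's own.

```shell
#!/bin/sh
# Added example (not VMware's script): wrap get_tres_bundle.py so the task
# UUID is validated before use and the resulting bundle is verified and
# hashed before it is attached to the Support Request.
# Assumption: get_tres_bundle.py is on PATH on the Manager appliance and
# writes "<task_uuid>-tres-bundle.zip" into the current directory.

# Return 0 if the argument looks like a task UUID (8-4-4-4-12 hex digits),
# so an empty string or a pasted portal URL is rejected before sudo runs.
is_task_uuid() {
    printf '%s\n' "$1" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Extract the task UUID from a portal URL of the form
# https://<manager_fqdn>/portal#/analyst/task/<task-UUID>/overview
uuid_from_portal_url() {
    printf '%s\n' "$1" | sed -n 's#.*/analyst/task/\([^/]*\)/.*#\1#p'
}

# Name of the archive the script writes for a given task UUID.
bundle_name() {
    printf '%s-tres-bundle.zip\n' "$1"
}

# Run the collection in /tmp with the analysis subject included (-s), then
# confirm the archive exists and print its SHA-256 for the SR attachment.
collect_tres_bundle() {
    uuid="$1"
    is_task_uuid "$uuid" || { echo "invalid task UUID: $uuid" >&2; return 1; }
    cd /tmp || return 1
    sudo get_tres_bundle.py -s "$uuid" || return 1
    out="$(bundle_name "$uuid")"
    [ -s "$out" ] || { echo "bundle $out was not created" >&2; return 1; }
    sha256sum "$out"
}

# Usage: ./collect_tres.sh <task_uuid | portal URL>
if [ -n "$1" ]; then
    arg="$1"
    case "$arg" in
        http*) arg="$(uuid_from_portal_url "$arg")" ;;
    esac
    collect_tres_bundle "$arg"
fi
```

Keep the printed SHA-256 alongside the SR so that Support can confirm the uploaded attachment matches the archive generated on the appliance.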


More information:

The script, get_tres_bundle.py, is executed on the Manager appliance and requires at minimum a task UUID argument. It must be run as root or with sudo. Note: including the -s argument is highly recommended so that VMware Technical Support and our Threat Analysts Response team receive full details; without the analysis subject, we may not be able to come to a concrete conclusion.

Optional argument:

-s Also includes the subject of the analysis in the .zip file.

Basic syntax (without analysis subject):

get_tres_bundle.py <task_uuid>

Suggested syntax (with analysis subject):

get_tres_bundle.py -s <task_uuid>


This will generate a file called “<task_uuid>-tres-bundle.zip” in the current directory.

Additional Information

Note: This article is applicable to the standalone NSX Network Detection and Response product (formerly Lastline) and is not intended to be applied to the NSX NDR feature of NSX-T.