Joint Solution Overview

The InQuest Platform focuses on capturing, identifying, processing, inspecting and storing network content to detect and/or prevent malicious logic as well as sensitive information in-transit. Innovative and constantly evolving file post-processing techniques are applied to live monitored network traffic providing insights into even the most creative combinations of obfuscation. InQuest's Threat Discovery Engine (TDE) integration discovers threats embedded within network content based on the weekly updated InQuest proprietary signature pack. InQuest's TDE integration, in conjunction with Micro Focus ArcSight, provides users with the ability to monitor and correlate alerts within the ArcSight Console. InQuest’s MetaDefender Core integration provides the capability of scanning files with multiple Antivirus engines without having to disclose files outside of your network boundaries. When this integration is enabled, InQuest will automate the process of submitting files, logging, and alerting on AV engine hits while forwarding network and file alert information to ArcSight via syslog. InQuest’s cloud-based MultiAV and VirusTotal integrations provide alerting capabilities for message digests submitted to either InQuest Labs or VirusTotal. These integrations do not disclose information from your network and serve as an efficient means of discovering exploits and malware in the wild. Hashes are submitted to the cloud and AntiVirus scan results are returned for that hash. This does not provide an equivalent level of coverage as InQuest’s MetaDefender Core integration, but provides an excellent degree of coverage for common malware discovered in the wild. InQuest’s Header Analytics TDE integration provides alerting capabilities for indicators found within numerous protocol headers which could be attributed to various command-and-control or exploit activity.

Use Cases

This section describes important use cases supported by this integration.

● Malicious File Detection using Deep File Inspection (DFI) with InQuest Threat Discovery Engine (TDE)

● Malicious File Detection using AntiVirus-based integrations

Malicious File Detection using Deep File Inspection (DFI) with InQuest Threat Discovery Engine (TDE)

InQuest detected an e-mail with a malicious PDF attachment containing various levels of obfuscation. InQuest’s policy included signatures for malicious XORed file signatures and a Common Event Format (CEF) message was sent to the local MIcro Focus ArcSight deployment. The event was escalated by the Intrusion Detection Team to the Incident Response Team and the appropriate actions were taken to remediate the compromised system.

Malicious File Detection using AntiVirus-based Integrations

A user receives a targeted e-mail containing a URL to a malicious Flash file. The user clicks the link and is redirected to the site hosting the malicious Flash file and that file is executed. InQuest’s MultiAV integration sends an alert to ArcSight based on the malicious file’s message digest which has been previously identified as malicious and circulating the internet. The event was escalated by the Intrusion Detection Team to the Incident Response Team and appropriate actions were taken to remediate the compromised system.

Suggested apps

Suggested for you are based on app category, product compatibility, popularity, rating and newness. Some apps may not show based on entitlements. Learn more about entitlements.


InQuest CEF Integration 3.8
712.3 KB
Jan 7, 2018
More info Less info
Product compatibility
Version 8.1 · 8.0
Version 7.16.8 · 7.15.0 · 7.14.0
Release notes

ArcSight Configuration Guide


Unsubscribe from notifications

You are receiving release updates for this item because you have subscribed to the following products:
If you unsubscribe, you will no longer receive any notifications for these products.
Tip: to update your subscription preferences, go to Manage Subscriptions from your Dashboard, uncheck the products you no longer want to receive notifications for, and click 'Save'.

Marketplace Terms of Service

In order to continue, you must accept the Marketplace Terms of Service and Micro Focus Terms of Service
Since you are downloading an app from the Micro Focus unified Marketplace using an Access Manager account, you need to also accept the Micro Focus Marketplace Terms of Service before you can continue. Use the link to review the Marketplace Terms of Service. Once complete check the, "I accept the Marketplace Terms of Service and the Micro Focus Terms of Service" box below and click accept to continue your download.

Your download has begun...

Your download has begun

Related content and resources

Your browser is not supported!

Please upgrade to one of the following broswers: Internet Explorer 11 (or greater) or the latest version of Chrome or Firefox

release-rel-2021-1-1-3600 | Wed Jan 6 00:44:15 PST 2021