The InQuest Platform focuses on capturing, identifying, processing, inspecting and storing network content to detect and/or prevent malicious logic as well as sensitive information in transit. Innovative and constantly evolving file post-processing techniques are applied to live monitored network traffic, providing insights into even the most creative combinations of obfuscation.
InQuest's Threat Discovery Engine (TDE) integration discovers threats embedded within network content based on the weekly updated InQuest proprietary signature pack. InQuest's TDE integration, in conjunction with Micro Focus ArcSight, provides users with the ability to monitor and correlate alerts within the ArcSight Console.
InQuest’s MetaDefender Core integration provides the capability of scanning files with multiple AntiVirus engines without having to disclose files outside of your network boundaries. When this integration is enabled, InQuest will automate the process of submitting files, logging, and alerting on AV engine hits while forwarding network and file alert information to ArcSight via syslog.
InQuest’s cloud-based MultiAV and VirusTotal integrations provide alerting capabilities for message digests submitted to either InQuest Labs or VirusTotal. These integrations do not disclose information from your network and serve as an efficient means of discovering exploits and malware in the wild. Hashes are submitted to the cloud and AntiVirus scan results are returned for that hash. This does not provide the same level of coverage as InQuest’s MetaDefender Core integration, but provides an excellent degree of coverage for common malware discovered in the wild.
InQuest’s Header Analytics TDE integration provides alerting capabilities for indicators found within numerous protocol headers which could be attributed to various command-and-control or exploit activity.
This section describes important use cases supported by this integration.
● Malicious File Detection using Deep File Inspection (DFI) with InQuest Threat Discovery Engine (TDE)
● Malicious File Detection using AntiVirus-based integrations
Malicious File Detection using Deep File Inspection (DFI) with InQuest Threat Discovery Engine (TDE)
InQuest detected an e-mail with a malicious PDF attachment containing various levels of obfuscation. InQuest’s policy included signatures for malicious XORed file signatures, and a Common Event Format (CEF) message was sent to the local Micro Focus ArcSight deployment. The event was escalated by the Intrusion Detection Team to the Incident Response Team and the appropriate actions were taken to remediate the compromised system.
Malicious File Detection using AntiVirus-based Integrations
A user receives a targeted e-mail containing a URL to a malicious Flash file. The user clicks the link and is redirected to the site hosting the malicious Flash file, and that file is executed. InQuest’s MultiAV integration sends an alert to ArcSight based on the malicious file’s message digest, which has been previously identified as malicious and circulating on the internet. The event was escalated by the Intrusion Detection Team to the Incident Response Team and appropriate actions were taken to remediate the compromised system.
ArcSight Configuration Guide