External Threat Feed Settings


Thirtyseven4 EDR Security lets customers integrate an External Threat Feed to enable detailed threat analysis.
To integrate an External Threat Feed with Thirtyseven4 EDR Security, complete the following steps.
Step 1: Download EDR Setup on Thirtyseven4 EDR Security Console
Step 2: On Oracle VM VirtualBox, fresh install MISP and Live Query server
Step 3: Get Authentication Key of MISP server
Step 4: Configure MISP server and scheduler on Thirtyseven4 EDR Security console

Step 1: Download EDR Setup on Thirtyseven4 EDR Security Console

  1. Log on to the Thirtyseven4 EDR Security.
  2. Go to EDR > Live Query.
  3. When you open this page for the first time, Live Query Settings are not yet configured, so a message about configuring Live Query Settings appears. Click Configure Live Query Settings.
  4. You are redirected to the Configurations > EDR page. Click Download EDR setup.

Step 2: On Oracle VM VirtualBox, fresh install MISP and Live Query server

For the procedure to fresh install MISP and Live Query server, see EDR OVA Deployment.

Step 3: Get Authentication Key of MISP server

  1. Log on to the MISP console.
  2. Go to Global Actions > My Profile > Auth Keys section.
  3. Click + Add authentication key.
  4. The authentication key is displayed. Take note of it on paper or store it properly.
    NOTE: The authentication key is displayed only once, so record it manually; otherwise it will be lost.

Step 4: Configure MISP server and scheduler on Thirtyseven4 EDR Security console

To configure MISP server and Scheduler, follow these steps.

  1. Log on to the Thirtyseven4 EDR Security.
  2. Go to Configurations > EDR.
  3. Select the Enable External Threat Feed check box.
  4. Enter the host name in the Server text box.
  5. Enter the Port number. By default, the value is 8443. You can change the port number if required.
  6. Enter the Authentication Key.
  7. In Schedule settings: Frequency, select either the Daily or Weekly option. If you select the Weekly option, also select the Day.
  8. In Start At, set the time in hours and minutes.
  9. Select the Hash Type: MD5 (default), SHA1, or SHA256.
  10. Select the Action to be taken at the endpoint when a file matching a hash from the list is found. You can select the Quarantine or No action option.
  11. To test the External Threat Feed server connection, click Test connection.
  12. After successful verification, click Apply.
    The MISP server is configured.
    The automated searches are generated with names in the format Automated_Search_yyyyMMddHHmmss.
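
The following is an added example, not part of the Thirtyseven4 product or its documentation. It shows one way to audit that the scheduler configured above is actually producing runs: it parses the Automated_Search_yyyyMMddHHmmss names and reports gaps longer than the selected Frequency. The function names, the one-hour tolerance and the sample search names are assumptions made for illustration.

```python
from datetime import datetime, timedelta

PREFIX = "Automated_Search_"

def parse_search_time(name):
    """Return the datetime encoded in an automated search name, or None."""
    if not name.startswith(PREFIX):
        return None
    stamp = name[len(PREFIX):]
    if len(stamp) != 14 or not (stamp.isascii() and stamp.isdigit()):
        return None
    try:
        # yyyyMMddHHmmss on the page corresponds to %Y%m%d%H%M%S here.
        return datetime.strptime(stamp, "%Y%m%d%H%M%S")
    except ValueError:
        return None  # digits that do not form a real date or time

def find_missed_runs(names, frequency="Daily", tolerance=timedelta(hours=1)):
    """Return (previous_run, next_run) pairs whose gap exceeds the schedule."""
    period = {"Daily": timedelta(days=1), "Weekly": timedelta(weeks=1)}[frequency]
    runs = sorted(t for t in map(parse_search_time, names) if t is not None)
    return [(a, b) for a, b in zip(runs, runs[1:]) if b - a > period + tolerance]

# Constructed sample: search names as they might be copied from the console.
SAMPLE = [
    "Automated_Search_20240301020000",
    "Automated_Search_20240302020004",
    "Automated_Search_20240305020002",  # no runs on 3 and 4 March
    "Manual_Search_1",                  # constructed non-automated name, ignored
    "Automated_Search_20241332020000",  # invalid date, ignored
]

if __name__ == "__main__":
    for prev, nxt in find_missed_runs(SAMPLE, "Daily"):
        print(f"No automated search between {prev} and {nxt}")
```

A reported gap means the feed-driven hash search did not run for that period, so endpoints were not checked against newly published indicators during it.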