How to submit samples sent to Threat Intelligence Exchange to the closest Intelligent Sandbox instance
Last Modified: 2022-09-30 14:39:26 Etc/GMT
Technical Articles ID:
KB86707
Environment
Threat Intelligence Exchange Server (TIE Server)
Intelligent Sandbox
For supported platforms, see KB83368 - Supported platforms for Threat Intelligence Exchange Server.
NOTE: Advanced Threat Defense (ATD) was rebranded to Intelligent Sandbox in version 5.0.
Summary
Every TIE Server instance can submit file samples to Intelligent Sandbox for analysis. This article describes how to configure the TIE Server to send submitted samples to the closest Intelligent Sandbox (ATD) instance.
NOTE: As of TIE Server version 2.1.0, the naming convention for Master and Slave operations changed to Primary and Secondary. For example: Master becomes Primary; Slave becomes Secondary. Previous versions of TIE Server retain the original Master/Slave designations.
The example scenario in this article is for a large deployment in a geographically distributed environment. Even in a non-geographically distributed environment, you can use the concepts to ensure that the Intelligent Sandbox submission process scales properly for many endpoints, though this scenario is not covered in this article.
The Intelligent Sandbox instances that the TIE Server uses are configured using ePolicy Orchestrator (ePO) policies. The TIE Server uses a "round robin" approach on the list of configured Intelligent Sandbox instances to send samples for analysis. Each time a TIE Server instance receives a sample, it forwards it to the next Intelligent Sandbox instance in the list. If all existing Intelligent Sandbox instances are configured for every TIE Server instance, a TIE Server might send a file to the most geographically distant Intelligent Sandbox instance rather than the closest one. You can use the grouping capabilities of ePO to set up the deployment so that submitted samples are sent only to the closest Intelligent Sandbox instance.
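The round-robin behaviour and the effect of per-region grouping, as an added model that is not part of this article and not Trellix code. The server names, regions and the policy shape (a TIE Server mapped to an ordered list of sandbox instances) are constructed assumptions; the real ePO policy format is not shown here.

```python
"""Model of TIE Server round-robin forwarding to Intelligent Sandbox instances.

Constructed example: instance names, regions and the policy structure are
assumptions for illustration, not the ePO policy format.
"""
from itertools import cycle
from typing import Dict, List

# Constructed inventories: instance name -> region.
SANDBOXES: Dict[str, str] = {"sbx-us": "America", "sbx-eu": "Europe", "sbx-asia": "Asia"}
TIE_SERVERS: Dict[str, str] = {"tie-us": "America", "tie-eu": "Europe", "tie-asia": "Asia"}

# Policy model: TIE Server -> ordered list of sandbox instances it may submit to.
# FLAT_POLICY: every TIE Server has every sandbox configured (the problem case).
FLAT_POLICY: Dict[str, List[str]] = {tie: list(SANDBOXES) for tie in TIE_SERVERS}
# GROUPED_POLICY: one ePO group per region, so each TIE Server only sees local sandboxes.
GROUPED_POLICY: Dict[str, List[str]] = {
    tie: [s for s, r in SANDBOXES.items() if r == region] for tie, region in TIE_SERVERS.items()
}


class TieServer:
    """Round-robin state: each received sample goes to the next instance in the list."""

    def __init__(self, name: str, instances: List[str]) -> None:
        self.name = name
        self._next = cycle(instances)

    def forward(self) -> str:
        return next(self._next)


def simulate(policy: Dict[str, List[str]], tie: str, n_samples: int) -> List[str]:
    """Sandbox chosen for each of n_samples received in turn by one TIE Server."""
    srv = TieServer(tie, policy[tie])
    return [srv.forward() for _ in range(n_samples)]


def distant_submissions(policy: Dict[str, List[str]], tie: str, n_samples: int) -> List[str]:
    """Submissions that would leave the TIE Server's own region under this policy."""
    region = TIE_SERVERS[tie]
    return [s for s in simulate(policy, tie, n_samples) if SANDBOXES[s] != region]


def policy_is_local(policy: Dict[str, List[str]]) -> bool:
    """Check: every TIE Server has a non-empty list containing only sandboxes in its region."""
    return all(
        bool(instances) and all(SANDBOXES[s] == TIE_SERVERS[tie] for s in instances)
        for tie, instances in policy.items()
    )
```

Running `distant_submissions(FLAT_POLICY, "tie-asia", 3)` shows two of three samples from the Asian TIE Server going abroad, while the grouped policy yields none and passes `policy_is_local`.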
Example scenario: TIE instances distributed around the world and three Intelligent Sandbox instances located in America, Europe, and Asia. It is not desirable for an endpoint in Asia to upload a sample to the primary TIE Server instance in North America, and then have that TIE Server forward the sample to an Intelligent Sandbox instance in Asia. To submit samples to the closest Intelligent Sandbox instance: