Threat Intelligence Exchange workflow with the NTP option enabled
Last Modified: 2022-01-18 14:49:22 Etc/GMT
Technical Articles ID:
KB95179
Environment
Threat Intelligence Exchange (TIE) Server - all supported versions

For supported environments, see KB83368 - Supported platforms for Threat Intelligence Exchange.

Summary
Network Time Protocol (NTP)

NTP is an Internet protocol used to synchronize the clocks of computers on a network. It keeps a clock within a few milliseconds of Coordinated Universal Time (UTC).

Background Details:
Failures

When the NTP check fails, you see an error similar to the following on the Server Settings, TIE Topology page:

- Make sure NTP servers have been configured on the appliance.
- Run /usr/sbin/reconfig-ntp on the appliance.
- More information can be found in KB90548.

NOTES:
Workflow to check for the NTP failure:

Enable Debug Logging: Debug logging must be enabled through the TIE policy:
TIESERVER.log (/var/McAfee/tieserver/logs)

Example of the health response written to the log. The ntp_status entry in the checks array is the one this workflow examines; note that in this sample its status is OK even though the data shows lagging true and an ntpOffset of 300000, while the overall health status is ERROR because of the gti_connectivity check:

DETAIL {2021-07-13 05:01:56,546} [DxlServiceRequest-default-thread-35] (JsonUtil.java:95) - traceId: {4cad2e2a-44db-4bd8-a70e-a4717cd1a807} - response: /mcafee/service/tie/management/health :
{"health":{"status":"ERROR","checks":[
  {"status":"OK","type":"database_status","data":{"availableSpaceInData":97137623040,"availableSpaceInRoot":1547231232,"currentDatabaseSize":786349191,"biggestTableSize":161538048,"replicationWindowSize":8589934592,"maximumConnections":1024,"remoteConnections":0,"localConnections":110,"replicationConnections":0,"shouldVacuum":true,"shouldReindex":true,"isPrimary":true,"isServiceRunning":true,"isLocalDataBaseEnabled":true,"latestVacuumDate":"1626116419000","latestVacuumFullDate":"1625949078000","latestReindexDate":"1625949109000"}},
  {"status":"OK","type":"apihealth","data":{"overallRate":0.15493194194731671,"cpu":1,"queueSizes":{"DEFAULT":0},"queueUsagePercentage":{"DEFAULT":0.0}}},
  {"status":"ERROR","type":"gti_connectivity","data":{"CERTIFICATE":{"lastCommTime":1626152460503,"lastCallSuccess":false,"requestsCount":22946998,"responseTime":0,"rollingAverageResponseTime":0,"internalGtiStatus":"ERROR","tieApplianceUptime":1625068380,"clientEnabled":true,"clientInitialized":true}}},
  {"status":"OK","type":"ntp_status","data":{"ntpStatus":"just_synchronised","serverDate":"1626152054000","ntpOffset":300000.0,"lagging":true,"synchronised":true}},
  {"status":"OK","type":"certificates","data":{"matchingCn":true,"matchingCa":true,"atdKeystoreValid":true}}
]}}

NOTES:
Condition A - The NTP connection is good: ntpStatus shows synchronised, ntpIsLagging is false, and the offset is small, which confirms there is no latency.

Output:
"ntpStatus": "synchronised",
"ntpOffset": 0.630,
"ntpIsLagging": false,
"serverDate": "07-14-2021 06:06:23"
}

Condition B - There is latency or lag in reaching the NTP server: In this state, you see just_synchronised or unsynchronised, ntpIsLagging is true, and the offset is large.

Output:
"ntpStatus": "just_synchronised",
"ntpOffset": 300000,
"ntpIsLagging": true,
"serverDate": "0 }

Output:
"ntpStatus": "unsynchronised",
"ntpOffset": 300000,
"ntpIsLagging": true,
"serverDate": "11-28-2021 12:14:22"
}

Analyzing the results
NOTES:
The NTP Status strings explained:
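The following is an added example (not code from the KB or from the TIE product) that pulls the health response out of TIESERVER.log lines and applies the Condition A / Condition B distinction above. It assumes the log layout shown in this article ("response: /mcafee/service/tie/management/health : {json}"), that serverDate in the log is epoch milliseconds, that ntpOffset is in milliseconds, and that the lagging flag may be spelled either "lagging" (as in the log) or "ntpIsLagging" (as in the condition outputs). The 1000 ms offset threshold and the sample log lines are constructed for the example.

```python
import json
from datetime import datetime, timezone

HEALTH_MARKER = "/mcafee/service/tie/management/health : "

# Constructed TIESERVER.log lines for this example:
#  1. trimmed from the health response shown in the KB (only the checks that matter here)
#  2. a healthy response made up for contrast (matches the KB's Condition A values)
#  3. an unrelated log line that must be ignored
SAMPLE_LOG = [
    "DETAIL {2021-07-13 05:01:56,546} [DxlServiceRequest-default-thread-35] (JsonUtil.java:95) "
    "- traceId: {4cad2e2a-44db-4bd8-a70e-a4717cd1a807} - response: " + HEALTH_MARKER +
    '{"health":{"status":"ERROR","checks":['
    '{"status":"ERROR","type":"gti_connectivity","data":{"CERTIFICATE":{"lastCallSuccess":false}}},'
    '{"status":"OK","type":"ntp_status","data":{"ntpStatus":"just_synchronised",'
    '"serverDate":"1626152054000","ntpOffset":300000.0,"lagging":true,"synchronised":true}}]}}',

    "DETAIL {2021-07-14 06:06:23,001} [DxlServiceRequest-default-thread-2] (JsonUtil.java:95) "
    "- traceId: {00000000-0000-0000-0000-000000000000} - response: " + HEALTH_MARKER +
    '{"health":{"status":"OK","checks":['
    '{"status":"OK","type":"ntp_status","data":{"ntpStatus":"synchronised",'
    '"serverDate":"1626242783000","ntpOffset":0.630,"lagging":false,"synchronised":true}}]}}',

    "INFO {2021-07-13 05:01:57,000} [main] (Example.java:1) - unrelated line (constructed)",
]


def extract_health(line):
    """Return the parsed health JSON from a log line, or None if the line is not a health response."""
    idx = line.find(HEALTH_MARKER)
    if idx < 0:
        return None
    try:
        return json.loads(line[idx + len(HEALTH_MARKER):])
    except json.JSONDecodeError:
        return None


def ntp_data(health):
    """Locate the ntp_status check inside the checks array; the overall status is not enough."""
    for check in health.get("health", {}).get("checks", []):
        if check.get("type") == "ntp_status":
            return check.get("data", {})
    return None


def is_lagging(data):
    # The log uses "lagging"; the condition outputs in the KB use "ntpIsLagging".
    return bool(data.get("lagging", data.get("ntpIsLagging", False)))


def server_date_utc(data):
    """serverDate appears as epoch milliseconds (string) in the log; render it as UTC."""
    raw = str(data.get("serverDate", ""))
    if not raw.isdigit():
        return None
    return datetime.fromtimestamp(int(raw) / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def classify(data, max_offset_ms=1000.0):
    """Condition A: synchronised, not lagging, small offset. Anything else is Condition B.
    The offset unit (ms) and the threshold are assumptions for this example."""
    status = data.get("ntpStatus")
    offset = abs(float(data.get("ntpOffset", 0.0)))
    if status == "synchronised" and not is_lagging(data) and offset <= max_offset_ms:
        return "A"
    return "B"


def scan_log(lines):
    """Summarise every health response found in the given log lines."""
    results = []
    for line in lines:
        health = extract_health(line)
        if health is None:
            continue
        data = ntp_data(health)
        if data is None:
            continue
        results.append({
            "overall": health["health"].get("status"),
            "ntpStatus": data.get("ntpStatus"),
            "ntpOffset": data.get("ntpOffset"),
            "lagging": is_lagging(data),
            "serverDateUtc": server_date_utc(data),
            "condition": classify(data),
        })
    return results


if __name__ == "__main__":
    for entry in scan_log(SAMPLE_LOG):
        print(entry)
```

Run it against the real file with `scan_log(open("/var/McAfee/tieserver/logs/TIESERVER.log"))`. The point of inspecting the data fields rather than the check's own status is visible in the KB's own sample: the ntp_status check reports OK while lagging is true and the offset is 300000, so a monitor keyed only on the status string would miss the lag.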
Useful commands to check the status of NTP server connectivity and latency:

-bash-4.1#
Output:
time correct to within 142 ms
polling server every 1024 s

-bash-4.1#
Output:
polling server every 8 s

How to restart and check the status of the NTP service:

-bash-4.1#
Output

-bash-4.1#
Output
Starting ntpd: [ OK ]

-bash-4.1#
Output
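The following is an added example (not from the KB or the TIE appliance) that parses the human-readable output of ntpstat, the tool whose output fragments appear above ("time correct to within 142 ms", "polling server every 1024 s", "polling server every 8 s"), and turns it into a verdict an operator can act on. The server address, stratum line, and the thresholds are assumptions for this example; ntpstat's exit codes (0 synchronised, 1 unsynchronised, 2 indeterminate) are the tool's documented behaviour.

```python
import re
import subprocess

# Constructed ntpstat outputs. The "time correct to within", "polling server every"
# lines match the fragments in the KB; the server address and stratum are made up.
NTPSTAT_SYNCED = (
    "synchronised to NTP server (192.0.2.10) at stratum 2\n"
    "   time correct to within 142 ms\n"
    "   polling server every 1024 s\n"
)
NTPSTAT_UNSYNCED = (
    "unsynchronised\n"
    "  polling server every 8 s\n"
)


def parse_ntpstat(text):
    """Parse ntpstat output into a dict: synchronised, server, stratum, max_error_ms, poll_interval_s."""
    result = {"synchronised": False, "server": None, "stratum": None,
              "max_error_ms": None, "poll_interval_s": None}
    lines = text.strip().splitlines()
    first = lines[0].strip() if lines else ""
    m = re.match(r"synchron[iz]sed to (?:NTP server \(([^)]*)\)|local net)(?: at stratum (\d+))?", first)
    if m:
        result["synchronised"] = True
        result["server"] = m.group(1)
        result["stratum"] = int(m.group(2)) if m.group(2) else None
    m = re.search(r"time correct to within (\d+) ms", text)
    if m:
        result["max_error_ms"] = int(m.group(1))
    m = re.search(r"polling server every (\d+) s", text)
    if m:
        result["poll_interval_s"] = int(m.group(1))
    return result


def assess(parsed, max_error_ms=1000, min_poll_s=64):
    """Map the parsed status to an action. Thresholds are example assumptions, not TIE defaults.
    - not synchronised: NTP servers missing or ntpd not running (the KB's reconfig-ntp / restart steps)
    - very short poll interval (for example 8 s): ntpd just (re)started and is still converging
    - large error bound: lag to the configured servers, so check network latency
    """
    if not parsed["synchronised"]:
        return "unsynchronised: check NTP server configuration and that ntpd is running"
    if parsed["poll_interval_s"] is not None and parsed["poll_interval_s"] < min_poll_s:
        return "synchronised but still converging: re-check in a few minutes"
    if parsed["max_error_ms"] is not None and parsed["max_error_ms"] > max_error_ms:
        return "synchronised but lagging: high error bound, check latency to NTP servers"
    return "ok"


def check_live():
    """Run ntpstat on this host if it is installed and assess the result; None if it is absent."""
    try:
        proc = subprocess.run(["ntpstat"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    parsed = parse_ntpstat(proc.stdout)
    parsed["exit_code"] = proc.returncode  # 0 synchronised, 1 unsynchronised, 2 indeterminate
    parsed["verdict"] = assess(parsed)
    return parsed


if __name__ == "__main__":
    for sample in (NTPSTAT_SYNCED, NTPSTAT_UNSYNCED):
        parsed = parse_ntpstat(sample)
        print(parsed, "->", assess(parsed))
    live = check_live()
    print("live:", live if live is not None else "ntpstat not installed")
```

The short "polling server every 8 s" interval is what you see right after ntpd starts or is restarted; the interval grows toward 1024 s as the daemon gains confidence in the servers, so a check that runs immediately after the restart step above should expect the converging verdict rather than treating it as a failure.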