3. Intelligence
3.1. External
Menu: Administrators > GCenter > Third-Party Modules > Intelligence
In order to obtain a detailed analysis report of the file detected on the GCENTER, a connection must be established between it and the connected Intelligence platform. Once this connection is established, the operator will be able to send files to the Intelligence platform directly from the interface.
The connection status between the GCENTER and the Intelligence platform is displayed in the Interconnection status view below:
Please note that the link between the two devices of the GATEWATCHER solution is optional although recommended for optimal use of the product once malware has been detected.
The connectivity can be checked in a single click by the administrator from the Interconnection check-up section by pressing the Interconnection test button.
The interconnection test result will be displayed as follows:
Certain information is required for the GCENTER to be connected to the platform.
Some fields are to be filled in by the administrator from the Interconnection settings section by pressing the Settings button.
Intelligence target: is the address of the Gatewatcher Intelligence server (https://intelligence.GATEWATCHER.com/gwapi/_).
The boxes Is the target server a GBOX? and Disable SSL verification should only be ticked when using a GBOX. Once the address is filled in, the administrator must store the information by clicking on Save.
Analysis mode: corresponds to the analysis method of the file sent to the Intelligence server: Online or Offline.
Intelligence usermail: The email address of the intelligence account to which an email will be sent. This will contain a token enabling a GCENTER to be connected to https://intelligence.GATEWATCHER.com/packages/list/.
Output interface is the interface of the GCENTER through which it will communicate with the Intelligence server.
Once the email containing the connection token is received, it will be necessary to fill in the field Intelligence secret token:
This token is unique per user account yet can be used on multiple GCENTER. The activation of a new token will be added to the list of other tokens linked to the email address.
The last step in activating the service involves ticking the 'Enable interconnection' box. Then click on Save or Regenerate Token.
Once the service is activated, the condition in the Interconnection status field changes: the link between the GCENTER and the Intelligence platform is operational.
Once the link is established, users will be able to download a detected sample from the analysis platform and run it under the Intelligence engines. Detailed analysis reports of these samples may be retrieved from the Malcore section of Inspectra.
As a result of this connection, the administrator may be able to send files to the Intelligence platform for further analysis and download the report.
The Remote analysis settings section enables the administrator to remain anonymous when sending samples to the platform if the Private remote analysis option is enabled.
If the 'Enabled' box is not ticked and/or the administrator does not backup by pressing Save then other users of the Intelligence platform will be able to see the details of each analysis the administrator carries out.
3.2. GBox
Menu: Administrators > GCenter > Third-Party Modules > Intelligence
Just like connecting to Gatewatcher's Intelligence service, using a GBox enables in-depth analysis of malware detected by Malcore with the difference being that using a GBox enables this without having to send information to an external service. GBOX is a physical device installed within the infrastructure, along with the other devices of the TRACKWATCH solution.
The connection status between the GCENTER and the GBOX is displayed in the Interconnection status view below:
The connectivity can be checked in a single click by the administrator from the Interconnection check-up section by pressing the Interconnection test button.
The interconnection test result will be displayed as follows:
An interconnection must be set up between the GCENTER and the GBOX. The link between the two devices operates via an Application Programming Interface (API) that enables samples to be sent to the GBOX for analysis and the results of the testing to be retrieved.
Some details are required so that the GCENTER can be connected to the platform and can send the HTTP request correctly.
Some fields are to be filled in by the administrator from the Interconnection settings section by pressing the Settings button.
Intelligence target: this is the API address of the GBOX (of the form: https://adresse IP de la GBOX/gwapi/). Is the target server a GBOX?: is to be ticked to indicate the use of a GBox Disable SSL verification: enables the use of auto-signed certificates. Analysis mode: corresponds to the analysis method of the file sent to the Intelligence server: Offline or Online.
Intelligence usermail: is not required when using a GBox.
Output interface is the physical interface of the GCENTER through which it will communicate with the GBOX server.
The last step in activating the service involves ticking the Enable interconnection box. Then click on Save.
Once the link is established, users will be able to download a detected sample from the intelligence analysis platform and run it through the GBox engines. Detailed analysis reports for these samples will be available in the [Inspectra - MALCORE] section (../malcore.html#inspectra).
Once the service is activated, the condition in the Interconnection status field changes: the link between the GCENTER and the GBox is operational.
As for the analysis in the GBOX, the template used for the samples can be specified in the query. If the template is not specified in the query, the samples are analysed using the default template in the GBOX that must therefore be set up beforehand. Samples are transmitted in raw binary format.
The Remote analysis settings section is not useful to the administrator in this choice of infrastructure, the GBOX being a dedicated server within the solution.