These steps assume that you have already configured the Security Analytics appliance to point to your FireEye MAS server with a user that has appropriate rights (Settings > Data Enrichment in the GUI).
In order to change the default profile that Security Analytics uses for sending files to the FireEye MAS appliance, you must do the following:
1. Log in to the CLI as the root user.
2. Make a backup of the current fireeye configuration file:
cp /usr/lib64/python3.3/site-packages/derp/providers/fireeye.py /usr/lib64/python3.3/site-packages/derp/providers/fireeye.bak
3. Edit the current fireeye.py file:
vi /usr/lib64/python3.3/site-packages/derp/providers/fireeye.py
4. Press the '/' key to start a search, then enter 'win' and press Enter.
The cursor should take you to this line:
'ssh {0[username]}@{0[remote]} cli \\"malware analyze live url file:{1[filename]} timeout 60 priority normal guestos winxp-sp2 no-prefetch force\\"',
Make note of the guestos value. In this case the guestos is 'winxp-sp2'.
5. To change the base profile, press i to enter insert mode and change the guestos parameter to the desired profile. Only change the value after 'guestos'; leave the rest of the line, including the escaped quotes, exactly as it is. The default list of profiles supported in FireEye MAS version 7.x is as follows (the profile you choose must be one that is actually installed on your MAS appliance):
winxp-sp3
win7-sp1
win7x64-sp1
winxp-sp2
6. Once the change has been made, press the ESC key to go back to command mode and then enter :wq to save and exit.
7. Restart the derpd process by entering: service derpd restart
FireEye submissions should now be sent to the selected profile. Note that fireeye.py lives inside the product's Python package directory, so a Security Analytics upgrade may replace it; re-check the guestos value after upgrading and keep the backup from step 2.
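The manual procedure above can be scripted so that the edit is validated and reversible. The following is an added example, not part of the original article or of the Security Analytics product: it backs up fireeye.py with a timestamp, checks the requested profile against the list from step 5, swaps only the guestos token with sed, verifies the result, and restarts derpd only when run directly with a profile argument against the live file. The file contents written by write_sample_provider are a constructed stand-in for offline testing (the real fireeye.py contains much more), and GNU sed (sed -i) is assumed, as on the appliance.

```shell
#!/bin/sh
# Added example: change the FireEye MAS guestos profile used by the derp
# fireeye provider. PROVIDER can be overridden for testing on a copy.

PROVIDER="${PROVIDER:-/usr/lib64/python3.3/site-packages/derp/providers/fireeye.py}"

# Default profiles listed in the article for FireEye MAS 7.x
KNOWN_PROFILES="winxp-sp3 win7-sp1 win7x64-sp1 winxp-sp2"

# Return 0 if $1 is one of the known profiles, 1 otherwise.
is_known_profile() {
    for p in $KNOWN_PROFILES; do
        [ "$1" = "$p" ] && return 0
    done
    return 1
}

# Print the guestos value currently set in provider file $1 (first match only).
current_guestos() {
    sed -n 's/.*guestos \([^ ]*\).*/\1/p' "$1" | head -n 1
}

# Write a constructed stand-in for fireeye.py to $1 (only the relevant line,
# copied from the article; the quoted heredoc keeps the backslashes literal).
write_sample_provider() {
    cat > "$1" <<'EOF'
# constructed stand-in for testing; the real provider file has much more around this line
    'ssh {0[username]}@{0[remote]} cli \\"malware analyze live url file:{1[filename]} timeout 60 priority normal guestos winxp-sp2 no-prefetch force\\"',
EOF
}

# Replace the guestos token in file $1 with profile $2 after a timestamped
# backup. Returns non-zero (and leaves the file untouched) if the profile is
# unknown or the file has no guestos parameter; returns non-zero if the
# post-edit check fails.
set_guestos() {
    file="$1"
    profile="$2"
    is_known_profile "$profile" || { echo "unknown profile: $profile" >&2; return 1; }
    grep -q 'guestos ' "$file" || { echo "no guestos parameter in $file" >&2; return 1; }
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1
    # GNU sed in-place edit; only the single token after 'guestos ' is touched
    sed -i "s/guestos [^ ]*/guestos $profile/" "$file" || return 1
    [ "$(current_guestos "$file")" = "$profile" ]
}

# When run directly with a profile name, edit the live file and restart derpd
# (step 7 of the article). Without an argument nothing is changed.
if [ $# -gt 0 ]; then
    set_guestos "$PROVIDER" "$1" && service derpd restart
fi
```

Run it as `sh set_guestos.sh win7-sp1` on the appliance as root; to rehearse on a copy first, point PROVIDER at a scratch file (PROVIDER=/tmp/fireeye.py sh set_guestos.sh win7-sp1) and inspect it with current_guestos before touching the real provider.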