Overview

Malcolm processes network traffic data in the form of packet capture (PCAP) files or Zeek logs. A sensor (packet capture appliance) monitors network traffic mirrored to it over a SPAN port on a network switch or router, or by using a network TAP device. Zeek logs and Arkime sessions are generated containing important session metadata from the traffic observed, which are then securely forwarded to a Malcolm instance. Full PCAP files are optionally stored locally on the sensor device for later examination.

Malcolm parses the network session data and enriches it with additional lookups and mappings including GeoIP mapping, hardware manufacturer lookups from organizationally unique identifiers (docs/OUI) in MAC addresses, assigning names to network segments and hosts based on a user-defined asset inventory, performing TLS fingerprinting, and many others.

This enriched data is stored in an OpenSearch document in a format suitable for analysis through two intuitive interfaces: OpenSearch Dashboards, a flexible data visualization plugin with dozens of prebuilt dashboards providing an at-a-glance overview of network protocols; and Arkime, a powerful tool for finding and identifying the network sessions comprising suspected security incidents. These tools can be accessed through a web browser from analyst workstations or on a display in a security operations center (SOC). Logs can also be forwarded on to another instance of Malcolm.

Malcolm can also easily be deployed locally on an ordinary consumer workstation or laptop for smaller networks, use at home, or in the field incident response engagements. Malcolm can process local artifacts such as locally generated Zeek logs, locally captured PCAP files, and PCAP files collected offline without the use of a dedicated sensor appliance.

• Quick start
  • Getting Malcolm
  • User interface
• Components
• Supported Protocols
• Downloading Malcolm
  • Docker images
  • Installer ISOs
• Development
  • Building from source
  • Pre-Packaged installation files
• Configuration
  • Recommended system requirements
  • Malcolm Configuration
    • Environment variable files
    • Command-line arguments
  • Configure authentication
    • Local account management
    • Lightweight Directory Access Protocol (LDAP) authentication
      • LDAP connection security
    • TLS certificates
    • Command-line arguments
  • Log Out of Malcolm
  • Platform-specific Configuration
    • Linux host system configuration
    • macOS host system configuration
    • Windows host system configuration
• Running Malcolm
  • OpenSearch and Elasticsearch instances
    • Authentication and authorization for remote data store clusters
  • Starting Malcolm
  • Stopping and restarting Malcolm
  • Clearing Malcolm’s data
  • Temporary read-only interface
• Network traffic artifact upload
  • Tagging
  • Processing uploaded PCAPs with Zeek and Suricata
• Live analysis
  • Using a network sensor appliance
  • Monitoring local network interfaces
    • “Hedgehog” run profile
  • Manually forwarding logs from an external source
• Arkime
  • Zeek log integration
    • Correlating Zeek logs and Arkime sessions
  • Help
  • Sessions
    • PCAP Export
  • SPIView
  • SPIGraph
  • Connections
  • Hunt
  • Statistics
  • Settings
• OpenSearch Dashboards
  • Discover
    • Screenshots
  • Visualizations and dashboards
    • Prebuilt visualizations and dashboards
      • Screenshots
    • Building your own visualizations and dashboards
      • Screenshots
  • Anomaly Detection
  • Reporting
  • Alerting
    • Email Sender Accounts
• Search Queries in Arkime and OpenSearch Dashboards
• Other Malcolm features
  • Custom Rules and Scripts
    • Suricata
    • Zeek
    • YARA
    • Other Customizations
  • Automatic file extraction and scanning
    • User interface
  • Index management
    • OpenSearch index management
    • Using ILM/ISM with Arkime
  • Event severity scoring
    • Customizing event severity scoring
  • Zeek Intelligence Framework
    • STIX™ and TAXII™
    • MISP
  • “Best Guess” Fingerprinting for ICS Protocols
  • Asset Interaction Analysis
    • Enriching network traffic metadata via NetBox lookups
    • Compare and highlight discrepancies between NetBox inventory and observed network traffic
    • Populating the NetBox inventory
      • Manually
      • Via passively-gathered network traffic metadata
        • Matching device manufacturers to OUIs
      • Via active discovery
    • Compare NetBox inventory with database of known vulnerabilities
    • Preloading NetBox inventory
    • Backup and restore
  • CyberChef
  • API
• Forwarding Third-Party Logs to Malcolm
• Malcolm installer ISO
  • Installation
  • Generating the ISO
  • Setup
  • Time synchronization
• Deploying Malcolm with Kubernetes
  • Configuration
  • Running Malcolm
  • Deployment Example
  • Future Enhancements
  • Deploying Malcolm on Amazon Elastic Kubernetes Service (EKS)
  • Deploying Malcolm on Microsoft Azure Kubernetes Service (AKS)
• Deploying Malcolm in Other Third-Party Environments
• Hardening
  • Compliance Exceptions
• Installation example using Ubuntu 22.04 LTS
• Upgrading Malcolm
• Modifying or Contributing to Malcolm