Security Analytics 8.1.x Administration and Central Manager ...

Security Analytics 8.1.3 Administration and Central Manager Guide

Updated: Wednesday, August 12, 2020

Administration and CentralManager Guide SecurityAnalytics 8.1.3

Copyrights, Trademarks, and Intellectual Property

Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. Copyright © 2020 Broadcom. All Rights Reserved. For more information, please visit www.broadcom.com.

Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein, neither does it convey any license under its patent rights nor the rights of others.

3


Table of Contents

New in Security Analytics 8.1.x 13AWS Virtual Private Cloud (VPC) Traffic Mirroring 13VXLAN Support 13Deprecation Notices 13More New Features 13

Setting Up Security Analytics 8.1.x 14

Initial Configuration 16Network Settings 16Install the License 18

Appliance Ports 202G Appliances 20SA-S500-20-FA 20SA-2G-10T-G6 21

10G Appliances 21SA-S500-30-FA 21SA-S500-35-FA 22SA-S500-40-FA 22SA-10G-HD-8T-FC-G6 22SA-10G-26T-G6 23

Central Managers 23SA-S500-10-CM 23SA-CM-4T-G6 23

Storage Modules and Arrays 24SA-E5660-ISA-300T 24SA-J5300-DAS-40T 24SA-SM-48T-G6 25SA-SM-240T-FC-G6 26

Alerts Management Dashboard 28Populating the Dashboard 29

Capture 30Initiate or Stop Capture 30Capture Summary Graph 31Total Traffic per Interface and Uptime 32View Menu 32Clear the Capture Summary Graph Data 33Actions Menu 33

4


Static Filters 33Apply a Capture Filter to an Interface 34Apply a Capture Filter to a PCAP Download 34

Intelligent Capture 34Intelligent Capture vs. Dynamic Filters 34Intelligent Capture Operation 35

Dynamic Filters 36Dynamic Filter Operation 36Guidelines for Creating Dynamic Filters 37Expected Behavior with Dynamic Filters 37

Capture-Interface Aggregation 38PCAP Files 39Download PCAPs of Captured Data 39Import PCAP Files 41PCAP File Analysis 42Automatically Import PCAP Files 44Automatically Export PCAP Files 45Configure a Mount Point 45

Playback 46Create a Playback Session 47Many-to-Many Sessions 48Playback of Imported PCAPs 49

Data Availability 49Data Enrichment Profiles 49Viewing Data Availability 50Calendar Display 51Capture Summary Graph 52

Reindexing 52Reprocessing 53

Data Analysis 56Metadata Settings 56Metadata Tables 58

Integrated Cyber Defense Exchange (ICDx) 82ICDx Metadata Forwarding 83ICDx Remote Notifications 85

Open Parser 86Open Parser Conventions 87Create an Open-Parser Rule 88View the Report Data 90Add the Open Parser Report Widget to a Summary View 91Open Parser Alerts 91PII Reports Example 92Open Parser Data Matching 95

Summary Views 96

5


Report Widgets 96Create a Summary View 97Report Widget Controls 98Apply Filters to Summary Views 100Save the Output of a Summary View 100Session Resolution 100

Anomaly Detection 101Enabling Anomaly Detection 101Anomalies Pages 102Filtering Anomaly Alerts 103Anomaly Investigation View 103Anomaly Detectors 104Tuning ADM Settings 106

Filters 107Primary Filters 107Dynamic Filters 109Data Enrichment Filters 109Timespan Filters 112Advanced Filters 113Create Filters from Graphical Screen Elements 114Capture Filters 115Advanced-Filter Attributes 115Wildcards and Logical Operators 121Universal Connector 128

Indicators 129Preloaded Indicators 129Indicator Specifications 130Using Indicators 130Create a New Indicator 131Create an Indicator from the Filter Bar 132Import Indicators from a List, or Create a Live-Feed Indicator 132Export Indicators 133Edit Indicators 134Delete Indicators 135Format a List of Indicators 136JSON Formatting for Indicators 137

Reports 137Reports Page 138Report Results List 138Compare Report Results 139Save Report Results 139Export Reports 140Risk and Visibility Report 140Report Status Pages 141Scheduled Reports 143Summary Views 144Populating the Reports 149

6


Extractions 152Artifacts 152Extraction Status Page 154Save Extractions and Artifacts 158Save Multiple Extraction Items 158Cancel an Extraction 159Artifact Preview 159Root Cause Explorer 159Artifacts Timeline 159Email Extractions 159IM Conversations 160Media Panel 161Tune the Extraction Process 161

Artifact Preview 161Artifact Views 162

Sessions 172Sessions Page 173Session Results Table 174Save Session Results 175

Geolocation 176Map Navigation 176Results List 177Saving Geolocation Results 178Geolocation Settings 178Geolocation Filters 179MaxMind City and Country Databases 180Google Earth 181

Encapsulation Detection 181PPPoE 181IPv6 in IPv4 182GRE Encapsulation 183

Packet Analyzer 184Packet Analyzer Filters 184Packet List 184Packet Details 186Packet Bytes Pane 186

Data Enrichment 188Reputation Queries 188Activate a Data-Enrichment Resource 189Exclude from Lookup 189Data Enrichment Filters 190Enrichment Providers 190URL and IP Enrichment 190File and File-Hash Enrichment 191

7


Other Enrichment 191Data Enrichment Resources in Dark Sites 191Symantec Intelligence Services 193Symantec On-Demand Providers 197Symantec Analysis Providers 202Reputation Providers 210Third-Party Integration Providers 214Endpoint Providers 217Custom Hash List 218YARA Rules 220Login Correlation 222File Names Sent to Providers 228

Rules 230Rules Activated by Default 230Prepare to Create a Rule 231Create a New Rule 231

Alerts 236Alert Creation Workflow 236Alert Management 237Data Enrichment Alerts 239

Remote Notifications 245Configure the Server 245Choose or Create a Template 245Select the Notification When Creating or Editing a Rule 247

Data Enrichment Filters 247

Appliance Security 255User Accounts and Groups 255Local Users 256Shell-Only Users 257Account Profile Settings 258User Groups 259Remote-Authentication Users 265

Account Settings 265Remote Authentication 267LDAP Authentication 267CAC Authentication 272Troubleshooting LDAP 272Kerberos Authentication 273RADIUS Authentication 274Two-Factor Authentication 275

Common Access Card Authentication 276Configure Security Analytics to Authenticate with a CAC 277

Using RADIUS and LDAP in Parallel on Security Analytics 278Behavior in SA 8.1.1 278Behavior in SA 8.0-8.3 278

8


Functionality and Process 279

LDAP Group Inheritance 279Remote Access 284Firewall 284Web Access 286SSH Access 288Ping (ICMP) 288Web Interface Settings 289

Passwords 290Password-Complexity Rules 290Set Notification Interval for Password Expiry 291

SSL Certificates and Keys 291Install a New Certificate and Key 292Additional Certificate Requirements 295Certificates Between CMCs and Sensors 297

Security Analytics Ports and Protocols 298Inbound Connections to Security Analytics 298Outbound Connections from Security Analytics 299

Disable SSH Root Logins 301SSH Authentication 302Generate an SSH Key for Data Enrichment Providers 302

MD5-Encrypted Password for Bootloader 303Federal Information Processing Standards 304Entering FIPS Mode 304Exiting FIPS Mode 305

System Maintenance 306Logging and Communication 306Logging 306Email Alerts 308SNMP Settings 309Syslog Settings 311Splunk Phantom 312Communication Settings 312MIB Files 313Resetting System Logs 314

Job Queue and System Alerts 314Job Queue 314System Alerts 314File-System Notifications 315System-Critical Notifications 315

Software Upgrades 315Add an Upgrade Server 316Upgrade Security Analytics 317

9


Upgrading from a TAR File 317Licensing 318Network Settings 319System Date and Time 320Statistics 321Network System 321Size on Disk 322Storage System 323Total Captured 324Total Filtered 324

Drive-Space Management 324Capture and Index Drives 324System Drive 324Home Drive 326Time-Based Data Deletion 326

Reboot or Shut Down 328From the Web Interface 328From the CLI 328Using the IPMI Interface 329

Troubleshooting 329Search the Knowledge Base 329Contact Support 329Submit a Support Case 330Consult Help Topics 330

Introduction to the Central Manager Console 331CMC Initial Settings 332Connect Your First Sensor to the CMC 333Generate the Authorization Key for the Sensor 333Link the Sensor to the CMC 334Grant Yourself Access to the Sensor 335Disconnect Sensors from a CMC 336Manage One Sensor with Multiple CMCs 337

User Accounts and Groups on the CMC 338Sensor Access 338

Remote Groups: Example Setup 339Network Setup 339Requirements 340Design 340Create the Remote Groups 341Create the Users 342Assign Sensor Authorizations 344Results 344

Multi-Sensor Environment 347View Multiple Sensors 347

10


Data Aggregation 352Multi-Sensor Metadata 353Multi-Sensor ICDx Metadata 354Multi-Sensor Summary Views 354Multi-Sensor Reports 354Multi-Sensor Extractions 355Multi-Sensor Indicators 356Multi-Sensor Rules 357Multi-Sensor Alerts 357Multi-Sensor PCAP Files 358PCAP Import 358Multi-Sensor Geolocation and Google Earth 358Multi-Sensor Communication Settings 358

Upgrading Sensors 359CMC Upgrade Repository 359Add an Upgrade Image to the CMC Repository 360Upgrade Sensors from the CMC Repository 360

CMC Local Management 362CMC Dashboard 362Your Sensors list 363Other Sensors List 364Control Buttons 364Upgrading the CMC 365

Appendix 366How Security Analytics Works 367Implementation 367Drive Configuration 367Packet Capture 368Writing the Slots 370Data Overwriting 370Overwriting Imported PCAPs 372

Flows in Security Analytics 373TCP Finite State Machine 374UDP State Machine 375Flows in Security Analytics 376Flow-Based Reports 377

Populating the Reports 379Where's my data? 380Metadata Settings 380Natively Indexed Metadata 380Conversation Reports 381Data Enrichment Verdicts 381Hash Reports 382Open-Parser Rules 383

Detecting File Types 383

11


Primary Filters for File Types 383Advanced Extraction Filters 383Why Can't I Detect All JavaScript Files? 384

Artifact Extraction 385Protocol Carvers 385Signature-Based Extraction 385

Data Enrichment Process 389Default Data-Enrichment Process 389Example: Create a Data Enrichment Rule to Evaluate PDFs 390

FRS Prefilter Process 392FRS Prefilter Process 392When to Disable the FRS Prefilter 397

Anomaly Detection Process 398Initial Evaluation 398Statistical Analysis 399ADM Detectors 399Interpreting Anomaly Messages 400

All Settings 404Interface Icons 407Menu > Analyze > Summary 410Menu > Analyze > Summary > Reports 411Menu > Analyze > Summary > Extractions 412Menu > Analyze > Summary > Sessions 414Menu > Analyze > Summary > Geolocation 415Menu > Capture > Summary 416

Resources 419

12


New in Security Analytics 8.1.xThe additions to Security Analytics in version 8.1.x are as follows:

AWS Virtual Private Cloud (VPC) Traffic MirroringAs of this release, we recommend using VPC Traffic Mirroring over the previous solution, CloudLens. For more information, see the Security Analytics AWS Deployment Guide, or https://docs.aws.amazon.com/vpc/latest/mirroring/vpc-tm.pdf.

VXLAN Support In an effort to provide additional paths to transmit monitoring data, we have introduced VXLAN support in this release.

Note: For more information on configuring AWS VPC Traffic Mirroring and VXLAN support, please refer to the Security Analytics AWS Installation Guide, available on https://techdocs.broadcom.com.

Deprecation Notices n Symantec DeepSight

Following Security Analytics 8.1.2, support for DeepSight will no longer be available.

n UI and Documentation LocalizationFollowing Security Analytics 8.1.2, documentation and User Interface content will be provided in English only.

n Artifact Timeline. Security Analytics 8.1.2 is the last version to include the Artifact Timeline Feature.

More New Features n YARA upgraded to version 3.8.1

13

https://docs.aws.amazon.com/vpc/latest/mirroring/vpc-tm.pdf


Setting Up Security Analytics 8.1.xIf you are installing Security Analytics 8.1.x for the first time you must follow these instructions, because the method for setting the management IP address is different from version 7.x.

To permit multiple management interfaces, Security Analytics 8.0.1 and later uses bond0 as the management interface, replacing eth0 in versions previous to 8.0.1.

By default physical eth0 is always bound to logical bond0. Adding another physical interface to bond0 removes that interface from the pool of capture interfaces. (To see the port enumeration for your hardware consult Appliance Ports, below. )

To specify the IP address for bond0 from the command line follow these steps:

1. Access the CLI from a direct connection or use SSH to go to 192.168.20.20.

2. Log in with the default admin credentials: admin | Solera

3. Run this command:

sudo cfg_bond_interface.py -i eth0 -n <IP>/<netmask> -g <gateway>

Specify the netmask in dotted-decimal format: 255.255.255.0.

4. Provide the sudo password: Solera

5. In a web browser navigate to the address you just specified.

6. Log in with default admin credentials: admin | Solera

7. Accept the EULA.

8. Complete the Initial Configuration page and license the product.

9. If you want to add another management interface after the appliance reboots:

14


n Go to Menu > Settings > Network.

n Select Use Multiple Management Interfaces.

n Select the other interface and click Save.

The Secondary Network Address is a failover address for bond0. It is not the IP address for the second management interface.

15


Initial ConfigurationHave you set the management IP address on your appliance?

Yes — Continue. No — Go to "Setting Up Security Analytics 8.1.x" on page 14.

This page contains instructions for configuring the Symantec Security Analytics appliance on the Initial Configuration page. To see how to configure other settings, see "All Settings" on page 404.

Network Settings 1. After you have logged in to the web interface (admin | Solera), accept the EULA and then the Initial

Configuration page is displayed. If you cannot see the Initial Configuration page, append /settings/initial_config to the appliance's IP address in the address line of your browser.

n Specify a Fully Qualified Hostname (system name) for the Security Analytics appliance.

o If the hostname is not an FQDN, you may get unexpected results.

o The name typed here is displayed as part of the prompt when anyone logs in to the command line for this appliance.

o The hostname is the first element of an artifact filename.

o You must register this hostname with your DNS servers if you intend to refer to this appliance by its hostname in other contexts.

o Later, if you want to refer to this appliance using multiple hostnames, go to Settings > Web Interface and input the additional hostnames under Allowed Hostnames.

2. Set the IP address, mask, and default gateway for the management interface (bond0) using one of the following methods:

n Select the Use DHCP check box to automatically retrieve network settings for bond0. (DHCP is not available for multiple management interfaces.) If you choose to enable DHCP, Symantec recommends that you use the DHCP reservation feature of your DHCP server to statically map the MAC address of the management interface to an IP address.

n As desired, edit the static network settings manually.

If you specify an IPv6 address, the network service restarts after you click Save, and you may lose connectivity temporarily.

3. Optional — For IPv6 secondary addresses, separate the addresses with a space.

16


4. Optional — If your appliance accesses the Internet through a proxy, type the IP address of the HTTP Proxy in the following format: <hostname>:<port>

5. Optional — Specify comma-delimited exceptions to the proxy in the No Proxy field: .mycompany.com,10.18.5.5, 2508:34ed:af:2d1::3d33

n The value hostname is always present in the No Proxy field, even though it is not visible.

n If your appliance accesses the Internet through an authenticated proxy, edit /etc/environment as follows:

http_proxy="http://<username>:<password>@<IPv4>:<port>"https_proxy="http://<username>:<password>@<IPv4>:<port>"

or

http_proxy="https://<username>:<password>@[<IPv6>]:<port>" https_proxy="https://<username>:<password>@[<IPv6>]:<port>"

Also see how to "Authenticate to an Internet Proxy" on page 296, which you can do after you license Security Analytics.

6. Specify up to three DNS servers. If you will be using hostnames for other settings on this appliance, you must specify the primary DNS.

7. Set the correct date and time for the appliance (MM/DD/YYYY hh:ii:ss). You can enable NTP later.

8. Select the appropriate Time Zone for this appliance's physical location.

Because time is an essential parameter for both PCAP generation and playback, you must set the correct time and time zone on the appliance before you begin to capture data.

9. Select the Interface Language.

Changing the browser language setting while filters or processes are active is not supported.

10. Change the root password for the appliance and specify its lifespan. To change the root password after initial configuration use passwd on the CLI.

17


n There is no password-backup option. If you lose the root password you may need to send the appliance back to Symantec Support for reset.

n Follow best key-maintenance practices by manually recording the root and admin passwords and by keeping a copy in a secure location that is separate from the appliance.

11. Select Lock Root Account to disable all root access to the appliance.

WARNING! You cannot re-enable the root account unless you have console access to the appliance, and then you will have to contact Symantec Support for assistance.

12. Change the password for the admin account and specify its lifespan. To change the admin password after

initial configuration, select [current account] > Account Settings.

13. For Password, change any of the requirements, as desired.

Alterations to the password requirements apply to the root and admin passwords that you set on this page as well as to all new user accounts. You can change the requirements after initial configuration on Settings > Security. See "Passwords" on page 290.

14. Click Save.

If there are any errors on the page, you will be prompted to fix the errors. Before you click Save again, you must input the passwords again for both the root and admin accounts.

Install the License 15. The License Details dialog is displayed.

16. Retrieve your license key from Symantec Support (support.broadcom.com/security) as instructed in the eFulfillment message from Symantec.

17. Does your appliance have access to the internet (license.soleranetworks.com; port 443)?

18

http://support.broadcom.com/security


Yes — Under Retrieve License, input the License Key and click Send Request.

n If applicable, select the desired license type.

n The appliance sends the license key and the license seed file to the Symantec license server, which generates the appropriate license file (license.tgz) and returns it to the appliance, which then automatically reboots.

No — Click Download DS Seed to download the seed file (dsseed.tgz) to your workstation.

n On a workstation that has Internet access, go to license.soleranetworks.com.

n Type your license key, upload dsseed.tgz, and click Submit.

n If applicable, select the desired license type and click Submit.

n Save the license file (license.tgz) to your workstation.

n Return to the License Details dialog.

n Click Browse and select license.tgz.

n The license is uploaded and the appliance automatically reboots.

18. Once the system has rebooted, select About > License Details to verify that the items are correct.

19. Click Download to create an archive copy of the license file (solera-license.dat). Store this file in a safe location that is not on the appliance.

20. Consult "All Settings" on page 404 to further configure your system. If you are setting up a Central Manager Console, continue to "CMC Initial Settings" on page 332.

19

https://license.soleranetworks.com/


Appliance PortsConsult the following diagrams to see how ports are designated on a Symantec Security Analytics appliance.

For instructions on cabling and configuration for head unit plus storage module combinations, see the Security Analytics Installation Guides on Symantec Support Center under Installation Guide. Be sure that you use the instructions for the correct hardware vendor and generation.

Go to Security Analytics documentation on the Symantec Support Center and select Compatibility Lists under Onboarding to see the bill of materials for each Dell or NetApp model.

The location of the management port (physical: eth0; logical: bond0) on the Dell Hardware is valid only after Security Analytics has been installed on the hardware.

2G Appliances

SA-S500-20-FA

20

https://support.symantec.com/content/unifiedweb/en_US/Documentation.1145515.2121507.html


SA-2G-10T-G6Dell PowerEdge R630 Rack Server

10G Appliances

SA-S500-30-FA

21


SA-S500-35-FA

SA-S500-40-FA

SA-10G-HD-8T-FC-G6Dell PowerEdge R630 Rack Server

22


SA-10G-26T-G6Dell PowerEdge R730xd Rack Server

Central Managers

SA-S500-10-CM

SA-CM-4T-G6Dell PowerEdge R630 Rack Server

23


Storage Modules and Arrays

SA-E5660-ISA-300T Security Analytics E5660 300T Intelligent Storage Array

SA-J5300-DAS-40TBlue Coat Security Analytics J5300 40T Direct-Attached Storage

24


The rightmost two ports in each module are used only in a two-node failover cluster, which Symantec does not support for Security Analytics.

SA-SM-48T-G6Dell PowerVault MD1400 Attached Storage

The rightmost two ports in each module are used only in a two-node failover cluster, which Symantec does not support for Security Analytics.

25


SA-SM-240T-FC-G6Dell PowerVault MD3860f High-Speed Fibre Channel Storage

26


NetApp® E2760 Storage Array

27


Alerts Management DashboardThe default landing page, the Alerts Management Dashboard, provides immediate visibility into the current state of network traffic.

n "Populating the Dashboard" on the next page

n Alerts List

1

Analyze, Capture, Statistics, Settings, Menus

8 Dashboard, Summary, and List tabs

2

Alerts and Anomalies in the last 96 hours; this count is not affected by the alerts filters

9 Time Range Filter

3

System Utilization 10 IP Filter

4

About Menu 11 Advanced Filter

5

Job Queue 12 Importance Filter — Click to add to the Advanced Filter

28


6

Notifications 13 Alert Distribution over Time Histogram

7

Account Settings 14 Alert Cards — Click details to see the alert list

Populating the DashboardAlerts are produced by rules.

n By default, the following rules are enabled: Heartbleed Attack Attempt, Non-Standard SSH, Shellshock Webserver Exploit Attempt, and Local File Analysis - Live Exploits.

n To enable other rules or create new ones, select Analyze > Rules or click Set Up Rules for Alerts.

29


CaptureInitiate or Stop Capture 30

Capture Summary Graph 31

Static Filters 33

Intelligent Capture 34

Dynamic Filters 36

Capture-Interface Aggregation 38

PCAP Files 39

Playback 46

Data Availability 49

Reindexing 52

Reprocessing 53

Also see "Tap Placement and Capture Optimization Best Practices" on the Security Analytics documentation site.

The Menu > Capture > Summary page has two sections: the interactive graph at the top of the page and a set of summary boxes (one per interface). (See "Menu > Capture > Summary" on page 416.)

Initiate or Stop Capture

You can also use the dscapture command in the CLI for some of these actions. (Consult the in the Security Analytics 8.1.x Reference Guide on support.symantec.com.)

1. Select Menu > Capture > Summary and identify the graphical box for the interface.

2. Click Start Capture. The green Start Capture button becomes a red Stop Capture button.

30

https://support.symantec.com/content/unifiedweb/en_US/Documentation.1145515.html



3. If there is traffic on that interface, the Current, Max, and Total rows in the Captured column will begin to populate.

Do not click Start Capture for interfaces that receive no traffic or you will produce unexpected behavior.

1. To view the interface's traffic in the graph, click the Hidden icon.

2. The color of the left margin of the graphical box is the same color as the interface's line in the graph. Select View > Aggregated Statistics to display all traffic in one line.

Capture Summary GraphThe capture summary graph provides a view of the capture statistics for each network interface so that you can see patterns in network data over time. Click and drag the cursor over a section of the graph to highlight a section to enlarge. The graph polls the system regularly to get information on interface captures. By default, the graph will display up to six months of historical data.

This interval can be changed by selecting About > Data-Retention Settings. The "age" of graph data is calculated according to when it was written to the database, not according to the timestamps on the packet data. For example, if you import a two-year-old PCAP today and retain the timestamps, the graph for the PCAP will be displayed

31


two years in the past; however, if you set the data-retention interval to one month, the graph data for the PCAP will be erased only after a month has elapsed.

Total Traffic per Interface and UptimeAt the upper-left of the graph you can see System Uptime as well as total traffic per interface and 10-day average capture rate.

n To show or hide each interface, click its Hide/Show Line on Graph icon. (See "Capture Interfaces" on page 417.)

View MenuUse this menu to display information about system performance. You can select as many or as few of these values as you want.

Process Definition Unit of Measurement

CPU Usage Amount of CPU capacity currently used Percentage of Capacity

RAM Usage Amount of RAM currently used Percentage of Capacity

Flow Table Size Cumulative size of the flow table since last reboot Cumulative (Kilo)bytes

DPI Threads Cumulative number of deep-packet inspection (DPI) threads

Cumulative Number

Slot Overflow The number of slots that exceed the DPI slot capacity Current Number

Cumulative Flow Maximum

The highest number of flows since last reboot Cumulative Number

Flows in Progress The number of flows that are currently being processed Current Number

Slots in Use The number of slots that are currently being processed Current Number

Packets in Progress The number of packets that are currently being processed

Current Number

Flows Initiated The number of new flows that have begun processing Current Number

PCAP Import Toggle to show/hide PCAP imports in the graph Network traffic unit of measure

Aggregated Statistics Aggregate data from all capture interfaces Network traffic unit of measure

File Analysis Jobs in Progress

The number of file-analysis jobs that are in the queue Current Number

32


Process Definition Unit of Measurement

Processed File Analysis The number of file-analysis jobs that have been processed

Current Number

File Analysis Queue Discards

The number of file-analysis jobs that were dropped because the extractor's queue limit was exceeded

Current Number

File Analysis Range Discards

The number of file-analysis jobs that were dropped because the maximum slot range limit was exceeded

Current Number

File Analysis Slot Discards

The number of data-enrichment jobs that were dropped because the slot was not in memory (not live)

Current Number

File Analysis Requests The number of file-analysis requests to the Intelligence Services

Current Number

Clear the Capture Summary Graph Data

1. Select About > Data-Retention Settings.

2. Click Delete ALL Capture Summary Graph Data. You cannot undo this action.

3. Optional — Specify how long to keep data for Life of Capture Summary Graph Data.

Actions MenuClick the Actions menu to access the following options:

n Download PCAP — Save the data in the selected timespan as a PCAP file.

n Start Playback — Create a playback session based on the selected timespan. (See "Playback" on page 46.)

n Reprocess — Resend packets through the rules engine. (See "Reprocessing" on page 53.)

n Reset Zoom — Reset the graph to the default view.

n Analyze Data — View the selected timespan on the Summary page.

Static FiltersWith static capture filters, you can select the packets to be captured or discarded by a given network interface. Static filters are applied manually and do not expire.

Security Analytics uses the standard Berkeley Packet Filter language to define capture filters at the Ethernet, network, and transport levels (OSI Layers 2–4). Once created, the filter definition can be saved and reused for other capture interfaces. Capture filters can also be applied to PCAP downloads and playback. (Consult BPF Syntax in the Security Analytics 8.1.x Reference Guide on support.symantec.com.)

33



Traffic that is excluded by a capture filter is not written to the capture drive. To filter out traffic types at the application level, use dynamic filters. (See "Dynamic Filters" on page 36.)

Apply a Capture Filter to an Interface

1. Select Menu > Capture > Summary.

2. For the desired interface, click the filter icon .

3. For Filter, do one of the following:

n Select an existing filter.

n Select Create New Filter. Provide the Name and BPF Expression for the filter.

4. Click Save. The interface will now capture only the traffic specified by the filter.

5. To remove the filter click again, select No Filter, and click Save.

Apply a Capture Filter to a PCAP DownloadFollow the steps in "Download PCAPs of Captured Data" on page 39, select PCAP without Packet Filters for Type, and then specify a new BPF filter in the space provided.

Intelligent CaptureNew in Security Analytics 8.1.1 With intelligent capture you can specify which packets are not written to the capture drive but that are nevertheless subjected to classification, indexing, and the rules engine. For example, you may want to classify encrypted traffic so that you can see report data on that traffic, but you also do not want to store those packets on the capture drive.

You can use intelligent capture to keep your capture drive from filling up with packets that you do not want to record, such as Netflix® movies, Pandora® audio streams, SSL-encrypted traffic, or any other traffic that you can identify with an indicator.

Intelligent Capture vs. Dynamic Filters Intelligent capture performs a similar function to dynamic filters—preventing the capture drive from filling up as quickly as it otherwise would. The differences are as follows:

n Dynamic filters stop all traffic at the point of ingress to the system, that is, at the capture interface; with intelligent capture the traffic enters the system but is later discarded.

n Dynamic filters are far more resource-intensive than intelligent capture.

34


n Intelligent capture permits metadata indexing and rules to be performed on the traffic that is later discarded; with dynamic filters there is no metadata for the excluded traffic.

Intelligent Capture Operation Intelligent capture rules operate as follows:

1. The user decides which kind of traffic to exclude from the capture drive and creates one or more indicators to identify that traffic. Examples:

n Streaming video by service — application_id=netflix,hulu,youtube,yahoo_screen,vimeo,slingbox,qqlive,mubi,blockbuster,baidu_player,blip_tv

n Streaming media by protocol — application_id=bmff,h225,h245,h248_binary,mgcp,mms,mpgets,msrp,rdt,rtcp,rtp,rtsp,sccp,sip,x25

n All audio/video protocols and services — application_group=audio/video

n Conferencing services — application_id=adobe_connect,gotomeeting,meetingplace,q931,vsee,webex

n Encrypted traffic — application_group=encrypted, application_id=ssl, port=443

n Traffic from a specified VLAN— vlan_id=23

n Traffic on a specified subnet — ipv4_address=10.10.*.*

n To see which protocols and applications are supported for indicators, go to Recognized Applications in the Security Analytics 8.1.3 WebGuide on support.symantec.com and download the XLSX or CSV file.

n Many streaming services are classified as Web traffic rather than Audio/Video. Use the application_id attribute to filter out that traffic.

2. The user creates a discard-packets rule on Menu > Analyze > Rules using the desired indicator(s). (See "Rules" on page 230.)

3. When traffic matches a discard-packets rule, the indexer writes the packet headers and other metadata to the indexing DB. If the traffic matches any other rules, the rule action is performed, such as producing an alert or sending a file or URL to data enrichment.

4. When the flow has completed, the packets are discarded instead of being written to the capture drive.

35



The amount of packets discarded by a rule will vary from application to application. Where there are long flows with large packets, such as with Audio/Video, most of the packets will be discarded. Where there are shorter flows with shorter packets, such as with encryption, most of the flow will have been captured before the rule matches. Discard-packets rules do not remove packets after they have been written to the capture drive.

You can view the intelligent capture (discard-packets rule) statistics with the Packet Retention report. Note that the report defaults to flows rather than packets, so you must reconfigure the report for packets if that's what you desire.

Dynamic FiltersDynamic filters are similar to "auto notch" filters — a term from radio signal processing. Auto-notch filters identify and suppress frequencies that are overpowering other frequencies, thereby improving the signal-to-noise ratio.

In Security Analytics, the auto-notch daemon converts specified flow characteristics into ingress filters, which prevents the flow from being written to the capture and indexing drives. You can use dynamic filters to keep your drives from filling up with packets that you do not want to record, such as Netflix movies, Pandora audio streams, SSL-encrypted traffic, or any other traffic that you can identify with an indicator.

Be very careful about applying dynamic filters — you risk overwhelming your system resources if an excessive number of filters is applied in a short time.

Dynamic Filter Operation Dynamic filter rules operate as follows:

1. The user decides which kind of traffic to exclude and creates one or more indicators to identify that traffic. Examples:

n Streaming video by service — application_id=netflix,hulu,youtube,yahoo_screen,vimeo,slingbox,qqlive,mubi,blockbuster,baidu_player,blip_tv

n Streaming media by protocol — application_id=bmff,h225,h245,h248_binary,mgcp,mms,mpgets,msrp,rdt,rtcp,rtp,rtsp,sccp,sip,x25

n All audio/video protocols and services — application_group=audio/video

n Conferencing services — application_id=adobe_connect,gotomeeting,meetingplace,q931,vsee,webex

n Encrypted traffic — application_group=encrypted, application_id=ssl

36


n Traffic from a specified VLAN— vlan_id=23

n Traffic on a specified subnet — ipv4_address=10.10.*.*

To see which protocols and applications are supported for indicators, go to Recognized Applications in the Security Analytics 8.1.3 WebGuide on support.symantec.com and download the XLSX or CSV file.

Use the dynfilter command to manage the dynamic filters. (More information in the Security Analytics 8.1.x Reference Guide on support.symantec.com.)

2. The user creates a dynamic filter rule on Menu > Analyze > Rules using the desired indicator(s). (See "Rules" on page 230.)

3. When traffic matches a dynamic filter rule, an ingress filter is applied to the capture interface where the traffic was detected. The flow that matches the filter is dropped before it is written to the capture and indexing drives, except for the first few packets (less than one second) of the flow.

4. When the interval specified in the rule elapses, the filter is deleted from the capture interface. If the same media is still streaming, it triggers the rule again and the filter is reapplied.

5. When a dynamic filter is applied to a capture interface, the interface display should show how much traffic is being filtered in the Filtered column.

Guidelines for Creating Dynamic Filters n Avoid creating dynamic filters on any type of traffic that is likely to occur frequently across a diverse set of

flows. Such a dynamic filter rule will produce filter strings that soon exceed the size limit for the ingress filter, after which no new entries can be added until older entries expire. For example, a dynamic filter rule using the Commonly Scanned Ports indicator will soon fill allotted memory and prevent other dynamic filters from being applied.

n Dynamic filters should be as course-grained as possible, meaning that you should select only 1 or 2 of the five available attributes to create the filter: usually, IP Responder and IP Protocol together. There is a limit on the number of flows that can be dynamically filtered at a time. By ensuring that only 1–2 of the options are selected, the limit is much harder to reach.

Expected Behavior with Dynamic Filters n Between the time that a flow enters the system and the time that the flow is classified and the dynamic filter

applied, some packets will still be captured to disk. If the flow is especially short, the entire flow may be captured before it is classified and the filter applied.

n Because dynamic filters time out, a flow that lasts longer than the filter timeout may begin to be captured after the filter expires. The DPI engine must reclassify the flow and reapply the dynamic filter before the flow's packets are again filtered out and discarded.

37




n It may take more time to apply a dynamic filter to the traffic in an imported PCAP than it takes to import the PCAP. Unless the PCAP is especially large or the import speed especially slow, dynamic filters probably will not be applied to imported PCAP data.

Capture-Interface AggregationIn some cases it is advantageous to aggregate two or more physical interfaces into one virtual interface — for example, if you have separate physical interfaces for Rx and Tx traffic — an aggregated interface permits Security Analytics to match initiator traffic with its corresponding responder traffic.

You can also aggregate capture interfaces with the dscapture command in the Security Analytics 8.1.x Reference Guide on support.symantec.com.

The following rules apply to interface aggregation:

n You can aggregate as many interfaces as reside on a single appliance.

n You can add only one interface to the aggregate at a time.

n If any of the component interfaces have a capture filter, that filter will be ignored in the aggregate.

n You can apply a capture filter to the aggregated interface.

n When you separate an aggregated interface, you separate all of the component interfaces; you cannot delete only one or two interfaces from the aggregate.

n After separating an aggregated interface, any filters that were on the individual interfaces will be reapplied, whereas any filters that were on the aggregated interface will be removed.

To aggregate interfaces, follow these steps:

1. Stop capture and playback on all of the interfaces that you want to aggregate.

2. Click and drag one interface box onto another interface box.

38



3. Verify that you have selected the correct interfaces, make a note of the new interface name, and click Combine.

4. Click Start Capture to start capturing on the aggregated interface.

5. To separate the aggregated interface into its component interfaces, stop the capture or playback on the interface, click the chain icon at the top-right of the interface box and click Separate.

PCAP FilesPCAP files contain copies of all captured packets for a given timespan. Symantec Security Analytics supports PCAP and PCAPNG formats, both Ethernet-encapsulated and PPP-encapsulated.

PCAP files can be very large. If you are accessing the Security Analytics web interface on Microsoft® Internet Explorer 9 or another browser that cannot send files in chunks, you cannot support PCAP files larger than 2 GB without using the Web Services APIs in the Security Analytics 8.1.x Reference Guide on support.symantec.com.

Download PCAPs of Captured Data

1. Do one of the following on Menu > Analyze > [Summary | Reports | Extractions | Geolocation]:

n Select Actions > Download PCAP — Any filters in the filter bar are applied to the downloaded file.

n Click the info icon on the Status bar.

2. The Download PCAP dialog is displayed.

3. For Filter click View Path to see the /pfs/flows path.

4. Click Calculate Size to see the amount of data to be downloaded.

39



5. For Type, select one of the following:

n PCAP — File is downloaded in PCAP format.

n PCAPNG — File is downloaded in PCAPNG format.

n PCAP without Packet Filters — All primary filters are cleared from the data.

n To apply a BPF filter, click the Filter list. Select a previously configured filter or select Create New Filter, type a name for the filter, and enter the BPF expression in the space provided. (See BPF Syntax.)

6. For Download Options, select one of the following:

n Browser — Download the PCAP file using your browser's file-download feature.

n Offline — Send the PCAP download job to the queue, to run in the background. (Not available for PCAP without Packet Filters.)

o A message indicates that the generation of the PCAP has begun.

o Click the notification at the upper-right corner of the web interface. The entry shows PCAP generation in progress.

o When the process has completed, the status changes from Processing to Download. Click the entry and follow the prompts to save the PCAP file.

n NFS save — Save to an NFS server. (Not available for PCAP without Packet Filters.)

The apache user (on the Security Analytics Apache instance) must have both read and write permissions to copy the PCAP to the mounted NFS server.

n For Server, click the Manage Connections icon. The Manage Connections dialog is displayed. As needed, configure an NFS mount point.

7. Click Download to save data.pcap or data.pcapng.

Other PCAP Downloads

Download PCAPs as follows, using your browser's Save function:

n On Menu > Analyze > [Summary | Reports | Extractions | Geolocation], select Actions >Analyze Packets, and then click Download PCAP — Any packet-analysis filters are applied to the downloaded PCAP. (See "Packet Analyzer" on page 184.)

40


n Select Menu > Analyze > Summary > Extractions and expand an artifact entry.

o Click Download and then select Download Artifact PCAP or Download Artifact PCAPNG.

o Click Analyze PCAP and then click Download PCAP — Any packet-analysis filters are applied to the downloaded PCAP.

n Select Menu > Capture > Summary, then select Actions > Download PCAP — Any filters on the capture interfaces are applied to the downloaded PCAP.

Automatic PCAP Downloads

To export PCAPs automatically, create a PCAP Export rule.

Import PCAP FilesYou can import PCAP files from your workstation, a USB drive, or a remote server. To import from a USB drive, insert the drive into the Security Analytics appliance before performing the next steps; do not remove the USB drive until the import is complete.

n Select View > PCAP Import in the Capture Summary Graph ("Menu > Capture > Summary" on page 416) to see the histogram of the import.

n You can also use the dspcapimport command in the CLI for this function. (More information in the Security Analytics 8.1.x Reference Guide on support.symantec.com.)

1. Select Menu > Capture > Import PCAP.

2. Click New.

3. For Import from, specify the import device.

n My Computer — Click Browse, locate the PCAP file, and open. (Not available from the CMC; see "Multi-Sensor PCAP Files" on page 358.)

n Appliance USB Drive — Select the PCAP file to import. (Not available from the CMC.)

n Remote Server — Select an existing mount point or specify a new one, select the Schedule, and then select the PCAP file to import.

4. Indicate whether to share the imported PCAP.

5. Clear the Retain original packet timestamps check box to use the importation begin and end times as the timestamps.

41



When the original timestamps are not retained, the PCAP is imported as fast as system resources allow; therefore, the new timestamps will not necessarily be in the same order as in the original PCAP. If you need to preserve the order or timing of events, Symantec recommends that you retain the original packet timestamps.

6. Click Import.

n When you upload a series of PCAPs rapidly, one after the other, each PCAP may be imported over a different virtual interface: impt0–impt9. PCAP data can be imported concurrently on up to ten virtual interfaces.

n Use dspcapimport to specify which impt interface to use for a PCAP import. (More information in the in the Security Analytics 8.1.x Reference Guide on support.symantec.com.)

PCAP File AnalysisAfter you have imported a PCAP file, use the following methods to further analyze the data.

Analyze PCAPs on Security Analytics

The web UI on Security Analytics offers these options:

n "PCAP Imports List" below

n "Storage System Page" on the next page

n "Capture Summary Page" on page 44

PCAP Imports List

Select Menu > Capture > Import PCAP. On the Imports list, the following information is available:

n Name — Name of the imported PCAP file.

n Status — Import state such as Running, Queued, Completed, or Canceled. To filter the list by status, click All at the top-left of the list and select the desired state.

n Import Source — The method of importing the PCAP, such as Browser Upload or the name of the remote server (as specified under Manage Connections).

n Interface — The interface on which the PCAP was imported, usually impt0.

n Import ID — Sequential number that is assigned to the import. This number appears in filters as import_id=<x>.

42



n Extraction Jobs — Number of files that have been reconstructed by the micro-extraction process. Total shows how many rule hits were registered, and Completed shows how many micro-extractions have been completed.

n Data Enrichment Jobs — Number of verdicts that have been returned by the enrichment providers. One artifact can trigger multiple data enrichment jobs when multiple enrichment providers receive the artifact. Total shows how many data enrichment jobs have been created, and Completed shows how many verdicts have been returned.

n Created Time — The time at which the PCAP import began.

n First Packet Time — The timestamp on the first packet in the PCAP file. If you selected Retain original packet timestamps for the import, this date will be earlier than the Created Time; otherwise, it will be a few seconds later.

n Actions — Click an icon:

o View Import Information — See more information about the import, including error messages.

o View Alerts of This Import — Open the Alerts Management Dashboard to see the alerts that this PCAP generated.

o View This Import — Loads the PCAP into the Menu > Analyze > Summary view with import_id=<x>in the filter bar.

n You cannot directly type import_id=<x> into the filter bar to view the PCAP data, because the proper timespan for the import must also be specified. Always use View This Import to load the PCAP data into the Analyze pages.

n On the Alerts pages, you can type import_id=<x> into the Advanced Filter to see the alerts that were generated by that PCAP.

Storage System Page

On the Menu > Statistics > Storage System page, an entry for the imported PCAP is displayed under Active Slot Chain for Interface impt<X>.

43


n Because PCAPs are imported to the capture drive along with the live captures, imported PCAPs will be overwritten as the capture process cycles.

n As a PCAP is overwritten, the values that indicate size and location gradually decrease. The entry for the PCAP disappears when the PCAP data in the capture drive is completely overwritten.

n When you import multiple PCAPs via the same virtual interface, the system shows the combined statistics for the PCAPs in a single entry.

Capture Summary Page

On the Menu > Capture > Summary page, select View > PCAP Import to see the histogram for the PCAP.

n If you selected the Retain original packet timestamps check box during import, the PCAP data will be displayed in its original capture timeframe at the far left of the chart.

n Any activity that the PCAP import generates — such as Intelligence Service requests or flows in progress — is displayed using the actual timestamps. For example, if the original packet timestamps are in February and the PCAP is imported the following April (with timestamps retained), the histogram for the PCAP import will be in February and the data enrichment requests it generates will be shown as occurring in April.

Analyze PCAP Files in Wireshark

n To view PCAP files in Wireshark®, download and install that third-party application.

n Follow the Wireshark instructions to import and read PCAP(NG) files.

n Alternatively, open Menu > Analyze > [Summary | Reports | Extractions | Geolocation] and then select Actions > Analyze Packets. The PCAP is displayed in the packet analyzer, which has an interface similar to Wireshark's.

Automatically Import PCAP FilesUse watch folders to automatically import PCAP files from a remote server.

1. Select Menu > Capture > Import PCAP and click the Watch Folders tab.

2. Click New.

3. Do you need to configure a new server (mount point)?

Yes — Follow the steps to Configure a Mount Point to configure the new server and directory.

No — Select an existing mount point and continue the procedure.

4. For Check for Files, specify the interval to check for new PCAP files.

5. For Select folders, specify which folder(s) to monitor for new PCAP files. The selected folder names are displayed in the space below.

44


6. Optional — Clear the Retain original packet timestamps check box to ignore the PCAP timestamps and use the import start time instead.

7. Click Create. The system will check the specified folder(s) and automatically upload any new PCAP files that it finds.

8. Click Manage Connections to edit the information for the watch folder mount points.

Automatically Export PCAP FilesTo automatically export PCAP files, use a PCAP export rule. (See "Rules" on page 230.)

Configure a Mount PointFollow these steps to configure a mount point:

1. Do one of the following to access the Manage Connections dialog:

n Select Menu > Capture > Import PCAP and click Manage Connections.

n On Menu > Analyze > [Summary | Reports | Extractions | Geolocation], select Actions >

Download PCAP or click the Info icon on the Status bar.

o Select NFS save for Download Options, and then click the Manage Connections icon .

n Select Menu > Analyze > Rules, click New, select PCAP Export for Type, and then click the

Manage Connections icon .

2. On the Manage Connections dialog, click Add New Server.

3. For Title, specify a unique name for the mount point. You can create multiple mount points on the same server that point to different directories.

4. For Protocol, select CIFS/SMB or NFS.

45


5. For Server, specify the IP address or hostname for the server. Optionally, you can add a port number after a colon: 10.11.12.13:80.

6. For Directory, type a slash and then the path: /public/saved_pcaps/SA_0344

7. CIFS/SMB Only — Enter the Username and Password of the account to access the server or directory.

8. Click Save.

Playback

Use the dsregen command in the CLI for these functions. (More information in the Security Analytics 8.1.x Reference Guide on support.symantec.com.)

Use the playback feature to reconstruct and transmit captured data flows to a physical network interface for analysis. Depending on which data is selected for replay, the data is lifted from the capture drives or regenerated directly from the input interface(s). Play back live data to forward data flows to a physical network interface for analysis. The Symantec Security Analytics appliance can regenerate traffic with less than 1 ms latency, even at high network speeds (up to 10 Gbps).

When sending data from multiple input interfaces to a single output, take into consideration the interface speeds. For example, if you have two 100-Mbps input interfaces and your output interface is also 100 Mbps, you might experience problems with throughput.

46



Create a Playback Session

1. Select Menu > Capture > Summary.

2. For the output interface, click Start Playback.

3. Select the input interface(s) whose data you want to include.

4. Select the Output Interface to be used.

Interfaces that are in use for capture cannot be used as the output interfaces for playback; otherwise, the existing capture sessions will be stopped.

5. For Time Span, select one of the following:

n All Captured Data — Select to replay all of the data that is currently on the capture drives.

n Live Data — Select to send the data that is currently being captured.

n Custom Time Range — Select to specify the beginning and end.

o For Start Time, expand the list to select a fixed timespan or specify manually the date and time.

o Select Never End so that the data continues to play back until you stop it.

o For End Time, expand the list to select a fixed timespan or specify manually the date and time.

6. To apply a filter to the output interface, expand the Filter list and do one of the following:

47


n Select or edit an existing filter.

n Select Create New Filter and specify a Name and the BPF expression for the filter. (See BPF Syntax.)

7. Click Save.

8. The message Playback in Progress is displayed on the interface box if the playback session is successful.

Click to see the parameters of the playback.

Many-to-Many SessionsWhen a playback session is created, the system merges the input from the physical interfaces and maps it to a virtual interface (imfX), which then forwards the traffic to another physical output interface. (See Virtual Interface Mapping.)

The web interface permits you to specify many-to-one sessions—that is, multiple input interfaces to a single output interface. To create the equivalent of a many-to-many session, you must create one session per output interface.

example

In the example above, there are two output interfaces — eth6 and eth7 — so the following two sessions must be created:

Session Input Filter Output

1 eth2, eth3 [as desired] eth6

48


Session Input Filter Output

2 eth2, eth3 [as desired] eth7

CLI Commands for Many-to-Many Session

To set up the session for the mappings in the example, type the following commands. For more information, see dscapture map and dsregen in the Security Analytics 8.1.x Reference Guide on support.symantec.com.

dscapture --map ifm0 eth2dscapture --map ifm0 eth3dscapture --map ifm1 eth2dscapture --map ifm1 eth3dsregen start ifm0 eth6dsregen start ifm1 eth7

To limit the session to a particular timespan — from 8:00 a.m. to 5:30 p.m. on April 25, 2020 — type the following commands:

dscapture --map ifm0 eth2dscapture --map ifm0 eth3dscapture --map ifm1 eth2dscapture --map ifm1 eth3dscapture --settime ifm0 04.25.2020.08.00.00 04.25.2020.17.30.00.00dscapture --settime ifm1 04.25.2020.08.00.00 04.25.2020.17.30.00.00dsregen start ifm0 eth6dsregen start ifm1 eth7

Playback of Imported PCAPsThe playback function is currently restricted to captured data. Imported PCAPs are imported through a virtual interface, which cannot be selected for playback.

Data AvailabilityData availability is a function of two factors:

n Which data enrichment profile was selected when the data was captured.

n The rate at which the capture and indexing drives overwrite existing data. (See "Data Overwriting" on page 370.)

Data Enrichment Profiles

Menu > Settings > Data Enrichment

Select different "data enrichment profiles" that affect whether metadata, analytical services, and anomaly detection are available for the captured data.

Select one of the following options and click Save.

49



It is not necessary to reboot after changing the data enrichment profile; however, changing from one profile to another may take a few minutes to complete.

n Full Data Enrichment with Anomaly Detection — All services are available:

o indexing (solera-shaft)

o reindexing (solera-reindexerd)

o data enrichment (tonicd)

o rules and alerts (solera-ruleEngine)

o artifact extraction (solera-extractord)

o anomaly detection (adm-connector)

o IPFIX export (solera-ipfixexport)

o PCAP export (solera-pcapexport)

n Full Data Enrichment (No Anomaly Detection) — Default. All services are available except anomaly detection (adm-connector).

n Packets Only — All resources are dedicated to writing data to the capture drive as fast as the hardware permits. All of the analytical and metadata services are disabled. To retrieve PCAPs from the drive that were written during Packets Only, use the GET: /pcap/download/merge API; you cannot download filtered PCAPs from the web UI during Packets Only.

Data that was captured during Packets Only — and that has not been overwritten — can be reprocessed to index the data and apply all active rules. (See "Reprocessing" on page 53.)

Viewing Data Availability

You can see data availability on Menu > Analyze > [Summary | Reports | Extractions | Geolocation] by expanding the timespan selector.

50


Data availability information is displayed:

n [no message] — All metadata and packet data are available.

n limited packet data — Full metadata is available as well as some packet data.

n metadata only — Full metadata is available but no packet data.

n limited metadata — Some metadata is available but no packet data.

n no data — All packets and metadata have been overwritten, or no data was captured during that time.

In some cases, just after packets have been captured but indexing has not been completed, the data is temporarily not available for searches and reports.

Calendar DisplayClick a date to see color-coded information for packet and metadata availability.

51


n White background — All metadata and packet data are available. Reports, artifacts, and PCAP downloads are available for this data.

n Light pink background — Metadata is available but the corresponding packets have been overwritten. Only reports are available for this data.

n Dark pink background — All packet data and metadata have been overwritten, or no data was captured on those days.

Capture Summary Graph"Menu > Analyze > Summary" on page 410

The capture summary graph indicates overwritten data with the dark pink No Data Available area and the light pink Packet Data Overwritten (Metadata Only) area.

Capture summary graph data can remain available after the corresponding packets and metadata have been overwritten because it is not stored on the capture or index drives. See "Drive-Space Management" on page 324 for information on retaining and deleting capture summary data.

ReindexingAlso see "Reprocessing" on the next page.

52


During periods of heavy network activity, the system may not be able to index every packet as it is written to the capture drive. During periods of lower activity, the system returns to the unindexed packets on the capture drive and attempts to finish indexing them.

On the Status bar, the total amount of data in the flows is indicated. If the system has not been able to finish indexing

all of the packets, the warning icon is displayed. Click the icon to see how many flows remain to be indexed.

Click Give Priority to This Timespan to move the unindexed flows in the current view to the top of the reindexing queue.

In some cases the warning icon is still visible for several minutes after the reindexing job has finished.

As soon as a flow has been indexed, it is examined by the rules engine. If the flow matches a rule, the flow will be processed according to the instructions in the rule.

To see reindexing jobs, select Capture > Summary > Actions > Reprocess. Reindexing jobs show 1 in the Command column.

ReprocessingAlso see "Reindexing" on the previous page.

In some cases, when a data-enrichment rule sends a query to an external source, or when an Intelligence Service sends a query to the Global Intelligence Network, there is no immediate response. In other cases, you may have altered your indicators or rules, new report attributes may have been included in an updated version of Security Analytics, or you captured data using the Packets Only profile.

53


As necessary, you can select data to be examined again by the data-enrichment process as well as reindexed by Security Analytics.

For certain encrypted protocols such as SSH, IPSEC, and ISAKMP, the tls_heartbeat_attack_attempt attribute will not be indexed during reprocessing. Heartbleed detection is therefore dependent on the tls_heartbeat_mismatch attribute.

Imported PCAPs cannot be reprocessed.

1. On Capture > Summary select a timespan to reprocess.

2. Select Actions > Reprocess. The Reprocessing Jobs page is displayed.

3. Click New. The Time Range shows the same start and end times as you selected on the Capture Summary page. You may change the time range, as desired.

4. Click Save. The selected data is sent back through the rules engine and is also indexed again.

Depending on system load, reprocessing may not initiate for up to an hour. In the case of heavy system load, it may not initialize until after system load is reduced.

5. The columns on the Reprocessing Jobs page are as follows:

n Start Time — The starting time of the data to be reprocessed.

n End Time — The ending time of the data to be reprocessed.

n Processing Start — The time that the reprocessing job starts.

n Processing End — The time that the reprocessing job ends.

n Command — The type of reprocessing job:

o 1 = Reindexing — Packets that were not indexed at time of capture are indexed.

o 2 = Reprocessing — Packets are run again through indexing, rules engine, and data enrichment.

n Source — The origin of the job:

o 1 = Auto — When system resources prevent indexing at time of capture, resulting in classification discards, the system uses its idle time to index that data.

54


Data that is captured during a Packets Only session is not reindexed or reprocessed automatically.

o 2 = Manual — The reprocessing or reindexing job was initiated by the user:

l Reprocessing is manually initiated as described in Steps 1–4.

l Reindexing is manually initiated on the Summary page status bar.

n Percent Complete — Percentage of the job that is completed.

n Actions — Click to cancel the unfinished portion of the job. If the job is 100% complete, this will delete the entry from the list.

To prevent data corruption, the reprocessor will not reprocess the last 150 slots (~10 GB) of captured data.

55


Data AnalysisMetadata Settings 56

Integrated Cyber Defense Exchange (ICDx) 82

Open Parser 86

Summary Views 96

Anomaly Detection 101

Filters 107

Indicators 129

Reports 137

Extractions 152

Artifact Preview 161

Sessions 172

Geolocation 176

Encapsulation Detection 181

Packet Analyzer 184

Metadata SettingsAlso see "Integrated Cyber Defense Exchange (ICDx)" on page 82.

n Select Menu > Settings > Metadata to enable or disable hundreds of report attributes. Saving changes to this page will cause the appliance to reboot.

n For each selected metadata attribute, the following is true:

o You can include its report widget in Summary views. (More than 18 widgets per view will compromise system performance and integrity.)

o Its report is available on Menu > Analyze > Summary > Reports under its respective report group.

o The attribute is available in the primary filter bar.

o Additional system resources are used during the indexing processes.

Table Columns

For each report group there is a table with the following columns:

56


n Report — Name of the report, as presented on the Menu > Analyze > Reports page.

n Attribute — The primary filter attribute that corresponds to the report. Use the attribute when creating queries . The attribute is visible on the Metadata Settings page when resting the cursor on the report name. (See Best Searching Practices in Security Analytics.)

n Description — A description of the data in the report.

n Namespace — The namespace to which the metadata belongs.

o A Summary view that contains report widgets from different namespaces will take longer to complete.

o When creating complex primary filters, attributes from different namespaces are valid only when joined by AND. (See "Complex Filters Across Namespaces" on page 125.)

n Source — The source of the data in the report, such as packet header or metadata indexer. (See "Populating the Reports" on page 379.)

n Format — The format for the data in the report, such as string or integer

n Num/Len — An X in this column means that you can use the length len(<attribute>) or number num(<attribute>) function in the primary filter bar. num(<attribute>) returns the flows that contain the specified number of the attribute; len(<attribute>) returns the attribute with the specified length. For example, len(filename)=6 returns all of the flows that contain a six-character filename, whereas num(filename)=6 returns all of the flows that contain six instances of the filename attribute.

Note: Wildcards are not valid for the len(<attribute>) and num(<attribute>) functions.

n New — An X in this column means that the report is new in Security Analytics 8.1.3.

General Information

n Only the first 4096 bytes of an attribute are stored in the Indexing DB.

n Select Actions > Download Raw TSV from any Menu > Analyze page (Summary | Reports | Extractions | Geolocation) to download a tab-delimited file that contains selected attributes and their values for the timespan. See RAW.TSV Fields.

n See how to use the attributes in the primary filter, including complex filters, in "Creating Complex Filters" on page 123.

57


Metadata Tables

Application

The Application attributes cannot be disabled.

Report Attribute Description Namespace Source

Forma

Num/Len

Application application_id

One of over 2800 recognized applications. See Recognized Applications.

flows DPI engine

string X

Application Group

application_group

One of 35 groups to which the applications are assigned.

flows DPI engine

string

Custom Analytics

The Custom Analytics reports are created by open-parser rules. (See "Open Parser" on page 86.) When you enable or disable the reports on this page, the corresponding rules are also disabled.

Report Attribute Description Namespace Source Format Num/Len New

<rule_name>*

<rule_name>

Reports are populated only when the rule specifies :

n Add flag to metadata

n Add matching value to metadata

n Add succeeding value to metadata until this delimiter

flows Regular expression in open-parser rule

string

Packet Retention

packet_retention

The percentage of packets that are either retained or discarded

flows Internal rule string X

Queue Processor

queue_processor

How much indexing is being processed by each queue processor thread

flows Internal rule integer X

* The name of the open parser rule is converted to all lower-case letters, and underscores replace spaces.

DatabaseReport Attribute Description Namespace Source Format Num/Len

Database Query

database_query

Query sent to the database

flows Packet header, multiple protocols

string X

58


Report Attribute Description Namespace Source Format Num/Len

TNS Base tns_base Name of accessed database

flows Packet header

string X

TNS Client Hostname

tns_client_hostname

Client machine hostname flows Packet header

string X

TNS Client OS

tns_client_os

Client machine operating system

flows Packet header

string X

TNS Client Program Name

tns_client_program_name

Client program name flows Packet header

filename X

TNS Client Program Path

tns_client_program_path

Client program absolute path

flows Packet header

filepath/filename.ext

X

TNS Content Length

tns_content_length

Length in header field flows Packet header

integer X

TNS Login

tns_login

User login; also included in the Social Persona report

flows Packet header

string X

TNS MTU tns_mtu Maximum Transmission data Unit size

flows Packet header

integer X

TNS Password

tns_password

Password to access the TNS server; also included in the Password report

flows Packet header

string X

TNS Query

tns_query

Database query; also included in the Database Query report

flows Packet header

string X

TNS Server Hostname

tns_server_hostname

Database server hostname

flows Packet header

9.9.9.9 | hostname.tld

X

TNS Server OS

tns_server_os

Database server operating system

flows Packet header

string X

TNS Version

tns_version

Version number of Oracle server

flows Packet header

integer X

59


DNS

Also see Attributes for the DNS Reports.


DNS ANCOUNT

dns_ancount Number of records in the answer section

flows Packet header

integer X

DNS Answer Name

dns_name URLs in the answer section of the DNS response

flows Packet header

domain.tld X

DNS ARCOUNT

dns_arcount Number of additional records

flows Packet header

integer X

DNS Autogenerated Domain

autogenerated_domain

DNS server name, SSL common name, or SSL server name that may have been created by a DGA; this attribute cannot be disabled

flows DGA detector

score - protocol - name

DNS Autogenerated Domain Score

autogenerated_domain_score

Probability that the DNS server name, SSL common name, or SSL server name was created by a DGA (9 = highest probability); this attribute cannot be disabled

flows DGA detector

integer

DNS Flags dns_flags 16-bit representation of some DNS header flags: QA, Opcode, AA, TC, RD, RA, Z, RCODE

flows Packet header

hex X

60



DNS Host dns_host DNS server name

flows Packet header

domain.tld X

DNS Host Type

dns_host_type DNS response type: IP address, authoritative name server, primary name server, canonical name, domain name pointer, IPv6 address

flows Packet header

string X

DNS IPv4 Answer

dns_host_ipv4_addr

IPv4 addresses that resolve to the URL

flows Packet header

9.9.9.9 X

DNS IPv6 Answer

dns_host_ipv6_addr

IPv6 addresses that resolve to the URL

flows Packet header

a9a9::a9a9:a9a9 X

DNS Message Type

dns_message_type

Message type: QUERY, RESPONSE

flows Packet header

string X

DNS NSCOUNT

dns_nscount Number of answers in the Authority section

flows Packet header

integer X

DNS QDCOUNT

dns_qdcount Number of queries in the request

flows Packet header

integer X

DNS Query dns_query URL for which a DNS query is made

flows Packet header

9.9.9.9IN-ADDR-ARPA domain.tld

X

DNS Query Type

dns_query_type

DNS query type flows Packet header

string X

DNS Reply Code

dns_reply_code

Return message

flows Packet header

string X

DNS Response Time

dns_response_time

Elapsed time between sending of the DNS request and reception of its response

flows Packet header

9.99 X

61



DNS Reverse Addr

dns_reverse_addr

IP address returned to the pointer request

flows Packet header

9.9.9.9 X

DNS Reverse Addr6

dns_reverse_addr6

IPv6 address returned to the pointer request

flows Packet header

a9a9::a9a9:a9a9 X

DNS Section Type

dns_section_type

Type of section for each DNS answer

flows Packet header

string X

DNS Transaction ID

dns_transaction_id

DNS unique transaction ID

flows Packet header

hex X

DNS TTL dns_ttl Time (in seconds) DNS information returned by the server will be kept in cache

flows Packet header

integer X

DNS Web Application Info

dns_web_application_info

Metadata for the classification of known HTTP-based web applications

flows Packet header

<application>/9.9.9.9

X

EmailReport Attribute Description Namespace Source Format Num/Len

Email Recipient

email_recipient email_address

Email address in the receiver field


[email protected]

X

Email Sender

email_sender email_address

Email address in the sender field


[email protected]

X

Email Subject

subject Email subject flows Packet header, multiple protocols

string X

Email URI

mail_uri URIs extracted from email and HTTP artifacts

flows Default open-parser rule

string

SMTP Header Raw

smtp_header_raw Fields and values in the header

flows Packet header string X

62



SMTP X-Mailer

smtp_xmailer The user agent of the mailer

flows Packet header string X

EncryptionReport Attribute Description Namespace Source Format Num/Len New

SSL Certificate Serial Number

ssl_serial_number

Serial number of certificate flows Packet header

hex X

SSL Cipher Suite

ssl_cipher_suite

Cipher suite used in the SSL session

flows Packet header

string X

SSL Cipher Suite List

ssl_cipher_suite_list

List of cipher suites supported by the client

flows Packet header

string X

SSL Common Name

ssl_common_name

Domain name mentioned in the certificate

flows Packet header

URL X

SSL Handshake Type

ssl_handshake_type

Handshake type flows Packet header

integer

X

SSL Issuer ssl_issuer Certificate authority flows Packet header

string X

SSL Organization Name

ssl_organization_name

Organization name mentioned in the certificate

flows Packet header

string X

SSL Protocol Version

ssl_protocol_version

Indicates which SSL/TLS protocol was chosen by the server for this session

flows Packet header

string X

SSL Request Size

ssl_request_size

Contains the total length in bytes of the request or the response (including SSL headers); this attribute is computed at the end of the request or response

flows Packet header

integer

X

SSL Server Name

ssl_server_name

The host that performs the server role in the SSL session, as identified in the Client Hello message

flows Packet header

string X

SSL Subject Alt Name

ssl_subject_alt_name

Identifies a list of host names that belong to the same certificate

flows Packet header

URL X

SSL Supported Next Protocol

ssl_supported_next_protocol

Supported protocol on top of SSL, specified by the server in the Next Protocol Negotiation TLS extension

flows Packet header

string X

63



SSL Version

ssl_version Protocol version: v2, v3 flows Packet header

string X

TLS Heartbleed Attack Attempted

tls_heartbeat_attack_attempt

Number of sessions in which the payload_length field of the heartbeat_request does not match the (D)TLSPlaintext.length field ; this attribute cannot be disabled

flows Metadata indexer

binary

TLS Heartbleed Mismatch

tls_heartbeat_mismatch

Number of sessions in which the heartbeat_request and heartbeat_response payloads are not equal in length ; this attribute cannot be disabled


binary

n Encrypted Heartbleed Attacks — If a "Heartbleed" attack is contained within anencryptedheartbeat message, the tls_heartbeat_attack_attemptattribute cannot detect it; however, a successful attempt will be detected by tls_heartbeat_mismatch

FileReport Attribute Description Namespace Source Format Num/Len

Detected File Type

file_type Derived from the file_type field in the headers for HTTP, IMAP, POP3, and SMTP. See Detected File Types.


string X

File Extension

file_extension

File extensions derived from the filename field ; this attribute cannot be disabled

flows string

File Name filename File name flows string X

FTP Method

ftp_method FTP commands such as PASS, USER, RETR, and OPTS

flows Packet header

string X

Fuzzy Hash *

fuzzy_hash Fuzzy hash of the artifact groups Rules engine + extractor

hex

MD5 Hash *

md5_hash MD5 hash of the artifact groups Rules engine + extractor

hex

Presented MIME Type

mime_type Content type of the request or the web page flows Packet header

string X

SHA1 Hash *

sha1_hash SHA1 Hash of the artifact groups Rules engine + extractor

hex

SHA256 Hash *

sha256_hash

SHA256 Hash of the artifact groups Rules engine + extractor

hex

64



SMB Command

smb_command

Command number use flows Packet header

integer

X

SMB Command String

smb_command_string

Command name flows Packet header

string X

SMB Dialect

smb_dialect

The version of the SMB Protocol flows Packet header

string X

SMB Dialect Index

smb_dialect_index

Index of the selected SMB Protocol version flows Packet header

integer

X

SMB Domain

smb_domain Domain name flows Packet header

string X

SMB File Attributes

smb_file_attributes

File attributes (bit field) flows Packet header

integer

X

SMB File Chunk Data Offset

smb_file_chunk_data_offset

Offset of the transferred data flows Packet header

integer

X

SMB File Chunk Length

smb_file_chunk_len

Size of the transferred piece flows Packet header

integer

X

SMB File ID

smb_file_id

Identifier of the file affected by the command (USMB v1: 4 char; USMB v2, 32 char)

flows Packet header

hex X

SMB File Name

smb_filename

Full name of the file or directory; also included in the File Name report

flows Packet header

string X

SMB File Size

smb_filesize

Size (byte) of the transferred file flows Packet header

integer

X

SMB Loadway

smb_loadway

The file transfer way (upload or download) flows Packet header

string X

SMB Login smb_login Login of the user; also included in the Social Persona report

flows Packet header

string X

SMB Native LAN Manager

smb_native_lan_manager

The native LAN manager type flows Packet header

string X

SMB Native OS

smb_native_os

Client's operating system flows Packet header

string X

SMB Path smb_path The server/share name of the resource to which the client attempts to connect

flows Packet header

filepath

X

SMB Process ID

smb_process_id

Identifier of the process being affected by the command that follows

flows Packet header

integer

X

65



SMB Query ID

smb_query_id

Indexes and correlates requests and responses

flows Packet header

integer

X

SMB Query Type

smb_query_type

Indicates if the message is a request (1) or a response (2)

flows Packet header

integer

X

SMB Search Attributes

smb_search_attributes

An attribute mask used to specify the standard attributes a file must have in order to match the search

flows Packet header

integer

X

SMB Search Pattern

smb_search_pattern

The file pattern to search for flows Packet header

string X

SMB User ID

smb_user_id

User identifier (SMB USMB v1 only) flows Packet header

integer

X

SMB Version

smb_version

Protocol version flows Packet header

integer

X

VoIP ID voip_id Identifier for a VoIP conversation flows Packet header

integer

X

*

The hash reports are not populated by the DPI engine nor the metadata indexer. Hashes are calculated by the extractor under the following circumstances:

n At least one data-enrichment rule is activated — and that rule sends either a file or a file hash to one of these enrichment providers:

o File Reputation Service o ICAP o Malware Analysis o Calculate and Store Hashes o ClamAV o jsunpack-n

o YARA o Cuckoo o FireEye AX-series o Lastline File or Hash o TitaniumScale o VirusTotal File or Hash

n Fuzzy Hash Only — Fuzzy-hash reports are not populated until after you edit /etc/solera/extractor/extractord.conf as shown and then run systemctl restart solera-extractord:

# Flag to calculate the fuzzy hash calc_fuzzy_hash=1 <== Uncomment this line and set the value to 1

n Because the hash reports contain data that is calculated after the flows are sent through the rules engine, you cannot use hash attributes as valid indicators for rules. For example, md5_hash~93fd02e cannot trigger a rule; however, it can be a valid primary or advanced filter. (See "Primary Filters" on page 107, "Advanced Filters" on page 113, "Indicators" on page 129)

Enable hash calculation for manual extractions on Settings > System. (Those settings do not affect hash-related reports.)

66


n Hash Searches — When using the md5_hash, sha1_hash, and sha256_hash attributes, the match must be exact to produce a result, but for fuzzy_hash you can specify how much of the hash must match.

o Command Line Interface — /fuzzy_hash/_ge_abc123eae%2570/ will find fuzzy hashes that have a 70% or higher match. To specify a range — for example, between 70–80% — type /fuzzy_hash/_ge_abc123eae%2570_and_le_abc123eae%2580/. Note that the percent sign must be URL-encoded as %25.

o Web UI — For fuzzy_hash>=abc123eae%70 the percent sign should not be URL-encoded.

GeographicalReport Attribute Description

Namespace

Source Format Num/Le

Country Initiator

country_initiator

Location of the initiator

flows MaxMind database IP correlation . See "MaxMind City and Country Databases" on page 180.

string

Country Responder

country_responder

Location of the responder

flows MaxMind database IP correlation string

Network Layer n Initiator/Responder Fields — The field that provides the value for these attributes depends on the host’s role in

a flow: the host that sends the first SYN packet is the initiator and the host that sends the corresponding SYN+ACK packet is the responder. Also see "Flows in Security Analytics" on page 373.


Ethernet Initiator

ethernet_initiator ethernet_address

MAC address of session initiator

flows Frame header + metadata indexer

a9:a9:a9:a9:a9:a9

Ethernet Initiator Vendors

ethernet_initiator_vendorsethernet_address_vendors

Vendor name of the initiator NICs

flows Frame header + vendor ID file

string:a9:a9:a9

Ethernet Protocol

ethernet_protocol

Layer 3 protocol (IPv4 or IPv6)

flows Frame header

integer

Ethernet Responder

ethernet_responderethernet_address

MAC address of session responder

flows Frame header + metadata indexer

a9:a9:a9:a9:a9:a9

67



Ethernet Responder Vendors

ethernet_responder_vendorsethernet_address_vendors

Vendor name of the responder NICs

flows Frame header + vendor ID file

string:a9:a9:a9

Flow Duration

flow_duration

Length of the flow in seconds; this attribute cannot be disabled


floating point

Flow ID flow_id Unique identifier for the flow; this attribute cannot be disabled


integer

Interface interface Interface the data was captured on; this attribute cannot be disabled


eth X imptX

IP Bad Checksums

ip_bad_csums

Number of bad checksums; best used with !=0; this attribute cannot be disabled


integer

IP Fragments

ip_fragments

Number of IP fragments; best used with !=0; this attribute cannot be disabled


integer

IP Protocol ip_protocol IP protocols used: TCP, UDP, ICMP, OSPFGP

flows Packet header

string

IPv4 Conversation

n/a IPv4 addresses of both hosts in a session; data for this report is assembled only when the report is called; this report is not visible on the Metadata Settings page and cannot be disabled

Query handler

9.9.9.9-9.9.9.9§

IPv4 Initiator ipv4_initiator ipv4_address

IPv4 addresses of hosts that initiated a session

flows Packet header + metadata indexer

9.9.9.9§

68



IPv4 Port Conversation

n/a IPv4 addresses and ports of both hosts in a session; data for this report is assembled only when the report is called; this report is not visible on the Metadata Settings page and cannot be disabled

n/a Query handler

9.9.9.9§:port- 9.9.9.9:port

IPv4 Responder

ipv4_responder ipv4_address

IPv4 addresses of hosts that answered a session request


9.9.9.9§

IPv6 Conversation

n/a IPv6 addresses of both hosts in a session; data for this report is assembled only when the report is called; this report is not visible on the Metadata Settings page and cannot be disabled

n/a Query handler

a9a9::a9a9:a9a9§ - a9a9::a9a9:a9a9

IPv6 Initiator ipv6_initiator ipv6_address

IPv6 addresses of hosts that initiated a session


a9a9::a9a9:a9a9§

IPv6 Port Conversation

n/a IPv6 addresses and ports of both hosts in a session; data for this report is assembled only when the report is called; this report is not visible on the Metadata Settings page and cannot be disabled

n/a Query handler

a9a9::a9a9:a9a9 §:port - a9a9::a9a9:a9a9:port

IPv6 Responder

ipv6_responder ipv6_address

IPv6 addresses of hosts that answered a session request


a9a9::a9a9:a9a9 §

Link-Local Multicast Name Resolution

machine_id_llmnr

Hostname resolution on the local link

flows Packet header

string X

Machine ID machine_id Name of the caller; also netbios_caller

flows Packet header

string

69



NBNS Query nbns_query NetBIOS name server query sent

flows Packet header

string X

NBNS Query Type

nbns_query_type

NetBIOS name server query type

flows Packet header

string X

NBNS Service

nbns_service

NetBIOS name server service name

flows Packet header

string X

NetBIOS Callee

netbios_callee

Name of the called member

flows Packet header

string X

NetBIOS Caller

netbios_caller

Name of the caller; also the Machine ID report

flows Packet header

string X

NetBIOS Command

netbios_command

Message command value

flows Packet header

string X

NetBIOS Message Type

netbios_message_type

The message type flows Packet header

string X

Packet Length

packet_length

The length of the packets captured

packets Frame header

integer

Port Initiator port_initiator port

Port of sending application

flows Packet header

integer

Port Responder

port_responder port

Port of responding application

flows Packet header

integer

Size in Bytes bytes Number of bytes in the flow


integer

Size in Packets

packets Number of packets in the flow


integer

Syslog Message

syslog_syslog_message

Syslog message body flows Payload string X

TCP Initiator tcp_initiator tcp_port port

TCP port of initiating application

flows Packet header

integer

TCP Responder

tcp_responder tcp_port port

TCP port of responding application

flows Packet header

integer

70



Tunnel Initiator

tunnel_initiator_ip

IPv4 or IPv6 of the GRE tunnel initiator; this attribute cannot be disabled. See "Encapsulation Detection" on page 181.

flows Packet header

9.9.9.9 § a9a9::a9a9:a9a9

Tunnel Responder

tunnel_responder_ip

IPv4 or IPv6 of the GRE tunnel responder; this attribute cannot be disabled

flows Packet header

9.9.9.9 § a9a9::a9a9:a9a9

UDP Initiator udp_initiator udp_port port

UDP port of initiating application

flows Packet header

integer

UDP Responder

udp_responder udp_port port

UDP port of responding application

flows Packet header

integer

VLAN ID vlan_id Virtual LAN ID; this attribute cannot be disabled

flows Frame header

integer

§ For IPv4 and IPv6 networks you can input CIDR notation as follows:

n 198.51.*.* n 198.51.0.0_16 n 198.51.0.0/16 n 2001::/31

SCADA

To select all of the attributes for a particular protocol, select its check box.


CIP Add Status Size

cip_add_status_size

Number of 16-bit words in the additional status array

flows Packet header

integer X X

CIP Attr CCV cip_attr_ccv Value modified each time any nonvolatile attribute is altered; it can be a CRC or a counter, for instance

flows Packet header

integer X X

71



CIP Attr Device Type

cip_attr_device_type

The device profile that a particular product is using

flows Packet header

integer X X

CIP Attr Heartbeat

cip_attr_heartbeat

Sets the nominal interval between production of optional heartbeat messages

flows Packet header

integer X X

CIP Attr Product Code

cip_attr_product_code

A particular product within a device type of an individual vendor

flows Packet header

integer X X

CIP Attr Product Name

cip_attr_product_name

Description of the product/product family represented by the product code; the same product code may have a variety of product names

flows Packet header

string X X

CIP Attr Rev Major

cip_attr_rev_major

The major revision of the item the identity object is representing

flows Packet header

integer X X

CIP Attr Rev Minor

cip_attr_rev_minor

The minor revision of the item the identity object is representing

flows Packet header

integer X X

CIP Attr Serial Number

cip_attr_serial_number

Number used in conjunction with the vendor ID to form a unique identifier for each device on any CIP network

flows Packet header

integer X X

CIP Attr State cip_attr_state

An indication of the present state of the device

flows Packet header

integer X X

CIP Attr Status

cip_attr_status

The current status of the entire device flows Packet header

integer X X

CIP Attr Vendor ID

cip_attr_vendor_id

A unique number assigned to the various vendors of products

flows Packet header

integer X X

CIP Ekey Device Type

cip_ekey_device_type

The device type in the electronic key flows Packet header

integer X X

CIP Ekey Vendor ID

cip_ekey_vendor_id

The vendor in the electronic key flows Packet header

integer X X

CIP Number of Services

cip_number_of_services

The number of services contained within the CIP message (request and reply)

flows Packet header

integer X X

CIP Path Logical Seg Class Value

cip_path_logical_seg_class_value

Class type of the logical segment (lower byte first)

flows Packet header

integer X X

CIP Path Logical Seg Format

cip_path_logical_seg_format

The format of the logical segment flows Packet header

integer X X

CIP Path Logical Seg Type

cip_path_logical_seg_type

The type of logical segment flows Packet header

integer X X

CIP Path Seg Type

cip_path_seg_type

The type of path segment flows Packet header

integer X X

72



CIP Reply Service Code

cip_reply_service_code

Service code that has been sent by the request

flows Packet header

integer X X

DNP3 AL Confirm

dnp3_al_con Confirm application-layer control flag packets Packet header

binary X

DNP3 AL Control

dnp3_al_control

Application-layer control flags byte packets Packet header

integer X

DNP3 AL Final

dnp3_al_final Final application-layer control flag packets Packet header

binary X

DNP3 AL First

dnp3_al_first First application-layer control flag packets Packet header

binary X

DNP3 AL Function Code

dnp3_al_function_code

Function code, identifying the type of message at the application layer

packets Packet header

integer X

DNP3 AL IIN1

dnp3_al_iin1 First byte of the DNP3 Internal Indication (IIN) 16-bit word, set by a slave station to indicate states and diagnostic results


integer X

DNP3 AL IIN2

dnp3_al_iin2 Second byte of the DNP3 Internal Indication (IIN) 16-bit word, set by a slave station to indicate states and diagnostic results


integer X

DNP3 AL Obj Qualifier Field

dnp3_al_obj_qualifier_field

Byte specifying the range of the first object. Only the first object is handled


integer X

DNP3 AL Obj Type Field

dnp3_al_obj_type_field

First object type in the application-layer control field. Only the first object is handled


integer X

DNP3 AL Sequence

dnp3_al_sequence

Sequence number of an application message fragment


integer X

DNP3 AL Unsolicited

dnp3_al_uns Unsolicited application-layer control flag packets Packet header

binary X

DNP3 DL Control

dnp3_dl_control

Data link-layer frame control byte packets Packet header

integer X

DNP3 DL CRC

dnp3_dl_crc CRC checksum field packets Packet header

integer X

DNP3 DL Destination

dnp3_dl_destination

Destination address of the frame packets Packet header

integer X

DNP3 DL Direction

dnp3_dl_direction

Physical transmission direction control flag


binary X

DNP3 DL Frame Count Bit

dnp3_dl_fcb Frame Count Bit data link-layer control flag


binary X

73



DNP3 DL Frame Count Valid

dnp3_dl_fcv Frame Count Valid data link-layer control flag


binary X

DNP3 DL Function Code

dnp3_dl_function_code

Function Code identifying the frame type at the data-link layer


integer X

DNP3 DL Function Code Name

dnp3_dl_function_code_name

Function code name, corresponding to the DL Function Code


integer X

DNP3 DL Invalid Codes

dnp3_invalid_codes

Invalid-message error codes packets Packet header

integer X

DNP3 DL Length

dnp3_dl_length

DNP3 frame length packets Packet header

integer X

DNP3 DL Primary

dnp3_dl_prm Primary data link-layer control flag packets Packet header

binary X

DNP3 DL Source

dnp3_dl_src Source address of the frame packets Packet header

integer X

DNP3 DL Start Sync

dnp3_dl_start_sync

Header start magic field packets Packet header

integer X

DNP3 TL Control

dnp3_tl_control

Transport-layer control flag byte packets Packet header

integer X

DNP3 TL Final

dnp3_tl_final Final transport-layer control flag packets Packet header

binary X

DNP3 TL First

dnp3_tl_first First transport-layer control flag packets Packet header

binary X

DNP3 TL Sequence

dnp3_tl_seq Frame-sequence number field packets Packet header

integer X

ENIP Command

enip_command Command code that has been sent by the request

flows Packet header

integer X X

ENIP CSD CPF Data Item Count

enip_csd_cpf_data_item_count

Number of items to follow in the packet flows Packet header

integer X X

ENIP CSD CPF Item Length

enip_csd_cpf_item_length

Size of the encapsulated item flows Packet header

integer X X

ENIP CSD CPF Item Type ID

enip_csd_cpf_item_type_id

Type of encapsulated item flows Packet header

integer X X

ENIP CSD Interface Handle

enip_csd_interface_handle

Communications interface ID flows Packet header

integer X X

74



ENIP CSD Timeout

enip_csd_timeout

Timeout in seconds used by routers flows Packet header

integer X X

ENIP Data Item Count

enip_data_item_count

Number of items to follow in the packet flows Packet header

integer X X

ENIP Data Length

enip_data_length

Length in bytes of command data section

flows Packet header

integer X X

ENIP Data Type ID

enip_data_type_id

Type of encapsulated item flows Packet header

integer X X

ENIP Declassify Override

enip_declassify_override

Specifies whether the current session path maybe be declassified

flows Packet header

integer X X

ENIP Options enip_options Options, for future use flows Packet header

integer X X

ENIP Session Handle

enip_session_handle

Session ID flows Packet header

integer X X

ENIP Status enip_status Status code flows Packet header

integer X X

MODBUS AND Mask

modbus_and_mask

AND mask applied when writing the data of the register


integer X

MODBUS Byte Count

modbus_byte_count

The number of data bytes to follow packets Packet header

integer X

MODBUS Coil Status

modbus_coil_status

Status code of the coil. packets Packet header

binary X

MODBUS Event Count

modbus_event_count

Event counter packets Packet header

integer X

MODBUS Events

modbus_events Data containing statuses of MODBUS send or receive operations


string X

MODBUS Exception Code

modbus_exception_code

The extraction of the exception code specifies that the function code is an exception function code; the value specifies the type of error


integer X

MODBUS FIFO Count

modbus_fifo_count

Quantity of data registers in the queue packets Packet header

integer X

MODBUS FIFO Pointer Address

modbus_fifo_pointer_address

Queue content address packets Packet header

integer X

MODBUS File Number

modbus_file_number

Identifier of the file packets Packet header

integer X

MODBUS File Response Length

modbus_file_resp_length

File length packets Packet header

integer X

75



MODBUS Function Code

modbus_function_code

The kind of action to perform. The values indicates the public function codes used for classification


integer X

MODBUS Function Subcode

modbus_function_subcode

Specifies the MODBUS function code action. See SCADA Function Codes.


integer X

MODBUS Invalid Codes

modbus_invalid_codes

Error code when reading a specific MODBUS function


integer X

MODBUS Length

modbus_length A byte count of the following fields, including the unit identifier and data fields


integer X

MODBUS MEI Type

modbus_mei_type

MODBUS encapsulated interface transport unique number


integer X

MODBUS Message Count

modbus_message_count

Quantity of messages processed by the remote device


integer X

MODBUS OR Mask

modbus_or_mask

OR mask applied when writing the data of the register


integer X

MODBUS Output Address

modbus_output_address

The data address of the coil or register packets Packet header

integer X

MODBUS Output Data

modbus_output_data

Exception status outputs, packed into one byte (one bit per output)


integer X

MODBUS Output Value

modbus_output_value

Value to write packets Packet header

string X

MODBUS Outputs Value

modbus_outputs_value

Requested ON/OFF coil states packets Packet header

integer X

MODBUS PDU

modbus_pdu The protocol data unit is defined by the function code and the data fields


integer X

MODBUS Protocol ID

modbus_protocol_id

MODBUS protocol is identified by the value 0


integer X

MODBUS Quantity of Coils

modbus_quantity_of_coils

Total number of coils requested packets Packet header

integer X

MODBUS Quantity of Outputs

modbus_quantity_of_outputs

The number of coils or registers to write packets Packet header

integer X

MODBUS Read Registers Value

modbus_read_registers_value

Register value packets Packet header

string X

76



MODBUS Record Data

modbus_record_data

The data of the record packets Packet header

string X

MODBUS Record Length

modbus_record_length

The length of the record to be read packets Packet header

integer X

MODBUS Record Number

modbus_record_number

Starting record number within the file packets Packet header

integer X

MODBUS Reference Address

modbus_reference_address

Address of the reference packets Packet header

integer X

MODBUS Reference Type

modbus_reference_type

Type of reference; must be 6 packets Packet header

integer X

MODBUS Request Data Length

modbus_request_data_length

Request data length, in terms of number of bytes


integer X

MODBUS Response Data Length

modbus_resp_data_length

Data length of the response packets Packet header

integer X

MODBUS Starting Address

modbus_starting_address

The data address of the first coil or register


integer X

MODBUS Status

modbus_status The data address of the first coil or register: 0x0000 "OK" | 0xFFFF "busy processing a previous remote command"


binary X

MODBUS Transaction ID

modbus_transaction_id

Transaction Identifier set by the client to uniquely identify each request; used for transaction pairing


integer X

MODBUS Unit ID

modbus_unit_id

Identifier used to communicate via devices that use a single TCP/IP connexion to support multiple independent MODBUS units


integer X

MODBUS Write Registers Value

modbus_write_registers_value

Value of register to be written packets Packet header

string X

PCCC Object CMD

pccc_object_cmd

Command type of the PCCC object flows Packet header

integer X X

PCCC Object Ext STS

pccc_object_ext_sts

Extended status code (response); in the request this attribute is replaced by object_fnc

flows Packet header

hex X X

77



PCCC Object FNC

pccc_object_fnc

Function code related to the command type (request); in the reponse this attribute is replaced by object_ext_sts

flows Packet header

hex X X

PCCC Object STS

pccc_object_sts

Status of the PCCC object; it should be always 0x00 for a request message

flows Packet header

hex X X

PCCC Object TNS

pccc_object_tns

Transaction identifier of the PCCC object; request and related response must share the same TNS value

flows Packet header

integer X X

PCCC Routing Info DST Link

pccc_routing_info_dst_link

Destination link address flows Packet header

integer X X

PCCC Routing Info DST Node

pccc_routing_info_dst_node

Destination node address flows Packet header

integer X X

PCCC Routing Info SRC Link

pccc_routing_info_src_link

Source link address flows Packet header

integer X X

PCCC Routing Info SRC Node

pccc_routing_info_src_node

Source node address flows Packet header

integer X X

Social PersonaReport Attribute Description

Namespace

Source Format

Num/Len

Password password Cleartext passwords flows Packet headers, multiple protocols

string X

Social Persona

social_persona

User name of account; login

flows Packet headers, multiple protocols

string X

User Name ‡

user_name Username as identified by LCS

flows Login Correlation Service string

‡ Data for this report is available only if you are running the Login Correlation Service. (See "Login Correlation" on page 222.)

Threat Intel

Because the threat intel reports contain data that is calculated after the flows are sent through the rules engine, you cannot use threat intel attributes as valid indicators for rules. For example, malware_analysis_verdict>8 cannot trigger a rule; however, it can be a valid primary filter.

78


To populate these reports you must license and enable the data-enrichment provider mentioned in the Source column, either as a subscription or as an on-site appliance.


File Signature Verdict

file_signature_verdict Degree of risk of the file hash

verdicts SymantecFile Reputation Service

integer

Local File Analysis

local_file_analysis_verdict

Degree of risk of the file hash

verdicts Local File Analysis providers

integer

Malware Analysis Verdict

malware_analysis_verdict

Degree of maliciousness based on direct file analysis

verdicts Malware Analysis appliance

integer

Third-Party Verdict

third_party_integration_verdict

Degree of risk of the file hash

verdicts ReversingLabs ® TitaniumScale ® server

integer

Threat Category

threat_category Category of threat verdicts ReversingLabs TitaniumScale server

integer

Threat Description

threat_description Description of threat verdicts ReversingLabs TitaniumScale server

string

Threat Severity

threat_severity Severity of threat verdicts ReversingLabs TitaniumScale server

integer

URL Categories

url_categories Known category of the URL; this attribute cannot be disabled

verdicts Web Reputation Service

string

URL Risk Verdict

url_risk_verdict Degree of risk of the URL; this attribute cannot be disabled

verdicts Calculated by Security Analytics

integer

When inputting a verdict attribute in the filter bar, use the numerical values for these text equivalents.

Value Text Equivalent

1 Very Low Risk

2

3 Low Risk

4

5 Unknown/Unrated

79


Value Text Equivalent

6 Moderate Risk

7

8 High Risk

9

10 Very High Risk

WebReport Attribute Description Namespace Source Format Num/Len

HTTP and Email URIs

uri URIs extracted from HTTP and email artifacts

flows Payload URI X

HTTP Auth Username

http_auth_username

Login used in the HTTP Authorization request extension for authentication. The supported authentication methods are Basic and Digest.

flows Packet header

string X

HTTP Code

http_code Return code sent by the server flows Packet header

integer X

HTTP Content Disposition

http_content_disposition

Information related to the disposition of the content present on the web page

flows Packet header

string X

HTTP Content Encoding

http_content_encoding

The type of encoding used on the data flows Packet header

string X

HTTP Content Length

http_content_len

The content length of the HTTP request/response

flows Packet header

integer X

HTTP Content Type

http_content_type

The MIME type of the body of POST and PUT requests

flows Request packet header

string X

HTTP Cookie

http_cookie

An HTTP cookie previously sent by the server with Set-Cookie

flows Packet header

string X

HTTP Forward Address

http_forward_addr

IPv4 DNS address to which the client is redirected. This is the HTTP header X-Forwarded: for=<ip_address>

flows Packet header

URL X

HTTP Header Name

http_header_name

Fields that are included in the HTTP header, such as Accept, Accept-Language, Referer, Content-Type, or Cache-Control

flows Packet header

string X

80



HTTP Header Raw

http_header_raw

Field names in the header plus the field values, such as Accept-Encoding: gzip,deflate,sdch or Keep-Alive: timeout=300, max=946

flows Packet header

string X

HTTP Header Status Line

http_header_statusline

The status line just before the header lines, such as HTTP/1.1 200 OK or GET<filepath>/<filename>HTTP/1.1

flows Packet header

string X

HTTP Header Value

http_header_value

Field values that are included in the HTTP header, independent of field names

flows Packet header

string X

HTTP Index

http_index Identifier of the request and response in an HTTP flow. The indices of a completed flow are 1 through N, with 1 being the first request, 2 being the response to the request, and N being the last transaction in the flow.

flows Packet header

integer X

HTTP Last Modified

http_last_modified

The date and time at which the origin server recorded the last modification to the file

flows Packet header

day, DD MMM YYYY hh:ii:ss ZZZ

X

HTTP Location

http_location

Destination address where the client is redirected

flows Packet header

URL X

HTTP Method

http_method

HTTP command sent by the client: GET, POST, HEAD, CONNECT, and so on

flows Packet header

string X

HTTP NTLM Domain

http_ntlm_domain

Domain attribute of the NT LAN Manager protocol; included in the HTTP Authentication field

flows Packet header

string X

HTTP NTLM User

http_ntlm_user

User attribute of the NT LAN Manager protocol; included in the HTTP Authentication field

flows Packet header

string X

HTTP NTLM Workstation

http_ntlm_workstation

Workstation attribute of the NT LAN Manager protocol; included in the HTTP Authentication field

flows Packet header

string X

HTTP Part Header Name

http_part_header_name

Fields that are included in the HTTP part header, such as Accept, Accept-Language, Referer, Content-Type, or Cache-Control; extracted only if Content-Type is multipart

flows Packet header

string X

HTTP Part Header Value

http_part_header_value

Field values that are included in the HTTP part header, independent of field names; extracted only if Content-Type is multipart

flows Packet header

string X

81



HTTP Post Variable Decoded

http_post_variable_decoded

The 'name/value' metadata from each web-form CGI parameter found in a POST HTTP request. The name and value strings are normalized. The parameters are extracted from the URL of the request, and/or from the x-www-form-urlencodedPOST data.

flows Packet header

string X

HTTP Proxy Auth

http_proxy_auth

Authentication type on the proxy: basic, digest, NTLM

flows Packet header

string X

HTTP Proxy Login

http_proxy_login

Authentication credentials flows Packet header

string X

HTTP Referrer

referer The address of the previous web page from which a link to the currently requested page was followed; was "Referrer" in versions previous to 7.3.2

flows Packet header

URL X

HTTP Server

http_server

The FQDN of the server flows Packet header

URL X

HTTP Server Agent

web_server Server type: Apache, IIS, nginx; was "Web Server" in versions previous to 7.3.2

flows Packet header

string X

HTTP Set Cookie

http_set_cookie

Contains a cookie stored by the server (Set-Cookie)

flows Packet header

string X

HTTP URI http_uri The domain name of the server plus the path to the file

flows Packet header

URI X

HTTP User Agent

user_agent Software used by the client to access the web page

flows Packet header

string X

Web Query web_query Database query flows Packet header; multiple protocols

string X

Integrated Cyber Defense Exchange (ICDx)New in Security Analytics 8.1.1

Symantec Integrated Cyber Defense Exchange (ICDx) is an open platform that gives you control over your enterprise security data: how much you collect, how long you retain it, and where it resides. It also provides a standard, cross-product schema for analytics, reports, and dashboards.

ICDx integrates Symantec enterprise security products by:

n Collecting events from Symantec Integrated Cyber Defense products

n Normalizing the collected events to the Integrated Cyber Defense Schema

82

https://www.symantec.com/theme/integrated-cyber-defense-exchange


n Filtering and forwarding the collected events to different customer destinations, such as RabbitMQ, Splunk, Elasticsearch, or ServiceNow

On the ICDx server you must create at least one exchange of type AMQP to receive Security Analytics metadata.

There are two ways to send metadata to an ICDx server from Security Analytics:

n ICDx Metadata Forwarding — Send selected metadata for all traffic

n ICDx Remote Notifications — Send alert metadata for traffic that matches a rule

ICDx Metadata ForwardingIn this use case you select metadata attributes to send, and then Security Analytics sends those attributes, for all traffic, to the ICDx server. The metadata is marked with "Informational" severity. Each individual event on the ICDx server represents a distinct flow.

To send selected metadata for all traffic to an ICDx server, follow these steps:

1. "Select the Metadata to Export" below

2. "Specify the ICDx Server" on the next page

Select the Metadata to Export

Follow these steps to select which metadata to export to the ICDx server.

1. Select Settings > ICDx Metadata.

2. Review the metadata attributes to ensure that the metadata you want is visible on this page. (The aggregate_<X>_hooks items are often drawn from multiple attributes.) The following attributes are enabled by default and cannot be disabled:

n start_time

n stop_time

n flow_id

n initiator_ip

n responder_ip

n initiator_port

n responder_port

3. If you do not see the desired metadata attributes, go to Settings > Metadata and select the desired attributes.

83


When you save new metadata attributes on that page the appliance automatically reboots.

Only attributes in the flows namespace will appear on the ICDx Metadata page. Consult "Metadata Settings" on page 56 to see the namespace for each attribute.

4. On the ICDx Metadata page select the desired attributes. Do not click Save yet.

Specify the ICDx Server

Follow these steps to configure the ICDx server for this function. These are not the same server settings as are on the Communication Settings page.

1. On Settings > ICDx Metadata select the Enable ICDx check box.

2. Under Integrated Cyber Defense Exchange (ICDx) Settings input the username and password to access the server.

3. Select Use SSL Encryption to encrypt traffic to the ICDx server.

4. Select Verify Server Certificate to perform a certificate check on the ICDx server. If you select this option you must upload the certificate authority bundle for the ICDx server on Settings > Security > PKI and SSL > Additional Certificate Authority Bundle.

5. Specify the IP or hostname of the ICDx server as well as the port. Default: 5672 for unencrypted or 5671 for encrypted.

6. For Exchange specify an exchange on the ICDx server.

7. Click Test Server Settings.

8. If the test is successful click Save. Security Analytics begins to send the metadata to the ICDx server.

n To stop the flow of metadata clear the Enable ICDx check box and click Save.

Metadata for Each Flow

The example below shows the JSON-formatted data that is sent for each flow. The pivot URL is valid only for sensors that are connected to a CMC: copy pivot_url to a browser to view the flow through the sensor's first CMC.

{ "log_name": "<log name>", "timezone": <integer>, "type_id": <integer>, "product_data": { "flow_id": "<integer>", "start_time": "<epoch>.999999999", "stop_time": "<epoch>.999999999", "<attribute1>": "<value1>", "<attribute2>": "<value2>", ... "<attributeN>": "<valueN>",

84


"pivot_url": "https://<SA hostname>/deepsee#{\"ac\":\"Summary\",\"ca\":{\"start\":<epoch>,\"end\":<epoch>},\"pb\":[\"flow_id=<integer>\"],\"icdx\":{\"cmc_pivot\":1}}" }, "product_name": "Symantec Security Analytics", "uuid": "<uuid>", "ref_uid": "<flow ID>", "log_time": "YYYY-MM-DDThh:ii:ss.zzzZ", "product_ver": "Solera release 8.1.3 (8.1.3_99999)", "device_ip": "<SA ip>", "device_name": "<SA hostname>", "category_id": <integer>, "connection": { "dst_ip": "<ip>", "dst_port": <port>, "src_ip": "<ip>", "src_port": <port> }, "id": <integer>, "severity_id": <integer> }

ICDx Remote NotificationsIn this use case you send alert metadata to the ICDx server only for traffic that matches a rule. The metadata that is sent to the ICDx server is not the metadata that is present on the ICDx Metadata page; rather, it is controlled by the default ICDx template (see "Default Template Output" on page 246) or by an ICDx template that you create. None of the settings on the ICDx Metadata page are connected to these remote notifications.

To send alert metadata to an ICDx server you must follow these steps:

1. "Specify the ICDx Server" below

2. "Select a Template" on the next page

3. "Create Rules for Data to Export" on the next page

Specify the ICDx Server

Follow these steps to configure the ICDx server for this function. These are not the same server settings as on the ICDx Metadata page.

1. Select Settings > Communication.

2. Under Integrated Cyber Defense Exchange (ICDx) Settings input the username and password to access the server.

3. Select Use SSL Encryption to encrypt traffic to the ICDx server.

4. Select Verify Server Certificate to perform a certificate check on the ICDx server. If you select this option you must upload the certificate authority bundle for the ICDx server on Settings > Security > PKI and SSL > Additional Certificate Authority Bundle.

85


5. Specify the IP or hostname of the ICDx server as well as the port. Default: 5672 for unencrypted or 5671 for encrypted.

6. For Exchange specify an exchange on the ICDx server.

7. Click Test Server Settings.

8. If the test is successful click Save at the bottom of the page.

Select a Template

Follow these instructions to specify the format of the data that you export to ICDx.

n Review the default ICDx Template output on "Default Template Output" on page 246 to verify that it suits your needs.

n If you would like to send different metadata, select Settings > Communication > Templates > New and follow the instructions in "Choose or Create a Template" on page 245.

Create Rules for Data to Export

Follow these steps to create rules that export data to ICDx.

1. Select Analyze > Indicators. Determine whether existing indicators specify the type of traffic that you want to match. If they do not, select Actions > New to create new indicators. See "Indicators" on page 129 for more information.

2. Select Analyze > Rules and click New.

3. Specify a name for the rule and populate First Event with the indicator(s) that you have chosen for this rule.

4. Optional — Select Open Parser. See "Open Parser" below for instructions.

5. Select the rule type. (See "Rules" on page 230 for more information.) Select None if you do not want any other action performed on the traffic that matches this rule.

6. Specify whether to share this rule with other users of this appliance. Once you set this attribute you cannot change it.

7. Under Remote Notifications select ICDx, select the ICDx template to use, and click Save. The rule is enabled by default when it is created.

The number of alerts produced on the Security Analytics appliance may be smaller than the alerts on the ICDx server. Security Analytics counts as one alert an alert that had one parent and three child alerts, but on ICDx it may be counted as three alerts.

Open ParserUse the open parser to create customized reports and report widgets that you can use in the same way as other Security Analytics reports. With the open parser you can include regular expressions in rule definitions as well as user-

86


defined Lua scripts.

Open parser rules can consume considerable system resources by generating a large number of rule hits. Use indicators that detect the smallest amount of network traffic possible.

Open Parser ConventionsKeep the following in mind when using the open parser:

n Regular expressions must be RE2-compliant.

n The operator between regex lines is OR.

n The open parser rule name is converted into a report name by making all letters lower-case and replacing all spaces with an underscore. For example, Phone Numbers becomes phone_numbers.

n An open parser report is available only when its corresponding rule is active.

n New in Security Analytics 8.1.1 Lua scripts must conform to the following rules:

o Must have the .lua extension.

o Must not contain a function that is not whitelisted. The following functions are whitelisted:

87


assert coroutine.create coroutine.resume coroutine.running coroutine.status coroutine.wrap error ipairs math.abs math.acos math.asin math.atan math.atan2 math.ceil math.cos math.cosh math.deg math.expmath.floor math.fmod

math.frexp math.huge math.ldexp math.log math.log10 math.max math.min math.modf math.pi math.pow math.rad math.random math.sin math.sinh math.sqrtmath.tan math.tanh next OpenParser.setCallback OpenParser.setFlowEndCallback

OpenParser.createMeta OpenParser.createAlert OpenParser.classify OpenParser.getFlowData OpenParser.payloadToString OpenParser.findStringInPayload os.clock os.difftime os.time os.date pairs pcall select string.byte string.char string.find string.format string.gmatch string.gsub

string.lenstring.lower string.match string.rep string.reverse string.sub string.upper table.foreach table.insert table.maxn table.remove table.sort tonumber tostring type unpack _VERSION xpcall

Create an Open-Parser Rule

1. Select Menu > Analyze > Rules and click New.

2. For Name, specify a unique name for the rule. It must begin with a letter, must not exceed 60 characters, and cannot be the same as an existing report name. (See " Metadata Tables" on page 58.)

3. For First Event, specify one or more indicators or create new indicators. (See "Indicators" on page 129.)

Do not click Add Second Event. Multiple events are not supported with the open parser.

4. Select the Open Parser check box.

5. For Regular Expressions, type or paste a regular expression and click Add. The expression is copied to the space below. You may add up to eight expressions, and each expression must not exceed 1024 characters.

n To delete an expression, select it and click Remove.

6. For Metadata Options, select one of the following:

88


n Select Add flag to metadata — A Boolean is written to the indexing database entry to indicate that the flow matches the regular expression. The report shows how many flows are Matched but does not contain the matching values.

n Select Add matching value to metadata — The values that match the regular expression are written to the indexing database, where they are visible in the report.

n Select Add succeeding value to metadata, until this delimiter — The characters that come after the string that matches the regular expression, up to the RE2-compliant delimiter, are written to the indexing database, where they are visible in the report.

n Select Take no action — No values are written to the indexing database. A report will be available for this rule but it will never contain data.

n Select Execute Lua script — Click Browse to select a Lua script to execute when the regular expression is matched.

o Click Download Script to download a Lua script that is already uploaded.

When a Lua script is uploaded to an open-parser rule, the script is executed for validation purposes before the rule is saved. If the GUI stops responding, it means that the script contains an error that prevents it from being validated; for example, it contains an os.execute command or non-zero exit codes.

n For Type, select the rule type and click the corresponding link for instructions on completing the rule:

o "Alert Rule" on page 233

o "Data-Enrichment Rule" on page 233

o "PCAP Export Rule" on page 235

o "IPFIX Export Rule" on page 235

o ""None" Rule" on page 236

89


View the Report Data

Select Menu > Analyze > Summary and click the Reports tab. Reports that contain data from active open parser rules are available under Custom Analytics.

Select Menu > Analyze > Summary > Reports and select Application > Application ID. The rule name is present to show that data from the rule was generated during the timespan.

90


Click the entry to add the rule to an application_id filter to help you locate the artifact that matched the rule.

Add the Open Parser Report Widget to a Summary View

1. Select Menu > Analyze > Summary. Select an existing view or create a new view where the widget will be displayed.

2. Select Actions > Add/Edit Widgets. From the Available Reports list, select the custom analytics report, move it to the Selected Reports list, and click Add/Edit Widgets.

Open Parser AlertsAn alert from an open-parser rule shows the regular expression that triggered the alert.

91


To see the value that matched the regular expression, click View Report Summary and select a view that contains the report widget that corresponds to the rule. When you pivot from an alert to a widget, the widget displays all of the matching values that are present in the same flow.

PII Reports ExampleThis example shows how to create open-parser rules to find personally identifiable information (PII) in HTTP and EML files and then display the PII in reports.

Create an indicator

1. Select Menu > Analyze > Indicators and select Actions > New.

2. Create an indicator named HTTP with the filter application_group=web

3. Verify that the Email indicator exists on the appliance (application_group="Mail", application_group="Webmail").

The HTTP and Email indicators will detect a large amount of traffic. For your network, you may want to add more indicators to exclude traffic that is unlikely to contain PII.

Create the rule

Create an open-parser rule that extracts likely phone numbers.

92



2. Create a rule named [Phone Numbers | Social Security Numbers | Credit Card Numbers] with the Email and HTTP indicators as the First Event.

3. Select the Open Parser check box. In the regular expressions field, enter the regular expression ["Phone Numbers" on the next page | "Social Security Numbers" on the next page | "Credit Card Numbers" on the next page] and click Add.

4. For Metadata Options, select Add matching value to metadata.

5. For Type select None so that no alerts are generated.

n Alternatively, if you select Alert, you can set the Importance for each rule hit.

6. Optional — Select Shared to make the rule viewable by everyone who has access to this appliance.

7. Remote Notifications — Optional — Select one or more remote-notification types. You may select the default template or configure a template on Settings > Communication > Templates. (See "Choose or Create a Template" on page 245.) Verify that the appropriate server(s) have been configured. (See "Logging and Communication" on page 306.)

n SMTP — Optional — Specify email accounts to receive the alert notifications.

93


8. Endpoint Providers — Optional — Select to send endpoint data to external endpoint analysis providers. (See "Endpoint Providers" on page 217.)

9. Click Save. The rule is displayed in the Rules list. Verify that the rule is activated .

Phone Numbers

This regular expression detects likely phone numbers in the United States and Canada.

n Name — Phone Numbers

n Regular Expression — ((?:\+?1[ .-]\s*)?((($\s*[2-9]\d{2}\s*$\s*[ .-]?)|([2-9]\d{2}\s*[ .-])))\s*[2-9]((1[02-9])|([02-9]\d{1}))\s*[ .-]\s*\d{4})

Social Security Numbers

This regular expression detects likely U.S. Social Security numbers.

n Name — Social Security Numbers

n Regular Expression — ((?:[0-6]\d{2}|7([0-6]\d|7[012]))[-]\d{2}[-]\d{4})

Credit Card Numbers

This regular expression detects likely MasterCard, Visa, Discover, and American Express card numbers.

n Name — Credit Card Numbers

n Regular Expression — (4[0-9]{3}[0-9]{4}[0-9]{4}[0-9](?:[0-9]{3})?|[0-9]{4}[-][0-9]{4}[-][0-9]{4}[-][0-9]{4}|5[1-5][0-9]{2}[0-9]{4}[0-9]{4}[0-9]{4}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|6(?:011|5[0-9]{2})[0-9]{12}|(?:2131|1800|35\d{3})\d{11})

n Metadata Options — Select Execute Lua script and upload the following file, which can also be found on the appliance at /usr/lib64/lua/5.1/userDefined/pii_parser.lua_tmpl:

94


require"OpenParser" function callback_method(data)

local token = data[TOKEN_KEY]locallen = data[TOKEN_SIZE_KEY] -- Validate using Luhns Algoodd =0even =0total =0numdigit =0nDigits =lenreverse=string.reverse(token)

for count =0,nDigits-1do

num =0digit =tonumber(string.sub(reverse, count+1,count+1)) if digit then

numdigit = numdigit +1if((numdigit%2) ~=0)then

odd = odd + digitelse

num = digit*2if num >9then

num = num -9endeven = even + num

endend

end total = odd + even if((total %10) ==0)then

OpenParser.createMeta(token)end

end OpenParser.setCallback(callback_method)

This file must have the .lua extension before it can be uploaded.

Open Parser Data MatchingOpen parser rules run their regular expressions against the following types of fields:

n Content — Fields such as FTP:CONTENT, HTTP:CONTENT, FACEBOOK_MAIL:CONTENT, and POP3:CONTENT

n Message — Fields such as ICMP:MESSAGE, SYSLOG:MESSAGE, and GMAIL_CHAT:MESSAGE

95


n Attachments — Attachments to emails, such as GMAIL:ATTACH_CONTENT, SMTP:ATTACH_CONTENT_DECODED, and POP3:ATTACH_CONTENT

n General data — The entire data portion of a data protocol, including headers and body.

Summary Views

The Menu > Summary views in Symantec Security Analytics are collections of report widgets on a single page. Report widgets are discrete graphical elements that summarize data according to selected criteria. A collection of widgets can then be run against a user-selected time period and a user-defined set of filters. (See "Timespan Filters" on page 112, "Primary Filters" on page 107)

See "Menu > Analyze > Summary" on page 410 for a description of all page elements.

Report Widgets

Menu > Analyze > Summary

While the data is still loading for the Summary page, you may click the red Stop Reports button to stop the data from processing.

Included on Security Analytics are report widgets that correspond to the available reports. (See " Metadata Tables" on page 58.)

Select a summary view from the view selector.

96


Use the edit control to change the name, share the view, duplicate the view, or specify a view as the default.

Create a Summary ViewYou can create a new summary view from a blank view, or you can modify an existing view.

1. Select Menu > Analyze > Summary.

2. Click the view selector and select Add New View.

3. Type a name for your new view.

4. Optional — Select Use flow-based columns to permit the report widgets to adjust to the available width of the window. Clearing this check box forces the report widgets to stay in a fixed-grid location.

5. Optional — Select Shared to share the view.

6. Optional — Select Duplicate Existing View? to select a view to duplicate as the new view.

7. Optional — Select Set as default to make this the default view.

8. Click Save. You get a blank summary screen and the Add/Edit Widgets dialog box is displayed.

9. Select one or more report widgets from the Available Reports list and add them to the Selected Reports list. Press Ctrl to select more than one report, and then click the single arrow button to move them to the Selected Reports list.

97


n The more report widgets in a view, the longer it takes to load the view. For optimal performance and system integrity, limit the number of widgets to 18 per view.

n If the report widgets in the same view are from different namespaces, the reports will take longer to generate.

n Application Group includes the Application Group and the Application Group over Time widgets.

10. Click Add/Edit Widgets.

Report Widget ControlsTo reveal the report widget controls, place your cursor over the widget header.

1 Move Widget

2 Widget Settings

3 Delete Widget

98


1 Sort-by Field — Select from the widget name or bytes, packets, sessions, IP fragments, or bad checksums.

2 Order — Ascending, Descending

3 View — Table, Pie, Column, Bar

4 Resolution — Select the check box and slide the selector to the desired resolution.

The settings affect only this report widget in this view. If this report widget is present in other views, the settings on those views will be not changed.

Application Group Widgets

Two widgets — Application Group and Application Group over Time — are different from the other widgets; user configuration is limited to session-resolution settings. The Application Group widget has Bytes, Packets, and Sessions columns. The Application Group over Time widget is a histogram of the Application Group widget. Place your cursor over a data point to see the details.

When adding widgets to a view, selecting Application Group adds both the Application Group and the Application Group over Time widget to the view.

99


Apply Filters to Summary ViewsTo apply a filter to a summary view, see "Primary Filters" on page 107 and "Indicators" on page 129.

Save the Output of a Summary ViewThe output of a summary view can be saved on the appliance and viewed on the Report Status list.

1. Select Menu > Analyze > Summary and select the desired view.

2. Add, delete, and modify the report widgets as desired. Add any filters that you want.

3. Select Actions > Save in the upper-right corner of the interface.

4. Type a name for the saved output (max 300 characters).

5. If you click Save before the system has finished processing the data, you have the option to:

n Save and Stop — Save only the data that was processed before you clicked Save and Stop.

n Save and Continue — The save operation will continue until all data is processed.

6. If you click Save after Status shows Finished (100%), all of the results are saved.

7. Retrieve the saved results by selecting Analyze > Report Status > List. There is a separate report entry for each widget.

8. Click View Report to see the report in the Reports (not Summary) view.

Session ResolutionIn the Summary, Reports, and Geolocation views, the session resolution percentage is located on the status bar. The purpose of this feature is to limit reports to a subset of data, which allows quicker display of data.

Adjust Session Resolution

1. Click the session resolution value for the view.

100


2. Slide the bar to the percentage of data that you want to view.

Anomaly DetectionAlso see: "Anomaly Detection Process" on page 398.

Anomaly Detection and Modeling (ADM) provides visibility into abnormalities in your traffic patterns. By evaluating traffic in 10-minute analysis windows, ADM determines which traffic is normal for your network and then creates alerts for outlier network behavior.

Because ADM folds all received traffic into the baseline, regularly occurring "anomalies" will eventually become part of the baseline. The longer ADM runs, the fewer false positives it will register.

ADM requires an appliance or VM with at least 64 GB RAM to function properly. Less memory will result in degraded performance and missed alerts. To disable anomaly detection, select the appropriate data enrichment profile. (See "Data Enrichment Profiles" on page 49.)

Enabling Anomaly DetectionADM is automatically enabled when newly installing or upgrading to Security Analytics 7.2.x through 7.3.1.

n Beginning in version 7.3.2, ADM is not automatically enabled on new installations unless the appliance has more than 128 GB RAM. Anomaly detection is not disabled when upgrading an appliance that is already running ADM.

n It takes approximately 6 hours for ADM to establish a baseline and then begin to report anomalies. See "Anomaly Detection Process" on page 398 for more information.

To disable or enable ADM, go to Menu > Settings > Data Enrichment and select the following Profile:

n Enable

o Full Data Enrichment with Anomaly Detection

n Disable

o Full Data Enrichment (No Anomaly Detection)

o Packets Only

To enable remote notification of anomalies go to Menu > Settings > Communication > Advanced.

101


n Under Remote Notifications, select the Anomaly Events check box for Email, SNMP, or Remote Syslog, as desired. (Select the check box for Local to see anomalies in the Audit Log).

n Set up the corresponding remote notification method(s) on Settings > Communication > Server Settings.

n See the "Anomaly Notification Format" on page 105.

Anomalies PagesSelect Analyze > Anomalies to see the Anomalies pages: Summary and List.

Anomalies Summary

The Anomalies Summary page displays a series of tables that show which IP addresses, URL categories, countries, and applications have been involved in anomalous traffic. Click a value to add it to the advanced filter. (See "Advanced Filters" on page 113.)

Anomalies List

The Anomalies List displays the following (also see "Interpreting Anomaly Messages" on page 400):

1 Anomaly — Anomaly message. 7 Function — Type of operation used to detect the anomaly.

2 Time of Detection — Start time of the analysis window, which ends 10 minutes later.

8 Field — The attribute that is to be analyzed as a metric.

3 Score — Amount of deviation from the baseline on a scale of 0–9; higher numbers indicate greater deviation.

9 Over Field — The initiator or responder IP that is associated with the anomalous activity. (For the URL categories anomaly this is a By Field, which is a specific value of the field that analyzed as a metric.)

102


4 Clear — Click to delete all visible anomalies.

10 Partition Field — Each distinct value in this field constitutes a separate category for analysis. Not present for all anomalies.

5Actions

— Click to view the

anomaly in the Anomaly Investigationview with the over-field value in the primary filter bar.

11 Baseline Value — The mean value of this same combination of Field, Over Field, and Partition Field during a comparable analysis window.*

6 Analysis Window — Timespan for the view when you click View Report

Summary .

12 Anomalous Value — An outlier value, compared to several standard deviations from the baseline.

Filtering Anomaly AlertsThe Advanced Filter on the Anomalies page permits you to filter the messages by the attributes shown on the Advanced-Filter Attributes page. (See "Advanced-Filter Attributes" on page 115.) To find a particular type of anomaly you might need to search on two fields.

Message Search On

Large data transfer by <ip_address>, located in <country>

partition_field_name~country

Excessive data transfer by <ip_address> while using <applications>

partition_field_name~id

<ip_address> sending long strings to DNS server <dns_name>

function~info

<ip_address> using numerous applications field_name~id

Many conversations between <ip_address> and multiple <ips/ports>

function~distinct AND (field_name~ip OR field_name~port)

<ip_address> contacting a high number of countries

field_name~country

URL category <category> getting high amount of traffic.

by_field_name~url

Anomaly Investigation ViewThe Anomaly Investigation view is a default summary view that is opened when you pivot from View Report Summary

. The half-hour timespan for the report begins 20 minutes before the analysis window starts so that you can more clearly see when the anomaly occurred in the Application Group over Time histogram.

Included in the Anomaly Investigation view are report widgets for most of the attributes that ADM analyzes.

103


n Application Group

n Application Group over Time

n Application

n IPv4 Initiator

n IPv4 Responder

n Flow Duration (sorted ASC by duration)

n Size in Bytes (sorted ASC by bytes)

n DNS Answer Name

n Country Initiator

n Country Responder

n Port Initiator

n Port Responder

On this page you can:

n Select Actions > Save to save the metadata on Analyze > Report Status.

n Select Actions > Download PCAP to save the packet data.

n Add or delete widgets from the view.

n Edit widgets for a customized display.

n Select Actions > Analyze Packets to see the packets in a Wireshark-like interface.

Anomaly DetectorsThe ADM detectors consist of the following parameters:

Message Function Field Over Field Partition Field

Large data transfer by IP [initiator | responder] <ip_address>, located in <country>

high_sum total_bytes initiator_ip

initiator_country

responder_ip

responder_country

Excessive data transfer by IP [initiator | responder] <ip_address> while using <application_ids>

high_sum total_bytes initiator_ipresponder_ip

application_ids

IP [initiator | responder] <ip_address> sending long strings to DNS server(s)

high_info_content

dns_name initiator_ip responder_ip

—

IP [initiator | responder] <ip_address> using numerous applications

high_distinct_count

application_ids

initiator_ip responder_ip

—

Many conversations between IP [initiator | responder] <ip_address> and multiple [[initiator | responder] ips | [initiator | responder] ports]

high_distinct_count

responder_ip responder_port

initiator_ip

—

initiator_ip

responder_ip

104


Message Function Field Over Field Partition Field

IP [initiator | responder] <ip_address> contacting a high number of countries

high_distinct_count

initiator_country responder_country

initiator_ip responder_ip

—

URL category <url_categories>§ getting high amount of traffic.

high_count

— url_categories*

—

* This is a By Field rather than an OverField.

§ URL categories for anomalies are available only with the Web Reputation Service. (See "Symantec Intelligence Services" on page 193.)

Anomaly Notification Format

Format for anomaly notifications in the audit log. Not all fields are present in every message:

Anomaly: score=<integer> anomaly_score=<floating_point> typical=<floating_point> actual=<floating_point> probability=<floating_point> actual_probability=<floating_point[ e-<integer>]> create_time=<YYYY>-<MM>-<DD>T<hh>:<ii>:<mm>-<zzzz> start_time=<YYYY>-<MM>-<DD>T<hh>:<ii>:<mm>-<zzzz> end_time=<YYYY>-<MM>-<DD>T<hh>:<ii>:<mm>-<zzzz> function='<text>' partition_field_name='<text>' partition_field_value='<text>' field_name='<text>' by_field_name='<text>' by_field_value='<text>' over_field_name='<text>' over_field_value='<text; dotted-decimal>' link='https://<appliance>/<path_to_summary_page>'

Web UI Display Correlation

The attributes in the notifications correspond to the web UI fields as follows:

n score — A normalization of probability to values 0–9, Score uses the same schema as the data-enrichment verdicts.

n anomaly_score — A sophisticated aggregation of the anomaly records. The calculation is optimized for high throughput, gracefully ages historical data, and reduces the signal-to-noise levels. It adjusts for variations in event rate, takes into account the frequency and the level of anomalous activity and is adjusted relative to past anomalous behavior. The higher the anomaly_score, the more likely the anomaly is worthy of further investigation.

n typical — Baseline Value

n actual — Anomalous Value

n probability — Calculated using anomaly_score and actual_probability and normalized to values 0.00–100.00.

n actual_probability — Statistical probability of the anomalous value occurring during a comparable analysis window*

n create_time — Time of Detection

n start_time — Analysis Window start time

105


n end_time — Analysis Window end time

n function — Function

n partition_field_name — Partition Field

n partition_field_value — Value in Partition Field

n field_name — Field

n by_field_name — By Field

n by_field_value — Value in By Field

n over_field_name — Over Field

n over_field_value — Value in Over Field

n link — Opens to the default Summary view (not the Anomaly Investigation view).

Tuning ADM SettingsThe following settings in /etc/solera/config/adm-conn-config.json control some of the behavior of ADM:

{"connector_config" : {

"anomaly_threshold" : 80.00,"long_poll_timeout" : 60,"hours_to_limit_anomalies" : 6

}}

n anomaly_threshold — Valid values: 0.00–100.00. Anomalies with a score lower than this value are not posted. ADM uses a scale of 0.00–100.00, and the web interface normalizes this score to a scale of 1–10.

n long_poll_timeout — Valid values: 30–200. Number of seconds for ADM to respond to a query before Security Analytics repeats the query.

n hours_to_limit_anomalies — Valid values: 0–720. Amount of time before anomalies will begin to be posted. If the value is set to 0, ADM will run for ~50 minutes before posting anomalies.

After making any changes to the configuration file, restart the ADM connector: systemctl restart adm-connector

The default behavior of ADM is therefore:

n For the first 6 hours of system uptime, no alerts are generated while ADM establishes a baseline.

n Only anomalies that have a score of 8 or higher are posted.

n Security Analytics polls ADM for anomaly results every 60 seconds until it gets a response.

106


FiltersSymantec Security Analytics employs the following types of filters:

n "Primary Filters" below — Applied to Summary, Reports, Extractions, Sessions, and Geolocation pages, primary filters return all flows that contain matching traffic.

n "Dynamic Filters" on page 109 — Apply capture filters to interfaces only when traffic matches a dynamic filter rule.

n "Data Enrichment Filters" on page 109 — Specify which file types to send to each enrichment provider. (See "Enrichment Providers" on page 190.)

n "Timespan Filters" on page 112 — Applied in the same contexts as the primary filter. Use the narrowest possible timespan filter to conserve system resources.

n "Advanced Filters" on page 113 — Applied to the flows that are generated on Reports, Extractions, Sessions, Geolocation, Alerts, and Audit Log pages, advanced filters eliminate extraneous data from matching flows. (See "Flows in Security Analytics" on page 373.)

n "Capture Filters" on page 115 — Applied to capture interfaces and PCAP downloads.

Primary Filters n Valid parameters for the filter bar are on "Metadata Settings" on page 56.

n Recognized Applications

n "Indicators" on page 129

The filter bar — present on Menu > Analyze > [Summary | Reports | Extractions | Geolocation] — is at the heart of Security Analytics. With these filters, you can display specific time frames or attributes of the captured data.

1 Filter bar

2 Timespan filter selector

Using the Filter Bar

Type directly in the filter bar to create a new filter.

1. Select Menu > Analyze > [Summary | Reports | Extractions | Sessions | Geolocation].

2. Click in the filter bar and begin typing a filter attribute.

107


3. The system will begin suggesting attributes or indicators based on your typing. You can select the desired attribute by clicking it or by using the arrow keys.

4. Type the operator. (See "Filter Operators" on page 127.)

5. Type the desired value after the operator. You can use wildcard expressions. (See "Wildcard Usage" on page 121.) For CIDR notation, use one of the following formats:

n 10.5.*.* n 10.5.0.0_16 n 10.5.0.0/16

6. Press Enter. The system completes the filter by enclosing it in a gray box. Click the green Update button to apply the filter.

Whenever you change a filter, you must always click Update to regenerate the results. This permits you to change multiple aspects of the filter before regenerating the results.

Changing the browser language setting while filters or processes are active is not supported.

108


7. All applied filters appear as white text against a blue background.

8. To modify a filter, click the blue field and edit as desired. Press Enter or click outside the blue field; the box will become gray again. Click Update to apply the modified filter.

You can also create complex primary filters using AND and OR. See "Creating Complex Filters" on page 123.

Preloaded Indicators

Security Analytics is preloaded with indicators such as non-standard protocols, common MIME types, and known malware passwords. (See "Preloaded Indicators" on page 129.) You can use these indicators as primary filters.

1. Select Menu > Analyze > [Summary | Reports | Extractions | Sessions | Geolocation].

2. Expand the filter bar to see a list of indicators. Select the desired indicator.

n Alternatively, select Analyze > Indicators. Under Actions for the desired indicator, click Add to Filter

Bar . The Summary view will be displayed with that indicator in the filter bar.

3. The indicator appears in the filter bar and is applied to the operation (report, extraction, geolocation).

4. For instructions on creating and editing indicators, see "Indicators" on page 129.

Dynamic FiltersSee "Dynamic Filters" above.

Data Enrichment Filters

Menu > Settings > Data Enrichment > Default Data Enrichment Filter

Per-provider filters specify which file types to send to providers that evaluate files and hashes, such as the File Reputation Service and ClamAV. The default filter sends the following file types to the enrichment providers. (Consult "Data Enrichment Filters" on page 247 to see which file types are included in each category.)

109


n The filters apply only to real-time extractions, which occur when traffic matches rules. On-demand reputation queries are not affected by these filters.

n The checked boxes indicate the file types to send to the enrichment providers; clear the check boxes for file types that you do not want to send to the providers.

n After you have finished making changes to this filter, click Save.

By default all of the enrichment providers use the Default Data Enrichment Filter except integrations with Malware Analysis, which has a default filter to permit Adobe PDF, Archives, Debian Packages, Office Documents, and Programs and Libraries.

Customize a Data Enrichment Filter

To customize the data enrichment filter for a provider, follow these steps:

1. Select Menu > Settings > Data Enrichment.

2. For the enrichment provider click Edit.

110


3. Clear the Use Defaults check box.

4. Clear and select the file-type check boxes as desired and click Save. See "Data Enrichment Filters" on page 247 to see which file types are included with each filter.

5. A list of file types that are selected for the filter is displayed.

File-Type Promotions

Sometimes it is difficult to understand how Security Analytics defines file types for the data-enrichment filter. Security Analytics now exposes the "promotions," which are rules that define how Security Analytics classifies a file for the data-enrichment filter when certain combinations of characteristics are true.

The promotions are defined in /etc/solera/config/tonicfilterconf under "promotions". For example:

111


Promotion Explanation

{ "detected_types": [ "bin", "text" ], "presented_types": [ "javascript" ], "presented_extensions": [ "js" ], "promoted_type": "javascript" },

When the detected MIME type is bin or text AND (the presented MIME type is javascript OR the presented extension is js) the file type is promoted to javascript for the purposes of the data-enrichment filter.

You may edit, delete, or add new promotions. The valid values for the _type fields correspond to the file-type filter names: archives bin code config deb documents email executables

images ipa jar javascript multimedia pdf text

To see which MIME types are included in each filter, see "Data Enrichment Filters" on page 247.

Timespan Filters

Timespan filters are present on Menu > Analyze > [Summary | Reports | Extractions | Sessions | Geolocation]. By default, the system displays the last 15 minutes of data captured.

Expand the control to select another predefined timespan or click the date/time fields to specify a particular time.

112


See "Data Availability" on page 49 for an explanation of the calendar-shading colors.

Advanced Filters n See valid "Advanced-Filter Attributes" on page 115

With the advanced filters, you can easily and rapidly apply additional filters to the report data. When an advanced filter is applied, the charts and tables change automatically to reflect the new criteria.

n Advanced filters are applied directly to the data in the view, whereas applying a primary filter causes the operation, for example an extraction, to be performed again.

n Advanced filters affect only what is shown in the current view; they do not affect what is shown in other views (Summary, Reports, Extractions, Sessions, Geolocation) nor can they be carried across to other views.

Create an Advanced Filter

1. Select Menu > Analyze > [Reports | Extractions | Sessions | Geolocation | Alerts].

2. Select the desired view from the view selector.

3. Click Add a Filter to select a list of valid attributes for this view.

113


4. Select an operator.

5. Type or select the desired value and press Enter. The system applies the filter to the displayed data.

Create Nested Filters

This example shows how to convert the following expression into a nested advanced filter:

(file_size>=1000 AND file_extension=ico) OR (file_type=image/x-icon AND file_size>=1000) 1. Begin by selecting the Boolean

that will link the first group of filters to the second group—in this case, OR— and then click Add Filter Group.

2. Select the Boolean that links the terms within the first group (AND) and then add the filters.

3. To add the second group, click the same Add Filter Group icon as for the first group, and then add the filters for the second group.

Create Filters from Graphical Screen ElementsYou can instantly create a primary, advanced, or timespan filter from many of the graphical elements on the Web interface. The example below shows what happens when you click the value in the URI Host field of an extracted

114


artifact:

Depending on the attribute, you have the options of:

n adding the value to the filter bar or advanced filter

n adding the value as one of multiple attributes

n using one of up to four logical operators

Other graphical elements with this feature include:

n Report and widget charts and graphs

n Items in results lists: locations, IP addresses, applications

n The Application Group over Time widget, as shown below:

Capture FiltersSee "Capture Filters" above.

Advanced-Filter AttributesThe values for the advanced filter are different for each page. See "Advanced Filters" on page 113 for an explanation of how advanced filters work. Also see "Metadata Settings" on page 56.

Alerts

The Menu > Analyze > Alerts pages offer the following options:

115


n appliance — CMC Only.Sensor on which the alert was registered

n artifact_identifier — Add the identifier from the Alerts List page, as shown above

n cached — Specify true for reports that were retrieved from the cache

n destination_ip — Destination IP address

n destination_mac — Destination MAC address

n destination_port — Destination port number

n flow_id — Identifier for the flow that triggered the alert

n import_id — Specify the Import ID as shown on the Menu > Capture > Import PCAP page

n importance — 1 = Notification, 2 = Warning, 3 = Critical

n indicator — Name of the indicator that triggered the alert

n integration_provider — Derived from the values in the rule's Send to field

n owner_name — Name of the user to whom the alert is assigned

n match_criteria — Regular expression in an open parser rule that triggered the alert

n name — Name of the open-parser rule that triggered the alert

n rule — Name of the rule that triggered the alert

n score — Score returned by the integration provider

n source_ip — Source IP address

n source_mac — Source MAC address

n source_port — Source port number

n type — Specify file or url

n workflow_state — State that has been assigned to the alert

Anomalies

The Menu > Analyze > Anomalies pages offer the following options. See "Anomaly Detection" on page 101 for an explanation of the attributes and valid values:

116


n appliance — CMC Only. Sensor on which the anomaly was detected

n by_field_name — Name of the By Field attribute

n by_field_value — Value for the By Field

n field_name — Name of the Field attribute

n function — Function used to detect the anomaly

n over_field_name — Name of the Over Field attribute

n over_field_value — Value for the Over Field

n partition_field_name — Name of the Partition Field attribute

n partition_field_value — Value for the Partition Field

n score — Anomaly score (0–10)

Audit Log

See "Audit Log" on page 307.

Extractions

Consult the table below to see which advanced-filter attributes are available in the various Menu > Analyze > Summary > Extractions views. Artifacts and Artifacts Timeline provide identical attributes.

Field Description Artifacts

Email

IM Media

email_bcc Email addresses in the Blind Carbon-Copy field X X

email_cc Email addresses in the Carbon-Copy field X X

email_from Email addresses in the From field X X

email_messageid

Email message ID X X

email_priority

Email priority X X

email_replyto

Email addresses in the Reply To field X X

email_subject

Email subject line X X

email_to Email addresses in the To field X X

file_extension

Extension of file (DOCX, COM, EXE, JPG) X X

file_size Size of file in kilobytes (KB) X X

file_type Presented MIME type X X

117



Email

IM Media

file_type_mismatch

All entries where the presented MIME type is different from the detected type.

X

fuzzy Fuzzy hash of artifact X X

hex Hexadecimal value X

http_header String in HTTP header X

http_method post or get X

http_request_header

String in HTTP Request headers only X

http_response_code

Three-digit HTTP response code, e.g., 404, 302 X

http_response_header

String in HTTP Response headers only X

image_height Image height (x-value) in pixels X X

image_hw_ratio

Height-to-width ratio of the image X X

image_wh_ratio

Width-to-height ratio of the image X X

image_width Image width (y-value) in pixels X X

ip_address Any IP address (IPv4 or IPv6) X X X X

ip_initiator Source IP address (IPv4 or IPv6) X X X X

ip_responder Destination IP address (IPv4 or IPv6) X X X X

keyword Text string inside an artifact. Not valid from the CMC. X X X

keyword_arabic

Cleartext keyword in Arabic alphabet (UTF-8, ISO 8859-6). Not valid from the CMC.

X

keyword_european

Cleartext keyword in Latin alphabet (UTF-8, ISO 8859-1, Windows 1252). Not valid from the CMC.

X

keyword_japanese

Cleartext keyword in Japanese characters (UTF-8, Japanese Shift-JIS, ISO-2022-JP, EUC-JP). Not valid from the CMC.

X

keyword_korean

Cleartext keyword in Korean characters (UTF-8, EUC-KR). Not valid from the CMC.

X

keyword_utf8 Keyword in UTF-8 characters. Search is case-insensitive. Not valid from the CMC.

X

md5 MD5 hash of artifact X X X

port Any port number X X X X

118



Email

IM Media

port_initiator

Destination port number X X X X

port_responder

Source port number X X X X

protocol Protocol X X

referer Referrer of artifact X X

sha1 SHA1 hash of artifact X X X

sha256 SHA256 hash of artifact X

url URL of artifact X X

user Username of participant in IM conversation X

Extraction Status

The Menu > Analyze > Extraction Status page has the following search terms:

n artifacts — Number of artifacts

n db_size — Size of extraction metadata in the PostgreSQL database

n disk_size — Size on disk of the extracted artifacts

n extraction_end — Time when the extraction stopped

n extraction_start — Time when the extraction was initiated

n filter_end — End time of the timespan filter

n filter_start — Begin time of the timespan filter

n id — Extraction identifier

n name — Name of user who initiated the extraction

n percentage — Percent complete

n state — Current or final state of the extraction

n user_name — Name of the user who launched the extraction

Sessions

The Menu > Analyze > Summary > Sessions advanced filter options correspond to the columns selected to display on the Sessions table. For example if the Sessions table has columns for ipv4_initiator, port_initiator, ipv4_responder, port_responder, application_id, packets, and bytes, these are the options that can be set for advanced filters.

119


Tip: Use the Actions menu to select which columns to display on the Sessions table.

Geolocation

The Menu > Analyze > Summary > Geolocation advanced filter offers the following options:

n bytes — Number of bytes

n ip_count — Number of IP addresses at a location

n location — Name of location

Job Queue

For the Job Queue page (accessed by clicking the Job Queue icon in the upper-right corner) the advanced filter offers the following options:

n id — Job identifier

n status — Job status

n type — Type of job

Reports

For Menu > Analyze > Summary > Reports, the advanced filter offers the following options:

n <report_attribute> — See "Metadata Settings" on page 56 for the list.

n bad_checksums — Number of erroneous checksums

n bytes — Number of bytes

n fragments — Number of IP fragments

n packets — Number of packets

n sessions — Number of sessions

Report Status

The Menu > Analyze > Report Status pages have the following search terms:

n field — Attribute for the report.

n id — Unique ID for the report

n name — Name of the saved report; field is blank if the report has not been saved

n state — Current or final state of the report

n username — Name of user who generated the report

120


Wildcards and Logical Operators

Wildcard Usage

Indicators and filters support two regular-expression characters: the question mark (?) and the asterisk (*):

? = single character

* = zero or more characters

These wildcard expressions may be used in the primary filters and for indicators. (See "Logical Operators in Advanced Filters" on page 128.)

Expression Description Returns Excludes

filename=*solera* All file names that contain the string solera. soleramysolerastuffsolerastuffmysolera

sol123erasollera

filename=*solera All file names that end with solera. soleramysolera

solerastuff

filename=solera* All file names that begin with solera. solerasolerastuff

mysolera

filename=sole*ra All file names that begin with sole and end with ra.

solerasolemncapybara

solenoidmordedura

filename=sol?ra All file names that start with sol and end with ra and that have a single character between sol and ra.

solerasol1ra

sol123ra

filename="*solera*"

All file names that are exactly *solera*. The double quotes disable the character expansion.

*solera* soleramysolera

filename="sol?ra" All file names that are exactly sol?ra. sol?ra solera

filename=\*solera* All file names that begin with *solera. The backslash disables the character expansion for the first wildcard only.

*solera*solerastuff

solerastuffmysolerastuff

filename!=* The file name does not exist. All entries without filenames

All entries that have filenames

To include a hyphen in a filter value, use a backslash, e.g., http_uri=wp\-admin

121


Logical Operators in Primary Filters

Filters are applied from left to right, such that the first value on the left is filtered first and each filter is applied afterward, in order.

For this filter the data is filtered first on the application_id value and then on the ipv4_initator value, which returns all entries where the application is HTTP and the initiator IP is not10.10.2.123.

The default logic joins unlike attributes with AND and identical attributes withOR.

In this filter, the operator after application_id is AND, whereas between the two ipv4_initiator filters the operator is

OR. Click the More Information icon in the status bar to see the query that is passed to the system.

Logical Display

When you enter filter definitions in primary filters, the logical equivalent is displayed below the graphical display.

The logical display shows how Boolean AND joins filters with different attributes, whereas filters with the same attribute are joined with OR. This is the query path:

122


The logical display also shows how filters that contain multiple, comma-delimited values for the same attribute are joined by AND.

If the application_id values were entered as individual attributes, they would be joined by OR.

Creating Complex Filters

With the logic exposed on the line below, you can directly edit the operators (AND, OR only) and change the parentheses, thereby creating "complex filters."

123


For example, when you change the second AND to OR, it forces a second set of parentheses.

Because the default logic does not permit OR between unlike attributes, the graphical filters disappear; however, the filter is still valid. Notice that the query path, below, contains escaped curly and square brackets, which indicates that the filter is complex.

Likewise, you can move the parentheses to a different location, and the filter is still valid.

124


Complex Filters Across Namespaces

All filter attributes belong to one of four namespaces: flows, verdicts, packets, and groups. The " Metadata Tables" on page 58 show the namespace for each attribute. A complex filter cannot contain attributes from different namespaces. For example, all four namespaces are present in this filter:

Because AND joins all of the attributes, the filter is valid. However, if you change one or more ANDs to OR, the filter is not valid, and an error message is displayed.

Likewise, if you add parentheses the filter is not valid.

Logical Display of Indicators

When an indicator is included in the primary filter:

n The individual filters in an indicator are not shown in the logical display, because indicators can contain an extremely high number of filters.

n The individual filters inside an indicator are treated as individual filters, and then the default logic is applied.

For example, the default Local File Analysis indicator contains these filters:

125


Because all of the attributes are the same, the filters are joined by OR when the indicator is added to the path bar or used in a rule. When another filter is included with the indicator ("favorite"), the displayed Boolean is always AND.

However, the actual logic of this filter is

(file_extension=exe OR file_extension=pdf OR file_extension=html OR file_extension=htm OR file_extension=js OR file_extension=swf file_extension=jar)

Boolean OR is the operator because all of the filters use the same attribute: file_extension.

When an indicator contains unlike attributes, the logic differs depending on the Boolean that joins the indicator with the other filters. For example, a custom indicator called OCSP Japan contains two filters, each using a different attribute:

When adding another filter that has one of the same attributes as the indicator, the logical display shows AND.

However, the actual logic is

(application_id="ocsp" and (country="Japan" OR country="China"))

If you change the AND to OR, the logic changes to

126


((application_id="ocsp and country="Japan") OR country="China")

The filters in the graphical display are not shown, because the OR is not supported by the default logic.

Filter Operators

Operation Syntax Example Result

AND <attribute>=<"value1","value2">

ipv4_address="1.1.1.1","2.2.2.2"

Returns entries with both 1.1.1.1 and 2.2.2.2 as host addresses.

<attribute1>=<value><attribute2>=<value>

ipv4_address=1.1.1.1 application_id=http

Returns HTTP entries with host address 1.1.1.1.

OR <attribute>=<value1><attribute>=<value2>

ipv4_address=1.1.1.1 ipv4_address=2.2.2.2

Returns entries with either 1.1.1.1 or 2.2.2.2 as host addresses.

RANGE <attribute>=<value1-value2>

ipv4_address=1.1.1.1-1.1.1.254

Returns entries with any host address between 1.1.1.1 and 1.1.1.254.

NOT <attribute>!=<value> application_id!=http Returns all applications except HTTP.

!indicator !MIME Type BIN Returns everything that does not match mime_type="application/bin", "application/binary", "application/x-msdownload"

contains <attribute>~<value> http_uri~yahoo Returns all URIs that contain yahoo.

does not contain <attribute>!~<value> http_uri!~twitter Returns all URIs except those that contain twitter.

is null <attribute>!=* referer!=* Returns all entries where the referer field is empty or non-existent.

greater than <attribute>><value> vlan_id>45 Returns all entries that have VLAN ID numbers larger than 45.

greater than or equals

<attribute>>=<value> packet_length>=1024 Returns all entries that have packet lengths of 1024 bytes or larger

less than <attribute><<value> interface<3 Returns all entries from interfaces with an ID less than 3.

127


Operation Syntax Example Result

less than or equals

<attribute><=<value> port_initiator<=35000 Returns all entries that have port initiator number of 35000 or lower

n OR is operational only with the same attribute types, for example, two application_id filters or multiple port filters. If the attribute types are different, the operation is always AND.

n To apply a primary filter to a different view (Summary, Reports, Extractions, Geolocation), select the view while the filter is still present in the filter bar.

n To save a primary filter, click the star to add it to the indicators list.

n To delete an individual filter, click its white and click Update or press Enter.

n To delete everything in the filter bar, click and click Update or press Enter.

n To modify an attribute/value pair, click it to enter edit mode, type the new value, and press Enter.

n Applying a primary filter causes an operation such as extraction to be performed again, whereas advanced filters are applied only to the data already in the view.

Logical Operators in Advanced Filters

n NOT (does not equal) is treated as a negative AND. When there are multiple NOTs in the filter, they are treated as a single AND operator.

n Any special character between double quotes is treated as plain text: the asterisk in "A*C" is treated as plain text, whereas in A*C it is a wildcard.

n The term null is valid for the = and != operators: referer!=null will return all entries where the referer field contains a value.

Universal ConnectorWith the Universal Connector, you can directly add IP addresses to the filter bar from a web browser.

n To install the Universal Connector, select About > Universal Connector.

n Under Browser Bookmarklet, right-click the Bookmark button and select Add to favorites, Bookmark this link, or Add link to bookmarks (depending on your browser).

Add an IP Address to the Filter Bar with the Universal Connector

1. Browse to a page with one or more IP addresses on it. (The IP addresses must be in dotted-decimal notation: 203.0.113.17, not domain.tld.)

2. Launch the Universal Connector by opening Bookmarks and double-clicking Universal Connector.

128


3. The Universal Connector underlines all IP addresses (linked and plain text). Place your cursor over an IP address to invoke the Add control and click.

4. The IP address is added to the list; alternatively, you can click the IP Address field and type the address manually.

5. Optional — For Endpoint, select Either, Source, or Destination.

6. Optional — For Port, type a port number and select the Type and Endpoint values.

7. Optional — Select a new date or time (default: last 15 minutes).

8. For Appliance, type the hostname or IP address of your appliance.

9. Click Investigate in Security Analytics.

10. The filter is added to the filter bar in the Menu > Analyze > Summary view.

IndicatorsAn indicator consists of one or more primary filters (attribute/value pairs). Indicators are used to filter report results and to trigger rules and alerts. (See "Primary Filters" on page 107, "Rules" on page 230, "Alerts" on page 236.)

Preloaded IndicatorsSymantec Security Analytics is preloaded with a variety of indicators, including but not limited to the following:

n Presented MIME Types

n Presented File Types

n Commonly Scanned Ports

n Non-Standard Protocol Traffic

n SSL Certificate Validity

n RFC1918 IPv4 Addresses

Live-Feed Indicators

Security Analytics includes live-feed indicators such as:

129


From rules.emergingthreats.net

o CI Army Threat Intel

o Botnet C2

o Compromised IPs

o Spamhaus Block List

From abuse.ch

o Ransomware Tracker Domains, IPs, URLs

o Feodo Tracker

o Zeus Tracker-Bad Domains, IPs

From malwaredomains.com

o DNS-BH - MalwareDomains

From isc.scans.edu

o SANS ISC - IP Block List

o SANS ISC - Suspicious Domains

C

h

aracteristics

n The live-feed indicators will be updated only after they have been activated .

n After activating a live-feed indicator, click Edit to make sure that:

o the update schedule is convenient (default: daily at 03:33)

o your appliance can reach the URI

n Every update replaces the entire indicator: deletions, additions, changes

n To create your own live-feed indicators, follow the instructions in "Import Indicators from a List, or Create a Live-Feed Indicator" on page 132.

Indicator Specifications n The size of the filters in an indicator cannot exceed 512 MB, which is calculated by character count. For

example, an indicator can contain ~900,000 ipv4_address filters or ~150,000 http_server filters (~200 characters for the URL values).

n When an indicator has more than 1000 filters, the filters cannot be edited or deleted using the web UI.

n A maximum of 1024 indicators can be active (in rules) at the same time.

Using IndicatorsTo use indicators, do one of the following:

n Select Menu > Analyze > Indicators. For the indicator, click Add to Filter Bar . The indicator is added to the filter bar on the Summary page.

n Select Menu > Analyze >[Summary | Reports | Extractions | Geolocation] and

o Expand the filter bar to select the desired indicator.

130


o Type part of a name and select the indicator from the options that the system presents. You can choose to include or exclude the indicator: <indicator> or !<indicator>.

n Create a rule and add the indicator to the rule under First Event.

Create a New Indicator

1. Select Menu > Analyze > Indicators.

2. Select Tools > New. The Create an Indicator dialog box is displayed.

3. Specify a Name for the indicator.

4. For Filter, type one or more primary filter attributes (see " Metadata Tables" on page 58) or the names of existing indicators. Begin typing to get suggestions. You can use "Wildcards and Logical Operators" on page 121.

131


The rules engine cannot detect values for attributes that are in the verdicts or groups namespaces. Those values are produced by data enrichment processes, which populate the Indexing DB after the data has passed through the rules engine. (See "Data Enrichment" on page 188.) Attributes in the packets namespace (such as" SCADA" on page 71) are also not supported by the rules engine, with the exception of packet_length.

5. Optional — Clear the Shared check box.

6. Click Save.

Create an Indicator from the Filter Bar 1. In the filter bar, type the desired filter attributes. (See " Metadata Tables" on page 58). Consult "Wildcards and

Logical Operators" on page 121.

2. Click the star to save the indicator.

3. Provide a name for the indicator and indicate whether it is to be shared.

4. Click Save. You can view the new indicator on Menu > Analyze > Indicators or in the filter bar drop-down list.

Import Indicators from a List, or Create a Live-Feed Indicator

1. Select Menu > Analyze > Indicators and select Actions > Import. The Import an Indicator dialog is displayed.

2. For File Type, select one of the following:

n DShield — Access the feed at feeds.dshield.org/block.txt. This file, updated daily, shows the top 20 attacking Class C networks over the past three days.

n Snort® — Recommended rules are located at rules.emergingthreats.net/blockrules/. See "Snort Rules" on the next page for conversion conventions.

n JSON — Indicators formatted as JSON arrays, such as indicators that have been exported from a Security Analytics appliance. (See "JSON Formatting for Indicators" on page 137.)

n List — Import a text file that contains one or more values for a single filter attribute. Delimiters determine the Boolean operator. (See "Format a List of Indicators" on page 136.)

3. Specify a Name for the indicator.

4. Snort Only — Select the Honor rule directionality check box to preserve inbound- and outbound-specifics. See "Snort Rules" on the next page.

5. Location — Select one of the following:

132

http://feeds.dshield.org/block.txt

http://rules.emergingthreats.net/blockrules/


n Browser Upload — Click Browse and select a file to upload.

n Remote — Use this option for third-party live feeds or for your own live updates. Specify the URI where the file containing the indicators is located, then set the schedule for how often the indicators are to be uploaded. (The scheduler is similar to the scheduler for reports. (See "Scheduled Reports" on page 143.) Each time the file is updated, the indicator changes to include all additions, deletions, and edits to the file.

6. Click Save.

Snort Rules

Imported Snort files (.rules) are converted to filter attributes as follows:

n The Layer 4 protocol becomes ip_protocol=tcp or ip_protocol=udp. The protocol is not attached to a specific IP address or port as it is with the Snort rule.

n Fields such as msg, reference, flags, classtype, and sid are ignored.

n The IP addresses and ports are extracted from Snort rules as ipv4_address=[x] and port=[x] unless you select Honor rule directionality to specify initiator or responder:

o $EXTERNAL_NET -> [$HOME_NET] creates IP and port initiator filters

o $HOME_NET -> [$EXTERNAL_NET] creates IP and port responder filters

example

This Snort rule, imported with Honor Rule Directionality selected

alert tcp $HOME_NET any -> 203.0.113.211 1023 (msg:"ET CNC Shadowserver Reported CnC Server Port 1023 Group 1"; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 360, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2405004; rev:4233;)

becomes this indicator:

No other attributes besides IP protocol, source/destination IP/port, and direction are extracted from Snort rules.

Export IndicatorsFollow these steps to export JSON indicators, which can be imported to another Security Analytics appliance.

133


1. Select the check box for the indicator(s) that you want to export.

2. Select Actions > Export.

3. Follow the prompts to save indicators.json to your workstation.

Edit Indicators 1. To edit an indicator, do one of the following:

n Select Menu > Analyze > Indicators and click Edit for the indicator to modify.

n Click on an indicator anywhere on the web UI to open the Edit Indicator dialog.

2. Make the desired changes to the filters or the name of the indicator and click Save.

If you change the name of the indicator, the indicator's name will be changed for all of the alerts, including alerts that were posted when the indicator had its previous name.

134


Delete IndicatorsWhen you delete an indicator, you also delete every other indicator, alert, and rule that contains only that indicator. A rule that still contains an indicator that has not been deleted will not be deleted.

example

The following items contain Indicator1:

n Indicator3 contains Indicator1 and application_group~web.

n AlertABC contains Indicator1 and another indicator called Email.

n AlertXYZ contains ChinaWeb and Indicator3.

The alerts that are triggered by the rules, by indicator, are as follows:

When Indicator1 is deleted, these are the results:

135


n Indicator3 is deleted because it contained Indicator1.

n AlertXYZ is not deleted because it has a remaining indicator, ChinaWeb.

n AlertABC is not deleted because it has a remaining indicator, Email.

n All alerts that were triggered by Indicator1 and Indicator3 are deleted.

n The alerts that were triggered by Email and ChinaWeb still remain.

Format a List of IndicatorsYou can import a list of values for a single filter attribute. Importing a list of values in this manner automatically creates the indicator as attribute=value. The list delimiter determines the Boolean operator.

Delimiter Example Text File Indicator(s) Created

Comma (AND) network management, file server, file transfer, network service

attribute="network management, file server, file transfer, network service"

198.51.*.*, 192.0.0.0_8, 203.0.113.0/24

attribute="198.51.*.*, 192.0.0.0_8, 203.0.113.0/24"

Line Break (OR)

22 33 44 55

attribute="22"attribute="33"attribute="44"attribute="55"

*solera* sol?ra "solera"

attribute="*solera*"attribute="sol?ra"attribute="\"solera\""

n The system will automatically escape double quotation marks, backslashes, and other non-wildcard characters. (See "Wildcards and Logical Operators" on page 121.)

n For other operators, nesting, or multiple attributes, see "JSON Formatting for Indicators" on the next page.

136


JSON Formatting for Indicators n Define the indicators to import using JSON. (See "Import Indicators from a List, or Create a Live-Feed

Indicator" on page 132.) The file should be UTF-8 encoded without BOM.

n Imported indicators that have the name of an existing indicator will be renamed <indicator> 2.

n Valid values for attribute and value are shown in the " Metadata Tables" on page 58.

n Valid values for <operator> are equals (=), does not equal (!=), less than (<), less than or equals (<=), greater than (>), greater than or equals (=>), contains (~), does not contain (!~). Format single-level indicators as follows:

{"indicator_name_1":

["attribute_1<operator>value_1","attribute_2<operator>value_2"],

"indicator_name_2":["attribute_3<operator>value_3","attribute_4<operator>value_4"]

}

Nested JSON Indicators

To nest indicators, the lowest-level indicators must be defined first in the file, followed by the "container" indicator. The container cannot reference indicators that already exist on the appliance. The following example creates four indicators: three "sub-indicators" and one "container" that includes the sub-indicators.

{"sub-indicator_1":

["attribute_1=value_1"],

"sub-indicator_2":["attribute_2=value_2"],

"sub-indicator_3":["attribute_3=value_3"],

"CONTAINER_INDICATOR":["indicator=sub-indicator_1", "indicator=sub-indicator_2", "indicator=sub-indicator_3"]

}

ReportsThe Reports page presents a detailed, filterable view of every kind of report. Select which reports are available on

Menu > Settings > Metadata. On the Summary page, double-click the heading of a widget to open that report on the Reports page.

137


n See "Menu > Analyze > Summary > Reports" on page 411

n See a list of available reports on "Metadata Settings" on page 56

Reports Page

Menu > Analyze > Summary > Reports

1 Report Summary Chart

2 Total [Unit] over Time histogram

3 Report comparison controls and advanced filter

4 Report results list

5 Column selector control

Report Results ListThe report results list is a table of the individual records as well as the bytes, packets, sessions, IP fragments, and bad checksums associated with that record. (You can display the IP fragments and bad checksums by clicking the column selector control.) The column values are shown as both an absolute number and as a percentage. Click on any of the column headers to sort on the column value; click a second time to invert the sort order. To specify how many rows to display at a time use the Results per Page control at the bottom of the page. (Permanently set this value by

selecting [Account Name] > Preferences.)

Reports are limited to 100,000 rows.

138


When you change the sort topic or the sort order, the Report Summary and Total [unit] over Time charts are updated to reflect the changed topic or order.

Compare Report ResultsOn the Reports page, you can compare the amount of change over time.

1. Select Menu > Analyze > Summary > Reports.

2. Select the desired view from the view selector.

3. Select Enable Report Comparison.

4. Optional — Select the unit of measurement to compare: Bytes, Packets, or Sessions.

5. Optional — The Comparison Time Range box displays the From and To times in the main timespan selector. Expand the timespan control to select a timespan (last 15 minutes, last 60 minutes, etc.) or click the date/time to specify another time.

6. The change over time is displayed both as the amount (Change column) and the percentage (Change % column). The default sort order is Change in absolute values, with the greatest value first.

7. The Total [Unit] over Time chart displays a line that represents the older timespan.

8. In the Selected Totals chart, change the display settings to Bar Chart or Column Chart to see the comparison line. (See Report Summary Chart.)

Save Report ResultsYou can save report results to view later.


2. From the view selector, select the view to save.

3. Optional — Use the primary filter or timespan filter, as desired.

139


4. Select Actions > Save.

5. Type a name for saved output (max. 300 characters).

6. Click Save.

7. Retrieve the saved results by selecting Menu > Analyze > Report Status > List and clicking View

Report for that entry.

Export ReportsYou can export basic reports in CSV or PDF format. (Compared results cannot be exported.)


2. From the view selector, select the view to export. Filter and modify the results as desired.

3. Select Actions > Download [PDF | CSV].

n CSV file:

o Follow the prompts to save <timespan>_<report_attribute>_report.csv.

n PDF file:

o A message indicates that the generation of the report has begun.

o Click the notification at the upper-right corner of the web interface. The entry shows PDF generation in progress.

o When the process has completed, the status changes from Processing to Download. Click the entry and follow the prompts to save deepsee-report.pdf.

Risk and Visibility Report Generate a PDF document to provide non-analysts, executives, and other members of your organization with a general overview of the latest threats that have been detected by Security Analytics.

The logged-in user must be in a group that has permission to generate the report under

Menu > Analyze > Reports in the permissions table. (See "Group Permissions" on page 261.)

If you import a PCAP, pivot to the Summary page, and then run the Risk and Visibility report for the PCAP, you should add a few minutes to the timespan so that data-enrichment verdicts can be included in the report.

140


1. Select [Account Name] > Risk and Visibility Report.

2. Select the desired timespan. By default the timespan in the current window is selected.

3. Select one or both options:

n Email — In the space provided, specify one or more comma-delimited email addresses. For this option,

you must also specify an email server on Menu > Settings > Communication > Server Settings > Email Settings. (See "Email Alerts" on page 308.)

n Download — A PDF of the report is generated. When it is finished, you can download it from the system notifications. (See "Job Queue and System Alerts" on page 314.)

4. You can monitor the progress of the report by selecting Menu > Analyze > Report Status > List. The reports are displayed with Risk Report in the Name column. To stop the Risk and Visibility report, select the check boxes for all of the reports and click Delete.

Report Status Pages

Menu > Analyze > Report Status

The Report Status pages display reports that are running or that have completed. Use the information on these pages to keep track of system resources and of report-generation history.

Menu > Analyze > Report Status > Summary

The Report Status Summary page displays report totals by the following:

n State — The current state of a report. Possible values are:

o New — The report request has been sent to the query handler.

o Starting — The query handler has begun generating the report.

o Active — The report is currently running but is not complete.

141


o Stopped — The report was stopped by the user clicking the Stop Report button , by browsing away for more than a minute, or by closing the browser window where the report was initiated.

o Stopping — The stop command has been sent to this report but it has not stopped yet.

o Complete — The report has run to completion.

n User — Username of person who ran the report.

n Field — Attribute name of the report. For example, if you select Menu > Analyze > Summary and the selected view has four widgets on it, each widget will have its own entry in this list.

Menu > Analyze > Report Status > List

The Report Status List displays the details about every report that has been saved or that has not timed out. Reports that have not been viewed for one hour will be removed from this list. Saved reports do not time out.

On this page use the check box for each report and the Delete button to:

n Stop reports that were started accidentally

n Stop reports that hang instead of completing

n Delete reports that take up too much space

n Delete saved reports that are no longer needed

Report Status Columns

n ID — Unique ID number of the report

n Username — User who ran the report

n Field — Attribute name of the report

n Timespan Start — Start time for the report data

n Timespan End — End time for the report data

n Start — Time at which the report was started

n End — Time at which the report was completed

n Processing Time — Interval between Start and End; the amount of time to generate the report

n Name — Name of the saved report; field is blank if the report has not been saved

n Saved — Whether the report has been saved; non-saved reports (false) will time out of this list after one hour

n Disk Usage — Amount of space that the report occupies; empty reports are typically 16 kB

142


n State — The current state of a report. Possible values are:

o New — The report request has been sent to the query handler.

o Starting — The query handler has begun generating the report.

o Active — The report is currently running but is not complete.

o Stopped — The report was stopped by the user clicking the Stop Report button , by browsing away for more than a minute, or by closing the browser window where the report was initiated.

o Stopping — The stop command has been sent to this report but it has not stopped yet.

o Complete — The report has run to completion.

n Actions — Click View report summary to see the report in Menu > Analyze > Summary > Reports or

click to see the report details.

Scheduled ReportsYou can set up reports to be run at predetermined times on a regular basis. These reports are sent to specified email accounts.

Prior to receiving scheduled reports, you must configure SMTP settings as shown in "Email Alerts" on page 308.

1. Do one of the following:

n Select Menu > Analyze > Scheduled Reports.

n Select Menu > Analyze > Summary > Reports > Actions > Schedule Report.

2. Click New.

3. For Name, specify a unique name for the schedule. This name will be the filename of the report.

4. For Recipients, type one or more email addresses to receive the reports.

5. For Output Format, select PDF or CSV.

6. Specify whether the scheduled report is to be shared. (A shared report can be edited by all of the authorized users on the appliance; however, the reports will be sent only to the accounts that are specified in the Recipients field.)

How often will the report run?

7. Select the tab that represents the frequency of the report to be run and set the parameters.

143


n In the Hour fields, 00 = midnight.

n For Custom, you can select multiple values for Months, Weeks, and Days.

n The value in [x]Week of the Month is defined according to ISO 8601 conventions, which means that the week in which the first day of the month appears is the first week, even when the first day falls on a weekend.

What is on the report?

8. For Report Type, select one of the available report types. Begin typing to skip to the report name. (See " Metadata Tables" on page 58.)

9. Optional — For Filter, type filter attributes and values to apply. Begin typing to get suggestions.

The attributes for imported PCAPs — interface=imptX and import_id=Y — are not valid for this field unless you select Only Once for the timespan.

10. For the report timespan, select whichever option is available:

n Standard Range — Select the amount of time to be included in the report. The time is calculated backwards from the time the report will run. For example, if you schedule a report to run daily at 13:00 and you specify a range of 2 hours, the report will contain data from the two hours previous to 13:00, that is, 11:00 to 13:00.

n Custom Range — Specify the timespan.

11. Click Save. The scheduled report is displayed in the Scheduled Reports list.

Summary Views

The Menu > Summary views in Symantec Security Analytics are collections of report widgets on a single page. Report widgets are discrete graphical elements that summarize data according to selected criteria. A collection of widgets can then be run against a user-selected time period and a user-defined set of filters. (See "Timespan Filters" on page 112, "Primary Filters" on page 107)

See "Menu > Analyze > Summary" on page 410 for a description of all page elements.

Report Widgets


While the data is still loading for the Summary page, you may click the red Stop Reports button to stop the data from processing.

144


Included on Security Analytics are report widgets that correspond to the available reports. (See " Metadata Tables" on page 58.)

Select a summary view from the view selector.

Use the edit control to change the name, share the view, duplicate the view, or specify a view as the default.

Create a Summary View

You can create a new summary view from a blank view, or you can modify an existing view.

1. Select Menu > Analyze > Summary.

2. Click the view selector and select Add New View.

3. Type a name for your new view.

145


4. Optional — Select Use flow-based columns to permit the report widgets to adjust to the available width of the window. Clearing this check box forces the report widgets to stay in a fixed-grid location.

5. Optional — Select Shared to share the view.

6. Optional — Select Duplicate Existing View? to select a view to duplicate as the new view.

7. Optional — Select Set as default to make this the default view.

8. Click Save. You get a blank summary screen and the Add/Edit Widgets dialog box is displayed.

9. Select one or more report widgets from the Available Reports list and add them to the Selected Reports list. Press Ctrl to select more than one report, and then click the single arrow button to move them to the Selected Reports list.

n The more report widgets in a view, the longer it takes to load the view. For optimal performance and system integrity, limit the number of widgets to 18 per view.

n If the report widgets in the same view are from different namespaces, the reports will take longer to generate.

n Application Group includes the Application Group and the Application Group over Time widgets.

10. Click Add/Edit Widgets.

Report Widget Controls

To reveal the report widget controls, place your cursor over the widget header.

146


1 Move Widget

2 Widget Settings

3 Delete Widget

1 Sort-by Field — Select from the widget name or bytes, packets, sessions, IP fragments, or bad checksums.

2 Order — Ascending, Descending

3 View — Table, Pie, Column, Bar

4 Resolution — Select the check box and slide the selector to the desired resolution.

The settings affect only this report widget in this view. If this report widget is present in other views, the settings on those views will be not changed.

147


Application Group Widgets

Two widgets — Application Group and Application Group over Time — are different from the other widgets; user configuration is limited to session-resolution settings. The Application Group widget has Bytes, Packets, and Sessions columns. The Application Group over Time widget is a histogram of the Application Group widget. Place your cursor over a data point to see the details.

When adding widgets to a view, selecting Application Group adds both the Application Group and the Application Group over Time widget to the view.

Apply Filters to Summary Views

To apply a filter to a summary view, see "Primary Filters" on page 107 and "Indicators" on page 129.

Save the Output of a Summary View

The output of a summary view can be saved on the appliance and viewed on the Report Status list.

1. Select Menu > Analyze > Summary and select the desired view.

2. Add, delete, and modify the report widgets as desired. Add any filters that you want.

3. Select Actions > Save in the upper-right corner of the interface.

4. Type a name for the saved output (max 300 characters).

5. If you click Save before the system has finished processing the data, you have the option to:

n Save and Stop — Save only the data that was processed before you clicked Save and Stop.

n Save and Continue — The save operation will continue until all data is processed.

6. If you click Save after Status shows Finished (100%), all of the results are saved.

7. Retrieve the saved results by selecting Analyze > Report Status > List. There is a separate report entry for each widget.

8. Click View Report to see the report in the Reports (not Summary) view.

Session Resolution

In the Summary, Reports, and Geolocation views, the session resolution percentage is located on the status bar. The purpose of this feature is to limit reports to a subset of data, which allows quicker display of data.

148


Adjust Session Resolution

1. Click the session resolution value for the view.

2. Slide the bar to the percentage of data that you want to view.

Populating the ReportsAlso see:

"Flows in Security Analytics" on page 373, "Alerts" on page 236, "FRS Prefilter Process" on page 392, Best Searching Practices in Security Analytics, and "Metadata Settings" on page 56.

Where's my data?

If you do not see data in your reports and report widgets, it is possible that the features that populate the reports have not been activated or properly set up. This section explains how each report is populated so that you can troubleshoot empty or sparsely populated reports.

Metadata Settings

User-selectable metadata permits you to decide which metadata attributes are written to the Indexing DB. Report data

is not written to the Indexing DB unless it has been selected on Menu > Settings > Metadata.

Natively Indexed Metadata

The data for most Security Analytics reports is extracted directly from the packet headers by the deep-packet inspection (DPI) engine, or it has been added by system processes at the time of indexing. The reports that contain this data are available within seconds of the data being captured, provided that system resources are available. (See "Reindexing" on page 52.)

149


Packet-Header Metadata

n IP/port and Ethernet addresses

n IP protocol

n Email sender, receiver, subject line

n File name, extension, MIME type

n HTTP status code, method, URI, content disposition, server, referrer, user agent, location (redirect), content length

n Username, social persona (user identifier), or password

n Database or web queries

n DNS fields

n Packet length

n User-selectable metadata

System-Added Metadata

n Capture interface or import ID

n Application ID, application group

n Flow ID, flow duration

n NIC vendor

n File type

n Autogenerated domain and score

n Country initiator and responder

n Machine ID

For the other reports, specific conditions must be true before the data is written to the metadata array:

n "Conversation Reports" below

n "Data Enrichment Verdicts" below

n "Hash Reports" on the next page

n "Open-Parser Rules" on page 152

Conversation Reports

The data for the Conversation reports is assembled only when the report is queried. For example, if you invoke the IP Layer View on the Analyze > Summary page, the IPv4 and IPv6 conversations for that timespan will be assembled and presented in their respective report widgets.

n IPv4 Conversation

n IPv4 Port Conversation

n IPv6 Conversation


The values in the Conversation reports are cached but are not written to the metadata DB.

To specify a conversation in the primary filter bar, enter IPv[x]_address="<ip_address1>","<ip_address2>" There is no ipv[X]_conversation attribute.

Data Enrichment Verdicts

Also see: "Data Enrichment Process" on page 389.

Data for the reports in the verdicts namespace is produced by the data-enrichment process. The following conditions must be true for a data-enrichment report to contain data:

150


n The corresponding enrichment provider is licensed and activated.

n Traffic matches a data-enrichment rule for the provider.

n The provider has returned the verdict to Security Analytics OR the verdict for that artifact is already in the verdict cache.

The data-enrichment reports are populated as follows:

Report Providers

File Signature Verdict File Reputation Service, FRS prefilter

URL Categories Local Web Reputation Service, Global Intelligence Network (GIN)

URL Risk Verdict Local Web Reputation Service, GIN

Local File Analysis Calculate and Store Hashes, ClamAV, Custom Hash List, jsunpack-n, YARA

Malware Analysis Verdict Malware Analysis appliance; also see FRS Prefilter

Third-Party Verdict ReversingLabs® TitaniumScale® server

Threat Category ReversingLabs TitaniumScale server

Threat Description ReversingLabs TitaniumScale server

Threat Severity ReversingLabs TitaniumScale server

User Name (flows namespace)

Login Correlation Service

Exception: URL Risk Verdict

With one exception, you cannot use the data-enrichment verdict attributes as indicators for rules, because the data for those attributes is written to the Indexing DB after the rules engine inspects the traffic.

For URL Risk Verdict data, however, the process is as follows:

1. The Web Reputation Service is licensed and activated.

2. A Web Reputation Service rule that contains the url_risk_verdict attribute is activated.

3. The metadata indexer sends all URLs to the local copy of the Web Reputation Service, which returns a verdict (1-10) with 5 being unknown.

4. When a verdict has been returned for every URL in a flow, the metadata indexer sends the flow to the rules engine.

5. If url_risk_verdict is 5 or higher, the system queries GIN to obtain a definitive verdict for that URL.

6. The verdict is written to the Indexing DB.

Hash Reports

The hash reports are not populated by the DPI engine nor the metadata indexer. Hashes are calculated by the extractor under the following circumstances:

151









Open-Parser Rules

Report data for open-parser rules is written to the Indexing DB only when the following are true:

n The open-parser rule is active.

n The rule specifies that metadata be written to the Indexing DB.

ExtractionsSymantec Security Analytics extracts and reconstructs most common file types so that you can see accurate copies of the images, web pages, and documents that have been transported across your LAN. (See "Artifact Preview" on page 161.) Reconstructed files are called "artifacts" in Security Analytics.

Security Analytics performs two types of extractions:

n Manual — When the user selects Menu > Analyze > Summary > Extractions. (See "Menu > Analyze > Summary > Extractions" on page 412.)

n Real Time — When a Data Enrichment rule registers a hit.

ArtifactsArtifacts are objects such as Microsoft Word files, executables, JavaScript files, and HTML pages.

152


When an artifact is transferred via HTTP or email, the MIME type is specified in the header ("presented" in system nomenclature). If it differs from the file type that the system detects, using the magic number or file signature, the value in the Type column is shown in red text. You can also use the file_type_mismatch attribute in the advanced filter to find all such artifacts.

Click an entry in the Results list to see additional information about the artifact.

1 HTTP Response Codes 4 Actions

2 MD5, SHA1, and SHA256 hashes*

5 HTTP method

3 Fuzzy hash * 6 Displayed MIME or file type

A set of actions along the bottom provides the following functionality:

Preview See "Artifact Preview" on page 161

153


Download Download the artifact in its native format, as a ZIP file, or as PCAP(NG)

Analyze PCAP View all artifact packets in the packet analyzer (See "Packet Analyzer" on page 184.)

Explore Root Cause

See "Root Cause Explorer" on page 159

Reputation View reputation-service information (See "Reputation Providers" on page 1.)

* Enable hash computation for manual extractions on the Web UI. Select Menu > Settings > System and select or clear the following options: MD5, SHA1, SHA256, Fuzzy. (Fuzzy hash is disabled by default.)

Extraction Status Page

Menu > Analyze > Extraction Status

The Extraction Status page displays all recent extractions plus any saved extractions. From this page you can see which extractions are still in cache and delete or stop any extractions that have not yet completed or that you want to remove. Extractions remain in cache for one hour.

154


When you save an extraction by selecting Actions > Save on the Extractions page, the extraction is saved on this page until you delete it. Extractions that are not saved will be deleted from this page after six hours.

Field Description

Click to delete the extraction from the page and from disk

Stop the extraction

Pivot to the Extractions page to view the extraction

Click to copy the PCAP path to clipboard

Status Whether the extraction is running, canceled, or complete

Created By The user who initiated the extraction

ID The extraction ID

Start Timespan start time

End Timespan end time

Length Amount of time between Start and End

Started Time that the extraction was initiated

Finished Time that the extraction ended

Duration Amount of time to perform the extraction

Database Size of extraction metadata in the PostgreSQL database (/var/lib/pgsql)

Disk Size of the artifacts on the system disk (/home/apache/artifacts)

Artifacts Number of artifacts in the extraction

MIME-Type Display

Specify which method determines the displayed file type of an artifact on [Account Name] > Preferences:

n Artifact MIME-Type Display — Specify how the file type is displayed in the Type column on the Extractions page:

o Presented — Use the value in the Content-Type field of the HTTP or email header, else show unknown.

o Detected — Use the embedded magic number or file signature, else show unknown.

o Derived — If both presented and detected values are present, use internal logic to display the most likely file type.

155


SMB Artifacts

For artifacts transmitted over SMB, an extra field is displayed.

SMB Fragment displays whether the artifact is a known SMB fragment (true). To display SMB fragments, go to

Menu > Settings > System and select the Display fragments check box.

HTTP POST Payloads

For HTTP POSTs, the payload has a separate entry from the original POST and is displayed below it.

The payload artifact does not display an HTTP method or the HTTP response icon.

Click Show Payload to see the Artifact Details for the payload.

VoIP Extractions

The VoIP artifacts are extracted and displayed by segment and payload type rather than by participant. The figure below shows the segments from one side of the call: PCMU (default audio), CN (comfort noise), and video/H263

156


(which is present in the VoIP implementation but unused in this particular call). (Consult RFC 3551 for payload formats.)

From the main (multipart/x-voip) artifact entry, you can download the entire call in Ogg or WAV format or as a PCAP(NG).

To preview the call, select the Ogg or WAV format and then listen to the call.

Following the main artifact are separate artifacts that display each segment separately. From each separate entry you can download the raw version of that segment.

157

https://tools.ietf.org/html/rfc3551


Save Extractions and ArtifactsYou may save the extraction results at any time, even if the extraction process for that view has not finished.

1. Open an Extractions page and apply any desired filters.


3. Type a name for the results.

4. If you click Save before the extraction process is finished, you are provided with two options:

n Save and Stop — Everything that was extracted until you click Save and Stop will be saved.

n Save and Continue — The save operation will continue until the extraction process is completed.

5. If you click Save after Status shows Finished (100%), all of the results in the view will be saved.

6. Click Save.

7. Go to Menu > Analyze > Extraction Status to retrieve the extraction. Saved extractions persist on disk until you manually delete them.

Save Multiple Extraction Items 1. Open an Extractions page and apply any desired filters.

2. Select the check boxes for the artifacts to save.

3. In the left panel, under Selected Actions (X), click Download Artifacts and follow the prompts to save the artifacts to your workstation in a ZIP file.

158


Cancel an ExtractionWhile an extraction is running, you can cancel it without saving the results.

1. Select Actions > Stop Extraction. A few minutes may elapse before the extraction stops completely.

2. When the extraction has fully stopped, the status will show Canceled 100% regardless of how much data was processed.

3. Optional — Select Actions > Save to save the data that was extracted before the process was canceled. After you have saved the data, you may restart the extraction by selecting Actions > Rerun.

Artifact PreviewSee "Artifact Preview" on page 161.

Root Cause ExplorerThe root cause explorer presents the chain of referrers for a given artifact.

1. To view referrer URL information, select Menu > Analyze > Summary > Extractions.

2. Click an artifact.

3. If there is a value in the Referrer field, click Explore Root Cause. The system will display the referring artifact. If that artifact also has a referrer, that artifact will be displayed as well, until no more referrers are found. All of the referrers must be in the same extraction session (same timespan and filters) for the referrer to be included.

Artifacts TimelineThe Artifacts Timeline view displays the distribution of artifacts across time.

n You can view the timeline by initiator/responder IP or port or by file type.

n Click the artifact or [X]Artifacts to see more information.

n Once you have selected an individual artifact, you can view it the same way as a single artifact.

Email ExtractionsThe Email view provides information about email messages (EML) and their attachments. If an attachment is included in an email, it can be exported using the FTP File Mover. (See "Configure Integration Providers" on page 216.)

Security Analytics extracts only non-encrypted email messages. To decrypt SSL/TLS-encrypted messages, install a Symantec SSL Visibilty Appliance upstream of the Security Analytics appliance.

159

https://www.symantec.com/products/information-protection/encrypted-traffic-management/ssl-visibility-appliance


n Click Preview to see the email.

n Click the attachment to select the file-type for download.

n Click View Attachment Details to see more information.

IM ConversationsThe IM Conversations view displays a list of IM conversations.

Security Analytics extracts only non-encrypted IM conversations. To decrypt SSL/TLS-encrypted messages, install Symantec SSL Visibilty Appliance upstream of the Security Analytics appliance.

IM Conversation Preview

160

https://www.symantec.com/products/information-protection/encrypted-traffic-management/ssl-visibility-appliance


1 Participant list, including avatars

2 Click to view more about each participant

3 Conversation details

4 Date of capture, such as the date the PCAP file was imported or the conversation was captured

5 Click to hide or show status changes

6 Conversation date

Media PanelThe media panel displays thumbnails of captured image, audio, and multimedia files. By default, images that are smaller than 2 Kb are not displayed.

1. Under Filter Results, you can select one or more image or audio file types.

2. Use the Advanced Filter to narrow the search.

3. Preview small, medium, or large thumbnails.

4. Place your cursor over a thumbnail to see a summary of its attributes (URL, source/destination IP, file size, MIME type). Click the thumbnail to see the image's actual size.

5. For audio files, click to launch an audio player for the file.

Tune the Extraction Process

Menu > Settings > System

Use these settings to better adapt the extraction process to your environment.

n Enable signature-based extraction — Enable this setting to determine how to extract artifacts from the protocols.

n Display fragments — Enable this setting to display whether the artifact is a known SMB fragment.

n Assemble partial content — Enable this setting to reassemble partial HTTP content, when possible.

n Extractor Tuning Parameters — Use this field only in conjunction with Symantec Support.

Artifact PreviewThe Preview function provides the following views:

161


n Audio — Audio player for VoIP calls and other audio files

n Email — The actual email message

n EXIF — The Exchangeable Image File data for JPG/JPEG files

n File Info — Output of the file command

n HTTP Headers — Request and response headers for the artifact

n Hex — Hex dump of the plain text

n Web Page — The HTML document with or without graphics, style sheets, and JavaScript®

n Image — The actual image: GIF, BMP, PNG

n jsunpack-n — The jsunpack-n results

n Strings — Output of the strings command

n Text — The plain text or formatted code, including FTP and Telnet sessions

Artifact ViewsThe Artifact Preview window displays all of the tabs for all of the views so that you can see different renderings for each artifact, regardless of the presented or detected file type.

Audio

A playable audio interface for audio files:

Any file can be displayed in the Audio view, and if you click the Play button, your browser will attempt to launch the file in its native application. Take care not to accidentally launch malware in this way; instead, click Download Artifact to obtain the artifact in a ZIP archive.

See "File Names Sent to Providers" on page 228 for an explanation of the default extractor file name.

162


Email

The email message in HTML.

EXIF

For JPG/JPEG files, the embedded EXIF information.

File Info

Results from the File command, such as the artifact filename, file modification date/time, application version, and flags.

163


See "File Names Sent to Providers" on page 228 for an explanation of the default extractor file name.

HTTP Headers

The HTTP request and response headers for the artifact, such as GET, POST, error codes, cookies.

In the results list, you can also place your cursor over the icon to see the HTTP response code, if any.

164


Hex

A conventional hex dump of the text.

165


Web Page

For text/html, the stripped-down web page.

Click View Options to add other elements (images, cascading style sheets, scripts) to the view.

n Captured Data — Retrieve from your capture drive.

n External — Retrieve from the Internet.

166


n Click View Page Elements to see a list of images, CSSs, and scripts that are included on the web page.

When you view scripts (captured or external), you risk infecting your system with any malware in the scripts. To prevent the importation of external images, stylesheets, and scripts during HTML preview, select Settings > Web Interface and clear the Enable External HTML Elements Preview check box.

Security Best Practice Clear the Enable External HTML Elements Preview check box.

n Click Download Artifact to save the HTML page (but not the page elements).

167


Image

The actual image, if it can be rendered.

jsunpack-n

The results from jsunpack-n. In most cases, there is no JavaScript inside the artifact, so it will return [nothing detected] and info:[0] no JavaScript.

For JS, PDF, HTML, and SWF files, the process will usually return more details. The phrase [nothing detected] means that no malicious code was found. (Most error messages are generated by the script as it attempts to access data and variables in other files; they are not an indication that the file has been corrupted.)

168


For a corrupted file jsunpack-n will designate elements as "malicious" or "suspicious":

169


Strings

Results from the Strings command.

Text

The artifact in plain text. You can select one of the Syntax Highlighting options to see code in its native formatting.

Syntax Highlighting Options

ActionScript®3

CSS Formatted

HTML Formatted

Perl® Scala

Bash/Shell Delphi JavaScript PHP SQL

ColdFusion Diff JS Formatted Plain Text

Visual Basic®

C# Erlang Java Python XML

C/C++ Groovy JavaFX® Ruby XML Formatted

CSS HTML

170


Encoder/Decoder Tool

When the text consists of obfuscation-encoded characters such as BASE-64 or URL, you can decode the text by

copying the text and selecting [Account Name] > Encoder/Decoder Tool. Paste the text to decode in Encoded Text, select the Algorithm, and click Decode. (Alternatively, you can paste plain text into Decoded Text, select an algorithm, and click Encode to encode the text.)

171


For FTP sessions, the Text preview shows the sequence of events .

For Telnet sessions, the Text preview (HTML Formatted) displays the messages with <server> and <client> tags.

SessionsNew in Security Analytics 8.1.1

See also "Menu > Analyze > Summary > Sessions" on page 414

The Sessions table presents a detailed, filterable view of sessions seen by Security Analytics. A session is a defined conversation between two endpoints. By filtering the sessions for a specific time range and for certain attributes, you can diagnose and troubleshoot network problems.

172


Example of how the sessions table can be useful:

1. Your firewall sends an alert about traffic between two endpoints. You want to understand what was happening on the network between these two endpoints, both at the time of the alert and for a few days before.

2. To troubleshoot this issue, go to the Sessions tab in Security Analytics, set the timespan filter to the time of the alert and for the preceding 72 hours, and set the IP address filters to the two endpoints.

3. Analyzing the Sessions table, you see that most of the traffic has been classified as HTTP, although not necessarily on standard HTTP ports (80 and 443). What URLs are being accessed and from what countries? You need to add some additional columns to find out.

4. On the Actions menu, select Add/Edit Columns, and add HTTP URI and Country Responder.

5. End result: The Sessions table displays all of the information (IP, ports, application IDs, URI paths, responder countries) necessary to help troubleshoot the issue and identify outliers.

Sessions Page

Menu > Analyze > Summary > Sessions

1 Filter bar—Enter attributes to filter the session results. See "Using the Filter Bar" on page 107.

2 View selector—Create named session views so that you can quickly retrieve them later. The view includes the type and order of columns, but not the filter.

3 Advanced Filter

173


4 Session results list

5 Status bar

6 Actions:

Analyze—View packets for the selected session in the packet analyzer (See "Packet Analyzer" on page 1.)

Extract—Open the selected session in the Extractions view. See "Extractions" on page 1.

Download—Download the pcap of the selected session. See "PCAP Files" on page 1.

Session Results TableThe sessions table lists the sessions that match the attributes defined in the advanced filter for the defined time range. Click on any of the column headers to sort on the column value; click a second time to invert the sort order. To specify how many rows to display at a time use the Results per Page control at the bottom of the page. (Permanently set this

value by selecting [Account Name] > Preferences.)

Security Analytics tracks a variety of statistics for the sessions that it sees. By default, the sessions table displays fields for initiator IP address and port, responder IP and port, application ID, packets, and bytes. To specify additional fields, select Actions > Add/Edit Columns.

In the session results table, some items are colored black (such as date/time values) and others are blue (IP addresses, ports, etc.). Blue values are hot links that display a shortcut menu when clicked. This shortcut menu provides options for building a filter based on the value. For example, if you click http in the application_id column, you can build a filter application_id="http". For more information, see "Create Filters from Graphical Screen Elements" on page 114.

Detail View

To see detailed statistics and information about a particular session, use Detail View. Detail View shows over 30 different fields for the selected session, including application_group, bytes, flow_duration, ip_protocol, and packets. These details appear within the session results table, directly below the selected session row; rows below the selected row slide down to make space for the details.

174


To display the details associated with a selected session, do one of the following:

n Click in an empty area of a cell in the session row.

Note: Don't click on blue values in a cell—this data is a hot link that displays a shortcut menu. If you do that accidentally, just click on an empty area.

n Use the up- and down-arrow keys on the keyboard to select the session row, then press the right-arrow key.

To hide the details, click again in an empty area of the cell or press the left-arrow key.

Additional Notes

n You are allowed to display Detail View of as many sessions as you like. Note that details are not saved with the report.

n There is not a keyboard control for displaying the next page in the sessions results; click Next to display the next page of results.

Save Session ResultsYou can save session results to view later.

1. Select Menu > Analyze > Summary > Sessions.

2. Optional — Use the primary filter or timespan filter, as desired.


4. Type a name for saved output (max. 300 characters).

5. Click Save.

6. To retrieve the saved results:

a. Select Menu > Analyze > Report Status > List.

175


b. In the Name column, locate the name you assigned to the saved sessions report.

c. Click to view the report.

GeolocationSymantec Security Analytics provides "geolocation," which is a representation of a host location on a world map.

n Select Menu > Analyze > Summary > Geolocation to view the geolocation report. (See "Menu > Analyze > Summary > Geolocation " on page 415.)

n The Report Summary panel displays a geographic representation of the filtered data. By default, the map is centered on the Greenwich meridian at the equator (0 lat, 0 long).

n The geographic location of every IP address is identified by a dot on the map. The size of the dot indicates amount of data transferred to or from that geographical area, and the saturation of the color indicates the concentration of markers: darker dots indicate that, upon zooming in on that location, you will see multiple markers.

Geolocation can locate only IP addresses that have location information in the MaxMind databases.

Map NavigationUse the controls in the upper-left corner to zoom and center the map.

Press Shift and drag your cursor to select a specific area of the map to enlarge. The results will change to list only the results that are in the view.

To return to the full view, click the globe icon.

176


Place your cursor over a dot to see how many IP addresses and how much traffic is associated with that location.

To save the view (the magnification and area), select Save Current Map as View.

Fill in the fields as desired and click Save. The view is now available from the view selector.

Results List

Click a location to see all of the IP addresses that are associated with that location.

177


The locations in the list will be as specific as possible. A general item such as “United States” contains all of the IP addresses in the U.S. for which a more specific location could not be found. It is not the total of all IP addresses in the United States.

Saving Geolocation Results 1. To save the results, click Actions > Save.

2. Give the results a name and click Save.

3. Retrieve the results from Analyze > Saved Results. Click View Report to open the results as an IPv4 Conversation report.

Notes on the Accuracy of Geolocation Data

n Geolocation can identify only the server location, not a specific device.

n Routing randomization with services such as Tor® or Onion may produce unreliable geolocation data.

n IP addresses can be spoofed with readily available technology.

Geolocation Settings

Select Menu > Settings > Geolocation to open the Geolocation page. On this page you can view and specify values used when examining the geographic location of connections. These include internal subnets, Google Earth country colors, and MaxMind city databases.

178


Internal Subnets

Use the Internal Subnets controls to specify the geographic location of an internal subnet (or multiple subnets). This marks all the traffic on that subnet as occurring at a single location.

By definition, internal subnets do not have an externally knowable geographic location and by default are located at 0 latitude, 0 longitude. Use the Internal Subnets feature to specify where your subnets are located on the world map.

example

A company has offices in New York, Vancouver, and Tokyo. Their network IPs are 10.1.0.0/16 for New York, 10.2.0.0/16 for Vancouver, and 10.3.0.0/16 for Tokyo. Without setting the internal subnet values, they would all appear at 0,0 on the map. With the Internal Subnets feature, the subnets appear in their proper locations.

Specify Geographic Locations for Internal Subnets

1. Select Menu > Settings > Geolocation.

2. Under Internal Subnets, select the Enable Internal Subnets check box.

3. Type the IPv4 address for the subnet using a CIDR notation that includes zeroes: 192.168.0.0/16. For IPv6 addresses, do not include a subnet mask.

4. Type the latitude and longitude for the subnet.

5. Type a label for the subnet.

The label that you specify can be anything you want; it will be displayed in the data table and when users place their cursors over the dot on the map.

6. To specify additional internal subnets, click add a new subnet.

Geolocation FiltersThe Advanced Filter control in the Results panel allows you to easily and rapidly apply additional filtering to the report data.

To apply an advanced filter, click the Add a Filter box and select the filter term you want to use. To apply a primary filter, follow these steps:

179


1. Select Menu > Analyze > Summary > Geolocation.

2. In the Results panel, under Location, click the city name to look at. The item expands, displaying a list of the IP addresses that are associated with that geographic location.

3. Click an IP address to examine.

4. For each IP address to add as a filter, click Add to Filter Bar > As[attribute]>[Equals | Not Equals]. The filter is added to the filter bar.

n If you click Add to Filter Bar only, the filter ipv4_address="x.x.x.x" is added to the filter bar.

5. When you have finished adding filters, click Update.

MaxMind City and Country DatabasesThe system can use either the free (GeoLite2® City) or paid (GeoIP2® City) versions of the MaxMind City Databases or the MaxMind Country Databases in both IPv4 and IPv6. For more information on these databases, visit GeoLite2 or GeoIP2 and download the MaxMindDB binary.

n Once a MaxMind City database is uploaded, it cannot be removed.

n Download the database from the MaxMind site and then unzip the file. Only MMDB-formatted files can be uploaded.

n MaxMind releases new, free databases every month and a new paid database every week. You must upload these updated versions manually.


2. Under Upload MaxMind [X] Database, click Browse.

3. Locate and select the database file.

4. Click Upload. This uploads the database to Security Analytics, and it is immediately available for geolocation as well as the Country Initiator and Country Responder reports.

180

https://dev.maxmind.com/geoip/geoip2/geolite2/

https://dev.maxmind.com/geoip/


Google EarthUse the Google Earth settings to control the default color used for markers and routes in Google Earth, enable and disable the display of routes, and set the color used for transactions that start or end in a country.

Google Earth can color the routes to captured IP addresses differently from the defaults or those of a different country.


2. Under Google Earth Country Colors, do the following:

n Click the color swatch for Default Color to change the pin color.

n Select Enable Routes.

n Select Enable Country Colors.

3. If you selected Enable Country Colors, select a country.

4. Click the Color swatch to open the color picker.

5. Specify the color and click Select.

6. To specify colors for additional countries, click add a new color.

7. Click Save.

Google Earth Files (KML, KMZ)

KMZ files are compressed KML files.

1. On Menu > Analyze > [Summary | Reports | Extractions | Geolocation], select Actions > Google Earth.

2. Select Save File and click OK.

3. The KMZ file is saved to your downloads directory.

4. To display KMZ and KML files, open them in the Google Earth application.

Encapsulation DetectionSecurity Analytics can detect and display various types of packet encapsulation.

PPPoEThis figure from the Packet Analyzer shows part of an HTTP session that contains PPP-over-Ethernet encapsulation.

181


The Layer 2 protocol is visible only in the Packet Analyzer, whereas the Ethernet Protocol and IP Protocol reports display IPv6 and TCP, respectively.

IPv6 in IPv4For IPv6-in-IPv4 encapsulation, as shown in this figure from the Packet Analyzer, both types of IP addresses are indexed.

The IPv6 addresses are displayed in the IPv6 Initiator and IPv6 Responder reports, and the IPv4 encapsulation is displayed in the Tunnel Initiator and Tunnel Responder reports.

182


GRE EncapsulationSymantec Security Analytics can identify the endpoints and reconstruct the content of GRE-encapsulated IPv4, IPv6, and WCCP flows. The following figure shows how GRE-encapsulated traffic appears on the Summary page in a customized view. (See "Create a Summary View" on page 145.)

The endpoints of the GRE tunnel are displayed in the Tunnel Initiator and Tunnel Responder report widgets. The IPv4 Conversation report widget shows the IPv4 sessions that were encapsulated in the GRE tunnel. The IPv6 Conversation report widget would show any GRE-encapsulated IPv6 sessions.

Capture filters can be configured to find GRE-encapsulated IPs using offsets. (See BPF Syntax in the Security Analytics 8.1.x Reference Guide on support.symantec.com.)

The Extractions page displays the artifacts that passed through the GRE tunnel.

183



Packet Analyzer

Select Actions > Analyze Packets on Menu > Analyze > [Summary | Reports | Extractions | Geolocation] to see the data in an interface similar to Wireshark’s.

By default, the Packet Analyzer will load only the first 1000 packets of the specified PCAP. As you scroll down to packet number 1001, Packet Analyzer will automatically load the next 1000 packets onto the screen. (For reference, the PCAP path is displayed at the top of the window.) It is recommended that you not load more than 10,000 packets, to avoid performance degradation.

Packet Analyzer FiltersThe Packet Analyzer filter uses the same syntax as Wireshark® display filters. Type the desired filter string in the space provided and click Apply Filter. For more examples and information, see wiki.wireshark.org/DisplayFilters.

Action Filter Syntax

Show only SMTP (port 25) and ICMP traffic. tcp.port eq 25 or icmp

Show packets originating from 192.0.2.0 and destined for 203.0.113.0.

ip.src == 192.0.2.0/24 and ip.dst == 203.0.113.0/24

Show packets originating from 2620:3b:afa:2030::1 and not destined for 2620:3b:afa:2aaf::202

ipv6.src eq 2620:3b:afa:2030::1 and ipv6.dst ne 2620:3b:afa:2aaf::202

TCP buffer full — Source is instructing Destination to stop sending data.

tcp.window_size == 0 &&tcp.flags.reset != 1

Filter on Windows — Filter out noise, while watching Windows Client/DC exchanges.

smb || nbns || dcerpc || nbss || dns

Match packets that contain the 3-byte sequence 0x81 0x60 0x03 anywhere in the UDP header or payload.

udp contains 81:60:03

Match HTTP requests where the last characters in the URI are the characters gl=se. The $ character is a PCRE punctuation character that matches the end of a string, in this case the end of the http.request.uri field.

http.request.uri matches "gl=se$"

Packet ListThe Packet List pane has 8 columns and as many rows as needed to show the data being analyzed. You cannot change the columns, the sort order, or the colors. The default columns show the following data:

No. The number of the packet in the capture file. This number will not change even when a filter is used.

Time The timestamp of the packet. The presentation format of this timestamp cannot be changed.

Source The IP address of the packet’s origin

184

http://wiki.wireshark.org/DisplayFilters


Src Port The port of the packet’s origin

Destination The IP address of the packet’s destination

Dst Port The port of the packet’s destination

Protocol The protocol name in a short (perhaps abbreviated) version

Info Additional information about the packet content

Follow TCP Stream

Click a TCP or HTTP field in the packet list to invoke the Follow TCP Stream control.

If there are fields in the TCP stream, the Follow TCP Stream dialog will open to display color-coded text for both sides of the conversation.

185


You can also select one side of the conversation to view.

Packet DetailsThe Packet Details pane shows the selected packet in a detailed form that explicitly identifies the packet’s protocols. Click a protocol to see details.

Packet Bytes PaneThe Packet Bytes pane shows the data of the selected packet in a standard hex-dump style. As is usual for a hex dump, the left column shows the offset, the middle columns show the data in hexadecimal, and the right column shows the corresponding ASCII characters.

You can select the hex characters independently of the other hex-dump columns and then paste them into the Encoder/Decoder tool. (See "Encoder/Decoder Tool" on page 171.)

186


187


Data EnrichmentReputation Queries 188

Activate a Data-Enrichment Resource 189

Exclude from Lookup 189


Enrichment Providers 190

Rules 230

Alerts 236

Remote Notifications 245


Use data enrichment (also called "real-time extraction" or "micro-extraction") to send selected artifacts and flows to additional resources for analysis. Among the resources are:

n "Symantec Intelligence Services" on page 193

n "Symantec Analysis Providers" on page 202

n "Reputation Providers" on page 210

n "Additional Symantec Threat Intelligence Resources" on page 194

n "Third-Party Integration Providers" on page 214

Also see "Data Enrichment Process" on page 389.

Reputation QueriesSymantec Security Analytics supports two kinds of reputation queries:

n On Demand — The user initiates a reputation query from the web UI.

n Data-Enrichment Rule — A data-enrichment rule sends matching traffic to one or more enrichment providers, such as Symantec Intelligence Services.

188


Activate a Data-Enrichment ResourceSome of the data-enrichment resources must be licensed before they can be used.

n Contact Symantec Support to obtain a Symantec Intelligence Services subscription, a Symantec DeepSight or MATI login, Symantec Malware Analysis, Symantec Content Analysis, Symantec Endpoint Protection, or Symantec Endpoint Detection and Response.

n The Third Party On-Demand Reputation Providers are licensed by default.

n Licenses for the Third Party On-Demand Integration Providers are the responsibility of the user.


2. In the Actions column, click the deactivated icon to activate that resource.

Consult "Security Analytics Ports and Protocols" on page 298 to configure your network firewalls for data-enrichment traffic.

Exclude from LookupYou can specify IP addresses and domains to exclude from lookup under Settings > Data Enrichment > Exclude from Lookup.

n This setting applies only to providers that evaluate URLs and IPs, such as the Web Reputation Service and VirusTotal URL.

n Non-routable addresses are excluded by default: 127/8, 10/8, 192.168/16, 172.16/12, 169.254/16.

n For IP Subnets, type those IP addresses that you want to exclude. Use CIDR notation without zeros: specify 127.0.0.0/8 as 127/8.

n For Internal Domains, type domain names to exclude.

n Type each entry on its own line.

n Alternatively, in the Alerts list, you can click a responder IP address to add it to this list.

189


Data Enrichment FiltersSee "Data Enrichment Filters" on page 109.

Enrichment ProvidersFor data enrichment, Security Analytics provides a broad range of options to get the latest threat intelligence on your network traffic.

URL and IP EnrichmentTo get additional threat intelligence on URLs and IP addresses, use these providers:

n Symantec Web Reputation Service*

n URL support for Symantec Malware Analysis*

n Symantec Threat Explorer*

n Symantec DeepSight*

n Symantec DeepSight MATI*

n Symantec EDR Manager*

n Customized Pivot-Only Providers

n Third-Party Integration Providers:

o VirusTotal® URL*

n Third-Party On-Demand Reputation Providers:

o Domain Age Reporter§

o Google Safe Browsing®

o Google® Search

o RobTex® Host

o RobTex IP

o SANS ISC® Host

o SANS ISC IP

o SORBS DNSBL Host

o SORBS DNSBL IP

o WHOIS Host §

o WHOIS IP§

* Requires additional licensing or subscription from Symantec or the vendor.

§ Domain Age Reporter and WHOIS cannot be used behind a proxy.

190


File and File-Hash EnrichmentTo get additional threat intelligence on files or file hashes, use these providers:

n Symantec File Reputation Service*

n Symantec Malware Analysis* §

n Symantec Content Analysis*

n Symantec Endpoint Protection*

n Symantec Threat Explorer*

n Symantec DeepSight*

n Symantec DeepSight MATI*

n Symantec EDR Manager*

n Customized Pivot-Only Providers

n Local File Analysis:

o ClamAV®

o Custom Hash List

o jsunpack-n

o YARA rules

n Third-Party On-Demand Reputation Providers:

o Google Search

n Third-Party Integration Providers:

o Cuckoo®§

o FireEye®AX-series*§

o Lastline® File* § or Hash

o ReversingLabs® TitaniumCore* §

o VirusTotal File* §

o VirusTotal Hash*

* Requires additional licensing, subscription, or system from Symantec or the vendor.

§Security Analytics sends the actual file to the provider.

Other Enrichment n Login Correlation — Get username/IP correlation from Microsoft® Active Directory logs.

n Endpoint — Send information on endpoints to providers such as EnCase® Cybersecurity by Guidance® Software.

Data Enrichment Resources in Dark SitesIn environments where the Security Analytics management interface (bond0) does not have Internet access, the availability of data-enrichment providers and other resources is as follows:

Provider Available Offline

Symantec Web Reputation Service Partially

Symantec File Reputation Service No

Symantec EDR Manager With on-site deployment

Symantec Content Analysis Yes

191


Provider Available Offline

Symantec DeepSight and MATI No

Symantec Endpoint Protection With on-site deployment

Symantec Malware Analysis Yes

Symantec Threat Explorer No

Anomaly Detection Yes

ClamAV With configuration change

Cuckoo Yes

Custom Hash List Yes

Domain Age Reporter No, nor behind a proxy

FireEye Yes

FTP File Mover Yes

jsunpack-n Yes

Lastline With on-site deployment

Live-Feed Indicators With internal mirror

Local File Mover Yes

SCP File Mover Yes

ReversingLabs TitaniumScale With on-site deployment

VirusTotal No

WHOIS No, nor behind a proxy

YARA Yes

n Symantec Web Reputation Service (WRS) — Partial offline support. Security Analytics first queries the locally hosted copy of the Web Reputation Service database. If the data-enrichment system cannot find the URL in the local database, and it cannot access the Symantec Global Intelligence Network, the verdict is Unrated.

n Symantec File Reputation Service (FRS) — No offline support; Internet connection required.

n Symantec EDR Manager (ATP) — Offline support with on-site deployment. The EDR Manager appliance's location relative to Security Analytics determines its availability.

n Symantec Content Analysis (CA) — Offline support with on-site deployment. The Content Analysis appliance's location relative to Security Analytics determines its availability.

n Symantec DeepSight and MATI — No offline support; Internet connection required.

n Symantec Endpoint Protection (SEP) — Offline support with on-site deployment. The Endpoint Protection Manager appliance's location relative to Security Analytics determines its availability.

192


n Symantec Malware Analysis (MA) — Offline support. When the FRS prefilter is enabled, Security Analytics attempts to retrieve a verdict from FRS. Where there is no verdict or no Internet connection, the data-enrichment system sends the file to the locally deployed MA appliance for detonation.

n Symantec Threat Explorer — No offline support; internet connection required.

n Anomaly Detection and Modeling (ADM) — Offline support. The ADM system does not use Internet resources.

n ClamAV — Offline support with configuration change. By default, ClamAV retrieves updates from the Internet, but it also supports private local mirrors for its signature database. Refer to the ClamAV documentation online (https://www.clamav.net/documents/private-local-mirrors) and in the man files for /etc/freshclam.conf for information on configuring ClamAV to use a local mirror.

n Cuckoo — Offline support. The Cuckoo sandbox is deployed locally by the user. Responsibility for update mechanisms resides with Cuckoo and is external to Security Analytics and Symantec. More information is available at http://www.cuckoosandbox.org/.

n Custom Hash List — Offline support. The custom hash list accepts MD5, SHA1, and SHA256 hashes as input by the user but does not use Internet resources.

n Domain Age Reporter — No offline support. Domain Age Reporter cannot be used behind a proxy.

n FireEye — Offline support. FireEye’s MAS and AX appliances are deployed locally by the user. Responsibility for update mechanisms resides with FireEye and is external to Security Analytics and Symantec .

n FTP File Mover, Local File Mover, SCP File Mover — Offline support. The file servers are deployed locally by the user; no Internet resources are necessary.

n jsunpack-n — Offline support. This open-source utility is wholly contained on the Security Analytics appliance; no online or offline updates are necessary.

n Lastline — Offline support with on-site deployment. Typically deployed as a cloud-based sandbox solution, Lastline can also be deployed on-site, which removes the need for Internet access.

n Live-Feed Indicators — Offline support with internal mirror. By default the live-feed indicators require Internet access for updates, but the indicators can be edited to point to a local mirror instead.

n TitaniumScale — Offline support. The ReversingLabs TitaniumScale server is deployed locally by the user. Responsibility for update mechanisms resides with ReversingLabs and is external to Security Analytics and Symantec .

n VirusTotal — No offline support. VirusTotal is a cloud-based antivirus scanner that requires Internet connectivity.

n WHOIS — No offline support. WHOIS cannot be used behind a proxy.

n YARA — Offline support. YARA rules are maintained locally by the user; no Internet resources are necessary.

Symantec Intelligence ServicesUse the Symantec Intelligence Services as integration providers for Data Enrichment Rules or as reputation providers for on-demand queries.

193

https://www.clamav.net/documents/private-local-mirrors

http://www.cuckoosandbox.org/


The following features are available only with an Intelligence Services subscription. Contact support for more information.

n File Reputation Service (FRS) — The SHA256 hashes of files that match a rule are sent to the Symantec Global Intelligence Network (GIN), which returns a verdict based on the file-reputation information from more than 15,000 customers and 75 million endpoints that contribute to GIN’s threat intelligence, which includes:

o A blacklist of 3.5 billion file hashes

o Additional black and white lists from three major security organizations

o Symantec Malware Analysis detonation results from the field

o Research results from Symantec Labs

o Symantec controls the final verdict behind a File Reputation Service score with algorithms and logic to minimize some of the noise; for example, weighting detections from less-reputable vendors differently

n Web Reputation Service (WRS) — The URLs associated with artifacts that match the rule are sent to GIN, which returns one or more URL categories that Security Analytics evaluates for its threat level.

The Intelligence Services provide the following reports and report widgets:

n File Signature Verdict — Verdicts that are returned by the File Reputation Service.

n Malware Analysis Verdict§ — Verdicts that are returned by SymantecMalware Analysis.

n URL Categories — URL category, returned from GIN.

n URL Risk Verdict — Risk level assigned by Security Analytics based on the URL categories.

n Local File Analysis — Verdict on common file types from the local file analysis providers (YARA, ClamAV, jsunpack-n).

§ Data for this report is available only from a Symantec Malware Analysis or Content Analysis appliance. (See "Content Analysis Integrations" on page 202.)

To report false positives for Symantec services go to this link: https://symsubmit.symantec.com/

Additional Symantec Threat Intelligence Resources

n Endpoint Protection — View which hosts have a particular file, and then apply policies to infected hosts.

n Endpoint Detection and Response — Pivot directly from SHA256 hashes, URLs, and IP addresses to your Symantec Endpoint Detection and Response (ATP) manager.

n DeepSight — Pivot directly from Security Analytics to DeepSight from URLs and file hashes (MD5, SHA1, SHA256).

194

http://sitereview.bluecoat.com/categories.jsp

https://symsubmit.symantec.com/

https://www.symantec.com/products/endpoint-hybrid-cloud-security/endpoint/advanced-threat-protection


n ICAP — Integrate with Symantec Content Analysis. To obtain Content Analysis, contact Symantec Support.

n Local File Analysis — A feature that is provided by default, local file analysis resources include YARA rules, ClamAV, and a user-defined hash list.

n Malware Analysis — Files that trigger a user-defined rule are sent automatically to one or more Symantec Malware Analysis or Content Analysis appliances to evaluate their behavior in a sandbox or virtual environment. Files can be manually sent for Malware Analysis (called "on-box sandboxing" on Content Analysis) from Security Analytics as well. Malware Analysis returns a verdict to indicate the level of maliciousness. To obtain Content Analysis, contact Symantec Support.

Web Reputation Service Database Updates

To configure the updates for the local copy of the Web Reputation Service database, select Settings > Data Enrichment and scroll down to Web Reputation ServiceUpdate Location.

n Web Reputation ServiceVersion — Displays the current Web Reputation Service version and when it was last updated.

n Initiate Web Reputation Service Update — Click Update to force a local Web Reputation Service update.

n Update Interval in Seconds — Specify how many seconds between automatic Web Reputation Service updates.

n Enable Custom Update Location — Select the check box to configure an alternate location from which to update the Web Reputation Service database.

o URL — Specify the location. If the database is controlled by Basic HTTP Auth, also specify the Username and Password.

Troubleshooting Symantec Intelligence Services

If you are not getting responses from the Global Intelligence Network (GIN), try investigating the following issues:

n Time and NTP Settings — Incorrect time may prevent SSL validation, which prevents access to GIN.

n SSL Intercept — Security Analytics does not support SSL intercept of management traffic (bond0), because the intercept devices send different WRS and FRS certificates to Security Analytics.

n OCSP Validation and Connectivity — If OCSP fails and certificate revocation is enabled, GIN also fails. (See "Certificate Revocation Checks for Symantec and Security Analytics Services" on page 296.)

Intelligence Services Diagnostic Tests

The Intelligence Services diagnostic tests display relevant information to assist in troubleshooting your Intelligence Services connections. Alternatively, you can run the GIN Diagnostic Script.

1. Under Symantec Intelligence Services, click the Test Service icon for Web Reputation Service or File Reputation Service and select one or more of the tests to run:

195

https://www.symantec.com/products/web-and-cloud-security/atp-content-malware-analysis

https://www.symantec.com/products/web-and-cloud-security/atp-content-malware-analysis


Web Reputation Service Tests

n Web Reputation Service Rules Config — Displays whether the Web Reputation Service and the Web Reputation Service rule are active.

n Web Reputation Service Credentials — Verifies that the Web Reputation Service credentials are correctly stored in the vault.

n Web Reputation Service Database Status — Displays the last time that the local copy of the Web Reputation Service was downloaded.

n Web Reputation Service — Sends a test request to the Web Reputation Service and displays the result.

File Reputation Service Tests

n File Reputation Service Rules Config — Displays whether the File Reputation Service and the File Reputation Service rule are active.

n File Reputation Service Credentials — Verifies that the File Reputation Service credentials are correctly stored in the vault.

n File Reputation Service — Sends a test request to the File Reputation Service and displays the result.

2. Click Run. The results are displayed below. Click the arrow by each test result to see details.

3. Click Download Diagnostic Data to download gin.diag.out.<ID>.tar.gz, which contains the PCAPs of the tests as well as the log. It may take a few minutes to generate the file:

n gin.diag.out.<ID>.bcwf.ocsp.pcap — Testing the Web Reputation Service with OCSP.

n gin.diag.out.<ID>.bcwf.pcap — Testing the Web Reputation Service without OCSP.

n gin.diag.out.<ID>.frs.ocsp.pcap — Testing the File Reputation Service with OCSP.

n gin.diag.out.<ID>.frs.pcap — Testing the File Reputation Service without OCSP.

n gin.diag.out.<ID>.log — Test log.

GIN Diagnostic Script

The gindiag.sh script gathers relevant information to assist in troubleshooting your GIN connection. When you run gindiag.sh, it conducts a series of tests on the NTP setup, the DNS settings, and the File Reputation Service (FRS) and Symantec WebFilter (BCWF) connections, both with and without OCSP validation. The PCAPs for those tests plus the log are archived in /tmp/gin.diag.out.<ID>.tar.gz, where ID is a unique number for each time the script is run. You can analyze the PCAPs yourself or send them to Symantec Support.

[root@hostname ~] gindiag.shbeginntpdnsfrs credsbcwf credsbcwf dirfrs testbcwf testshine logendcollect files into archive:-rw------- 1 root root 2922377 YYYY-MM-DD hh:ii gin.diag.out.<ID>.bcwf.ocsp.pcap-rw------- 1 root root 2774852 YYYY-MM-DD hh:ii gin.diag.out.<ID>.bcwf.pcap-rw------- 1 root root 7675 YYYY-MM-DD hh:ii gin.diag.out.<ID>.frs.ocsp.pcap

196


-rw------- 1 root root 10241 YYYY-MM-DD hh:ii gin.diag.out.<ID>.frs.pcap-rw------- 1 root root 3440147 YYYY-MM-DD hh:ii gin.diag.out.<ID>.logPlease submit /tmp/gin.diag.out.<ID>.tar.gz

Symantec On-Demand ProvidersIntegrate Symantec Security Analytics with various other Symantec solutions to obtain additional threat intelligence or to enact policies on your endpoints.

n Symantec Endpoint Protection

n Symantec DeepSight

n Symantec EDR Manager

n Symantec Threat Explorer

Symantec Endpoint Protection

Symantec Endpoint Protection is designed to address today’s threat landscape with a comprehensive approach that spans the attack chain and provides defense in depth. By utilizing the world’s largest civilian threat-intelligence network, Symantec Endpoint Protection can effectively stop advanced threats with next-generation technologies that apply advanced machine-learning, file reputation analysis, and real-time behavioral monitoring.

Customers who have deployed Symantec Endpoint Protection (SEP) in their environment can configure Security Analytics to send actionable information to SEP directly from the Security Analytics web UI. To obtain SEP, contact Symantec .

Also see "Endpoint Providers" on page 217.

Integrate Endpoint Protection Manager with Security Analytics

Follow these steps to integrate Security Analytics with Endpoint Protection.


2. Under Symantec On-Demand Providers, click the edit icon for SEP.

3. Provide the Location (IP or hostname), Username, and Password for the Endpoint Protection Manager.

4. For Data Enrichment Actions, select one or more of the following options to provide on the web UI:

n List Infected Hosts — Display the endpoints that have received this file. Security Analytics sends the file hash to SEP, which returns the endpoints where the file resides.

n List Infected Host — Display the endpoint for this instance of the file. Security Analytics sends the source and destination IPs for this artifact to SEP, and then SEP returns the endpoint that has the file.

n Remediate File — Apply the remediation policy to all instances of the file on all endpoints that are managed by the Endpoint Protection Manager.

197

https://www.symantec.com/products/endpoint-protection

https://www.symantec.com/products/endpoint-protection


o The remediation policy quarantines the file and adds the file hash to the File Fingerprint List on the Endpoint Protection Manager.

l You can view the File Fingerprint List by selecting Policies > Policy Components > File Fingerprint Lists.

l Entries in the File Fingerprint List that were added by Security Analytics can be deleted by selecting Clients > Policies > System Lockdown. Under Application File Lists, select an entry in the File Fingerprint List and click Remove.

o In the Endpoint Protection Manager quarantine log, the Risk is listed as "Manually Generated Anomaly."

n Remediate File by IPs — Apply the remediation policy to all of the selected hosts with the same source and destination IPs. Security Analytics sends the source and destination IP addresses to SEP, and then SEP applies the remediation policy to all instances of the file that match the IPs.

5. Click Save.

6. Click the Deactivated icon to Activate the SEP integration.

Perform SEP Actions

1. On the Extractions page, expand an artifact.

2. Click the file name and then select Perform Action > SEP > [action].

3. Security Analytics sends the information (source/destination IPs, file hash) to the SEP manager, which displays the requested information or performs the specified action.

When you select List Infected Host(s), the SEP manager queries all hosts, which then perform their own searches for the file hash. During that time, the request to SEP may time out. In that case, wait a few minutes and then repeat the request. Security Analytics will return the results from cache.

DeepSight Intelligence Services

198


Get a complete range of threat intelligence along with supporting research tools that encompass information on vulnerabilities, malware, indicators of compromise, campaigns, tactics/techniques/ procedures, and adversary profiles. SymantecDeepSight Intelligence provides you with a complete view of relevant threats and exposures. DeepSight Managed Adversary and Threat Intelligence (MATI) research, Directed Threat Research (DTR), a full range of technical intelligence, and management mechanisms for Data feeds and the API are accessible via this customizable portal. A separate subscription from Symantec is required to access these resources.

I

ntegrate DeepSight with Security Analytics

Follow these steps to integrate DeepSight or DeepSight MATI with Security Analytics.


2. Under Symantec On-Demand Providers, click the Deactivated icon to Activate each DeepSight integration.

Pivot to DeepSight or MATI

Follow these steps to use the DeepSight integrations with reports or artifacts.

Reports for DeepSight

1. Open a Summary View or a Reports page.

2. Click one of the following fields:

n DNS Answer Name n DNS IPv4 Answer n DNS IPv6 Answer n DNS Query n HTTP Referrer

n HTTP Server n HTTP URI n IPv4 Addresses n IPv6 Addresses n MD5 Hash

3. Select View Reputation Information > DeepSight.

Artifacts for DeepSight



n HTTP Referrer n IP Addresses n MD5 n SHA256 n URI Host

3. Select View Reputation Information > DeepSight.

4. Pivot to DeepSight

199

https://www.symantec.com/services/cyber-security-services/deepsight-intelligence

https://www.symantec.com/services/cyber-security-services/deepsight-intelligence


Reports for MATI

1. Open a Summary View or a Reports page.


n DNS IPv4 Answer (MATI IP) n DNS IPv6 Answer (MATI IP) n DNS Query (MATI Domain) n HTTP Server (MATI Domain)

n IPv4 Addresses (MATI IP) n IPv6 Addresses (MATI IP) n MD5 Hash (MATI Hash) n SHA256 Hash (MATI Hash SHA256)

3. Select View Reputation Information > MATI [X].

Artifacts for MATI



n IP Addresses (MATI IP) n MD5 Hash (MATI Hash) n SHA256 Hash (MATI Hash SHA256) n URI Host (MATI Domain)

3. Select View Reputation Information > MATI [X].

Endpoint Detection and Response (EDR)

Uncover the stealthiest threats that would otherwise evade detection by using global intelligence from one of the world’s largest cyber intelligence networks combined with local customer context. ATP provides a layered approach at the email, cloud, network, and endpoint levels. To obtain EDR, contact Symantec.

Integrate EDR Manager with Security Analytics

Follow these steps to integrate ATP with Security Analytics.


2. Under Symantec On-Demand Providers, click the edit icon for EDR.

3. For Location enter the IP address or hostname of the EDR Manager and click Save.

4. Click the Deactivated icon to Activate the EDR integration.

Pivot to EDR

Follow these steps to use the EDR integration with reports or artifacts.

200



Reports

1. Open one of the following reports in a Summary View or on the Reports page:

n SHA256 Hash n HTTP Server n IPv4/IPv6 Addresses

2. Click one of the values in the report.

3. Select View Reputation Information > EDR.

Artifacts



n SHA256 Hash n IPv4/IPv6 Addresses n URI Host

3. Select View Reputation Information > EDR.

Threat Explorer

Returning in Security Analytics 8.1.1 Drawing on the full resources of Symantec Global Intelligence Network (GIN)—which includes WebPulse as well as feedback from Malware Analysis sandboxing and millions of Symantec customers—Threat Explorer provides a portal where you can get extensive threat intelligence on IP addresses, URLs, files, and file hashes. To obtain a Threat Explorer subscription, contact Symantec.

n You do not need to configure anything on Security Analytics: just enable the Threat Explorer provider on Menu

> Settings > Data Enrichment.

Pivot to Threat Explorer

Follow these steps to use the Threat Explorer integration with reports or artifacts.

Reports

1. Open one of these reports in a Summary View or on the Reports page:

n IPv4 Addresses n DNS IPv4 Answer n MD5 Hash n SHA1 Hash n SHA256 Hash n HTTP Forward Address n HTTP Referrer n HTTP Server n HTTP URI

201



2. Click one of the values in the report.

3. Select View Reputation Information > Threat Explorer.

Artifacts


2. Click one of these fields:

n Source IP Address n Destination IP Address n MD5 n SHA1 n SHA256 n Original URL n URI Host n Referrer

3. Select View Reputation Information > Threat Explorer.

Symantec Analysis ProvidersSymantec analysis providers leverage the analytical capabilities of existing Symantec solutions — legacy Malware Analysis and Content Analysis— to enrich captured data. Malware Analysis has typically been provided by SymantecMalware Analysis appliances. The functionality of the Malware Analysis appliance has been incorporated into Content Analysis as of version 2.2.

If you have not upgraded your legacy Malware Analysis appliance to Content Analysis 2.2 or later, follow the steps in the Security Analytics 7.3.x Help Files (Data Enrichment > Providers > Symantec Analysis Providers) to integrate that appliance with Security Analytics.

Content Analysis Integrations

You can integrate Content Analysis with Security Analytics using one or both of these methods:

n Malware Analysis (Content Analysis 2.2 or later, with subscription)

o Send actual files (not file hashes) to the Content Analysis appliance.

o Specify the sandbox or iVM function as the analytical method, or you can select both.

o When the verdict is 7 or higher you get a malware alert. From this alert you can pivot to the Malware Analysis task page on the Content Analysis appliance for further information.

o The verdicts are displayed in the Malware Analysis Verdict report on Security Analytics.

202

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/web-and-network-security/security-analytics/7-3.html


o Analyze compressed archives.

o Analyze URLs (requires iVM function)

n ICAP (any version of Content Analysis) — Send ICAPs of matching data for virus-scanning and analysis.

o Send ICAPs of matching traffic.

o ICAPs are subjected to virus-scanning, predictive analysis, and any other analytical method you have configured on Content Analysis.

o When the verdict is 7 or higher you get a file alert. From this alert you can view the alert results.

o ICAP verdicts are not displayed in reports.

The latest Content Analysis documentation is located on the Broadcom Security Support portal.

Integrate Using the Malware Analysis Function

n Manually send URLs to Malware Analysis from an artifact's Original URL field, provided that the Malware Analysis entry on the Data Enrichment Settings page includes at least one iVM — Sandbox only is not supported for URLs.

n Files are sent to Malware Analysis under the following circumstances:

o The user manually submits an artifact to Malware Analysis from the artifact entry.

o The user has created a rule that sends specified files to Malware Analysis, and:

l The FRS Prefilter (if enabled) does not exclude the file.

l The data enrichment filter for Malware Analysis permits the file type.

n You can send details about EXE and DLL analyses to the SymantecGlobal Intelligence Network (GIN) to share with other users via GIN-based resources. Select Settings > Web Interface and select Enable Global Intelligence Network Feedback.


Set up Malware Analysis on the Content Analysis appliance

The Symantec Malware Analysis feature on Content Analysis

203

https://support.broadcom.com/security




Generate an API Key

This API key is used with the admin user name only. Creating a different account to use with Security Analytics is not valid.

1. Log in to the Content Analysis console via SSH with administrator credentials.

2. Enter enable mode and provide the enable password:

CAS> enable Password: <enable password>

3. Create an API key for use with Security Analytics. You must associate this key with the admin user account.

CAS# ma-actions api-key create role administrator user adminNote that keys are not stored on the system in plain text and cannot be retrieved later.Created new API Key: <API key> (Key ID <X>)

4. Copy the generated API key to a text file and document the key ID for later key management.

There is no password-backup option. Follow best key-maintenance practices by manually recording the password and its ID, and by keeping a copy in a secure location that is separate from the appliance.

Configure Malware Analysis on Security Analytics

1. Log on to Security Analytics with administrator credentials.

2. Select Menu > Settings > Data Enrichment. Under Symantec Analysis Providers click Edit for Malware Analysis.

3. For Name, provide a name.

4. For Address, type the IP address and the port for the administrative interface (default: 8082): <IP_ address>:8082. Do not include http:// or https:// . Do not use a hostname.

5. For Username, type admin.

6. For API Key paste the key that you generated on the Content Analysis appliance.

7. Click Save. A Malware Analysis/profile pair is displayed.

Symantec recommends that you click the name of the appliance and then click

Test the Connection .

8. For that entry, select a profile. The values in the list are the profiles that are configured on the Malware Analysis appliance, for example, SandBox, Windows 7 SP2.

204


To send URLs to Content Analysis (on-demand only), at least one of the profiles must be an iVM. If only the Sandbox profile is available, Content Analysis cannot evaluate the URL.

9. Optional — Click Add a new appliance/profile pair. A duplicate of the first entry is displayed. Do one of the following:

n Select a different profile for Malware Analysis.

n Click the name of the Malware Analysis appliance, select Connect to a new Malware Analysis appliance, and repeat the procedure to add the new Malware Analysis appliance.

10. If you have more than one Malware Analysis/profile pair, configure How should the profiles be queried?:

n In Parallel — Queries are sent to all of the Malware Analysis/profile pairs at the same time.

n Sequentially — Queries are sent to the Malware Analysis/profile pairs one at a time, beginning with the first pair.

205


n When you add two or more Malware Analysis/profile pairs, you can set the conditions for sending the query to the next Malware Analysis/profile pair: If the result is [operator] [value] continue to [Malware Analysis/profile pair].

n You can drag the Malware Analysis/profile pairs to change their order in the sequence.

11. Select FRS Prefilter to not send files to Malware Analysis if the File Reputation Service already has a verdict for that file. (See "FRS Prefilter Process" on page 392.)

12. By default only Adobe PDF, Archives, Debian Packages, Office Documents, and Programs and Libraries are sent to Malware Analysis. To change this setting, go to "Data Enrichment Filters" on page 109.

These file types require that the corresponding file-type filters be activated:

n APK — JAR Archives

n iOS — Archives and Binaries

n IPA — Archives

13. When you are ready to begin sending samples to Malware Analysis from Security Analytics, click the

(inactive) control to activate the Malware Analysis appliance entry.

14. Select Menu > Analyze > Rules and activate the Symantec Malware Analysis Service rule.

Sample Analysis

Samples that are submitted to multiple Malware Analysis/profile pairs are processed according to the following rules:

n A sample is sent one time to Malware Analysis, where it is processed in a separate task for each profile.

n For samples sent in parallel, Security Analytics sends the sample to the SandBox first (provided that the SandBox supports the file type); if the results indicate a suspicious sample, the sample is sent to the iVM profile(s). This measure prevents filling the iVM queues with innocuous samples.

n As soon as one profile returns a significant result, that result is returned to Security Analytics instead of waiting for all profiles to complete before sending a verdict.

n Malware Analysis automatically routes mobile samples (Android APK) to the MobileVM, regardless of which profiles are configured on Security Analytics.

To see the health of the Malware Analysis connection, open the System Utilization window in the upper-right corner of the web UI.

206


Green — The connection is active.

Yellow — There is an alert condition on Content Analysis.

Black — The connection is inactive.

Malware Analysis Alerts

Verdicts will be displayed as follows:

n In the Malware Analysis Verdict report and report widget.

n On the Menu > Analyze > Alerts pages, if the verdict is 7 or higher.

o When Malware Analysis returns a verdict, the Malware icon is displayed with the alert. Click Reputation Report for an overview of the detonation results.

o Click Go to MAA to view the full detonation results on the Content Analysis appliance.

Manually Send Samples

You can send individual artifacts to Malware Analysis from the Security Analytics interface.

1. Select Menu > Analyze > Extractions. Select the timespan and apply any filters to display the artifact to send.

2. Expand the artifact entry.

207


3. Click the File Name field and select View Reputation Information > Malware Analysis. The file is sent to the

Malware Analysis profiles that you configured on Menu > Settings > Data Enrichment.

4. The results are displayed in a pop-up window.

Compressed-Archive Analysis

The Security Analytics extractor recognizes the archive types that are listed on "Data Enrichment Filters" on page 109, but it does not extract files from those archives and display them as artifacts on the Extractions page.

However, when an archive matches a Malware Analysis rule, the data-enrichment process extracts the files from the archive before sending them to Malware Analysis, according to the default Malware Analysis data-enrichment filter.

The data-enrichment process handles archive-extraction according to the default settings:

n Files are extracted two directory layers deep.

n The files inside archives that are larger than 500 MB are not extracted.

n Archived files that are larger than 100 MB are not extracted.

n Files with paths longer than 260 characters are not extracted.

n Only the first 100 files that do not exceed the size or path-length limits are extracted.

Integrate Using the ICAP Functionality

Send ICAP-formatted data to any version of Symantec Content Analysis. Files are sent to the ICAP provider under the following circumstances:

n The user manually submits an artifact to ICAP from the artifact entry.

n The user has created a rule that sends specified files to the ICAP provider and the data enrichment filter for ICAP permits the file type.

Configure Security Analytics for ICAP

Follow these steps to configure Security Analytics to send ICAP service objects to Content Analysis:

208


1. Optional — On Content Analysis go to Services > Sandboxing > General Settings. Under File Types select Sandbox for those file types that you want to send to the sandbox for analysis, and then select the Wait For Result option for those file types, so that an alert will be generated on Security Analytics if the verdict is 7 or higher.

2. On Security Analytics select Menu > Settings > Data Enrichment.

3. Under Symantec Analysis Providers click Edit for the ICAP entry.

4. For Location specify the IP address and port number of the Content Analysis appliance: <IP or hostname>:1344. Security Analytics does not support port 11344.

5. For Data Enrichment File Types, use the defaults as shown or customize the filter.

6. Activate the ICAP provider by clicking the (inactive) control to activate the ICAP entry. At this point you can use the ICAP provider for on-demand reputation lookups.

7. To automatically send ICAPs to the provider, follow the instructions to create a data-enrichment rule.

Manually Send ICAP Service Objects

You can send individual artifacts as ICAP service objects from the Security Analytics interface.

1. Select Menu > Analyze > Extractions. Select the timespan and apply any filters to display the artifact to send.

2. Expand the artifact entry.

3. Click the File Name field and select View Reputation Information > ICAP. The file is sent to the ICAP provider that you configured on Settings > Data Enrichment.

4. The results are displayed in a pop-up window.

209


ICAP Alerts

n Any results with a verdict higher than 7 will be displayed on the Menu > Analyze > Alerts pages.

o When Content Analysis returns a verdict, the File icon is displayed with the alert. Click Reputation Report for an overview of the scan results.

n Content Analysis ICAP verdicts are not available in reports.


Reputation ProvidersReputation providers supply threat intelligence on web sites, IP addresses, file hashes, and artifacts. You can access reputation information in one of two ways:

n On Demand

n Data Enrichment Alerts

Symantec Reputation Providers

Symantec's proprietary reputation providers leverage the full power of the Symantec Global Intelligence Network (GIN) as well as additional Symantec legacy and Symantec products.

Symantec Intelligence Services

Perform on-demand reputation queries against GIN as well as create customized data-enrichment rules to send specified files to GIN automatically. License and activate the following Symantec Intelligence Services:

n Web Reputation Service

n File Reputation Service

Symantec Analysis Providers

Perform on-demand reputation queries against these Symantec analysis providers as well as create customized data-enrichment rules to send specified files to the providers:

n Content Analysis (ICAP)

n Malware Analysis

Symantec On-Demand Providers

Perform on-demand reputation queries against these Symantec on-demand reputation providers:

n Endpoint Protection

n Advanced Threat Protection

210


https://www.bluecoat.com/products-and-solutions/global-intelligence-network


n DeepSight Intelligence

n DeepSight Adversary (MATI) Intelligence

Providers Activated by Default

As soon as you install Security Analytics, these providers are activated:

n Calculate and Store Hashes

n ClamAV®

n Custom Hash List

n Domain Age Reporter

n Google® Search

n Google Safe Browsing

n jsunpack-n

n RobTex® Host

n RobTex IP

n SANS ISC® Host

n SANS ISC IP

n SORBS DNSBL® Host

n SORBS DNSBL IP

n WHOIS Host

n WHOIS IP

n YARA

To disable any of these providers, select Menu > Settings > Data Enrichment and click the Activated icon.

Local File Analysis Providers

Local file analysis provides on-box analysis of extracted files without contacting external resources. These local providers have been separated out so that you can select each one for a data-enrichment rule, or you can get the on-demand reputation results shown in this table.

Local File Analysis Provider

Service ProvidedArtifact Fields: On-Demand Reputation

Calculate and Store Hashes

Calculate MD5, SHA1, and SHA256 hashes for files that match the rule and write them to the indexing database.

n/a

ClamAV® File scanning for known viruses File Name

Custom Hash List Upload your own black and white hash lists. File Name*

jsunpack-n On-board analysis of JavaScript, PDF, HTML, and SWF files.

Artifact Preview

YARA Helps detect live exploits before they are known to the Symantec Global Intelligence Network.

File Name

* Because this provider requires hash types other than MD5, the artifact itself must be sent; therefore, the on-demand reputation is associated with the File Name field instead of the hash fields.

Third-Party On-Demand Reputation Providers

The following third-party sources provide on-demand reputation information. The Reports, Alerts List, and Artifact Fields columns show the fields for which the providers can give information:

211

https://www.bluecoat.com/products-and-solutions/global-intelligence-network


Third-Party Reputation Provider

Service Provided Reports Alerts List Artifact Fields

Domain Age Reporter The amount of time elapsed since the domain was first registered

DNS QueryHTTP Server

URI Host

Google Safe Browsing URL validation HTTP URI Original URL

Google® Search Pivot to Google search results for the item

all IPv4 addressesIPv6 addresses

all

RobTex® Host Pivot to hostname-based reputation

DNS Query, HTTP Server

URI Host

RobTex IP Pivot to IP-based reputation

IPv4 addressesIPv6 addresses



SANS ISC® Host Hostname lookups against known-bad hostnames


URI Host

SANS ISC IP IP lookups against known-bad IPs

IPv4 addresses IPv4 addresses IPv4 addresses

SORBS DNSBL® Host DNS reputation DNS Query, HTTP Server

URI Host

SORBS DNSBL IP IP address reputation IPv4 addresses IPv4 addresses IPv4 addresses

WHOIS Host Domain registration information


URI Host

WHOIS IP IP address information IPv4 addresses IPv4 addresses IPv4 addresses

* Because this provider requires hash types other than MD5, the artifact itself must be sent; therefore, the on-demand reputation is associated with the File Name field instead of the hash fields.

Activate Reputation Providers

The Third-Party On-Demand and Local File Analysis providers are activated by default. Other reputation providers must be licensed or activated or both.

1. Go to Menu > Settings > Data Enrichment.

2. For any reputation provider, click the inactive icon to activate the resource.

3. Click Save.

After you click Save, approximately two minutes elapse before the changes take effect in the data-enrichment process.

212


On-Demand Reputation Queries

You have several means at your disposal to make on-demand reputation queries. A provider must be activated on Settings > Data Enrichment to be available in the reputation lists:

n Click an IP address in an alert entry and select View Reputation Information >[reputation service provider].

n Click an entry in any results lists (Reports, Extractions, Geolocation) and select View Reputation Information >[reputation service provider].

n Click a field in the artifact details and select View Reputation Information >.

213


n Expand an item in the Extractions list, and then click Reputation to show all reputation information for all fields.

Third-Party Integration ProvidersSymantec Security Analytics supports the following third-party integration providers. Also see "Enrichment Providers" on page 190.

Licensing and installation of these services is the responsibility of the user.

These providers can be selected for a data-enrichment rule, or you can get the on-demand reputation results on the Extractions page, as shown in this table.

Provider ServiceArtifact Fields: On-Demand Reputation

<custom pivot-only provider>

Add custom pivot-only providers from the web UI (or use scm pivot_only_provider in the Security Analytics 8.1.x Reference Guide on support.symantec.com).

MD5, SHA1, SHA256, Fuzzy, URL, IP, Hostname

214



Provider ServiceArtifact Fields: On-Demand Reputation

Cuckoo Send extracted files to a Cuckoo® sandbox for detonation.

n The default port number is 8090.

n Only version 0.6 and later is supported by Security Analytics 7.1.x and later.

n The file api.pymust be run on the server side. See the Cuckoo documentation for more information.

n The Cuckoo response is written to /var/log/messages, where you can find the link to the Cuckoo report.

File Name

FireEye Send extracted files to your FireEye® Malware Analysis System, AX-series solution for detonation. For more information, visit http://www.fireeye.com/products-and-solutions/malware-analysis.html Also see Specify Which FireEye Profile to Use.

File Name

FTP File Mover

Send extracted files to a remote server via FTP. n/a

Lastline® File

Send extracted files to Lastline's cloud-based sandbox for malware analysis. For more information, visit https://www.lastline.com/platform/integrations/blue-coat-security-analytics-platform

File Name

[Lastline Hash]

Send MD5 file hashes to Lastline to check against known-bad hashes. (Change the Category for Lastline File to hash.)

MD5

Local File Mover

Write files to a local directory on the Security Analytics. n/a

Titanium Scale

Send extracted files to your ReversingLabs® TitaniumScale® server. File Name

SCP File Mover

Send extracted files to a remote server via SCP. You must also set up SSH authentication on the remote server.

n/a

VirusTotal® File

Send extracted files to VirusTotal for malware analysis. For more information, visit https://www.virustotal.com/en/documentation/

File Name

VirusTotal Hash

Send MD5 file hashes to VirusTotal to check against known-bad files. MD5

VirusTotal URL

Send URLs to VirusTotal to check against known-bad URLs. Original URLReferrer

HTTP URI (Report)

Activate Integration Providers

n When you create a new Integration Provider, it is automatically activated, as shown by the green Activated

icon .

215

http://docs.cuckoosandbox.org/en/latest/

http://docs.cuckoosandbox.org/en/latest/

http://www.fireeye.com/products-and-solutions/malware-analysis.html

https://www.lastline.com/platform/integrations/blue-coat-security-analytics-platform

https://www.lastline.com/platform/integrations/blue-coat-security-analytics-platform

https://www.virustotal.com/en/documentation/


n To activate an inactive Integration Provider, click the red Deactivated icon .

Configure Integration Providers

You may configure as many entries for each provider type as you wish. For example, if you have three FTP servers, you can configure three FTP entries and then specify which servers will receive the extracted data in the data-enrichment rule.

1. Select Settings > Data Enrichment.

2. Under Integration Providers, click edit for the desired entry or click New.

3. Specify or edit the Name and add a Description, as desired.

4. Select the Type of provider.

5. Select the Category, as provided, to specify which field supports the reputation lookup:

n Hash (MD5)

n Host

n IP

n SHA1

n SHA256

n URL

6. Supply the information for the provider type:

n Cuckoo — Provide the Location (hostname or IP address). If you are upgrading from Security Analytics 7.1.x, specify port 8090 (<cuckoo_ip>:8090) or use dsportmapping to change the port to 8090.

n FireEye — Provide the Location (hostname or IP address) and account credentials. Optionally, see "Specify Which FireEye Profile to Use" on the next page.

n FTP File Mover — Provide the Location (hostname or IP address), account credentials, target directory, and FTP mode.

n Before sending files to the FTP server, Security Analytics renames the files to avoid conflicts. The new filename is the MD5 hash of [artifact time, source IP/port, destination IP/port, MD5 file hash]. Select Preserve Original Filename to append the original filename to the new name: <md5-hashed_filename>_<original_filename>

n Lastline — Provide the Token and Location for your account.

n Local File Mover — Provide the Directory. Take care not to overfill system directories or performance may be severely degraded.

n Pivot — Enter the URL of the resource as http://<url>%{TOKEN} or https://<url>%{TOKEN}. The %{TOKEN} string will be automatically replaced by the value to search. If the %{TOKEN} string cannot be at the end of the URL, enclose the entire URL in double quotation marks: "http://<url>"%{TOKEN}"<string>" For examples see scm pivot_only_provider in the Security Analytics 8.1.x Reference Guide on support.symantec.com.

216



n SCP File Mover — First, you must set up SSH authentication on the remote server and then provide the Location (hostname or IP address), Username of the <remote_user>, and target Directory.

n TitaniumScale — Provide the Location.

n VirusTotal — Provide the account Key.

7. See "Data Enrichment Filters" on page 109 to see how to specify which file types to send to the provider.

8. Click Save.

Specify Which FireEye Profile to Use

FireEye integration requires that SCP enable the diffie-hellman-group1-sha1 algorithm for this integration provider only.

Follow these instructions to specify which profile to use when sending a file to a FireEye AX-series server.

1. Log in to the FireEye console and run this command:

malware analyze sandbox url file:/file guestos ?

2. The list of available guest operating systems (profiles) is displayed. Make a note of the exact name of the guest OS.

3. On Security Analytics, open the ax_malware_analyze.sh script for editing:

[root@hostname ~] vi /opt/tonic/share/ax_malware_analyze.sh

4. Locate this line — around line 186 — and edit it as shown:

send "malware analyze sandbox url file:/$filename guestos <guest OS> force\r"

5. Save and close the script, and then restart data-enrichment and related services:

scotus stopscotus start

Endpoint Providers

Symantec SEP Integration

You can integrate the functionality of Symantec SEP with Symantec Security Analytics. See "Symantec Endpoint Protection" on page 197.

Rule-Based Endpoint Providers

Security Analytics can provide endpoint information to external endpoint-analysis providers such as EnCase® Cybersecurity by Guidance® Software. Using a Security Analytics Web API, endpoint analysis providers can retrieve source and destination IPs, source and destination ports, and the timespan for selected alerts. With this information, the provider can conduct its own endpoint investigations.

217


It is the responsibility of the user to license and install third-party endpoint analysis solutions.

Enable endpoint analysis support on the New/Edit Rule dialog by selecting the Endpoint Providers check box.

Custom Hash List n The Custom Hash List is an UnQLite embedded NoSQL database.

n The list accepts MD5, SHA1, and SHA256 hashes.

n Hashes must be designated as either "white" (known good) or "black" (known bad).

n The hash lists are stored here:

o /var/lib/solera/meta/local_hash_repo_md5.unq

o /var/lib/solera/meta/local_hash_repo_sha1.unq

o /var/lib/solera/meta/local_hash_repo_sha256.unq

n Both black and white hashes for each type of hash are contained in the same UNQ file.

n On a fresh install or upgrade from Security Analytics 7.1.x or earlier, the UNQ files do not exist; the Custom Hash List is empty until the user adds hashes to it.

n When a blacklist hash matches a file, the verdict is 10; a whitelist hash currently produces no score.

Add Hashes to the Custom Hash List

The lhr_flat_to_qdb command converts flat files of hashes (one hash per line) into database format. Only one kind of hash can be present in each file: Do not attempt to use a file that contains both MD5 and SHA1 hashes, for example.

syntaxlhr_flat_to_qdb -[5|1|2] -[b|w] -f <filename> [-d] [-v]

parameters

-5, --md5 Process file as MD5 hashes

218


-1, --sha1 Process file as SHA1 hashes

-2, --sha256 Process file as SHA256 hashes

-b, --black Add hashes to blacklist

-w, --white Add hashes to whitelist

-f, --file=<ARG> Read hashes from <ARG>

-o, --output=<ARG> Write database files with <ARG> prefix

-d, --debug Turn debug logging on

-v, --verbose Turn verbose logging on

-n, --noexec Perform a dry run; do not read or write files

-h, --help Display usage and help info

ld library path

lhr_flat_to_qdb requires access to the SO files in /usr/local/share/tonic/plugins.

examplesLD_LIBRARY_PATH=/usr/local/share/tonic/plugins /usr/local/bin/lhr_flat_to_qdb --verbose --sha1 --black --file=sha1_blacklist.txt

Uploads the SHA1 hashes in sha1_blacklist.txt to /var/lib/solera/meta/local_hash_repo_sha1.unq, marks them as blacklist hashes, and enables verbose logging.

LD_LIBRARY_PATH=/usr/local/share/tonic/plugins /usr/local/bin/lhr_flat_to_qdb -5 -w -n -f md5_hashes.txt

Shows the results of uploading md5_hashes.txt to /var/lib/solera/meta/local_hash_repo_md5.unq and marking them as whitelist hashes, but without performing the operation.

LD_LIBRARY_PATH=/usr/local/share/tonic/plugins /usr/local/bin/lhr_flat_to_qdb -2 -b -d -f sha256_blacklist.txt -w -f sha256_whitelist.txt

Uploads the SHA256 hashes in sha256_blacklist.txt as black hashes and sha256_whitelist.txt as white hashes to /var/lib/solera/meta/local_hash_repo_sha256.unq and enables debug messages.

Create a Flat File of Hashes

Follow these steps to create flat files of hash lists from files that are on a Linux or Unix system.

list of files<hash> sum <list-of-files> | awk '{ print $1; }' > <output_file>

all files in current directory<hash> sum -b * | awk '{ print $1; }' > <output_file>

219


exampleOn a Unix server you have a directory /malware_files that contains 21 known-bad PDFs. To save their SHA256 hashes as sha256-bad.txt, run this command from inside /malware_files:

sha256sum -b * | awk '{print $1; }' > sha256-bad.txt

With sha256-bad.txt copied to the root of Security Analytics, add the hashes to the Custom Hash Database:

[root@hostname ~]# LD_LIBRARY_PATH=/opt/tonic/lib /opt/tonic/bin/lhr_flat_to_qdb -2 -b -v -f sha256-bad.txthash type: sha256 hash color: black input filename: sha256-bad.txt db file prefix: /var/lib/solera/meta/local_hash_repo processing sha256 black-list file sha256-bad.txt ... 21 sha256 entries added to black-list [root@hostname ~]# cd /var/lib/solera/meta/[root@hostname meta]# lsdomain_users

groups local_hash_repo_sha256.unq

packets rules space_table_journal_v3.backup

verdicts_journal

flows groups_journal

lost+found prelerts space_table_journal_v3

verdicts

YARA RulesYARA rules (v. 3.8.1) can help detect live exploits before they are known to the Symantec Global Intelligence Network (GIN). YARA rule hits are displayed as follows:

n On the Alerts pages when the score is 7 or higher

n In the Local File Analysis report

n In the reputation information for individual artifacts

Activate YARA Rules

The YARA analysis provider and its corresponding rule (Local File Analysis - Live Exploits) are enabled by default.

Enable the YARA Analysis Provider

Follow these steps to edit the provider:

220



2. Under Local File Analysis Providers you can

n Enable or disable YARA .

n Edit the per-provider data enrichment filter.

Take care when creating rules that use the YARA provider. Only one YARA task runs at a time. If the rules engine sends excessive artifacts to the YARA provider, the verdict may take too long to be returned. Furthermore, when the YARA queue is full, new requests are dropped.

Enable the YARA Rule

Do one of the following:

n Select Menu > Analyze > Rules and enable or disable the Local File Analysis - Live Exploits rule.

n Create or edit a data-enrichment rule and select YARA in the Send to field.

The Live Exploits Indicator

The Local File Analysis - Live Exploits indicator, which is used by the Local File Analysis - Live Exploits rule, specifies multiple mime_type=<mime_type> values and then specifies uri_risk_verdict=5 (Unrated). The uri_risk_verdict filter is included to prevent overloading the YARA rules engine: only activity from unrated URLs is analyzed. The local copy of the Web Reputation Service database provides the uri_risk_verdict attribute.

The uri_risk_verdict attribute is available only with an Intelligence Services license.

Customize YARA Rules

You can customize your YARA rules by following these steps:

1. Select Menu > Settings > Data Enrichment, scroll down to the YARA File Manager section, and click Download to download the current file: rules.yar.

n Alternatively, you can open the YARA rules file: /usr/share/solera/yara_rules/rules.yar.

2. Use a text editor to add, delete, or modify YARA rules, as desired.

221


Avoid writing overly complicated rules: If a rule takes longer than two seconds to process, the process is terminated.

3. Specify meta information to generate alerts for YARA hits. The risk_score attribute specifies the lowest score for which alerts are generated. Because the system threshold for alerts is 7, user-defined rules should specify 7 or higher:

{meta:

author = "MyOrganization"risk_score = <integer 7–10>

strings:<strings>

condition:<condition>

}

If you do not specify a risk score, you will not get alerts or manual reputation results.

4. Save the file, and then on the web UI click Upload to upload the new file to the appliance. If you are editing the file directly, you must restart the data-enrichment service.

systemctl restart tonicd

5. To test the new rule set, open the Extractions page, expand an artifact entry, and then click Reputation. YARA rules should return a result.

6. To restore the YARA file to its default, click Restore.

Login CorrelationThe Login Correlation Service (LCS) for Microsoft® Active Directory® associates network activity with Microsoft Active Directory (AD) domain users. The LCS sends the following information to Symantec Security Analytics:

n Username

n IP address (as found in the domain server's DHCP log)

n Login time

n Authentication method

How the LCS Works

The LCS has two components:

n LCS agent — Detects user logons and logoffs and creates an IP-to-username correlation. Resides on a domain controller (DC).

n adlistener-d — A Linux daemon that adds the correlation information to the Indexing DB, from which the User Name report is generated. Resides on Security Analytics.

222


The LCS agent parses the logon/logoff events of a DC's security logs. Specifically, it monitors the logs for these event IDs:

n 4624 — An account was successfully logged on.

n 4634 — An account was logged off. After detecting this event ID, the LCS agent sends a WMI query to the workstation to verify whether the user has actually logged off.

The LCS agent extracts the following information from those events:

n User Name n Domain n Logon ID

n Logon Type n Workstation Name n Source Network

Address

n Source Port n Time n Date

The LCS agent correlates User Name with Source Network Address and sends the pairings to adlistener-d over port 8843, which adds the information to the Indexing DB.

Requirements

n .NET Framework 3.5 or later

n Windows Server

o 2012 (R2) (Domain Controller)

o 2016 (Domain Controller)

o 2019 (Domain Controller)

The LCS agent supports read-only domain controllers.

Configure the Domain Controller

These instructions include wording for both 2008 and 2016/2019 versions, with differences indicated in parentheses.

For every Active Directory domain controller that you want to monitor for logon events, perform these steps:

Configure the Advanced Audit Policy Setting

User logon information is stored in security logs on the DC. The LCS derives its information from these logs. To capture logon events, the DC’s advanced audit policy must be configured to audit successful logon and logoff events.

To configure an advanced domain login audit policy setting, follow these steps:

1. Log on to the DC as a member of the local administrators group.

2. Select Start > [Windows] Administrative Tools > Group Policy Management.

223

http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4624

http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4634


3. In the console tree, double-click your forest, e.g., Forest: domain.com.

4. Double-click Domains, and then double-click the domain controller, e.g., controller.com.

5. Right-click Default Domain Policy, and then click Edit.

6. Open the following items in this order:

a. Computer Configuration

b. Policies

c. Windows Settings

d. Security Settings

f. Advanced Audit Policy (Configuration)

g. (System) Audit Policies

h. Logon/Logoff

i. (Audit) Logon

7. Select the Configure the following audit events check box, select the Success check box, and then click OK.

8. Set (Audit) Logoff to Success as well.

Configure the Group Policy to Enable WMI Access to a Remote Machine

n The LCS uses remote WMI queries to verify whether a domain user is logged off. If a domain workstation does not respond to a WMI query, then the LCS regards the user as not logged off.

n If the user does not log off gracefully, Windows does not generate an event log; therefore, the LCS does not detect the event. This missed event can sometimes be inferred when a user logs on later to a workstation with the same IP address.

1. Select Administrative Tools > Group Policy Management > [Forest] > Group Policy Objects. Right-click Default Domain Policy and select Edit.

2. Select Start > [Windows] Administrative Tools > Group Policy Management.

3. In the console tree, double-click your forest, e.g., Forest: domain.com.

4. Double-click Domains, and then double-click the domain controller, e.g., controller.com.

5. Under default domain policy, select Computer Configuration > (Policies) > Administrative Templates > Network > Network Connections > Windows (Defender) Firewall > Domain Profile. Right-click the Allow inbound remote administration exception and enable.

6. Repeat the previous steps for Standard Profile.

224


Update the Group Policy Settings


n Select Start > All Programs > Accessories, right-click Command Prompt, and click Run as administrator.

n Open Windows PowerShell.

2. If the User Account Control dialog box is displayed, confirm that the action it shows is what you want, and then click Yes.

3. Type gpupdate and press Enter.

Verify That the Audit Policy Settings Were Applied Correctly

1. Type auditpol.exe /get /category:"Logon/Logoff" and press Enter.

C:\Windows\system32>auditpol /get /category: "Logon/Logoff"

System audit policyCategory/SubcategoryLogon/LogoffLogonLogoff

Setting Success Success

2. Verify that the setting for both Logon and Logoff is Success.

Install the LCS Agent


2. Click Download Version [x] of the Login Correlation Service Installation File and save DSLoginCorrelation.exe to your workstation.

Only one LCS agent is required per domain. You must install the LCS agent on the domain controller.

3. Run DSLoginCorrelation.exe on the target machine and follow the prompts to install it. During installation you are required to provide administrator credentials for a domain administrator account or an account that has permission to read domain-controller security event logs and execute WMI queries. DSLoginCorrelation.exe installs the following:

n The LCS agent

n A GUI application to configure the LCS

The installation process requires a system restart to complete.

225


4. When the domain controller has finished rebooting, launch Symantec Corporation > Login Correlation Service or double-click the desktop shortcut.

5. On the welcome page click Next.

6. On the Select Installation Folder page, specify the folder and click Next. The LCS agent begins to install.

7. On the Installation Complete page, click Close.

Configure the LCS Agent

1. Launch Login Correlation Service and click Connect.

2. No DCs are detected. Click Add.

3. Click Add again.

4. In the Domain Controllers section:

n For Domain Name, type the name of the current domain controller, e.g., ad.domain.com.

n For Domain IP, type the IP of the DC.

n For Login Name and Password, type the name and password of the administrator account for the DC.

n Click Apply.

5. In the Security Analytics sensors section:

n Click Add.

n For Appliance IP, type the IP address of Security Analytics.

n For Login Name and Password, type the name and password of the root account.

6. Optional — If Security Analytics requires a client certificate, select the Use Client Certificate check box.

Client authentication occurs when the adlistener-d service on the appliance requests a certificate from the LCS agent during the SSL handshake; an LCS agent cannot initiate a request to be authenticated.

7. Click Import SSL Certificate and upload a PEM-format certificate that will permit the LCS agent to access the appliance.

8. Click Apply.

9. Select File > View > Read-Only Tree View to see a hierarchical view of the DCs and appliances.

Import DCs and Appliances from a CSV File

You can import multiple DCs and Security Analytics appliances from a CSV file.

226


Syntax for DCsDomainController-IP,username,password

example192.0.2.55,administrator,<password>198.51.100.55,administrator,<password>2001::40da:223c,administrator,<password>

Syntax for Security AnalyticsAppliance-IP,username,password,SSL_agent_certificate_path

example192.0.2.20,root,<password>198.51.100.219,root,<password>,F:\shares\certificates\adl-cacert.pem 2001:3eda::4008,root,<password>

Enable LCS on the Appliance

1. Select Menu > Settings > Security on the web interface.

2. Scroll down to Login Correlation Service. Do one of the following:

n Select the Allow All Agent IPs check box. With this setting enabled, the login events from all LCS agents will be accepted by this Security Analytics appliance.

n To specify which LCS agent events to accept, clear the Allow All Agent IPs check box.

o For Server, type the address of a domain controller that has the LCS agent.

o Optional — Click add another agent IP for additional LCS agents.

3. On Menu > Settings > Security click Configure Firewall.

4. A default rule permits all Login Correlation traffic (port 8843) from all IPs. Create more firewall rules as desired.

5. Click Save.

View LCS Activity

From the CLI

1. Log on to the appliance via the CLI as root and execute the following command:

ps -aux | grep adl

2. You should see a display similar to the following:

227


In the Log File

The log file DomainLogonWatcher.log is created in the application data folder on the machine where the LCS agent resides: C:\Users\<username>\AppData\Roaming\Symantec Corporation\. The file has a maximum size of 100 Mb.

The \AppData\ directory is hidden by default.

Login Correlation Service activity appears similar to the following:

Domain Admin Account4/12/2020 8:02:33 PM Updated configuration will be applied to domain :<domain_name>4/23/2020 8:02:33 PM Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors 4/23/2020 8:02:33 PM Trying to authenticate at appliance 203.0.113.149 4/23/2020 8:02:33 PM AcknowledgeReceiverThread started for ip 203.0.113.149 4/23/2020 8:02:33 PM Authenticated to ADListner 203.0.113.149 4/23/2020 8:02:33 PM Adding domain controller<domain_name>: 203.0.113.150 4/23/2020 8:02:33 PM Adding domain controlle <domain_name>: 203.0.113.151

Non-Admin Account4/23/2020 6:11:06 PM Updated configuration will be applied to domain :<domain_name>4/23/2020 6:11:08 PM trying to connect to domain controller<domain_name>[ 203.0.113.151 ] 4/23/2020 6:11:08 PM Exception received while connecting to Domain Controller<domain_name>: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) 4/23/2020 6:11:11 PM Exception received while connecting to Domain Controller<domain_name>: Access denied 4/23/2020 6:11:18 PM trying to connect to domain controller<domain_name>[ 203.0.113.151 ] 4/23/2020 6:11:18 PM Exception received while connecting to Domain Controller<domain_name>: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) 4/23/2020 6:11:21 PM trying to connect to domain controller<domain_name>[ 203.0.113.150 ]

On the Web Interface

To see AD user names in the web interface, do one of the following:

n On the a Summary view, add the User Name widget.

n On the Analyze > Report page, select the Social Persona > User Name report.

Add user_name=<username> to the primary filter and run the IPv[x] Initiator report to see the user's IP address.

File Names Sent to ProvidersWhen Security Analytics sends the actual file (rather than a file hash) to data enrichment providers, the name of the file may be altered, according to the provider and its settings. The alteration is made to distinguish among identically named files that are captured at different times, from different sources, and that may have different contents.

Default Extractor Filename

By default the extractor assigns each artifact a new name, which includes the hostname of the appliance that captured the artifact, the date and time that the artifact was captured, and the MD5 hash of the file itself.

228


<hostname>_<YYYY-MM-DD>T<hh:ii:ss>-<zzzz>_<src_IP>-<src_port>_<dst_IP>-<dst_port>_<md5_hash>.<original_extension>

example

For the file 2020-executive-report.pdf, the default extractor filename might be:

SA-0324_2020-11-03T03:32:29-0700_198.51.100.10-8080_203.0.113.11-80_edc26aac26b6eb93c20e2bf4db77f5f9.pdf

Security Analytics sends artifacts with the default extractor filename to these providers:

n Cuckoo

n FireEye AX-series

n Lastline

n VirusTotal File

Other File Names

These providers do not receive artifacts with the default extractor filename.

Malware Analysis

The filename that Security Analytics sends to the Malware Analysis appliance differs depending on which process sends the artifact.

Real-Time Extraction

When traffic matches a Malware Analysis rule, Security Analytics sends a byte stream that has a title, which is the original file name. The title is derived from each protocol according to its packet headers: for example, FTP specifies a file name, emails have attachment filenames, HTTP specifies the file name in the URI or the POST content.

examplespdfcreator-1.3.2-en.win.exe watch_as3-vflGW0leG.swf 2020-executive-report.pdf

Manual Reputation Request

In an artifact entry on the Extractions page, click the file name and then select View Reputation Information > Malware Analysis. The name of the artifact is the default extractor filename.

In Malware Analysis you can further edit the Label of any sample (file) that you send from Security Analytics.

FTP Mover

The FTP Mover settings include the Preserve Original Filename option.

229


n Enabled — <unix_epoch_start_time>__<src_ip>_<dst_ip>__<original_filename>.<original_extension>

n Disabled — <unix_epoch_start_time>__<src_ip>_<dst_ip>.<original_extension>

examples

For the file 2020-executive-report.pdf, the filenames might be:

n Enabled — 1476834423.12753__198.51.100.10_203.0.113.11__2020-executive-report.pdf

n Disabled — 1476834423.12753__198.51.100.10_203.0.113.11.pdf

RulesUse rules to trigger a process on any flow that matches one or more indicators.

The rule types on Symantec Security Analytics are:

n Alert — Matching traffic triggers an alert.

n Data Enrichment — Matching traffic is submitted to additional resources for analysis.

n Discard Packets — Matching traffic is indexed and the rules engine is applied, but the packets are discarded and not written to the capture drive.

n Dynamic Filter — The first few packets of matching traffic are written to the capture and indexing drives, then all subsequent matching flows are excluded from the drives for a specified interval.

n PCAP Export — Matching traffic is saved as a PCAP to an external server.

n IPFIX Export — Matching traffic is sent to an external IPFIX collector.

n None — Matching traffic triggers a remote notification without producing an alert.

Rules Activated by DefaultAs soon as you upgrade to or install Security Analytics 8.1.x, these rules are applied to all incoming traffic:

n Alert - Heartbleed Attack Attempt — Alerts on traffic that matches the tls_heartbeat_attack_attempt indicator

n Alert - Non-Standard SSH — Alerts on traffic that matches application_id=ssh AND tcp_responder!=22

n Local File Analysis - Live Exploits — Applies YARA rules to traffic that matches the Local File Analysis indicator

Activate and Deactivate Rules

1. The rule is displayed in the Menu > Analyze > Rules list. The green icon indicates that the rule is active.

230


2. Click the green icon to deactivate the rule .

Prepare to Create a Rule

If you intend to use the open parser in a rule, follow the instructions in "Open Parser" on page 86.

The following rule types require prior setup:

n Alert — Optional — Set up the SMTP server on Menu > Settings > Communication > Server Settings to send alerts via email.

n Data Enrichment — Enrichment providers such as Intelligence Services and Content Analysis must be

configured and activated on Menu > Settings > Data Enrichment. (See "Symantec Intelligence Services" on page 193.)

n Dynamic Filter — Create one or more indicators to specify which types of flows to exclude. (See "Indicators" on page 129.)

n PCAP Export — Configure a directory (mount point) on an external server where the PCAPs will be sent.

n IPFIX Export — Deploy an IPFIX collector on your network. The IPFIX files that Security Analytics produces are IPFIX (NetFlow) v.10-formatted.

Create a New Rule


2. For Name, specify a unique name for the rule.

3. For First Event, specify one or more indicators or create new indicators.

The rules engine cannot detect values for attributes that are in the verdicts or groups namespaces. Those values are produced by data enrichment processes, which populate the Indexing DB after the data has passed through the rules engine. (See "Data Enrichment" on page 188.) Attributes in the packets namespace (such as" SCADA" on page 71) are also not supported by the rules engine, with the exception of packet_length.

4. Do you want to add more events?

231


Yes — Will you be using the open parser?

Yes — You cannot add multiple events. Follow the instructions in "Open Parser" on page 86.

No — Continue the procedure.

No — Skip to this step.

5. Click Add Second Event.

6. For Then Within, specifies the amount of time that monitoring for the second event will take place, after the first event has occurred.

7. For Second Event, specify one indicator.

8. Optional — Click Add Condition. Specify which attribute of the first event should match/not match the second event. You may add as many as four conditions, each of which must be unique.

9. Optional — Click Add Third Event, specify the timespan, one indicator, and as many as four conditions.

10. For Type, select the rule type and click the corresponding link for instructions on completing the rule:

n "Alert Rule" on the next page

n "Data-Enrichment Rule" on the next page

n "Discard Packets Rule" on page 234

n "Dynamic Filter Rule " on page 234

n "PCAP Export Rule" on page 235

n "IPFIX Export Rule" on page 235

n ""None" Rule" on page 236

232


Alert Rule

This type of rule posts alerts and sends remote notifications for matching traffic but takes no further action.

n Email Frequency — Optional — Specify how often email alerts are sent (15 minutes, hour, day, and week). You must also select SMTP for Remote Notifications and set up an SMTP server on Settings > Communication to receive email alerts.

n Importance — Select the importance level.

If you change the importance level of an alert, you must deactivate then activate the rule for the change to take effect.

n Shared — Optional — Select to make the rule viewable by everyone who has access to this appliance. After you set this attribute, you cannot change it.

n Remote Notifications — Optional — Select one or more remote-notification types. You may select the default

template or configure a template on Menu > Settings > Communication > Templates. (See "Logging and

Communication" on page 306.) Verify that you have configured the appropriate server(s) on Menu > Settings > Communication > Server Settings. For ICDx you must also activate the metadata types, as described in ICDx.

o SMTP — Optional — Specify email accounts to receive the alert notifications. If you specify no email

accounts, the default email address on the Menu > Settings > Communication > Server Settings page will be used.

n Endpoint Providers — Optional — Select to send endpoint data to endpoint analysis providers.

n Click Save.

Data-Enrichment Rule

This type of rule sends data to one or more enrichment providers and posts an alert if the score is 7 or higher.

n Send to — Select one or more enrichment providers. The options for this field are derived from the items on the Data Enrichment Settings page.

n You can select a provider that is not active or licensed, but the rule will not produce a result for that provider until the provider is activated.

n The importance level (critical, warning, notice) is determined by the score that the provider returns.

233








n Endpoint Providers — Optional — Select to send endpoint data to external endpoint analysis providers.

n Click Save.

Consult Security Analytics Ports and Protocols to configure your network firewalls for data-enrichment traffic.

Discard Packets Rule

New in Security Analytics 8.1.1This type of rule prevents matching packets from being written to the capture drive. See "Intelligent Capture" on page 34.


n Click Save. When network traffic matches the event(s), the traffic is indexed and the rules engine is applied but the packets are not written to the capture drive.

Dynamic Filter Rule

See "Dynamic Filters" on page 36 for an explanation of this rule type. Before creating a dynamic filter rule, review "Guidelines for Creating Dynamic Filters" on page 37.

To see which protocols and applications are supported for indicators, go to Recognized Applications in the Security Analytics 8.1.3 WebGuide on support.symantec.com and download the XLSX or CSV file.

Use the dynfilter command to manage the dynamic filters. (More information in the Security Analytics 8.1.x Reference Guide on support.symantec.com.)

234




n Select at least one attribute from the 5-tuple that Security Analytics uses to identify a flow. Symantec recommends that you use IP protocol and IP responder only:

o IP/port initiator — Selecting the initiator port can add significant workload to the system.

o IP/port responder

o IP protocol (TCP or UDP)

n Filter Duration in Seconds — Specify the number of seconds to apply this rule before disengaging the rule.


n Click Save. When network traffic matches the event(s), the system creates a capture filter using the selected attributes and applies it for the specified interval. An alert is not produced for this type of rule, but the Audit Log will show when the rule is applied.

PCAP Export Rule

This type of rule converts matching flows to PCAP or PCAPNG files and exports them to an external server.

n Server — Select an existing mount point on an external server or click the Manage Connections icon to configure a new mount point.

n PCAPNG — Select to export in PCAPNG format.







n Click Save. When network traffic matches the events, the entire flow is exported to the specified directory as a PCAP(NG) file. The file will be named <hostname>/<rule_name>/<indicator_name>/<filename>.pcap(ng)

IPFIX Export Rule

This type of rule converts matching flows to IPFIX v.10 and exports them to an external IPFIX server. It is the responsibility of the user to deploy an IPFIX server that supports v.10 formatting.

n IPFIX Server IP — Specify the IP address or hostname of the IPFIX collector.

n IPFIX Server Port — Specify the port number that the IPFIX collector uses.

235








n Click Save. When network traffic matches the indicator(s), the entire flow is exported to the external IPFIX collector.

"None" Rule

This type of rule can be used to send remote notifications of matching traffic without producing an alert.

n Shared — Optional — Select to make the rule viewable to everyone who has access to this appliance. After you set this attribute, you cannot change it.


template or configure a template on Menu > Settings > Communication > Templates. If you have not already done so, configure the appropriate server(s).


accounts, the Default Email Address on the Menu > Settings > Communication > Server Settings page will be used.

n Click Save.

AlertsThe Alerts Management Dashboard is the default landing page. From there you can easily access the Alerts Summary and Alerts List.

Alert Creation WorkflowFollow this procedure to populate the Alerts pages.

1. Determine what data you want to be alerted on and create one or more indicators to detect that data. (See "Indicators" on page 129.)

2. If you need to use a regular expression to detect the data, prepare and verify the expression. (See "Open Parser" on page 86.)

3. Determine what you want to know about that data.

236


Security Analytics detected the data — Follow the steps in "Rules" on page 230 to create a simple alert.

Security Analytics got a significant verdict from a data enrichment provider regarding the data — Continue the procedure.

4. Decide which enrichment providers should evaluate the data. Ensure that each provider is licensed and activated. (See "Enrichment Providers" on page 190.)

5. Verify that your firewalls permit the data enrichment traffic. (See "Security Analytics Ports and Protocols" on page 298.)

6. Ensure that the file-type filter on the enrichment provider permits the data type to reach the enrichment provider. (See "Data Enrichment Filters" on page 190.)

7. Create a data enrichment rule that includes the indicators and/or regular expression, and that sends the data to the proper enrichment providers. (See "Rules" on page 230.)

Alert ManagementThe Alerts List provides alert management and immediate data visibility.

n Assign alerts to specific users

n Assign a state to each alert to track the investigation

n Delete alerts individually or across a selected timespan

n Add responder IP addresses to the Exclude from Lookup list.

n When the alerts table exceeds 100,000 rows, the deletion algorithm removes Closed alerts first.

237


1 Alert check box.

n To toggle between Select All and Clear All, press Shift Alt *

n To expand selected alerts press Shift Alt +

n To collapse selected alerts press Shift Alt –

8 Start time for the flow that contains the alert. This value is affected by reindexing and by retaining timestamps for a PCAP import.

2 Select All check box. This check box controls only the alerts on the current page.

9 Modified on/ Modified time — Time at which the most recent child alert was posted

3 Importance level:

n Critical

n Warning

n Notice

10 Alert State — Select the alert's check box, select Actions > Set State, and select [Unassigned | Assigned | In progress | On hold | Resolved | Closed]

4 Name of the rule that produced the alert 11 Alert Owner — Select the alert's check box, select Actions > Set Owner, and select a user account.

n Users in this list have Analyze > Rules permissions.

o On a CMC, the users must have remote group permissions for the sensor; users on the sensor are not displayed on the CMC.

n To change an alert's owner, a user must have Settings > Users and Groups > User Names permissions.

238


5 Name of the indicator that matched the flow; click to view or edit the indicator.

12 Actions menu. For some actions, you have the option to apply the action to:

n all alerts that meet the filter criteria

n only the alerts with the check box selected

6 Layers 2–4 Flow Data — Ethernet and IP addresses, port numbers, and the system-assigned flow ID

Click a responder IP address to view the geolocation, get a reputation report, or select Whitelist IP for URL Reputation to add it to the Exclude from Lookup list on Settings > Data Enrichment. Adding the IP to the Exclude from Lookup list does not delete alerts that have already been posted.

13 View Report Summary — Click to view the flow in the default Summary View

7 Time when the alert was posted 14 View Artifacts — Click to extract the artifacts in this flow

Data Enrichment AlertsData enrichment alerts are generated by data-enrichment rules that you explicitly configure and enable on Analyze > Rules.

Symantec Web Reputation Service Alerts

Symantec Web Reputation Service alerts are available with an Intelligence Services subscription. Contact Symantec Support for more information.

To activate Web Reputation Service alerts:

239



2. Under Symantec Intelligence Services, click the icon to activate Symantec Web Reputation Service.

3. Select Menu > Analyze > Rules and click the icon to activate the Symantec Web Reputation Service rule. This rule sends all URLs with a url_risk_verdict equal to or higher than 5 (unknown) to the Web Reputation Service.

4. You may edit the indicators for this rule and also specify the Web Reputation Service as a provider for other data enrichment rules, either existing or user-defined.

5. In addition to the basic alert, a Web Reputation Service alert includes child alerts for the parent:

1 Parent alert — Contains all of the information in the basic alert. Double-click the parent to toggle between expanding and collapsing the child alerts.

6 Whether the verdict was retrieved from cache. Run scm db clear_redis tonic to clear the verdict cache.

2 Child alert — Only the parent alert is counted in the tally. All child alerts come from the same flow.

7 Time when the child alert was posted

3 Alert type: URL 8 Reputation Report — Click to see verdict details

4 Risk score, as returned by the Web Reputation Service

9 URL that triggered the alert

5 Number of child alerts for the parent 10 Enrichment provider that returned the verdict

240


Symantec File Reputation Service Alerts

Symantec File Reputation Service alerts are available with an Intelligence Services subscription. Contact Symantec Support for more information.

To activate File Reputation Service alerts:


2. Under Symantec Intelligence Services, click the icon to activate Symantec File Reputation Service.

3. Select Menu > Analyze > Rules and click the icon to activate the Symantec File Reputation Service rule. This rule sends all files that match the filters in the Symantec File Reputation Service Presented File Extensions, Symantec File Reputation Service File Types, and Symantec File Reputation Service Presented MIME Types indicators to the File Reputation Service.

4. You may edit the indicators for this rule and also specify the File Reputation Service as a provider for other data enrichment rules, either existing or user-defined.

5. When an artifact matches the indicators, the artifact is extracted, the SHA256, SHA1, and MD5 hash values are written to the Indexing DB, and an entry is displayed on the Alerts pages.

6. In addition to the basic alert, a File Reputation Service alert includes child alerts for the parent:

241


1 Parent alert — Contains all of the information in the basic alert. Double-click the parent to toggle between expanding and collapsing the child alert.




3 Alert type: File 8 Reputation Report — Click to see verdict details

4 Risk score, as returned by the File Reputation Service

9 MD5 hash plus file name of artifact that triggered the alert


242


Symantec Malware Analysis Alerts

Symantec Malware Analysis alerts are available if you have a Symantec Malware Analysis appliance. Contact Symantec Support for more information.

To activate Malware Analysis alerts:

1. Integrate your Malware Analysis appliance with Security Analytics by following these instructions.

2. When you are ready to begin sending samples to Malware Analysis, select Menu > Settings > Data Enrichment.

3. Under Symantec Analysis Providers, click the icon to activate the Malware Analysis Appliance.

4. Select Menu > Analyze > Rules and click the icon to activate the Symantec Malware Analysis Service rule. This rule sends all files that match the filters in the Symantec File Reputation Service Presented File Extensions, Symantec File Reputation Service File Types, and Symantec File Reputation Service Presented MIME Types indicators to Malware Analysis.

Because the Malware Analysis and File Reputation Service rules have the same default indicators, enabling both rules at the same time will produce duplicate alerts. Symantec recommends that you do one of the following:

n Select the FRS Prefilter option when configuring the Malware Analysis provider, and then enable only the Malware Analysis rule.

n Enable only one of the rules at a time.

n Edit the indicators so that each rule detects mutually exclusive traffic or artifacts.

5. You may edit the indicators for this rule and also specify Malware Analysis as a provider for other data enrichment rules, either existing or user-defined.

6. In addition to the basic alert, a Malware Analysis alert includes child alerts for the parent:

243


The FRS Prefilter option — enabled by default — has a substantial effect on Malware Analysis alerts and reports by returning FRS verdicts for known artifacts and then sending only the unknown artifacts to the Malware Analysis appliance.

1 Parent alert — Contains all of the information in the basic alert. Double-click the parent to toggle between expanding and collapsing the child alert.



8 Reputation Report — Click to see verdict details.

3 Alert type: Malware 9 Go to MAA — Click to open the task page on the Malware Analysis appliance.

4 Risk score, as returned by a Malware Analysis appliance

10 MD5 hash plus file name of artifact that triggered the alert



244


Remote NotificationsWith the remote notifications feature, you can customize the alert notifications that the system sends to configured ICDx, SMTP, SNMP, Splunk Phantom®, or syslog servers.

To send remote notifications follow these steps:

1. "Configure the Server" below

2. "Choose or Create a Template" below

3. "Select the Notification When Creating or Editing a Rule" on page 247

Configure the ServerConfigure server settings by following these instructions:

n "ICDx Remote Notifications" on page 85

n "Email Alerts" on page 308

n "SNMP Settings" on page 309

n "Splunk Phantom" on page 312

n "Syslog Settings" on page 311

Choose or Create a TemplateYou can select an existing template or create one or more new templates with a customized format.

1. Select Menu > Settings > Communication > Templates.

n Several preconfigured templates are already present on this page. They cannot be edited or deleted.

2. Click New. The New Template dialog is displayed.

3. For Template Name, specify a name.

4. For Type, select SNMP, SMTP, or syslog.

n If you selected SMTP, type the Subject Line for the email message.

5. For Available Fields, select the fields to include in the template. The fields correspond to the primary filter attributes plus Flow Timestamp, which is start_time="".

6. Use the up and down arrows to put the fields in the desired order.

7. For Delimiter, select which character to put between the fields.

8. The Template Output Characters field displays the template and counts the characters. This field is not editable.

9. Click Save.

245


10. These templates are available in the Rules dialog boxes (Create, Edit) under Remote Notifications. When you select a remote notification type, a drop-down list is displayed with the available templates.

Default Template Output

The default templates cannot be edited. To get other attributes create a new template. The default output is as follows:

CEF

CEF syslog messages conform to ArcSight CEF version 17.

CEF:0|<OB_CEF_DEVICE_VENDOR>|<OB_CEF_DEVICE_PRODUCT>|<VERSION>|<OB_CEF_EVENT_ID_ALERT>|<OB_CEF_EVENT_NAME_ALERT>|<alert importance>|src=<ipv4_initiator> spt=<port_initiator> dst=<ipv4_responder> dpt=<port_responder> start=<UNIX timestamp> end=<UNIX timestamp> smac=<ethernet_initiator> dmac=<ethernet_responder> msg="Rule: '<rule name>' was triggered by indicator: '<indicator name>'"

File Reputation

File reputation syslog messages are semicolon-delimited.

mime_type="<mime type>";file_type="<file type>";filename="<file name>";application_id="<application id>";md5="<md5 hash>";sha1="<sha1 hash>";sha256_hash="<sha256 hash>";ipv4_initiator="<ipv4 initiator>";ipv4_responder="<ipv4 responder>";ipv6_initiator="<ipv6 initiator>";ipv6_responder="<ipv6 responder>";ip_protocol="<ip protocol>";port_initiator="<port initiator>";port_responder="<port responder>";http_uri="<uri>";

ICDx

Security Analytics sends a JSON-formatted message to the ICDx server. This example message comes from an alert rule with only the default metadata selected on ICDx Metadata. For data-enrichment alerts the details from the enrichment provider are included.

{"log_name": "<log_name>","timezone": <integer>,"type_id": <integer>,"product_data":{"connection":{"src_ip": "<initiator ip>","dst_ip": "<responder ip>","src_port": <initiator port>,"dst_port": <responder port>,"src_mac": "<initiator mac>","dst_mac": "<responder mac>"},"ref_url": "https://<host ip>/deepsee#{\"ac\":\"Summary\",\"ca\":{\"start\":<epoch>,\"end\":<epoch>},\"pb\":[\"flow_id=<id>\"],\"icdx\":{\"cmc_pivot\":1}}","ipv4_initiator": "<initiator ip>","port_initiator": "<initiator port>","ipv4_responder": "<responder ip>","port_responder": "<responder port>","start_time": "<epoch>:999999999"},"message": "<rule or provider name>","product_name": "Symantec Security Analytics","uuid": "<uuid>","ref_uid": "<integer>","log_time": "YYYY-MM-DDThh:ii:ss.069Z","product_ver": "Solera release 8.1.3 (8.1.3_99999)","device_ip": "<host ip>","device_name": "<hostname>","category_id": <integer>,"severity_id": <integer>,"device_time": <epoch>},

Sandboxing Malware Analysis

Sandboxing Malware Analysis syslog messages are semicolon-delimited.

mime_type="<mime type>";file_type="<file type>";filename="<file name>";application_id="<application id>";md5="<md5 hash>";sha1="<sha1 hash>";sha256_hash="<sha256 hash>";ipv4_initiator="<ipv4 initiator>";ipv4_responder="<ipv4 responder>";ipv6_initiator="<ipv6 initiator>";ipv6_responder="<ipv6 responder>";ip_protocol="<ip protocol>";port_initiator="<port initiator>";port_responder="<port responder>";maa_report="><data from Malware Analysis appliance>";http_uri="<uri>";

246


SMTP

SMTP messages are tab-delimited.

ipv4_initiator=<ipv4 initiator>→port_initiator=<port initiator>→ipv4_responder=<ipv4 responder>→port_responder=<port responder>→start_time=<UNIX timestamp>

SNMP

SNMP messages are pipe-delimited.

ipv4_initiator=<ipv4 initiator>|port_initiator=<port initiator>|ipv4_responder=<ipv4 responder>|port_responder=<port responder>|start_time=<UNIX timestamp>

Splunk Phantom

Security Analytics sends JSON-formatted data. This output does not have a template associated with it, and you cannot create a custom template for this output.

{"cn1":<verdict>,"cn1Label":"verdict","cs4":"<rule_name>","cs5":"<indicator_name>","dmac":"<destination_MAC_address>","end":"<artifact_end_unix_time>","msg":"Rule '<rule_name>' was triggered by Indicator: '<indicator_name>'","smac":"<source_MAC_address>","start":"<artifact_start_unix_time>""title":"<file_name>|<url>"}

Web Reputation

Web reputation syslog messages are semicolon-delimited.

http_uri="<http url>";mime_type="<mime type>";application_id="<application id>";ip_protocol="<ip protocol>";ipv4_initiator="<ipv4 initiator>";ipv4_responder="<ipv4 responder>";ipv6_initiator="<ipv6 initiator>";ipv6_responder="<ipv6 responder>";port_initiator="<port initiator>";port_responder="<port responder>";

Select the Notification When Creating or Editing a RuleFor more information see "Rules" on page 230.

n Near the bottom of the New Rule and Edit Rule dialogs there is a Remote Notifications section.

n Select one or more check boxes for the remote notifications that you want to send.

n For most check boxes that you select you can select the template to use for the notification.

n When the rule is active, data is sent to the configured server in the format that you have selected.

n To stop the data from being sent you have these options:

o Deactivate the rule

o Edit the rule to clear the check box for the notification

Data Enrichment Filters

Menu > Settings > Data Enrichment > Default Data Enrichment Filter

247


This table displays the file and MIME types that are included in each Data Enrichment File-Type Filter. Data Enrichment File-Type Filter.

Filter Name MIME Types

Adobe® PDF application/acrobatapplication/pdfapplication/x-pdftext/pdftext/x-pdf

Archives application/bz2 application/bzip2 application/epub+zip application/gzip application/gzip-compressed application/gzipped application/rar application/vnd.ms-cab-compressed application/x-7z-compressed application/x-bz2 application/x-bzip application/x-bzip2 application/x-cab application/x-cab-compressed application/x-cabinet application/x-compress application/x-compressed application/x-cpio application/x-gunzip application/x-gzip application/x-gzip-compressed application/x-rar application/x-rar-compressed application/x-redhat-package-manager application/x-rpm application/x-tgz application/x-xz application/x-zip application/x-zip-compressed application/zip gzip/document multipart/x-zip

Binaries application/binapplication/binaryapplication/octet-stream

248



Code application/cgi application/force-download application/php application/x-cgi application/x-httpd-php application/x-httpd-php3 application/x-httpd-php3-preprocessed application/x-httpd-php4 application/x-httpd-php-source application/x-php text/html text/phptext/x-ctext/x-c++wwwserver/shellcgi

Configuration Files application/isf.sharing.configapplication/vnd.centra.client.configuration

Debian® Packages application/osx.app-archive application/vnd.debian.binary-package application/x-apple-diskimage application/x-deb application/x-debian-package application/x-debian-package-iphoneos application/x-debian-package-osx application/x-ios-app

Email application/emailapplication/x-emailmessage/rfc822

IPA Files application/ios.app-archive

249



Images application/bmp application/jpeg application/png application/x-bmp application/x-png application/x-win-bitmap image/bmp image/gif image/jpeg image/jpg image/ms-bmp image/pjpeg image/png image/vnd.swiftview-jpeg image/x-arib-png image/x-bitmap image/x-bmp image/x-citrix-pjpeg image/x-ms-bmp image/x-png image/x-win-bitmap image/x-windows-bmp image/x-xbitmap images/jpeg images/png img/png

JAR Archives application/jar application/java-archive application/vnd.android.package-archiveapplication/x-jar application/x-java-applet application/x-java-archive application/x-java-bean

JavaScript application/javascriptapplication/js application/vnd.javascript application/x-javascript application/x-js text/javascript text/js text/x-javascript text/x-js

250



Multimedia, Audio, Video application/x-troff-msvideo application/asx application/flv application/swf application/vnd.ms-asf application/x-fcs application/x-flv application/x-mplayer2 application/x-pn-mpg application/x-shockwave-flash application/x-shockwave-flash2-preview audio/aiff audio/asf audio/avi audio/mp3 audio/mpeg audio/mpeg3 audio/mpg audio/vnd.rn-realaudio audio/wav audio/wave audio/x-amzaudio audio/x-mp3 audio/x-mpeg audio/x-mpeg3 audio/x-mpegaudio audio/x-mpg audio/x-pn-realaudio audio/x-pn-realaudio-plugin audio/x-pn-wav audio/x-realaudio audio/x-wav image/avi image/mov image/mpg video/avi video/flash video/fli video/flv video/mp2t video/mp4 video/mpeg video/mpeg2 video/mpg video/msvideo video/quicktime video/x-flv video/x-mpeg video/x-mpeg2a video/x-mpg

251



video/xmpg2 video/x-ms-asf video/x-ms-asf-plugin video/x-msvideo video/x-ms-wm video/x-ms-wmv video/x-ms-wmx video/x-pn-realvideo video/x-quicktime

252



Office Documents appl/text application/cdfv2 application/cdfv2-corrupt application/doc application/msexcel application/mspowerpnt application/mspowerpoint application/ms-powerpoint application/msword application/powerpoint application/rtf application/vnd.ms-excel application/vnd.ms-excel.12 application/vnd.ms-excel.addin.macroEnabled application/vnd.ms-excel.addin.macroEnabled.12 application/vnd.ms-excel.sheet.binary.macroEnabled application/vnd.ms-excel.sheet.binary.macroEnabled.12 application/vnd.ms-excel.sheet.macroEnabled application/vnd.ms-excel.sheet.macroEnabled.12 application/vnd.ms-excel.template.macroEnabled application/vnd.ms-excel.template.macroEnabled.12 application/vnd.ms-office application/vnd.ms-officetheme application/vnd.mspowerpoint application/vnd.ms-powerpoint application/vnd.ms-powerpoint.addin.macroEnabled application/vnd.ms-powerpoint.addin.macroEnabled.12 application/vnd.ms-powerpoint.presentation.12 application/vnd.ms-powerpoint.presentation.macroEnabled application/vnd.ms-powerpoint.presentation.macroEnabled.12 application/vnd.ms-powerpoint.slideshow.macroEnabled application/vnd.ms-powerpoint.slideshow.macroEnabled.12 application/vnd.ms-powerpoint.template.macroEnabled application/vnd.ms-powerpoint.template.macroEnabled.12 application/vnd.msword application/vnd.ms-word application/vnd.ms-word.document.macroEnabled application/vnd.ms-word.document.macroEnabled.12 application/vnd.ms-word.template.macroEnabled application/vnd.openxmlformats-officedocument.presentationml.presentation application/vnd.openxmlformats-officedocument.presentationml.slideshow application/vnd.openxmlformats-officedocument.presentationml.template application/vnd.openxmlformats-officedocument.spreadsheetml.sheet application/vnd.openxmlformats-officedocument.spreadsheetml.template application/vnd.openxmlformats-officedocument.wordprocessingml.document application/vnd.openxmlformats-officedocument.wordprocessingml.template

253



application/vnd.wordperfect application/winword application/word application/x-dos_ms_excel application/x-excel application/xls application/x-msexcel application/x-ms-excel application/x-msw6 application/x-msword application/x-powerpoint application/x-rtf text/richtext text/rtf

Programs and Libraries application/bat application/exe application/vnd.ms-dll application/x-bat application/x-dosexec application/x-exe application/x-msdos-program application/x-msdownload application/x-msi application/x-ole-storage application/x-vbs text/vbs text/vbscript text/x-msdos-batch

254


Appliance SecurityUser Accounts and Groups 255

Account Settings 265

Remote Authentication 267

Common Access Card Authentication 276

Using RADIUS and LDAP in Parallel on Security Analytics 278

LDAP Group Inheritance 279

Remote Access 284

Passwords 290

SSL Certificates and Keys 291

Security Analytics Ports and Protocols 298

Disable SSH Root Logins 301

SSH Authentication 302

MD5-Encrypted Password for Bootloader 303

Federal Information Processing Standards 304

Security Best Practice n Do not run "software hardening" scripts on Security Analytics; such scripts are

likely to change internal settings that will cause the system to malfunction.

n Never modify system settings via the CLI (such as CONF files) unless you are explicitly directed to by Support or the user documentation. Modifying system settings in this manner may lead to an insecure or malfunctioning device.

n To fine-tune security settings that are not described in user documentation, contact Symantec Support.

User Accounts and Groups

Select Menu > Settings > Users and Groups to configure local user accounts and their groups. With these groups you can exercise RBAC (Role-Based Access Control). RBAC gives administrators the ability to assign specific view or modify permissions to "roles" (which are represented by "groups" on Security Analytics), and then to assign the users to one or more groups. In this way, administrators can impose a granular level of control over what users are permitted to do or see on Security Analytics.

255


Local Users n You can create up to 256 local users on the Security Analytics appliance.

n User names and passwords support the UTF-8 character set.

n Password strength can be configured on Settings > Security.

n To enable two-factor authentication for your account, see "Two-Factor Authentication" on page 275.

Security Best Practices n Do not modify password complexity settings except to increase password length.

n Specify different passwords for each user when setting up local user accounts.

n Require that user passwords be regularly changed, using "password aging." 90 days should be the maximum age.

n Notify users 7 days before their passwords expire.

Add a User

1. Select Menu > Settings > Users and Groups > Users.

2. Select Tools > New.

3. Under Login Details, specify the username and type the password twice. The username cannot contain spaces.

4. Optional — For User Groups, the default user group is present. You can delete this group or add other user groups, as desired.

A user account that does not belong to any groups does not have access to the appliance.

5. Optional — Under Account Details specify the user's real name and email address.

6. Click Save.

n If you lose access to all of the admin-level accounts on the web interface, log on to the CLI with root permissions and run the following:

/gui/dsweb/Console/cake --app /gui/dsweb solera_acl elevate <username>

256


n where <username> is the name of an existing user account. The command places the user in a new group with administrator privileges called elevated-admin-<YYYY-MM-DD>T<hh:ii:ss>. Log on with this account using its original password, and then edit the account and the group in Settings > Users and Groups.

Modify User Accounts

Use the controls on the Users and Groups page to modify or delete user accounts.

Local User — This user account was created directly on the appliance. When you delete this user, the user’s group membership and login data are deleted, so the user cannot log in to the appliance again.

Edit Account — Click to change the user’s password, enable or disable the account, or change group membership.

Delete User — If a user is logged in when its account is deleted, the user’s next action will fail.

Non-Local Account — This user has logged in to the appliance using remote-server credentials such as LDAP or RADIUS. When you delete a non-local user from the appliance, the user is deleted from all local groups, but the account on the remote server is unaffected. When the user logs in to the appliance again using those remote credentials, the user account appears again on the Users and Groups page in the default group. The admin may then manually add or remove the user from the group.

To prevent remote users from gaining unwanted access, do one of the following:

n Create a group that has few access privileges and designate it as the default group.

n In the LDAP search settings, select a Group DN that excludes unwanted users. (See "LDAP Group Inheritance" on page 279.)

Enabling and Disabling User Accounts

n User accounts are disabled automatically after a specified number of failed login attempts. (See "Web Access"

on page 286.) You can re-enable the user account by clicking its Edit icon and clearing Account Disabled.

n Likewise, you can manually disable a user account by selecting the Account Disabled check box.

Shell-Only UsersShell-only user accounts can access the appliance through an SSH session only. They do not appear on and cannot be modified in the web interface. The password for a shell-only user expires after 60 days.

To create a shell-only user, log in to the CLI with root credentials.

257


syntaxscm solera_acl shell_only [<parameters>]

parameters

<username> User name for the shell account; this account must already exist on the appliance, created either on the web interface or with the dsadduser command.

-r Remove the shell-only flag from the account.

examplesscm solera_acl shell_only

Displays a list of shell-only users.

scm solera_acl shell_only <username>

Converts the username account on the web UI to shell only. The account is no longer displayed in the web UI.

scm solera_acl shell_only -r <username>

Removes the shell-only flag from the user account.

Account Profile SettingsClick the name of the current account to change user name, email, password, display, and authentication preferences.

Settings

[Account Name] > Account Settings

1. For Name, type a display name for your account.

2. For Email, type the email address to associate with the account.

3. Optional — Click Change Password.

n The default requirements for password strength are:

o 14 characters

o digit (numeral)

o other character (non-alphanumeric [#, &, %])

o upper-case letter

n To change these rules, go to Settings > Security. (See "Passwords" on page 290.)

o Type the current (old) password.

o Type and then retype the new password.

258


4. API Key — The API key is used for web services APIs. You must be logged in to the account to generate its API key. Admin-level accounts cannot generate API keys for other accounts.

n The API key is not visible on the web UI by default.

n Click Reset API Key to view and copy the API key.

n After you close the Account Settings dialog, the API key will not be available again. You must click Reset API Key to generate a new key.

n When you click Reset API Key, the previous API key is deleted.

n A new user account does not have an API key until the user logs in to the web UI, opens Account Settings, and clicks Reset API Key.

5. Time Prefix, Time Suffix — See Single Time-Value Configuration in the Security Analytics 8.1.x Reference Guide on support.symantec.com.

Preferences

[Account Name] > Preferences

n Number of Entries per Page — Select the number of rows to display for the data tables.

n Network Traffic — Select the unit of measurement to display: bits, bytes, packets.

n Language — Select the language for the interface.

n Enable Google Authenticator — Select to enable 2FA.

Do not enable 2FA until after you have installed Google Authenticator on your smart phone; otherwise, you may be locked out of the web interface.





User GroupsSecurity Analytics has three preconfigured user groups:

n admin — Full modification rights via the web interface and the CLI

n auditor — View and download logs

259



n security_admin — Full modification rights but no capture or analyze permissions

n user — View and modify capture and analysis pages; all new users are assigned to this group by default.

Create or Modify a Group

1. Select Menu > Settings > Users and Groups > Groups.


n Click the Edit icon for an existing group.

n Click Actions > New and specify a unique Name.

3. Optional — Select Default to make this the default group. All new users will placed into this group by default.

4. Optional — For Description, describe the group characteristics.

5. Specify the group's access rights. See Group Permissions, below.

6. Optional — For Filter, specify which data this group can access. (See "Data Access Control" on page 265.)

7. Optional — For Users, type the names of the group's members. You can also leave this field blank and return later to add names.

8. Is LDAP authentication enabled on this appliance?

Yes — Optional: For LDAP Groups, type any value that exists within the search scope of the Group DN field on the Authentication Settings page. See "Limiting LDAP User Searches" on page 269 and "LDAP Group Inheritance" on page 279 for more information.

No — Continue the procedure.

9. Click Save.

260


Group Permissions

Security Best Practices Provide users with only the level of access that is required for their roles.

n Use the security_admin group for users who must verify that the appliance's security settings conform to your organization's policies.

n If a user needs to view reports but will not be responsible for making configuration changes, assign the user to a group that does not have Settings permissions or that has read-only access to the Settings pages.

n Assign a user who is an auditor to the default audit group, which has permission to view and download logs only.

n Use data-access control to restrict access to particular types of report and artifact data. For example, if Filter contains application_group!=web, the user cannot view data that has been classified in the Web Application Group.

When assigning group permissions, you can select a parent permission to include all of its children permissions, or you can select each permission separately. When you select the Capture check box, for example, you assign all capture-related permissions to the group, or you can clear Capture child permissions individually.

n The Security Administrator has access to all settings and the CLI but cannot capture or analyze data.

n New in Security Analytics 8.1.1 Read-only (view) permissions have been provided for some common features. New permissions are shaded in yellow. These new permissions are automatically enabled for the admin group upon upgrade.

n Click the link below to see the table.

261


Default Group PermissionsPermission Admin

Sec. Admin

Auditor User

Full modify permissions X

Settings — Modify all Settings pages. X X

Authentication — Remote login services (LDAP, RADIUS, Kerberos) X X

Central Manager — Add and remove CMC control X X

Communication — SNMP, syslog, notifications X X

View — View communications X X

Modify — Modify communications X X

Data Enrichment — Data-enrichment server setup; reputation providers X X

View — View data enrichment settings X X

Modify — Modify data enrichment settings X X

Data Retention — Time-based data deletion; summary graph data purge X X

Date/Time — Time zone, NTP X X

View — Read date/time settings X X

Edit — Modify date/time settings X X

Geolocation — Google Earth, MaxMind databases, internal subnets X X

ICDx — View and modify ICDx settings X X

View — View ICDx settings X X

Edit — Modify ICDx settings X X

License — View, install, and download license X X

View — View license information X X

Edit — Modify license information X X

Metadata — Enable and disable reports and indexing attributes. X X

Network — IP address, hostname, DNS, proxy X X

Security — Firewall, access control, session control X X

System X X

CSR — Download the Customer Service Report X X

Reboot X X X

Shut Down X X

Upgrades — Initiate upgrades X X

262


Permission AdminSec. Admin

Auditor User

Users and Groups — View, create, and modify user and group accounts X X

User Names — View user names only X X X

User Records — Create, update, and view user records X X

Web Interface — Session timeouts, referrers, and message of the day X X

Statistics — View statistics pages X X X

Logs — View and download logs X X X

Capture — Perform all capture, playback, and PCAP functions X

Capture Summary — View Capture Summary Graph X X

Capture — Stop and start capture X X

Playback — Stop and start playback X X

Reindexing — Initiate reindexing X X

Capture Statistics — View capture rate and system statistics X X

Filters — Create, modify, and apply capture filters X

Import PCAP — Import PCAP files X X

Import Remote PCAP — From remote servers X X

Import Local PCAP — From local directories and USB drives X

Import PCAP from Browser — Import PCAPs using a browser X X

PCAPs — Download and analyze PCAPs X X

PCAPs without Access Restrictions — Download PCAPs using BPF filter; ignore data-access restrictions

X X

Analyze — Analyze PCAPs X X

Download — Download PCAPs X X

Analyze — All pages under Analyze X X

Summary — View Summary page X X

View — View the Summary page X X

Edit — Modify the Summary page X X

Reports — View, generate, schedule, and modify reports X X

Risk and Visibility Report — Generate the Risk and Visibility report X

View — View reports X X

Modify — Modify reports X X

Scheduled Reports — Create and modify scheduled reports X X

263


Permission AdminSec. Admin

Auditor User

Artifacts — View and download artifacts X X

Download — Download and preview artifacts X X

Metadata — View artifact metadata X X

Geolocation — View the Geolocation page X X

View — View the Geolocation page X X

Edit — Modify the Geolocation page X X

Rules — Create, edit, and delete rules and alerts X X

Current User Only — Create, edit, and delete rules for the logged-in user account; view related alerts

X X

All User Rules — Edit and delete rules from all users; view all alerts X X

Edit Rules — Create, edit, and delete rules for the logged-in user account

X X

Indicators — View, create, and modify indicators X X

View — View indicators X X

Edit — Create, upload, edit, and delete indicators X X

CLI — Restricted-shell access to the CLI via SSH X X

Base Permissions — Read-only commands such as ls, pwd, less X X

Tier 1 Permissions — Networking and file system management, as specified in /etc/sudoers.d

X X

Tier 2 Permissions — File system and admin utilities, process and drive Management, as specified in /etc/sudoers.d

X X

Job Queue — View the Job Queue page, delete jobs and download files X X

View — View the Job Queue page X X

Delete — Delete jobs X X

Download — Download files from the jobs X X

Security Best Practice Assign only Base-level permissions for shell access.

264


Data Access Control

n Use data access control to specify which data types a group can access. All primary filter attributes are valid for this field. (See " Metadata Tables" on page 58.)

n For example, if you specify application_group=web, the users in the group can access only the data that is related to the Web application group. Leave the field blank to grant access to all data types.

Remote-Authentication Users n When remote authentication is enabled (LDAP, Kerberos, RADIUS), users can log on to the appliance without

the admin creating the user on the appliance.

n When a user logs on to the appliance with remote credentials, the user automatically appears on the Settings > Users and Groups page and is placed in the default group.

Create a default user group on Security Analytics with minimal or zero permissions so that when the user logs in to the appliance for the first time, the user will not be able to access sensitive information. After you verify that the user is a legitimate Security Analytics user you can move the user into a group that has suitable permissions.

n Remote users are designated by this icon , whereas local users are designated thus:

n If remote authentication is enabled, you cannot create a local username that is identical to a username on a remote authentication server.

Account Settings

The settings in this menu affect only the logged-in account. To configure general user settings, see "User Accounts and Groups" on page 255 or "Remote Authentication" on page 267.

265


n Account Settings — Change the display name, associated email, and password; set the time prefix and suffix for APIs, and view the account's API key.

n Preferences

o Number of Entries per Page — Select the default number of rows to show in results tables.

o Network Traffic — Select the unit of measurement: bits, bytes, or packets to display on the capture interface boxes.

o Language — Select the display language for the web interface.

o Use Dark Theme — New in Security Analytics 8.1.1 Select to change the UI colors from a light background to a dark background. After clicking Save, refresh the browser.

o Enable Two-Factor Authentication — Select to enable Two-Factor Authentication.

Do not enable 2FA until after you have verified the following; otherwise, you may be locked out of the web interface*:

n The TOTP app is installed on your smart phone and is working.

n The time on the Security Analytics appliance is correct and coordinated with NTP. Because the 2FA token is valid for only 30 seconds, the appliance will reject a token that appears to be outside the validity timespan.

*Use the scm tally command to restore access.





n Risk and Visibility Report— Generate a PDF document that contains summaries of key findings, threat analysis, network visibility, and anomalies for a selected timespan.

n Encoder/Decoder Tool — Convert copied text to and from encoding algorithms such as URL and Base 64.

266


Remote Authentication

Security Best Practices n Because remote-authentication servers may provide stronger password-storage

and password-guessing protections than local user accounts, implement third-party authentication instead of using local accounts.

o Create a default user group with minimal permissions so that remote-authentication users cannot automatically access sensitive information.

n Active Directory and LDAP should have encrypted connections to Security Analytics.

o Security Analytics should initiate authenticated connections with the remote authentication server—not the other way around.

n Encrypt connections to authentication servers with TLS. Security Analytics 7.3.1 and later uses TLS 1.2 only.

LDAP AuthenticationWith the LDAP authentication service, users can log on to the Security Analytics appliance using a username/password combination stored on an external LDAP server. These credentials are valid for both the web interface and the CLI.

Because each network is unique, Symantec cannot make specific recommendations as to how you should integrate LDAP with Security Analytics.

When a user attempts to authenticate via LDAP, the process is as follows:

1. The user logs in via HTTP or SSH.

2. The appliance sends a BIND request containing the BIND DN credentials to the LDAP server.

3. The LDAP server returns success or failure.

4. The appliance sends the LDAP user credentials and search base criteria to the LDAP server.

5. The LDAP server returns success or failure.

6. The appliance allows authentication; if successful, the user is added to the user list in the default user group on the Users and Groups settings page.

267


Create a default user group on Security Analytics with minimal or zero permissions. When an LDAP user logs in to the appliance for the first time, the user will not be able to access sensitive information. If the user is a legitimate Security Analytics user you can move the user into a group that has suitable permissions.

Enable LDAP

1. Select Menu > Settings > Authentication.

2. Select the Enable LDAP Authentication check box. The system will automatically attempt to discover an LDAP server.

3. Decide whether to enable/disable the Use Radius for authentication check box:

n Is RADIUS also enabled? If not, this option is not applicable and will be ignored.

n Disable this option when you want Security Analytics to use LDAP for authentication if RADIUS authentication fails. If LDAP authentication also fails, Security Analytics will attempt to authenticate the user with the local user database.

n Enable this option when you want Security Analytics to only use RADIUS for authentication. If RADIUS authentication fails, the user cannot log in, even if the user is also defined on the LDAP server or the local user database.

4. If the auto-discover is unsuccessful, the LDAP Auto-Discover dialog box is displayed. Do one of two things:

n Click Cancel and manually specify the LDAP settings.

n Supply the BIND domain FQDN and click Save.

o Follow the prompts to provide the LDAP BIND authentication credentials for the domain controller. For an anonymous LDAP BIND, leave these fields blank.

o Click Save. The system discovers the configuration information from Active Directory or LDAP server and populates the Authentication page.

At any time during LDAP configuration, you can click the Test LDAP button to see if the settings are valid

Modify LDAP Server Settings

If there is more than one domain controller on the system, by default the system discovers the primary server configured. You can change the settings to use another domain controller by following these steps:

1. For Server, enter the LDAP server’s hostname or IP address.

2. For Port, enter one of the following:

268


n 636 for secure LDAP

n 389 for LDAP

n 3268 for Active Directory®

3. Select the Encryption Type.

n For SSL/TLS or StartTLS, you should select the Verify Server Certificate check box only if your LDAP server has a certificate from a valid certificate authority.

n If the LDAP server certificates are self-signed, clear the Verify Server Certificate check box.

4. Enter the BIND DN and BIND Password for an account that has rights to search the containers where the LDAP users are located. If your LDAP server does not require an authorized login, you may leave the Authenticated BIND fields blank.

5. Select Enable Credentialed Group BIND if you want to determine group membership by querying LDAP as the logged-in user instead of using the authenticated BIND credentials.

6. Click Save. The appliance will immediately try to connect to the LDAP server.

Limiting LDAP User Searches

To improve LDAP login performance, you can constrain the range of containers to be searched when looking for an LDAP user.

Search Base

The starting container where the LDAP server will begin searching for LDAP users. Only one search base is allowed. Specify using LDIF, e.g., DC=<subdomain>,DC=<domain>.

Scope

How the LDAP server will search within that container.

n base — Queries only the search base but nothing below it

n one — Queries only the first level under the search base but not the search base itself

n sub — Queries the search base and every level under it

Group DN

The group whose members will be added to the default user group on the Security Analytics appliance.

Before you specify the Group DN, you must correctly set the Group Membership Attribute under Schema Configuration. This attribute's syntax varies according to your LDAP implementation. If the attribute is specified incorrectly, the Group DN field will not populate properly.

Examples of the group members that are included in the search parameters are displayed.

269


Warning: When configuring LDAP, do not leave Group DN blank, as all LDAP users in the search scope will be able to authenticate as members of the default user group. Doing so poses a security risk.

Before you specify Group DN, create a default user group on Security Analytics with minimal permissions so that the LDAP users are not accidentally granted more permissions than desired. Later, you can manually assign each user to the desired groups.

Membership in the Security Analytics user group is established when the LDAP user logs in to Security Analytics for the first time. If you change the default user group or the Group DN, the membership of users who have logged in once to Security Analytics will not change.

After you specify a Group DN, you can add other LDAP groups to different Security Analytics user groups such that the LDAP group inherits the permissions of the Security Analytics group. See LDAP Group Inheritance.

Group Name Attribute

Specify the attribute to use for the group name.

Identifying the LDAP Schema Configuration

Because LDAP schema mappings vary between LDAP implementations, you can select an appropriate schema mapping such as InetOrgPerson, Microsoft® Active Directory®, and Microsoft Services for Unix®. Select the LDAP schema that your server uses from the list. Most Open LDAP implementations will work with the InetOrgPerson configuration. If your server’s schema is not in the list, select User Defined and fill out the resulting fields.

Note on Server-Side Changes to LDAP

LDAP server settings are performed with each proprietary LDAP implementation. Depending on the LDAP server being used, schema may need to be extended to allow for certain attributes such as Unix attributes to be added to the user objects themselves. This may require elevated rights to make the necessary modifications to either the LDAP schema or the LDAP users. The attributes that must be present on the LDAP users are uidnumber, gidnumber, and homeDirectory.

Specify a Mapped LDAP Schema

1. Select Menu > Settings > Authentication and scroll down to Schema Configuration.

2. For LDAP Schema select one of the following options:

n InetOrgPerson — Standard LDAP configurations

n Microsoft Active Directory — Microsoft Active Directory configurations

270


n Microsoft Active Directory (RFC 2307) — MS Active Directory configurations compliant with the ITEF RFC 2307 standard

n Microsoft Services for Unix 2.0 — MS Active Directory configurations compliant with the Unix 2.0 standard

n Microsoft Services for Unix 3.5 — MS Active Directory configurations compliant with the Unix 3.5 standard

n RFC 2307 Network Information Service — Network Information Service compliant with the ITEF RFC 2307 standard

n RFC 2307bis Network Information Service — Network Information Service compliant with the ITEF RFC 2307bis standard

n User Defined — All other LDAP configurations. If you select this option, go to "Define a New LDAP Schema" below.

3. Click Save. The appliance will now use these values when searching for LDAP users.

Define a New LDAP Schema

1. Scroll down to the Schema Configuration section.

2. For LDAP Schema, select User Defined.

3. Specify the User Object Class.

4. For Login Name Attribute, type the LDAP distinguished name.

5. For Full Name (GECOS) Attribute, type the full name of the user (or application name, if the account is for a program). You can also append the following (separated by commas):

n Building and room number or contact person

n Office telephone number

n Any other contact information (pager number, fax, etc.)

6. For User Password Attribute, type the account password.

7. Select the Password Change Method:

n Active Directory (ASDI) n Cleartext n Cleartext (remove old password first) n Crypt n IBM® RACF

n MD5 n Novell® NDS n RFC 6032 n RFC 6032 (send old and new

passwords)

8. Specify the User ID Number Attribute and Home Directory Attribute.

9. For User Shell Attribute, type the name of the shell that the user will use to log in.

10. Specify any Shadow Object Class.

271


11. Specify the Group Object Class and Group ID Number Attribute for nested and dynamic groups.

12. For Group Membership Attribute, type the name of the attribute where group membership should be derived. This attribute must match the schema on the LDAP server.

13. Select Distinguished Name or UID for Group Membership Type.

14. Click Save. The appliance will now use these mapping values when searching for LDAP users.

CAC AuthenticationInstead of entering credentials in the Security Analytics login screen, users can insert a Common Access Card (CAC) in a card reader connected to their workstation. Note that the user accounts (names and passwords) must be previously defined on an external LDAP server, and the CAC must be signed with a CA bundle. For more information about configuring Security Analytics for CAC authentication, see "Common Access Card Authentication" on page 276.

Note: Before enabling CAC, make sure to complete steps 1 and 2 in "Configure Security Analytics to Authenticate with a CAC" on page 277.

To enable CAC authentication:


2. Make sure LDAP has been enabled, configured, and tested.

3. Locate the Smart Cards and Certificates section.

4. Select the Use Certificate / Card for Authentication check box.

5. Click Save.

Troubleshooting LDAPFor further assistance, contact Symantec Support.

problem

The system returns the error message: Your LDAP settings were not discoverable. Please enter the BIND Domain FQDN and another attempt will be made.

solution

Verify that the name servers are configured properly. The search base and domain should not be pointing to the wrong domain in /etc/resolv.conf.

problem

The system returns the error message: Your LDAP settings were not discoverable. Please check the username and password. If that still does not fix the problem, cancel this dialog and manually enter your settings.

272


solution

Select Settings >Network and verify that DNS is configured correctly and is pointing to a Windows domain controller. Verify that the username and password are correct for the domain controller.

problem

Security Analytics sends too many login requests to the LDAP server.

solution

In versions 7.3.2 and later, create /etc/ldap_throttle.conf with the following arguments to control the number of milliseconds between sequential LDAP login requests.

./pam_ldap.c:#define THROTTLE_MIN <milliseconds>

./pam_ldap.c:#define THROTTLE_MAX <milliseconds>

When /etc/ldap_throttle.conf does not exist, the system performs no throttling.

Kerberos AuthenticationIf Kerberos® is implemented on your network, you can provide single sign-on (SSO) access to the Security Analytics appliance.

Kerberos SSO and Active Directory authentication via an LDAP group DN are mutually exclusive. If Kerberos is enabled, anyone in the domain can authenticate to the Security Analytics appliance successfully. If you specify a group DN in the Searches section, Kerberos authentication will be automatically disabled.

LDAP Server Setup

Install and configure the Active Directory or LDAP server. Consult the LDAP vendor's documentation for instructions.

Create a default user group on Security Analytics with minimal or zero permissions. When a Kerberos user logs in to the appliance for the first time, the user will not be able to access sensitive information. If the user is a legitimate Security Analytics user you can move the user into a group that has suitable permissions.

Security Analytics Setup

1. Select Menu > Settings > Date/Time and select the Use Network Time Protocol (NTP) check box.

2. For Primary NTP, type the FQDN of the LDAP server and click Save.

3. Select Settings > Network. Make a note of the Hostname.

273


4. On all of the DNS servers that are listed in the Domain Name Servers section, add forward and reverse lookup entries for the Security Analytics appliance hostname: <ip_address> = <hostname>

5. Follow the steps in "Enable LDAP" on page 268 to configure LDAP authentication.

6. For Group DN, verify that nothing is selected.

7. Select the Enable Kerberos check box. The Domain Controller, Realm, and Domain fields should be auto-populated with the LDAP configuration settings

8. Specify the Username and Password to bind the appliance to the Kerberos domain.

9. Click Save.

Single Sign-On Setup

For every device that is to authenticate to the Security Analytics appliance using single sign-on, perform these steps:

1. Verify that the device is in the same Kerberos domain as the Security Analytics appliance.

2. The FQDN of the Security Analytics appliance must be specified as a trusted site, according to browser settings:

n For Firefox®, go to the about:config page and modify the network.negotiate-auth.trusted-uris setting to include the FQDN of the appliance.

n For Internet Explorer, go to Internet Options > Local Intranet, and add the FQDN of the Security Analytics appliance as a local intranet site. (If you are using the Windows short name, you do not need to perform this step.)

3. Configure the browser to negotiate with Kerberos instead of NTLM (NT LAN Manager).

4. Users must navigate to the domain name of the Security Analytics appliance instead of its IP address. This domain name can be the Windows short name or the FQDN. (The FQDN is recommended, because that is the name in the certificate for HTTPS management.)

RADIUS AuthenticationYou can configure Security Analytics to accept RADIUS authentication.

Create a default user group on Security Analytics with minimal or zero permissions. When a Kerberos user logs in to the appliance for the first time, the user will not be able to access sensitive information. If the user is a legitimate Security Analytics user you can move the user into a group that has suitable permissions.

Also see "Using RADIUS and LDAP in Parallel on Security Analytics " on page 278.


2. Select the Enable RADIUS Authentication check box.

274


3. Fill in the fields as follows:

n Server — IP address or hostname of the RADIUS server. In Security Analytics 8.1.1 you may use IPv6 addresses.

n Port — Port number (default: 1812)

n Shared Secret — Passphrase

n Timeout (Seconds) — Number of seconds before an idle RADIUS session times out

4. Click Save.

Two-Factor AuthenticationTwo-factor authentication (2FA) requires a token in addition to the username and password to access the web interface. The authentication token is created by a TOTP-compatible mobile app such as Symantec VIP or Google Authenticator®.

Do not enable 2FA until after you have verified the following; otherwise, you may be locked out of the web interface*:

n The TOTP app is installed on your smart phone and is working.

n The time on the Security Analytics appliance is correct and coordinated with NTP. Because the 2FA token is valid for only 30 seconds, the appliance will reject a token that appears to be outside the validity timespan.

*Use the scm tally command to restore access.

1. Download the TOTP app and follow the instructions to install the application on your smart phone.

2. On the web interface, select [Account Name] > Preferences.

3. Select the Two-Factor Authenticationcheck box.

4. Enter the secret key to the TOTP app in one of two ways:

n Scan the QR code.

n Type the case-sensitive secret key into the space provided.

5. Click Save. 2FA is now enabled for this user account.

2FA is enabled per user account, not per appliance; therefore, some user accounts on the same appliance can require 2FA to log in while others do not.

275


2FA Logins

When logging in to the web interface with a 2FA-enabled account, follow these steps:

1. Type the username and password as usual and click Log In.

2. A second login prompt is displayed. Type the authentication token as provided by the TOTP app and click Log In.

The authentication token changes about every 30 seconds, so you must consult the TOTP app for each login instance.

Common Access Card AuthenticationNew in Security Analytics 8.1.1

Certificates and private keys can be stored in multiple locations. On the client, one such location is a Common Access Card (CAC). However, a smart card or reader is not required for SSL mutual authentication, you can install the certificates on your browser and into Security Analytics's truststore.

The following example describes an SSL mutual authentication transaction using a CAC that has been signed with a CA bundle.

1. The user accesses Security Analytics by entering its IP address in a supported browser. Instead of entering credentials in the Security Analytics login screen, the user inserts a CAC into a reader connected to the workstation.

2. Security Analytics presents its certificate to the browser.

276


3. The browser validates the appliance certificate. This includes the following checks:

n The certificate subject must match the appliance’s hostname.

n The certificate must be issued by a CA listed in the browser’s Trusted Root Certificate store.

4. The browser confirms that the appliance has the certificate's private key by challenging the appliance to sign random data. The browser validates the signature using the appliance's certificate.

5. If appliance authentication succeeds, the browser accesses the client certificate and private key on the CAC. It then presents the certificate to the appliance.

6. The appliance validates the certificate that the browser presents. This includes the following checks:

n The certificate must be issued by a CA included in Security Analytics's truststore.

n The appliance confirms that the browser has the certificate's private key by challenging the browser to sign random data. The appliance validates the signature using the browser’s certificate.

n The certificate must have a valid signature and not be expired.

7. If authentication succeeds, the appliance grants access to the user.

Configure Security Analytics to Authenticate with a CACFollow these steps to configure Security Analytics to authenticate LDAP users with a Common Access Card.

Note: The user accounts (names and passwords) must be previously defined on an external LDAP server.

Step 1: Configure LDAP Authentication

With the LDAP authentication service, users can log on to the Security Analytics appliance using a username/password combination stored on an external LDAP server. Instead of users manually logging in to Security Analytics with these LDAP credentials, they can use a CA-signed CAC onto which the LDAP user information is stored.

Thus, the first step in CAC configuration is to configure Security Analytics to use LDAP authentication. See "LDAP Authentication" on page 267.

Step 2: Configure Client Certificate

Configure the following client certificate settings:

n Require a client certificate to be submitted to the browser when users access the Security Analytics web interface.

n Upload the certificate that validates client certificates. Configure your Client Certificate Authority Bundle with the CA bundle that signed your smart card.

277


n Decide whether to use Online Certificate Status Protocol (OCSP) to determine whether the certificate has been revoked.

See "Additional Certificate Requirements" on page 295 for details.

Step 3: Enable CAC

The final configuration step is to tell Security Analytics to use the CAC for authentication. Select the Use Certificate / Card for Authentication check box in the LDAP settings. See "CAC Authentication" on page 272 for more information.

Step 4: Log in with CAC

At the Security Analytics login screen, instead of entering your credentials, insert your smart card into a reader connected to your workstation.

Using RADIUS and LDAP in Parallel on Security Analytics New in Security Analytics 8.1.1

Note: A new feature was added in SA 8.1.1 that changes the behavior of authentication when RADIUS and LDAP are both enabled.

Behavior in SA 8.1.1When both RADIUS and LDAP are configured on a Security Analytics appliance, RADIUS is used for credential authentication and LDAP is used for authorization (permissions) of users. A new option, introduced in SA 8.1.1 and 8.0.4, controls how Security Analytics proceeds in case RADIUS authentication fails.

n If the Use Radius for authentication option is disabled, Security Analytics will attempt to use LDAP for authentication if RADIUS authentication fails. If LDAP authentication also fails, Security Analytics will attempt to authenticate the user with the local user database.

n If the Use Radius for authentication option is enabled, only RADIUS is used for authentication. If RADIUS authentication fails, the user cannot log in, even if the user is also defined on the LDAP server or the local user database.

Behavior in SA 8.0-8.3When both RADIUS and LDAP are configured on a Security Analytics appliance:

1. RADIUS authentication is usually tried first.

n If the user account is defined only on the RADIUS server, the login fails.

n RADIUS user accounts must also be defined elsewhere, either in the local user database or on the LDAP server.

2. If RADIUS rejects the account credentials, Security Analytics will attempt LDAP authentication.

278


Functionality and ProcessIn Security Analytics:

n RADIUS serves one purpose — Authentication, which addresses the question: "Is this username/password tuple valid?"

n LDAP serves two purposes — Authentication and Authorization, which addresses the question: "May this user access the resource?"

n The local user database serves three purposes — Authentication, Authorization, and Accounting, as it records user activity in the log.

Logging in to Security Analytics has a different workflow depending on where the user-account information is defined:

n When a username/password tuple is defined only on the RADIUS server, the user will not be allowed to log in to a RADIUS-configured Security Analytics appliance, even if the correct username and password are given, because RADIUS does not serve the Authorization function. For a RADIUS-defined user to access an appliance, a corresponding user account must also be defined in a system that provides Authorization—the Security Analytics local user database or the LDAP server.

n When a user account is defined only on the LDAP server, the user can to log in even when no local user account has been defined on Security Analytics, because an LDAP user account provides both the Authentication and Authorization functions.

When both RADIUS and LDAP are configured on a Security Analytics appliance, user login attempts may trigger several transactions to both LDAP and RADIUS servers, because Security Analytics needs to resolve both the Authorization and Authentication questions.

Typically, one might first see Authorization-related queries to the LDAP server followed by Authentication-related queries to the RADIUS server, so the question of which authentication protocol is tried first has different answers depending on whether Security Analytics needs Authentication or Authorization information.

LDAP Group InheritanceSymantec Security Analytics supports the inheritance of local Security Analytics group membership based on user groups that are stored in a remote LDAP server.

example

These two LDAP users are members of three LDAP groups, as follows:

n bilbo (adventurer, hobbit)

n ggrey (adventurer, wizard)

In this example, members of the adventurer group will be added to the default user group (user) but only members of the wizard group will inherit admin privileges.

279


Step 1: Verify the LDAP Schema

Group memberships on the LDAP server must be stored as full distinguished names (DNs), not only as user names, because the pam_ldap module on Security Analytics forms a query filter based on the DN.

Step 2: Map the Group Membership Attribute

Depending on your schema you may need to manually specify the group membership attribute. This attribute is required for all group-membership lookups.

280


Step 3: Set the Group DN

To enable group permission inheritance, you must specify the Group DN.Each LDAP user in that group will be added to the default Security Analytics user group when the user logs in for the first time. Users who are not in that group cannot log in to Security Analytics.

281


Warning: When configuring LDAP, do not leave Group DN blank, as all LDAP users in the search scope will be able to authenticate as members of the default user group. Doing so poses a security risk.

Before you specify Group DN, create a default user group on Security Analytics with minimal permissions so that the LDAP users are not accidentally granted more permissions than desired. Later, you can manually assign each user to the desired groups.

Membership in the Security Analytics user group is established when the LDAP user logs in to Security Analytics for the first time. If you change the default user group or the Group DN, the membership of users who have logged in once to Security Analytics will not change.

Step 4: Configure Inheritance

Select Menu > Settings > Users and Groups > Groups. Edit the admin group and specify wizards for LDAP Groups. Members of wizards will inherit admin privileges the next time they log in to Security Analytics.

282


An LDAP user who is a member of wizards — but is not in the group specified by Group DN — cannot log in.

283


Step 5: Verify Group Inheritance

On Menu > Settings > Users and Groups > Users, you can see the users who have logged in to Security Analytics at least once. Both user entries show membership in the default group; however, ggrey does not show membership in admin.

On the Groups tab, you can see that the wizards LDAP group has admin privileges, but individual users in wizards are not listed in the admin group. If desired, you could manually remove ggrey from user so that ggrey has only admin permissions.

Remote AccessControl how users and other network devices connect to and interact with the appliance.

Firewall

Menu > Settings > Security

284


Security Best Practice If you are not using the FTP File Mover, delete the firewall rules that permit ftp-data

through port 20.

n Enable Firewall — Select to enable and view the firewall.

n Configure Firewall — Click to modify the firewall.

o The icmpDROP rules in both the IPv4 and IPv6 firewalls apply to ICMP types 13, 14, and 128. Click

Information to see the string for each rule. These types of rules cannot be edited nor can they be added via the web UI, because the web UI currently does not support all of the needed attributes. Symantec recommends that you not delete these rules.

o The default ACCEPT rule before the last default DROP rule specifies ESTABLISHED,RELATED in the State field to allow incoming traffic on the connections that Security Analytics initiated.

o When enabling and configuring many Security Analytics features, a firewall rule is added automatically; for example, when enabling syslog,

To add a new rule follow these steps:

1. Click New Rule.

All values are case-sensitive.

2. For Interface enter the interface name: bond0, tun+, and lo are some of the acceptable values. Leave blank for ANY.

3. For Protocol, enter the protocol in lower-case: udp, tcp, icmp, ssh. Leave blank for ANY.

4. For Source Address and Port, enter the IP address, IPv4 network in CIDR notation, or MAC address. Leave blank for ANY.

5. For Destination Address and Port, enter the IP address, IPv4 network in CIDR notation, or MAC address. Leave blank for ANY.

6. Optional — For State, specify one of the following connection states: NEW, ESTABLISHED, RELATED, INVALID.

7. For Policy, specify the action to take: ACCEPT, DROP, QUEUE, RETURN, or other valid iptables policy.

8. Optional — For Comment, add a comment in printable, ASCII characters.

9. Click OK. The rule is displayed at the bottom of the list.

10. Optional — Click and drag the rule to its desired position.

285


The word Modified in the upper-right corner of the interface indicates that neither the new rule nor the rule order have been saved.

11. Optional — Click Revert Changes to return to the last-saved version of the firewall or click Restore Defaults to return to the factory-installed rule set.

12. When you are satisfied with the rule set, scroll to the bottom of the page and click Save.

Web Access


These settings affect how users access the appliance via the web interface.

Security Best Practices n Set the Maximum Login Attempts to no more than 3.

n Set the Unsuccessful Login Timeout to at least 1200 seconds.

You can also use the scm tally commands in the CLI for some of these settings. (See scm tally in the Security Analytics 8.1.x Reference Guide on support.symantec.com.)

n Maximum Login Attempts — Specify the number of login failures before an account is disabled. Default: 3

n Unsuccessful Login Timeout (Seconds) — Specify the number of seconds that elapse before a disabled account is automatically enabled. To prevent accounts from being automatically enabled, enter 0 (zero) or leave the field blank. Default: 1200

n Maximum Concurrent Sessions — Specify the number of sessions that can access the appliance at the same time. Default: 10

n Require HTTPS — Select to require that users access the appliance via HTTPS.

o When an account is disabled by failed login attempts, you can re-enable it in one of these ways:

l Wait for the interval in Unsuccessful Login Timeout to expire.

l Access the user account on Settings > Users and Groups and clear the Account Disabled check box.

l With root access on the CLI, run scm tally.

286



o Users are not notified that their accounts have been disabled by unsuccessful login attempts.

o The root account for the CLI is not disabled after reaching the maximum number of unsuccessful logins.

Web Access Ports

Security Best Practice n To prevent malicious access on ports that aren’t being used, disable unused

ports.

n Disable port 80 by deleting its entry in the firewall tables, as Security Analytics automatically redirects all inbound HTTP requests to HTTPS.

n See "Security Analytics Ports and Protocols" on page 298 in the Security Analytics 8.1.x Administration and Central Manager Guide on techdocs.broadcom.com.

n HTTP Port — Type an integer for the new HTTP port number.

n HTTPS Port — Type an integer for the new HTTPS port number.

BEFORE you change any web-access port number, you must add a corresponding rule to the firewall. If you are locked out, you must edit /etc/sysconfig/httpd and run systemctl restart httpd to regain access to the web UI.

All CMCs and their sensors must use the same port number for HTTPS.

Click Restore Defaults to reset as follows:

n Maximum Login Attempts — 3

n Unsuccessful Login Timeout — 1200

n Maximum Concurrent Sessions — 10

n Require HTTPS — Enabled

n HTTP Port — 80

n HTTPS Port — 443

287



SSH Access


Security Best Practice n Disable root access via SSH.

n If you disable SSH root logins, be sure to review log files for root logins and activity.

n Allow SSH Access — Select to permit access to this appliance via SSH.

n SSH Port — Type an integer for the new SSH port number.

n Restore Defaults — Click to restore the SSH port to 22.

n The timeout value for the web interface also controls the SSH/console timeout .

Also see "SSH Authentication" on page 302 and "Disable SSH Root Logins" on page 301.

Ping (ICMP)


Security Best Practice n Do not enable ping response except to test a deployment.

n Enable "ignore broadcast requests."

n Respond to Pings (ICMP) — Select to permit this appliance to respond to ICMP (ping) requests on the management interface (bond0).

Because the capture interfaces do not have an IP stack, they cannot be assigned an IP address and therefore cannot be pinged.

To enable "ignore broadcast requests" follow these steps:

288


1. Log in to the console as root.

2. Run these commands:

[root@hostname ~]# /sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1[root@hostname ~]# /sbin/sysctl -w net.ipv4.route.flush=1[root@hostname ~]# /bin/ed /etc/sysctl.conf << END g/^net\.ipv4\.icmp_echo_ignore_broadcasts.*=/d \$a net.ipv4.icmp_echo_ignore_broadcasts = 1 .wq [root@hostname ~]# END

Web Interface Settings

Menu > Settings > Web Interface

Inactivity Timeout

n Maximum time of inactivity before logout — Select the desired interval. The timeout value for the current browser session is updated immediately. The timeout value for other active browser sessions will not be updated until the page is changed or refreshed.

Security Best Practice Set the inactivity timeout to 10 minutes or less.

HTML Preview

n Enable External HTML Elements Preview — Select to permit the Web page preview function to retrieve external images, style sheets, and scripts from the Internet. When this feature is disabled, you can view only images and CSSs that are already written to the capture drive.

Anonymous Usage Tracking

n Enable Anonymous Usage Tracking — Select to permit your appliance to send the following data to Symantec :

o Randomly unique identifier that is not tied to any known information

o Public IP address of the appliance

o Country and city of the appliance

o Version, build, and model number

o User ID

o Browser type and version

o Time in use

o Pages accessed and actions taken

o Time to generate reports and extractions

o Query attributes used (not values)

o Widgets in use

o Number of indicators, rules, PCAPs, replays, filters

289


Message of the Day

Add custom text to the system login screen and the CLI.

n Message of the Day — Type the text in the space available:

o Limit of 5000 characters (including formatting).

o The only supported HTML tags are B and U.

Allowed Referrers

n Allowed Referrers — Type the hostname or IP address of a host that is allowed to link back to this appliance.

PasswordsThe passwords to access features on a Symantec Security Analytics appliance are as follows:

n "Local Users" on page 256

n "MD5-Encrypted Password for Bootloader" on page 303

n "SNMP Settings" on page 309

n "Remote Authentication" on page 267

n "Account Settings" on page 265

n "Email Alerts" on page 308

n Root

n "Two-Factor Authentication" on page 275

n "Syslog Settings" on page 311

Security Best Practices n Do not modify password complexity settings except to increase password length.

n Specify different passwords for each user when setting up local user accounts.

n Require that user passwords be regularly changed, using "password aging." 90 days should be the maximum age.

n Notify users 7 days before their passwords expire.

Password-Complexity RulesThe password-complexity rules affect the local and remote users (including the admin account) and root (SSH). To alter the password-complexity rules, follow these steps:

1. Select Menu > Settings > Security and scroll down to Password.

2. Adjust the Length as desired.

3. Select or clear the check boxes to require digits (numerals), other characters (non-alphanumeric), or upper-case letters.

4. Click Restore Defaults to reset as follows:

290


n Length — 14

n Require Digits — Enabled

n Require Other Characters — Enabled

n Require Uppercase — Enabled

n Require Lowercase — Enabled

Set Notification Interval for Password Expiry 1. Log in to the console as root.

2. Run this command to alert users 7 days before their passwords expire:

[root@hostname ~]# sed -i "s/^PASS_WARN_AGE.*/PASS_WARN_AGE 7/" /etc/login.defs

SSL Certificates and KeysYou may install a certificate for Symantec Security Analytics or require that browsers have a certificate to access the web interface. A self-signed certificate and key are automatically included on the appliance with a new Security Analytics installation.

n Security Analytics 7.3.x and later uses TLS 1.2 only.

n Only HIGH ciphers are enabled by default, for both the web server and clients: HIGH:!MEDIUM:!LOW:!EXP:!3DES:!MD5:!aNULL:!eNULL:!NULL:@STRENGTH

n The following HIGH ciphers are available:

o ECDHE-RSAC-AES-256-GCM-SHA384

o ECDHE-RSA-AES-256-CBC-SHA384

o DHE-RSA-AES-256-GCM-SHA384

o DHE-RSA-AES-256-CBC-SHA256

o RSA-AES-256-GCM-SHA384

o RSA-AES-256-CBC-SHA256

o ECDHE-RSA-AES-128-GCM-SHA256

o ECDHE-RSA-AES-128-CBC-SHA256

o DHE-RSA-AES-128-GCM-SHA256

o DHE-RSA-AES-128-CBC-SHA256

o RSA-AES-128-GCM-SHA256

o RSA-AES-128-CBC-SHA256

n In Security Analytics 7.1.x and earlier, self-signed certificates used the SHA-1 algorithm and 1024-bit keys. A new installation of Security Analytics 8.1.3 comes with SHA-512 and 4096-bit keys.

n Upgrading to version 8.1.3 from 7.1.x or earlier does not overwrite the existing certificate or key. Change the supported client ciphers by editing /etc/environment and rebooting.

291


Security Best Practices n Create a certificate to secure bond0 using a 2048-bit or stronger RSA keypair and

SHA-256 or stronger encryption algorithm.

n Get a certificate that is signed by a trusted CA.

n Use SSL/TLS certificates.

Install a New Certificate and KeyFollow these steps to replace the existing certificate and key on Security Analytics.

All certificates must be PEM-formatted.

Step 1: Back Up the Current Certificate and Key

Before installing new certificates and keys, Symantec strongly recommends that you create a backup copy of the current certificate and key:

mkdir backup cp /etc/pki/tls/private/localhost.key backup cp /etc/pki/tls/certs/localhost.crt backup

Step 2: Obtain a New Certificate and Key

Use one of these methods to generate the certificate-signing request and its key:

n Using the web UI

n Using the CLI

Step 2a: Using the Web UI

Generate a certificate-signing request from the web UI.

1. On Menu > Settings > Security scroll down to the bottom of the PKI and SSL section.

2. Fill in these fields:

n Country Name — Two-letter country designator (ISO-3166-1 Alpha-2)

n State or Province Name — Spelled-out name of state or province

n Locality Name — City or town

n Organization Name — Company name

292

https://www.iso.org/obp/ui#search


n Organizational Unit Name — Division or department

n Common Name — Domain name (CN) of the server

n Email Address — Contact email address

3. Click Download Certificate-Signing Request to save localhost.csr to your workstation. The corresponding key should remain on the appliance.

4. Send localhost.csr to a valid Certificate Authority. When the signed certificate is returned, go to Step 3.

Step 2b: Using the CLI

These commands generate a new key, certificate, and certificate-signing request (CSR; not to be confused with the CSR) on the appliance that will be using the certificate, but they do not overwrite the appliance's current certificate and key.

1. Generate the new key:

openssl genrsa -out newKey.key [4096|2048]

2. Generate a certificate-signing request with that key:openssl req -new -sha[512|256] -key newKey.key -out newCsr.csr

You will be prompted to provide the following information for the distinguished name (DN):

n Two-letter country code

n State or province name

n Locality (city) name

n Organization name

n Organizational unit name

n Your or your server's name (Common Name [CN])

n Email address

3. Generate a temporary self-signed certificate to use until you get the CA-signed certificate: openssl req -x509 -sha[512|256] -days 365 -key newKey.key -in newCsr.csr -out newCert.crt

4. Copy the new key and temporary certificate to the proper locations: /etc/pki/tls/private/localhost.key /etc/pki/tls/certs/localhost.crt

5. Restart the web server to use the new certificate:systemctl restart httpd

6. Export newCsr.csr to your workstation and send it to a CA to be signed.

Because of the security risk, Symantec strongly warns against copying a key off the device that will be using the key and its certificate.

293


Enable theSSL Issuer report on Settings > Metadata > Encryption and create an indicator with All Valid Root CAs favorite.json ( in the in the Security Analytics 8.1.3 WebGuide on support.symantec.com), which contains most valid root CAs.

Step 3: Install the CA-Signed Certificate

Use one of these methods to install the certificate:

n Using the Web UI

n Using the CLI

Step 3a: Using the Web UI

1. Select Menu > Settings > Security and scroll down to PKI and SSL.

2. The temporary self-signed certificate for the appliance is displayed along with the key that you used to generate both the self-signed certificate and the CSR.

localhost.localdomain and localhost.key are always the names of the certificate and key that are currently installed.

3. Click edit for Appliance Certificate to upload the CA-signed certificate.

4. Click Save to apply the changes and restart the web server.

5. Go to "Additional Certificate Requirements" on the next page.

Step 3b: Using the CLI

Follow these steps to install the certificate from the Security Analytics root directory.

If you use this method to install the certificate, you bypass audit and record-keeping controls — which might be in violation of your organization's security policy.

294



1. Copy the CA-signed certificate to the root directory.

2. Overwrite the current certificate with the new certificate:

mv certificate.crt /etc/pki/tls/certs/localhost.crt

3. Restart the web server:

systemctl restart httpd

If you upload a key or certificate using the web UI and click Save, the internal HTTP server always restarts. If the key and certificate do not match, the web UI displays an error message; however, if you attempt to restart the HTTP server manually before both the key and its corresponding certificate have been installed, the web server will not restart.

Additional Certificate RequirementsAs required by your organization's security policy, implement the following security measures that are available on Settings > Security > PKI and SSL.

Require that Browsers Present a Certificate to the Appliance

If you want to require a valid client certificate to be presented when a user tries to access the Security Analytics web interface, you enable the Require Client Certificate to Access Web Interface check box and configure the other options in the Client PKI Settings section. This is required when configuring Security Analytics for authentication via a Common Access Card (CAC). See "Common Access Card Authentication" on page 276 for more information.

When you enable this feature, all web browsers that do not have a valid certificate from the Issuing Authority — including your workstation browser — will be prevented from accessing the web interface.

1. Select the Require Client Certificate to Access Web Interface check box. Several additional fields are displayed.

2. Upload the certificate that validates client certificates to Client Certificate Authority Bundle.

3. Decide whether to use Online Certificate Status Protocol (OCSP) to determine whether the certificate has been revoked. For OCSP for Client Revocation, choose one of the following:

Off — Don't do an OCSP revocation check.

On — Do an OCSP revocation check with the URL contained within the client certificate.

Override — Do an OCSP revocation check with the URL provided in the OCSP Responder URL field.

295


Troubleshooting

If there is a problem with the certificates, you will not be able to log in through the browser. If you want to undo the requirement that a valid certificate be presented to Security Analytics in order for the requester to receive the authentication page, you can make the following changes.

Note: You will need root access to the console to perform these steps.

$> vim /etc/sysconfig/httpd

Change:

export SSL_VERIFY_REQUIRE="SSLVerifyClient require"

to:

export SSL_VERIFY_REQUIRE="" $> service httpd restart

Certificate Revocation Checks for Symantec and Security Analytics Services

Menu > Settings > Security > PKI and SSL > Perform certificate revocation check for Symantec

The certificate-revocation check is disabled by default in version 7.3.1 and later. Specify the URL for the certificate revocation list in the space provided. Security Analytics retrieves updates on the 1st and 16th of every month at 23:00. The services that are affected by this option are:

n Symantec Web Reputation Service

n Symantec File Reputation Service

n Syslog over TLS or TLS-FIPS

Require Client Certificate for Login Correlation

Do the following:

1. If you have deployed the Login Correlation Service, select the Require Client Certificate for Login Correlation Service check box. (See "Login Correlation" on page 222.) Additional fields are displayed.


Authenticate to an Internet Proxy

If your appliance connects to the Internet via an authenticated proxy, and the proxy has a certificate handshake for SSL traffic, add the additional CA certificate bundle using any of these methods:

296


Using the Web Interface

1. Select Menu > Settings > Security and go to the PKI and SSL section.

2. For Additional Certificate Authority Bundle, click Browse to upload the certificate.

3. Click Save to restart the web server.

Using the CLI

1. Copy the bundle to /etc/pki/ca-trust/source/anchors/ and then run

update-ca-trust

2. Reboot to apply changes.

Certificates Between CMCs and SensorsIf you have a CMC environment, you may set up one of the following scenarios:

n All sensors (clients) present a certificate to the CMCs (servers).

n All CMCs (clients) present a certificate to the sensors (servers).

n Both the CMCs and the sensors present certificates to each other. (Perform both server and client steps on all appliances.)

Server Role

On the appliance that requires the certificate (server role), do the following:

1. Select Require Client Certificate to Access Web Interface. Additional fields are displayed.

When you enable this feature, all web browsers that do not have a valid certificate from the Issuing Authority — including your workstation browser — will be prevented from accessing the web interface.



Client Role

1. On the appliance that is required to present a certificate (client role), do one of the following:

n Select the Use Appliance Certificate as Client Certificate check box to use the appliance certificate for the client role. This option is valid only if the appliance certificate can function in both server and

297


client roles.

When you select the Use Appliance Certificate as Client Certificate check box and click Save, the web interface will be refreshed and the check box will be cleared. The client table will display the Common Name and Fingerprint information from the appliance.

n Under Upload Separate Client Certificate and Key, do the following:

2. Click edit for Client Certificate to upload the PEM-formatted client certificate.

3. Click edit for Client Certificate Key to upload the certificate's key.


Security Analytics Ports and ProtocolsConsult this table to configure your firewalls, according to the services that you have activated on your Symantec Security Analytics appliance. Configure the Security Analytics firewall on Settings > Security.

Also see:

n Required Ports, Protocols, and Services for Symantec Enterprise Security Products

n "Data Enrichment Resources in Dark Sites" on page 191

During the licensing and license-update procedures, the appliance communicates with license.soleranetworks.com over TCP 443. (See "Licensing" on page 318.)

Inbound Connections to Security AnalyticsService URL/IP Ports Comment

Central Management VPN

bond0 of CMC TCP/UDP 1194 or as specified

All sensors must be able to access the CMC's bond0 over port 1194.

298

https://techdocs.broadcom.com/content/dam/broadcom/techdocs/symantec-security-software/web-and-network-security/common/ports_reference.pdf


Service URL/IP Ports Comment

FTP File Mover [as needed] TCP/UDP 20TCP/UDP 21

Use port 21 for active mode. If you are not using FTP File Mover, you should delete the internal firewall rules that permit ftp-data through port 20.

HTTP [none] TCP/UDP 80 All HTTP requests are automatically redirected to HTTPS. Symantec recommends that you delete the internal firewall rules that permit http through port 80.

HTTPS 1 [none] TCP/UDP 443 Change the default on Settings > Security. All CMCs and their sensors must use the same HTTPS port.

SSH 1 [none] TCP 22 The port can be changed on Settings > Security.

AWS Traffic Mirroring via VXLAN Tunnel

[none] UDP 4789 Used in AWS deployments for secure transmission of capture data.

1 Service is always used by Security Analytics.

Outbound Connections from Security AnalyticsService URL/IP Ports Comment

Active Directory® [none] TCP/UDP 3268

For LDAP authentication

Endpoint Detection and Response (ATP) Manager 3

[as needed] TCP 443

Central Management VPN

bond0 of CMC TCP/UDP 1194 or as specified

All sensors must be able to access the CMC's bond0 over port 1194.

ClamAV® 1 *.clamav.net TCP 80 Requires only HTTP access to update the signature database. Analysis is performed locally on the appliance.

Cuckoo 3 [as needed] TCP/UDP 8090

DeepSight 1,3 sso.trm.symantec.com TCP 443

DNS 2 [as needed] TCP/UDP 53

Domain Age Reporter 1,4

[same as WHOIS] [same as WHOIS]

The WHOIS settings also permit Domain Age Reporter traffic.

File Reputation Service 1,3

*.es.bluecoat.com185.2.196.2048.28.16.233199.116.169.204103.246.38.204

TCP 8443 The URL for the File Reputation Service will usually be frs.es.bluecoat.com; Symantec recommends that you create a rule for all of the listed IP addresses.

Future Engineering Services resources will also be provided from the *.es.bluecoat.com domain.

299



FireEye® 3 [as needed] [as needed] AX-series is supported.

Google Safe Browsing®

sb-ssl.google.com TCP 443 Uses Internet connection from workstation.

Google® Search google.com TCP 443 Uses Internet connection from workstation.

HTTP 2 [none] TCP/UDP 80 Change the default on Settings > Security.

HTTPS 2 [none] TCP/UDP 443 Change the default on Settings > Security. All CMCs and their sensors must use the same HTTPS port.

Intelligence Services 1,3

— — See File Reputation Service and Web Reputation Service

ICAP 3 [as needed] TCP 1344 (plaintext)

Security Analytics does not support port 11344 for Content Analysis integration.

ICDx [as needed] TCP 5672

Lastline® 1,3 analysis.lastline.com TCP 443

LDAP authentication [none] TCP/UDP 389

Live-feed indicators rules.emergingthreats.net:80mirror1.malwaredomains.com:80*.abuse.ch:443 isc.sans.edu:443

TCP/UDP 80TCP 443


[none] TCP 8843 This port is used to communicate between the LCS and the agent's UI application. The Security Analytics firewall has a rule to accept this traffic.

Malware Analysis 3 [as needed] TCP/UDP 80, 443

MATI deepsightapi.symantec.com/v1 TCP 443

NTP [as needed] UDP 123

OCSP requests ocsp.entrust.net TCP 80 Various Security Analytics services use OCSP for certificate-chain validation.

RADIUS [as needed] UDP 1812, 1813

RobTex® 1 robtex.com TCP 80 Uses Internet connection from workstation.

SANS ISC® 1 isc.sans.edu TCP 443 Host and IP queries are transmitted over SSL.

SEP [SEP Manager hostname/IP] TCP 8446

SMTP [as needed] TCP 25

300



SNMP [as needed] TCP 161 (polling)TCP/UDP 162 (trap)

SORBS DNSBL® 1 dnsbl.sorbs.net UDP 53

Splunk Phantom [as needed] TCP 443

syslog [as needed] UDP 514

ThreatExplorer1,3 threatexplorer.symantec.com TCP 443 Service must be enabled on Settings > Data Enrichment.

VirusTotal® 1,3 www.virustotal.com TCP 443

Web Reputation Service 1,3

sp.cwfservice.net TCP 443

Web Reputation Service local database updates 1,3

list.bluecoat.com TCP 443 Used by the Web Reputation Service and ADM

WHOIS 1,4 [as needed] TCP 43 The WHOIS lookup service will query different WHOIS servers based on the registry associated with the top-level domain of the target. Consult this authoritative list of WHOIS servers.

1 Service requires internet access.2 Service is always used by Security Analytics.3 Licensing for this service is the responsibility of the user.4 Service cannot be used behind a proxy.

Disable SSH Root Logins

Security Best Practice n Disable root access via SSH.

n If you disable SSH root logins, be sure to review log files for root logins and activity.

This procedure disables root access over SSH connections but preserves root access via console.

1. Edit the sshd_config file:

[root@hostname ~]# vi /etc/ssh/sshd_config

301

http://www.iana.org/domains/root/db/

http://www.iana.org/domains/root/db/


2. Uncomment the line #PermitRootLogin yes and set the value to no:

PermitRootLogin no

3. Save and exit sshd_config.

4. Restart the SSH daemon to apply the changes:

[root@hostname ~]# systemctl restart sshd

To disable the root account entirely, append /settings/initial_config to the appliance's IP address or hostname in the address bar of the browser. Under Root Password, select Lock Root Account.

Warning: You cannot re-enable the root account unless you have console access to the appliance, and then you will have to contact Symantec Support for assistance.

SSH AuthenticationAlso see "Disable SSH Root Logins" on the previous page and "SSH Access" on page 288.

Security Analytics does not support versions of PuTTY earlier than 0.67.

To set up SSH public-key authentication between a Security Analytics appliance and a client, follow these steps:

1. Generate the SSH key on the client.

2. As root or admin, create the .ssh directory on the Security Analytics appliance. Note the leading dot in the directory name.

mkdir .ssh

3. Open the authorized_keys file for editing. You cannot cd into this directory; you must directly open the file in an editor.

vi .ssh/authorized_keys

4. Paste the public key from the client.

5. Save and exit the file.

Using ssh-copy-id to modify .ssh/authorized_keys is not supported.

Generate an SSH Key for Data Enrichment ProvidersFollow these instructions to set up SSH authentication between the data-enrichment ("tonic") user on the Security Analytics appliance and a remote server, such as the SCP File Mover integration provider, and all external providers

302


while in FIPS mode.

1. Log on to the Security Analytics appliance as the superuser (root).

2. Create the SSH key directory for the tonic user:

[root@hostname ~] mkdir -p ~tonic/.ssh

3. Create an SSH key in the directory. When prompted for a passphrase, press Enter twice. (Do not create a passphrase.)

[root@hostname ~] cd ~tonic/.ssh [root@hostname .ssh] ssh-keygen -t rsa -f id_rsa

4. You do not need to save the fingerprint or randomart image. Verify that id_rsa and id_rsa.pub were created.

[root@hostname .ssh] ll

5. Establish correct ownership and permissions for the key directory and files. Note the leading dot on the directory name.

[root@hostname .ssh] cd .. [root@hostname tonic] chmod 700 .ssh [root@hostname tonic] chown -R tonic:tonic .ssh

6. As the tonic user, copy the public key from the appliance to the remote user account that will be receiving artifacts. If the remote system runs Linux, use this command:

[root@hostname tonic] sudo -u tonic ssh-copy-id -i ~tonic/.ssh/id_rsa.pub <remote_user>@<remote_host>

7. Verify that the remote host key file (known_hosts) was created in tonic's SSH directory:

[root@hostname tonic] ls ~tonic/.ssh

8. Verify the key setup by attempting a manual file transfer as the tonic user; for example:

[root@hostname tonic] echo "test" > /tmp/test [root@hostname tonic] chmod a+r /tmp/test [root@hostname tonic] sudo -u tonic scp -B /tmp/test <remote_user>@<remote_host>:<remote_dir>

MD5-Encrypted Password for BootloaderThis page applies only to Dell-based hardware and virtual machines.

Security Best Practice Password-protect the bootloader.

1. Use the grub2-setpassword utility:

[root@hostname ~]# grub2-setpassword

303


Enter password: <grub_password>Confirm password: <grub_password>

Follow best key-maintenance practices by manually recording this password and keeping a copy in a secure location that is separate from the appliance.

2. When attempting to edit the grub menu the credentials are root and the grub password. Do not use the root system password here.

Enter Username:rootEnter Password:<grub_password>

Federal Information Processing StandardsOn 7 Feb 2017, Symantec Security Analytics 7.2.3 completed FIPS 140-2 Level 2 Functional Testing on Symantec S500 hardware. You can view the FIPS 140-2 Non-Proprietary Security Policy document at https://www.symantec.com/docs/DOC11425.

Entering FIPS Mode

Entering FIPS mode is a destructive process. Many services such as remote notification will have to be reconfigured.

Prior to entering FIPS mode, verify that your appliance's system clock is accurate and that NTP is enabled.

To enter FIPS mode:

1. Go to Menu > Settings > Security and scroll to the bottom of the page.

2. Select Toggle FIPS mode and click Save. The appliance reboots.

3. During this reboot, the appliance undergoes the following changes:

n All configuration files are archived.

n All TLS and SSH keys are zeroized and reset.

304

https://www.symantec.com/docs/DOC11425


n User passwords are reset to the default (Solera).

n Enhanced random number generator requirements increase the boot time by about 1 minute.

If any FIPS-mode conversions are not successful, the appliance will halt in an error state; no input or output is permitted, and the process of entering FIPS mode will be reversed.

4. While in FIPS mode the following conditions are true:

n Because all TLS keys were zeroized and reset, all certificates, keys and certificate authority bundles must be re-uploaded to the appliance.

n All remote-notification methods require mutual authentication.

n Booting directly from a USB is disabled.

n Unauthorized or unvalidated algorithms such as MD5 cannot be used.

n The root account is disabled. (Many functions have been transferred to the admin account.)

n RPM and YUM are disabled.

n System software cannot be upgraded.

Exiting FIPS Mode

Exiting FIPS mode is a destructive process. Many services such as remote notification will have to be reconfigured.

To exit FIPS mode:

1. Go to Menu > Settings > Security and scroll to the bottom of the page.

2. Clear Toggle FIPS mode and click Save. The appliance reboots.

3. During this reboot, the appliance undergoes the following changes:

n All configuration files are archived.

n All TLS and SSH keys are zeroized and reset.

n User passwords are reset to the default (Solera).

305


System MaintenanceLogging and Communication 306

Job Queue and System Alerts 314

Software Upgrades 315

Upgrading from a TAR File 317

Licensing 318

Network Settings 319

System Date and Time 320

Statistics 321

Drive-Space Management 324

Reboot or Shut Down 328

Troubleshooting 329

Logging and CommunicationSymantec Security Analytics communication consists of logging, alerts, SNMP, and "Remote Notifications" on page 245.

Security Best Practice For highest security when sending the audit log data, make sure to use the following

settings when configuring the servers on Menu > Settings > Communication > Server Settings:

n Email—Enable Use STARTTLS. This setting upgrades an insecure connection to a secure connection using SSL or TLS. It does not encrypt the email content.

n SNMP—Select the Enable Authentication check box for Inform and/or Trap servers to enable SNMPv3.

n Syslog—Send encrypted syslog messages over TLS or TLS-FIPS.

LoggingFor each event, the logs record the date and time of the event as well as the priority and the category.

306


You can also use the dslogdump command in the CLI for these settings. (More information in the Security Analytics 8.1.x Reference Guide on support.symantec.com.)

Audit Log

Menu > Settings > Audit Log

n Click Download Log to download the audit log as comma-delimited file.

Security Best Practice To securely download the CSV log file, verify that you are logged into the web UI over

HTTPS.

n Use the advanced filter to search the logs by priority, category, or event.

To specify which event categories to display in the audit log, go to Settings > Communication > Advanced and select the Local check box for the category.

307



Event Categories

n Alert Events — Alerts cleared

n Anomaly Events — Anomaly detected (See "Anomaly Notification Format" on page 105.)

n Capture Events — Stop or start capture; add, modify, or remove capture filters; PCAP import started and stopped; mount points added, modified, or deleted; interfaces aggregated or separated

n Enrichment Events — Modifications on the Settings > Data Enrichment page, such as providers activated or deactivated; providers added, modified, or deleted; manual Web Reputation Service updates and settings changes, IP or hostname exclusion lists, file-type filter modifications

n Hardware Events — Power supply status, chassis fan status, disk status

n Indexing Events — Reindexing and reprocessing jobs created, stopped, or completed

n Indicator Events — Indicators created, modified, or deleted

n Miscellaneous — Modifications to the Settings > Security, Settings > System, Settings > Communication, and Settings > Central Management pages

n Playback Events — Playback started or stopped

n Report Events — Reports created, stopped, viewed, or deleted; extractions created, stopped, or viewed; Capture > Summary page viewed, scheduled reports created, modified, or deleted; communication templates created, modified, or deleted; PDF or CSV report generated or downloaded; report PCAP downloaded

n Rule Events — Rules activated, created, modified, or deleted

n System Events — Insufficient disk space, program segfaults, changes to Settings > Date/Time and Settings > Network pages, Malware Analysis appliance health

n Unclassified — Currently no messages

n User Events — Users and user groups created, modified, or deleted; user login success or failure, user logout

System Logs

From the CLI, you can access two additional logs:

n /var/log/audit/audit.log — User-initiated events written by auditd

n /var/log/messages — System events from all components

Email Alerts

You can also use the dslc command in the CLI for many of these settings. (More information in the Security Analytics 8.1.x Reference Guide on support.symantec.com.)

Security Analytics can send email alerts to any standard email address, either directly or through an SMTP server gateway. Configuring the email settings will automatically send outbound emails for log entries to one or more email addresses. You can specify any email address you prefer in the From field.

308



Security Analytics uses the sendmail application and must therefore have Internet access to send a message to an external email address. You can also configure the appliance to point to an internal SMTP server; however, that SMTP server must be set up to relay email from the Security Analytics appliance.

1. Select Menu > Settings > Communication > Server Settings.

2. For To, type at least one valid email address. Separate multiple email addresses with a comma.

3. For From, type the email address to be displayed in the From field. This field is required if you plan to run scheduled reports or the Risk and Visibility Report. (See "Scheduled Reports" on page 143 and "Risk and Visibility Report " on page 140.)

4. For SMTP Server and SMTP Port, type the server IP address or hostname and its port number.

5. Does the SMTP server require authentication?

Yes — For Username and Password, type the credentials for SMTP server access.

No — Select the No authentication required check box.

6. Select the Use STARTTLS check box if the SMTP server requires it.

7. For Default Email Address, type the email address that will be used whenever no email address is specified for an Alert. (See "Alert Rule" on page 233.)

8. Click the Advanced tab.

9. Under Remote Notifications, select the Email check box for the desired event categories and click Save.

SNMP Settings


Security Best Practice Enable SNMPv3 to prevent non-authorized users from monitoring the appliance.

309



By default, the appliance will respond to incoming public queries from external SNMP devices. Security Analytics can be configured to send SNMP traps and inform messages to external SNMP servers. SNMP traps are error messages that do not require acknowledgment of receipt; SNMP informs require that the receiving server send back an acknowledgment.

n You can specify the same server to receive both trap and inform messages.

n Security Analytics supports only SHA for authentication and AES for privacy.

Any special character — including a space — that is entered in these SNMP fields will be converted to an underscore (_). The exception is the @ character, which will be left as-is.

1. Select Menu > Settings > Communication > Server Settings and scroll down to SNMP Settings.

2. Under Polling, configure these settings:

n Optional — Select Enable Polling.

n Enter the read-only community name in the space provided, or accept the default (public).

n Enter the read-only username in the space provided, or accept the default (public).

o New in Security Analytics 8.1.1 Add a second read-only username.

n Optional — Select Enable Authentication.

o Specify the authentication and privacy-encryption passwords.

o New in Security Analytics 8.1.1 Add a second authentication and privacy-encryption password.

3. Under Trap, configure these settings:

n Specify the name for the trap community.

n Specify the inform and trap server settings.

n Optional — Select Enable Authentication for a server.

o Specify the read-only username and the authentication and privacy-encryption passwords.

4. Optional — Select Enable Authtrap.

5. Click Save.


7. Under Remote Notifications, enable the SNMP check box for the desired event categories and click Save.

310


Syslog SettingsSyslog records information about the operation of a computer or computer-related device. Syslog messages can be sent to an external syslog server.


1. Select Menu > Settings > Communication > Server Settings and scroll down to Syslog Settings.

2. Optional — If multiple syslog messages are issued simultaneously, select the Enable Coalescing check box to group the messages before they are sent. This setting applies to all syslog servers.

3. For Syslog facility, select one of the following:

Kernel User Mail Daemon Auth syslog LPR

News UUCP Cron AuthPriv FTP Local Use 0–7

4. For Syslog Servers, type the hostname or IP address and port number.

5. Select one of four protocols to use for syslog:

n TCP

n UDP

n TLS

n TLS-FIPS

Syslog uses the certificate-revocation list that is configured on Settings > Security > PKI and SSL. Security Analytics updates the list on the 1st and 16th of every month at 23:00.

6. Click add a new host for multiple syslog servers to use the same facility.

To set up a many-to-many relationship among syslog servers and facilities, use dslc add syslog server <server> <port> <protocol> <facility>. Each server entry will be visible on the web interface but the facility that is associated with each entry will not be visible at this time. Run dslc show syslog to see the facilities that are associated with each server. (More information in the Security Analytics 8.1.x Reference Guide on support.symantec.com.)

7. Click Save.

311





9. Under Remote Notifications, enable the Remote Syslog check box for the desired event categories and click Save.

Splunk PhantomIf you have deployed a Splunk Phantom® (formerly: Phantom Cyber) server you can send it flow metadata when traffic matches a rule.

1. Select Menu > Settings > Communication > Server Settings and scroll down to Splunk Phantom Settings.

2. Input the Server hostname and its API Key.

3. Go to "Remote Notifications" on page 245 for instructions on setting up the remote notification in a rule. You can see the output that is sent to the Splunk Phantom server under "Default Template Output" on page 246.

Communication Settings

Import Settings

Use the dslc import command in the CLI for these same settings. (More information in the Security Analytics 8.1.x Reference Guide on support.symantec.com.)

Select an existing communication configuration file and apply those settings to your Security Analytics appliance.

Importing settings is valid only for transferring configurations between the same models of hardware; for example, from one Dell R730xd to another Dell R730xd.

1. Select Menu > Settings > Communication > Advanced.

2. Under Import/Export Communication Settings, click Browse.

3. Locate and select a settings file, e.g., logging_config.dat, and click Open.

4. The New Settings File box shows the path to the selected file.

5. Click Import Communication Settings.

Your existing settings will immediately be overwritten, and — unless you had previously exported them — will not be recoverable.

312



Export Settings

You can export your current communication settings to view them or to import to an identical hardware model of appliance.

Do not modify the text file in an attempt to modify the settings.


2. Under Import/Export Communication Settings, click Export Settings. This saves your settings file as logging_config.dat.

Export Log Entries

Click Download to save the log as a CSV file.

Security Best Practice To securely download the CSV log file, verify that you are logged into the web UI over

HTTPS.

MIB FilesSecurity Analytics supports remote logging via SNMP and syslog. To use SNMP logging, you must export the MIB and install it on your SNMP system.

Do not modify the MIB text in an attempt to modify the settings.


2. Under Download SNMP MIB click Download MIB to save mibfiles.zip in your local downloads directory. This archive contains these files:

n SOLERA-AGENT-MIB.mib

n SOLERA-SMI-MIB.mib

313


Resetting System Logs

Once the log files have been cleared, the information that was in them cannot be recovered.


2. Under Reset Log, click Clear Log Entries. This deletes all audit log entries.

Use the dslc factory command in the CLI to restore the logging system to its default settings. (More information in the Security Analytics 8.1.x Reference Guide on support.symantec.com.)

Job Queue and System AlertsIn the upper-right corner of the web UI you can see the job queue and the system alerts.

Job Queue

n Click the job-queue icon to see various jobs that have been queued. These jobs will be available in the job queue:

o Risk and Visibility Report

o PDF reports

o Offline PCAP downloads

n After you download the PDF or PCAP, the item is no longer available in the job queue.

n Use the "Advanced Filters" on page 113 to narrow your search of jobs. See "Job Queue" on page 120 for a list of filter terms.

System Alerts

View system alerts (also called "notifications") by clicking the alert icon .

314



Click a notification to go to the corresponding audit-log message. Once you click-through to the message, the notification should be cleared.

File-System NotificationsNotifications are generated when these file systems reach 80% of capacity: / (root)

/home/apache

/tmp

/ds

/var

See "Drive-Space Management" on page 324 for instructions on clearing disk space.

System-Critical NotificationsWhen the file systems are nearly full or when other system-critical conditions occur a prominent alert is displayed along the top of the web UI. To clear such an alert, you must contact Symantec Support.

Software UpgradesTo upgrade Symantec Security Analytics, you must have a link to an upgrade server, and then you must download the new image from the upgrade server, initiate the upgrade, and reboot.

Also see "Upgrading from a TAR File" on page 317.

Prior to upgrading, remove all USB drives from the Security Analytics appliance.

315


Add an Upgrade ServerDuring the licensing procedure for the appliance, the upgrade server upgrade.soleranetworks.com should have been added to the Upgrade Servers list. If there is no entry in the Upgrade Servers list, follow these steps to add the upgrade server manually.

1. Select Menu > Settings > Upgrade. The Upgrade Servers page is displayed.

2. Click New. The Add Upgrade Server dialog box is displayed.

3. For Protocol, select https.

n When you select https you can also enable the Validate SSL/TLS Certificate check box. The certificate validation takes place as follows:

n upgrade.soleranetworks.com — If the Perform certificate revocation check for Symantec check box is enabled on Settings > Security > PKI and SSL, the server's certificate is validated against the appliance's local Certificate Authority bundle, and an OCSP verification is performed for all issuing authorities. If the Perform certificate revocation check for Symantec check box is disabled, the OCSP verification is not performed.

n Custom upgrade server over HTTPS — The remote certificate is validated against the appliance's local Certificate Authority bundle. (There is no OCSP or CRL check.)

n Custom upgrade server over HTTP — No certificate validation is performed; however, the upgrade file is encrypted with a private key, so the file can be decrypted only with the appliance's public key.

4. To add the upgrade server, follow these steps:

n For Host, type upgrade.soleranetworks.com

n For Path, type /upgrades/

n Under Login Information, type the credentials to access the upgrade server. The username and password are your license key.

5. To add a different upgrade server, specify the hostname and file path for the manifest.xml file on that server. Add login credentials, as necessary.

6. Click Save. The server is added to the list of available upgrade servers.

316


Upgrade Security Analytics

1. Select Menu > Settings > Upgrade. The Upgrade Servers page is displayed.

2. Recommended — Click Upgrade Precheck to see disk usage. You should have about 8 GB of disk space available on /home.

n Manage Extractions — Click to go to the Extraction Status page, where you can select which extractions to delete.

n Delete Extractions — Click to immediately delete all extractions, both saved and in cache.

3. For the desired upgrade server, click Upgrade from Server .

4. Select the upgrade version and click Download Upgrade.

5. When the download is complete, click Initiate Upgrade. The new image is downloaded, verified, and unpacked.

6. When prompted click Reboot. The system restarts, and the new image is installed.

The system will continue to operate normally until you click Reboot. During the reboot/upgrade, all capture and logging are suspended. The upgrade may take as long as 30 to 45 minutes, depending on your configuration. When the upgrade is complete, the system will automatically resume capture and logging.

7. When you log in again, verify that you are using the upgraded version by placing your cursor over the Symantec logo.

Upgrading from a TAR FileFollow these instructions to upgrade a Security Analytics appliance from the CLI, using a TAR file. This method is the

equivalent of upgrading the appliance on Menu > Settings > Upgrade in the web UI.

1. Obtain the TAR from Symantec Support or upgrade.soleranetworks.com/upgrades. The username and password are your license key.

2. On the appliance go to the /ds/upgrade directory and delete any files that are there.

3. Verify that the directory /home/apache/tmp/upgrade_iso.d exists and that it is empty. If it does not exist, create it.

4. Transfer the TAR to /home using SCP or the equivalent.

5. In /home run the upgrade script.

/etc/utils/verify-reboot-upgrade.sh atpsa-8.1.3-99999-x86_64-DVD.tar

317

https://upgrade.soleranetworks.com/upgrades


6. When the script has successfully run, /home/apache/tmp/upgrade_iso.d should be empty, and you should see the following files and directory in /ds/upgrade:

/imagesatpsa-8.1.3-99999-x86_64-DVD.isoks.cfgmetapocrypha.patchmonit.state

7. Reboot.

LicensingDuring initial configuration, you are presented with the license dialog, where you must install a license before you can continue. (See "Install the License" on page 18.) To update or change a license, follow these steps:

1. Contact Symantec Support to purchase the renewal or upgrade. You will use your original license key for this procedure.

To see your serial number, select Settings > About. To see your license key, select Settings > Upgrade. The characters up until the bang (!) are your license key.

2. Select About and then click License Details.

3. Does your appliance have access to the Internet (license.soleranetworks.com; port 443)?

318


Yes — Under Retrieve License, input the License Key and click Send Request.

n If applicable, select the desired license type.

n The appliance sends the license key and the license seed file to the license server, which generates the appropriate license file (license.tgz) and returns it to the appliance, which automatically reboots.

No — Click Download DS Seed to download the seed file (dsseed.tgz) to your workstation.

n On a workstation that has Internet access, go to license.soleranetworks.com.

n Type your license key, upload dsseed.tgz, and click Update.

n If applicable, select the desired license type and click Update.

n Save the license file (license.tgz) to your workstation.

n Return to the License Details dialog.

n Click Browse and select license.tgz.

n The license is uploaded and the appliance automatically reboots.

Network Settings

Menu > Settings > Network

n Fully Qualified Hostname — The name typed here is displayed as part of the prompt when anyone logs in to the command line on this appliance. Failure to use an FQDN here will cause the system name to appear as "localhost" in log messages as well as cause other unexpected behaviors.

o To specify multiple hostnames for this appliance select Settings > Web Interface and add the names under Allowed Hostnames.

n Use DHCP — If you select this check box, it is recommended that you use the DHCP reservation feature of your DHCP server to statically map the MAC address of the management interface to an IP address. DHCP is not supported for multiple management interfaces.

n Use Multiple Management Interfaces — Select this check box and then select the check box for one other physical interface that you want to bind to the management interface, bond0. By default eth0 is bound to bond0. Any other interface that you select as a management interface will be unavailable for capture.

n IP Address, Netmask, Default Gateway — Enter these values in dotted-decimal format.

n IPv6 Address — Input the appliance's address.

n IPv6 Secondaries — Separate each address with a single space.

319

https://license.soleranetworks.com/


n IPv6 Dynamic Address and IPv6 Dynamic Secondaries — Automatically assigned by the IPv6 system.

n HTTP Proxy — If your appliance accesses the Internet through a proxy, type the IP address of the proxy in the following format: <IP>:<port>

o If your appliance accesses the Internet through an authenticated proxy, edit /etc/environment as follows:

http_proxy="http://<username>:<password>@<IPv4>:<port>"https_proxy="http://<username>:<password>@<IPv4>:<port>"

or

http_proxy="https://<username>:<password>@[<IPv6>]:<port>" https_proxy="https://<username>:<password>@[<IPv6>]:<port>"

Also see "Authenticate to an Internet Proxy" on page 296.

n No Proxy — Enter a comma-delimited list of IP addresses or domains that will not use the HTTP proxy to access the Internet: .maa.ourdomain.com,192.168.2.55, 2508:34ed:af:2d1::3d33

The value hostname is always present in the No Proxy field, even though it is not visible.

n Secondary Network Address — Specify the IP information for the failover interface for bond0. Only IPv4 addresses are supported in this section.

n Primary DNS, Secondary DNS, Tertiary DNS — Specify up to three DNS servers. If you intend to add this appliance to your domain name service, or if you will be specifying hostnames for other devices in this appliance's settings, then you must specify at least one DNS server.

n When you change the hostname, HTTP proxy settings (including No Proxy), or time zone, the appliance will automatically reboot.

n When you change the IP address you may need to wait for ~10 seconds before attempting to connect to the new IP address.

System Date and TimeTime is an important parameter for PCAP file generation, playback, and certificates; therefore, it is recommended that you use NTP to synchronize time between the management workstation and the appliance whenever possible.

1. Select Menu > Settings > Date/Time.

2. For Date, type the date as MM/DD/YYYY.

3. For Time, type the time as hh:ii:ss.

320


4. For Time Zone, select the appropriate time zone for your location.

You must manually input the time and date even if you intend to enable NTP.

5. Optional — Select the Use Network Time Protocol (NTP) check box. You may use the default NTP servers or specify others.

6. Optional — To enable NTP encryption:

n For each NTP server:

o Select the Use Autokey check box to enable encryption.

o Click Browse to upload the group key that was generated by the NTP server. When the key has been accepted, the Current Group field will be populated with the following: ntpkey_iff_[<ntp_server_name>|<IP>]

n Optional — Type the Group Key Password if a password was generated for the group key. This password must be the same for all of the servers' group keys.

n Select the Generate NTP Host Keys check box to generate a certificate and a host key for the appliance. These files will expire after one year.

n When you change the name of an NTP server, you must upload a new group key.

n When you change the hostname of the appliance on the Network Settings page, you must generate new NTP host keys.

7. Click Save. If you changed the time zone, the appliance will automatically reboot.

Statistics

Network SystemThe Network System page displays network interface statistics for SymantecSecurity Analytics. Select a specific network interface to view the statistics for that interface. Select Automatically Refresh Statistics to continuously update the displayed information.

Some of the "total" statistics will be reset after an upgrade or a reboot.

321


Statistic Description

Current Packets Captured per Second

The number of packets per second currently being captured. This is a snapshot statistic.

Current Packets Filtered per Second

The number of packets per second currently being filtered. This is a snapshot statistic.

Current Bytes Captured per Second

The current number of bytes per second currently being captured. This is a snapshot statistic.

Max Packets Captured per Second

The maximum number of packets received in a second.

Max Packets Filtered per Second

The maximum number of packets filtered in a second.

Max Bytes Captured per Second

The maximum number of bytes received in a second.

Total Packets Captured The total number of packets captured. Depending on the storage size, these packets may have already been overwritten.

Total Bytes Captured The total number of bytes captured. Depending on the storage size, these packets may have already been overwritten.

Total Packets Filtered The total number of filtered packets matching the filter.

Total Bytes Filtered The total number of bytes recorded from the filtered packets received.

Slot Allocation Misses The number of packets dropped due to no available memory slots.

Space Map Errors The number of packets dropped due to no available allocation for network interface.

DSR Read Misses The Disk Space Record was not found.

Active Slot The memory slot currently receiving packets.

Address of Active Slot The memory address of the active slot.

Packets Captured in Active Slot

The number of packets stored in the current memory slot.

Ring Buffers in Active Slot The total number of ring buffers (on the network capture card) used to capture packets.

Bytes Captured in Active Slot The total number of bytes stored in the active memory slot.

Metadata in Active Slot (Bytes) The total metadata bytes in the active memory slot.

Size on DiskThe Size on Disk page displays a pie chart that depicts the total bytes of storage used by capture operations on each Ethernet interface. This data is a representation of disk space used to store the data and not necessarily the exact amount of data stored. For example, a pie slice showing 25 GB may be a combination of 23 GB of actual payload data and 2 GB of overhead. Place the cursor over a segment of the graphic to see how large the segment is.

322


Storage SystemThe Storage System page displays a list of storage device statistics. Select Automatically Refresh Statistics to continuously update the displayed information.

Disk Space Record ID


Disk Space Type The identified purpose of the storage.

Disk Space Active Identifies if the storage space is in use.

Disk Space Date/Time Time stamp of the disk space creation.

Member Count The number of logical storage devices.

Disk ID The kernel reported drive type (e.g., 20 = SATA).

Partition ID The name of the logical disk partition.

Slot Size (bytes) The number of bytes allocated for each slot.

Total Slots The total number of memory slots available for storage.

Cluster Size (bytes) The cluster size in bytes.

Total Clusters The total number of clusters available for storage.

Total 4K Blocks The total number of 4K blocks available for storage.

Disk Record Blocks The total number of disk record blocks.

Logical Data Area Start The start address for the logical data area.

Start of Slot Data The start address of slot data.

Space Table Size (bytes) The total size of the space table, in bytes.

Recycle Count The number of times the capture drive has filled to capacity.

Active Slot Chains

For each interface, the Storage System page shows the following data:


Start Cluster Address of the start cluster

End Cluster Address of the end cluster

Start Time Start time and date

End Time End time and date

Slot Count Number of slots occupied

Elements Number of elements

Size (bytes) Bytes in the chain

Active Slot Active slot number

323



Active Slot Address

Address of active slot

Packets Number of packets in the chain

Ring Buffers Number of ring buffers

Total Bytes Total bytes in the chain

Total Metadata Bytes

Total bytes that contain metadata

Total CapturedThe Total Captured page displays a pie chart that depicts the total bytes captured by each Ethernet interface. Place your cursor over a segment to display the actual amount captured by that interface.

Total FilteredThe Total Bytes page displays a pie chart depicts the total bytes for each filtered interface. Place your cursor over a segment to display the amount of filtered data captured by that interface.

Drive-Space ManagementThis page describes how Symantec Security Analytics organizes data so that you can delete the appropriate data sets if you need to free up space for new data.

Capture and Index DrivesThe data on both the capture and index drives is automatically overwritten according to the method described in "Data Overwriting" on page 370. To purge all data from the capture and index drives, run dszap from the command line.

You cannot retrieve data that you erase with the dszap command. Go to dszap to see exactly which types of data are deleted.

System DriveSecurity Analytics saves the following data on the system drive, so the data is not affected by the overwrite cycles on the capture and index drives:

n Indicators and rules†

n Logs

n Capture summary graph data

n Real-time extractions

n Capture filters†

n Statistics

n Saved extractions†

n Packet analysis data

324


†Save operation initiated by user

Delete Controls for Data Types

Some data is deleted with a special button; other data is deleted through settings and other controls. This table shows how to delete each data type.

Data Type UI CLI

Indicators Analyze > Indicators > n/a

Rules Analyze > Rules > n/a

Saved Reports Analyze > Report Status > List >

About > Data-Retention Settings

Included in dszap deletion

Saved Extractions Analyze > Extraction Status >


Included in dszap deletion

Audit Logs Settings > Communication > Advanced > Clear Log Entries

dslogdump --clear

Statistics n/a dsstats --reset

Packet Analyzer n/a rm -fr /home/apache/hammerhead

Captured Packets and Metadata

n/a dszap

Capture Summary Drive Data


>

Delete ALL Capture Summary Data

325


You cannot retrieve data that you erase with the dszap command.

Home Drive

Select Menu > Analyze > Extraction Status. The text at the top of the page indicates how much space is available on the home drive.

You can also select Menu > Settings > Upgrade and click the Upgrade Precheck button to see the same information.

The following data types are stored on the home drive.

n Saved extractions

n PCAPs to be downloaded n Packet analysis data§

§ Data from the last 10 invocations of the packet analyzer are automatically stored.

You can delete data from the home drive in the following ways:

n On Menu > Analyze > Extraction Status, delete one or more entries. (Non-saved entries are deleted after six hours.)

n On Menu > Analyze > Report Status, delete one or more entries. (Non-saved entries are deleted after one hour.)

n On Menu > Settings > Upgrade > Upgrade Precheck, click Manage Extractions to select which extractions to delete or click Delete Extractions to immediately delete all extractions.

n On About > Data-Retention Settings, enable time-based data deletion.

Time-Based Data DeletionYou can specify the amount of time that the system retains your data before automatically deleting it.

1. Select About > Data-Retention Settings.

2. Select the Enable Time-Based Data Deletion check box.

326


3. For Delete data older than, specify the number of days and hours to keep capture and metadata before deletion.

4. Optional — Select Delete Saved Reports and Artifacts.

5. Click Save.

Data-retention rules do not affect captured packets or indexed metadata; instead, the saved reports and artifacts that are derived from them are deleted.

If you have time-based data deletion enabled for saved reports and extractions, then the following behaviors may occur:

1 A saved item that straddles the deletion time will display the data that is still present but not the data that has been deleted.

327


2 A saved extraction with a start and end time that is after deletion will continue to appear in the Saved Extractions list but with Time Deletion in the Status column. When you attempt to view the saved extraction, you will be prompted to delete the item from the list.

3 A saved item that is being viewed during the deletion operation will be visible until the data is deleted. A message will then be displayed to inform the user that the data has been deleted.

Reboot or Shut Down

Never power off a Symantec Security Analytics appliance manually.

From the Web Interface

1. Select Menu > Settings > System.


n Under Reboot Appliance, click Reboot.

n Under Shut Down Appliance, click Shut Down. The appliance immediately shuts down. You must have physical access to the appliance to reboot it.

3. If you are unsuccessful and you have physical access to the appliance, press Ctrl+Alt+Delete on the console keyboard to initiate a clean system restart, then power down the appliance using the power button on the appliance — after the system POST (power-on self-test) but before system begins to boot.

From the CLI 1. Open an SSH session and navigate to the management interface's IP address.

2. Log in using an account with administrator or root privileges.

3. Type the command shutdown -r and press Enter. The appliance will shut down and then reboot itself. You should then be able to log in normally.

328


Using the IPMI Interface 1. Connect to the IP address of the IPMI port from a web browser.

If Security Analytics is installed on a Dell® server, consult Dell iDRAC user documentation to obtain this same functionality.

2. Click Remote Control.

3. Click the Remote Control tab and then click Launch Console to open a hardware-level console connection to the appliance. (Java® software is required for this operation.)

4. To remotely power on, power down, or reset the appliance, click the Power Control button and select the desired option.

Selecting any of the following IPMI menu options — Power Off Server – Immediate, Reset Server, or Power Cycle Server — will not perform a graceful shutdown of the appliance. Select one of these options only if you are unable to power down the appliance using the interfaces (web or CLI).

TroubleshootingUse these resources to address any problems that may arise.

Search the Knowledge Base n https://support.broadcom.com/home-search-

results.html?segment=SE&prodName=Security%20Analytics&cFacet=knowledge_base&q=*

Contact SupportYour serial number is visible in About.

329

https://support.broadcom.com/home-search-results.html?segment=SE&prodName=Security%20Analytics&cFacet=knowledge_base&q=*

https://support.broadcom.com/home-search-results.html?segment=SE&prodName=Security%20Analytics&cFacet=knowledge_base&q=*


Note: Symantec support is now handled through the Broadcom support ecosystem. For more information on that change, refer to this article: https://www.broadcom.com/support/symantec/getting-started.

n How to contact support, open tickets, and search the Broadcom Knowledgebase: https://knowledge.broadcom.com/external/article?articleId=163980.

n Broadcom support portal: https://support.broadcom.com/security

n Security Analytics Documentation: https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/web-and-network-security/security-analytics/8-1.html

n Documentation Feedback: [email protected]

Submit a Support CaseFor many problems you should download the customer service report (CSR) and attach it to your case. The CSR contains multiple log files and other diagnostic output.

1. Select Menu > Settings > System.

2. Click Download CSR and save csr-report-<x>.tar.bz2 to your desktop. It will take several minutes to generate the file. Alternatively, run csr.sh.

3. Log in to https://support.broadcom.com/security.

4. Select Case Management.

5. Follow the prompts to create a case. Attach the CSR to the case.

Consult Help Topics n "Troubleshooting LDAP" on page 272

o "Using RADIUS and LDAP in Parallel on Security Analytics " on page 278

n "Troubleshooting Symantec Intelligence Services" on page 195

n Troubleshooting the Virtual Appliance Installation

n "Populating the Reports" on page 379

n Tap Placement and Capture Optimization Best Practices

n "FRS Prefilter Process" on page 392

n "Data Enrichment Process" on page 389

330

https://www.broadcom.com/support/symantec/getting-started

https://knowledge.broadcom.com/external/article?articleId=163980




mailto:[email protected]



Introduction to the Central Manager Console

Security Best Practice n Update the CMC VPN key to a 2048-bit RSA keypair. If you are upgrading to

version 7.3.x or later from version 7.1.x or earlier, you must recreate the CMC VPN; all new connections between 7.3.x or later CMCs and their sensors use a 2048-bit RSA keypair.

n Provide a password when downloading the authorization key.

(missing or bad snippet)

The Symantec Security Analytics CMC is a dedicated appliance that is licensed as a CMC. With the CMC, you can manage multiple sensors (formerly "managed appliances") and analyze data from the sensors. Specifically, the CMC provides:

n An aggregated view of data across multiple sensors

n An interface for sensor management

n Centralized sensor software upgrades

This illustration shows one possible configuration: three sensors being managed by one CMC. Notice that all connections between the sensors and the CMC are conducted over VPN connections. The browser for the CMC’s web interface uses an HTTPS connection.

Each link between a sensor and the CMC has its own VPN connection.

331


n Because each of these connections is a separate tunnel, no sensor can "see" or communicate with another sensor through the VPN.

n The VPN can cross network boundaries.

n CMC-to-sensor traffic that is captured by Security Analytics is classified as udp > openvpn or tcp > openvpn in the Tunneling application group.

CMC Initial SettingsFollow these steps when installing a new CMC.

1. Complete the steps to configure a standalone appliance. configure a standalone appliance.

Before you create the VPN network, verify that the system timethe system time for the CMC is correct. Symantec recommends that you enable NTP on all CMCs and their sensors.

2. The Central Management Settings page should be the next display on the CMC interface, after the Initial

Settings page. If you are not on this page, select Menu > Settings > Central Management > Settings.

3. Select TCP or UDP as the VPN connection protocol.

4. Select IPV4 or IPV6 for Network Type. The IPV6 option is available only if the CMC has an IPv6 address for bond0, the management interface. You cannot set up both IPv4 and IPv6 subnets on the same CMC; for a mixed environment, Symantec recommends an IPv4 network.

5. Specify the following:

n IPv4 Network

o Subnet — Specify the IP addresses to be used for the VPN connections between the sensors and the CMC. The default is 10.8.0.0/16. This subnet must be different from any other subnet on your network.

o Netmask — Specify the netmask for the VPN subnet. The address space should be large enough to provide four IP addresses for each sensor that the CMC controls.

o Port — Specify the port for the VPN connection on the sensors: Default is 1194. It is strongly recommended that you not use ports 22, 80, or 443, because they are reserved for other applications and protocols.

n IPv6 Network

o IPv6 Unique Local Addresses — Specify a subnet for the Unique Local IPv6 Addresses (ULAs). This non-routable address should be unique on your network. Symantec recommends

332

https://tools.ietf.org/html/rfc4193


that you not change the default (fdf9:568f:54b9::/64) unless it conflicts with the ULA for another CMC.

o Port — Specify the port for the VPN connection on the sensors: Default is 1194. It is strongly recommended that you not use ports 22, 80, or 443, because they are reserved for other applications and protocols.

n If you have more than one CMC on your network, the VPN subnets must be unique for each CMC.

n The CMC is always xx.xx.xx.1 on an IPv4 VPN subnet, and it assigns addresses to the sensors automatically: xx.xx.xx.2–254. For IPv6 VPNs, the CMC's address is the subnet designation and then it assigns addresses xxxx:xxxx:xxxx::1000 through xxxx:xxxx:xxxx::N to the sensors.

n Your organization's firewalls and routers must permit the traffic between the CMC and the sensors that you want to manage through the CMC. Verify that the VPN, port, and protocol settings (including HTTPS) permit the connections.

6. Click Save. Registration and configuration may take several minutes, depending on your network conditions. The VPN network settings are being established during this time.

Connect Your First Sensor to the CMCThis page explains how to connect one sensor to the Symantec Security Analytics CMC and to grant yourself (the Administrator on the CMC) access to the sensor. You should have already completed the "CMC Initial Settings" on the previous page.

Generate the Authorization Key for the Sensor 1. On the CMC, select CMC > Dashboard.

2. Click Manage Sensors.

3. Click Tools > New.

4. Type a unique, descriptive name for the sensor.

n The sensor's hostname and IP address do not appear on the CMC dashboard, so the sensor name should be as specific as possible.

n In the sensor selector, only the first 15–20 characters of the sensor name are visible; you may want to put the more distinguishing part of the name first.

5. For now, leave the Authorizations, Remote Groups, and Labels fields blank.

6. For Mssfix specify the maximum size for a UDP packet from this sensor. Default: 1400.

7. Click Save. A one-time field is displayed above the Sensors table.

8. Click Download Key.

333


9. Optional — Provide a password for Encrypt with Password and click Save to save the authorization key file as <sensor_name>_auth_key.tar.gz.gpg.

n To download the authorization key file at a later time, you can return to the

Manage Sensors page and click Download for the sensor.

n If you are using the Safari browser on a Macintosh workstation, Safari will unzip the TGZ file when you download it. You must re-compress the file for it to be valid.

Link the Sensor to the CMC

1. Log in directly to the sensor with administrator credentials and select Menu > Settings > Central Management.

2. Click New.

3. For Authorization Key File click Browse.

4. Locate the authorization key file for this sensor (<sensor_name>_auth_key.tar.gz[.gpg]) and click Open.

5. Enter the password for the file, if any.

6. For Central Manager Host, type the IP address for the CMC that generated the key. Use the primary IP address for the CMC's management port (bond0) — IPv4 for an IPv4 VPN or IPv6 for an IPv6 VPN. Do not use the CMC's VPN address nor its hostname. Do not use the CMC's secondary address.

To connect a sensor to a CMC over an IPv6 VPN, bond0 on the sensor must have an IPv6 address and IPv6 gateway.

7. Click Save. When the authorization is complete, an entry for the CMC appears in the Central Manager Settings list.

8. On the CMC, go to the dashboard.

9. The sensor appears in the Other Sensors list.

If you cannot see the sensor: Verify with your network administrators that corporate firewalls permit the sensors to reach the CMC's bond0 over port 1194. Ensure that the CMC and the sensor are using the same port for HTTPS.

334


Security Best Practice Destroy the authorization key file after you have used it to connect the sensor to the

Central Manager.

(missing or bad snippet)

Grant Yourself Access to the Sensor

1. On the CMC, select Menu > Settings > Users and Groups and click the Remote Groups tab.

2. Verify that the admin (Default) remote group is present.

3. Click the Edit icon for the admin remote group; under Group Members, type adm and select admin when it is displayed. Click Save.

4. On the CMC, select Menu > Settings > Central Management and click the Sensors tab.

5. The Sensors list displays the following information:

ID Sensor ID, as assigned by the CMC. If you delete a sensor and then re-add it, the CMC will assign it a new ID.

Name Name of the sensor, as created on the CMC

Host IP address of the sensor on the VPN network

Authorized Users Users who are authorized to access the sensor through the CMC, according to their remote-group permissions. Users in this field have access to the sensor even when the other remote-group members do not.

Authorized Remote Groups

User groups that are authorized to access the sensor through the CMC.

Labels Optional, user-defined tags to use while selecting multiple sensors.

Model Hardware type

335


Version Current software version of the sensor

Actions Controls to perform the following tasks:

Download the sensor's authorization key

Edit the sensor entry

Delete the sensor entry

Upgrade the software on the sensor

6. Click Edit for the sensor and do one or both of the following:

n For Authorizations, type adm and then select admin when it is displayed. This setting provides the admin account with admin-level access to the sensor without giving it to other users who are members of the admin remote group.

n For Remote Groups, type adm and then select admin when it is displayed. This setting provides admin-level access to the sensor to all members of the remote group.

On the CMC, the groups grant access to the CMC itself, whereas the remote groups grant access to the sensors through the CMC.

n Optional — For Labels, type a new label name and press Enter or type an existing name and select it. You can add as many labels as you need to organize your sensors for selection.

7. Click Save and return to the dashboard. The sensor should be in the Your Sensors list. You can click the sensor icon to access it or select it from the sensor selector (CMC button).

Disconnect Sensors from a CMCTo disconnect sensors from a CMC, you have these options:

n Interrupt the connection

n Delete the connection

Interrupt the Connection

1. On the CMC, click CMC to open the sensor selector.

2. Click to remove the sensor from the Selected column and click Apply.

336


Delete the Connection

Method 1

1. Log on directly to the sensor.

2. Select Menu > Settings > Central Management.

3. For the CMC, click to remove it.

When you delete the CMC's entry on the sensor, the sensor's entry in the CMC's Sensors table is not deleted. To reconnect to that CMC, you can repeat the connection process with the original authorization key.

4. On the CMC, select Menu > Settings > Central Management > Sensors.

5. Click to remove the sensor's entry. You cannot undo this action.

Method 2

1. On the CMC, select Menu > Settings > Central Management > Settings.

2. Click Reset Settings to reset the communication settings to default values.

When you click Reset Settings, you de-authorize all currently authorized sensors, delete all connections to them, and remove their entries from the Sensors table. To reconnect the sensors, you must create new sensor entries, download new authorization keys, and create new CMC entries on each sensor.

Manage One Sensor with Multiple CMCsYou may set up a many-to-one relationship among multiple CMCs and one sensor as well as multiple CMCs with multiple sensors.

1. Verify that each CMC uses a different VPN subnet. It is possible for a sensor to connect to one CMC over an IPv4 subnet and to another over an IPv6 subnet.

2. On each CMC that will manage the sensor, generate a key for the sensor.

3. Add each authorization key file to the sensor on Menu > Settings > Central Manager.

337


One sensor managed by three CMCs

When multiple CMCs manage one or more sensors, some CMC functions become unstable. Follow these guidelines to prevent unexpected behavior or data loss:

n Do not attempt to push-upgrade the same sensor from different CMCs at the same time.

n Do not use a CMC to create non-shared indicators or rules on the sensors.

User Accounts and Groups on the CMCAs with standalone appliances, access to a Symantec Security Analytics CMC is granted by membership in a group. To these groups, you can assign permissions at a granular level—any user in the group has those permissions on the appliance.

Likewise, users who access a sensor through the CMC must be assigned to a group that specifies which permissions the user has on the sensor. On the CMC, these are called "Remote Groups."

For instructions on assigning local permissions to groups — including LDAP groups — consult User Accounts and Groups User Accounts and Groups for standalone appliances.

Sensor AccessUsers cannot access a sensor until they are assigned permissions for that sensor. There are two methods for granting sensor-access privileges to a user:

n Authorizations — Individual access to the sensor, according to the user's remote-group permissions

n Remote Groups — Provides RBAC for groups of users

You may use one or both of these methods, that is, a user may be present in both the Authorizations field and in a remote group that is present in the Remote Groups field.

338


Authorizations

1. On the CMC dashboard, click Manage Sensors.

2. Click Edit for the sensor.

3. For Authorizations, type the first few letters of the username and then select it when it becomes visible.

4. Click Save.

The authorized user must belong to at least one remote group. The authorized user's permissions on the sensor are the remote-group permissions: if the If the user is not a member of a remote group, the user cannot access any sensors.

Remote Groups

n See Create or Modify a Group See Create or Modify a Group for instructions on creating a remote group. This process is identical to creating user groups on a standalone appliance.

n See "Remote Groups: Example Setup" below for a scenario in which granular access controls to individual sensors are granted to a variety of users.

Remote Groups: Example SetupThe following example describes how to assign specific sensor permissions to different users using the CMC's remote groups. This example does not include instructions on assigning permissions to the CMC itself.

Network SetupThe example network has three sensors that are controlled exclusively through one CMC.

339


n Sensor 1 monitors general workstation traffic in the organization.

n Sensor 2 monitors traffic that includes a public-facing web site, hosted on a cluster of HTTP servers that are on VLAN 7. Other file servers are on different VLANs that the sensor also monitors.

n Sensor 3 monitors traffic that includes VLAN 12, which contains executive workstations, devices, and servers that contain sensitive corporate, accounting, and human-resources data.

RequirementsThe organization needs the following sensor functions to be performed by different users:

n Full administrative access to modify all settings and accounts

n Log auditing to check for conformity to network policy as well as the archiving of logs

o Only one user is to be entrusted with auditing the traffic on VLAN 12

n Security enforcement, which ensures that all devices and user accounts conform to security policies

n General analysis of all LAN traffic to check for malware, breaches, and usage violations

o Only one user is to be entrusted with analyzing the traffic on VLAN 12

n Monitoring and analysis of all incoming traffic to the public web site, but no access to other LAN traffic

DesignThe requirements are best fulfilled with five remote groups:

n admin — All permissions. This remote group is already present on the CMC.

n auditor — View and download the audit log. This remote group is already present on the CMC.

n security_admin — Modify all sensor-access settings such as authentication, certificates, and the firewall. This remote group is already present on the CMC.

n Analyst — View and modify all Analyze pages, import PCAPs from local and remote sources, view and download audit logs, view the capture summary graph, modify data-enrichment settings.

n Website — View and modify all Analyze pages, import PCAPs from local sources, only view web-related traffic on VLAN 7.

The groups will be assigned permissions on the sensors as follows:

n Sensor 1 — admin, Analyst, Auditor, security_admin

n Sensor 2 — admin, Auditor, security_admin, Website

n Sensor 3 — admin, security_admin

In this example, eight users have access to the sensors:

340


n admin — Senior system administrator

n Analyzer1 — Senior analyst

n Analyzer2 — Associate analyst

n Auditor1 — Senior auditor

n Auditor2 — Associate auditor

n Watchman — Security compliance administrator

n WebMaster1 — Web site administrator

n WebMaster2 — Web site administrator

The order in which the remote groups, users, and sensor permissions are created is flexible. A simple sequence is presented here:

1. "Create the Remote Groups" below

2. "Create the Users" on the next page

3. "Assign Sensor Authorizations" on page 344 (The example assumes that the sensors are already connected to the CMC.)

Create the Remote GroupsCreate the remote groups shown in the table (admin, security_admin, and auditor are included by default):

Remote Group

Permissions

Analyst All Analyze pages, local and remote PCAP import, view and download audit log, view capture summary, modify data-enrichment settings

Website All Analyze pages, PCAP import, web-related traffic only, traffic on VLAN 7 only

1. Log on to the CMC with admin permissions.

2. Select Menu > Settings > Users and Groups. Click the Remote Groups tab.


4. For Name, type Analyst.

5. For Description, type All Analyze pages, capture summary, PCAP import, data enrichment.

6. Select the following check boxes:

n Settings > Data Enrichment

n Capture > Capture Summary

341


n Capture > Import PCAP

n Analyze

7. For now, leave the Data Access Control and Group Members sections blank and click Save.


9. For Name, type Website.

10. For Description, type application_group=web, vlan_id!=4,5,6; all Analyze pages, view and download audit log, local PCAP import

11. Select the following check boxes

n Logs

n Capture > Import PCAP

n Analyze

12. Under Data Access Control do the following:

n Type application_group=web and press Enter.

n Type the following and press Enter:

o vlan_id!=4

o vlan_id!=5

o vlan_id!=6

n Optional — Type vlan_id=7 and press Enter.

13. Click Save.

Create the UsersCreate the users and assign them their remote groups, as shown in this diagram.

342


1. Click the Users tab.

2. Verify that for the admin account, admin is shown under Remote Groups. If it is not:

n Click the Edit icon for the admin account.

n For Remote Groups, type adm and select admin when it is displayed.

n Click Save.


4. For Username type Auditor1. This name cannot be changed later.

5. For Password and Confirm Password, type a password.

6. Under Group Memberships, do the following:

n For User Groups, accept the default: user. This setting determines the permissions that the user has on the CMC itself.

n For Remote Groups, delete admin, then type aud and select Auditor when it is displayed.

7. Click Save.

8. Create the remaining users with the values shown in the following table:

Username User Groups Remote Groups

Analyzer1 user Analyst

343


Username User Groups Remote Groups

Analyzer2 user Analyst

Auditor2 user Auditor

Watchman user security_admin, Auditor

WebMaster1 user Website

WebMaster2 user Website

Assign Sensor Authorizations

1. Select Menu > Settings > Central Management and click the Sensors tab.

2. Click the Edit icon for Sensor 1.

3. For Remote Groups, add the following:

n admin

n Analyst

n auditor

n security_admin

4. Click Save.

5. Add the authorizations and remote groups to Sensor 2 and Sensor 3 according to the following information:

Sensor Authorizations Remote Groups

Sensor 1 admin, Analyst, auditor, security_admin

Sensor 2 Analyzer2 admin, auditor, security_admin, Website

Sensor 3 Auditor1, Analyzer1 admin, security_admin

Results

To verify the inputs, go to Menu > Settings > Users and Groups > Remote Groups. The Remote Groups table should have the following data:

Name Description Users

admin (Default) admin

Analyst All Analyze pages, capture summary, PCAP import, data enrichment.

Analyzer1, Analyzer2

auditor Auditor1, Auditor2, Watchman

344


Name Description Users

security_admin Settings: authentication, security, and web interface

Watchman

user

Website application_group=web, vlan_id!=4,5,6; all Analyze pages, view and download audit log, local PCAP import

WebMaster1, WebMaster2

Given the preceding setup, the resulting sensor-access permissions are as follows:

Sensor 1

n All users that belong to the remote groups admin, Analyst, auditor, and security_admin are able to access Sensor 1 with their respective permissions.

n Watchman has both security_admin and auditor permissions on Sensor 1.

345


Sensor 2

n All users that belong to the remote groups admin, auditor, security_admin, and Website are able to access Sensor 2 with their respective permissions.

n Analyzer2 can access Sensor 2 with Analyzer permissions. Analyzer1 does not have permissions on Sensor 2.

n WebMaster1 and WebMaster2 can access web-related traffic on VLAN 7 only.

n The admin, Auditor1, Auditor2, and Watchman accounts have no data-specific restrictions on their access.

n Watchman has both security_admin and auditor permissions on Sensor 2.

Sensor 3

346


n Auditor1 is the only user with auditor permissions on Sensor 3.

n Analyzer1 is the only user with Analyzer permissions on Sensor 3.

n All users that belong to the remote groups admin and security_admin are able to access Sensor 3 with their respective permissions.

Multi-Sensor EnvironmentThe Symantec Security Analytics CMC does not perform data capture but instead aggregates report and PCAP data that the sensors send.

View Multiple SensorsAdd user-defined labels to each sensor so that related groups of sensors can be more easily managed. You can define or add labels at the time that you create the sensor entry, or you can add and remove labels on the Sensors page by selecting one or more sensors and selecting Tools > Add | Remove Labels.

347


1. On the CMC dashboard, click CMC to expand the sensor selector.

2. Select the sensors to view using one of two methods:

n Click one or more sensors to move them into the next column, and then click Apply.

348


n Enter one or more existing label names under FILTER BY LABEL. Multiple labels are ANDed, so the sensors with all of the labels are displayed in the left pane. Click individual sensors or click Add All, and then click Apply.

349


3. To remove a sensor, click its X and then click Apply.

350


4. To remove all sensors, click Clear All and then click Apply.

351


5. To return to the CMC dashboard at any time, expand the sensor selector and click Dashboard.

Sensor-Selection in the URL

n The default behavior for the CMC is to specify the sensor's number in the URL:

https://<cmc>/?&appliances=7,3,8

In this example, the three selected sensors (appliances) are designated by their sensor IDs, which were assigned by the CMC in the order the sensors were created. You can see the sensor IDs on the Sensors page.

n Sensor IDs are not reused or reassigned, so if a sensor is re-added to the CMC after being deleted, it will be assigned a new sensor ID.

n You can manually specify the sensor's name in the URL in place of the sensor ID. The name must be URL-encoded, so if the sensor's name is Bldg 2, Level 5 the URL is:

https://<cmc>/?&appliances=Bldg%202%2C%20Level%205

Data AggregationWith two or more sensors selected, the summary screen displays aggregated data from the sensors. The Reports, Extractions, and Geolocation views have a drop-down arrow at the left of the status bar. Expand to see the status for each individual sensor.

352


Aggregation is not available for the following:

n Anomalies

n Capture pages

n Statistics pages

n Settings pages

For these pages, select a sensor from the selector in the upper-right corner of the interface to view each sensor's page separately.

Multi-Sensor Metadata

On Menu > Settings > Metadata,Settings > Metadata, you can choose from hundreds of metadata types to index. On this page you have the option of setting metadata attributes for one sensor or of pushing attributes to all connected sensors. Changes to this page will cause sensors to reboot. The CMC does not reboot when this page is changed.

n Sensors Selected — With one or more sensors selected, you can select each sensor's Metadata Settings page and save the settings.

n No Sensors Selected — With no sensors selected, you can push the settings on the CMC's Metadata Settings page to all connected sensors.

o Make the desired changes to the CMC's Metadata Settings page and click Save.

o Click Push Metadata to Sensors to push the new settings to all connected sensors.

All of the metadata settings across all sensors must be identical before you attempt to retrieve reports from those sensors via the CMC. Failure to synchronize the metadata settings on all sensors will result in no data returned for any report.

353


Multi-Sensor ICDx Metadata

New in Security Analytics 8.1.1 With all sensors de-selected on the CMC, you can go to Menu > Settings > ICDx MetadataSettings > ICDx Metadata to input server settings, select metadata attributes, and then push them to all connected sensors.

n If you do not see all of the desired metadata attributes on this page, follow the instructions in "Multi-Sensor Metadata" on the previous page to select and push the new attributes to all connected sensors (causing them to reboot). When they have finished rebooting, the new attributes will be displayed on the CMC's ICDx Metadata page.

n See "ICDx Metadata Forwarding" on page 83 ICDx Metadata Forwarding for instructions on configuring the ICDx Metadata page.

o When you have one or more sensors selected, you can configure the ICDx Metadata page for each sensor, one at a time.

o To configure all connected sensors at once, deselect all sensors.

l When you click Push ICDx Settings to All Servers you must provide the password of the ICDx server to continue.

l When the ICDx server and metadata settings are pushed to all connected sensors, a Sensor Push Status dialog informs you whether the push has been successful for each sensor.

If sensors running versions earlier than 8.1.1 are connected to the CMC, you will see an error for each of these sensors.

n To stop sending the ICDx metadata to the server, clear the Enable ICDx check box and click Save.

Multi-Sensor Summary Views

On all of the Menu > Summary views the data is aggregated from all selected sensors, provided that all of the metadata settings are identical across all sensors. When you create or edit a view on the CMC (by deleting or adding widgets, for example), the changes are not propagated to the individual sensors: only on the CMC can the user see the changes.

Multi-Sensor ReportsThe reports that are available on the CMC are the same as for a standalone appliance, provided that all of the metadata settings are identical across all sensors.

n The CMC does not generate reports for the sensors — each individual sensor generates its own report and passes the data to the CMC. However, the saved, aggregated report views are stored on the CMC.

354


n Click Reports on the sensor selector to see reports in progress, completed, and deleted.

If you are viewing the data from more than one sensor, click a row to show the breakout per sensor.

In the Application report, above, DNS data has been captured by four sensors.

Multi-Sensor Extractions n On the Extractions page, the display in the Distribution panel is aggregated, whereas the items listed in the

Results panel are not.

n In a multi-sensor environment, the Sensor column shows which sensor captured the artifact.

n In the expanded view, the sensor name is also visible.

n The Extraction Status page on the CMC displays only the extractions that were initiated on the CMC.

o On the individual sensors you can see extractions that were initiated by the CMC under the user name cmc_proxy:<username>.

355


The CMC and the sensor clean up extracted artifacts on different schedules. For that reason, you may attempt to access an artifact that is visible on the CMC but is no longer present on the sensor.

Multi-Sensor IndicatorsOn the Indicators and Rules pages, a Sensors column shows the where the item is present, or for the Alerts List, which sensor generated the alert.

n If the same indicator is present on multiple sensors, click the [N] more link to see the full list of sensors.

n When creating an indicator, you can apply it to one or multiple sensors. In the Sensors field, all sensors appear by default. Delete any sensors to which you do not want to copy the indicator.

o Any indicator that you add to the Filter field must already be present on the sensor(s) where the new indicator is to be created.

o Creating non-shared indicators through the CMC is not supported; such indicators will not persist on the sensors and will cause unexpected behavior in any rules that are created with them.

o When you delete an indicator, you also delete other indicators, rules, and alerts that contain the indicator. See Delete Indicators. See Delete Indicators.

356


Multi-Sensor Rules

n When creating a rule, you must select the sensor on which the rule is to be created.

o When creating a rule, the indicator(s) in the First Event field must already be present on the sensor(s) where the rule is to be created.

o Creating non-shared rules through the CMC is not supported; creating such rules will result in unexpected behavior.

o Shared rules are is visible on the sensors.

Multi-Sensor Alerts

n On Menu > Analyze > Alerts > List, On Analyze > Alerts > List, you can see each instance of a triggered alert. The sensor that registered the hit is displayed in the Sensors column.

357


Multi-Sensor PCAP Files

n You can download PCAP files from the CMC from Menu > Analyze > [Summary | Reports | Extractions | Geolocation].

n The CMC creates a single ZIP file that contains a separate PCAP for each sensor.

PCAP Import n PCAP imports cannot be aggregated.

n When importing a PCAP to a sensor via the CMC, only the Remote Server option is supported for Import from.

n If two or more sensors have identical mount points, the identical mount points are aggregated in the display.

Multi-Sensor Geolocation and Google EarthAlthough the Geolocation and the Google Earth tools can show maps with both aggregated data and individual sensor data, the Geolocation tool in the CMC does not identify the sensor that the data came from. With the Google Earth tool, you can choose to display either aggregated data or data from any individual sensor.

When you download a Google Earth file with multiple sensors selected, you can choose whether to view the aggregated data or to view sensor data separately.

There are two methods to link the source sensor to a geographic location:

n Select the IP address, filter on that and view reports.

n Deselect all but one sensor and regenerate the Geolocation image; you may need to repeat this for each sensor until you find the desired data.

Multi-Sensor Communication SettingsFor settings that are related to remote notifications, scheduled reports, and other communication settings, the CMC will not synchronize its SNMP, SMTP, or syslog server information with that of the sensors.

358


This non-synchronization permits you to specify different servers for the CMC and for each sensor.

Upgrading SensorsYou can use a Symantec Security Analytics CMC as a software repository for the sensors, so that you download the upgrade from the Internet only once. (Alternatively, the sensors can be upgraded from their own interfaces in the same way as standalone appliances.)the same way as standalone appliances.)

CMC Upgrade RepositoryFor the CMC to act as an upgrade repository for its sensors, it must have at least one upgrade server configured in the CMC repository as well as an upgrade image in the CMC repository.

An upgrade image in the CMC repository is available to the sensors for upgrade but it is not available for the CMC itself to upgrade. Select Settings > Upgrade to perform an upgrade of the CMC.

On the dashboard, click Upgrade Repository. During the licensing procedure for the CMC, the upgrade server upgrade.soleranetworks.com should have been added to the CMC's External Repository list.

If no upgrade server is listed, follow these instructions to add the default Security Analytics upgrade server:

1. On the CMC, do one of the following:

n Select Menu > Settings > Central Management > Upgrades.

n On the dashboard, click Upgrade Repository.

2. Click New.

3. For Protocol, select http.

359


4. For Host, type upgrade.soleranetworks.com

5. For Path, type /upgrades/

6. For Username and Password, input your license key both times.

7. Click Save. The upgrade server is saved under External Repository.

This same server will also be listed on the CMC's Settings > Upgrade page.

Add an Upgrade Image to the CMC RepositoryBefore you can upgrade the sensors, the upgrade image must be present on the CMC repository.


n Select Menu > Settings > Central Management > Upgrades.

n On the dashboard, click Upgrade Repository.

2. For the upgrade server, click Download from Server .

3. Select the desired version and click Download.

4. The latest version is now in the Local Repository list. The list shows which upgrade version is appropriate for each version to be upgraded.

Upgrade Sensors from the CMC RepositoryTo upgrade sensors from a CMC repository, you have two options:

n "Push" the upgrade from the CMC to the sensor

n "Pull" the upgrade from the CMC to the sensor

Unless otherwise instructed by the release notes, upgrade the CMC before upgrading the sensors that are attached to it.

Push Upgrades

A push upgrade is initiated on the CMC.

Do not attempt to push-upgrade the same sensor from multiple CMCs at the same time.

360



n On the dashboard, click Manage Sensors.

n Select Menu > Settings > Central Management > Sensors.

2. Select the check boxes for the sensors to be upgraded.

n Alternatively, you can click Upgrade for each individual sensor.

3. Select Tools > Upgrade.

4. Select the upgrade file to use and click Upgrade.

5. On the dashboard, you can view the progress of the upgrade for each sensor. To see the whole upgrade message, place your cursor over the bottom line of the sensor's box.

6. While the upgrade image is loading onto the sensor, you can monitor its progress on the sensor's Settings > Upgrade page.

Do not click Initiate Upgrade on the sensor during a push upgrade; the process is automatic.

7. After the sensor has finished upgrading (including reboot), you can see that the CMC repository has been

automatically added to the sensor's Upgrade Servers list on the Menu > Settings > Upgrade page.

n The IP address under Host is the CMC's VPN address, which is xxx.xxx.xxx.1 for IPv4 or xx:xx:xx::1 for IPv6.

n You now have the option of clicking Upgrade from Server on the sensor to upgrade the software.

Pull Upgrades

A pull upgrade is initiated on the sensor.

Unless otherwise instructed by the release notes, upgrade the CMC before upgrading the sensors that are attached to it.

1. Access the sensor by doing one of the following:

n Log on directly to the sensor with admin-level permissions.

n Access the sensor through a CMC with a remote group account that has admin-level permissions.

2. Select Menu > Settings > Upgrade. Is there an entry for a CMC repository in the Upgrade Servers list?

361

https://www.symantec.com/docs/DOC10526


Yes — Verify that the latest upgrade image is on the CMC.

Continue the procedure.

No — Select New.

n For Protocol, select https.

n For Host, type the VPN address of the CMC (xxx.xxx.xxx.1 or abab::1)

n For Path, type /upgrades/

n Leave the Login Information fields blank.

n Click Save.

n Verify that the latest upgrade image is on the CMC and continue the procedure.

3. On the sensor, click Upgrade from Server.

4. When the download is complete, click Initiate Upgrade.

CMC Local ManagementThis page describes how to manage the Symantec Security Analytics CMC itself. When managing the sensors through the CMC, the process is similar to single-appliance management, with the exceptions described in "Multi-Sensor Environment" on page 347.

CMC Dashboard

1 Menu icon, which opens the Settings menu

362


2 Sensor selector — Use this control to select one or more sensors to view or manage

3 System Utilization

4 About Menu

5 Job Queue

6 Notifications

7 Account Settings

8 Control Buttons

9 Your Sensors list

10 Other Sensors list

Your Sensors listThe Your Sensors list shows all of the sensors for which you have a role (remote group or authorization). Each individual sensor is represented on the dashboard page by a graphical box.

1 Connection status (blue = connected; gray = not connected)

2 Sensor name

3 Connection status

4 Software compatibility status

5 Capture status

363


6 Software version

7 Model number

The capture status is available only when the sensor is connected to the CMC and the user has access to the sensor. In some cases, the capture status of a sensor may take a few minutes to update. Click Check Sensor Connections to refresh the connection status.

Software Compatibility Status

When a sensor has a different software version than the CMC, an information icon is displayed in the upper-right corner of the sensor's box. Symantec strongly recommends that you upgrade the software; otherwise, some functionality is lost when selecting the sensor with outdated software.

Other Sensors ListThe Other Sensors list is visible only to CMC admin accounts and shows two types of appliances:

n Sensors for which you have begun but not finished the authorization process.

n Sensors for which your account does not have a role.

Software version number and capture status are not visible in the Other Sensors list.

Control Buttons

Manage Sensors Button

n Click to go to the Menu > Settings > Central Management > Sensors page.

o Add and delete sensors.

o Generate authorization key files.

o Use the Advanced Filter to select multiple sensors according to their user-defined labels.

364


Upgrade Repository Button

Click to go to the Menu > Settings > Central Management > Upgrades page.

Configure upgrade servers.

View or delete the software versions that have been uploaded to the repository.

Check Sensor Connections Button

New in Security Analytics 8.1.1 Click to refresh sensor connection status.

Upgrading the CMCDuring the licensing procedure for the CMC, the upgrade server license.soleranetworks.com should have been added to the CMC's Upgrade Servers list. If it has not, add the upgrade server add the upgrade server and return to these instructions.

The upgrade image that you download here is available to the CMC for upgrade but it is not available for sensor upgrade. Click Upgrade Repository on the dashboard to upgrade sensors.

1. On the CMC, select Menu > Settings > Upgrade.

2. For the upgrade server, click Upgrade from Server . A status bar is displayed.

3. When the upgrade file has finished downloading, click Initiate Upgrade. After the CMC has upgraded, you are prompted to reboot the CMC.

4. After you log back in, you can verify that you are using the updated software by resting your cursor on the Symantec logo.

365


AppendixHow Security Analytics Works 367Implementation 367Drive Configuration 367Packet Capture 368Writing the Slots 370Data Overwriting 370Overwriting Imported PCAPs 372

Flows in Security Analytics 373TCP Finite State Machine 374UDP State Machine 375Flows in Security Analytics 376Flow-Based Reports 377

Populating the Reports 379Where's my data? 380Metadata Settings 380Natively Indexed Metadata 380Conversation Reports 381Data Enrichment Verdicts 381Hash Reports 382Open-Parser Rules 383

Detecting File Types 383Primary Filters for File Types 383Advanced Extraction Filters 383Why Can't I Detect All JavaScript Files? 384

Artifact Extraction 385Protocol Carvers 385Signature-Based Extraction 385

Data Enrichment Process 389Default Data-Enrichment Process 389Example: Create a Data Enrichment Rule to Evaluate PDFs 390

FRS Prefilter Process 392FRS Prefilter Process 392

366


When to Disable the FRS Prefilter 397

Anomaly Detection Process 398Initial Evaluation 398Statistical Analysis 399ADM Detectors 399Interpreting Anomaly Messages 400

All Settings 404Interface Icons 407Menu > Analyze > Summary 410Menu > Analyze > Summary > Reports 411Menu > Analyze > Summary > Extractions 412Menu > Analyze > Summary > Sessions 414Menu > Analyze > Summary > Geolocation 415Menu > Capture > Summary 416

How Security Analytics Works

ImplementationIn a typical deployment, Symantec Security Analytics receives mirrored traffic from a SPAN port or network tap. The traffic enters the appliance through one or more Ethernet ports, called "capture interfaces." See Tap Placement and Capture Optimization Best Practices for additional information.

Drive ConfigurationAll Security Analytics appliances (except the CMC) comprise three logical drives or arrays:

367


n Capture — Raw packet data

n Indexing — Indexed metadata (Indexing DB)

n System — A Linux®-based operating system

The actual size and composition of the drives vary according to the hardware and the specific configuration of the Security Analytics deployment. For example, in a Security Analytics 10G Appliance, all three drives are RAID arrays, whereas in a virtual machine, the drives may be logically separate entities on a conventional hard drive.

Packet CaptureThe figure below shows how incoming packets are processed and analyzed by Security Analytics.

368


1 Mirrored packets arrive from the LAN through one or more NICs.

2 When traffic begins to arrive, the NIC requests a "slot," a 64-MB RAM "container” into which the NIC loads incoming packets. Each packet receives a time-of-capture stamp and a source-interface tag.

3 When the slot is full, the slot is written to the capture drive, and the NIC requests another slot.

4 The metadata (packet header fields, capture timestamps, and interface identifiers) for the packets are written to the Indexing DB. Flows ("conversations" or "sessions") between hosts are identified during indexing. Also see "Data Enrichment Process" on page 389.

5 Artifacts (files), email messages, and IM conversations are extracted from the capture drive.

6 When PCAPs are downloaded, the packets are retrieved from the capture drive.

7 Reports, report widgets, the capture summary graph, and geolocation are generated from the metadata on the indexing drive.

369


Writing the SlotsThe capture drive is logically organized into "slots." As each packet is captured, it is written to a slot. Slots are allocated to the interfaces in sequential order (0–N).

The figure above shows four NICs: eth2 through eth5.

colored Packet written from that NIC

gray Nothing written because another NIC has that slot

white Capture inactive on that NIC

> Start capture

X End capture

eth2 starts to capture first, so it is allocated slot 0. eth5 is allocated slot 1, eth3 is allocated slot 2, and eth4 receives slot 3. The faster or busier NICs are allocated slots more frequently than slower or less-busy NICs. In this example, eth2 and eth5 are allocated more slots because they fill their slots more quickly than eth3 and eth4.

n Each time capture begins on an interface, it creates a "slot chain" — a list of the slots that were used for that capture session in the order in which they were filled.

n In the figure above, eth2 created the slot chain 0-4-8-12-14-18-21-24-28, whereas eth3 created slot chains 2-6-10 and 16-19-22-25.

n Slots are interface-agnostic. After slot N is allocated, slot 0 will be allocated to the next NIC that requests a slot, regardless of which NIC was allocated to slot 0 in the previous cycle.

Select Statistics > Storage System to see slot and slot-chain data.

Data OverwritingThe figure below shows how packets are logically written to the capture and index drives. The full packets and their corresponding index entries (metadata) are written simultaneously to the two drives: the red circles represent a particular set of packets with its corresponding metadata.

370


1 Packets are written to the capture drive in slot order from 0–N.

2 The corresponding metadata is simultaneously written to the indexing drive.

The write process always starts at the first slot and runs continually to the last, which prevents the hard-drive heads from engaging in excessive motion. It also enables extremely fast packet capture: up to 10 Gbps with the appropriate system RAM and RAID arrays.

After the last slot is filled, the next captured packet is written to slot 0. When the capture drive overwrites the first slot, the capture drive has "recycled." Select Statistics > Storage System to see the recycle count for your capture drive. The interval between cycles depends on the amount of data being captured, the size of the packets being captured, and the size of the capture drive.

3 The indicated packet data is overwritten as the capture drive recycles the first time.

4 The corresponding metadata is still available for reports.

In the figure above, the recycle count has been incremented by one because the capture drive has begun to overwrite the first set of packets. Notice that the metadata for the first packets has not yet been overwritten, because the index drive typically does not recycle as quickly as the capture drive. For this reason, report and geolocation data is often available after the original packets have been overwritten.

371


5 The original packet data’s location is overwritten a second time.

6 The corresponding metadata has now been overwritten.

As the second cycle begins, the metadata for the original packets begins to be overwritten.

To see whether the packets or metadata have been overwritten, view data availability.

Overwriting Imported PCAPsWhen you import a PCAP, the PCAP is first uploaded to system RAM and queued into slots in the same manner as the data from the capture interfaces. The interface for an imported PCAP is designated as impt[x].

It is then written to the capture drive alongside the live data.

372


Because the capture drive overwrites slots according to slot order, not according to timestamps, imported PCAPs will be overwritten according to their location on the capture drive, not according to the "age" of the packets.

For example, if you are actively capturing data in 2019 and you import PCAPs from 2018 (and retain the original timestamps), the capture drive will not overwrite all of the PCAPs from 2018 before starting to overwrite the data from 2019; instead, it will overwrite the slots in numerical order, 0–N, as usual.

Flows in Security AnalyticsThis page explains how the TCP and UDP state machines impact flow-based reporting and artifact extraction in Security Analytics.

Symantec Security Analytics implements Internet Protocol (IP) state machines to identify, track, and return associated data for all network flows. A network flow — also called a "conversation" or "session" in Security Analytics — is an orderly exchange of data between two network entities.

At minimum, Security Analytics identifies a flow by a unique 5-tuple that is derived from the flow's first packet: three network-layer fields and two transport-layer fields:

n IP protocol

n Source IP address (src IP)

n Destination IP address (dst IP)

n Source port (src port)

n Destination port (dst port)

Transmission Control Protocol (TCP, part of Internet Protocol) uses a sequence number to explicitly identify each packet in the same flow, whereas User Datagram Protocol (UDP, also part of Internet Protocol) does not include a

373


sequence number. The end of a flow is determined either by a time-out mechanism (UDP) or a formal session termination (TCP).

TCP Finite State Machine

Most TCP flows establish a connection with a "graceful," 3-way handshake that includes a sequence number: a SYN (synchronize) packet, a SYN+ACK (acknowledge SYN) packet, and an ACK (acknowledge the SYN+ACK) packet.

In some cases, the first packet of a new TCP session does not have a traditional handshake, such as PSH/ACK, RST, or FIN/ACK depending on the behavior of the network application: probe utility, N-map, firewall port knocking, and so forth.

When Security Analytics detects a 3-way handshake it checks its flow table to determine whether a flow with the same 5-tuple already exists. If it does not, Security Analytics creates a new row in the flow table and generates a hash key from the 5-tuple to track the state of the flow throughout its duration.

The handshake is also used to determine directionality — the entity that sends the first SYN packet is the "initiator" and the entity that sends the corresponding SYN+ACK is the "responder."

When a new TCP packet enters the system and it is not preceded by a 3-way handshake nor does it have an entry in the flow table, Security Analytics uses the 5-tuple of the first captured packet to determine the TCP roles of initiator and responder and to generate the corresponding hash key for the flow.

This behavior is similar to how Wireshark constructs TCP streams. Security Analytics inspects every TCP packet that enters the system and performs the following operations:

374


n Determines whether the 5-tuple already exists in the flow table and creates a new entry if it does not.

n When the 5-tuple already exists, the TCP state machine matches the packet's sequence number to its entry in the flow table, so that the packets may be correctly reassembled.

n For each hash key, Security Analytics sequentially assigns a flow ID and writes the value to the Indexing DB as the flow_id attribute, which can be used in the primary filter and reports.

The flow ID field uses 62 bits and can therefore identify 262 unique flows. Based on the current capacity and supported capture rates of a 10G appliance, it would take an estimated 100 years or more before the flow ID numbers were exhausted.

Security Analytics considers a flow to be expired when the TCP session is gracefully torn down with an in-sequence FIN/ACK, when it is reset (RST), or when it times out from inactivity. The state machine expires a flow from the state table when the session remains open but no new packets arrive for 60 seconds. If new packets arrive for a previous session, after the 60-second timeout, they are treated as a new flow and given a new sequence number.

UDP State Machine UDP is a simple stateless protocol — packets arrive without an introductory handshake and stop without a formal session tear-down.

The UDP state machine works in a fashion similar to TCP: it inspects packets based on a 5-tuple and associates them with a unique flow ID. A UDP flow 5-tuple consists of IP proto, src IP, dst IP, src port, dst port.

375


n Because UDP is connectionless, the first packet in a new flow (rather than a handshake) — together with the 5-tuple — are used to determine the initiator, responder, and unique hash key for the flow.

n The state machine inspects all UDP packets to see if they match an existing flow in the system, and if not, it generates a new flow record.

n The UDP session inactivity timeout is 5 seconds; after 5 seconds of inactivity, a UDP session is considered closed. Any new packets that match the 5-tuple are written as a new flow in the Indexing DB.

Flows in Security AnalyticsThis simplified diagram of a TCP session shows why a single flow usually contains multiple files.

376


1 The Initiator sends a SYN packet to start the TCP session.

2 The Responder sends SYN+ACK to confirm.

3 The three-way handshake is completed by ACK from the Initiator. With the Layer 4 (transport) session established, the Initiator can make requests according to the application-layer protocol, such as HTTP, FTP, or SMB. In this example, the Initiator sends multiple HTTP Requests to the Responder.

4 Often using HTTP pipelining, the Responder sends files in response to each request as it arrives, instead of waiting to receive an acknowledgment for each response. In this example an HTML page with its associated elements — JavaScript, style sheets, graphics, and multimedia files — are transferred in a single flow.

5 At the end of the session, the Initiator sends a FIN packet.

6 The Responder sends FIN+ACK to terminate the session.

Flow-Based ReportsA single TCP flow may comprise tens of thousands of packets that contain an enormous variety of data types such as the application-delivery mechanism, multiple requests and responses (each with different request headers and server-side response headers), numerous file payloads, and a diverse collection of metadata. For network forensic investigations, it is paramount to understand the full chain of events and context for any network activity.

For example, finding a malicious file is important, but it is equally important to understand the transport protocol, application, IP addresses, user agents, and URIs that were used during the download of the malicious file. All of these data points help identify the different tactics, techniques, and procedures (TTPs) that an attacker used. For these reasons, Security Analytics is structured to return entire flows when the primary filter specifies a particular item of metadata as an indicator or filter.

example

A typical process for returning entire flows is displayed in this flowchart:

377


1 On the web interface, the user inputs one or more attribute/value tuples in the primary filter bar OR the user pivots from an alert to the Summary page.

2 The query handler finds matches for the tuples in flow_ids 111, 222, 333, 444, and 555.

3 If the user query is for a report, the flow_id request is sent to the Indexing DB.

4 If the user query is for an extraction, the flow_id request is sent to the extractor, which queries the capture drive and extracts artifacts from the flows that the query handler identified.

5 The Indexing DB returns all of the metadata for all of the flows in the request.

6 The extractor returns all of the artifacts for all of the flows in the request.

example

This example shows how a single attribute/value tuple in the primary filter bar will return multiple artifacts. As shown below, the filter filename=map.swf returns 36 artifacts, including synthetic, 0-byte artifacts. Only one of the artifacts has the file name map.swf, yet the extractor has returned all of the files in the requested flow.

378


In a corresponding Summary view, these report widgets show that all of the files in the flow share the same 5-tuple.

Populating the ReportsAlso see:

"Flows in Security Analytics" on page 373, "Alerts" on page 236, "FRS Prefilter Process" on page 392, Best Searching Practices in Security Analytics, and "Metadata Settings" on page 56.

379


Where's my data?If you do not see data in your reports and report widgets, it is possible that the features that populate the reports have not been activated or properly set up. This section explains how each report is populated so that you can troubleshoot empty or sparsely populated reports.

Metadata SettingsUser-selectable metadata permits you to decide which metadata attributes are written to the Indexing DB. Report data

is not written to the Indexing DB unless it has been selected on Menu > Settings > Metadata.

Natively Indexed MetadataThe data for most Security Analytics reports is extracted directly from the packet headers by the deep-packet inspection (DPI) engine, or it has been added by system processes at the time of indexing. The reports that contain this data are available within seconds of the data being captured, provided that system resources are available. (See "Reindexing" on page 52.)

Packet-Header Metadata

n IP/port and Ethernet addresses

n IP protocol

n Email sender, receiver, subject line

n File name, extension, MIME type

n HTTP status code, method, URI, content disposition, server, referrer, user agent, location (redirect), content length

n Username, social persona (user identifier), or password

n Database or web queries

n DNS fields

n Packet length

n User-selectable metadata

System-Added Metadata

n Capture interface or import ID

n Application ID, application group

n Flow ID, flow duration

n NIC vendor

n File type

n Autogenerated domain and score

n Country initiator and responder

n Machine ID

For the other reports, specific conditions must be true before the data is written to the metadata array:

n "Conversation Reports" on the next page

n "Data Enrichment Verdicts" on the next page

n "Hash Reports" on page 382

n "Open-Parser Rules" on page 383

380


Conversation ReportsThe data for the Conversation reports is assembled only when the report is queried. For example, if you invoke the IP Layer View on the Analyze > Summary page, the IPv4 and IPv6 conversations for that timespan will be assembled and presented in their respective report widgets.

n IPv4 Conversation


n IPv6 Conversation


The values in the Conversation reports are cached but are not written to the metadata DB.

To specify a conversation in the primary filter bar, enter IPv[x]_address="<ip_address1>","<ip_address2>" There is no ipv[X]_conversation attribute.

Data Enrichment VerdictsAlso see: "Data Enrichment Process" on page 389.

Data for the reports in the verdicts namespace is produced by the data-enrichment process. The following conditions must be true for a data-enrichment report to contain data:

n The corresponding enrichment provider is licensed and activated.

n Traffic matches a data-enrichment rule for the provider.

n The provider has returned the verdict to Security Analytics OR the verdict for that artifact is already in the verdict cache.

The data-enrichment reports are populated as follows:

Report Providers

File Signature Verdict File Reputation Service, FRS prefilter

URL Categories Local Web Reputation Service, Global Intelligence Network (GIN)

URL Risk Verdict Local Web Reputation Service, GIN

Local File Analysis Calculate and Store Hashes, ClamAV, Custom Hash List, jsunpack-n, YARA

Malware Analysis Verdict Malware Analysis appliance; also see FRS Prefilter

Third-Party Verdict ReversingLabs® TitaniumScale® server

Threat Category ReversingLabs TitaniumScale server

Threat Description ReversingLabs TitaniumScale server

Threat Severity ReversingLabs TitaniumScale server

User Name (flows namespace)


381


Exception: URL Risk Verdict

With one exception, you cannot use the data-enrichment verdict attributes as indicators for rules, because the data for those attributes is written to the Indexing DB after the rules engine inspects the traffic.

For URL Risk Verdict data, however, the process is as follows:

1. The Web Reputation Service is licensed and activated.

2. A Web Reputation Service rule that contains the url_risk_verdict attribute is activated.

3. The metadata indexer sends all URLs to the local copy of the Web Reputation Service, which returns a verdict (1-10) with 5 being unknown.

4. When a verdict has been returned for every URL in a flow, the metadata indexer sends the flow to the rules engine.

5. If url_risk_verdict is 5 or higher, the system queries GIN to obtain a definitive verdict for that URL.

6. The verdict is written to the Indexing DB.

Hash ReportsThe hash reports are not populated by the DPI engine nor the metadata indexer. Hashes are calculated by the extractor under the following circumstances:








382


Open-Parser RulesReport data for open-parser rules is written to the Indexing DB only when the following are true:

n The open-parser rule is active.

n The rule specifies that metadata be written to the Indexing DB.

Detecting File TypesA common task to perform with Security Analytics is to find all files of a certain type and then filter on additional characteristics until you find the files that you want. Unfortunately, creating filters to single out all files of a particular type will inevitably leave out some of those files while including files not of that type, because there is no single characteristic of a file that objectively indicates its type. Text-based files have few distinguishing characteristics, for example, and malicious users can spoof file characteristics, which means that short of attempting to open a file in its suspected application — a risky way to test the file type — determining file type is not an exact science.

The file-detection tools in Security Analytics provide excellent ways to narrow down which files are most likely to be of a particular type. While using Security Analytics, you should be aware of how each filter type works as it relates to the file type that you are looking for.

Also see: "Flows in Security Analytics" on page 373, Best Searching Practices in Security Analytics, "Metadata Settings" on page 56

Primary Filters for File TypesPrimary filters identify all flows that contain the matching filter value. These attributes are recorded in the Indexing DB:

n file_name — Derived from the header fields of application-layer protocols such as HTTP, SMB, IMAP, or TFTP. This is a presented attribute, meaning that Security Analytics merely indexes what the header contains.

n smb_filename — From the filename field of the SMB packet header.

n file_extension — Everything after the first dot of file_name.

n mime_type — The Content-Type field of an HTTP or SMTP header .

n file_type — Derived from the file signature (magic number) of files transmitted via HTTP, IMAP, POP3, and SMTP. This is a derived attribute, meaning that Security Analytics obtained the value from the file itself instead of from an application header. See which file types are detected by the file_type filter in Detected File Types.

Advanced Extraction FiltersOn the Extractions page, use advanced filters to filter out extraneous files from the flows that the primary filters identified.

n file_extension — Derived from the presented MIME type.

n file_type — Detects values in both the Presented MIME Type (mime_type) and Detected MIME Type (file_type) fields.

383


n file_type_mismatch — Shows files that have different presented and detected MIME types.

n keyword, keyword_[x] — Detects strings inside an artifact, provided that the string is in cleartext rather than being encoded.

n filename — Not available as an advanced filter, because the artifact's displayed file name may be derived from a variety of sources, not from the file_name in the Indexing DB. To find a particular file name, try URL~<filename>.

Why Can't I Detect All JavaScript Files?Attempting to filter for all files of a particular type — and only files of a particular type — presents difficulties that are inherent in the nature of file structure and the network transport of files. Filtering for JavaScript files, for example, presents the following difficulties:

n The .JS file extension is usually applied to JavaScript files, but some JavaScript files have a .PHP or other extension, and nothing prevents a non-JavaScript file from having a .JS extension.

n JavaScript files do not have a magic number or file signature, so they cannot be detected by the file_type primary filter.

n JavaScript formatting can resemble formatting for other protocols such as HTML, XML, and CSS.

n HTTP headers usually specify that the MIME type is JavaScript, but the header may specify that the MIME type is something else.

Recommended Methods

n Begin with one or more primary filters that return only the flows that contain likely JavaScript files, for example: mime_type~javascript or file_extension=js. (Apply these filters before running the extraction so that you don't waste system resources extracting artifacts in flows that definitely do not contain the specified files.)

n After you initiate the extraction, apply file_type advanced filters to detect file types that contain the terms javascript or js (but not json).

384


The advanced filter shown here will detect most of the likely JavaScript files. However, any filter set will leave out some of the files that you want and include some that you do not. Ultimately, you must determine for your purposes which characteristics of a file constitute the desired file and then apply your filters accordingly.

Artifact ExtractionThe protocol is detected by the DPI engine and then sent to the extractor, which uses the appropriate carver to extract and reconstruct the artifacts.

Protocol CarversSpecialized protocol carvers extract artifacts from these Application Layer protocols:

n File Transfer Carver

o AIM Transfer o IRC Transfer o Jabber Transfer o PalTalk Transfer o Tencent (QQ)

Transfer o Yahoo o Yahoo YMSG

Transfer

n FTP Carver

o FTP o FTP Data

n HTTP Carver

o HTTP

n HTTP2 Carver

o HTTP2

n Mail Carver

o IMAP o POP3 o SMTP

n Messaging Carver

o AIM o AIM Express o Badoo o eBuddy o Facebook o Gmail Chat o IRC o Jabber o PalTalk o Second Life o Teamspeak o Yahoo Messenger o Yahoo Web Messenger

n SMB Carver

o SMB

n Telnet Carver

o Telnet

n TFTP Carver

o TFTP

n VoIP Carver

o MGCP o RTP o SIP

Webmail Carver

o Active Sync o DIMP o Facebook Mail o GMAIL o GMAIL Basic o GMAIL Mobile o GMX o IMP o MS Hotmail o Mailru o Maktoob o MIMP o Orangemail o OWA o Rambler Webmail o Squirrel Mail o Yandex Webmail o Yahoo Webmail — AJAX o Yahoo Webmail Classic o Zimbra o Zimbra Standard

Signature-Based ExtractionIf an application does not have a protocol carver, the extractor performs a Foremost signature scan to determine how to extract artifacts from the protocols (except on protocols in the Encrypted application group). This secondary scan is performed only when all of the following are true:

385


n Enable signature-based extraction is enabled on Menu > Settings > System (default=enabled).

n The protocol is in /etc/solera/config/unknown_protocols.json.

n A flow matches a rule that includes the indicator application_id=unknown. This indicator is the equivalent of creating separate application_id=<protocol> indicator with each individual protocol in /etc/solera/config/unknown_protocols.json

By default this carver can extract artifacts from the following protocols, listed by Application Group. You can add any recognized application_id to unknown_protocols.json. (See Recognized Applications in the Security Analytics 8.1.3 WebGuide on support.symantec.com.)

386



n Application Service Group

o DICT o elasticsearch o exacqvision o FIX o GDB_remote o LDAP o MQ o MS MQ o MSNP o Perforce o SRVLOC o syslog o vMotion o XFS

n Audio/Video Group

o Afreeca o Apple Airplay o Baofeng o Fring o H245 o Hulu o ICY o Join Me o MMS o MPGETS o MSRP o Netflix o NicoNico Douga o Octoshape o PalTalk Audio o PalTalk Video o Periscope o PP Live o PP Stream o Q.931 o QQ (Tencent) Live o QVOD o RTSP o SCCP o SIP SOAP o SMARTalk o Spotify o Tango o TVAnts o TVU Player o UUSee o Viber o Voddler

n Game Group

o Battle.net o Battlefield 1 o Battlefield 4 o Clash of Clans o Clash Royale o CounterStrike o Destiny o Eve Online o Gameloft o Lineage 2 o QQ Dancer o QQ Speed o RuneScape o Steam o Vivox o World of Tanks o World of Warcraft o Xbox LIVE

n Instant Messaging Group

o BeeTalk o Feiliao o Fetion o Gadu-Gadu o Kakao Talk o KIK Messenger o Lava Lava o Line IM/VoIP o Lotus Sametime o Lync o Mailru Agent o MiTalk Messenger o M+ Messenger o OICQ o QQ IM o Skype o Snow o Softros Messenger o Teamspeakv3 o Telegram o Touch o UpLive o WeChat o WhatsApp o Yahoo Messenger

Conference o Zoom

n Mail Group

n Peer to Peer Group

o ADC o AppleJuice o Ares o Bitcoin o BitTorrent o DirectConnect o eDonkey o Filetopia o GNUnet o GNUtella o GoBoogy o iMesh o Juxtapose o Kugou o LUKE o Manolito o MUTE o QQ Music o Share o Shareman o SLSK o Stealthnet o Thunder o WinMX o WinNY

n Printer Group

o JetDirect

o LPR

n Routing Group

o BGP

n Terminal Group

o RLOGIN o RSH

n Thin Client Group

o AnyDesk o DameWare o Go to Device o Go to My PC o ICA o JEDI o MS Hyper-V o PCAnywhere

387


o WebEx o Yahoo Messenger

n Authentication Group

o DIAMETER o IDENT o KPASSWD o Kerberos 5 o TACACS+

n Behavioral Group

o SPID

n Database Group

o DRDA o Honeywell PHD o IBM DB2 o MobileLink DB o MongoDB o My SQL o PostgreSQL o SQLI o TDS o TNS

n ERP Group

o SAP

n File Server Group

o CFT o Hotline o PBX o Quantum DXi o RSYNC

n File Transfer Group

o iRODS

n Forum Group

o NNTP

o Lotus Notes

n Microsoft Office Group

o Groove

n Middleware Group

o AMQP o COAP o DCERPC o DeltaV o GIOP o Java RMI o MQTT o MS PSRP o OPCUA o PI Analysis Framework o PI DataArchive o Thrift

n Network Management Group

o Altiris o Ethernet/IP o IFIX o IPERF o MODBUS o Vnet/IP o Zabbix Agent

n Network Service Group

o COTP o CSP AB/Ethernet o CVS o DISTCC o DNP3 o DNS o DSI o ECHO o ISCSI o IWARP o NBNS o NCP o NDMP o RTMP o SNPP o SVN o T.38 o Time o ULP

o RADMIN o RFB o Teamviewer o VMware o x11

n Tunneling Group

o AICCU o CCProxy o LogMeIn Hamachi o Hotspot Shield o OpenVPN o PPTP o Socksto HTTP o Socks4 o Socks5 o Ultrasurf o XOT

n WAP Group

o SMPP o UCP

n Web Group

o Akamai o Amazon o Apple o Apple Airport o Baidu o eBay o Funshion o GroupWise o Habbo o HAProxy o HTTP Proxy o ICAP o Kaspersky Update o LLP o LogMeIn o NAVER o Orb o Pornhub Network o PP Film o QQ Games o QQ Web o Shopee o Sina Weibo o Slack o SPDY o Speedtest

388


o WHOIS o WINS o XMCP

o Taobao o Threema o Twitch o VTun o YouKu o Your Freedom

Data Enrichment ProcessThe data-enrichment process begins with the rules engine and ends with alerts posted and data written to the reports.

Default Data-Enrichment ProcessThis diagram shows how the rules engine directs the production of data-enrichment verdicts during real-time extraction. The Malware Analysis Process is different from the default.

1 Captured data and imported PCAPs are sent to the metadata indexer.

2 The metadata indexer sends the packets to the deep-packet inspection (DPI) engine, where the packet headers are extracted and classified.

3 The metadata indexer compares the classified metadata with active rules. When a rule is matched, the metadata indexer sends the flow ID and the rule it matched to data enrichment.

389


4 Data enrichment compares the artifact's file type to the file-type filter for each of the rule's enrichment providers. If the filter permits the file type, data enrichment sends the flow ID to the extractor to request a real-time extraction (RTE) or "microextraction."

5 The extractor reassembles all of the artifacts in the flow by reading packet data from the capture system, and for each artifact it calculates the MD5, SHA1, SHA256, and fuzzy hashes, according to user settings. (Fuzzy hash must be manually enabled.) When importing a PCAP, you can see how many rule-based extractions were performed on the PCAP in the Extraction Jobs column. The extractor returns the hashes to data enrichment.

6 If a verdict for an artifact is already present for an enrichment provider, data enrichment retrieves the verdict from cache.

7 If the verdict is not present in cache, data enrichment sends the hashes or files to the selected reputation provider(s) — local or off-box, such as ClamAV or Malware Analysis.

8 As soon as it receives a verdict, data enrichment writes the verdict and the hashes to the Indexing DB, where they are available for reports.

9 If the verdict is higher than 6, an alert and its reputation report are posted to the Alerts page.

10 If remote notification has been enabled for the rule, a remote notification is also sent.

Example: Create a Data Enrichment Rule to Evaluate PDFsThe Security Analytics rule engine provides a real-time, rule-based method to enrich extracted files and metadata. A rule consists of these simple building blocks:

n Indicator — Contains metadata attributes such as file type, IP address, DNS query, or HTTP URL

n Rule type — Data enrichment, alert, IPFIX export, or PCAP export

o For data-enrichment rules, a verdict from an enrichment provider such as File Reputation Service, ClamAV, YARA rules, or Malware Analysis.

n Notification — An alert when traffic matches the rule and the verdict is higher than 6.

n Action — In the case of IPFIX and PCAP export, sending the file to a PCAP or other file server

Follow these steps to set up a rule that detects malware inside a PDF document:

1. Enable one or more file-based enrichment providers such as Malware Analysis and ClamAV. Ensure that the desired file-type filter for the providers is selected. Enable the FRS Prefilter to reduce traffic to the Malware Analysis appliance.

390


2. Create one or more indicators to match the file type of interest: PDF. The indicators can include any DPI-based, primary-filter attributes such as filename=*.pdf or file_extension=pdf (matches the explicit file name), file_type=pdf (matches the magic number), or a pre-loaded indicator such as PDF – Presented MIME Type (matches various PDF-related MIME types).

Filters that use two or more different attributes are joined by Boolean AND. If the filter contained file_extension=pdf and PDF - Presented MIME Type, traffic would have to match both filters.

391


3. Create a rule and specify the indicator(s) as the event to match.

4. Select Data Enrichment for Type, and for Send to select the desired enrichment provider(s).

5. Optionally, configure remote notifications via email, syslog, or SNMP.

6. The rule is activated as soon as you click Save.

FRS Prefilter ProcessThe File Reputation Service (FRS) prefilter setting is enabled by default on the Malware Analysis provider so that artifacts that are already known to FRS are not sent to the Malware Analysis appliance.

FRS Prefilter ProcessFRS Prefilter alters the data-enrichment process for Malware Analysis by returning FRS verdicts for known artifacts and then sending only the unknown artifacts to the Malware Analysis appliance.

To manually bypass the FRS prefilter and all data enrichment filters for an artifact, go Analyze > Extractions, expand the artifact entry, click the file name, and select Malware Analysis, which sends the file to the Malware Analysis appliance.

392


1 The rules engine registers a hit based on a rule's indicator. The corresponding artifact is extracted and its hashes are calculated.

2 If the file type for the artifact does not match the Malware Analysis (MA) file-type filter, the process ends. No data-enrichment job is created.

3 When the artifact matches the Malware Analysis filter, a data-enrichment job is created.

4 If FRS Prefilter is enabled, the artifact must also match the File Reputation Service (FRS) file-type filter.

5 If FRS Prefilter is not enabled, the system looks for an existing MA verdict in the cache.

6 If no MA verdict is found in cache, the artifact is sent to the Malware Analysis appliance.

393


7 The MA verdict (cached or from the appliance) and the artifact hashes are written to the indexing DB, making them available for the Malware Analysis Verdict and hash reports.

8 If the MA verdict is 6 or lower, no alert is posted.

9 If the MA verdict is higher than 6, the alert is posted, showing Malware Analysis as the

Enrichment Provider and the

Type as

Malware

10 If there is no FRS verdict in the cache, the hash is reviewed by the local copy of the Web Reputation Service (WRS).

11 If the local WRS database has no verdict, then the hash is sent to the Global Intelligence Network (GIN).

12 If GIN returns a 5 (unknown), the system looks for an MA verdict in the cache, and if not found the artifact is sent to the Malware Analysis appliance.

13 If GIN returns a verdict other than 5, the FRS verdict and the artifact hashes are written to the Indexing DB, making them available for the File Signature Verdict and hash reports.

14 If the verdict is higher than 6, an alert is posted, showing File Reputation Service as the

Enrichment Provider and the

Type as

File

example

A file called pdfcreator-1-3-2-en-win.exe is known to the File Reputation Service as malware. A PCAP that contains pdfcreator-1-3-2-en-win.exe is imported three times to Security Analytics under these conditions:

n The File Reputation Service is licensed. (It does not need to be activated.)

n A Malware Analysis appliance has been added. (A Content Analysis 2.2 or later appliance with Malware Analysis licensed would also produce this behavior.)

n The Malware Analysis and File Reputation Service file-type filters both permit Programs and Libraries.

n The Symantec Malware Analysis Service rule is enabled.

n The Symantec File Reputation Service rule is not enabled. (Duplicate alerts would be produced.)

n Security Analytics has never received a verdict on pdfcreator-1-3-2-en-win.exe.

Iteration 1

The first time that the PCAP is imported, FRS Prefilter is disabled.

394


1. The file pdfcreator-1-3-2-en-win.exe is detected by the Symantec File Reputation Service File Types indicator.

2. Malware Analysis returns a verdict, so the alert has a malware icon

3. The alert has a link to the corresponding task on the Malware Analysis or Content Analysis appliance.

4. The result did not come from cache, which means that the artifact was sent to the Malware Analysis or Content Analysis appliance.

5. The verdict is present in the Malware Analysis Verdict report.

Iteration 2

For the second PCAP import, no settings are changed.

6. Security Analytics retrieves the verdict from cache.

395


7. The link to the original Malware Analysis task is also retrieved from cache.

8. The verdict is present in the Malware Analysis Verdict report.

Iteration 3

Before importing the PCAP the third time, the verdict cache is cleared by running scm db clear_redis tonic, and FRS Prefilter is enabled in the Malware Analysis entry on Settings > Data Enrichment.

9. The File Reputation Service returns the verdict, as indicated by the file icon, and there is no link to a Malware Analysis task. Symantec File Reputation Service is the Enrichment Provider.

10. The rule name is still Symantec Malware Analysis Service, because that rule detected pdfcreator-1-3-2-en-win.exe. The Reputation Report contains a note saying that the sample (artifact) was not sent to Malware Analysis.

396


11. The Data Enrichment Filter for the File Reputation Service was applied. (If the FRS filter excluded pdfcreator-1-3-2-en-win.exe, File Reputation Service would not be queried, and the file would not be sent to Malware Analysis had FRS returned a verdict of 5 [unknown].)

12. The verdict is present in the File Signature Verdicts report.

When to Disable the FRS PrefilterSymantec recommends that the FRS prefilter always be enabled, because it is the fastest method for returning verdicts on files: The longer the Malware Analysis queue becomes, the longer it takes to return a verdict. Disabling the FRS prefilter, however, may be feasible under the following circumstances:

397


n You reduce the number of files that Security Analytics sends to Malware Analysis by:

o Removing the default indicators for the Malware Analysis rule and replacing them with indicators that detect a small number of unique files.

o Using the data enrichment file-type filter to limit the file types to send to Malware Analysis. (When the FRS prefilter is enabled, the file-type filter for the File Reputation Service is used.)

n Testing in your environment shows that the size of the Malware Analysis queue does not create too much latency in verdict returns.

n Security Analytics does not have an internet connection and so cannot query the GIN cloud.

n You do not have an Intelligence Services subscription but have a Malware Analysis appliance.

Anomaly Detection ProcessAlso see: "Anomaly Detection" on page 101

The ADM process consists primarily of

n establishment of baseline values

n statistical analysis of new data

n alerting on outliers

Initial EvaluationFor the first six hours of operation, ADM evaluates all incoming traffic and establishes norms for the traffic according to:

n capture interface (eth2, impt0)

n time (time of day, day of week, day of month, month of year)

n IP addresses (initiators and responders)

n port numbers (initiators and responders)

n country of IP addresses (initiators and responders)

n application, as identified by the DPI engine

n bytes transferred

n length of DNS answers

n URL category (only with the Web Reputation Service enabled)

These parameters are derived from the ADM detectors, which have been specifically calibrated for Security Analytics.

398


Statistical AnalysisThe system sends data to ADM in 10-minute chunks, called "analysis windows." This data has already been classified by the DPI engine, so the initiators and responders have been established for each flow, and the URL category (if any) has been determined.

n The length of the analysis window is not significant: it was chosen to balance manageability with frequency of alerts.

n ADM does not compare values in an analysis window with the other values in the same window; rather, it compares all data against the baseline.

n A value is considered anomalous when it is an outlier compared to the mean plus several standard deviations.

n ADM assigns a score to the degree of deviation from the mean: 0–9; anomalies with a score of 8 or higher are posted.

n After ADM finishes evaluating the 10-minute chunk of data, it folds all of that data into the baseline, including the anomalies; therefore, a value that is anomalous today might be within the bounds of "normal" next week.

n If for any reason data stops being captured during an analysis window, the data that is in the partially filled window will not be analyzed until after capture resumes and the analysis window is filled. The detection time will be the same time as when the analysis window has been analyzed, not when the data first was captured. This may prevent you from seeing an anomaly when you pivot to the Summary view.

o For example, say that capture stops at 00:35, after the analysis window has been filling for five minutes. Capture then resumes four hours later at 04:35. After five more minutes of capture, the analysis window is full, and it is then analyzed. Any anomalies in this analysis window will show a detection time of 04:30, even if the data was captured between 00:30 and 00:35.

o When pivoting to the Summary view for an anomaly that was captured at 00:32, the anomaly will not be visible, because the timespan is set to the detection time minus 30 minutes: 04:00–04:30. You should manually set the timespan to 00:30–04:30 to see that anomaly.

ADM DetectorsStatistical analysis is performed according to the terms in the ADM detectors. Terms that ADM uses are:

n Field — The attribute to be analyzed as a metric. A By Field is a specific value of Field to be analyzed.

n Function — Operation that is performed on the Field:

o high_sum — Detects large sums for the Field value.

o high_info_content — Detects large amounts of content at the beginning of a DNS answer name.

o high_distinct_count — Detects large numbers of distinct values for the Field.

o rare — Detects first-time or unusual instances of a Field or By Field value.

n Over Field — Always an initiator or responder IP, it identifies the device associated with the anomaly.

399


n Partition Field — A value by which the data is separated into distinct groups for consideration. Not all detectors have a partition field.

example 1

Given this detector:

n Function: high_sum

n Field: total_bytes

n Over Field: initiator_ip

n Partition Field: application_ids

1. ADM groups all of the data in the analysis window by application_ids.

2. For each flow with a particular application ID, ADM sums the total_bytes of flows that have the same initiator_ip.

3. ADM compares the sum to the baseline value for the same

n application_ids

n initiator_ip

n comparable analysis window*

4. If total_bytes is abnormally high compared to the baseline, ADM assigns it a score 0–9.

5. If the score is 8 or higher, ADM posts the anomaly: "Excessive data transfer by IP initiator <ip_address> while using <application_ids>"

example 2

Given this detector:

n Function: high_distinct_count

n Field: initiator_country

n Over Field: responder_ip

1. ADM counts the number of different initiator_countrys that have the same responder_ip.

2. ADM compares the number of countries to the baseline value for the same

n responder_ip

n comparable analysis window*

3. If the number of different initiator_countrys is abnormally high compared to the baseline, ADM assigns it a score 0–9.

4. If the score is 8 or higher, ADM posts the anomaly: "IP responder <ip_address> contacting a high number of countries."

Interpreting Anomaly MessagesEach of these anomaly messages indicates that the event is unusual for a comparable analysis window:

400


A "comparable analysis window" is derived from multiple timespans that pertain to the same capture interface: the specific weekday and time, that time on weekdays in general, that time for that day of the month, as well as recent activity (~48 hours before the analysis window).

Excessive data transfer by IP address while using application

The amount of data that this IP address is transferring — while using this application — is unusually high.

example

Initiator IP 1.1.12.211, while using FTP, transferred 1,083,240 bytes at around 03:30 on 09 Jun 2016. The mean for this same capture interface + time + IP initiator + application ID combination is 242,026 bytes. That degree of deviation from the mean gets a score of 9.

anomaly might indicate

n data exfiltration

n covert communications

IP address sending long strings to DNS servers

This IP address made a DNS request with an unusually high number of characters in the DNS name.

example

401


Responder IP 4.2.2.2 sent an unusually long string — represented as 15484 — to a DNS server at around 17:50 on 01 Mar 2017. The mean for this same capture interface + time + IP responder + DNS communication combination is ~110. That degree of deviation from the mean gets a score of 8.


n data exfiltration

n command-and-control traffic using DNS tunneling

IP address using numerous applications

This IP address is sending data using an unusually high number of applications.

example

IP Responder 1.1.48.91 was using 40 applications at around 03:30 on 08 June 2016. The mean for this same capture interface + time + IP responder + number of applications combination is ~1. That degree of deviation from the mean gets a score of 9.


n systems under threat-actor control that are performing probes

n scans for penetration

n lateral movement

Many conversations between IP address and multiple IPs or ports

This IP address is having an unusually high number of conversations (sessions) with another IP or port.

example

402


IP responder 1.1.33.101 had 34 conversations with multiple initiator IPs at around 03:20 on 08 Jun 2016. The mean for this same capture interface + time + IP responder + number of initiator IPs combination is ~1. That degree of deviation from the mean gets a score of 9.

High data transfer by IP address located in country

This IP address, which is located in this country, transferred an unusually high amount of data.

example

IP responder 1.1.37.58, which is located in China, transferred 766,408 bytes at around 11:10 on 06 Jun 2016. The mean for this same capture interface + time + IP responder + country combination is ~33,806 bytes. That degree of deviation from the mean gets a score of 9.


n denial-of-service attack

n data exfiltration

n legitimate VPN traffic

URL category getting a high number of hits

URLs that belong to this URL category are getting an unusually high number of visits.

example

URLs in the Web Ads/Analytics category were visited 98 times at around 23:50 on 27 Jun 2016. The mean for this same combination of capture interface + time + URL category is ~15 times. That degree of deviation from the mean gets a score of 9.

403



n phishing

n malware beaconing

All SettingsConsult the table below to see where to configure all settings on SymantecSecurity Analytics. The Settings menu is

available only to users with administrative privileges for the appliance. The settings in the [Account Name] menu affect only the logged-in account. See more about the CLI commands in the Security Analytics 8.1.x Reference Guide on support.symantec.com.

Setting Interface Location CLI

Account name and email[Account Name]

> Account

Settings

Anomaly detection See Tuning Anomaly Detection Settings.

Anonymous usage tracking Settings > Web Interface

API settings[Account Name]

> Account

Settings

Capture summary graph data About > Data-Retention

Settings

Central Manager linkage Settings > Central Management

Certificates Settings > Security

Content Analysis setup Settings > Data Enrichment

CSR Settings > System

(machine ID: About )

csr.sh

DeepSight settings Settings > Data Enrichment

DHCP Settings > Network

DNS Settings > Network

Dynamic filters Analyze > Rules dynfilter

EDR Settings > Data Enrichment

Email logs, server setup Settings > Communication > Server Settings

dslc

Enable external HTML elements preview

Settings > Web Interface

404




Endpoint Protection settings Settings > Data Enrichment

Entries per page[Account Name]

>

Preferences

FIPS mode Settings > Security

Firewall Settings > Security dsfirewall

Global Intelligence Network connectivity

Settings > Data Enrichment gindiag.sh

Google Authenticator[Account Name]

>

Preferences

Google Earth® settings Settings > Geolocation

Hostname Settings > Network

HTTP proxy Settings > Network

HTTPS access Settings > Security

ICDx Settings > ICDx MetadataSettings > Communication > Server Settings

ICMP response Settings > Security

Inactivity timeout Settings > Web Interface

Integration providers Settings > Data Enrichment

Intelligence Services setup Settings > Data Enrichment

Intelligent capture Analyze > Rules

Internal subnets for geolocation Settings > Geolocation

IPs to exclude from reputation lookup

Settings > Data Enrichment

IPv4 and IPv6 addresses Settings > Network

Kerberos single sign-on Settings > Authentication

LDAP authentication Settings > Authentication

Licensing About > License Details

Log file export Settings > Communication > Advanced

dslc

Log file purge Settings > Communication > Advanced

dslc

405



Log notifications Settings > Communication > Server Settings

dslc

Log settings import Settings > Communication > Advanced

dslc

Logging (syslog, SNMP) Settings > Communication dslc

Login Correlation Service Settings > Data Enrichment

Malware Analysis setup Settings > Data Enrichment

MaxMind® uploads Settings > Geolocation

Message of the day Settings > Web Interface

Metadata Settings > Metadata

MIB Settings > Communication > Advanced

NTP Settings > Date/Time

Open parser Analyze > Rules

Passwords Various, click link

Ping response Settings > Security

Pivot-only providers Settings > Data Enrichment scm pivot_only_providers

RADIUS authentication Settings > Authentication

Reboot appliance Settings > System

Referrers Settings > Web Interface

Remote notifications Settings > Communications > Server Settings

Reputation providers Settings > Data Enrichment

Root password https://<appliance>/settings/initial_config

SEPM Settings > Data Enrichment

Session controls Settings > Security

Shut down appliance Settings > System

SNMP Settings > Communication > Server Settings

dslc

Splunk Phantom Settings > Communication > Server Settings

406



SSH access Settings > Security > Server Settings

syslog Settings > Communication > Server Settings

dslc

Threat Explorer Settings > Data Enrichment

Time/date/zone settings Settings > Date/Time

Time-based data deletion About > Data Retention

Two-factor authentication[Account Name]

>

Preferences

Units of measurement[Account Name]

>

Preferences

Upgrade system software Settings > Upgrade

User accounts and groups Settings > Users and Groups scm solera_acl_elevatescm solera_acl_shell_only

Web Reputation Service Updates Settings > Data Enrichment

YARA rules Settings > Data Enrichment

Interface IconsThese icons appear throughout the web interface as controls and signals.

Icon Function

Menu — Click to open the main menu.

About — Click to see the model and serial numbers, view license details, edit data-retention settings, and access the help files, EULA, audit log, Universal Connector, and Symantec Blogs.

Job Queue — Click to see jobs in the queue, such as offline PCAP downloads and generated PDFs

Notifications — Click to see system notifications.

Account Menu — For the logged-in account access account settings, preferences, the Risk and Visibility report, and the encoder/decoder tool.

407

https://www.symantec.com/blogs/


Icon Function

Analyze > [Summary | Reports | Extractions | Geolocation] — Stop Report(s)/Extraction — Click to stop the data processing on that page.

Analyze > Extraction Status — Stop Extraction — Click to stop an extraction in progress.

Active/Inactive — Toggle to activate or deactivate the entry.

Delete — Click to delete this record.

Analyze > Extraction Status — Delete Extraction — Click to delete the extraction from the page and from disk.

Download — Click to download the item to the local workstation.

Edit — Click to edit this item.

Not Shared/Shared. Shared = Visible to all users on this appliance.

Analyze > Alerts > List — View Report Summary — Click to see the artifact on the Summary page. Analyze > Report Status > List — View Report — Click to view the report on the Reports page. Analyze > Indicators — Add to Filter Bar — Click to add the indicator to the filter bar. Analyze > Anomalies — View Report Summary — Click to view the anomaly data on the Summary page. Capture > Import PCAP — View This Import — Click to load the PCAP into the Summary page.

Analyze > Extraction Status — View Extraction — Pivot to the Extractions page to view the extraction.

Analyze > Extraction Status — Copy PCAP Path — Click to copy the PCAP path to clipboard.

Settings > Users and Groups — Remote/Local User. Local = Created on this appliance; remote = created on another authentication server such as an LDAP server.

Settings > Upgrade — Upgrade from Server — Click to initiate a software upgrade from the corresponding server.

408


Icon Function

Analyze > Alerts > List — View Artifacts— Click to view the artifact on the Extractions page. Analyze > Saved Extractions — View Extraction — Click to view the artifacts on the Extractions page. Analyze > Summary > Extractions — Preview — Click to preview the artifact.

Analyze > Alerts > List — URL — The item that triggered this alert is a URL.

Analyze > Alerts > List — File — The item that triggered this alert is a file.

Analyze > Alerts > List — Malware — The reputation report for this item was generated by a Malware Analysis or Content Analysisappliance.

Capture > Import PCAP — Manage Connections — Click to configure/edit a watch folder. Analyze > Rules > Create/Edit PCAP Export — Manage Connections — Click to configure/edit an external mount point.

Analyze > Summary — More Information — Click to see more information or to download the displayed data as a PCAP(NG). Analyze > Alerts > List — Rule Details — Click to display information about the advanced rule that triggered the alert. Capture > Import PCAP — Import Information — Click to see information on the imported PCAP(NG). Settings > Data Enrichment — View Description — Click to see the description of the custom script.

Capture > Summary — Hidden/Showing — Click to hide or show lines on the capture summary graph.

Capture > Summary — Capture Filter — Click to apply or remove a capture filter on an interface.

Analyze > Alerts > List — Critical Alert

Analyze > Alerts > List — WarningAnalyze > Summary — Unindexed Flows — Click to see how many of the flows in the current view are not yet indexed.

Analyze > Alerts > List — Notice

Capture > Import PCAP— View Alerts of This Import — Click to view the alerts that were generated by this PCAP.

Analyze > Summary > Extractions — Explore Root Cause — Click to view the root cause of the artifact.

Analyze > Summary > Extractions — Reputation — Click to view available reputation information for the artifact.

409


Icon Function

Analyze > Summary > Extractions — Analyze PCAP — Click to open the artifact in the Packet Analyzer.

Analyze > Summary > Extractions — Show Payload — For HTTP Method POST artifacts, display the payload.


See "Summary Views" on page 144 for further information.

1 Analyze, Capture, Statistics, Settings, Menus

2 Filter Bar 14 Timespan Filter

3 Summary, Reports, Extractions, Sessions, Geolocation

15 Actions Menu

4 View Selector 16 Reindexing Control

5 Status Bar 17 Session Resolution Control

6 Save and Delete indicator Controls

18 Information and PCAP Download

410


7 Alerts in the last 96 hours and Anomalies

19 Application Group Widget

8 System Utilization 20 Application Group over Time Widget

9 About Menu 21 Table Display

10 Job Queue 22 Pie Chart Display

11 Notifications 23 Bar Chart Display

12 Account Settings 24 Column Display

13 Update and Stop Reports Buttons

Menu > Analyze > Summary > Reports

See "Reports" on page 137 for more information.


12 Account Settings

411


2 Filter Bar 13 Update and Stop Report Buttons


14 Timespan Filter

4 Report Selector 15 Actions Menu

5 Status Bar 16 Report Summary Chart

6 Save and Delete indicator Controls 17 Information and PCAP download


18 Total Sessions over Time Histogram

8 System Utilization 19 Report Comparison Control

9 About Menu 20 Advanced Filter

10 Job Queue 21 Results Table

11 Notifications

Menu > Analyze > Summary > Extractions

See "Extractions" on page 152 for more information.


12

About Menu

412


2 Filter Bar 13

Job Queue

3 Analyze Menu: Summary, Reports, Extractions, Sessions, Geolocation

14

Notifications

4 View Selector: Artifacts, Artifacts Timeline, Email, IM Conversations, Media Panel

15

Account Settings

5 Status Bar 16 Actions Menu

6 Information and PCAP download

17

Histogram


18

Advanced Filter


19 Results List

9 Update and Stop Extraction Buttons

20

Expanded Artifact Entry

10

Timespan Filter 21 Artifact Actions: Preview, Download, Analyze, Explore Root Cause, Reputation

11 System Utilization

413


Menu > Analyze > Summary > Sessions

See "Sessions" on page 172 for more information.


11 Notifications

2 Filter Bar 12 Administrator Account Settings


13 Update and Stop Report Buttons

4 View Selector 14 Timespan Filter

5 Status Bar 15 Actions Menu

6 Save and Delete Controls 16 Session Resolution


17 Information and PCAP download

8 System Utilization 18 Session Results Table

9 About Menu 19 Detail View

10 Job Queue 20 Advanced Filter

414


Menu > Analyze > Summary > Geolocation

See "Geolocation" on page 176 for more information.


11 Notifications

2 Filter Bar 12

Account Settings


13

Update and Stop Report Buttons

4 View Selector 14

Timespan Filter

5 Status Bar 15

Actions Menu


16

Information and PCAP download


17

Geolocation Map

415


8 System Utilization 18

Advanced Filter

9 About 19

Results List

10

Job Queue 20 Map Controls

Menu > Capture > Summary

See "Capture" on page 30 for more information.

1

Analyze, Capture, Statistics, and Settings menus

9 Graph Scales

2

Alerts in the last 96 hours and Anomalies

10

View Menu

3

System Utilization 11

Actions Menu

4

About Menu 12

Data Availability Histogram

416


5

Job Queue 13

Capture Totals

6

Notifications 14

Stop/Start Capture on All Interfaces

7

Account Settings 15 Capture Interfaces

8 Status Bar

Capture Interfaces

Each capture interface on a Security Analytics has a graphical box. To change the unit of measure on the boxes, go to [Account Name] > Preferences.

1 Line color on the graph

2 Interface name: eth — Ethernet; agg — aggregated interfaces. Click to edit the name.

3 Interface speed

4 Toggle to start/stop playback

5 Toggle to enable/disable data representation on the graph

417


6 Click to apply a capture filter

; during playback, click to

see playback information

7 Toggle to start/stop data capture

Each active interface box shows a table with the following columns:

n Type — Current, maximum, and total

n Captured — Total amount of data captured by this interface

n Filtered — Amount of filtered data captured by this interface

418


ResourcesConsult these resources for assistance with your Security Analytics implementation:

n Required Ports, Protocols and Services for Symantec Enterprise Security Products: https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/web-and-network-security/security-analytics/8-1/ports-reference.html

n All Security Analytics documentation: https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/web-and-network-security/security-analytics/8-1.html

n Security Analytics support page: https://support.broadcom.com/security

419

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/web-and-network-security/security-analytics/8-1/ports-reference.html

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/web-and-network-security/security-analytics/8-1/ports-reference.html




Security Analytics 8.1.x Administration and Central Manager ...

Documents

Transcript of Security Analytics 8.1.x Administration and Central Manager ...