Security Analytics 7.3.x Administration and Central Manager Guide Updated: 13 May 2019

© 2019 Symantec Corp. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Blue Coat, and the Blue Coat logo are trademarks or registered trademarks of Symantec Corp. or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON- INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. SYMANTEC CORPORATION PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT AFTER DELIVERY TO YOU.

Americas:
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

Rest of the World:
Symantec Limited
Ballycoolin Business Park
Blanchardstown, Dublin 15, Ireland

Contents

Initial Configuration ...... 6
Network and Appliance Settings ...... 6
Install the License ...... 8
Data Capture ...... 9
Capture ...... 10
Initiate or Stop Capture ...... 10
Capture Summary Graph ...... 10
Static Filters ...... 12
Dynamic Filters ...... 13
Capture-Interface Aggregation ...... 15
Reprocessing ...... 16
PCAP Files ...... 17
Download PCAPs of Captured Data ...... 17
Import PCAP Files ...... 19
PCAP File Analysis ...... 20
Automatically Import PCAP Files ...... 22
Automatically Export PCAP Files ...... 22
Configure a Mount Point ...... 22
Data Availability ...... 24
Data Enrichment Profiles ...... 24
Viewing Data Availability ...... 25
Calendar Display ...... 25
Capture Summary Graph ...... 26
Playback ...... 26
Data Analysis ...... 30
Summary Views ...... 31
Report Widgets ...... 31
Create a Summary View ...... 32
On-Demand DNS Resolution ...... 33
Reindexing ...... 34
Apply Filters to Summary Views ...... 36
Anomaly Detection ...... 37
Enabling Anomaly Detection ...... 37
Anomalies Pages ...... 38
Filtering Anomaly Alerts ...... 39
Anomaly Investigation View ...... 40
Anomaly Detectors ...... 40
Tuning ADM Settings ...... 42
Metadata Settings ...... 43
Application ...... 44
Custom Analytics ...... 44
Database ...... 44
DNS ...... 45
Email ...... 47
Encryption ...... 47
File ...... 48
Geographical ...... 51
Network Layer ...... 51
SCADA ...... 54
Social Persona ...... 58
Threat Intel ...... 59
Web ...... 61
Open Parser ...... 64
Open Parser Conventions ...... 64
Create an Open-Parser Rule ...... 64
View the Report Data ...... 65
Add the Custom Analytics Report Widgets to a Summary View ...... 66
Open Parser Alerts ...... 66
PII Reports Example ...... 67
Open Parser Data Matching ...... 70
Filters ...... 70
Primary Filters ...... 70
Capture Filters ...... 76
Primary Filter Attributes ...... 76
Advanced-Filter Attributes ...... 76
Universal Connector ...... 86
Indicators ...... 87
Preloaded Indicators ...... 87
Reports ...... 96
Risk and Visibility Report ...... 96
Reports Page ...... 97
Report Status Pages ...... 99
Populating the Reports ...... 103
Where's my data? ...... 103
Geolocation ...... 106
Geolocation Settings ...... 108
MaxMind City and Country Databases ...... 109
Google Earth ...... 110
Encapsulation Detection ...... 111
PPPoE ...... 111
IPv6 in IPv4 ...... 111
GRE Encapsulation ...... 112
Packet Analyzer ...... 113
Packet Analyzer Filters ...... 113
Data Enrichment ...... 117
Data Enrichment ...... 118
Reputation Queries ...... 118
Activate a Data-Enrichment Resource ...... 118
Exclude from Lookup ...... 119
Data Enrichment Filters ...... 119
Enrichment Providers ...... 119
Blue Coat Intelligence Services ...... 122
Symantec On-Demand Providers ...... 126
Symantec Endpoint Protection ...... 126
Advanced Threat Protection (ATP) ...... 128
DeepSight Intelligence ...... 129
Symantec Analysis Providers ...... 130
Malware Analysis ...... 130
Content Analysis ...... 136
Reputation Providers ...... 137
Local File Analysis Providers ...... 138
Third-Party On-Demand Reputation Providers ...... 138
Third-Party Integration Providers ...... 140
Endpoint Providers ...... 143
Symantec SEP Integration ...... 143
Rule-Based Endpoint Providers ...... 143
Custom Hash List ...... 144
YARA Rules ...... 146
Login Correlation ...... 148
File Names Sent to Providers ...... 155
Default Extractor Filename ...... 155
Other File Names ...... 155
Rules ...... 157
Rules Activated by Default ...... 157
Activate and Deactivate Rules ...... 157
Prepare to Create a Rule ...... 157
Create a New Rule ...... 158
Alert Rule ...... 159
Data-Enrichment Rule ...... 160
Dynamic Filter ...... 160
PCAP Export Rule ...... 161
IPFIX Export Rule ...... 161
"None" Rule ...... 162
Alerts ...... 163
Alert Management ...... 163
Data Enrichment Alerts ...... 165
Extractions ...... 171
Artifacts ...... 174
Artifact Preview ...... 181
Appliance Security ...... 190
User Accounts and Groups ...... 191
Local Users ...... 191
Shell-Only Users ...... 193
Account Profile Settings ...... 193
User Groups ...... 195
Remote Authentication ...... 200
LDAP Authentication ...... 200
Kerberos Authentication ...... 205
RADIUS Authentication ...... 207
Two-Factor Authentication ...... 207
Using RADIUS and LDAP in Parallel on Security Analytics ...... 208
LDAP Group Inheritance ...... 209
Passwords ...... 215
Password-Complexity Rules ...... 215
SSL Certificates and Keys ...... 216
Install a New Certificate and Key ...... 216
Additional Certificate Requirements ...... 219
Security Analytics Ports and Protocols ...... 222
Remote Access ...... 224
Firewall ...... 224
Web Access ...... 225
SSH Access ...... 227
Ping (ICMP) ...... 227
Web Interface Settings ...... 228
SSH Authentication ...... 229
Generate an SSH Key for Data Enrichment Providers ...... 229
Disable SSH Root Logins ...... 231
MD5-Encrypted Password for Bootloader ...... 232
Federal Information Processing Standards ...... 233
Entering FIPS Mode ...... 233
Exiting FIPS Mode ...... 234
Maintenance ...... 235
Logging and Communication ...... 236
Logging ...... 236
Email Alerts ...... 237
Syslog Settings ...... 239
Communication Settings ...... 240
MIB Files ...... 241
Resetting System Logs ...... 241
Remote Notifications ...... 242
System Alerts ...... 244
File-System Notifications ...... 244
System-Critical Notifications ...... 244
Upgrades ...... 245
Add an Upgrade Server ...... 245
Upgrade Security Analytics ...... 246
Licensing ...... 247
All Settings ...... 248
Network Settings ...... 250
System Date and Time ...... 251
Statistics ...... 253
Drive-Space Management ...... 256
Capture and Index Drives ...... 256
System Drive ...... 256
Home Drive ...... 257
Time-Based Data Deletion ...... 258
Reboot or Shut Down ...... 259
Security Analytics Functionality ...... 260
How Security Analytics Works ...... 261
Implementation ...... 261
Drive Configuration ...... 261
Packet Capture ...... 262
Writing the Slots ...... 263
Data Overwriting ...... 264
Overwriting Imported PCAPs ...... 265
Flows in Security Analytics ...... 267
UDP State Machine ...... 269
Flows in Security Analytics ...... 270
Flow-Based Reports ...... 271
Data Enrichment Process ...... 273
Default Data-Enrichment Process ...... 273
FRS Prefilter Process ...... 276
Anomaly Detection Process ...... 283
Initial Evaluation ...... 283
Statistical Analysis ...... 283
ADM Detectors ...... 284
Interpreting Anomaly ...... 285
Interface Icons ...... 289
Appliance Ports ...... 291
2G Appliances ...... 291
10G Appliances ...... 292
Central Managers ...... 293
Storage Modules and Arrays ...... 294
Interface Screens ...... 297
Alerts Management Dashboard ...... 297
Analyze > Summary ...... 298
Capture > Summary ...... 299
Analyze > Summary > Reports ...... 301
Analyze > Summary > Extractions ...... 302
Analyze > Summary > Geolocation ...... 303
Central Manager Console Guide ...... 305
Introduction to the Central Manager Console ...... 306
CMC Initial Settings ...... 307
Connect Your First Sensor to the CMC ...... 308
Disconnect Sensors from a CMC ...... 311
User Accounts and Groups on the CMC ...... 313
Remote Groups: Example Setup ...... 314
Multi-Sensor Environment ...... 321
Upgrading Sensors ...... 330
CMC Local Management ...... 333

Initial Configuration

This page contains instructions for configuring the Symantec Security Analytics appliance for the first time. To see how to configure other settings, see Settings.

Network and Appliance Settings

After you have logged in to the web interface (admin | Solera) and accepted the EULA, the Initial Configuration page is displayed. If you cannot see the Initial Configuration page, append /settings/initial_config to the appliance's IP address in the address bar of your browser.

• Specify a Fully Qualified Hostname (system name) for the Security Analytics appliance.
o If the hostname is not an FQDN, you may get unexpected results.
o The name typed here is displayed as part of the prompt when anyone logs in to the command line for this appliance.
o The hostname is the first part of an artifact filename.
o You must register this hostname with your DNS servers if you intend to refer to this appliance by its hostname in other contexts.

Set the IP address, mask, and default gateway for the management gateway (eth0) using one of the following methods:

• Select the Use DHCP check box to automatically retrieve network settings. If you choose to enable DHCP, it is recommended that you use the DHCP reservation feature of your DHCP server to statically map the MAC address of the management interface to an IP address.
• Specify the network settings manually.

• If you set a temporary IP address on the CLI using ifconfig, you must re-specify the IP address, netmask, and gateway on this page; otherwise, after the next reboot, the IPv4 address will revert to the default (192.168.20.20) and the IPv6 address will be deleted.
• If you specify an IPv6 address, the network service restarts after you click Save, and you may lose connectivity temporarily.

• Optional — For IPv6 secondary addresses, separate the addresses with a space.
• Optional — If your appliance accesses the Internet through a proxy, type the IP address of the HTTP Proxy in the following format: :
• Optional — Specify comma-delimited exceptions to the proxy in the No Proxy field, for example: .symantec.com,10.18.5.5,2508:34ed:af:2d1::3d33


• The value hostname is always present in the No Proxy field, even though it is not visible.
• If your appliance accesses the Internet through an authenticated proxy, edit /etc/environment as follows:

http_proxy="http://:@:"
https_proxy="https://:@:"

or

http_proxy="https://:@[]:"
https_proxy="https://:@[]:"

Also see how to install the proxy's SSL certificate, which you can do after you license Security Analytics.

Specify up to three DNS servers. If you will be using hostnames for other settings on this appliance, you must specify the primary DNS.

Set the correct date and time for the appliance (MM/DD/YYYY hh:ii:ss). You can enable NTP later.

Select the appropriate Time Zone for this appliance's physical location.

Because time is an essential parameter for both PCAP generation and playback, you must set the correct time and time zone on the appliance before you begin to capture data.

Select the Interface Language.

Change the root password for the appliance and specify its lifespan. To change the root password after initial configuration, use passwd on the CLI.

• There is no password-backup option. If you lose the root password, you may need to send the appliance back to Symantec Support for reset.
• Follow best key-maintenance practices by manually recording the root and admin passwords and by keeping a copy in a secure location that is separate from the appliance.

Select Lock Root Account to disable all root access to the appliance.

WARNING! You cannot re-enable the root account unless you have console access to the appliance, and then you will have to contact Symantec Support for assistance.

Change the password for the admin account and specify its lifespan. To change the admin password after initial configuration, select Administrator > Account Settings. For Password, change any of the requirements, as desired.


Alterations to the password requirements apply to the root and admin passwords that you set on this page as well as to all new user accounts. You can change the requirements after initial configuration on Settings > Security.

Click Save.

If there are any errors on the page, you will be prompted to fix the errors. Before you click Save again, you must input the passwords again for both the root and admin accounts.

Install the License

The License Details dialog is displayed. Retrieve your license key from Symantec Support (support.symantec.com) as instructed in the eFulfillment message from Symantec.

Does your appliance have access to the internet (license.soleranetworks.com; port 443)?

Yes:
• Under Retrieve License, input the License Key and click Send Request.
• If applicable, select the desired license type.
• The appliance sends the license key and the license seed file to the Symantec license server, which generates the appropriate license file (license.tgz) and returns it to the appliance, which then automatically reboots.

No:
• Click Download DS Seed to download the seed file (dsseed.tgz) to your workstation.
• On a workstation that has Internet access, go to license.soleranetworks.com.
• Type your license key, upload dsseed.tgz, and click Submit.
• If applicable, select the desired license type and click Submit.
• Save the license file (license.tgz) to your workstation.
• Return to the License Details dialog.
• Click Browse and select license.tgz.
• The license is uploaded and the appliance automatically reboots.

Once the system has rebooted, select Settings > About > License Details to verify that the items are correct.

Click Download to create an archive copy of the license file (solera-license.dat). Store this file in a safe location that is not on the appliance. Consult All Settings to further configure your system. If you are setting up a Central Manager Console, continue to these instructions.


Data Capture

This section includes the following topics:

• Capture
o Capture Summary Graph
o Static Filters
o Dynamic Filters
o Capture-Interface Aggregation
o Reprocessing
• PCAP Files
o Downloading PCAPs
o PCAP File Analysis
• Data Availability
• Playback


Capture

The Capture > Summary page has two sections: the interactive graph at the top of the page and a set of summary boxes (one per interface).

Initiate or Stop Capture

You can also use the dscapture command in the CLI for some of these actions.

Select Capture > Summary and identify the graphical box for the interface. Click Start Capture. The green Start Capture button becomes a red Stop Capture button.

If there is traffic on that interface, the Current, Max, and Total rows in the Captured column will begin to populate. To view the interface's traffic in the graph, click the Hidden icon.

The color of the left margin of the graphical box is the same color as the interface's line in the graph. Select View > Aggregated Statistics to display all traffic in one line.

Packets larger than 1522 bytes are dropped. To capture larger packets, contact Symantec Support.

Capture Summary Graph

The capture summary graph provides a view of the capture statistics for each network interface so that you can see patterns in network data over time. Click and drag the cursor over a section of the graph to highlight a section to enlarge. The graph polls the system regularly to get information on interface captures. By default, the graph will display up to six months of historical data.


This interval can be changed by selecting Settings > About > Data-Retention Settings. The "age" of graph data is reckoned according to when it was written to the database, not according to the timestamps on the packet data. For example, if you import a two-year-old PCAP today and retain the timestamps, the graph for the PCAP will be displayed two years in the past; however, if you set the data-retention interval to one month, the graph data for the PCAP will be erased only after a month has elapsed.

Total Traffic per Interface and Uptime

At the upper-left of the graph you can see System Uptime as well as total traffic per interface and PCAP imports.

• To show or hide each interface, click its Hide/Show Line on Graph icon.
• To hide or show PCAP import, select View > PCAP Import on the upper-right side of the graph.
• To view all capture interfaces in aggregate, select View > Aggregated Statistics.

View Menu

Use this menu to display information about system performance. You can select as many or as few of these values as you want.

Process | Definition | Unit of Measurement
CPU Usage | Amount of CPU capacity currently used | Percentage of Capacity
RAM Usage | Amount of RAM currently used | Percentage of Capacity
Flow Table Size | Cumulative size of the flow table since last reboot | Cumulative (Kilo)bytes
DPI Threads | Cumulative number of deep-packet inspection (DPI) threads | Cumulative Number
Slot Overflow | The number of slots that exceed the DPI slot capacity | Current Number
Cumulative Flow Maximum | The highest number of flows since last reboot | Cumulative Number
Flows in Progress | The number of flows that are currently being processed | Current Number
Classification Discards | The number of packets that have not yet been indexed | Current Number
Slots in Use | The number of slots that are currently being processed | Current Number
Packets in Progress | The number of packets that are currently being processed | Current Number
Flows Initiated | The number of new flows that have begun processing | Current Number
PCAP Import | Toggle to show/hide PCAP imports in the graph | Network traffic unit of measure
Aggregated Statistics | Aggregate data from all capture interfaces | Network traffic unit of measure
File Analysis Jobs in Progress | The number of file-analysis jobs that are in the queue | Current Number
Processed File Analysis | The number of file-analysis jobs that have been processed | Current Number
File Analysis Queue Discards | The number of file-analysis jobs that were dropped because the extractor's queue limit was exceeded | Current Number
File Analysis Range Discards | The number of file-analysis jobs that were dropped because the maximum slot range limit was exceeded | Current Number
File Analysis Slot Discards | The number of data-enrichment jobs that were dropped because the slot was not in memory (not live) | Current Number
File Analysis Requests | The number of file-analysis requests to the Intelligence Services | Current Number

Actions Menu

Click the Actions menu to access the following options:

• Download PCAP — Save the data in the selected timespan as a PCAP file.
• Start Playback — Create a playback session based on the selected timespan. See Playback for more information.
• Reprocess — Resend packets through the rules engine. See Reprocessing for more information.
• Reset Zoom — Reset the graph to the default view.
• Analyze Data — View the selected timespan on the Summary page.

Static Filters

With static capture filters, you can select the packets to be captured or discarded by a given network interface. Static filters are applied manually and do not expire. Security Analytics uses the standard Berkeley Packet Filter language to define capture filters at the Ethernet, network, and transport levels (OSI Layers 2–4). Once created, the filter definition can be saved and reused for other capture interfaces. Capture filters can also be applied to PCAP downloads and playback.

• Traffic that is excluded by a capture filter is not written to the capture drive.
• To filter out traffic types at the application level, use dynamic filters.

Apply a Capture Filter to an Interface

1. Select Capture > Summary.
2. For the desired interface, click the filter icon.
3. For Filter, do one of the following:
• Select an existing filter.
• Select Create New Filter.
o Provide the Name and BPF Expression for the filter.
4. Click Save. The interface will now capture only the traffic specified by the filter.

To remove the filter, click the filter icon again, select No Filter, and click Save.

Apply a Capture Filter to a PCAP Download

Follow the steps in Download PCAP Files of Captured Data and select PCAP without Packet Filters for Type, and then specify a new BPF filter in the space provided.

Dynamic Filters

Dynamic filters are similar to "auto notch" filters — a term from radio processing. Auto-notch filters identify and suppress frequencies that are overpowering other frequencies, thereby improving the signal-to-noise ratio. In Security Analytics, the auto-notch daemon converts specified flow characteristics into ingress filters, which prevents the flow from being written to the capture and indexing drives. You can use dynamic filters to keep your drives from filling up with packets that you do not want to record, such as Netflix® movies, Pandora® audio streams, SSL-encrypted traffic, or any other traffic that you can identify with an indicator.

Be very careful about applying dynamic filters — you risk overwhelming your system resources if an excessive number of filters is applied in a short time.

Dynamic Filter Operation

Dynamic filter rules operate as follows:

The user decides which kind of traffic to exclude and creates one or more indicators to identify that traffic. Examples:

• Streaming video, by service — application_id=netflix,hulu,youtube,yahoo_screen,vimeo,slingbox,qqlive,mubi,blockbuster,baidu_player,blip_tv
• Streaming media, by protocol — application_id=bmff,h225,h245,h248_binary,mgcp,mms,mpgets,msrp,rdt,rtcp,rtp,rtsp,sccp,sip,x25
• All audio/video protocols and services — application_group=audio/video
• Conferencing services — application_id=adobe_connect,gotomeeting,meetingplace,q931,vsee,webex
• Encrypted traffic — application_group=encrypted, application_id=ssl
• Traffic from a specified VLAN — vlan_id=23
• Traffic on a specified subnet — ipv4_address=10.10.*.*


• To see which protocols and applications are supported for indicators, go to Recognized Applications in the Security Analytics 7.3.x Reference Guide on support.symantec.com and download the XLSX or CSV file.
• Use the dynfilter command to manage the dynamic filters.

The user creates a dynamic filter rule on Analyze > Rules using the desired indicator(s). When traffic matches a dynamic filter rule, an ingress filter is applied to the capture interface where the traffic was detected. The flow that matches the filter is dropped before it is written to the capture and indexing drives, except for the first few packets (less than one second) of the flow. When the interval specified in the rule elapses, the filter is deleted from the capture interface. If the same media is still streaming, it triggers the rule again and the filter is reapplied. When a dynamic filter is applied to a capture interface, the interface display should show how much traffic is being filtered in the Filtered column.

Guidelines for Creating Dynamic Filters

• Avoid creating dynamic filters on any type of traffic that is likely to occur frequently across a diverse set of flows. Such a dynamic filter rule will produce filter strings that soon exceed the size limit for the ingress filter, after which no new entries can be added until older entries expire. For example, a dynamic filter rule using the Commonly Scanned Ports indicator will soon fill the allotted memory and prevent other dynamic filters from being applied.
• Dynamic filters should be as coarse-grained as possible, meaning that you should select only 1 or 2 of the five available attributes to create the filter: usually, IP Responder and IP Protocol together. There is a limit on the number of flows that can be dynamically filtered at a time. By ensuring that only 1–2 of the options are selected, the limit is much harder to reach.

Expected Behavior with Dynamic Filters

• Between the time that a flow enters the system and the time that the flow is classified and the dynamic filter applied, some packets will still be captured to disk. If the flow is especially short, the entire flow may be captured before it is classified and the filter applied.
• Because dynamic filters time out, a flow that lasts longer than the filter timeout may begin to be captured after the filter expires. The DPI engine must reclassify the flow and reapply the dynamic filter before the flow's packets are again filtered out and discarded.
• It may take more time to apply a dynamic filter to the traffic in an imported PCAP than it takes to import the PCAP. Unless the PCAP is especially large or the import speed especially slow, dynamic filters probably will not be applied to imported PCAP data.
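The two guidelines above (keep the rule coarse-grained so the ingress-filter table does not fill, and expect a short burst of packets on disk each time a filter expires and the flow is reclassified) can be made concrete with a small model. The Python block below is an added illustration, not the dynfilter code shipped with Security Analytics: it turns each flow that matches a rule into one ingress-filter entry keyed on the attributes the rule selects, gives the table a fixed capacity and a per-rule expiry interval, and counts how many entries the same twelve streams produce under two and under five attributes. The flow records, the capacity of 8 entries, the 60-second interval, the one-second classification delay and the BPF rendering of each attribute are all constructed assumptions for the example.

```python
"""Constructed model of dynamic (auto-notch) ingress filters.

Added example; not the appliance's implementation. A matching flow becomes a
filter entry keyed on the rule's selected attributes, the table has a fixed
capacity, and entries expire after the rule's interval."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ip_initiator: str
    ip_responder: str
    ip_protocol: str
    port_initiator: int
    port_responder: int
    application_id: str
    start: float          # seconds since the start of the capture


# The five attributes a dynamic-filter rule can select, and the coarse pair the guide recommends.
FINE_GRAINED = ("ip_initiator", "ip_responder", "ip_protocol", "port_initiator", "port_responder")
COARSE_GRAINED = ("ip_responder", "ip_protocol")

# Illustrative BPF rendering of each attribute (assumption; the appliance builds its own strings).
_BPF = {
    "ip_initiator": "src host {}",
    "ip_responder": "dst host {}",
    "ip_protocol": "{}",
    "port_initiator": "src port {}",
    "port_responder": "dst port {}",
}


def filter_key(flow, attrs):
    """Only the selected attributes distinguish one filter entry from another."""
    return tuple((a, getattr(flow, a)) for a in attrs)


def bpf_for(key):
    return " and ".join(_BPF[a].format(v) for a, v in key)


class IngressFilterTable:
    def __init__(self, capacity, ttl):
        self.capacity, self.ttl = capacity, ttl
        self.entries = {}     # key -> expiry time
        self.rejected = 0     # adds refused because the table was full

    def expire(self, now):
        self.entries = {k: exp for k, exp in self.entries.items() if exp > now}

    def add(self, key, now):
        self.expire(now)
        if key in self.entries or len(self.entries) < self.capacity:
            self.entries[key] = now + self.ttl   # new entry, or re-triggered rule refreshes it
            return True
        self.rejected += 1
        return False


def simulate(flows, attrs, capacity=8, ttl=60.0, matches=lambda f: f.application_id == "netflix"):
    """Replay flows in start order and report how the filter table ends up."""
    table = IngressFilterTable(capacity, ttl)
    for flow in sorted(flows, key=lambda f: f.start):
        if matches(flow):
            table.add(filter_key(flow, attrs), flow.start)
    return {"entries": len(table.entries), "rejected": table.rejected,
            "filters": sorted(bpf_for(k) for k in table.entries)}


def seconds_captured(duration, ttl, classify_delay=1.0):
    """Seconds of one flow that reach disk: the packets seen before the DPI engine
    classifies the flow, repeated each time the filter expires and the flow is still running."""
    captured, t = 0.0, 0.0
    while t < duration:
        captured += min(classify_delay, duration - t)   # written until classified
        t += classify_delay + ttl                       # filter active, then expires
    return captured


# Constructed sample: twelve Netflix streams from twelve clients to two servers, plus one HTTP flow.
FLOWS = [Flow(f"10.10.1.{i + 1}", "203.0.113.10" if i % 2 == 0 else "203.0.113.11",
              "tcp", 50000 + i, 443, "netflix", float(i)) for i in range(12)]
FLOWS.append(Flow("10.10.2.1", "198.51.100.5", "tcp", 51000, 80, "http", 3.0))

if __name__ == "__main__":
    for name, attrs in (("fine-grained", FINE_GRAINED), ("coarse-grained", COARSE_GRAINED)):
        r = simulate(FLOWS, attrs)
        print(f"{name}: {r['entries']} entries, {r['rejected']} rejected: {r['filters']}")
    print("seconds of a 130 s stream written to disk:", seconds_captured(130, 60))
```

With all five attributes every stream needs its own entry, so an 8-entry table rejects four of the twelve and nothing else can be filtered until those expire; with IP Responder and IP Protocol the same streams collapse to two entries. The second function shows the expected-behaviour point: a 130-second stream under a 60-second interval leaks about one second of packets three times, and a flow shorter than the classification delay is captured whole.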

Capture-Interface Aggregation

In some cases it is advantageous to aggregate two or more physical interfaces into one virtual interface. For example, if you have separate physical interfaces for Rx and Tx traffic, an aggregated interface permits Security Analytics to match initiator traffic with its corresponding responder traffic.

You can also aggregate capture interfaces with the dscapture command.

The following rules apply to interface aggregation:

• You can aggregate as many interfaces as reside on a single appliance.
• You can add only one interface to the aggregate at a time.
• If any of the component interfaces have a capture filter, that filter will be ignored in the aggregate.
• You can apply a capture filter to the aggregated interface.
• When you separate an aggregated interface, you separate all of the component interfaces; you cannot delete only one or two interfaces from the aggregate.
• After separating an aggregated interface, any filters that were on the individual interfaces will be reapplied, whereas any filters that were on the aggregated interface will be removed.

To aggregate interfaces, follow these steps:

1. Stop capture and playback on all of the interfaces that you want to aggregate.
2. Click and drag one interface box onto another interface box.
3. Verify that you have selected the correct interfaces, make a note of the new interface name, and click Combine.
4. Click Start Capture to start capturing on the aggregated interface.


To separate the aggregated interface into its component interfaces, stop the capture or playback on the interface, click the chain icon at the top-right of the interface box and click Separate.

Reprocessing

In some cases, when a data-enrichment rule sends a query to an external source, or when an Intelligence Service sends a query to the Global Intelligence Network, there is no immediate response. In other cases, you may have altered your indicators or rules, new report attributes may have been included in an updated version of Security Analytics, or you captured data using the Packets Only profile. As necessary, you can select data to be examined again by the data-enrichment process as well as reindexed by Security Analytics.

• For certain encrypted protocols such as SSH, IPSEC, and ISAKMP, the tls_heartbeat_attack_attempt attribute will not be indexed during reprocessing. Heartbleed detection is therefore dependent on the tls_heartbeat_mismatch attribute.
• Imported PCAPs cannot be reprocessed.

1. On Capture > Summary, select a timespan to reprocess.
2. Select Actions > Reprocess. The Reprocessing Jobs page is displayed.
3. Click New. The Time Range shows the same start and end times as you selected on the Capture Summary page. You may change the time range, as desired.
4. Click Save. The selected data is sent back through the rules engine and is also indexed again.

Depending on system load, reprocessing may not initiate for up to an hour. In the case of heavy system load, it may not initialize until after system load is reduced.

The columns on the Reprocessing Jobs page are as follows:

• Start Time — The starting time of the data to be reprocessed.
• End Time — The ending time of the data to be reprocessed.
• Processing Start — The time that the reprocessing job starts.
• Processing End — The time that the reprocessing job ends.


• Command — The type of reprocessing job:
o 1 = Reindexing — Packets that were not indexed at time of capture are indexed.
o 2 = Reprocessing — Packets are run again through indexing, the rules engine, and data enrichment.
• Source — The origin of the job:
o 1 = Auto — When system resources prevent indexing at time of capture, resulting in classification discards, the system uses its idle time to index that data. Data that is captured during a Packets Only session is not reindexed or reprocessed automatically.
o 2 = Manual — The reprocessing or reindexing job was initiated by the user:
. Reprocessing is manually initiated as described in Steps 1–4.
. Reindexing is manually initiated on the Summary page status bar.
• Percent Complete — Percentage of the job that is completed.
• Actions — Click to cancel the unfinished portion of the job. If the job is 100% complete, this will delete the entry from the list.

To prevent data corruption, the reprocessor will not reprocess the last 150 slots (~10 GB) of captured data.

PCAP Files

PCAP files contain copies of all captured packets for a given timespan. Symantec Security Analytics supports PCAP and PCAPNG formats, both Ethernet-encapsulated and PPP-encapsulated.

PCAP files can be very large. If you are accessing the Security Analytics web interface on Internet Explorer® 9 or another browser that cannot send files in chunks, you cannot support PCAP files larger than 2 GB without using the Web Services API. (Consult the Security Analytics 7.3.x Reference Guide on support.symantec.com.)
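Before importing a capture it helps to know whether the file is classic PCAP, which link layer it carries, and how many frames exceed the 1522-byte limit noted under Capture. The Python block below is an added example, not part of this guide or of the Security Analytics import code: it builds a constructed PCAP in memory, parses the global header and the packet records in either byte order, and reports frames over the size limit and frames the capturing tool already truncated. The link-type numbers follow the public libpcap registry (1 = Ethernet, 9 = PPP); treating only those two as supported is an assumption made for the example, and a PCAPNG file (which begins with block type 0x0a0d0d0a rather than the PCAP magic) is rejected rather than parsed.

```python
"""Added example: a minimal classic-PCAP reader that flags frames an import would drop.
Not the appliance's own importer; the size limit and link-type handling are taken from
the guide's text and the public libpcap numbers."""
import struct

MAGIC_USEC = 0xA1B2C3D4          # classic PCAP, microsecond timestamps
MAGIC_NSEC = 0xA1B23C4D          # classic PCAP, nanosecond timestamps
LINKTYPE_ETHERNET = 1            # libpcap link-layer type numbers
LINKTYPE_PPP = 9
SUPPORTED = {LINKTYPE_ETHERNET: "Ethernet", LINKTYPE_PPP: "PPP"}  # assumption for this example
MAX_FRAME = 1522                 # frames larger than this are dropped at capture
GLOBAL_HDR = "IHHiIII"           # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"              # ts_sec, ts_frac, incl_len, orig_len


def build_pcap(packets, linktype=LINKTYPE_ETHERNET, endian="<"):
    """Write a classic PCAP from (ts_sec, payload, orig_len_or_None) tuples.
    Used here only to construct sample input."""
    out = [struct.pack(endian + GLOBAL_HDR, MAGIC_USEC, 2, 4, 0, 0, 65535, linktype)]
    for ts_sec, payload, orig_len in packets:
        orig = len(payload) if orig_len is None else orig_len
        out.append(struct.pack(endian + RECORD_HDR, ts_sec, 0, len(payload), orig))
        out.append(payload)
    return b"".join(out)


def _byte_order(magic_bytes):
    """Return (struct endian prefix, nanosecond flag) from the 4-byte magic."""
    for endian in ("<", ">"):
        (magic,) = struct.unpack(endian + "I", magic_bytes)
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            return endian, magic == MAGIC_NSEC
    raise ValueError("not a classic PCAP file (PCAPNG begins with block type 0x0a0d0d0a)")


def parse_pcap(data):
    """Parse the global header and every record; raise ValueError on a short or foreign file."""
    if len(data) < 24:
        raise ValueError("file shorter than the 24-byte global header")
    endian, nanos = _byte_order(data[:4])
    _, major, minor, _, _, snaplen, linktype = struct.unpack(endian + GLOBAL_HDR, data[:24])
    records, off = [], 24
    while off < len(data):
        if len(data) - off < 16:
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + RECORD_HDR, data[off:off + 16])
        off += 16
        payload = data[off:off + incl_len]
        if len(payload) != incl_len:
            raise ValueError(f"record at offset {off - 16} declares {incl_len} bytes but file ends early")
        off += incl_len
        records.append({"ts_sec": ts_sec, "ts_frac": ts_frac, "incl_len": incl_len,
                        "orig_len": orig_len, "payload": payload})
    return {"version": (major, minor), "snaplen": snaplen, "linktype": linktype,
            "nanoseconds": nanos, "records": records}


def check_import(data, max_frame=MAX_FRAME):
    """Summarise what an import would face: encapsulation, frame count, frames over
    the size limit, and frames the capturing tool already cut short."""
    parsed = parse_pcap(data)
    records = parsed["records"]
    return {
        "encapsulation": SUPPORTED.get(parsed["linktype"]),   # None = not handled by this example
        "packets": len(records),
        "oversized": sum(1 for r in records if r["orig_len"] > max_frame),
        "truncated": sum(1 for r in records if r["incl_len"] < r["orig_len"]),
        "bytes_on_wire": sum(r["orig_len"] for r in records),
    }


# Constructed sample: a 60-byte, an exactly-1522-byte and a 1600-byte frame, plus a 2000-byte
# frame that the capturing tool snapshot down to 1000 bytes.
SAMPLE_PCAP = build_pcap([
    (1557705600, b"\x00" * 60, None),
    (1557705601, b"\x00" * 1522, None),
    (1557705602, b"\x00" * 1600, None),
    (1557705603, b"\x00" * 1000, 2000),
])

if __name__ == "__main__":
    print(check_import(SAMPLE_PCAP))
```

Run against the sample it reports two oversized frames (1600 and 2000 bytes on the wire; the 1522-byte frame sits exactly at the limit and passes) and one truncated frame. On a real file the same call, fed the bytes read from disk, tells you how much of the capture will be silently absent after import.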

Download PCAPs of Captured Data

Do one of the following on Analyze > [Summary | Reports | Extractions | Geolocation]: • Select Actions > Download PCAP — Any filters in the filter bar are applied to the downloaded file.

© 2019 Symantec Corporation Updated: 13 May 2019 Data Capture 18 PCAP Files

• Click the info icon on the Status bar. The Download PCAP dialog is displayed. For Filter click View Path to see the /pfs/flows path. Click Calculate Size to see the amount of data to be downloaded. For Type, select one of the following: • PCAP — File is downloaded in PCAP format. • PCAPNG — File is downloaded in PCAPNG format. • PCAP without Packet Filters — All primary filters are cleared from the data. o To apply a BPF filter, click the Filter list. Select a previously configured filter or select Create New Filter, type a name for the filter, and enter the BPF Expression in the space provided. For Download Options, select one of the following: • Browser — Download the PCAP file using your browser's file-download feature. • Offline — Send the PCAP download job to the queue, to run in the background. (Not available for PCAP without Packet Filters.)

  o A message indicates that the generation of the PCAP has begun.
  o Click the notification at the upper-right corner of the web interface. The entry shows PCAP generation in progress.

  o When the process has completed, the status changes from Processing to Download. Click the entry and follow the prompts to save the PCAP file.
• NFS save — Save to an NFS server. (Not available for PCAP without Packet Filters.)

The apache user (on the Security Analytics Apache instance) must have both read and write permissions to copy the PCAP to the mounted NFS server.

  o For Server, click the Manage Connections icon. The Manage Connections dialog is displayed. As needed, configure an NFS mount point.

Click Download to save data.pcap or data.pcapng.

Other PCAP Downloads

Download PCAPs as follows, using your browser's Save function:

• On Analyze > [Summary | Reports | Extractions | Geolocation], select Actions > Analyze Packets, and then click Download PCAP — Any packet-analysis filters are applied to the downloaded PCAP.

• Select Analyze > Summary > Extractions and expand an artifact entry.
  o Click Download and then select Download Artifact PCAP or Download Artifact PCAPNG.


  o Click Analyze PCAP and then click Download PCAP — Any packet-analysis filters are applied to the downloaded PCAP.
• Select Capture > Summary, then select Actions > Download PCAP — Any filters on the capture interfaces are applied to the downloaded PCAP.

Automatic PCAP Downloads

To export PCAPs automatically, create a PCAP Export rule.

Import PCAP Files

You can import PCAP files from your workstation, a USB drive, or a remote server. To import from a USB drive, insert the drive into the Security Analytics appliance before performing the next steps; do not remove the USB drive until the import is complete.

Select View > PCAP Import in the Capture Summary Graph (Capture > Summary) to see the histogram of the import.

You can also use the dspcapimport command in the CLI for this function. (Consult the Security Analytics 7.3.x Reference Guide on support.symantec.com.)

Select Capture > Import PCAP.
Click New.
For Import from, specify the import device.
• My Computer — Click Browse, locate the PCAP file, and open it. (Not available from the CMC.)
• Appliance USB Drive — Select the PCAP file to import. (Not available from the CMC.)
• Remote Server — Select an existing mount point or specify a new one, select the Schedule, and then select the PCAP file to import.
Indicate whether to share the imported PCAP.
Clear the Retain original packet timestamps check box to use the importation begin and end times as the timestamps.

When the original timestamps are not retained, the PCAP is imported as fast as system resources allow; therefore, the new timestamps will not necessarily be in the same order as in the original PCAP. If you need to preserve the order or timing of events, Blue Coat recommends that you retain the original packet timestamps.

Click Import.


• When you upload a series of PCAPs rapidly, one after the other, each PCAP may be imported over a different virtual interface: impt0–impt9.

• PCAP data can be imported concurrently on up to ten virtual interfaces.
• Use dspcapimport to specify which impt interface to use for a PCAP import.

PCAP File Analysis

After you have imported a PCAP file, use the following methods to further analyze the data.

Analyze PCAPs on Security Analytics

The web UI on Security Analytics offers these options:

• PCAP Imports list
• Storage System page
• Capture Summary page

PCAP Imports List

Select Capture > Import PCAP. On the Imports list, the following information is available:

• Name — Name of the imported PCAP file.
• Status — Import state such as Running, Queued, Completed, or Canceled. To filter the list by status, click All at the top-left of the list and select the desired state.
• Import Source — The method of importing the PCAP, such as Browser Upload or the name of the remote server (as specified under Manage Connections).
• Interface — The interface on which the PCAP was imported, usually impt0.
• Import ID — Sequential number that is assigned to the import. This number appears in filters as import_id=.

• Extraction Jobs — Number of files that have been reconstructed by the micro-extraction process, which corresponds to the number of times a data-enrichment rule gets a hit.
• Data Enrichment Jobs — Number of verdicts that have been returned by the enrichment providers. One artifact can trigger multiple data enrichment jobs when multiple enrichment providers receive the artifact.
• Created Time — The time at which the PCAP import began.


• First Packet Time — The timestamp on the first packet in the PCAP file. If you selected Retain original packet timestamps for the import, this date will be earlier than the Created Time; otherwise, it will be a few seconds later.
• Actions — Click an icon:

o View Import Information — See more information about the import, including error messages.

o View Alerts of This Import — Open the Alerts Management Dashboard to see the alerts that this PCAP generated.

o View This Import — Loads the PCAP into the Analyze > Summary view with import_id= in the filter bar.

• You cannot directly type import_id= into the filter bar to view the PCAP data, because the proper timespan for the import must also be specified. Always use View This Import to load the PCAP data into the Analyze pages.
• On the Alerts pages, you can type import_id= into the Advanced Filter to see the alerts that were generated by that PCAP.

Storage System Page

On the Statistics > Storage System page, an entry for the imported PCAP is displayed under Active Slot Chain for Interface impt.

• Because PCAPs are imported to the capture drive along with the live captures, imported PCAPs will be overwritten as the capture process cycles.
• As a PCAP is overwritten, the values that indicate size and location gradually decrease. The entry for the PCAP disappears when the PCAP data in the capture drive is completely overwritten.
• When you import multiple PCAPs via the same virtual interface, the system shows the combined statistics for the PCAPs in a single entry.

Capture Summary Page

On the Capture > Summary page, select View > PCAP Import to see the histogram for the PCAP.

• If you selected the Retain original packet timestamps check box during import, the PCAP data will be displayed in its original capture timeframe at the far left of the chart.
• Any activity that the PCAP import generates — such as Intelligence Service requests or classification discards — is displayed using the actual timestamps. For example, if the original packet timestamps are in February and the PCAP is imported the following April (with timestamps retained), the histogram for the PCAP import will be in February and the data enrichment requests it generates will be shown as occurring in April.


Analyze PCAP Files in Wireshark

• To view PCAP files in Wireshark®, download and install that third-party application.
• Follow the Wireshark instructions to import and read PCAP(NG) files.
• Alternatively, open Analyze > [Summary | Reports | Extractions | Geolocation] and then select Actions > Analyze Packets. The PCAP is displayed in the packet analyzer, which has an interface similar to Wireshark's.

Automatically Import PCAP Files

Use watch folders to automatically import PCAP files from a remote server.
Select Capture > Import PCAP and click the Watch Folders tab.
Click New.
Do you need to configure a new server (mount point)?

• Yes — Follow the steps to Configure a Mount Point to configure the new server and directory.
• No — Select an existing mount point and continue the procedure.

For Check for Files, specify the interval to check for new PCAP files.
For Select folders, specify which folder(s) to monitor for new PCAP files. The selected folder names are displayed in the space below.
Optional — Clear the Retain original packet timestamps check box to ignore the PCAP timestamps and use the import start time instead.
Click Create. The system will check the specified folder(s) and automatically upload any new PCAP files that it finds.
Click Manage Connections to edit the information for the watch folder mount points.

Automatically Export PCAP Files

To automatically export PCAP files, use a PCAP Export rule.

Configure a Mount Point

Follow these steps to configure a mount point:
Do one of the following to access the Manage Connections dialog:
• Select Capture > Import PCAP and click Manage Connections.


• On Analyze > [Summary | Reports | Extractions | Geolocation], select Actions > Download PCAP or click the Info icon on the Status bar.

  o Select NFS save for Download Options, and then click the Manage Connections icon.
• Select Analyze > Rules, click New, select PCAP Export for Type, and then click the Manage Connections icon.

On the Manage Connections dialog, click Add New Server.
For Title, specify a unique name for the mount point. You can create multiple mount points on the same server that point to different directories.
For Protocol, select CIFS/SMB or NFS.
For Server, specify the IP address or hostname for the server. Optionally, you can add a port number after a colon: 10.11.12.13:80.
For Directory, type a slash and then the path: /public/saved_pcaps/SA_0344
CIFS/SMB Only — Enter the Username and Password of the account to access the server or directory.
Click Save.


Data Availability

Data availability is a function of two factors:

• Which data enrichment profile was selected when the data was captured
• The rate at which the capture and indexing drives overwrite existing data

Data Enrichment Profiles

Settings > Data Enrichment

Select different "data enrichment profiles" that affect whether metadata, analytical services, and anomaly detection are available for the captured data. Select one of the following options and click Save.

It is not necessary to reboot after changing the data enrichment profile; however, changing from one profile to another may take a few minutes to complete.

• Full Data Enrichment with Anomaly Detection — All services are available:

  o indexing (solera-shaft)
  o reindexing (solera-reindexerd)
  o data enrichment (tonicd)
  o rules and alerts (solera-ruleEngine)
  o artifact extraction (solera-extractord)
  o anomaly detection (adm-connector)
  o IPFIX export (solera-ipfixexport)
  o PCAP export (solera-pcapexport)
• Full Data Enrichment (No Anomaly Detection) — All services are available except anomaly detection (adm-connector).
• Packets Only — All resources are dedicated to writing data to the capture drive as fast as the hardware permits. All of the analytical and metadata services are disabled. To retrieve PCAPs from the drive that were written during Packets Only, use the GET: /pcap/download/merge API; you cannot download filtered PCAPs from the web UI during Packets Only.

Data that was captured during Packets Only — and that has not been overwritten — can be reprocessed to index the data and apply all active rules.


Viewing Data Availability

You can see data availability on Analyze > [Summary | Reports | Extractions | Geolocation] by expanding the timespan selector.

Data availability information is displayed:

• [no message] — All metadata and packet data are available.
• limited packet data — Full metadata is available as well as some packet data.
• metadata only — Full metadata is available but no packet data.
• limited metadata — Some metadata is available but no packet data.
• no data — All packets and metadata have been overwritten, or no data was captured during that time.

In some cases, just after packets have been captured but indexing has not been completed, the data is temporarily not available for searches and reports.

Calendar Display

Click a date to see color-coded information for packet and metadata availability.

• White background — All metadata and packet data are available. Reports, artifacts, and PCAP downloads are available for this data.
• Light pink background — Metadata is available but the corresponding packets have been overwritten. Only reports are available for this data.
• Dark pink background — All packet data and metadata have been overwritten, or no data was captured on those days.


Capture Summary Graph

Capture > Summary

The capture summary graph indicates overwritten data with the dark pink No Data Available area and the light pink Packet Data Overwritten (Metadata Only) area.

Capture summary graph data can remain available after the corresponding packets and metadata have been overwritten because it is not stored on the capture or index drives. See Drive Space Management for information on retaining and deleting capture summary data.

Playback

Use the dsregen command in the CLI for these functions. (Consult the Security Analytics 7.3.x Reference Guide on support.symantec.com.)

Use the playback feature to reconstruct and transmit captured data flows to a physical network interface for analysis. Depending on which data is selected for replay, the data is lifted from the capture drives or regenerated directly from the input interface(s). Play back live data to forward data flows to a physical network interface for analysis. The Symantec Security Analytics appliance can regenerate traffic with less than 1 ms latency, even at high network speeds (up to 10 Gbps).

Create a Playback Session

Select Capture > Summary.


For the output interface, click Start Playback.
Select the input interface(s) whose data you want to include.
Select the Output Interface to be used.

Interfaces that are in use for capture cannot be used as the output interfaces for playback; otherwise, the existing capture sessions will be stopped.

For Time Span, select one of the following:
• All Captured Data — Select to replay all of the data that is currently on the capture drives.
• Live Data — Select to send the data that is currently being captured.
• Custom Time Range — Select to specify the beginning and end.
  o For Start Time, expand the list to select a fixed timespan or specify manually the date and time.

  o Select Never End so that the data continues to play back until you stop it.
  o For End Time, expand the list to select a fixed timespan or specify manually the date and time.
For Speed, select the speed at which the data will exit the output interface.

When sending data from multiple input interfaces to a single output, take into consideration the interface speeds. For example, if you have two 100-Mbps input interfaces and your output interface is also 100 Mbps, you might experience problems with throughput.

To apply a filter to the output interface, expand the Filter list and do one of the following:

• Select or edit an existing filter.
• Select Create New Filter and specify a Name and the BPF Expression for the filter.
Click Save.

The message Playback in Progress is displayed on the interface box if the playback session is successful. Click to see the parameters of the playback.


Many-to-Many Sessions

When a playback session is created, the system merges the input from the physical interfaces and maps it to a virtual interface (ifmX), which then forwards the traffic to another physical output interface. The web interface permits you to specify many-to-one sessions—that is, multiple input interfaces to a single output interface. To create the equivalent of a many-to-many session, you must create one session per output interface.

[Figure: example many-to-many session]

In the example above, there are two output interfaces — eth6 and eth7 — so the following two sessions must be created:

Session   Input        Filter         Output
1         eth2, eth3   [as desired]   eth6
2         eth2, eth3   [as desired]   eth7

CLI Commands for Many-to-Many Session

To set up the session for the mappings in the example, type the following commands. For more information, see dscapture map and dsregen in the Security Analytics 7.3.x Reference Guide on support.symantec.com.

dscapture --map ifm0 eth2
dscapture --map ifm0 eth3
dscapture --map ifm1 eth2
dscapture --map ifm1 eth3
dsregen start ifm0 eth6
dsregen start ifm1 eth7

To limit the session to a particular timespan — from 8:00 a.m. to 5:30 p.m. on April 25, 2017 — type the following commands:

dscapture --map ifm0 eth2
dscapture --map ifm0 eth3
dscapture --map ifm1 eth2
dscapture --map ifm1 eth3
dscapture --settime ifm0 04.25.2017.08.00.00 04.25.2017.17.30.00
dscapture --settime ifm1 04.25.2017.08.00.00 04.25.2017.17.30.00
dsregen start ifm0 eth6
dsregen start ifm1 eth7

Playback of Imported PCAPs

The playback function is currently restricted to captured data. Imported PCAPs are imported through a virtual interface, which cannot be selected for playback.


Data Analysis

This section includes the following topics:

• Summary Views
• Reindexing
• Anomaly Detection
• Metadata Settings
• Open Parser
• Filters
• Universal Connector
• Indicators
• Reports
  o Populating the Reports
• Geolocation
• Encapsulation Detection
• Packet Analyzer


Summary Views

The Summary views in Symantec Security Analytics are collections of report widgets on a single page. Report widgets are discrete graphical elements that summarize data according to selected criteria. A collection of widgets can then be run against a user-selected time period and a user-defined set of filters. See Summary Page for a description of all page elements.

Report Widgets

Analyze > Summary

While the data is still loading for the Summary page, you may click the red Stop Reports button to stop the data from processing.

Included on Security Analytics are report widgets that correspond to the Available Reports. Select a summary view from the view selector.


Use the edit control to change the name, share the view, duplicate the view, or specify a view as the default.

Create a Summary View

You can create a new summary view from a blank view, or you can modify an existing view.
Select Analyze > Summary.
Click the view selector and select Add New View.
Type a name for your new view.
Optional — Select Use flow-based columns to permit the report widgets to adjust to the available width of the window. Clearing this check box forces the report widgets to stay in a fixed-grid location.
Optional — Select Shared to share the view.
Optional — Select Duplicate Existing View? to select a view to duplicate as the new view.
Optional — Select Set as default to make this the default view.
Click Save. You get a blank summary screen and the Add/Edit Widgets dialog box is displayed.
Select one or more report widgets from the Available Reports list and add them to the Selected Reports list. Press Ctrl to select more than one report, and then click the single arrow button to move them to the Selected Reports list.

• The more report widgets in a view, the longer it takes to load the view. For optimal performance and system integrity, limit the number of widgets to 18 per view.

• If the report widgets in the same view are from different namespaces, the reports will take longer to generate.

• Application Group includes the Application Group and the Application Group over Time widgets.


Click Add/Edit Widgets.

On-Demand DNS Resolution

You can immediately resolve IP addresses and host names for selected report and artifact fields on the web UI.

Most local IP addresses will not resolve to a hostname.

Reports and Report Widgets

The View Host to IP and View IP to Host feature is available for these reports:

• HTTP Server
• IPv4 Initiator
• IPv4 Responder
• IPv6 Initiator
• IPv6 Responder

Artifact Entries

The View Host to IP and View IP to Host feature is available for these artifact fields:

• Source IP Address
• Destination IP Address
• URI Host


Reindexing

Also see Reprocessing.

During periods of heavy network activity, the system may not be able to index every packet as it is written to the capture drive. During periods of lower activity, the system returns to the unindexed packets on the capture drive and attempts to finish indexing them.

On the Status bar, the total amount of data in the flows is indicated. If the system has not been able to finish indexing all of the packets, the warning icon is displayed. Click the icon to see how many flows remain to be indexed.

Click Give Priority to This Timespan to move the unindexed flows in the current view to the top of the reindexing queue.

In some cases the warning icon is still visible for several minutes after the reindexing job has finished.

On Capture > Summary, select View > Classification Discards to see the rate at which packets are not immediately indexed.

As soon as a flow has been indexed, it is examined by the rules engine. If the flow matches a rule, the flow will be processed according to the instructions in the rule.

To see reindexing jobs, select Capture > Summary > Actions > Reprocess. Reindexing jobs show 1 in the Command column.


Report Widget Controls

To reveal the report widget controls, place your cursor over the widget header.

1 Move Widget
2 Widget Settings
3 Delete Widget

1 Sort-by Field — Select from the widget name or bytes, packets, sessions, IP fragments, or bad checksums.
2 Order — Ascending, Descending
3 View — Table, Pie, Column, Bar
4 Resolution — Select the check box and slide the selector to the desired resolution.

The settings affect only this report widget in this view. If this report widget is present in other views, the settings on those views will not be changed.


Application Group Widgets

Two widgets — Application Group and Application Group over Time — are different from the other widgets; user configuration is limited to session-resolution settings. The Application Group widget has Bytes, Packets, and Sessions columns. The Application Group over Time widget is a histogram of the Application Group widget. Place your cursor over a data point to see the details.

When adding widgets to a view, selecting Application Group adds both the Application Group and the Application Group over Time widget to the view.

Apply Filters to Summary Views

To apply a filter to a summary view, see Primary Filters and Indicators.

Save the Output of a Summary View

The output of a summary view can be saved on the appliance and viewed on the Report Status list.
Select Analyze > Summary and select the desired view.
Add, delete, and modify the report widgets as desired.
Add any filters that you want.
Select Actions > Save in the upper-right corner of the interface.
Type a name for the saved output (max 300 characters).
If you click Save before the system has finished processing the data, you have the option to:

• Save and Stop — Save only the data that was processed before you clicked Save and Stop.
• Save and Continue — The save operation will continue until all data is processed.
If you click Save after Status shows Finished (100%), all of the results are saved.
Retrieve the saved results by selecting Analyze > Report Status > List. There is a separate report entry for each widget.

Click View Report to see the report in the Reports (not Summary) view.


Session Resolution

In the Summary, Reports, and Geolocation views, the session resolution percentage is located on the status bar. The purpose of this feature is to limit reports to a subset of data, which allows quicker display of data.

Adjust Session Resolution

Click the session resolution value for the view.

Slide the bar to the percentage of data that you want to view.

Anomaly Detection

Also see: Anomaly Detection Process

Anomaly Detection and Modeling (ADM) provides visibility into abnormalities in your traffic patterns. By evaluating traffic in 10-minute analysis windows, ADM determines which traffic is normal for your network and then creates alerts for outlier network behavior. Because ADM folds all received traffic into the baseline, regularly occurring "anomalies" will eventually become part of the baseline. The longer ADM runs, the fewer false positives it will register.

ADM requires an appliance or VM with at least 64 GB RAM to function properly. Less memory will result in degraded performance and missed alerts. To disable anomaly detection, select the appropriate Data Enrichment Profile.

Enabling Anomaly Detection

ADM is automatically enabled when newly installing or upgrading to Security Analytics 7.2.1 through 7.3.1.

It takes approximately 6 hours for ADM to establish a baseline and then begin to report anomalies. See Anomaly Detection Process for more information.


To disable ADM, go to Settings > Data Enrichment and select one of the following Profiles:

• Full Data Enrichment (No Anomaly Detection)
• Packets Only

To enable remote notification of anomalies, go to Settings > Communication > Advanced.

• Under Remote Notifications, select the Anomaly Events check box for Email, SNMP, or Remote Syslog, as desired. (Select the check box for Local to see anomalies in the Audit Log.)
• Set up the corresponding remote notification method(s) on Settings > Communication > Server Settings.
• See the format for anomaly notifications.

Anomalies Pages

Select Analyze > Anomalies to see the Anomalies pages: Summary and List.

Anomalies Summary

The Anomalies Summary page displays a series of tables that show which IP addresses, URL categories, countries, and applications have been involved in anomalous traffic. Click a value to add it to the Advanced Filter.

Anomalies List

The Anomalies List displays the following: (Also see Interpreting Individual Messages.)

1 Anomaly — Anomaly message.
2 Time of Detection — Start time of the analysis window, which ends 10 minutes later.
3 Score — Amount of deviation from the baseline on a scale of 0–9; higher numbers indicate greater deviation.
4 Clear — Click to delete all visible anomalies.
5 Actions — Click to view the anomaly in the Anomaly Investigation view with the over-field value in the primary filter bar.
6 Analysis Window — Timespan for the view when you click View Report Summary.
7 Function — Type of operation used to detect the anomaly.
8 Field — The attribute that is to be analyzed as a metric.
9 Over Field — The initiator or responder IP that is associated with the anomalous activity. (For the URL categories anomaly this is a By Field, which is a specific value of the field that is analyzed as a metric.)
10 Partition Field — Each distinct value in this field constitutes a separate category for analysis. Not present for all anomalies.
11 Baseline Value — The mean value of this same combination of Field, Over Field, and Partition Field during a comparable analysis window.*
12 Anomalous Value — An outlier value, compared to several standard deviations from the baseline.

Filtering Anomaly Alerts

The Advanced Filter on the Anomalies page permits you to filter the messages by the attributes shown on the Advanced-Filter Attributes page. To find a particular type of anomaly you might need to search on two fields.

Message                                              Search On
Large data transfer by , located in                  partition_field_name~country
Excessive data transfer by while using               partition_field_name~id
sending long strings to DNS server                   function~info
using numerous applications                          field_name~id
Many conversations between and multiple              function~distinct AND (field_name~ip OR field_name~port)
contacting a high number of countries                field_name~country
URL category getting high amount of traffic.         by_field_name~url


Anomaly Investigation View

The Anomaly Investigation view is a default summary view that is opened when you pivot from View Report Summary. The half-hour timespan for the report begins 20 minutes before the analysis window starts so that you can more clearly see when the anomaly occurred in the Application Group over Time histogram. Included in the Anomaly Investigation view are report widgets for most of the attributes that ADM analyzes.

• Application Group
• Application Group over Time
• Application
• IPv4 Initiator
• IPv4 Responder
• Flow Duration (sorted ASC by duration)
• Size in Bytes (sorted ASC by bytes)
• Country Initiator
• Country Responder
• Port Initiator
• Port Responder
• DNS Answer Name

On this page you can:

• Select Actions > Save to save the metadata on Analyze > Report Status.
• Select Actions > Download PCAP to save the packet data.
• Add or delete widgets from the view.
• Edit widgets for a customized display.
• Select Actions > Analyze Packets to see the packets in a Wireshark-like interface.

Anomaly Detectors

The ADM detectors consist of the following parameters:

Message                                                    Function             Field                                        Over Field                    Partition Field
Large data transfer by IP [initiator | responder],         high_sum             total_bytes                                  initiator_ip / responder_ip   initiator_country / responder_country
located in
Excessive data transfer by IP [initiator | responder]      high_sum             total_bytes                                  initiator_ip / responder_ip   application_ids
while using
IP [initiator | responder] sending long strings to         high_info_content    dns_name                                     initiator_ip / responder_ip   —
DNS server(s)
IP [initiator | responder] using numerous applications     high_distinct_count  application_ids                              initiator_ip / responder_ip   —
Many conversations between IP [initiator | responder]      high_distinct_count  responder_ip / responder_port / initiator_ip initiator_ip / responder_ip   —
and multiple [[initiator | responder] ips |
[initiator | responder] ports]
IP [initiator | responder] contacting a high number of     high_distinct_count  initiator_country / responder_country        initiator_ip / responder_ip   —
countries
URL category § getting high amount of traffic.             high_count           —                                            url_categories*               —


* This is a By Field rather than an Over Field.
§ URL categories for anomalies are available only with the Web Reputation Service.

Anomaly Notification Format

Format for anomaly notifications in the audit log. Not all fields are present in every message:

Anomaly: score= anomaly_score= typical= actual= probability= actual_probability=]> create_time= start_time= end_time= function='' partition_field_name='' partition_field_value='' field_name='' by_field_name='' by_field_value='' over_field_name='' over_field_value='' link=' https:/// '

Web UI Display Correlation

The attributes in the notifications correspond to the web UI fields as follows:

• score — A normalization of probability to values 0–9. Score uses the same schema as the data-enrichment verdicts.
• anomaly_score — A sophisticated aggregation of the anomaly records. The calculation is optimized for high throughput, gracefully ages historical data, and reduces the signal-to-noise levels. It adjusts for variations in event rate, takes into account the frequency and the level of anomalous activity, and is adjusted relative to past anomalous behavior. The higher the anomaly_score, the more likely the anomaly is worthy of further investigation.
• typical — Baseline Value
• actual — Anomalous Value
• probability — Calculated using anomaly_score and actual_probability and normalized to values 0.00–100.00.
• actual_probability — Statistical probability of the anomalous value occurring during a comparable analysis window*
• create_time — Time of Detection
• start_time — Analysis Window start time
• end_time — Analysis Window end time
• function — Function
• partition_field_name — Partition Field
• partition_field_value — Value in Partition Field
• field_name — Field
• by_field_name — By Field
• by_field_value — Value in By Field
• over_field_name — Over Field
• over_field_value — Value in Over Field
• link — Opens to the default Summary view (not the Anomaly Investigation view).

Tuning ADM Settings

The following settings in /etc/solera/config/adm-conn-config.json control some of the behavior of ADM:

{
  "connector_config" : {
    "anomaly_threshold" : 80.00,
    "long_poll_timeout" : 60,
    "hours_to_limit_anomalies" : 6
  }
}

• anomaly_threshold — Valid values: 0.00–100.00. Anomalies with a score lower than this value are not posted. ADM uses a scale of 0.00–100.00, and the web interface normalizes this score to a scale of 1–10.
• long_poll_timeout — Valid values: 30–200. Number of seconds for ADM to respond to a query before Security Analytics repeats the query.
• hours_to_limit_anomalies — Valid values: 0–720. Amount of time before anomalies begin to be posted. If the value is set to 0, ADM runs for ~50 minutes before posting anomalies.

After making any changes to the configuration file, restart the ADM connector:

The default behavior of ADM is therefore:

• For the first 6 hours of system uptime, no alerts are generated while ADM establishes a baseline.
• Only anomalies that have a score of 8 or higher are posted.
• Security Analytics polls ADM for anomaly results every 60 seconds until it gets a response.
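As an added example that is not part of the Symantec guide, the following Python validates the three connector settings against the ranges documented above and parses an audit-log notification in the format shown earlier into a dictionary, then applies anomaly_threshold to it. The sample configuration and notification line are constructed; the assumptions that the threshold is compared with the anomaly_score field and that the web UI's 1–10 score is the 0.00–100.00 value divided by ten are mine, not the guide's.

```python
"""Added example (not Symantec code): check adm-conn-config.json settings and
parse 'Anomaly:' audit-log notifications.

Assumptions not stated in the guide: a notification is one line of key=value
pairs with text values in single quotes; anomaly_threshold is compared with the
anomaly_score field; the web UI score is anomaly_score // 10.  All sample data
below is constructed.
"""
import json
import re

# Valid ranges documented for /etc/solera/config/adm-conn-config.json
ADM_RANGES = {
    "anomaly_threshold": (0.0, 100.0),
    "long_poll_timeout": (30, 200),
    "hours_to_limit_anomalies": (0, 720),
}


def validate_adm_config(text):
    """Parse the config file text and return the connector_config dict.
    Raises ValueError if a documented setting is missing or out of range."""
    cfg = json.loads(text).get("connector_config", {})
    for key, (lo, hi) in ADM_RANGES.items():
        if key not in cfg:
            raise ValueError(f"missing setting: {key}")
        if not lo <= cfg[key] <= hi:
            raise ValueError(f"{key}={cfg[key]} is outside {lo}-{hi}")
    return cfg


# key=value, where value is either single-quoted text or a bare token
_FIELD_RE = re.compile(r"(\w+)=(?:'([^']*)'|(\S+))")
_NUMERIC = {"score", "anomaly_score", "typical", "actual",
            "probability", "actual_probability"}


def parse_anomaly(line):
    """Turn one 'Anomaly: ...' line into a dict; numeric fields become floats,
    quoted fields (including empty ones) stay strings."""
    if not line.startswith("Anomaly:"):
        raise ValueError("not an anomaly notification")
    fields = {}
    for key, quoted, bare in _FIELD_RE.findall(line):
        value = quoted if quoted else bare      # empty quotes -> ''
        fields[key] = float(value) if key in _NUMERIC else value
    return fields


def web_ui_score(anomaly_score):
    """Assumed mapping of the 0.00-100.00 ADM scale onto the UI's 1-10 scale
    (the guide only states that the 80.00 default corresponds to 8)."""
    return max(1, min(10, int(anomaly_score // 10)))


def is_posted(fields, cfg):
    """Anomalies scoring below anomaly_threshold are not posted."""
    return fields["anomaly_score"] >= cfg["anomaly_threshold"]


# Constructed sample data, not captured from an appliance.
SAMPLE_CONFIG = """{ "connector_config" : { "anomaly_threshold" : 80.00,
  "long_poll_timeout" : 60, "hours_to_limit_anomalies" : 6 } }"""

SAMPLE_LINE = (
    "Anomaly: score=8 anomaly_score=83.27 typical=12 actual=941 "
    "probability=91.3 actual_probability=0.0007 "
    "create_time=2019-05-13T10:15:00Z start_time=2019-05-13T10:00:00Z "
    "end_time=2019-05-13T10:15:00Z function='high_count' "
    "partition_field_name='' partition_field_value='' field_name='' "
    "by_field_name='url_categories' by_field_value='File Storage' "
    "over_field_name='' over_field_value='' "
    "link='https://sa.example.invalid/summary?flow_id=12345'"
)

if __name__ == "__main__":
    config = validate_adm_config(SAMPLE_CONFIG)
    anomaly = parse_anomaly(SAMPLE_LINE)
    print("posted:", is_posted(anomaly, config),
          "ui score:", web_ui_score(anomaly["anomaly_score"]))
```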

Metadata Settings

• Select Settings > Metadata to enable or disable hundreds of report attributes. Changes to this page will cause the appliance to reboot.
• Reports that were present in versions previous to 7.3.2 are selected by default.
• Permissions for this page are automatically enabled for the admin group upon upgrade to version 7.3.2; other user groups do not have this permission.

For each metadata attribute that you select, the following will be true:

• You can include its report widget in Summary views. (More than 18 widgets per view will compromise system performance and integrity.)
• Its report is available on Analyze > Summary > Reports under its respective report group.
• The attribute is available in the primary filter bar.

Table Columns

For each report group there is a table with the following columns:

• Report — Name of the report, as presented on the Analyze > Reports page.
• Attribute — The primary filter attribute that corresponds to the report. Use the attribute when creating queries. The attribute is visible on the Metadata Settings page when resting the cursor on the report name.
• Description — A description of the data in the report.
• Namespace — The namespace to which the metadata belongs.
  o A Summary view that contains report widgets from different namespaces will take longer to complete.
  o When creating complex primary filters, attributes from different namespaces are valid only when joined by AND.
• Source — The source of the data in the report, such as packet header or metadata indexer.
• Format — The format for the data in the report, such as string or integer.
• Num/Len — An X in this column means that you can use the length len() or number num() function in the primary filter bar. num() returns the flows that contain the specified number of the attribute; len() returns the attribute with the specified length. For example, len(filename)=6 returns all of the flows that contain a six-character filename, whereas num(filename)=6 returns all of the flows that contain six instances of the filename attribute.

Wildcards are not valid for the len() and num() functions.

• New — An X in this column means that the report is new in Security Analytics 7.3.2.

General Information

• Only the first 4096 bytes of an attribute are stored in the Indexing DB.
• Select Actions > Download Raw TSV from any Analyze page (Summary | Reports | Extractions | Geolocation) to download a tab-delimited file that contains selected attributes and their values for the timespan.
• See how to use the attributes in the primary filter, including complex filters.

Application

The Application attributes cannot be disabled.

Application Reports

| Report | Attribute | Description | Namespace | Source | Format | Num/Len | New |
|---|---|---|---|---|---|---|---|
| Application | application_id | One of over 2700 recognized applications | flows | DPI engine | string | X | |
| Application Group | application_group | One of 35 groups to which the applications are assigned | flows | DPI engine | string | X | |

Custom Analytics

The Custom Analytics reports are not visible on the Metadata Settings page. Enable or disable open-parser rules on Analyze > Rules to enable or disable the corresponding reports.

Custom Analytics Reports

| Report | Attribute | Description | Namespace | Source | Format | Num/Len | New |
|---|---|---|---|---|---|---|---|
| * | | Reports are populated only when the rule specifies: Add flag to metadata; Add matching value to metadata; Add succeeding value to metadata until this delimiter | flows | Regular expression in open-parser rule | string | X | |

* The name of the open parser rule is converted to all lower-case letters, and underscores replace spaces.

Database

Database Reports

| Report | Attribute | Description | Namespace | Source | Format | Num/Len | New |
|---|---|---|---|---|---|---|---|
| Database Query | database_query | Query sent to the database | flows | Packet header, multiple protocols | string | X | |
| TNS Base | tns_base | Name of accessed database | flows | Packet header | string | X | X |
| TNS Client Hostname | tns_client_hostname | Client machine hostname | flows | Packet header | string | X | X |
| TNS Client OS | tns_client_os | Client machine operating system | flows | Packet header | string | X | X |
| TNS Client Program Name | tns_client_program_name | Client program name | flows | Packet header | filename | X | X |
| TNS Client Program Path | tns_client_program_path | Client program absolute path | flows | Packet header | filepath/filename.ext | X | X |
| TNS Content Length | tns_content_length | Length in header field | flows | Packet header | integer | X | X |
| TNS Login | tns_login | User login; also included in the Social Persona report | flows | Packet header | string | X | X |
| TNS MTU data | tns_mtu | Maximum Transmission Unit size | flows | Packet header | integer | X | X |
| TNS Password | tns_password | Password to access the TNS server; also included in the Password report | flows | Packet header | string | X | X |
| TNS Query | tns_query | Database query; also included in the Database Query report | flows | Packet header | string | X | X |
| TNS Server Hostname | tns_server_hostname | Database server hostname | flows | Packet header | 9.9.9.9 or hostname.tld | X | X |
| TNS Server OS | tns_server_os | Database server | flows | Packet header | string | X | X |
| TNS Version | tns_version | Version number of Oracle server | flows | Packet header | integer | X | X |

DNS

DNS Reports

| Report | Attribute | Description | Namespace | Source | Format | Num/Len | New |
|---|---|---|---|---|---|---|---|
| DNS ANCOUNT | dns_ancount | Number of records in the answer section | flows | Packet header | integer | X | |
| DNS Answer Name | dns_name | URLs in the answer section of the DNS response | flows | Packet header | domain.tld | X | |
| DNS ARCOUNT | dns_arcount | Number of additional records | flows | Packet header | integer | X | X |
| DNS Autogenerated Domain | autogenerated_domain | DNS server name, SSL common name, or SSL server name that may have been created by a DGA; this attribute cannot be disabled | flows | DGA detector | score - protocol - name | | |
| DNS Autogenerated Domain Score | autogenerated_domain_score | Probability that the DNS server name, SSL common name, or SSL server name was created by a DGA (9 = highest probability); this attribute cannot be disabled | flows | DGA detector | integer | | |
| DNS Flags | dns_flags | 16-bit representation of some DNS header flags: QA, Opcode, AA, TC, RD, RA, Z, RCODE | flows | Packet header | hex | X | X |
| DNS Host | dns_host | DNS server name | flows | Packet header | domain.tld | X | X |
| DNS Host Type | dns_host_type | DNS response type: IP address, authoritative name server, primary name server, canonical name, domain name pointer, IPv6 address | flows | Packet header | string | X | X |
| DNS IPv4 Answer | dns_host_ipv4_addr | IPv4 addresses that resolve to the URL | flows | Packet header | 9.9.9.9 | X | |
| DNS IPv6 Answer | dns_host_ipv6_addr | IPv6 addresses that resolve to the URL | flows | Packet header | a9a9::a9a9:a9a9 | X | |
| DNS Message Type | dns_message_type | Message type: QUERY, RESPONSE | flows | Packet header | string | X | X |
| DNS NSCOUNT | dns_nscount | Number of answers in the Authority section | flows | Packet header | integer | X | X |
| DNS QDCOUNT | dns_qdcount | Number of queries in the request | flows | Packet header | integer | X | X |
| DNS Query | dns_query | URL for which a DNS query is made | flows | Packet header | 9.9.9.9IN-ADDR-ARPA or domain.tld | X | |
| DNS Query Type | dns_query_type | DNS query type | flows | Packet header | string | X | X |
| DNS Reply Code | dns_reply_code | Return message | flows | Packet header | string | X | X |
| DNS Response Time | dns_response_time | Elapsed time between sending of the DNS request and reception of its response | flows | Packet header | 9.99 | X | X |
| DNS Reverse Addr | dns_reverse_addr | IP address returned to the pointer request | flows | Packet header | 9.9.9.9 | X | X |
| DNS Reverse Addr6 | dns_reverse_addr6 | IPv6 address returned to the pointer request | flows | Packet header | a9a9::a9a9:a9a9 | X | X |
| DNS Section Type | dns_section_type | Type of section for each DNS answer | flows | Packet header | string | X | X |
| DNS Transaction ID | dns_transaction_id | DNS unique transaction ID | flows | Packet header | hex | X | X |
| DNS TTL | dns_ttl | Time (in seconds) DNS information returned by the server will be kept in cache | flows | Packet header | integer | X | X |
| DNS Web Application Info | dns_web_application_info | Metadata for the classification of known HTTP-based web applications | flows | Packet header | [application]/9.9.9.9 | X | |

Email

Email Reports

| Report | Attribute | Description | Namespace | Source | Format | Num/Len | New |
|---|---|---|---|---|---|---|---|
| Email Recipient | email_recipient, email_address | Email address in the receiver field | flows | Packet header, multiple protocols | name@domain.tld | X | |
| Email Sender | email_sender, email_address | Email address in the sender field | flows | Packet header, multiple protocols | name@domain.tld | X | |
| Email Subject | subject | Email subject | flows | Packet header, multiple protocols | string | X | |
| Email URI | mail_uri | URIs extracted from email and HTTP artifacts | flows | Open-parser rule | string | X | |
| SMTP Header Raw | smtp_header_raw | Fields and values in the header | flows | Packet header | string | X | X |
| SMTP X-Mailer | smtp_xmailer | The user agent of the mailer | flows | Packet header | string | X | X |

Encryption

• Encrypted Heartbleed Attacks — If a "Heartbleed" attack is contained within an encrypted heartbeat message, the tls_heartbeat_attack_attempt attribute cannot detect it; however, a successful attempt will be detected by tls_heartbeat_mismatch.

Encryption Reports

| Report | Attribute | Description | Namespace | Source | Format | Num/Len | New |
|---|---|---|---|---|---|---|---|
| SSL Certificate Serial Number | ssl_serial_number | Serial number of certificate | flows | Packet header | hex | X | |
| SSL Cipher Suite | ssl_cipher_suite | Cipher suite used in the SSL session | flows | Packet header | string | X | X |
| SSL Cipher Suite List | ssl_cipher_suite_list | List of cipher suites supported by the client | flows | Packet header | string | X | |
| SSL Common Name | ssl_common_name | Domain name mentioned in the certificate | flows | Packet header | URL | X | |
| SSL Handshake Type | ssl_handshake_type | Handshake type | flows | Packet header | integer | X | X |
| SSL Issuer | ssl_issuer | Certificate authority | flows | Packet header | string | X | X |
| SSL Organization Name | ssl_organization_name | Organization name mentioned in the certificate | flows | Packet header | string | X | X |
| SSL Protocol Version | ssl_protocol_version | Indicates which SSL/TLS protocol was chosen by the server for this session | flows | Packet header | string | X | |
| SSL Request Size | ssl_request_size | Contains the total length in bytes of the request or the response (including SSL headers); this attribute is computed at the end of the request or response | flows | Packet header | integer | X | X |
| SSL Subject Alt Name | ssl_subject_alt_name | Identifies a list of host names which belong to the same certificate | flows | Packet header | URL | X | X |
| SSL Supported Next Protocol | ssl_supported_next_protocol | Supported protocol on top of SSL, specified by the server in the Next Protocol Negotiation TLS extension | flows | Packet header | string | X | X |
| SSL Version | ssl_version | Protocol version: v2, v3 | flows | Packet header | string | X | |
| TLS Heartbleed Attack Attempted | tls_heartbeat_attack_attempt | Number of sessions in which the payload_length field of the heartbeat_request does not match the (D)TLSPlaintext.length field; this attribute cannot be disabled | flows | Metadata indexer | binary | | |
| TLS Heartbleed Mismatch | tls_heartbeat_mismatch | Number of sessions in which the heartbeat_request and heartbeat_response payloads are not equal in length; this attribute cannot be disabled | flows | Metadata indexer | binary | | |

File

File Reports

| Report | Attribute | Description | Namespace | Source | Format | Num/Len | New |
|---|---|---|---|---|---|---|---|
| Detected File Type | file_type | Derived from the file_type field in the headers for HTTP, IMAP, POP3, and SMTP | flows | Metadata indexer | string | X | |
| File Extension | file_extension | File extensions derived from the filename field; this attribute cannot be disabled | flows | | string | | |
| File Name | filename | File name | flows | | string | X | |
| FTP Method | ftp_method | FTP commands such as PASS, USER, RETR, and OPTS | flows | Packet header | string | X | X |
| Fuzzy Hash* | fuzzy_hash | Fuzzy hash of the artifact | groups | Rules engine + extractor | hex | | |
| MD5 Hash* | md5_hash | MD5 hash of the artifact | groups | Rules engine + extractor | hex | | |
| Presented MIME Type | mime_type | Content type of the request or the web page | flows | Packet header | string | X | |
| SHA1 Hash* | sha1_hash | SHA1 hash of the artifact | groups | Rules engine + extractor | hex | | |
| SHA256 Hash* | sha256_hash | SHA256 hash of the artifact | groups | Rules engine + extractor | hex | | |
| SMB Command | smb_command | Command number used | flows | Packet header | integer | X | X |
| SMB Command String | smb_command_string | Command name | flows | Packet header | string | X | X |
| SMB Dialect | smb_dialect | The version of the SMB Protocol | flows | Packet header | string | X | X |
| SMB Dialect Index | smb_dialect_index | Index of the selected SMB Protocol version | flows | Packet header | integer | X | X |
| SMB Domain | smb_domain | Domain name | flows | Packet header | string | X | X |
| SMB File Attributes | smb_file_attributes | File attributes (bit field) | flows | Packet header | integer | X | X |
| SMB File Chunk Data Offset | smb_file_chunk_data_offset | Offset of the transferred data | flows | Packet header | integer | X | X |
| SMB File Chunk Length | smb_file_chunk_len | Size of the transferred piece | flows | Packet header | integer | X | X |
| SMB File ID | smb_file_id | Identifier of the file affected by the command (USMB v1: 4 char; USMB v2: 32 char) | flows | Packet header | hex | X | X |
| SMB File Name | smb_filename | Full name of the file or directory; also included in the File Name report | flows | Packet header | string | X | |
| SMB File Size | smb_filesize | Size (bytes) of the transferred file | flows | Packet header | integer | X | X |
| SMB Loadway | smb_loadway | The file transfer direction (upload or download) | flows | Packet header | string | X | X |
| SMB Login | smb_login | Login of the user; also included in the Social Persona report | flows | Packet header | string | X | |
| SMB Native LAN Manager | smb_native_lan_manager | The native LAN manager type | flows | Packet header | string | X | X |
| SMB Native OS | smb_native_os | Client's operating system | flows | Packet header | string | X | X |
| SMB Path | smb_path | The server/share name of the resource to which the client attempts to connect | flows | Packet header | filepath | X | X |
| SMB Process ID | smb_process_id | Identifier of the process being affected by the command that follows | flows | Packet header | integer | X | X |
| SMB Query ID | smb_query_id | Indexes and correlates requests and responses | flows | Packet header | integer | X | X |
| SMB Query Type | smb_query_type | Indicates if the message is a request (1) or a response (2) | flows | Packet header | integer | X | X |
| SMB Search Attributes | smb_search_attributes | An attribute mask used to specify the standard attributes a file must have in order to match the search | flows | Packet header | integer | X | X |
| SMB Search Pattern | smb_search_pattern | The file pattern to search for | flows | Packet header | string | X | X |
| SMB User ID | smb_user_id | User identifier (SMB USMB v1 only) | flows | Packet header | integer | X | X |
| SMB Version | smb_version | Protocol version | flows | Packet header | integer | X | X |
| VoIP ID | voip_id | Identifier for a VoIP conversation | flows | Packet header | integer | X | |

* The hash reports are not populated by the DPI engine nor the metadata indexer. Hashes are calculated by the extractor under the following circumstances:

• At least one data-enrichment rule is activated — and that rule sends either a file or a file hash to one of these enrichment providers:
  o File Reputation Service
  o YARA
  o ICAP
  o Cuckoo
  o Malware Analysis
  o FireEye AX-series
  o Calculate and Store Hashes
  o Lastline File or Hash
  o ClamAV
  o TitaniumScale
  o jsunpack-n
  o VirusTotal File or Hash
• Fuzzy Hash Only — Fuzzy-hash reports are not populated until after you edit /etc/solera/extractor/extractord.conf as shown and then run systemctl restart solera-extractord:

  # Flag to calculate the fuzzy hash
  calc_fuzzy_hash=1    <== Uncomment this line and set the value to 1

• Because the hash reports contain data that is calculated after the flows are sent through the rules engine, you cannot use hash attributes as valid indicators for rules. For example, md5_hash~93fd02e cannot trigger a rule; however, it can be a valid primary or advanced filter.

Enable hash calculation for manual extractions on Settings > System. (Those settings do not affect hash-related reports.)

• Hash Searches — When using the md5_hash, sha1_hash, and sha256_hash attributes, the match must be exact to produce a result, but for fuzzy_hash you can specify how much of the hash must match.
  o Command Line Interface — /fuzzy_hash/_ge_abc123eae%2570/ will find fuzzy hashes that have a 70% or higher match. To specify a range — for example, between 70–80% — type /fuzzy_hash/_ge_abc123eae%2570_and_le_abc123eae%2580/. Note that the percent sign must be URL-encoded as %25.
  o Web UI — For fuzzy_hash>=abc123eae%70 the percent sign should not be URL-encoded.

Geographical

Geographical Reports

| Report | Attribute | Description | Namespace | Source | Format | Num/Len | New |
|---|---|---|---|---|---|---|---|
| Country Initiator | country_initiator | Location of the initiator | flows | MaxMind database IP correlation | string | | |
| Country Responder | country_responder | Location of the responder | flows | MaxMind database IP correlation | string | | |

Network Layer

• Initiator/Responder Fields — The field that provides the value for these attributes depends on the host’s role in a flow: the host that sends the first SYN packet is the initiator and the host that sends the corresponding SYN+ACK packet is the responder. Also see Flows in Security Analytics.

Network Layer Reports

| Report | Attribute | Description | Namespace | Source | Format | Num/Len | New |
|---|---|---|---|---|---|---|---|
| Ethernet Initiator | ethernet_initiator, ethernet_address | MAC address of session initiator | flows | Frame header + metadata indexer | a9:a9:a9:a9:a9:a9 | | |
| Ethernet Initiator Vendors | ethernet_initiator_vendors, ethernet_address_vendors | Vendor name of the initiator NICs | flows | Frame header + vendor ID file | string:a9:a9:a9 | | |
| Ethernet Protocol | ethernet_protocol | Layer 3 protocol (IPv4 or IPv6) | flows | Frame header | integer | | |
| Ethernet Responder | ethernet_responder, ethernet_address | MAC address of session responder | flows | Frame header + metadata indexer | a9:a9:a9:a9:a9:a9 | | |
| Ethernet Responder Vendors | ethernet_responder_vendors, ethernet_address_vendors | Vendor name of the responder NICs | flows | Frame header + vendor ID file | string:a9:a9:a9 | | |
| Flow Duration | flow_duration | Length of the flow in seconds; this attribute cannot be disabled | flows | Metadata indexer | floating point | | |
| Flow ID | flow_id | Unique identifier for the flow; this attribute cannot be disabled | flows | Metadata indexer | integer | | |
| Interface | interface | Interface the data was captured on; this attribute cannot be disabled | flows | Metadata indexer | ethX, imptX | | |
| IP Bad Checksums | ip_bad_csums | Number of bad checksums; best used with !=0; this attribute cannot be disabled | flows | Metadata indexer | integer | | |
| IP Fragments | ip_fragments | Number of IP fragments; best used with !=0; this attribute cannot be disabled | flows | Metadata indexer | integer | | |
| IP Protocol | ip_protocol | IP protocols used: TCP, UDP, ICMP, OSPFGP | flows | Packet header | string | | |
| IPv4 Conversation | n/a | IPv4 addresses of both hosts in a session; data for this report is assembled only when the report is called; this report is not visible on the Metadata Settings page and cannot be disabled | | Query handler | 9.9.9.9-9.9.9.9§ | | |
| IPv4 Initiator | ipv4_initiator, ipv4_address | IPv4 addresses of hosts that initiated a session | flows | Packet header + metadata indexer | 9.9.9.9§ | | |
| IPv4 Port Conversation | n/a | IPv4 addresses and ports of both hosts in a session; data for this report is assembled only when the report is called; this report is not visible on the Metadata Settings page and cannot be disabled | n/a | Query handler | 9.9.9.9§:port-9.9.9.9:port | | |
| IPv4 Responder | ipv4_responder, ipv4_address | IPv4 addresses of hosts that answered a session request | flows | Packet header + metadata indexer | 9.9.9.9§ | | |
| IPv6 Conversation | n/a | IPv6 addresses of both hosts in a session; data for this report is assembled only when the report is called; this report is not visible on the Metadata Settings page and cannot be disabled | n/a | Query handler | a9a9::a9a9:a9a9§-a9a9::a9a9:a9a9 | | |
| IPv6 Initiator | ipv6_initiator, ipv6_address | IPv6 addresses of hosts that initiated a session | flows | Packet header + metadata indexer | a9a9::a9a9:a9a9§ | | |
| IPv6 Port Conversation | n/a | IPv6 addresses and ports of both hosts in a session; data for this report is assembled only when the report is called; this report is not visible on the Metadata Settings page and cannot be disabled | n/a | Query handler | a9a9::a9a9:a9a9§:port-a9a9::a9a9:a9a9:port | | |
| IPv6 Responder | ipv6_responder, ipv6_address | IPv6 addresses of hosts that answered a session request | flows | Packet header + metadata indexer | a9a9::a9a9:a9a9§ | | |
| Link-Local Multicast Name Resolution | machine_id_llmnr | Hostname resolution on the local link | flows | Packet header | string | X | |
| Machine ID | machine_id, netbios_caller | Name of the caller; also | flows | Packet header | string | | |
| NBNS Query | nbns_query | NetBIOS name server query sent | flows | Packet header | string | X | X |
| NBNS Query Type | nbns_query_type | NetBIOS name server query type | flows | Packet header | string | X | X |
| NBNS Service | nbns_service | NetBIOS name server service name | flows | Packet header | string | X | X |
| NetBIOS Callee | netbios_callee | Name of the called member | flows | Packet header | string | X | X |
| NetBIOS Caller | netbios_caller | Name of the caller; also the Machine ID report | flows | Packet header | string | X | X |
| NetBIOS Command | netbios_command | Message command value | flows | Packet header | string | X | X |
| NetBIOS Message Type | netbios_message_type | The message type | flows | Packet header | string | X | X |
| Packet Length | packet_length | The length of the packets captured | packets | Frame header | integer | | |
| Port Initiator | port_initiator, port | Port of sending application | flows | Packet header | integer | | |
| Port Responder | port_responder, port | Port of responding application | flows | Packet header | integer | | |
| Size in Bytes | bytes | Number of bytes in the flow | flows | Metadata indexer | integer | | |
| Size in Packets | packets | Number of packets in the flow | flows | Metadata indexer | integer | | |
| Syslog Message | syslog_syslog_message | Syslog message body | flows | Payload | string | X | |
| TCP Initiator | tcp_initiator, tcp_port, port | TCP port of initiating application | flows | Packet header | integer | | |
| TCP Responder | tcp_responder, tcp_port, port | TCP port of responding application | flows | Packet header | integer | | |
| Tunnel Initiator | tunnel_initiator_ip | IPv4 or IPv6 of the GRE tunnel initiator; this attribute cannot be disabled | flows | Packet header | 9.9.9.9§ or a9a9::a9a9:a9a9 | | |
| Tunnel Responder | tunnel_responder_ip | IPv4 or IPv6 of the GRE tunnel responder; this attribute cannot be disabled | flows | Packet header | 9.9.9.9§ or a9a9::a9a9:a9a9 | | |
| UDP Initiator | udp_initiator, udp_port, port | UDP port of initiating application | flows | Packet header | integer | | |
| UDP Responder | udp_responder, udp_port, port | UDP port of responding application | flows | Packet header | integer | | |
| VLAN ID | vlan_id | Virtual LAN ID; this attribute cannot be disabled | flows | Frame header | integer | | |

§ For IPv4 and IPv6 networks you can input CIDR notation as follows:
• 10.63.*.*
• 10.63.0.0_16
• 10.63.0.0/16
• 2001::/31
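The notations in the § note are alternative spellings of one network. As an added example that is not part of the guide, this Python normalizes each accepted form into an ipaddress network and tests whether an address falls inside it, so a filter value can be checked before it is typed into the primary filter bar. The helper names are mine; whether the appliance accepts host bits set inside the prefix is not documented, so the example requires them to be zero.

```python
"""Added example (not Symantec code): normalize the IPv4/IPv6 network
notations accepted by the primary filter (10.63.*.*, 10.63.0.0_16,
10.63.0.0/16, 2001::/31) into ipaddress networks.

Assumption (not in the guide): host bits inside the prefix must be zero,
as with ipaddress's default strict parsing.  Function names are mine.
"""
import ipaddress


def filter_to_network(text):
    """Return an ip_network for one filter value.

    Accepts the '/' prefix form, the '_' prefix form, and the dotted form
    in which trailing octets are replaced by '*' (10.63.*.* == 10.63.0.0/16).
    """
    text = text.strip()
    if "*" in text:
        octets = text.split(".")
        if len(octets) != 4 or "*" in octets[0]:
            raise ValueError(f"bad wildcard notation: {text}")
        fixed = [o for o in octets if o != "*"]
        # every '*' must come after the fixed octets: 10.*.63.* is rejected
        if octets[len(fixed):] != ["*"] * (4 - len(fixed)):
            raise ValueError(f"wildcards must be trailing: {text}")
        prefix = 8 * len(fixed)
        text = ".".join(fixed + ["0"] * (4 - len(fixed))) + f"/{prefix}"
    elif "_" in text:
        # 10.63.0.0_16 is the same network as 10.63.0.0/16
        addr, plen = text.rsplit("_", 1)
        text = f"{addr}/{plen}"
    return ipaddress.ip_network(text)


def matches(address, filters):
    """True when the address lies inside any of the filter networks.
    IPv4 and IPv6 values never match each other."""
    ip = ipaddress.ip_address(address)
    networks = [filter_to_network(f) for f in filters]
    return any(ip.version == net.version and ip in net for net in networks)


if __name__ == "__main__":
    # Constructed filter values taken from the notations listed in the guide.
    for value in ("10.63.*.*", "10.63.0.0_16", "10.63.0.0/16", "2001::/31"):
        print(f"{value:>14} -> {filter_to_network(value)}")
    print(matches("10.63.200.7", ["10.63.*.*"]))
```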

SCADA

SCADA Reports

© 2019 Symantec Corporation Updated: 13 May 2019 Data Analysis 55 Metadata Settings

Report Attribute Description Namespac Source Forma Num/Le Ne e t n w

DNP3 AL dnp3_al_con Confirm application-layer control flag packets Packet binary X Confirm header

DNP3 AL dnp3_al_control Application-layer control flags byte packets Packet integer X Control header

DNP3 AL Final dnp3_al_final Final application-layer control flag packets Packet binary X header

DNP3 AL First dnp3_al_first First application-layer control flag packets Packet binary X header

DNP3 AL dnp3_al_function_code Function code, identifying the type of packets Packet integer X Function Code message at the application layer header

DNP3 AL IIN1 dnp3_al_iin1 First byte of the DNP3 Internal packets Packet integer X Indication (IIN) 16-bit word, set by a header slave station to indicate states and diagnostic results

DNP3 AL IIN2 dnp3_al_iin2 Second byte of the DNP3 Internal packets Packet integer X Indication (IIN) 16-bit word, set by a header slave station to indicate states and diagnostic results

DNP3 AL Obj dnp3_al_obj_qualifier Byte specifying the range of the first packets Packet integer X Qualifier Field _field object. Only the first object is handled header

DNP3 AL Obj dnp3_al_obj_type_field First object type in the application-layer packets Packet integer X Type Field control field. Only the first object is header handled

DNP3 AL dnp3_al_sequence Sequence number of an application packets Packet integer X Sequence message fragment header

DNP3 AL dnp3_al_uns Unsolicited application-layer control packets Packet binary X Unsolicited flag header

DNP3 DL dnp3_dl_control Data link-layer frame control byte packets Packet integer X Control header

DNP3 DL CRC dnp3_dl_crc CRC checksum field packets Packet integer X header

DNP3 DL dnp3_dl_destination Destination address of the frame packets Packet integer X Destination header

DNP3 DL dnp3_dl_direction Physical transmission direction control packets Packet binary X Direction flag header

DNP3 DL Frame dnp3_dl_fcb Frame Count Bit data link-layer control packets Packet binary X Count Bit flag header

DNP3 DL Frame dnp3_dl_fcv Frame Count Valid data link-layer packets Packet binary X Count Valid control flag header

DNP3 DL dnp3_dl_function_code Function Code identifying the frame packets Packet integer X Function Code type at the data-link layer header

DNP3 DL dnp3_dl_function_code Function code name, corresponding to packets Packet integer X Function Code _name the DL Function Code header Name

© 2019 Symantec Corporation Updated: 13 May 2019 Data Analysis 56 Metadata Settings

SCADA Reports

Report Attribute Description Namespac Source Forma Num/Le Ne e t n w

DNP3 DL dnp3_invalid_codes Invalid-message error codes packets Packet integer X Invalid Codes header

DNP3 DL dnp3_dl_length DNP3 frame length packets Packet integer X Length header

DNP3 DL dnp3_dl_prm Primary data link-layer control flag packets Packet binary X Primary header

DNP3 DL dnp3_dl_src Source address of the frame packets Packet integer X Source header

DNP3 DL Start dnp3_dl_start_sync Header start magic field packets Packet integer X Sync header

DNP3 TL dnp3_tl_control Transport-layer control flag byte; was packets Packet integer X Control "DNP3 TL Header" in versions previous header to 7.3.2

DNP3 TL Final dnp3_tl_final Final transport-layer control flag packets Packet binary X header

DNP3 TL First dnp3_tl_first First transport-layer control flag packets Packet binary X header

DNP3 TL dnp3_tl_seq Frame-sequence number field packets Packet integer X Sequence header

MODBUS AND modbus_and_mask AND mask applied when writing the packets Packet integer X Mask data of the register header

MODBUS Byte modbus_byte_count The number of data bytes to follow packets Packet integer X Count header

MODBUS Coil modbus_coil_status Status code of the coil. packets Packet binary X Status header

MODBUS Event modbus_event_count Event counter packets Packet integer X Count header

MODBUS modbus_events Data containing statuses of MODBUS packets Packet string X Events send or receive operations header

MODBUS modbus_exception The extraction of the exception code packets Packet integer X Exception Code _code specifies that the function code is an header exception function code; the value specifies the type of error

MODBUS FIFO modbus_fifo_count Quantity of data registers in the queue packets Packet integer X Count header

MODBUS FIFO modbus_fifo_pointer Queue content address packets Packet integer X Pointer Address _address header

MODBUS File modbus_file_number Identifier of the file packets Packet integer X Number header

MODBUS File modbus_file_resp File length packets Packet integer X Response _length header Length

© 2019 Symantec Corporation Updated: 13 May 2019 Data Analysis 57 Metadata Settings

SCADA Reports

Report | Attribute | Description | Namespace | Source | Format | Num/Len, New
--- | --- | --- | --- | --- | --- | ---
MODBUS Function Code | modbus_function_code | The kind of action to perform. The values indicate the public function codes used for classification | packets | Packet header | integer | X
MODBUS Function Subcode | modbus_function_subcode | Specifies the MODBUS function code action | packets | Packet header | integer | X
MODBUS Invalid Codes | modbus_invalid_codes | Error code when reading a specific MODBUS function | packets | Packet header | integer | X
MODBUS Length | modbus_length | A byte count of the following fields, including the unit identifier and data fields | packets | Packet header | integer | X
MODBUS MEI Type | modbus_mei_type | MODBUS encapsulated interface transport unique number | packets | Packet header | integer | X
MODBUS Message Count | modbus_message_count | Quantity of messages processed by the remote device | packets | Packet header | integer | X
MODBUS OR Mask | modbus_or_mask | OR mask applied when writing the data of the register | packets | Packet header | integer | X
MODBUS Output Address | modbus_output_address | The data address of the coil or register | packets | Packet header | integer | X
MODBUS Output Data | modbus_output_data | Exception status outputs, packed into one byte (one bit per output) | packets | Packet header | integer | X
MODBUS Output Value | modbus_output_value | Value to write | packets | Packet header | string | X
MODBUS Outputs Value | modbus_outputs_value | Requested ON/OFF coil states | packets | Packet header | integer | X
MODBUS PDU | modbus_pdu | The protocol data unit is defined by the function code and the data fields | packets | Packet header | integer | X
MODBUS Protocol ID | modbus_protocol_id | MODBUS protocol is identified by the value 0 | packets | Packet header | integer | X
MODBUS Quantity of Coils | modbus_quantity_of_coils | Total number of coils requested | packets | Packet header | integer | X
MODBUS Quantity of Outputs | modbus_quantity_of_outputs | The number of coils or registers to write | packets | Packet header | integer | X
MODBUS Read Registers Value | modbus_read_registers_value | Register value | packets | Packet header | string | X
MODBUS Record Data | modbus_record_data | The data of the record | packets | Packet header | string | X
MODBUS Record Length | modbus_record_length | The length of the record to be read | packets | Packet header | integer | X
MODBUS Record Number | modbus_record_number | Starting record number within the file | packets | Packet header | integer | X
MODBUS Reference Address | modbus_reference_address | Address of the reference | packets | Packet header | integer | X
MODBUS Reference Type | modbus_reference_type | Type of reference; must be 6 | packets | Packet header | integer | X
MODBUS Request Data Length | modbus_request_data_length | Request data length, in terms of number of bytes | packets | Packet header | integer | X
MODBUS Response Data Length | modbus_resp_data_length | Data length of the response | packets | Packet header | integer | X
MODBUS Starting Address | modbus_starting_address | The data address of the first coil or register | packets | Packet header | integer | X
MODBUS Status | modbus_status | The data address of the first coil or register: 0x0000 "OK" or 0xFFFF "busy processing a previous remote command" | packets | Packet header | binary | X
MODBUS Transaction ID | modbus_transaction_id | Transaction Identifier set by the client to uniquely identify each request; used for transaction pairing | packets | Packet header | integer | X
MODBUS Unit ID | modbus_unit_id | Identifier used to communicate via devices that use a single TCP/IP connection to support multiple independent MODBUS units | packets | Packet header | integer | X
MODBUS Write Registers Value | modbus_write_registers_value | Value of register to be written | packets | Packet header | string | X

Social Persona

Social Persona Reports

Report | Attribute | Description | Namespace | Source | Format | Num/Len, New
--- | --- | --- | --- | --- | --- | ---
Password | password | Cleartext passwords | flows | Packet headers, multiple protocols | string | X
Social Persona | social_persona | User name of account; login | flows | Packet headers, multiple protocols | string | X
User Name ‡ | user_name | Username as identified by LCS | flows | Login Correlation Service | string |

‡ Data for this report is available only if you are running the Login Correlation Service.


Threat Intel

Because the threat intel reports contain data that is calculated after the flows are sent through the rules engine, you cannot use threat intel attributes as valid indicators for rules. For example, malware_analysis_verdict>8 cannot trigger a rule; however, it can be a valid primary filter. To populate these reports you must have the data-enrichment provider mentioned in the Source column, either as a subscription or as an on-site appliance.

Threat Intel Reports

Report | Attribute | Description | Namespace | Source | Format
--- | --- | --- | --- | --- | ---
File Signature Verdict | file_signature_verdict | Degree of risk of the file hash | verdicts | Blue Coat File Reputation Service | integer
Local File Analysis Verdict | local_file_analysis_verdict | Degree of risk of the file hash | verdicts | Local File Analysis providers | integer
Malware Analysis Verdict | malware_analysis_verdict | Degree of maliciousness based on direct file analysis | verdicts | Malware Analysis appliance | integer
Third-Party Verdict | third_party_integration_verdict | Degree of risk of the file hash | verdicts | ReversingLabs® TitaniumScale® server | integer
Threat Category | threat_category | Category of threat | verdicts | ReversingLabs TitaniumScale server | integer
Threat Description | threat_description | Description of threat | verdicts | ReversingLabs TitaniumScale server | string
Threat Severity | threat_severity | Severity of threat | verdicts | ReversingLabs TitaniumScale server | integer
URL Categories | url_categories | Known category of the URL; this attribute cannot be disabled | verdicts | Web Reputation Service | string
URL Risk Verdict | url_risk_verdict | Degree of risk of the URL; this attribute cannot be disabled | verdicts | Calculated by Security Analytics | integer


When inputting a verdict attribute in the filter bar, use the numerical values for these text equivalents.

Value | Text Equivalent
--- | ---
1, 2 | Very Low Risk
3, 4 | Low Risk
5 | Unknown/Unrated
6, 7 | Moderate Risk
8, 9 | High Risk
10 | Very High Risk


Web

Web Reports

Report | Attribute | Description | Namespace | Source | Format | Num/Len, New
--- | --- | --- | --- | --- | --- | ---
HTTP and Email URIs | uri | URIs extracted from HTTP and email artifacts | flows | Payload | URI | X
HTTP Auth Username | http_auth_username | Login used in the HTTP Authorization request extension for authentication. The supported authentication methods are Basic and Digest. | flows | Packet header | string | X X
HTTP Code | http_code | Return code sent by the server | flows | Packet header | integer | X
HTTP Content Disposition | http_content_disposition | Information related to the disposition of the content present on the web page | flows | Packet header | string | X
HTTP Content Encoding | http_content_encoding | The type of encoding used on the data | flows | Packet header | string | X X
HTTP Content Length | http_content_len | The content length of the HTTP request/response | flows | Packet header | integer | X
HTTP Content Type | http_content_type | The MIME type of the body of POST and PUT requests | flows | Request packet header | string | X X
HTTP Cookie | http_cookie | An HTTP cookie previously sent by the server with Set-Cookie | flows | Packet header | string | X X
HTTP Forward Address | http_forward_addr | IPv4 DNS address to which the client is redirected. This is the HTTP header X-Forwarded: for= | flows | Packet header | URL | X
HTTP Header Name | http_header_name | Fields that are included in the HTTP header, such as Accept, Accept-Language, Referer, Content-Type, or Cache-Control | flows | Packet header | string | X X
HTTP Header Raw | http_header_raw | Field names in the header plus the field values, such as Accept-Encoding: gzip,deflate,sdch or Keep-Alive: timeout=300, max=946 | flows | Packet header | string | X X
HTTP Header Status Line | http_header_statusline | The status line just before the header lines, such as HTTP/1.1 200 OK or GET / HTTP/1.1 | flows | Packet header | string | X X
HTTP Header Value | http_header_value | Field values that are included in the HTTP header, independent of field names | flows | Packet header | string | X X
HTTP Index | http_index | Identifier of the request and response in an HTTP flow. The indices of a completed flow are 1 through N, with 1 being the first request, 2 being the response to the request, and N being the last transaction in the flow. | flows | Packet header | integer | X X
HTTP Last Modified | http_last_modified | The date and time at which the origin server recorded the last modification to the file | flows | Packet header | day, DD MMM YYYY hh:ii:ss ZZZ | X X
HTTP Location | http_location | Destination address where the client is redirected | flows | Packet header | URL | X
HTTP Method | http_method | HTTP command sent by the client: GET, POST, HEAD, CONNECT, and so on | flows | Packet header | string | X
HTTP NTLM Domain | http_ntlm_domain | Domain attribute of the NT LAN Manager protocol; included in the HTTP Authentication field | flows | Packet header | string | X X
HTTP NTLM User | http_ntlm_user | User attribute of the NT LAN Manager protocol; included in the HTTP Authentication field | flows | Packet header | string | X X
HTTP NTLM Workstation | http_ntlm_workstation | Workstation attribute of the NT LAN Manager protocol; included in the HTTP Authentication field | flows | Packet header | string | X X
HTTP Part Header Name | http_part_header_name | Fields that are included in the HTTP part header, such as Accept, Accept-Language, Referer, Content-Type, or Cache-Control; extracted only if Content-Type is multipart | flows | Packet header | string | X X
HTTP Part Header Value | http_part_header_value | Field values that are included in the HTTP part header, independent of field names; extracted only if Content-Type is multipart | flows | Packet header | string | X X
HTTP Post Variable Decoded | http_post_variable_decoded | The 'name/value' metadata from each web-form CGI parameter found in a POST HTTP request. The name and value strings are normalized. The parameters are extracted from the URL of the request, and/or from the x-www-form-urlencoded POST data. | flows | Packet header | string | X X
HTTP Proxy Auth | http_proxy_auth | Authentication type on the proxy: basic, digest, NTLM | flows | Packet header | string | X X
HTTP Proxy Login | http_proxy_login | Authentication credentials | flows | Packet header | string | X
HTTP Referrer | referer | The address of the previous web page from which a link to the currently requested page was followed; was "Referrer" in versions previous to 7.3.2 | flows | Packet header | URL | X
HTTP Server | http_server | The FQDN of the server | flows | Packet header | URL | X
HTTP Server Agent | web_server | Server type: Apache, IIS, nginx; was "Web Server" in versions previous to 7.3.2 | flows | Packet header | string | X
HTTP Set Cookie | http_set_cookie | Contains a cookie stored by the server (Set-Cookie) | flows | Packet header | string | X X
HTTP URI | http_uri | The domain name of the server plus the path to the file | flows | Packet header | URI | X
HTTP User Agent | user_agent | Software used by the client to access the web page | flows | Packet header | string | X
Web Query | web_query | Database query | flows | Packet header; multiple protocols | string | X


Open Parser

Use the open parser to create customized reports and report widgets that you can use in the same way as other Security Analytics reports. With the open parser you can include regular expressions in rule definitions.

Open parser rules can consume considerable system resources by generating a large number of rule hits. Use indicators that detect the smallest amount of network traffic possible.

Open Parser Conventions

Keep the following in mind when using the open parser:

• Regular expressions must be RE2-compliant.
• The operator between regex lines is OR.
• The open parser rule name is converted into a report name by making all letters lower-case and replacing all spaces with an underscore. For example, Phone Numbers becomes phone_numbers.
• An open parser report is visible only when its corresponding rule is active.
• Lua scripts must have the .lua extension.
• Do not upload a Lua script that contains the os.exit command.

Create an Open-Parser Rule

Select Analyze > Rules and click New.

For Name, specify a unique name for the rule. It must begin with a letter, must not exceed 60 characters, and cannot be the same as an existing report name.

For First Event, specify one or more indicators or create new indicators.

Do not click Add Second Event. Multiple events are not supported by the open parser.

Select the Open Parser check box.

For Regular Expressions, type or paste a regular expression and click Add. The expression is copied to the space below. You may add up to eight expressions, and each expression must not exceed 1024 characters.

• To delete an expression, select it and click Remove.

For Metadata Options, select one of the following:

• Select Add flag to metadata — A Boolean is written to the indexing database entry to indicate that the flow matches the regular expression. The report shows how many flows are Matched but does not contain the matching values.


• Select Add matching value to metadata — The values that match the regular expression are written to the indexing database, where they are visible in the report.
• Select Add succeeding value to metadata, until this delimiter — The characters that come after the string that matches the regular expression, up to the RE2-compliant delimiter, are written to the indexing database, where they are visible in the report.
• Select Take no action — No values are written to the indexing database. A report will be available for this rule but it will never contain data.
• Select Execute Lua script — Click Browse to select a Lua script to execute when the regular expression is matched.
  o Click Download Script to download a Lua script that is already uploaded.

When a Lua script is uploaded to an open-parser rule, the script is executed for validation purposes before the rule is saved. If the GUI stops responding, it means that the script contains an error that prevents it from being validated; for example, it contains an os.execute command or non-zero exit codes.

For Type, select the rule type and click the corresponding link for instructions on completing the rule:

• Alert
• PCAP Export
• IPFIX Export
• Data Enrichment
• Dynamic Filter — n/a
• None
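The following Python model of the metadata options is an added example written for this guide; it is not the appliance's parser, and the function name run_open_parser_rule, the option keywords and the sample payload are assumptions. It shows the difference between the four options on one flow payload: the OR between expression lines, the flag that records only a Boolean, the matching values, and the succeeding value cut at an RE2-style delimiter.

```python
import re

# Added model of an open-parser rule's metadata options (assumption: written for this
# guide, not the appliance's own parser). Expression lines are OR'ed, as the conventions
# state, and the selected option decides what is written for a matching flow.


def run_open_parser_rule(expressions, payload, option, delimiter=None):
    """Return the metadata an open-parser rule would write for one flow payload.

    option is one of: "flag", "matching_value", "succeeding_value", "none".
    delimiter is an RE2-style regular expression used only by "succeeding_value".
    """
    if len(expressions) > 8 or any(len(e) > 1024 for e in expressions):
        raise ValueError("at most eight expressions of up to 1024 characters each")
    # OR between regex lines: every hit of every expression counts, ordered by offset.
    hits = sorted(
        (m for rx in (re.compile(e) for e in expressions) for m in rx.finditer(payload)),
        key=lambda m: m.start(),
    )
    if option == "flag":
        return {"matched": bool(hits)}  # Boolean only; the values are not stored
    if option == "matching_value":
        return {"values": [m.group(0) for m in hits]}
    if option == "succeeding_value":
        delim = re.compile(delimiter)
        values = []
        for m in hits:
            rest = payload[m.end():]  # text after the match, up to the delimiter
            cut = delim.search(rest)
            values.append(rest[:cut.start()] if cut else rest)
        return {"values": values}
    if option == "none":
        return {}  # the report exists but never holds data
    raise ValueError(f"unknown metadata option {option!r}")


# Constructed sample payload (not captured traffic) and a two-line rule.
SAMPLE_PAYLOAD = "user=alice;role=admin\nuser=bob;role=guest\n"
RULE_EXPRESSIONS = [r"user=", r"role="]

if __name__ == "__main__":
    for opt in ("flag", "matching_value", "succeeding_value", "none"):
        print(opt, run_open_parser_rule(RULE_EXPRESSIONS, SAMPLE_PAYLOAD, opt, delimiter=r"[;\n]"))
```

Note that with "Add succeeding value" the delimiter decides how much of the payload lands in the indexing database: a delimiter that never matches writes the whole remainder of the payload, which is the resource cost the conventions warn about.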

View the Report Data

Select Analyze > Summary and click the Reports tab. Reports that contain data from the open parser rules are available under Custom Analytics.

Select Analyze > Summary > Reports and select Application > Application ID. The rule name is present to show that data from the rule was generated during the timespan.


Click the entry to add the rule to an application_id filter to help you locate the artifact that matched the rule.

Add the Custom Analytics Report Widgets to a Summary View

Select Analyze > Summary. Select an existing view or create a new view where the widget will be displayed.

Select Actions > Add/Edit Widgets. From the Available Reports list, select the custom analytics report, move it to the Selected Reports list, and click Add/Edit Widgets.

Open Parser Alerts

An alert from an open-parser rule shows the regular expression that triggered the alert.


To see the value that matched the regular expression, click View Report Summary and select a view that contains the report widget that corresponds to the rule. When you pivot from an alert to a widget, the widget displays all of the matching values that are present in the same flow.

PII Reports Example

This example shows how to create open-parser rules to find personally identifiable information (PII) in HTTP and EML files and then display the PII in reports.

Create an indicator

Select Analyze > Indicators and select Actions > New.

Create an indicator named HTTP with the filter application_group=web. Verify that the Email indicator exists on the appliance (application_group="Mail", application_group="Webmail").

The HTTP and Email indicators will detect a large amount of traffic. For your network, you may want to add more indicators to exclude traffic that is unlikely to contain PII.

Create the rule

Create an open-parser rule that extracts likely phone numbers. Select Analyze > Rules and click New.

Create a rule named [Phone Numbers | Social Security Numbers | Credit Card Numbers] with the Email and HTTP indicators as the First Event.


Select the Open Parser check box. In the regular expressions field, enter the regular expression [Phone Numbers | Social Security Numbers | Credit Card Numbers] and click Add.

For Metadata Options, select Add matching value to metadata.

For Type select None so that no alerts are generated.

• Alternatively, if you select Alert, you can set the Importance for each rule hit.

Optional — Select Shared to make the rule viewable by everyone who has access to this appliance.

Remote Notifications — Optional — Select one or more remote-notification types. You may select the default template or configure a template on Settings > Communication > Templates. If you have not already done so, configure the appropriate server(s).

• SMTP — Optional — Specify email accounts to receive the alert notifications.

Endpoint Providers — Optional — Select to send endpoint data to external endpoint analysis providers.

Click Save. The rule is displayed in the Rules list. Verify that the rule is activated.

Phone Numbers

This regular expression detects likely phone numbers in the United States and Canada.

• Name — Phone Numbers
• Regular Expression — ((?:\+?1[ .-]\s*)?(((\(\s*[2-9]\d{2}\s*\)\s*[ .-]?)|([2-9]\d{2}\s*[ .-])))\s*[2-9]((1[02-9])|([02-9]\d{1}))\s*[ .-]\s*\d{4})

Social Security Numbers

This regular expression detects likely U.S. Social Security numbers.

• Name — Social Security Numbers
• Regular Expression — ((?:[0-6]\d{2}|7([0-6]\d|7[012]))[-]\d{2}[-]\d{4})


Credit Card Numbers

This regular expression detects likely MasterCard, Visa, Discover, and American Express card numbers.

• Name — Credit Card Numbers
• Regular Expression — (4[0-9]{3}[0-9]{4}[0-9]{4}[0-9](?:[0-9]{3})?|[0-9]{4}[-][0-9]{4}[-][0-9]{4}[-][0-9]{4}|5[1-5][0-9]{2}[0-9]{4}[0-9]{4}[0-9]{4}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|6(?:011|5[0-9]{2})[0-9]{12}|(?:2131|1800|35\d{3})\d{11})
• Metadata Options — Select Execute Lua script and upload the following file, which can also be found on the appliance at usr/lib64/lua/5.1/userDefined/pii_parser.lua_tmpl:

    require "OpenParser"

    -- Called once for every token matched by the Credit Card Numbers regular expression.
    -- Only tokens that pass the Luhn check are written to the indexing database.
    function callback_method(data)
      local token = data[TOKEN_KEY]
      local len = data[TOKEN_SIZE_KEY]

      -- Validate using Luhn's algorithm: walk the digits from the right, add the
      -- odd-position digits as they are and double the even-position digits
      -- (subtracting 9 when the doubled value exceeds 9).
      local odd, even, numdigit = 0, 0, 0
      local reverse = string.reverse(token)

      for count = 0, len - 1 do
        local digit = tonumber(string.sub(reverse, count + 1, count + 1))
        if digit then                        -- skip hyphens and other non-digits
          numdigit = numdigit + 1
          if (numdigit % 2) ~= 0 then
            odd = odd + digit
          else
            local num = digit * 2
            if num > 9 then num = num - 9 end
            even = even + num
          end
        end
      end

      local total = odd + even
      if (total % 10) == 0 then
        OpenParser.createMeta(token)         -- write the validated number as metadata
      end
    end

    OpenParser.setCallback(callback_method)

This file must have the .lua extension before it can be uploaded.
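The following Python script is an added example, not part of this guide or of the pii_parser.lua template: it runs the three PII expressions from this section over a constructed HTTP POST body and applies the same Luhn validation the Lua callback performs before a card number is written as metadata. Report names follow the open-parser naming convention (lower-case, spaces replaced with underscores); the function names and the sample body are assumptions.

```python
import re

# Added example, not the appliance's own code: the three PII expressions of this section
# run over a constructed HTTP POST body, with card hits validated the way the pii_parser
# Lua callback does (Luhn check) before they count as metadata.
PII_RULES = {
    "phone_numbers": r"((?:\+?1[ .-]\s*)?(((\(\s*[2-9]\d{2}\s*\)\s*[ .-]?)|([2-9]\d{2}\s*[ .-])))\s*[2-9]((1[02-9])|([02-9]\d{1}))\s*[ .-]\s*\d{4})",
    "social_security_numbers": r"((?:[0-6]\d{2}|7([0-6]\d|7[012]))[-]\d{2}[-]\d{4})",
    "credit_card_numbers": r"(4[0-9]{3}[0-9]{4}[0-9]{4}[0-9](?:[0-9]{3})?|[0-9]{4}[-][0-9]{4}[-][0-9]{4}[-][0-9]{4}|5[1-5][0-9]{2}[0-9]{4}[0-9]{4}[0-9]{4}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|6(?:011|5[0-9]{2})[0-9]{12}|(?:2131|1800|35\d{3})\d{11})",
}


def luhn_ok(token):
    """Port of the Lua callback: walk the digits from the right, add odd positions as-is,
    double even positions (minus 9 when the doubling exceeds 9), accept if total % 10 == 0."""
    odd = even = numdigit = 0
    for ch in reversed(token):
        if not ch.isdigit():  # hyphens in 4-4-4-4 formatted numbers are skipped
            continue
        digit = int(ch)
        numdigit += 1
        if numdigit % 2:
            odd += digit
        else:
            num = digit * 2
            if num > 9:
                num -= 9
            even += num
    return (odd + even) % 10 == 0


def extract_pii(payload):
    """Return {report_name: [values that would be written to the indexing database]}."""
    found = {}
    for report, pattern in PII_RULES.items():
        hits = [m.group(1) for m in re.finditer(pattern, payload)]
        if report == "credit_card_numbers":
            # "Execute Lua script" option: only Luhn-valid tokens become metadata.
            hits = [h for h in hits if luhn_ok(h)]
        found[report] = hits
    return found


# Constructed sample (not captured traffic). 4111... and 4012... are well-known test card
# numbers; the last two values are regex hits that the Luhn check rejects.
SAMPLE_HTTP_BODY = (
    "POST /checkout HTTP/1.1\r\nHost: shop.example\r\n\r\n"
    "name=Pat&phone=(415) 555-2671&ssn=123-45-6789"
    "&card=4111111111111111&alt=4012-8888-8888-1881"
    "&bad=4111111111111112&junk=1234-5678-9012-3456"
)

if __name__ == "__main__":
    for report, values in extract_pii(SAMPLE_HTTP_BODY).items():
        print(report, values)
```

The Luhn step is what keeps the credit_card_numbers report from filling up with every 16-digit string on the network: the regular expression alone also matches the two constructed non-card values, the callback drops them.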


Open Parser Data Matching

Open parser rules run their regular expressions against the following types of fields:

• Content — Fields such as FTP:CONTENT, HTTP:CONTENT, FACEBOOK_MAIL:CONTENT, and POP3:CONTENT
• Message — Fields such as ICMP:MESSAGE, SYSLOG:MESSAGE, and GMAIL_CHAT:MESSAGE
• Attachments — Attachments to emails, such as GMAIL:ATTACH_CONTENT, SMTP:ATTACH_CONTENT_DECODED, and POP3:ATTACH_CONTENT
• General data — The entire data portion of a data protocol, including headers and body.

Filters

Symantec Security Analytics employs the following types of filters:

• Primary Filters — Applied to Summary, Reports, Extractions, and Geolocation pages, primary filters return all flows that contain matching traffic.
• Dynamic Filters — Apply capture filters to interfaces only when traffic matches a dynamic filter rule.
• Data Enrichment Filters — Specify which file types to send to each enrichment provider.
• Timespan — Applied in the same contexts as the primary filter. Use the narrowest possible timespan filter to conserve system resources.
• Advanced — Applied to the flows that are generated on Reports, Extractions, Geolocation, Alerts, and Audit Log pages, advanced filters eliminate extraneous data from matching flows.
• Capture — Applied to capture interfaces and PCAP downloads.

Primary Filters

The filter bar — present on Analyze > [Summary | Reports | Extractions | Geolocation] — is at the heart of Security Analytics. With these filters, you can display specific time frames or attributes of the captured data.

[Figure: the filter bar. Callouts: 1 Filter bar; 2 Timespan filter selector]


Using the Filter Bar

Type directly in the filter bar to create a new filter.

Select Analyze > [Summary | Reports | Extractions | Geolocation]. Click in the filter bar and begin typing a filter attribute.

The system will begin suggesting attributes or indicators based on your typing. You can select the desired attribute by clicking it or by using the arrow keys. Type the operator.

Type the desired value after the operator. You can use wildcard expressions. For CIDR notation, use one of the following formats:

• 10.5.*.*
• 10.5.0.0_16
• 10.5.0.0/16

Press Enter. The system completes the filter by enclosing it in a gray box. Click the green Update button to apply the filter.

Whenever you change a filter, you must always click Update to regenerate the results. This permits you to change multiple aspects of the filter before regenerating the results.

All applied filters appear as white text against a blue background.

To modify a filter, click the blue field and edit as desired. Press Enter or click outside the blue field; the box will become gray again. Click Update to apply the modified filter.


You can also create complex primary filters using AND and OR.

Preloaded Indicators

Security Analytics is preloaded with indicators such as non-standard protocols, common MIME types, and known malware passwords. You can use these indicators as primary filters.

Select Analyze > [Summary | Reports | Extractions | Geolocation]. Expand the filter bar to see a list of indicators. Select the desired indicator.

• Alternatively, select Analyze > Indicators. Under Actions for the desired indicator, click Add to Filter Bar. The Summary view will be displayed with that indicator in the filter bar.

The indicator appears in the filter bar and is applied to the operation (report, extraction, geolocation). For instructions on creating and editing indicators, see Indicators.

Dynamic Filters See Dynamic Filters.

Data Enrichment Filters

Settings > Data Enrichment > Default Data Enrichment Filter

Per-provider filters specify which file types to send to providers that evaluate files and hashes, such as the File Reputation Service and ClamAV. The default filter sends the following file types to the enrichment providers. (Consult "Data Enrichment Filters" in the Security Analytics 7.3.x Reference Guide on support.symantec.com to see which file types are included in each category.)

• The filters apply only to real-time extractions, which occur when traffic matches a rule. Manual or on-demand reputation queries are not affected by these filters.
• The checked boxes indicate the file types to send to the enrichment providers; clear the check boxes for file types that you do not want to send to the providers.
• After you have finished making changes to this filter, click Save.


By default all of the enrichment providers use the Default Data Enrichment Filter except Malware Analysis, which has a default filter to permit Adobe PDF, Archives, Debian Packages, Office Documents, and Programs and Libraries.

Customize a Data Enrichment Filter

To customize the data enrichment filter for a provider, follow these steps:

Select Settings > Data Enrichment.

For the enrichment provider click Edit.

Clear the Use Defaults check box.

Clear and select the file-type check boxes as desired and click Save.


A list of file types that are selected for the filter is displayed.

Timespan Filters

Timespan filters are present on Analyze > [Summary | Reports | Extractions | Geolocation]. By default, the system displays the last 15 minutes of data captured.

Expand the control to select another predefined timespan or click the date/time fields to specify a particular time.

See Data Availability for an explanation of the calendar-shading colors.

Advanced Filters

• Valid parameters for advanced filters

With the advanced filters, you can easily and rapidly apply additional filters to the report data. When an advanced filter is applied, the charts and tables change automatically to reflect the new criteria.

• Advanced filters are applied directly to the data in the view, whereas applying a primary filter causes the operation, for example an extraction, to be performed again.
• Advanced filters affect only what is shown in the current view; they do not affect what is shown in other views (Summary, Reports, Extractions, Geolocation), nor can they be carried across to other views.

Create an Advanced Filter

Select Analyze > [Reports | Extractions | Geolocation | Alerts].


Select the desired view from the view selector. Click Add a Filter to select a list of valid attributes for this view. Select an operator. Type or select the desired value and press Enter. The system applies the filter to the displayed data.

Create Nested Filters

This example shows how to convert the following expression into a nested advanced filter:

(file_size>=1000 AND file_extension=ico) OR (file_type=image/x-icon AND file_size>=1000)

1. Begin by selecting the Boolean that will link the first group of filters to the second group—in this case, OR—and then click Add Filter Group.
2. Select the Boolean that links the terms within the first group (AND) and then add the filters.
3. To add the second group, click the same Add Filter Group icon as for the first group, and then add the filters for the second group.
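As an added illustration (example code written for this guide, not the appliance's own filter engine), the nested structure built in the three steps above can be represented as filter groups that each carry a Boolean and a list of terms or sub-groups. The evaluator below applies the example expression to a few constructed artifacts; the group representation, the parse_term and evaluate names and the sample artifacts are assumptions.

```python
import operator

# Added example (not the appliance's own code): a minimal evaluator for nested
# advanced-filter groups, showing how the two-group expression maps onto Booleans.
OPERATORS = {">=": operator.ge, "<=": operator.le, "!=": operator.ne,
             "=": operator.eq, ">": operator.gt, "<": operator.lt}


def parse_term(term):
    """Split 'file_size>=1000' into ('file_size', '>=', 1000); two-character operators first."""
    for op in (">=", "<=", "!=", "=", ">", "<"):
        if op in term:
            attr, raw = term.split(op, 1)
            value = int(raw) if raw.isdigit() else raw
            return attr, op, value
    raise ValueError(f"no operator in {term!r}")


def evaluate(node, artifact):
    """node is either a term string or a (boolean, [children]) filter group."""
    if isinstance(node, str):
        attr, op, value = parse_term(node)
        if attr not in artifact:  # a missing attribute never matches
            return False
        return OPERATORS[op](artifact[attr], value)
    boolean, children = node
    results = [evaluate(child, artifact) for child in children]
    return all(results) if boolean == "AND" else any(results)


# (file_size>=1000 AND file_extension=ico) OR (file_type=image/x-icon AND file_size>=1000)
# Step 1 picks OR for the outer group; steps 2 and 3 add the two AND groups.
NESTED_FILTER = ("OR", [
    ("AND", ["file_size>=1000", "file_extension=ico"]),
    ("AND", ["file_type=image/x-icon", "file_size>=1000"]),
])

# Constructed artifacts (file_size in KB, as on the Extractions page).
ARTIFACTS = [
    {"name": "favicon.ico", "file_size": 2048, "file_extension": "ico", "file_type": "image/x-icon"},
    {"name": "tiny.ico", "file_size": 4, "file_extension": "ico", "file_type": "image/x-icon"},
    {"name": "logo.bin", "file_size": 1500, "file_extension": "bin", "file_type": "image/x-icon"},
    {"name": "photo.png", "file_size": 9000, "file_extension": "png", "file_type": "image/png"},
]


def matching_names(node=NESTED_FILTER, artifacts=ARTIFACTS):
    """Names of the artifacts the nested filter keeps in the view."""
    return [a["name"] for a in artifacts if evaluate(node, a)]


if __name__ == "__main__":
    print(matching_names())
```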

Create Filters from Graphical Screen Elements

You can instantly create a primary, advanced, or timespan filter from many of the graphical elements on the Web interface. The example below shows what happens when you click the value in the URI Host field of an extracted artifact:

Depending on the attribute, you have the options of:

• adding the value to the filter bar or advanced filter


• adding the value as one of multiple attributes
• using one of up to four logical operators

Other graphical elements with this feature include:

• Report and widget charts and graphs
• Items in results lists: locations, IP addresses, applications
• The Application Group over Time widget, as shown below:

Capture Filters

See Capture Filters.

Primary Filter Attributes

Valid primary filter attributes are displayed on the Metadata Settings page.

Advanced-Filter Attributes

The values for the advanced filter are different for each page.

Alerts

The Alerts pages offer the following options:

• appliance — CMC Only. Sensor on which the alert was registered.
• artifact_identifier — Add the identifier from the Alerts List page, as shown above.
• cached — Specify true for reports that were retrieved from the cache
• destination_ip — Destination IP address
• destination_mac — Destination MAC address
• destination_port — Destination port number


• import_id — Specify the Import ID as shown on the Capture > Import PCAP page
• importance — 1 = Notification, 2 = Warning, 3 = Critical
• integration_provider — Derived from the values in the rule's Send to field
• match_criteria — Regular expression in an open parser rule that triggered the alert
• name — Name of the open-parser rule that triggered the alert
• indicator — Name of the indicator that triggered the alert
• rule — Name of the rule that triggered the alert
• score — Score returned by the Integration Provider
• source_ip — Source IP address
• source_mac — Source MAC address
• source_port — Source port number
• type — Specify file or url

Anomalies

The Anomalies pages offer the following options. See Anomaly Detection for an explanation of the attributes and valid values:

• appliance — CMC Only. Sensor on which the anomaly was registered.
• by_field_name — Name of the By Field attribute
• by_field_value — Value for the By Field
• field_name — Name of the Field attribute
• function — Function used to detect the anomaly
• over_field_name — Name of the Over Field attribute
• over_field_value — Value for the Over Field
• partition_field_name — Name of the Partition Field attribute
• partition_field_value — Value for the Partition Field
• score — Anomaly score (0–10).

Reports

For Analyze > Summary > Reports, the advanced filter offers the following options:

• — See Metadata Settings for the list.
• bad_checksums — Number of erroneous checksums
• bytes — Number of bytes
• fragments — Number of IP fragments
• packets — Number of packets
• sessions — Number of sessions

Report Status

The Report Status pages have the following search terms:

• field — Attribute for the report.


• id — Unique ID for the report
• name — Name of the saved report; field is blank if the report has not been saved
• state — Current or final state of the report
• username — Name of user who generated the report

Extractions

Consult the table below to see which advanced-filter attributes are available in the various Extractions views. Artifacts and Artifacts Timeline provide identical attributes. The last column carries the view marks (Artifacts, Email, IM, Media) as printed in the guide.

Field | Description | Views (Artifacts, Email, IM, Media)
--- | --- | ---
email_bcc | Email addresses in the Blind Carbon-Copy field | X X
email_cc | Email addresses in the Carbon-Copy field | X X
email_from | Email addresses in the From field | X X
email_messageid | Email message ID | X X
email_priority | Email priority | X X
email_replyto | Email addresses in the Reply To field | X X
email_subject | Email subject line | X X
email_to | Email addresses in the To field | X X
file_extension | Extension of file (DOCX, COM, EXE, JPG) | X X
file_size | Size of file in kilobytes (KB) | X X
file_type | Presented MIME type | X X
file_type_mismatch | All entries where the presented MIME type is different from the detected type. | X
fuzzy | Fuzzy hash of artifact | X X
hex | Hexadecimal value | X
http_header | String in HTTP header | X
http_method | post or get | X
http_request_header | String in HTTP Request headers only | X
http_response_code | Three-digit HTTP response code, e.g., 404, 302 | X
http_response_header | String in HTTP Response headers only | X
image_height | Image height (x-value) in pixels | X X
image_hw_ratio | Height-to-width ratio of the image | X X
image_wh_ratio | Width-to-height ratio of the image | X X
image_width | Image width (y-value) in pixels | X X
ip_address | Any IP address (IPv4 or IPv6) | X X X X
ip_initiator | Source IP address (IPv4 or IPv6) | X X X X
ip_responder | Destination IP address (IPv4 or IPv6) | X X X X
keyword | Text string inside an artifact | X X X
keyword_arabic | Cleartext keyword in Arabic alphabet (UTF-8, ISO 8859-6) | X
keyword_european | Cleartext keyword in Roman alphabet (UTF-8, ISO 8859-1, Windows 1252) | X
keyword_japanese | Cleartext keyword in Japanese characters (UTF-8, Japanese Shift-JIS, ISO-2022-JP, EUC-JP) | X
keyword_korean | Cleartext keyword in Korean characters (UTF-8, EUC-KR) | X
keyword_utf8 | Keyword in UTF-8 characters. Search is case-insensitive | X
md5 | MD5 hash of artifact | X X X
port | Any port number | X X X X
port_initiator | Destination port number | X X X X
port_responder | Source port number | X X X X
protocol | Protocol | X X
referer | Referrer of artifact | X X
sha1 | SHA1 hash of artifact | X X X
sha256 | SHA256 hash of artifact | X
url | URL of artifact | X X
user | Username of participant in IM conversation | X

Geolocation

The Geolocation advanced filter offers the following options:

• bytes — Number of bytes
• ip_count — Number of IP addresses at a location
• location — Name of location

Audit Log

See Audit Log.

Wildcards and Logical Operators

Wildcard Usage

Indicators and filters support two regular-expression characters: the question mark (?) and the asterisk (*):

? = single character

* = zero or more characters


These wildcard expressions may be used in the filter bar and for indicators. (The advanced filters use other conventions.)

Expression | Description | Returns | Excludes
filename=*solera* | All file names that contain the string solera. | solera, mysolerastuff, solerastuff, mysolera | sol123era, sollera
filename=*solera | All file names that end with solera. | solera, mysolera | solerastuff
filename=solera* | All file names that begin with solera. | solera, solerastuff | mysolera
filename=sole*ra | All file names that begin with sole and end with ra. | solera, solemncapybara | solenoid, mordedura
filename=sol?ra | All file names that start with sol and end with ra and that have a single character between sol and ra. | solera, sol1ra | sol123ra
filename="*solera*" | All file names that are exactly *solera*. The double quotes disable the character expansion. | *solera* | solera, mysolera
filename="sol?ra" | All file names that are exactly sol?ra. | sol?ra | solera
filename=\*solera* | All file names that begin with *solera. The backslash disables the character expansion for the first wildcard only. | *solera, *solerastuff | solerastuff, mysolerastuff
filename!=* | The file name does not exist. | All entries without filenames | All entries that have filenames

To include a hyphen in a filter value, use a backslash, e.g., http_uri=wp\-admin
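As an added example that is not part of the original guide, the following Python matcher models the wildcard rules above (single-character ?, zero-or-more *, double quotes disabling expansion, backslash disabling the next wildcard or escaping a hyphen) and checks itself against every row of the table; the appliance's internal matching code is not shown on the page, so this is a model of the documented behaviour only.

```python
import re
from typing import Optional


def filter_value_to_regex(value: str) -> str:
    """Translate a filter value into an anchored regular expression.

    Rules from the wildcard table: '?' matches exactly one character and '*'
    matches zero or more; a value wrapped in double quotes is matched
    literally (quotes disable expansion); a backslash disables expansion for
    the single character that follows it (which is also how a hyphen is
    included, e.g. wp\\-admin).
    """
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return "^" + re.escape(value[1:-1]) + "$"
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            out.append(re.escape(value[i + 1]))  # escaped: literal, no expansion
            i += 2
            continue
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
        i += 1
    return "^" + "".join(out) + "$"


def matches(expression: str, candidate: Optional[str]) -> bool:
    """Evaluate attribute=value or attribute!=value against one field value.

    None stands for a record in which the attribute is absent, which is what
    filename!=* is meant to select (the 'is null' row of the operator table).
    """
    if "!=" in expression:
        _attr, value = expression.split("!=", 1)
        negate = True
    else:
        _attr, value = expression.split("=", 1)
        negate = False
    if candidate is None:
        return negate
    hit = re.match(filter_value_to_regex(value), candidate) is not None
    return hit != negate


# The wildcard table from the text: (expression, returned names, excluded names).
# None in a list stands for an entry that has no filename at all.
WILDCARD_TABLE = [
    ("filename=*solera*", ["solera", "mysolerastuff", "solerastuff", "mysolera"],
     ["sol123era", "sollera"]),
    ("filename=*solera", ["solera", "mysolera"], ["solerastuff"]),
    ("filename=solera*", ["solera", "solerastuff"], ["mysolera"]),
    ("filename=sole*ra", ["solera", "solemncapybara"], ["solenoid", "mordedura"]),
    ("filename=sol?ra", ["solera", "sol1ra"], ["sol123ra"]),
    ('filename="*solera*"', ["*solera*"], ["solera", "mysolera"]),
    ('filename="sol?ra"', ["sol?ra"], ["solera"]),
    (r"filename=\*solera*", ["*solera", "*solerastuff"], ["solerastuff", "mysolerastuff"]),
    ("filename!=*", [None], ["solera"]),
]


def check_table(table=WILDCARD_TABLE):
    """Return every (expression, candidate, expectation) the matcher gets wrong."""
    failures = []
    for expression, returned, excluded in table:
        for name in returned:
            if not matches(expression, name):
                failures.append((expression, name, "should match"))
        for name in excluded:
            if matches(expression, name):
                failures.append((expression, name, "should not match"))
    return failures


if __name__ == "__main__":
    print("table mismatches:", check_table())
    print(matches("http_uri=wp\\-admin", "wp-admin"))
```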

Logical Operators in Primary Filters

Filters are applied from left to right, such that the first value on the left is filtered first and each filter is applied afterward, in order.

For this filter the data is filtered first on the application_id value and then on the ipv4_initiator value, which returns all entries where the application is HTTP and the initiator IP is not 10.10.2.123. The default logic joins unlike attributes with AND and identical attributes with OR.


In this filter, the operator after application_id is AND, whereas between the two ipv4_initiator filters the operator is OR. Click the More Information icon in the status bar to see the query that is passed to the system.

Logical Display

When you enter filter definitions in the primary filter bar, the logical equivalent is displayed below the graphical display.

The logical display shows how Boolean AND joins filters with different attributes, whereas filters with the same attribute are joined with OR. This is the query path:

The logical display also shows how filters that contain multiple, comma-delimited values for the same attribute are joined by AND.


If the application_id values were entered as individual attributes, they would be joined by OR.

Creating Complex Filters

With the logic exposed on the line below, you can directly edit the operators (AND, OR only) and change the parentheses, thereby creating "complex filters."

For example, when you change the second AND to OR, it forces a second set of parentheses.

Because the default logic does not permit OR between unlike attributes, the graphical filters disappear; however, the filter is still valid. Notice that the query path, below, contains escaped curly and square brackets, which indicates that the filter is complex.


Likewise, you can move the parentheses to a different location, and the filter is still valid.

Complex Filters Across Namespaces

All filter attributes belong to one of four namespaces: flows, verdicts, packets, and groups. The Metadata Settings table shows the namespace for each attribute. A complex filter cannot contain attributes from different namespaces. For example, all four namespaces are present in this filter:

Because AND joins all of the attributes, the filter is valid. However, if you change one or more ANDs to OR, the filter is not valid, and an error message is displayed.

Likewise, if you add parentheses the filter is not valid.

Logical Display of Indicators

When an indicator is included in the primary filter:

• The individual filters in an indicator are not shown in the logical display, because indicators can contain an extremely high number of filters.
• The individual filters inside an indicator are treated as individual filters, and then the default logic is applied.


For example, the default Local File Analysis indicator contains these filters:

Because all of the attributes are the same, the filters are joined by OR when the indicator is added to the path bar or used in a rule. When another filter is included with the indicator ("favorite"), the displayed Boolean is always AND.

However, the actual logic of this filter is

(file_extension=exe OR file_extension=pdf OR file_extension=html OR file_extension=htm OR file_extension=js OR file_extension=swf OR file_extension=jar)

Boolean OR is the operator because all of the filters use the same attribute: file_extension. When an indicator contains unlike attributes, the logic differs depending on the Boolean that joins the indicator with the other filters. For example, a custom indicator called OCSP Japan contains two filters, each using a different attribute:

When adding another filter that has one of the same attributes as the indicator, the logical display shows AND.

However, the actual logic is

(application_id="ocsp" and (country="Japan" OR country="China"))

If you change the AND to OR, the logic changes to

((application_id="ocsp" and country="Japan") OR country="China")

The filters in the graphical display are not shown, because the OR is not supported by the default logic.
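As an added example that is not from the original guide, this Python model covers both Logical Operators in Primary Filters and Logical Display of Indicators: the two indicator definitions are constructed from the indicators the text describes, and comparing logical_display with default_logic shows why the display reads AND while the query the default logic builds nests an OR.

```python
from collections import OrderedDict

# Constructed indicator definitions, modelled on the two indicators the text
# describes (the default Local File Analysis indicator and the custom OCSP Japan).
INDICATORS = {
    "Local File Analysis": [("file_extension", ext)
                            for ext in ("exe", "pdf", "html", "htm", "js", "swf", "jar")],
    "OCSP Japan": [("application_id", "ocsp"), ("country", "Japan")],
}


def expand(terms, indicators=INDICATORS):
    """Flatten a primary filter into (attribute, value) pairs.

    A term is ('attribute', 'value') or ('indicator', name). An indicator's
    filters are treated as individual filters, so they are expanded in place
    (recursively, for indicators that contain indicators) before the default
    logic is applied.
    """
    flat = []
    for attr, value in terms:
        if attr == "indicator":
            flat.extend(expand(indicators[value], indicators))
        else:
            flat.append((attr, value))
    return flat


def default_logic(terms, indicators=INDICATORS):
    """Render the query the default logic actually builds.

    Filters on the same attribute are joined with OR; different attributes
    are joined with AND; one filter whose value is comma-delimited is a
    single filter whose values are joined with AND.
    """
    groups = OrderedDict()
    for attr, value in expand(terms, indicators):
        groups.setdefault(attr, []).append(value)
    clauses = []
    for attr, values in groups.items():
        alternatives = []
        for value in values:
            parts = [f'{attr}="{v.strip()}"' for v in value.split(",")]
            alternatives.append(parts[0] if len(parts) == 1
                                else "(" + " AND ".join(parts) + ")")
        clauses.append(alternatives[0] if len(alternatives) == 1
                       else "(" + " OR ".join(alternatives) + ")")
    return " AND ".join(clauses)


def logical_display(terms, indicators=INDICATORS):
    """Render what the UI's logical display shows: an indicator appears by
    name only, and the operator between it and the other filters is always
    AND, even when the expanded logic (default_logic) nests an OR."""
    names = [value for attr, value in terms if attr == "indicator"]
    plain = [(attr, value) for attr, value in terms if attr != "indicator"]
    clauses = names + ([default_logic(plain, indicators)] if plain else [])
    return " AND ".join(clauses)


if __name__ == "__main__":
    ocsp_plus_china = [("indicator", "OCSP Japan"), ("country", "China")]
    print("displayed:", logical_display(ocsp_plus_china))
    print("actual:   ", default_logic(ocsp_plus_china))
```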


Filter Operators

Operation | Syntax | Example | Result
AND | =<"value1","value2"> | ipv4_address="1.1.1.1","2.2.2.2" | Returns entries with both 1.1.1.1 and 2.2.2.2 as host addresses.
AND | = | ipv4_address=1.1.1.1 application_id=http | Returns HTTP entries with host address 1.1.1.1.
OR | = | ipv4_address=1.1.1.1 ipv4_address=2.2.2.2 | Returns entries with either 1.1.1.1 or 2.2.2.2 as host addresses.
RANGE | = | ipv4_address=1.1.1.1-1.1.1.254 | Returns entries with any host address between 1.1.1.1 and 1.1.1.254.
NOT | != | application_id!=http | Returns all applications except HTTP.
NOT | !indicator | !MIME Type BIN | Returns everything that does not match mime_type="application/bin", "application/binary", "application/x-msdownload".
contains | ~ | http_uri~yahoo | Returns all URIs that contain yahoo.
does not contain | !~ | http_uri!~twitter | Returns all URIs except those that contain twitter.
is null | !=* | referer!=* | Returns all entries where the referer field is empty or non-existent.
greater than | > | vlan_id>45 | Returns all entries that have VLAN ID numbers larger than 45.
greater than or equals | >= | packet_length>=1024 | Returns all entries that have packet lengths of 1024 bytes or larger.
less than | < | interface<3 | Returns all entries from interfaces with an ID less than 3.
less than or equals | <= | port_initiator<=35000 | Returns all entries that have port initiator number of 35000 or lower.

• OR is operational only with the same attribute types, for example, two application_id filters or multiple port filters. If the attribute types are different, the operation is always AND.
• To apply a primary filter to a different view (Summary, Reports, Extractions, Geolocation), select the view while the filter is still present in the filter bar.
• To save a primary filter, click the star to add it to the indicators list.
• To delete an individual filter, click its white and click Update or press Enter.
• To delete everything in the filter bar, click and click Update or press Enter.
• To modify an attribute/value pair, click it to enter edit mode, type the new value, and press Enter.


• Applying a primary filter causes an operation such as extraction to be performed again, whereas advanced filters are applied only to the data already in the view.

Logical Operators in Advanced Filters

• NOT (does not equal) is treated as a negative AND. When there are multiple NOTs in the filter, they are treated as a single AND operator.
• Any special character between double quotes is treated as plain text: the asterisk in "A*C" is treated as plain text, whereas in A*C it is a wildcard.
• The term null is valid for the = and != operators: referer!=null will return all entries where the referer field contains a value.

Universal Connector

With the Universal Connector, you can directly add IP addresses to the filter bar from a web browser. To install the Universal Connector, select Settings > About > Universal Connector. Under Browser Bookmarklet, right-click the Bookmark button and select Add to favorites, Bookmark this link, or Add link to bookmarks (depending on your browser).

Add an IP Address to the Filter Bar with the Universal Connector

Browse to a page with one or more IP addresses on it. (The IP addresses must be in dotted-decimal notation: 111.222.33.44, not domain.tld.) Launch the Universal Connector by opening Bookmarks and double-clicking Universal Connector. The Universal Connector underlines all IP addresses (linked and plain text). Place your cursor over an IP address to reveal the Add control and click it. The IP address is added to the list; alternatively, you can click the IP Address field and type the address manually.

Optional — For Endpoint, select Either, Source, or Destination.
Optional — For Port, type a port number and select the Type and Endpoint values.
Optional — Select a new date or time (default: last 15 minutes).

For Appliance, type the hostname or IP address of your appliance. Click Investigate in Security Analytics. The filter is added to the filter bar in the Analyze Summary view.


Indicators

An indicator consists of one or more primary filters (attribute/value pairs). Indicators are used to filter report results and to trigger rules and alerts. Click on an indicator anywhere on the web UI to open the Edit Indicator dialog.

Preloaded Indicators

Symantec Security Analytics is preloaded with a variety of indicators, including but not limited to the following:

• Presented MIME Types
• Commonly Scanned Ports
• SSL Certificate Validity
• Presented File Types
• Non-Standard Protocol Traffic
• RFC1918 IPv4 Addresses


Live-Feed Indicators

Security Analytics includes live-feed indicators such as:

• From rules.emergingthreats.net
  o CI Army Threat Intel
  o Botnet C2
  o Compromised IPs
  o Spamhaus Block List
• From abuse.ch
  o Ransomware Tracker
  o Feodo Tracker
  o Zeus Tracker - Bad Domains, IPs
• From malwaredomains.com
  o DNS-BH - MalwareDomains Domains, IPs, URLs
• From isc.scans.edu
  o SANS ISC - IP Block List
  o SANS ISC - Suspicious Domains

Characteristics

• The live-feed indicators are updated only after they have been activated.
• After activating a live-feed indicator, click Edit to make sure that:
  o the update schedule is convenient (default: daily at 03:33)
  o your appliance can reach the URI
• Every update replaces the entire indicator: deletions, additions, changes
• To create your own live-feed indicators, follow the instructions to import indicators.

Indicator Specifications

• The size of the filters in an indicator cannot exceed 512 MB, which is calculated by character count. For example, an indicator can contain ~900,000 ipv4_address filters or ~150,000 http_server filters (~200 characters for the URL values).
• When an indicator has more than 1000 filters, the filters cannot be edited or deleted using the web UI.
• A maximum of 1024 indicators can be active (in rules) at the same time.

Using Indicators

To use indicators, do one of the following:

• Select Analyze > Indicators. For the indicator, click Add to Filter Bar. The indicator is added to the filter bar on the Summary page.
• Select Analyze > [Summary | Reports | Extractions | Geolocation] and
  o Expand the filter bar to select the desired indicator.
  o Type part of a name and select the indicator from the options that the system presents. You can choose to include or exclude the indicator: or !.
  o Create a rule and add the indicator to the rule under First Event.

Create a New Indicator

Select Analyze > Indicators. Select Actions > New. The Create an Indicator dialog box is displayed. Specify a Name for the indicator. For Filter, type one or more primary filter attributes or the names of existing indicators. Begin typing to get suggestions. You can use wildcard expressions and logical operators.


The rules engine cannot detect values for attributes that are in the verdicts or groups namespaces. Those values are produced by data-enrichment processes, which populate the Indexing DB after the data has passed through the rules engine. Attributes in the packets namespace (such as SCADA reports) are also not supported by the rules engine, with the exception of packet_length.

Optional — Clear the Shared check box. Click Save.

Create an Indicator from the Filter Bar

In the filter bar, type the desired filter attributes. You can use wildcard expressions and logical operators. Click the star to save the indicator. Provide a name for the indicator and indicate whether it is to be shared. Click Save. You can view the new indicator on Analyze > Indicators or in the filter bar drop-down list.

Import Indicators from a List, or Create a Live-Feed Indicator

Select Analyze > Indicators and select Actions > Import. The Import an Indicator dialog is displayed. For File Type, select one of the following:

• DShield — Access the feed at feeds.dshield.org/block.txt. This file, updated daily, shows the top 20 attacking Class C networks over the past three days.
• Snort® — Recommended rules are located at rules.emergingthreats.net/blockrules/. See Snort Rules for conversion conventions.
• JSON — Indicators formatted as JSON arrays, such as indicators that have been exported from a Security Analytics appliance.
• List — Import a text file that contains one or more values for a single filter attribute. Delimiters determine the Boolean operator.

Specify a Name for the indicator. Snort Only — Select the Honor rule directionality check box to preserve inbound- and outbound-specifics. See Snort Rules. Location — Select one of the following:

• Browser Upload — Click Browse and select a file to upload.
• Remote — Use this option for third-party live feeds or for your own live updates. Specify the URI where the file containing the indicators is located, then set the schedule for how often the indicators are to be uploaded. (The scheduler is similar to the scheduler for reports.) Each time the file is updated, the indicator changes to include all additions, deletions, and edits to the file.

Click Save.

Snort Rules

Imported Snort files (.rules) are converted to filter attributes as follows:

• The Layer 4 protocol becomes ip_protocol=tcp or ip_protocol=udp. The protocol is not attached to a specific IP address or port as it is with the Snort rule.
• Fields such as msg, reference, flags, classtype, and sid are ignored.
• The IP addresses and ports are extracted from Snort rules as ipv4_address=[x] and port=[x] unless you select Honor rule directionality to specify initiator or responder:
  o $EXTERNAL_NET -> [$HOME_NET] creates IP and port initiator filters
  o $HOME_NET -> [$EXTERNAL_NET] creates IP and port responder filters

Example: This Snort rule, imported with Honor Rule Directionality selected:

alert tcp $HOME_NET any -> 203.44.1.211 1023 (msg:"ET CNC Shadowserver Reported CnC Server Port 1023 Group 1"; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 360, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2405004; rev:4233;)

becomes this indicator:

No other attributes besides IP protocol, source/destination IP/port, and direction are extracted from Snort rules.
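An added example, not the appliance's own importer: a Python conversion of a single-line Snort rule into indicator filters following the rules above. It maps values on the source side of -> to initiator filters and values on the destination side to responder filters (which reproduces the page's example), assumes the directional attribute names ipv4_initiator, ipv4_responder, port_initiator and port_responder used by the primary filter elsewhere on this page, and treats a <> rule as non-directional, an assumption the page does not cover.

```python
import re
from typing import List

# Single-line Snort rule: action proto src_ip src_port direction dst_ip dst_port (options)
_HEADER = re.compile(
    r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$",
    re.DOTALL,
)


def _values(token: str) -> List[str]:
    """Split a Snort address or port token into concrete values.

    Variables such as $HOME_NET / $EXTERNAL_NET and the keyword 'any' carry
    no concrete value and so produce no filter; a bracketed list such as
    [10.1.2.3,10.1.2.4] produces one value per member.
    """
    token = token.strip()
    if token.startswith("[") and token.endswith("]"):
        return [v for part in token[1:-1].split(",") for v in _values(part)]
    if token == "any" or token.startswith("$"):
        return []
    return [token]


def snort_to_indicator(rule: str, honor_directionality: bool = False) -> List[str]:
    """Convert one Snort rule into an indicator's filters, per the text:
    only the Layer 4 protocol (tcp/udp), IP addresses and ports are used;
    every option (msg, reference, flags, classtype, sid, ...) is ignored.
    """
    m = _HEADER.match(rule)
    if not m:
        raise ValueError("expected a single-line Snort rule with an options block")
    _action, proto, src_ip, src_port, direction, dst_ip, dst_port, _options = m.groups()
    filters = []
    if proto.lower() in ("tcp", "udp"):
        filters.append(f"ip_protocol={proto.lower()}")
    # With directionality honoured, values on the source side of '->' become
    # initiator filters and values on the destination side become responder
    # filters. A '<>' rule has no direction, so it falls back to the
    # non-directional attributes (assumption; the text does not cover '<>').
    directional = honor_directionality and direction == "->"
    for ip_tok, port_tok, role in ((src_ip, src_port, "initiator"),
                                   (dst_ip, dst_port, "responder")):
        ip_attr = f"ipv4_{role}" if directional else "ipv4_address"
        port_attr = f"port_{role}" if directional else "port"
        filters += [f"{ip_attr}={v}" for v in _values(ip_tok)]
        filters += [f"{port_attr}={v}" for v in _values(port_tok)]
    return filters


# The rule quoted on the page.
PAGE_RULE = (
    'alert tcp $HOME_NET any -> 203.44.1.211 1023 (msg:"ET CNC Shadowserver '
    'Reported CnC Server Port 1023 Group 1"; flags:S; '
    'reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; '
    'reference:url,www.shadowserver.org; threshold: type limit, track by_src, '
    'seconds 360, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; '
    'flowbits:set,ET.BotccIP; sid:2405004; rev:4233;)'
)

# Constructed rule with a source-side address list (RFC 1918 addresses).
LIST_RULE = 'alert udp [10.1.2.3,10.1.2.4] 53 -> $HOME_NET any (msg:"constructed"; sid:1;)'

if __name__ == "__main__":
    print(snort_to_indicator(PAGE_RULE, honor_directionality=True))
    print(snort_to_indicator(PAGE_RULE))
    print(snort_to_indicator(LIST_RULE, honor_directionality=True))
```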

Export Indicators

Follow these steps to export JSON indicators, which can be imported to another Security Analytics appliance. Select the check box for the indicator(s) that you want to export. Select Actions > Export. Follow the prompts to save indicators.json to your workstation.


Edit Indicators

To edit an indicator, do one of the following:

• Select Analyze > Indicators and click Edit for the indicator to modify.
• Click on an indicator anywhere on the web UI to open the Edit Indicator dialog.

Make the desired changes to the filters or the name of the indicator and click Save.

If you change the name of the indicator, the indicator's name will be changed for all of the alerts, including alerts that were posted when the indicator had its previous name.

Delete Indicators

When you delete an indicator, you also delete every other indicator, alert, and rule that contains only that indicator. A rule that still contains an indicator that has not been deleted will not be deleted.


Example: The following items contain Indicator1:

• Indicator3 contains Indicator1 and application_group~web.
• AlertABC contains Indicator1 and another indicator called Email.
• AlertXYZ contains ChinaWeb and Indicator3.

The alerts that are triggered by the rules, by indicator, are as follows:

When Indicator1 is deleted, these are the results:

• Indicator3 is deleted because it contained Indicator1.
• AlertXYZ is not deleted because it has a remaining indicator, ChinaWeb.
• AlertABC is not deleted because it has a remaining indicator, Email.
• All alerts that were triggered by Indicator1 and Indicator3 are deleted.
• The alerts that were triggered by Email and ChinaWeb still remain.


Format a List of Indicators

You can import a list of values for a single filter attribute. Importing a list of values in this manner automatically creates the indicator as attribute=value. The list delimiter determines the Boolean operator.

Delimiter | Example Text File | Indicator(s) Created
Comma (AND) | network management, file server, file transfer, network service | attribute="network management, file server, file transfer, network service"
Comma (AND) | 192.168.*.*, 10.0.0.0_8, 172.16.0.0/12 | attribute="192.168.*.*, 10.0.0.0_8, 172.16.0.0/12"
Line Break (OR) | 22 / 33 / 44 / 55 (one value per line) | attribute="22"; attribute="33"; attribute="44"; attribute="55"
Line Break (OR) | *solera* / sol?ra / "solera" (one value per line) | attribute="*solera*"; attribute="sol?ra"; attribute="\"solera\""

• The system will automatically escape double quotation marks, backslashes, and other non-wildcard characters.
• For other operators, nesting, or multiple attributes, use JSON formatting and import as a JSON Indicator.

JSON Formatting for Indicators

• Define the indicators to import using JSON. The file should be UTF-8 encoded without BOM.
• Imported indicators that have the name of an existing indicator will be renamed 2.
• Valid values for attribute and value come from the primary filter.
• Valid values for the operator are equals (=), not equals (!=), less than (<), less than or equals (<=), greater than (>), greater than or equals (>=), contains (~), not contains (!~).

Format single-level indicators as follows:

{
  "indicator_name_1": [
    "attribute_1<operator>value_1",
    "attribute_2<operator>value_2"
  ],
  "indicator_name_2": [
    "attribute_3<operator>value_3",
    "attribute_4<operator>value_4"
  ]
}


Nested JSON Indicators

To nest indicators, the lowest-level indicators must be defined first in the file, followed by the "container" indicator. The container cannot reference indicators that already exist on the appliance. The following example creates four indicators: three "sub-indicators" and one "container" that includes the sub-indicators.

{
  "sub-indicator_1": [
    "attribute_1=value_1"
  ],
  "sub-indicator_2": [
    "attribute_2=value_2"
  ],
  "sub-indicator_3": [
    "attribute_3=value_3"
  ],
  "CONTAINER_INDICATOR": [
    "indicator=sub-indicator_1",
    "indicator=sub-indicator_2",
    "indicator=sub-indicator_3"
  ]
}
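As an added example covering both Format a List of Indicators and the JSON and nested formats (not the appliance's own import code), this Python turns a list file into attribute="value" filters with the documented escaping of double quotes and backslashes, checks the nesting rule that a container may reference only sub-indicators defined earlier in the same file, and serialises the result as UTF-8 without a BOM; the list contents and the mis-ordered file are constructed inputs.

```python
import json
from typing import Dict, List


def list_to_filters(attribute: str, text: str) -> List[str]:
    """Convert the contents of an imported list file into the filters of one
    indicator, following the delimiter rules in the text.

    Each line becomes its own attribute="value" filter; the default logic
    then joins filters on the same attribute with OR (line break = OR).
    A comma-delimited line stays one value, which is joined with AND.
    Double quotes and backslashes inside a value are escaped (the text says
    the importer also escapes other non-wildcard characters; which ones is
    not listed, so only these two are handled here).
    """
    filters = []
    for line in text.splitlines():
        value = line.strip()
        if not value:
            continue
        escaped = value.replace("\\", "\\\\").replace('"', '\\"')
        filters.append(f'{attribute}="{escaped}"')
    return filters


def nesting_problems(indicators: Dict[str, List[str]]) -> List[str]:
    """Check the nesting rules for a JSON import file.

    An "indicator=<name>" filter may only reference an indicator that is
    defined earlier in the same file; a reference to a later entry, or to an
    indicator that merely exists on the appliance, is rejected. Returns one
    message per offending filter (an empty list means the file is well-formed).
    """
    problems, defined = [], set()
    for name, filters in indicators.items():
        for f in filters:
            if f.startswith("indicator="):
                ref = f[len("indicator="):]
                if ref not in defined:
                    problems.append(f"{name}: references {ref!r}, which is not "
                                    "defined earlier in this file")
        defined.add(name)
    return problems


def build_indicator_file(indicators: Dict[str, List[str]]) -> bytes:
    """Serialise indicators as {name: [filter, ...]} in UTF-8 without a BOM.

    Dict insertion order is preserved, so sub-indicators listed before their
    container come out first, as the nesting rules require.
    """
    problems = nesting_problems(indicators)
    if problems:
        raise ValueError("; ".join(problems))
    # "utf-8" (not "utf-8-sig") so that no byte-order mark is written.
    return json.dumps(indicators, ensure_ascii=False, indent=2).encode("utf-8")


# The nested example from the text: three sub-indicators, then the container.
NESTED = {
    "sub-indicator_1": ["attribute_1=value_1"],
    "sub-indicator_2": ["attribute_2=value_2"],
    "sub-indicator_3": ["attribute_3=value_3"],
    "CONTAINER_INDICATOR": ["indicator=sub-indicator_1",
                            "indicator=sub-indicator_2",
                            "indicator=sub-indicator_3"],
}

# Constructed list file for the Line Break (OR) row of the delimiter table.
LIST_FILE = '*solera*\nsol?ra\n"solera"\n'

if __name__ == "__main__":
    print(list_to_filters("attribute", LIST_FILE))
    print(build_indicator_file(NESTED).decode("utf-8"))
```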


Reports

The Reports page presents a detailed, filterable view of every kind of report. Select which reports are available on Settings > Metadata. On the Summary page, double-click the heading of a widget to open that report on the Reports page.

• Reports Page Details
• List of Available Reports

Risk and Visibility Report

Generate a PDF document to provide non-analysts, executives, and other members of your organization with a general overview of the latest threats that have been detected by Security Analytics.

• The logged-in user must be in a group that has permission to generate the report under Analyze > Reports in the permissions table.
• If you import a PCAP, pivot to the Summary page, and then run the Risk and Visibility report for the PCAP, you should add a few minutes to the timespan so that data-enrichment verdicts can be included in the report.

Select [Account Name] > Risk and Visibility Report. Select the desired timespan. By default the timespan in the current window is selected. Select one or both options:

• Email — In the space provided, specify one or more comma-delimited email addresses. For this option, you must also specify an email server on Settings > Communication > Server Settings > Email Settings.
• Download — A PDF of the report is generated. When it is finished, you can download it from the system notifications.


You can monitor the progress of the report by selecting Analyze > Report Status > List. The reports are displayed with Risk Report in the Name column. To stop the Risk and Visibility report, select the check boxes for all of the reports and click Delete.

Reports Page

Analyze > Summary > Reports

1 Report Summary Chart

2 Total [Unit] over Time histogram.

3 Report comparison controls and advanced filter

4 Report results list

5 Column selector control


Report Results List

The report results list is a table of the individual records as well as the bytes, packets, sessions, IP fragments, and bad checksums associated with that record. (You can display the IP fragments and bad checksums by clicking the column selector control.) The column values are shown as both an absolute number and as a percentage. Click on any of the column headers to sort on the column value; click a second time to invert the sort order. To specify how many rows to display at a time use the Results per Page control at the bottom of the page. (Permanently set this value by selecting [Account Name] > Preferences.)

Reports are limited to 100,000 rows.

When you change the sort topic or the sort order, the Report Summary and Total [unit] over Time charts are updated to reflect the changed topic or order.

Compare Report Results

On the Reports page, you can compare the amount of change over time. Select Analyze > Summary > Reports. Select the desired view from the view selector. Select Enable Report Comparison. Optional — Select the unit of measurement to compare: Bytes, Packets, or Sessions. Optional — The Comparison Time Range box displays the From and To times in the main timespan selector. Expand the timespan control to select a timespan (last 15 minutes, last 60 minutes, etc.) or click the date/time to specify another time. The change over time is displayed both as the amount (Change column) and the percentage (Change % column). The default sort order is Change in absolute values, with the greatest value first. The Total [Unit] over Time chart displays a line that represents the older timespan.

In the Selected Totals chart, change the display settings to Bar Chart or Column Chart to see the comparison line.


Save Report Results

You can save report results to view later.

Select Analyze > Summary > Reports. From the view selector, select the view to save. Optional — Use the primary filter or timespan filter, as desired. Select Actions > Save. Type a name for saved output (max. 300 characters). Click Save. Retrieve the saved results by selecting Analyze > Report Status > List and clicking View Report for that entry.

Export Reports

You can export basic reports in CSV or PDF format. (Compared results cannot be exported.) Select Analyze > Summary > Reports. From the view selector, select the view to export. Filter and modify the results as desired. Select Actions > Download [PDF | CSV].

• CSV file:
  o Follow the prompts to save __report.csv.
• PDF file:
  o A message indicates that the generation of the report has begun.
  o Click the notification at the upper-right corner of the web interface. The entry shows PDF generation in progress.
  o When the process has completed, the status changes from Processing to Download. Click the entry and follow the prompts to save deepsee-report.pdf.

Report Status Pages

Analyze > Report Status

The Report Status pages display reports that are running or that have completed. Use the information on these pages to keep track of system resources and of report-generation history.

Analyze > Report Status > Summary

The Report Status Summary page displays report totals by the following:

• State — The current state of a report. Possible values are:
  o New — The report request has been sent to the query handler.
  o Starting — The query handler has begun generating the report.
  o Active — The report is currently running but is not complete.
  o Stopped — The report was stopped by the user clicking the Stop Report button, by browsing away for more than a minute, or by closing the browser window where the report was initiated.
  o Stopping — The stop command has been sent to this report but it has not stopped yet.
  o Complete — The report has run to completion.
• User — Username of person who ran the report.
• Field — Attribute name of the report. For example, if you select Analyze > Summary and the selected view has four widgets on it, each widget will have its own entry in this list.

Analyze > Report Status > List

The Report Status List displays the details about every report that has been saved or that has not timed out. Reports that have not been viewed for one hour will be removed from this list. Saved reports do not time out.

On this page use the check box for each report and the Delete button to:

• Stop reports that were started accidentally
• Stop reports that hang instead of completing
• Delete reports that take up too much space
• Delete saved reports that are no longer needed

Report Status Columns

• ID — Unique ID number of the report
• Username — User who ran the report
• Field — Attribute name of the report
• Timespan Start — Start time for the report data
• Timespan End — End time for the report data
• Start — Time at which the report was started
• End — Time at which the report was completed
• Processing Time — Interval between Start and End; the amount of time to generate the report
• Name — Name of the saved report; field is blank if the report has not been saved
• Saved — Whether the report has been saved; non-saved reports (false) will time out of this list after one hour


• Disk Usage — Amount of space that the report occupies; empty reports are typically 16 kB
• State — The current state of a report. Possible values are:
  o New — The report request has been sent to the query handler.
  o Starting — The query handler has begun generating the report.
  o Active — The report is currently running but is not complete.
  o Stopped — The report was stopped by the user clicking the Stop Report button, by browsing away for more than a minute, or by closing the browser window where the report was initiated.
  o Stopping — The stop command has been sent to this report but it has not stopped yet.
  o Complete — The report has run to completion.
• Actions — Click View report summary to see the report in Analyze > Summary > Reports or click to see the report details.

Scheduled Reports

You can set up reports to be run at predetermined times on a regular basis. These reports are sent to specified email accounts.

Prior to receiving scheduled reports, you must configure SMTP settings.

Do one of the following:

• Select Analyze > Scheduled Reports.
• Select Analyze > Summary > Reports > Actions > Schedule Report.

Click New. For Name, specify a unique name for the schedule. This name will be the filename of the report. For Recipients, type one or more email addresses to receive the reports. For Output Format, select PDF or CSV. Specify whether the scheduled report is to be shared. (A shared report can be edited by all of the authorized users on the appliance; however, the reports will be sent only to the accounts that are specified in the Recipients field.)

How often will the report run? Select the tab that represents the frequency of the report to be run and set the parameters.

• In the Hour fields, 00 = midnight.
• For Custom, you can select multiple values for Months, Weeks, and Days.


• The value in [x] Week of the Month is defined according to ISO 8601 conventions, which means that the week in which the first day of the month appears is the first week, even when the first day falls on a weekend.

What is on the report? For Report Type, select one of the available report types. Begin typing to skip to the report name. Optional — For Filter, type filter attributes and values to apply. Begin typing to get suggestions.

The attributes for imported PCAPs — interface=imptX and import_id=Y — are not valid for this field unless you select Only Once for the timespan.

For the report timespan, select whichever option is available:

• Standard Range — Select the amount of time to be included in the report. The time is calculated backwards from the time the report will run. For example, if you schedule a report to run daily at 13:00 and you specify a range of 2 hours, the report will contain data from the two hours previous to 13:00, that is, 11:00 to 13:00.
• Custom Range — Specify the timespan.

Click Save. The scheduled report is displayed in the Scheduled Reports list.


Populating the Reports

Also see: Flows in Security Analytics, Alerts, FRS Prefilter, Best Searching Practices, and Metadata Settings.

Where's my data?

If you do not see data in your reports and report widgets, it is possible that the features that populate the reports have not been activated or properly set up. This page explains how each report is populated so that you can troubleshoot empty or sparsely populated reports.

Metadata Settings

User-selectable metadata permits you to decide which metadata attributes will be written to the Indexing DB. Report data is not written to the Indexing DB unless it has been selected on this page.

Natively Indexed Metadata The data for most Security Analytics reports is extracted directly from the packet headers by the deep-packet inspection (DPI) engine, or it has been added by system processes at the time of indexing. The reports that contain this data are available within seconds of the data being captured, provided that system resources are available.

Packet-Header Metadata

• IP/port and Ethernet addresses
• IP protocol
• Email sender, receiver, subject line
• File name, extension, MIME type
• HTTP status code, method, URI, content disposition, server, referrer, user agent, location (redirect), content length
• Username, social persona (user identifier), or password
• Database or web queries
• DNS fields
• Packet length

System-Added Metadata

• Capture interface or import ID
• Application ID, application group
• Flow ID, flow duration
• NIC vendor
• File type
• Autogenerated domain and score
• Country initiator and responder
• Machine ID
• User-selectable metadata

For the other reports, specific conditions must be true before the data is written to the metadata array:

• Conversation Reports
• Data Enrichment Verdicts
• Hash Reports
• Open-Parser Rules

Conversation Reports The data for the Conversation reports is assembled only when the report is queried. For example, if you invoke the IP Layer View on the Analyze > Summary page, the IPv4 and IPv6 conversations for that timespan will be assembled and presented in their respective report widgets.

• IPv4 Conversation • IPv6 Conversation • IPv4 Port Conversation • IPv6 Port Conversation

The values in the Conversation reports are cached but are not written to the metadata DB. There is no ipv[x]_conversation attribute; to specify a conversation in the primary filter bar, enter the ipv4_address (or ipv6_address) attribute with both endpoint addresses as its values, for example ipv4_address="192.0.2.10","198.51.100.7".

Data Enrichment Verdicts Also see: Data Enrichment Process. Data for the reports in the verdicts namespace is produced by the data-enrichment process. The following conditions must be true for a data-enrichment report to contain data:

• The corresponding enrichment provider is licensed and activated.
• Traffic matches a data-enrichment rule for the provider.
• The provider has returned the verdict to Security Analytics, OR the verdict for that artifact is already in the verdict cache.

The data-enrichment reports are populated as follows:

Report: Providers

File Signature Verdict: File Reputation Service, FRS prefilter

URL Categories: Local Web Reputation Service, Global Intelligence Network (GIN)

URL Risk Verdict: Local Web Reputation Service, GIN

Local File Analysis: Calculate and Store Hashes, ClamAV, Custom Hash List, jsunpack-n, YARA

Malware Analysis Verdict: Malware Analysis appliance; also see FRS Prefilter

Third-Party Verdict: ReversingLabs® TitaniumScale® server

Threat Category: ReversingLabs TitaniumScale server

Threat Description: ReversingLabs TitaniumScale server

Threat Severity: ReversingLabs TitaniumScale server

User Name (flows namespace): Login Correlation Service

Exception: URL Risk Verdict

With one exception, you cannot use the data-enrichment verdict attributes as indicators for rules, because the data for those attributes is written to the Indexing DB after the rules engine inspects the traffic. For URL Risk Verdict data, however, the process is as follows:

The Web Reputation Service is licensed and activated.

A Web Reputation Service rule that contains the url_risk_verdict attribute is activated.

The metadata indexer sends all URLs to the local copy of the Web Reputation Service, which returns a verdict from 1 to 10, with 5 meaning unknown.

When a verdict has been returned for every URL in a flow, the metadata indexer sends the flow to the rules engine.

If url_risk_verdict is 5 or higher, the system queries GIN to obtain a definitive verdict for that URL. The verdict is written to the Indexing DB.

Because the rules engine evaluates the flow before GIN is queried, a rule sees the local verdict, while the Indexing DB ultimately holds the GIN verdict.
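The order of the steps above decides which value a rule actually sees. The following Python model is an added example, not Security Analytics code: it walks a flow of URLs through the same sequence (local WRS verdict for every URL, then the rules engine, then GIN for verdicts of 5 or higher) and shows that a rule keyed on url_risk_verdict is evaluated against the local verdict while the indexed verdict comes from GIN. The local database, the GIN callable, the rule threshold, and the treatment of a URL missing from the local copy (reported as 5, unknown) are assumptions; the URLs are constructed.

```python
"""Illustrative model of the URL Risk Verdict sequence; not product code."""
from typing import Callable, Dict, List, Union

UNKNOWN = 5                     # page: a local WRS verdict of 5 means "unknown"
Verdict = Union[int, str]       # 1-10, or "Unrated" when GIN cannot be reached

# Constructed local Web Reputation Service copy: URL -> risk verdict (1-10).
LOCAL_WRS_DB: Dict[str, int] = {
    "http://known-bad.example/payload.bin": 9,
    "http://benign.example/index.html": 2,
}

# Constructed stand-in for the Global Intelligence Network.
GIN_ANSWERS: Dict[str, int] = {
    "http://known-bad.example/payload.bin": 10,
    "http://new.example/q?id=1": 7,
}


def gin_online(url: str) -> int:
    """GIN reachable: return the definitive verdict."""
    return GIN_ANSWERS[url]


def gin_offline(url: str) -> int:
    """Dark site: the management interface has no route to GIN."""
    raise ConnectionError("no route to GIN")


def local_wrs_lookup(url: str, local_db: Dict[str, int] = LOCAL_WRS_DB) -> int:
    # Assumption: a URL absent from the local copy is reported as unknown (5).
    return local_db.get(url, UNKNOWN)


def rules_engine(local_verdicts: Dict[str, int], threshold: int) -> List[str]:
    """A rule keyed on url_risk_verdict >= threshold. It only ever sees the
    local verdicts, because the flow reaches the rules engine before GIN is
    consulted."""
    return [u for u, v in local_verdicts.items() if v >= threshold]


def index_flow(urls: List[str], gin_query: Callable[[str], int],
               rule_threshold: int = 7,
               local_db: Dict[str, int] = LOCAL_WRS_DB) -> Dict[str, object]:
    # 1. The metadata indexer obtains a local verdict for every URL in the flow.
    local = {u: local_wrs_lookup(u, local_db) for u in urls}
    # 2. Only when every URL has a verdict is the flow handed to the rules engine.
    fired = rules_engine(local, rule_threshold)
    # 3. Verdicts of 5 or higher are escalated to GIN; that result is what is
    #    written to the Indexing DB.
    indexed: Dict[str, Verdict] = {}
    for url, verdict in local.items():
        if verdict < UNKNOWN:
            indexed[url] = verdict
            continue
        try:
            indexed[url] = gin_query(url)
        except ConnectionError:
            # Page: not in the local database and GIN unreachable -> Unrated.
            # Assumption: a URL that was in the local copy keeps that verdict.
            indexed[url] = "Unrated" if url not in local_db else verdict
    return {"rule_fired_on": fired, "indexed": indexed}


if __name__ == "__main__":
    flow = list(LOCAL_WRS_DB) + ["http://new.example/q?id=1"]
    print(index_flow(flow, gin_online))
    print(index_flow(flow, gin_offline))
```

With the constructed data, the rule fires only on the URL whose local verdict is already 9; the unknown URL that GIN later rates 7 never triggers the rule even though its indexed verdict would satisfy it. That is the practical meaning of the exception described above.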

Hash Reports

The hash reports are not populated by the DPI engine or the metadata indexer. Hashes are calculated by the extractor under the following circumstances:

• At least one data-enrichment rule is activated, and that rule sends either a file or a file hash to one of these enrichment providers:

  o File Reputation Service
  o YARA
  o ICAP
  o Cuckoo
  o Malware Analysis
  o FireEye AX-series
  o Calculate and Store Hashes
  o Lastline File or Hash
  o ClamAV
  o TitaniumScale
  o jsunpack-n
  o VirusTotal File or Hash

• Fuzzy Hash Only — Fuzzy-hash reports are not populated until you edit /etc/solera/extractor/extractord.conf as shown and then run systemctl restart solera-extractord:

    # Flag to calculate the fuzzy hash
    calc_fuzzy_hash=1     <== Uncomment this line and set the value to 1

• Because the hash reports contain data that is calculated after the flows are sent through the rules engine, you cannot use hash attributes as indicators for rules. For example, md5_hash~93fd02e cannot trigger a rule; however, it is a valid primary or advanced filter.

Enable hash calculation for manual extractions on Settings > System. (Those settings do not affect hash-related reports.)
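Enabling the fuzzy-hash flag by hand is easy to get wrong: a line left commented out, or a second calc_fuzzy_hash=0 further down the file that silently wins. The Python helper below is an added example, not part of Security Analytics, that rewrites the setting idempotently and verifies the effective value before restarting the extractor with the systemctl command given above. The file path and the key name are taken from this page; the rest of the sample configuration is constructed.

```python
"""Added example: set calc_fuzzy_hash=1 in extractord.conf safely. Not product code."""
import re
import subprocess
from pathlib import Path

CONF_PATH = Path("/etc/solera/extractor/extractord.conf")   # path from this page
KEY = "calc_fuzzy_hash"
# Matches the key whether active or commented out, with an optional trailing comment.
KEY_RE = re.compile(rf"^\s*#?\s*{KEY}\s*=\s*(\S*)\s*(#.*)?$")

# Constructed sample; only the two calc_fuzzy_hash lines mirror the page.
SAMPLE_CONF = """# extractord.conf (constructed sample)
max_extract_size=10485760
# Flag to calculate the fuzzy hash
#calc_fuzzy_hash=0
log_level=info
"""


def enable_fuzzy_hash(conf_text: str) -> str:
    """Return conf_text with exactly one active 'calc_fuzzy_hash=1' line.

    A commented-out line is uncommented in place, an explicit 0 becomes 1,
    duplicate definitions are dropped (the last one would otherwise win),
    and a missing key is appended. All other lines are kept verbatim.
    """
    out, seen = [], False
    for line in conf_text.splitlines():
        if KEY_RE.match(line):
            if not seen:
                out.append(f"{KEY}=1")
                seen = True
            continue            # drop duplicates so the setting is unambiguous
        out.append(line)
    if not seen:
        out.append("# Flag to calculate the fuzzy hash")
        out.append(f"{KEY}=1")
    return "\n".join(out) + "\n"


def fuzzy_hash_enabled(conf_text: str) -> bool:
    """True if the effective (last, uncommented) calc_fuzzy_hash value is 1."""
    value = None
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = KEY_RE.match(line)
        if m:
            value = m.group(1)
    return value == "1"


def apply_and_restart(path: Path = CONF_PATH) -> None:
    """Rewrite the live file and restart the extractor (needs root on the appliance)."""
    updated = enable_fuzzy_hash(path.read_text())
    if not fuzzy_hash_enabled(updated):
        raise RuntimeError("calc_fuzzy_hash is still not active after rewrite")
    path.write_text(updated)
    subprocess.run(["systemctl", "restart", "solera-extractord"], check=True)


if __name__ == "__main__":
    print(enable_fuzzy_hash(SAMPLE_CONF), end="")
```

Run apply_and_restart() on the appliance as root once you have checked the rewritten text; fuzzy-hash reports start populating for flows extracted after the restart, not retroactively.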

Geolocation Symantec Security Analytics provides "geolocation," which is a representation of a host location on a world map. Select Analyze > Summary > Geolocation to view the geolocation report. The Report Summary panel displays a geographic representation of the filtered data. By default, the map is centered on the Greenwich meridian at the equator (0 lat, 0 long). The geographic location of every IP address is identified by a dot on the map. The size of the dot indicates amount of data transferred to or from that geographical area, and the saturation of the color indicates the concentration of markers: darker dots indicate that, upon zooming in on that location, you will see multiple markers.

Geolocation can locate only IP addresses that have location information in the MaxMind databases.

Map Navigation

Use the controls in the upper-left corner to zoom and center the map.

Press Shift and drag your cursor to select a specific area of the map to enlarge. The results list changes to show only the results that are in the view.

To return to the full view, click the globe icon.

Place your cursor over a dot to see how many IP addresses and how much traffic are associated with that location.

To save the view (the magnification and area), select Save Current Map as View.

Fill in the fields as desired and click Save. The view is now available from the view selector.

Results List

The locations in the list are as specific as possible. A general item such as "United States" contains all of the IP addresses in the U.S. for which a more specific location could not be found; it is not the total of all IP addresses in the United States.

Click a location to see all of the IP addresses that are associated with that location.

Saving Geolocation Results To save the results, click Actions > Save. Give the results a name and click Save.

Retrieve the results from Analyze > Saved Results. Click View Report to open the results as an IPv4 Conversation report.

Notes on the Accuracy of Geolocation Data

• Geolocation can identify only the server location, not a specific device.
• Routing randomization with services such as Tor® or Onion may produce unreliable geolocation data.
• IP addresses can be spoofed with readily available technology.

Geolocation Settings Select Settings > Geolocation to open the Geolocation page. On this page you can view and specify values used when examining the geographic location of connections. These include internal subnets, Google Earth country colors, and MaxMind city databases.

Internal Subnets Use the Internal Subnets controls to specify the geographic location of an internal subnet (or multiple subnets). This marks all the traffic on that subnet as occurring at a single location. By definition, internal subnets do not have an externally knowable geographic location and by default are located at 0 latitude, 0 longitude. Use the Internal Subnets feature to specify where your subnets are located on the world map.

Example: A company has offices in New York, Vancouver, and Tokyo. Their network IPs are 10.1.0.0/16 for New York, 10.2.0.0/16 for Vancouver, and 10.3.0.0/16 for Tokyo. Without setting the internal subnet values, they would all appear at 0,0 on the map. With the Internal Subnets feature, the subnets appear in their proper locations.

Specify Geographic Locations for Internal Subnets

Select Settings > Geolocation.

Under Internal Subnets, select the Enable Internal Subnets check box.

Type the IPv4 address for the subnet in CIDR notation that includes the zeros, for example 192.168.0.0/16. For IPv6 addresses, do not include a subnet mask.

Type the latitude and longitude for the subnet.

Type a label for the subnet. The label can be anything you want; it is displayed in the data table and when users place their cursors over the dot on the map.

To specify additional internal subnets, click add a new subnet.
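The mapping that the Internal Subnets table performs can be reproduced outside the appliance, which is useful for checking a long subnet list before you type it in. The Python below is an added example, not Security Analytics code: it validates entries the way this page describes (IPv4 as CIDR with the zeros, IPv6 without a mask), answers lookups by longest prefix so that a narrower subnet overrides a site-wide one, places unlisted internal addresses at 0,0, and hands public addresses to a MaxMind-style lookup. The three offices and their /16s are the page's own example; the coordinates, the extra /24, the IPv6 host and the MaxMind stand-in are assumptions.

```python
"""Added example: internal-subnet geolocation lookup. Not product code."""
import ipaddress
from typing import Callable, List, NamedTuple, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Location = Tuple[float, float, str]            # (latitude, longitude, label)

UNLOCATED_INTERNAL: Location = (0.0, 0.0, "internal (unlocated)")   # page: default is 0,0

# Address space with no externally knowable location (RFC 1918, ULA, loopback,
# link-local). Listed explicitly rather than via is_private, which in Python
# also covers the documentation ranges used for the public examples below.
INTERNAL_SPACE: List[Network] = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


class InternalSubnet(NamedTuple):
    network: Network
    lat: float
    lon: float
    label: str


def parse_internal_subnets(rows: List[Tuple[str, float, float, str]]) -> List[InternalSubnet]:
    """Validate rows of (address, lat, lon, label) with this page's input rules:
    IPv4 as CIDR with the host bits zero (192.168.0.0/16); IPv6 as a bare
    address without a mask, treated as a single /128 host."""
    subnets: List[InternalSubnet] = []
    for addr, lat, lon, label in rows:
        if ":" in addr:
            if "/" in addr:
                raise ValueError(f"{addr}: IPv6 internal subnets are entered without a mask")
            net: Network = ipaddress.IPv6Network(addr)
        else:
            # strict=True rejects 192.168.1.0/16 (host bits set) instead of masking it silently
            net = ipaddress.IPv4Network(addr, strict=True)
        if not (-90.0 <= float(lat) <= 90.0 and -180.0 <= float(lon) <= 180.0):
            raise ValueError(f"{addr}: coordinates out of range")
        subnets.append(InternalSubnet(net, float(lat), float(lon), label))
    return subnets


def is_internal(addr: Union[ipaddress.IPv4Address, ipaddress.IPv6Address]) -> bool:
    return any(addr.version == n.version and addr in n for n in INTERNAL_SPACE)


def locate(ip: str, subnets: List[InternalSubnet],
           maxmind_lookup: Optional[Callable[[str], Optional[Location]]] = None) -> Optional[Location]:
    """Longest-prefix match against the internal subnets, so a narrower entry
    overrides a site-wide one. Unlisted internal addresses land at 0,0; public
    addresses go to the MaxMind lookup, and None means the address cannot be
    located (the page: only IPs present in the MaxMind databases are plotted)."""
    addr = ipaddress.ip_address(ip)
    best: Optional[InternalSubnet] = None
    for s in subnets:
        if addr.version == s.network.version and addr in s.network:
            if best is None or s.network.prefixlen > best.network.prefixlen:
                best = s
    if best is not None:
        return (best.lat, best.lon, best.label)
    if is_internal(addr):
        return UNLOCATED_INTERNAL
    return maxmind_lookup(ip) if maxmind_lookup else None


# The page's three offices and /16s; coordinates are approximate and assumed.
# The /24 and the IPv6 host are added to show the override and the IPv6 rule.
OFFICES = parse_internal_subnets([
    ("10.1.0.0/16", 40.71, -74.01, "New York"),
    ("10.2.0.0/16", 49.28, -123.12, "Vancouver"),
    ("10.3.0.0/16", 35.68, 139.69, "Tokyo"),
    ("10.1.200.0/24", 40.75, -73.99, "New York DMZ"),
    ("fd00:10:1::25", 40.71, -74.01, "New York (IPv6 host)"),
])


def fake_maxmind(ip: str) -> Optional[Location]:
    """Constructed stand-in for a MaxMind City database lookup."""
    return {"198.51.100.7": (51.51, -0.13, "London")}.get(ip)


if __name__ == "__main__":
    for ip in ("10.2.5.9", "10.1.200.7", "10.1.3.4", "10.9.9.9", "198.51.100.7", "203.0.113.1"):
        print(ip, locate(ip, OFFICES, fake_maxmind))
```

The strict CIDR check matters in practice: an entry such as 192.168.1.0/16 would otherwise be accepted and silently widened to the whole /16, placing every host in that range at the wrong site.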

Geolocation Filters

The Advanced Filter control in the Results panel lets you apply additional filtering to the report data. To apply an advanced filter, click the Add a Filter box and select the filter term you want to use.

To apply a primary filter, follow these steps:

Select Analyze > Summary > Geolocation.

In the Results panel, under Location, click the city name that you want to examine. The item expands, displaying a list of the IP addresses that are associated with that geographic location.

Click an IP address to examine.

For each IP address to add as a filter, click Add to Filter Bar > As [attribute] > [Equals | Not Equals]. The filter is added to the filter bar. If you click Add to Filter Bar only, the filter ipv4_address="x.x.x.x" is added to the filter bar.

When you have finished adding filters, click Update.

MaxMind City and Country Databases

The system can use either the free (GeoLite® City) or paid (GeoIP® City) versions of the MaxMind City Databases or the MaxMind Country Databases in both IPv4 and IPv6. For more information on these databases, visit www.maxmind.com.

• Once a MaxMind City database is uploaded, it cannot be removed.
• Download the database from the MaxMind site in GZ (GZIP) format.
• MaxMind releases new free databases every month and a new paid database every week. You must upload these updated versions manually.

Select Settings > Geolocation.

Under Upload MaxMind [X] Database, click Browse. Locate and select the database file.

Click Upload. This uploads the database to Security Analytics, and it is immediately available for geolocation as well as for the Country Initiator and Country Responder reports.

Google Earth

Use the Google Earth settings to control the default color used for markers and routes in Google Earth, to enable or disable the display of routes, and to set the color used for transactions that start or end in a given country, so that routes to captured IP addresses in that country are colored differently from the default and from other countries.

Select Settings > Geolocation.

Under Google Earth Country Colors, do the following:

• Click the color swatch for Default Color to change the pin color.
• Select Enable Routes.
• Select Enable Country Colors.

If you selected Enable Country Colors, select a country. Click the Color swatch to open the color picker. Specify the color and click Select. To specify colors for additional countries, click add a new color.

Click Save.

Google Earth Files (KML, KMZ) KMZ files are compressed KML files. On Analyze > [Summary | Reports | Extractions | Geolocation], select Actions > Google Earth. Select Save File and click OK. The KMZ file is saved to your downloads directory. To display KMZ and KML files, open them in the Google Earth application.


Encapsulation Detection Security Analytics can detect and display various types of packet encapsulation.

PPPoE This figure from the Packet Analyzer shows part of an HTTP session that contains PPP-over-Ethernet encapsulation.

The Layer 2 protocol is visible only in the Packet Analyzer, whereas the Ethernet Protocol and IP Protocol reports display IPv6 and TCP, respectively.

IPv6 in IPv4 For IPv6-in-IPv4 encapsulation, as shown in this figure from the Packet Analyzer, both types of IP addresses are indexed.


The IPv6 addresses are displayed in the IPv6 Initiator and IPv6 Responder reports, and the IPv4 encapsulation is displayed in the Tunnel Initiator and Tunnel Responder reports.

GRE Encapsulation

Symantec Security Analytics can identify the endpoints and reconstruct the content of GRE-encapsulated IPv4, IPv6, and WCCP flows. The following figure shows how GRE-encapsulated traffic appears on the Summary page in a customized view.

The endpoints of the GRE tunnel are displayed in the Tunnel Initiator and Tunnel Responder report widgets. The IPv4 Conversation report widget shows the IPv4 sessions that were encapsulated in the GRE tunnel. The IPv6 Conversation report widget would show any GRE-encapsulated IPv6 sessions.

Capture filters can be configured to find GRE-encapsulated IPs using offsets. See BPF Syntax for instructions. (Consult the Security Analytics 7.3.x Reference Guide on support.symantec.com.)


The Extractions page displays the artifacts that passed through the GRE tunnel.
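The split between the Tunnel Initiator/Responder reports and the inner conversation follows directly from the packet layout. The Python below is an added example, not Security Analytics code: it parses an outer IPv4 header, recognizes IPv6-in-IPv4 (IP protocol 41) and GRE (protocol 47), walks the optional GRE checksum, key and sequence fields to find the inner header, and reports the outer and inner address pairs. It also builds the offset-based BPF capture filter the GRE passage refers to, for a plain GRE header and for one carrying a key. The packets are constructed inline with struct; WCCP-in-GRE and GRE over IPv6 are not handled.

```python
"""Added example: pull tunnel endpoints and inner addresses out of 6in4 and GRE packets."""
import ipaddress
import struct
from typing import Dict, Tuple

ETH_P_IP, ETH_P_IPV6 = 0x0800, 0x86DD
IPPROTO_IPV6, IPPROTO_GRE = 41, 47
# GRE flag bits (RFC 1701/2784/2890) in the first 16-bit word of the header.
GRE_C, GRE_R, GRE_K, GRE_S = 0x8000, 0x4000, 0x2000, 0x1000


def gre_header_len(flags: int) -> int:
    """4-byte base header, +4 checksum/offset (C or R), +4 key (K), +4 sequence (S)."""
    extra = 4 if flags & (GRE_C | GRE_R) else 0
    extra += 4 if flags & GRE_K else 0
    extra += 4 if flags & GRE_S else 0
    return 4 + extra


def _ipv4_header(buf: bytes, off: int) -> Tuple[int, int, str, str]:
    """Return (header length, protocol, src, dst) for the IPv4 header at off."""
    vihl = buf[off]
    if vihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (vihl & 0x0F) * 4
    proto = buf[off + 9]
    src = str(ipaddress.IPv4Address(buf[off + 12:off + 16]))
    dst = str(ipaddress.IPv4Address(buf[off + 16:off + 20]))
    return ihl, proto, src, dst


def _ipv6_header(buf: bytes, off: int) -> Tuple[str, str]:
    if buf[off] >> 4 != 6:
        raise ValueError("not an IPv6 header")
    return (str(ipaddress.IPv6Address(buf[off + 8:off + 24])),
            str(ipaddress.IPv6Address(buf[off + 24:off + 40])))


def parse_encapsulation(pkt: bytes) -> Dict[str, object]:
    """pkt begins at the outer IPv4 header (Ethernet header already removed).
    Outer addresses correspond to the Tunnel Initiator/Responder reports,
    inner addresses to the IPv4/IPv6 conversation reports."""
    ihl, proto, osrc, odst = _ipv4_header(pkt, 0)
    result: Dict[str, object] = {
        "tunnel_initiator": osrc, "tunnel_responder": odst, "encapsulation": "none",
        "inner_initiator": None, "inner_responder": None, "inner_version": None,
    }
    if proto == IPPROTO_IPV6:                     # IPv6-in-IPv4 (6in4)
        s, d = _ipv6_header(pkt, ihl)
        result.update(encapsulation="ipv6-in-ipv4", inner_initiator=s, inner_responder=d, inner_version=6)
    elif proto == IPPROTO_GRE:
        flags, ptype = struct.unpack_from("!HH", pkt, ihl)
        inner_off = ihl + gre_header_len(flags)
        result.update(encapsulation="gre", gre_protocol_type=ptype, gre_inner_offset=inner_off)
        if ptype == ETH_P_IP:
            _, _, s, d = _ipv4_header(pkt, inner_off)
            result.update(inner_initiator=s, inner_responder=d, inner_version=4)
        elif ptype == ETH_P_IPV6:
            s, d = _ipv6_header(pkt, inner_off)
            result.update(inner_initiator=s, inner_responder=d, inner_version=6)
    return result


def gre_inner_ipv4_bpf(inner_src: str, gre_flags: int = 0) -> str:
    """BPF capture filter for GRE packets whose inner IPv4 source is inner_src.
    Offsets count from the outer IP header (assumed 20 bytes, no options);
    the inner source address sits 12 bytes into the inner IPv4 header."""
    off = 20 + gre_header_len(gre_flags) + 12
    return f"ip proto 47 and ip[{off}:4] = 0x{int(ipaddress.IPv4Address(inner_src)):08x}"


# --- constructed sample packets (not captures from any real network) ---
def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_ipv6(src: str, dst: str, nxt: int, payload: bytes) -> bytes:
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(payload), nxt, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


# GRE with the K bit set (key = 42) carrying an IPv4 TCP segment between two RFC 1918 hosts.
GRE_IPV4_PKT = build_ipv4("203.0.113.1", "198.51.100.1", IPPROTO_GRE,
                          struct.pack("!HHI", GRE_K, ETH_P_IP, 42)
                          + build_ipv4("10.1.0.5", "10.2.0.9", 6, b""))
# 6in4: IPv6 UDP datagram inside IPv4 protocol 41.
SIXIN4_PKT = build_ipv4("192.0.2.10", "192.0.2.20", IPPROTO_IPV6,
                        build_ipv6("2001:db8::1", "2001:db8::2", 17, b""))

if __name__ == "__main__":
    print(parse_encapsulation(GRE_IPV4_PKT))
    print(parse_encapsulation(SIXIN4_PKT))
    print(gre_inner_ipv4_bpf("10.1.0.5"), "|", gre_inner_ipv4_bpf("10.1.0.5", GRE_K))
```

The BPF offsets shift by four bytes for each optional GRE field, so a filter written for a plain GRE header silently misses tunnels that carry a key or sequence number; compute the offset from the flags your tunnel actually uses, as gre_inner_ipv4_bpf does.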

Packet Analyzer Select Actions > Analyze Packets on Analyze > [Summary | Reports | Extractions | Geolocation] to see the data in an interface similar to Wireshark’s. By default, the Packet Analyzer will load only the first 1000 packets of the specified PCAP. As you scroll down to packet number 1001, Packet Analyzer will automatically load the next 1000 packets onto the screen. (For reference, the PCAP path is displayed at the top of the window.) It is recommended that you not load more than 10,000 packets, to avoid performance degradation.

Packet Analyzer Filters

The Packet Analyzer filter uses the same syntax as Wireshark® display filters. Type the desired filter string in the space provided and click Apply Filter. For more examples and information, see wiki.wireshark.org/DisplayFilters.

Action: Filter Syntax

Show only SMTP (port 25) and ICMP traffic.
tcp.port eq 25 or icmp

Show packets originating from the 192.168.0.0/16 network and destined for the 172.16.0.0/12 network.
ip.src == 192.168.0.0/16 and ip.dst == 172.16.0.0/12

Show packets originating from 2620:3b:afa:2030::1 and not destined for 2620:3b:afa:2aaf::202.
ipv6.src eq 2620:3b:afa:2030::1 and ipv6.dst ne 2620:3b:afa:2aaf::202

TCP buffer full — Source is instructing Destination to stop sending data (a zero window that is not part of a reset).
tcp.window_size == 0 && tcp.flags.reset != 1

Filter on Windows — Filter out noise while watching Windows client/domain-controller exchanges.
smb || nbns || dcerpc || nbss || dns

Match packets that contain the 3-byte sequence 0x81 0x60 0x03 anywhere in the UDP header or payload.
udp contains 81:60:03

Match HTTP requests where the last characters in the URI are gl=se. The $ character is a PCRE anchor that matches the end of a string, in this case the end of the http.request.uri field.
http.request.uri matches "gl=se$"

Packet List The Packet List pane has 8 columns and as many rows as needed to show the data being analyzed. You cannot change the columns, the sort order, or the colors. The default columns show the following data:

No.: The number of the packet in the capture file. This number does not change when a filter is applied.
Time: The timestamp of the packet. The presentation format of this timestamp cannot be changed.
Source: The IP address of the packet's origin.
Src Port: The port of the packet's origin.
Destination: The IP address of the packet's destination.
Dst Port: The port of the packet's destination.
Protocol: The protocol name in a short (possibly abbreviated) form.
Info: Additional information about the packet content.

Follow TCP Stream Click a TCP or HTTP field in the packet list to invoke the Follow TCP Stream control.

If the stream contains data, the Follow TCP Stream dialog opens and displays color-coded text for both sides of the conversation.

You can also select one side of the conversation to view.

Packet Details The Packet Details pane shows the selected packet in a detailed form that explicitly identifies the packet’s protocols. Click a protocol to see details.

The following two protocol fields are displayed in a particular manner:

• Generated fields — The packet analyzer generates additional protocol fields that are enclosed by brackets. The information in these fields is derived from the known context to other packets in the capture file. For example, if the Packet Analyzer is doing a sequence/acknowledge analysis of a TCP stream, these will be displayed in the [SEQ/ACK analysis] fields of the TCP protocol.

• Links — If the Packet Analyzer detects a relationship to another packet in the capture file, it will generate a link to that packet. Links are blue and underlined.


Packet Bytes Pane The Packet Bytes pane shows the data of the selected packet in a standard hex-dump style. As is usual for a hex dump, the left column shows the offset, the middle columns show the data in hexadecimal, and the right column shows the corresponding ASCII characters. You can select the hex characters independently of the other hex-dump columns and then paste them into the Encoder/Decoder tool.


Data Enrichment

This section includes the following topics:

• Reputation Queries
• Activate a Data-Enrichment Resource
• Exclude from Lookup
• Enrichment Providers
  o Blue Coat Intelligence Services
  o Symantec On-Demand Providers
    . Symantec Endpoint Protection
    . Advanced Threat Protection
    . DeepSight Intelligence
  o Symantec Analysis Providers
    . Malware Analysis
    . Content Analysis
  o Integration Providers
  o Local File Analysis
  o Endpoint Providers
  o Custom Hash List
  o YARA Rules
  o Login Correlation
• Filenames Sent to Providers
• Rules
• Alerts
• Extractions
• Artifacts
• Artifact Preview


Data Enrichment Use data enrichment (also called "real-time extraction" or "micro-extraction") to send selected artifacts and flows to additional resources for analysis. Among the resources are:

• Blue Coat Intelligence Services • Symantec On-Demand Providers • Symantec Analysis Providers • Third-Party Integration Providers

• Reputation Providers

Also see Data-Enrichment Process.

Reputation Queries Symantec Security Analytics supports two kinds of reputation queries:

• On Demand — The user initiates a reputation query from the web UI. • Data-Enrichment Rule — A data-enrichment rule sends matching traffic to one or more enrichment providers, such as Blue Coat Intelligence Services.

Activate a Data-Enrichment Resource

Some of the data-enrichment resources must be licensed before they can be used. Contact Symantec Support to obtain a Blue Coat Intelligence Services subscription, a Symantec DeepSight login, Symantec Malware Analysis, Symantec Content Analysis, Symantec Endpoint Protection, or Symantec Advanced Threat Protection. The Third-Party On-Demand Reputation Providers are licensed by default. Licenses for the Third-Party Integration Providers are the responsibility of the user.

Select Settings > Data Enrichment.

In the Actions column, click the deactivated icon to activate that resource.

• When using data enrichment resources that evaluate the actual file instead of a file hash, it is recommended that you create capture filters for all capture interfaces to exclude traffic to or from eth0 (!ifname eth0); otherwise, you may capture duplicate traffic as the file is exported from the Security Analytics appliance to the external resource.

• Consult Security Analytics Ports and Protocols (in the Security Analytics 7.3.x Reference Guide on support.symantec.com) to configure your network firewalls for data-enrichment traffic.


Exclude from Lookup You can specify IP addresses and domains to exclude from lookup under Settings > Data Enrichment > Exclude from Lookup.

This setting applies only to providers that evaluate URLs and IPs, such as the Web Reputation Service and VirusTotal URL.

• For IP Subnets, type those IP addresses that you want to exclude. Use CIDR notation without zeros: specify 127.0.0.0/8 as 127/8. • For Internal Domains, type domain names to exclude. • Type each entry on its own line.

• On the Alerts list, you can click a responder IP address to add it to this list.
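The Exclude from Lookup list takes IPv4 prefixes in the abbreviated form this page specifies (127/8 rather than 127.0.0.0/8) and bare domain names. To check what a given list actually covers before traffic reaches a URL or IP provider, the Python below, an added example and not Security Analytics code, expands the short CIDR form, renders the long form back to it, and tests IPs, hostnames and full URLs against the list. How the appliance itself matches subdomains is not stated on this page; the suffix match used here is an assumption. The list entries and the URLs are constructed.

```python
"""Added example: model an Exclude from Lookup list. Not product code."""
import ipaddress
from typing import Iterable, List, Set, Union
from urllib.parse import urlsplit

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def expand_short_cidr(text: str) -> Network:
    """Expand the zero-less IPv4 CIDR form used on this page ('127/8', '10.1/16')
    by padding the missing octets with zeros. Full IPv4 CIDR and IPv6 pass through;
    an address without a prefix length is a single host."""
    text = text.strip()
    if ":" in text:
        return ipaddress.ip_network(text, strict=True)
    addr, _, plen = text.partition("/")
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"{text!r}: not an IPv4 prefix")
    octets += ["0"] * (4 - len(octets))
    # strict=True rejects host bits set inside the prefix, e.g. '10.1.5/16'
    return ipaddress.IPv4Network(".".join(octets) + "/" + (plen or "32"), strict=True)


def to_short_cidr(net: Network) -> str:
    """Inverse of expand_short_cidr for IPv4: drop trailing zero octets."""
    if net.version != 4:
        return str(net)
    octets = str(net.network_address).split(".")
    while len(octets) > 1 and octets[-1] == "0":
        octets.pop()
    return ".".join(octets) + f"/{net.prefixlen}"


class LookupExclusions:
    """IP subnets and internal domains that must not be sent to URL/IP providers."""

    def __init__(self, subnets: Iterable[str], domains: Iterable[str]):
        self.nets: List[Network] = [expand_short_cidr(s) for s in subnets if s.strip()]
        self.domains: Set[str] = {d.strip().lower().rstrip(".") for d in domains if d.strip()}

    def excluded_ip(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr.version == n.version and addr in n for n in self.nets)

    def excluded_host(self, host: str) -> bool:
        """An IP literal is matched against the subnets; a name matches a listed
        domain exactly or as one of its subdomains (assumed matching rule)."""
        host = host.strip().lower().rstrip(".").strip("[]")
        try:
            return self.excluded_ip(host)
        except ValueError:
            return any(host == d or host.endswith("." + d) for d in self.domains)

    def excluded_url(self, url: str) -> bool:
        hostname = urlsplit(url).hostname
        return bool(hostname) and self.excluded_host(hostname)


# Constructed list in the form the Settings > Data Enrichment page expects.
EXCLUSIONS = LookupExclusions(
    subnets=["127/8", "10/8", "192.168/16", "2001:db8::/32"],
    domains=["corp.example", "intranet.local"],
)

if __name__ == "__main__":
    for t in ("127.0.0.1", "8.8.8.8", "wiki.corp.example", "notcorp.example",
              "http://portal.intranet.local:8080/login", "https://[2001:db8:1::5]/"):
        print(t, EXCLUSIONS.excluded_url(t) if "://" in t else EXCLUSIONS.excluded_host(t))
```

Note that a domain entry excludes the name, not the addresses behind it: a lookup keyed on an internal server's IP still leaves the appliance unless that IP is also covered by a subnet entry.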

Data Enrichment Filters See Data Enrichment Filters.

Enrichment Providers For data enrichment, Security Analytics provides a broad range of options to get the latest threat intelligence on your network traffic.

URL and IP Enrichment

To get additional threat intelligence on URLs and IP addresses, use these providers:

• Blue Coat Web Reputation Service*
• URL support for Symantec Malware Analysis*
• Symantec DeepSight*
• Symantec ATP Manager*
• Customized Pivot-Only Providers
• Third-Party Integration Providers:
  o VirusTotal® URL*
• Third-Party On-Demand Reputation Providers:
  o Domain Age Provider§
  o Google Safe Browsing®
  o Google Search
  o RobTex Host
  o RobTex IP
  o SANS ISC Host
  o SANS ISC IP
  o SORBS DNSBL Host
  o SORBS DNSBL IP
  o WHOIS Host§
  o WHOIS IP§

* Requires additional licensing or subscription from Symantec or the vendor.

§ Domain Age Reporter and WHOIS cannot be used behind a proxy.

File and File-Hash Enrichment

To get additional threat intelligence on files or file hashes, use these providers:

• Blue Coat File Reputation Service*
• Symantec Malware Analysis* §
• Symantec Content Analysis*
• Symantec Endpoint Protection*
• Symantec DeepSight*
• Symantec ATP Manager*
• Customized Pivot-Only Providers
• Local File Analysis:
  o ClamAV
  o Custom Hash List
  o jsunpack-n
  o YARA rules
• Third-Party On-Demand Reputation Providers:
  o Google Search
• Third-Party Integration Providers:
  o Cuckoo® §
  o FireEye® AX-series* §
  o Lastline® File* § or Hash
  o ReversingLabs® TitaniumCore* §
  o VirusTotal® File* §
  o VirusTotal Hash*

* Requires additional licensing, subscription, or system from Symantec or the vendor.

§ Security Analytics sends the actual file to the provider.

Other Enrichment

• Login Correlation — Get username/IP correlation from Microsoft® Active Directory logs.

• Endpoint — Send information on endpoints to providers such as EnCase® Cybersecurity by Guidance® Software.

Data Enrichment Resources in Dark Sites In environments where the Security Analytics management interface (eth0) does not have Internet access, the availability of data-enrichment providers and other resources is as follows:

Provider Available Offline

Blue Coat Web Reputation Service Partially

Blue Coat File Reputation Service No

Symantec ATP Manager With on-site deployment

Symantec Content Analysis Yes

Symantec DeepSight No

Symantec Endpoint Protection With on-site deployment

Symantec Malware Analysis Yes

Anomaly Detection Yes


ClamAV With configuration change

Cuckoo Yes

Custom Hash List Yes

FireEye Yes

FTP File Mover Yes

jsunpack-n Yes

Lastline With on-site deployment

Live-Feed Indicators With internal mirror

Local File Mover Yes

SCP File Mover Yes

ReversingLabs TitaniumScale With on-site deployment

VirusTotal No

YARA Yes

• Blue Coat Web Reputation Service (WRS) — Partial offline support. Security Analytics first queries the locally hosted copy of the Web Reputation Service database. If the data-enrichment system cannot find the URL in the local database, and it cannot access the Blue Coat Global Intelligence Network, the verdict is Unrated.
• Blue Coat File Reputation Service (FRS) — No offline support; Internet connection required.
• Symantec ATP Manager (ATP) — Offline support with on-site deployment. The ATP Manager appliance's location relative to Security Analytics determines its availability.
• Symantec Content Analysis (CA) — Offline support with on-site deployment. The Content Analysis appliance's location relative to Security Analytics determines its availability.
• Symantec DeepSight — No offline support; Internet connection required.
• Symantec Endpoint Protection (SEP) — Offline support with on-site deployment. The Endpoint Protection Manager appliance's location relative to Security Analytics determines its availability.
• Symantec Malware Analysis (MA) — Offline support. When the FRS prefilter is enabled, Security Analytics attempts to retrieve a verdict from FRS. Where there is no verdict or no Internet connection, the data-enrichment system sends the file to the locally deployed MA appliance for detonation.
• Anomaly Detection and Modeling (ADM) — Offline support. The ADM system does not use Internet resources.
• ClamAV — Offline support with configuration change. By default, ClamAV retrieves updates from the Internet, but it also supports private local mirrors for its signature database. Refer to the ClamAV documentation online (https://www.clamav.net/documents/private-local-mirrors) and to the man page for /etc/freshclam.conf for information on configuring ClamAV to use a local mirror.
• Cuckoo — Offline support. The Cuckoo sandbox is deployed locally by the user. Responsibility for update mechanisms resides with Cuckoo and is external to Security Analytics and Symantec. More information is available at http://www.cuckoosandbox.org/.
• Custom Hash List — Offline support. The custom hash list accepts MD5, SHA1, and SHA256 hashes as input by the user and does not use Internet resources.
• Domain Age Reporter — No offline support. Domain Age Reporter also cannot be used behind a proxy.
• FireEye — Offline support. FireEye's MAS and AX appliances are deployed locally by the user. Responsibility for update mechanisms resides with FireEye and is external to Security Analytics and Symantec.
• FTP File Mover, Local File Mover, SCP File Mover — Offline support. The file servers are deployed locally by the user; no Internet resources are necessary.
• jsunpack-n — Offline support. This open-source utility is wholly contained on the Security Analytics appliance; no online or offline updates are necessary.
• Lastline — Offline support with on-site deployment. Typically deployed as a cloud-based sandbox solution, Lastline can also be deployed on-site, which removes the need for Internet access.
• Live-Feed Indicators — Offline support with internal mirror. By default the live-feed indicators require Internet access for updates, but the indicators can be edited to point to a local mirror instead.
• TitaniumScale — Offline support. The ReversingLabs TitaniumScale server is deployed locally by the user. Responsibility for update mechanisms resides with ReversingLabs and is external to Security Analytics and Symantec.
• VirusTotal — No offline support. VirusTotal is a cloud-based antivirus scanner that requires Internet connectivity.
• WHOIS — No offline support. WHOIS cannot be used behind a proxy.
• YARA — Offline support. YARA rules are maintained locally by the user; no Internet resources are necessary.

Blue Coat Intelligence Services Use the Blue Coat Intelligence Services as integration providers for Data Enrichment Rules or as reputation providers for on-demand queries.

The following features are available only with an Intelligence Services subscription. Contact Symantec Support for more information.


• File Reputation Service (FRS) — The SHA256 hashes of files that match a rule are sent to the Blue Coat Global Intelligence Network (GIN), which returns a verdict based on the file-reputation information from more than 15,000 customers and 75 million endpoints that contribute to GIN's threat intelligence, which includes:

  o A black list of 3.5 billion file hashes
  o Additional black and white lists from three major security organizations
  o Symantec Malware Analysis detonation results from the field
  o Research results from Blue Coat Labs

  Symantec controls the final verdict behind a File Reputation Service score with algorithms and logic to minimize some of the noise; for example, detections from less-reputable vendors are weighted differently.

• Web Reputation Service (WRS) — The URLs associated with artifacts that match the rule are sent to GIN, which returns one or more URL categories that Security Analytics evaluates for its threat level.

The Intelligence Services provide the following reports and report widgets:

• File Signature Verdict — Verdicts that are returned by the File Reputation Service.
• Malware Analysis Verdict§ — Verdicts that are returned by Symantec Malware Analysis.
• URL Categories — URL category, returned from GIN.
• URL Risk Verdict — Risk level assigned by Security Analytics based on the URL categories.
• Local File Analysis — Verdict on common file types from the local file analysis providers (YARA, ClamAV, jsunpack-n).

§ Data for this report is available only from a Symantec Malware Analysis appliance.

Additional Symantec Threat Intelligence Resources

• Endpoint Protection — View which hosts have a particular file, and then apply policies to infected hosts.
• Advanced Threat Protection — Pivot directly from SHA256 hashes, URLs, and IP addresses to your Symantec Advanced Threat Protection (ATP) manager.
• DeepSight — Pivot directly from Security Analytics to DeepSight from URLs and file hashes (MD5, SHA1, SHA256).
• ICAP — Integrate with Symantec Content Analysis. To obtain Content Analysis, contact Symantec Support.
• Local File Analysis — Provided by default; local file analysis resources include YARA rules, ClamAV, and a user-defined hash list.
• Malware Analysis — Files that trigger a user-defined rule are sent automatically to one or more Symantec Malware Analysis appliances to evaluate their behavior in a sandbox or virtual environment. Files can also be sent manually to Malware Analysis from Security Analytics. Malware Analysis returns a verdict that indicates the level of maliciousness. To obtain Malware Analysis, contact Symantec Support.


Web Reputation Service Database Updates To configure the updates for the local copy of the Web Reputation Service database, select Settings > Data Enrichment and scroll down to Web Reputation Service Update Location.

• Web Reputation Service Version — Displays the current Web Reputation Service version and when it was last updated.
• Initiate Web Reputation Service Update — Click Update to force a local Web Reputation Service update.
• Update Interval in Seconds — Specify how many seconds between automatic Web Reputation Service updates.
• Enable Custom Update Location — Select the check box to configure an alternate location from which to update the Web Reputation Service database.
  o URL — Specify the location. If the database is protected by HTTP Basic authentication, also specify the Username and Password.

Troubleshooting Blue Coat Intelligence Services

If you are not getting responses from the Global Intelligence Network (GIN), try investigating the following issues:

• Time and NTP Settings — Incorrect time may prevent SSL validation, which prevents access to GIN.
• SSL Intercept — Security Analytics does not support SSL intercept of management traffic (eth0), because the intercept devices send different WRS and FRS certificates to Security Analytics.
• OCSP Validation and Connectivity — If OCSP fails and certificate revocation is enabled, GIN also fails.

Intelligence Services Diagnostic Tests

The Intelligence Services diagnostic tests display relevant information to assist in troubleshooting your Intelligence Services connections. Alternatively, you can run the GIN Diagnostic Script.

Under Blue Coat Intelligence Services, click the Test Service icon for Web Reputation Service or File Reputation Service and select one or more of the tests to run:

Web Reputation Service Tests

• Web Reputation Service Rules Config — Displays whether the Web Reputation Service and the Web Reputation Service rule are active.
• Web Reputation Service Credentials — Verifies that the Web Reputation Service credentials are correctly stored in the vault.
• Web Reputation Service Database Status — Displays the last time that the local copy of the Web Reputation Service was downloaded.
• Web Reputation Service — Sends a test request to the Web Reputation Service and displays the result.

File Reputation Service Tests

• File Reputation Service Rules Config — Displays whether the File Reputation Service and the File Reputation Service rule are active.
• File Reputation Service Credentials — Verifies that the File Reputation Service credentials are correctly stored in the vault.
• File Reputation Service — Sends a test request to the File Reputation Service and displays the result.

Click Run. The results are displayed below. Click the arrow by each test result to see details.

Click Download Diagnostic Data to download gin.diag.out..tar.gz, which contains the PCAPs of the tests as well as the log. It may take a few minutes to generate the file:

• gin.diag.out..bcwf.ocsp.pcap — Testing the Web Reputation Service with OCSP.
• gin.diag.out..bcwf.pcap — Testing the Web Reputation Service without OCSP.
• gin.diag.out..frs.ocsp.pcap — Testing the File Reputation Service with OCSP.
• gin.diag.out..frs.pcap — Testing the File Reputation Service without OCSP.
• gin.diag.out..log — Test log.

GIN Diagnostic Script

The gindiag.sh script gathers relevant information to assist in troubleshooting your GIN connection. When you run gindiag.sh, it conducts a series of tests on the NTP setup, the DNS settings, and the File Reputation Service (FRS) and Blue Coat WebFilter (BCWF) connections, both with and without OCSP validation. The PCAPs for those tests plus the log are archived in /tmp/gin.diag.out..tar.gz, where ID is a unique number for each time the script is run. You can analyze the PCAPs yourself or send them to Symantec Support.

[root@hostname ~] gindiag.sh
begin
ntp
dns
frs creds
bcwf creds
bcwf dir
frs test
bcwf test
shine log
end
collect files into archive:
-rw------- 1 root root 2922377 YYYY-MM-DD hh:ii gin.diag.out..bcwf.ocsp.pcap
-rw------- 1 root root 2774852 YYYY-MM-DD hh:ii gin.diag.out..bcwf.pcap
-rw------- 1 root root    7675 YYYY-MM-DD hh:ii gin.diag.out..frs.ocsp.pcap
-rw------- 1 root root   10241 YYYY-MM-DD hh:ii gin.diag.out..frs.pcap
-rw------- 1 root root 3440147 YYYY-MM-DD hh:ii gin.diag.out..log
Please submit /tmp/gin.diag.out..tar.gz


Symantec On-Demand Providers

Integrate Symantec Security Analytics with various other Symantec solutions to obtain additional threat intelligence or to enact policies on your endpoints.

Symantec Endpoint Protection

Symantec Endpoint Protection is designed to address today’s threat landscape with a comprehensive approach that spans the attack chain and provides defense in depth. By utilizing the world’s largest civilian threat-intelligence network, Symantec Endpoint Protection can effectively stop advanced threats with next-generation technologies that apply advanced machine-learning, file reputation analysis, and real-time behavioral monitoring.

Customers who have deployed Symantec Endpoint Protection (SEP) in their environment can configure Security Analytics to send actionable information to SEP directly from the Security Analytics web UI. To obtain SEP, contact Symantec. Also see Endpoint Providers.

Integrate Endpoint Protection Manager with Security Analytics

Follow these steps to integrate Security Analytics with Endpoint Protection.

Select Settings > Data Enrichment.
Under Symantec On-Demand Providers, click the edit icon for SEP.
Provide the Location (IP or hostname), Username, and Password for the Endpoint Protection Manager.
For Data Enrichment Actions, select one or more of the following options to provide on the web UI:

• List Infected Hosts — Display the endpoints that have received this file. Security Analytics sends the file hash to SEP, which returns the endpoints where the file resides.
• List Infected Host — Display the endpoint for this instance of the file. Security Analytics sends the source and destination IPs for this artifact to SEP, and then SEP returns the endpoint that has the file.
• Remediate File — Apply the remediation policy to all instances of the file on all endpoints that are managed by the Endpoint Protection Manager.
  o The remediation policy quarantines the file and adds the file hash to the File Fingerprint List on the Endpoint Protection Manager.
    ° You can view the File Fingerprint List by selecting Policies > Policy Components > File Fingerprint Lists.
    ° Entries in the File Fingerprint List that were added by Security Analytics can be deleted by selecting Clients > Policies > System Lockdown. Under Application File Lists, select an entry in the File Fingerprint List and click Remove.
  o In the Endpoint Protection Manager quarantine log, the Risk is listed as "Manually Generated Anomaly."
• Remediate File by IPs — Apply the remediation policy to all of the selected hosts with the same source and destination IPs. Security Analytics sends the source and destination IP addresses to SEP, and then SEP applies the remediation policy to all instances of the file that match the IPs.

Click Save.
Click the Deactivated icon to Activate the SEP integration.

Perform SEP Actions

On the Extractions page, expand an artifact.

Click the file name and then select Perform Action > SEP > [action].

When you select List Infected Host(s), the SEP manager queries all hosts, which then perform their own searches for the file hash. During that time, the request to SEP may time out. In that case, wait a few minutes and then repeat the request. Security Analytics will return the results from cache.

Security Analytics sends the information (source/destination IPs, file hash) to the SEP manager, which displays the requested information or performs the specified action.


Advanced Threat Protection (ATP)

Uncover the stealthiest threats that would otherwise evade detection by using global intelligence from one of the world’s largest cyber intelligence networks combined with local customer context. ATP provides a layered approach at the email, cloud, network, and endpoint levels. To obtain ATP, contact Symantec.

Integrate ATP Manager with Security Analytics

Follow these steps to integrate ATP with Security Analytics.

Select Settings > Data Enrichment.
Under Symantec On-Demand Providers, click the edit icon for ATP.
For Location enter the IP address or hostname of the ATP Manager and click Save.
Click the Deactivated icon to Activate the ATP integration.

Pivot to ATP

Follow these steps to use the ATP integration with reports or artifacts.

Reports

Open one of the following reports in a Summary View or on the Reports page:
• SHA256 Hash
• HTTP Server
• IPv4/IPv6 Addresses
Click one of the values in the report.
Select View Reputation Information > ATP.

Artifacts

On the Extractions page, expand an artifact.
Click one of the following fields:
• SHA256 Hash
• IPv4/IPv6 Addresses
• URI Host
Select View Reputation Information > ATP.


DeepSight Intelligence

Get a complete range of threat intelligence along with supporting research tools that encompass information on vulnerabilities, malware, indicators of compromise, campaigns, tactics/techniques/procedures, and adversary profiles. Symantec DeepSight provides you with a complete view of relevant threats and exposures. Managed Adversary and Threat Intelligence (MATI) research, Directed Threat Research (DTR), a full range of technical intelligence, and management mechanisms for Data feeds and the API are accessible via this customizable portal. A separate subscription from Symantec is required to access this resource.

Integrate DeepSight with Security Analytics

Follow these steps to integrate DeepSight with Security Analytics.

Select Settings > Data Enrichment.
Under Symantec On-Demand Providers, click the Deactivated icon to Activate the DeepSight integration.

Pivot to DeepSight

Follow these steps to use the DeepSight integration with reports or artifacts.

Reports

Open a Summary View or a Reports page. Click one of the following fields:

• DNS Answer Name
• DNS IPv4 Answer
• DNS IPv6 Answer
• DNS Query
• HTTP Server
• HTTP URI
• IPv4 Addresses
• IPv6 Addresses
• MD5 Hash
• Referrer
Select View Reputation Information > DeepSight.

Artifacts

On the Extractions page, expand an artifact. Click one of the following fields:
• IP Addresses
• MD5
• Referrer
• SHA256
• URI Host
Select View Reputation Information > DeepSight.


Symantec Analysis Providers

Malware Analysis

Symantec Malware Analysis provides comprehensive, cost-effective protection against unknown and advanced malware, malicious files, and zero-day threats. Malware Analysis is the key to enhanced malware-detection accuracy and faster, more complete protection for your workforce and your business.

The latest Malware Analysis documentation is located at the Symantec Support Center.

• Manually send URLs to Malware Analysis from an artifact's Original URL field, provided that the Malware Analysis entry on the Data Enrichment Settings page includes at least one iVM — Sandbox only is not supported for URLs.
• Files are sent to Malware Analysis under the following circumstances:
  ° The user manually submits an artifact to Malware Analysis from the artifact entry.
  ° The user has created a rule that sends specified files to Malware Analysis, and:
    . The FRS Prefilter (if enabled) does not exclude the file.
    . The data enrichment filter for Malware Analysis permits the file type.
• You can send details about EXE and DLL analyses to the Blue Coat Global Intelligence Network (GIN) to share with other users via GIN-based resources. Select Settings > Web Interface and select Enable Global Intelligence Network Feedback.

Install Malware Analysis

You can install one or more Malware Analysis appliances on your network. Malware Analysis provides the SandBox and virtual emulation environments that are necessary to evaluate potential malware. To set up a Malware Analysis appliance, follow these steps:

Follow the steps in the Quick Start Guide that was included with your Malware Analysis appliance to install the appliance and to set the IP address for the management interface.
Access the browser interface and follow the instructions in the wizard to install the requisite license keys.
Follow the instructions in the MAA Administration Guide to configure one or more VM profiles.


Beginning in Malware Analysis 4.2.x, you can configure default task settings for each environment (IntelliVM, SandBox, MobileVM), including iVM plugins such as ghost_user.py and spyeye.py. The default tasks are automatically applied to samples that Security Analytics sends to Malware Analysis. Consult the MA Administration Guide on the Symantec Support Site for instructions.

Integrate Malware Analysis with Security Analytics

To integrate Malware Analysis or Content Analysis 2.2 or later with Security Analytics you must generate an API key.

There is no password-backup option. Follow best key-maintenance practices by manually recording the password and its ID, and by keeping a copy in a secure location that is separate from the appliance.

Generate an API Key for the Malware Analysis Appliance

Follow these steps to generate an API key on a Malware Analysis appliance.

Log on to the Malware Analysis appliance with administrator credentials.
Select System Settings > Users.
Click the UID of an admin-level account.
• Under Add New API Key, specify an API key label (recommended: something related to the Security Analytics appliance that will use the key).
• Select administrator for API Key Access Level.
• Click Add New Key.
• Copy the key from the popup and save it temporarily to a text file. You cannot access this key again after you click away from the Malware Analysis appliance.

Generate an API Key for Content Analysis 2.2 or later, with On-Box Sandboxing

Follow these steps to configure the sandbox feature on a Malware Analysis appliance that has been upgraded to include Content Analysis 2.2, prior to integration with Security Analytics 7.3.2 or later.

Log in to the Content Analysis 2.2.x console with administrator credentials.
Enter enable mode and provide the enable password:

prompt> enable
Password:

Create an API key for use with Security Analytics:

prompt> ma-actions api-key create

where is one of the following:

• administrator
• super-analyst
• guest
• cloud-admin
• observer
• analyst
• sysconfig

Copy the generated API key to a text file and document the token ID for later API key management (deletion, regeneration).

Add the Malware Analysis Appliance to Security Analytics

Follow these steps to add a Malware Analysis appliance or a Malware Analysis appliance that has been upgraded to include Content Analysis.

Log on to Security Analytics with administrator credentials.
Select Settings > Data Enrichment.
Under Symantec Analysis Providers click Edit for Malware Analysis Appliance.

For Name, provide a name for the Malware Analysis appliance.
For Address, type the IP address of the appliance. Do not include http:// or https://.
• For a Content Analysis 2.2.x appliance, type the IP address and the TCP port that is used to access the administrative interface (default: 8082): :8082

For Username, type a label that will show ownership of the samples on Malware Analysis.
For API Key, paste the key that you copied from the Malware Analysis appliance.
Click Save. A Malware Analysis/profile pair is displayed.

Symantec recommends that you click the name of the Malware Analysis appliance and then click Test the Connection.

For that entry, select a profile. The values in the list are the profiles that are configured on the Malware Analysis appliance, for example, SandBox, Windows 7 SP2.

To send URLs to Malware Analysis (on-demand only), at least one of the profiles must be an iVM. If only the Sandbox profile is available, Malware Analysis cannot evaluate the URL.

Optional — Click Add a new Malware Analysis appliance/profile pair. A duplicate of the first entry is displayed. Do one of the following:

• Select a different profile for the Malware Analysis appliance.
• Click the name of the Malware Analysis appliance, select Connect to a new Malware Analysis appliance, and repeat the procedure to add the new Malware Analysis appliance.

If you have more than one Malware Analysis/profile pair, configure How should the profiles be queried?:

• In Parallel — Queries are sent to all of the Malware Analysis/profile pairs at the same time.
• Sequentially — Queries are sent to the Malware Analysis/profile pairs one at a time, beginning with the first pair.
  o When you add two or more Malware Analysis/profile pairs, you can set the conditions for sending the query to the next Malware Analysis/profile pair: If the result is [operator] [value] continue to [Malware Analysis/profile pair].
  o You can drag the Malware Analysis/profile pairs to change their order in the sequence.

Select FRS Prefilter to not send files to Malware Analysis if the File Reputation Service already has a verdict for that file. See FRS Prefilter for more information.

Only Adobe PDF, Archives, Debian Packages, Office Documents, and Programs and Libraries are sent to Malware Analysis. To change this setting, go to Data Enrichment Filters.


These file types require that the corresponding file-type filters be activated:
• APK — JAR Archives
• iOS — Archives and Binaries
• IPA — Archives

When you are ready to begin sending samples to Malware Analysis from Security Analytics, click the (inactive) control to activate the Malware Analysis appliance entry. Select Analyze > Rules and activate the Symantec Malware Analysis Service rule.

Samples that are submitted to multiple Malware Analysis/profile pairs are processed according to the following rules:

• A sample is sent one time to Malware Analysis, where it is processed in a separate task for each profile.
• For samples sent in parallel, Security Analytics sends the sample to the SandBox first (provided that the SandBox supports the file type); if the results indicate a suspicious sample, the sample is sent to the iVM profile(s). This measure prevents filling the iVM queues with innocuous samples.
• As soon as one profile returns a significant result, that result is returned to Security Analytics instead of waiting for all profiles to complete before sending a verdict.
• Malware Analysis automatically routes mobile samples (Android APK) to the MobileVM, regardless of which profiles are configured on Security Analytics.
• To see the health of the Malware Analysis connection, open the System Utilization window in the upper-right corner of the web UI.

Green — The connection is active.
Yellow — There is an alert condition on the Malware Analysis appliance.
Black — The connection is inactive.


Malware Analysis Alerts

Any verdict will be displayed as follows:

• In the Malware Analysis Verdict report and report widget. • On the Analyze > Alerts pages, if the verdict is 7 or higher.

o When Malware Analysis returns a verdict, the Malware icon is displayed with the alert. Click Reputation Report for an overview of the detonation results.

o Click Go to MAA to view the full detonation results on the Malware Analysis appliance.

Manually Send Samples

You can send individual artifacts to Malware Analysis from the Security Analytics interface.

Select Analyze > Extractions.
Select the timespan and apply any filters to display the artifact to send.
Expand the artifact entry.

Click the File Name field and select View Reputation Information > Malware Analysis. The file is sent to the Malware Analysis profiles that you configured on Settings > Data Enrichment. The results are displayed in a pop-up window.

Compressed-Archive Analysis

The Security Analytics extractor recognizes the archive types that are listed on Data Enrichment Filters in the Security Analytics 7.3.x Reference Guide on support.symantec.com, but it does not extract files from those archives and display them as artifacts on the Extractions page.


However, when an archive matches a Malware Analysis rule, the data-enrichment process extracts the files from the archive before sending them to Malware Analysis, according to the default Malware Analysis data-enrichment filter. The data-enrichment process handles archive extraction according to the default settings:

• Files are extracted two directory layers deep.
• The files inside archives that are larger than 500 MB are not extracted.
• Archived files that are larger than 100 MB are not extracted.
• Files with paths longer than 260 characters are not extracted.
• Only the first 100 files that do not exceed the size or path-length limits are extracted.
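The limits above, applied as an extraction policy over a nested ZIP, as an added example that is not Security Analytics code. It assumes that "two directory layers deep" means at most two directory components in a member's full path, handles only the ZIP format, and constructs its own sample archive; the thresholds are parameters so the test can trip them with small files.

```python
"""Archive-extraction policy for data-enrichment submissions (added example).

Not Security Analytics code. It applies the documented default limits
(two directory layers, archives over 500 MB not opened, members over 100 MB
skipped, paths over 260 characters skipped, at most 100 accepted files) while
walking a ZIP archive, including ZIPs nested inside it. Assumptions: "two
directory layers deep" is read as "at most two '/'-separated directory
components in the member's full path", and only ZIP is handled.
"""
import io
import zipfile

# Documented defaults of the Malware Analysis data-enrichment filter.
DEFAULT_LIMITS = {
    "max_archive_bytes": 500 * 1024 * 1024,  # archives larger than this are not opened
    "max_member_bytes": 100 * 1024 * 1024,   # members larger than this are skipped
    "max_path_chars": 260,                   # member paths longer than this are skipped
    "max_depth": 2,                          # directory layers (assumption, see above)
    "max_files": 100,                        # stop after this many accepted files
}


def select_members(archive_bytes, limits=None, _prefix="", _result=None):
    """Return (accepted, skipped) for an archive.

    accepted: (path, data) pairs that pass every limit, in archive order.
    skipped:  (path, reason) pairs, so an operator can see what was dropped and why.
    """
    limits = {**DEFAULT_LIMITS, **(limits or {})}
    accepted, skipped = _result if _result is not None else ([], [])
    label = _prefix.rstrip("/") or "<root>"

    if len(archive_bytes) > limits["max_archive_bytes"]:
        skipped.append((label, "archive exceeds max_archive_bytes"))
        return accepted, skipped
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive_bytes))
    except zipfile.BadZipFile:
        skipped.append((label, "not a valid ZIP archive"))
        return accepted, skipped

    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = _prefix + info.filename
            if len(path) > limits["max_path_chars"]:
                skipped.append((path, "path exceeds max_path_chars"))
                continue
            if path.count("/") > limits["max_depth"]:
                skipped.append((path, "path deeper than max_depth"))
                continue
            # The declared size is checked before decompressing, so an
            # oversized member is never inflated into memory.
            if info.file_size > limits["max_member_bytes"]:
                skipped.append((path, "member exceeds max_member_bytes"))
                continue
            data = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(data)):
                # Nested archive: descend; its members inherit this path as a layer.
                select_members(data, limits, path + "/", (accepted, skipped))
                continue
            if len(accepted) >= limits["max_files"]:
                skipped.append((path, "max_files reached"))
                continue
            accepted.append((path, data))
    return accepted, skipped


def make_zip(entries):
    """Build an in-memory ZIP from {path: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo():
    """Constructed sample: a nested archive that trips each limit (member limit lowered)."""
    inner = make_zip({"docs/report.pdf": b"%PDF-1.4 sample", "deep/a/b/c.exe": b"MZ"})
    outer = make_zip({
        "tool.exe": b"MZ sample",
        "notes.txt": b"x" * 2048,        # over the lowered member limit
        "l" * 300 + ".dll": b"MZ",       # path longer than 260 characters
        "inner.zip": inner,
    })
    return select_members(outer, {"max_member_bytes": 1024})


if __name__ == "__main__":
    accepted, skipped = demo()
    for path, _ in accepted:
        print("submit", path)
    for path, reason in skipped:
        print("skip  ", path, "-", reason)
```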

Content Analysis

Send ICAP-formatted data to Symantec Content Analysis.

Symantec Content Analysis integrates real-time blocking of advanced threats — through application white-listing, a variety of anti-malware technologies and static code analysis. Most importantly, where traditional sandboxing vendors are deployed passively on a network, Symantec Content Analysis delivers an integration environment that allows sandboxing from either Symantec or third-party vendors to be leveraged as an in-line and real-time inspection technology.

The latest Content Analysis documentation is located at the Symantec Support Center.

Files are sent to the ICAP provider under the following circumstances:
• The user manually submits an artifact to ICAP from the artifact entry.
• The user has created a rule that sends specified files to the ICAP provider and the data enrichment filter for ICAP permits the file type.

Configure Security Analytics for ICAP

Follow these steps to configure Security Analytics to send ICAP service objects to Content Analysis:

Select Settings > Data Enrichment.
Under Symantec Analysis Providers click Edit for the ICAP entry.
For Location specify the IP address and port number of the ICAP provider: :1344
Security Analytics does not support port 11344.
For Data Enrichment File Types, use the defaults as shown or customize the filter.

Activate the ICAP provider by clicking the (inactive) control to activate the ICAP entry. At this point you can use the ICAP provider for on-demand reputation lookups.

To automatically send ICAPs to the provider, follow the instructions to create a data-enrichment rule.

Manually Send ICAP Service Objects

You can send individual artifacts as ICAP service objects from the Security Analytics interface.

Select Analyze > Extractions.
Select the timespan and apply any filters to display the artifact to send.
Expand the artifact entry.

Click the File Name field and select View Reputation Information > ICAP. The file is sent to the ICAP provider that you configured on Settings > Data Enrichment. The results are displayed in a pop-up window.

Reputation Providers

Reputation providers supply threat intelligence on web sites, IP addresses, file hashes, and artifacts. You can access reputation information in one of two ways:

• On Demand
• Data Enrichment Alerts

Providers Activated by Default

As soon as you upgrade to or install Security Analytics, these providers are activated:

• Calculate and Store Hashes
• ClamAV®
• Custom Hash List
• Domain Age Reporter
• Google® Search
• Google Safe Browsing
• jsunpack-n
• RobTex® Host
• RobTex IP
• SANS ISC® Host
• SANS ISC IP
• SORBS DNSBL® Host
• SORBS DNSBL IP
• WHOIS Host
• WHOIS IP
• YARA


To disable any of these providers, select Settings > Data Enrichment and click the Activated icon.

Local File Analysis Providers

Local file analysis provides on-box analysis of extracted files without contacting external resources. These local providers have been separated out so that you can select each one for a data-enrichment rule, or you can get the on-demand reputation results shown in this table.

Local File Analysis Providers (columns: Provider, Service Provided, Artifact Fields: On-Demand Reputation)

Calculate and Store Hashes
  Service Provided: Calculate MD5, SHA1, and SHA256 hashes for files that match the rule and write them to the indexing database.
  Artifact Fields (On-Demand Reputation): n/a

ClamAV®
  Service Provided: File scanning for known viruses
  Artifact Fields (On-Demand Reputation): File Name

Custom Hash List
  Service Provided: Upload your own black and white hash lists.
  Artifact Fields (On-Demand Reputation): File Name*

jsunpack-n
  Service Provided: On-board analysis of JavaScript, PDF, HTML, and SWF files.
  Artifact Fields (On-Demand Reputation): Artifact Preview

YARA
  Service Provided: Helps detect live exploits before they are known to the Blue Coat Global Intelligence Network.
  Artifact Fields (On-Demand Reputation): File Name

* Because this provider requires hash types other than MD5, the artifact itself must be sent; therefore, the on-demand reputation is associated with the File Name field instead of the hash fields.

Third-Party On-Demand Reputation Providers

The following third-party sources provide on-demand reputation information. The Reports, Alerts List, and Artifact Fields columns show the fields for which the providers can give information:

Third-Party Reputation Providers (columns: Provider, Service Provided, Reports, Alerts List, Artifact Fields)

Domain Age Reporter
  Service Provided: The amount of time elapsed since the domain was first registered
  Reports: DNS Query, HTTP Server
  Alerts List: none
  Artifact Fields: URI Host

Google Safe Browsing
  Service Provided: URL validation
  Reports: HTTP URI
  Alerts List: none
  Artifact Fields: Original URL

Google® Search
  Service Provided: Pivot to Google search results for the item
  Reports: all
  Alerts List: IPv4 addresses, IPv6 addresses
  Artifact Fields: all

RobTex® Host
  Service Provided: Pivot to hostname-based reputation
  Reports: DNS Query, HTTP Server
  Alerts List: none
  Artifact Fields: URI Host

RobTex IP
  Service Provided: Pivot to IP-based reputation
  Reports: IPv4 addresses, IPv6 addresses
  Alerts List: IPv4 addresses, IPv6 addresses
  Artifact Fields: IPv4 addresses, IPv6 addresses

SANS ISC® Host
  Service Provided: Hostname lookups against known-bad hostnames
  Reports: DNS Query, HTTP Server
  Alerts List: none
  Artifact Fields: URI Host

SANS ISC IP
  Service Provided: IP lookups against known-bad IPs
  Reports: IPv4 addresses
  Alerts List: IPv4 addresses
  Artifact Fields: IPv4 addresses

SORBS DNSBL® Host
  Service Provided: DNS reputation
  Reports: DNS Query, HTTP Server
  Alerts List: none
  Artifact Fields: URI Host

SORBS DNSBL IP
  Service Provided: IP address reputation
  Reports: IPv4 addresses
  Alerts List: IPv4 addresses
  Artifact Fields: IPv4 addresses

WHOIS Host
  Service Provided: Domain registration information
  Reports: DNS Query, HTTP Server
  Alerts List: none
  Artifact Fields: URI Host

WHOIS IP
  Service Provided: IP address information
  Reports: IPv4 addresses
  Alerts List: IPv4 addresses
  Artifact Fields: IPv4 addresses

Activate Reputation Providers

The Third-Party On-Demand and Local File Analysis providers are activated by default. Other reputation providers must be licensed or activated or both.

Go to Settings > Data Enrichment.

For any reputation provider, click the inactive icon to activate the resource. Click Save.

After you click Save, approximately two minutes elapse before the changes take effect in the data-enrichment process.

On-Demand Reputation Queries

You have several means at your disposal to make on-demand reputation queries. A provider must be activated on Settings > Data Enrichment to be available in the reputation lists:

• Click an IP address in an alert entry and select View Reputation Information > [reputation service provider].
• Click an entry in any results lists (Reports, Extractions, Geolocation) and select View Reputation Information > [reputation service provider].
• Click a field in the artifact details and select View Reputation Information > [reputation service provider].
• Expand an item in the Extractions list, and then click Reputation to show all reputation information for all fields.

Third-Party Integration Providers

Symantec Security Analytics supports the following third-party integration providers. Also see Enrichment Providers.

Licensing and installation of these services is the responsibility of the user.

These providers can be selected for a data-enrichment rule, or you can get the on-demand reputation results on the Extractions page, as shown in this table.


Third-Party Integration Providers (columns: Provider, Service, Artifact Fields: On-Demand Reputation)

Pivot
  Service: see pivot_only_provider (description not legible in the source)
  Artifact Fields (On-Demand Reputation): Fuzzy, URL, IP, Hostname

Cuckoo
  Service: Send extracted files to a Cuckoo® sandbox for detonation. The default port number is 8090. Only version 0.6 and later is supported by Security Analytics 7.1.x and later. The file api.py must be run on the server side. See the Cuckoo documentation for more information. The Cuckoo response is written to /var/log/messages, where you can find the link to the Cuckoo report.
  Artifact Fields (On-Demand Reputation): File Name

FireEye
  Service: Send extracted files to your FireEye® Malware Analysis System, AX-series solution for detonation. For more information, visit http://www.fireeye.com/products-and-solutions/malware-analysis.html Also see Specify Which FireEye Profile to Use.
  Artifact Fields (On-Demand Reputation): File Name

FTP File Mover
  Service: Send extracted files to a remote server via FTP.
  Artifact Fields (On-Demand Reputation): n/a

Lastline® File
  Service: Send extracted files to Lastline's cloud-based sandbox for malware analysis. For more information, visit https://www.lastline.com/platform/integrations/blue-coat-security-analytics-platform
  Artifact Fields (On-Demand Reputation): File Name

[Lastline Hash]
  Service: Send MD5 file hashes to Lastline to check against known-bad hashes. (Change the Category for Lastline File to hash.)
  Artifact Fields (On-Demand Reputation): MD5

Local File Mover
  Service: Write files to a local directory on the Security Analytics appliance.
  Artifact Fields (On-Demand Reputation): n/a

Titanium Scale
  Service: Send extracted files to your ReversingLabs® TitaniumScale® server.
  Artifact Fields (On-Demand Reputation): File Name

SCP File Mover
  Service: Send extracted files to a remote server via SCP. You must also set up SSH authentication on the remote server.
  Artifact Fields (On-Demand Reputation): n/a

VirusTotal® File
  Service: Send extracted files to VirusTotal for malware analysis. For more information, visit https://www.virustotal.com/en/documentation/
  Artifact Fields (On-Demand Reputation): File Name

VirusTotal Hash
  Service: Send MD5 file hashes to VirusTotal to check against known-bad files.
  Artifact Fields (On-Demand Reputation): MD5

VirusTotal URL
  Service: Send URLs to VirusTotal to check against known-bad URLs.
  Artifact Fields (On-Demand Reputation): Original URL, Referrer, HTTP URI (Report)

Activate Integration Providers

• When you create a new Integration Provider, it is automatically activated, as shown by the green Activated icon.
• To activate an inactive Integration Provider, click the red Deactivated icon.

Configure Integration Providers

You may configure as many entries for each provider type as you wish. For example, if you have three FTP servers, you can configure three FTP entries and then specify which servers will receive the extracted data in the data-enrichment rule.

Select Settings > Data Enrichment.
Under Integration Providers, click edit for the desired entry or click New.
Specify or edit the Name and add a Description, as desired.
Select the Type of provider.
Select the Category, as provided, to specify which field supports the reputation lookup:

• Hash (MD5)
• SHA1
• SHA256
• Host
• IP
• URL

Supply the information for the provider type:

• Cuckoo — Provide the Location (hostname or IP address). If you are upgrading from Security Analytics 7.1.x, specify port 8090 (:8090) or use dsportmapping to change the port to 8090.
• FireEye — Provide the Location (hostname or IP address) and account credentials. Optionally, see Specify Which FireEye Profile to Use.
• FTP File Mover — Provide the Location (hostname or IP address), account credentials, target directory, and FTP mode.
  o Before sending files to the FTP server, Security Analytics renames the files to avoid conflicts. The new filename is the MD5 hash of [artifact time, source IP/port, destination IP/port, MD5 file hash]. Select Preserve Original Filename to append the original filename to the new name: _
• Lastline — Provide the Token and Location for your account.
• Local File Mover — Provide the Directory. Take care not to overfill system directories or performance may be severely degraded.
• Pivot — Enter the URL of the resource as http://%{TOKEN} or https://%{TOKEN}. The %{TOKEN} string will be automatically replaced by the value to search. If the %{TOKEN} string cannot be at the end of the URL, enclose the entire URL in double quotation marks: "http://"%{TOKEN}"" For examples see scm pivot_only_provider in the Security Analytics 7.3.x Reference Guide on support.symantec.com.
• SCP File Mover — First, you must set up SSH authentication on the remote server and then provide the Location (hostname or IP address), Username of the , and target Directory.
• TitaniumScale — Provide the Location.
• VirusTotal — Provide the account Key.

See Data Enrichment Filter to see how to specify which file types to send to the provider.
Click Save.
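The %{TOKEN} substitution the Pivot provider performs, as an added example that is not Security Analytics code. It pairs each Category from the dialog with a shape check of this example's own and percent-encodes the value before substitution, so a value lifted from traffic (a Referrer or URI Host) cannot rewrite the path or query of the pivot URL; only the plain template form is modelled, and the host name in the usage is a constructed example.

```python
"""Build a Pivot provider URL from a %{TOKEN} template (added example).

Not Security Analytics code. The substitution itself is what the page
describes; the per-category validation and the percent-encoding are this
example's own hardening choices. The double-quoted template form is not
modelled here.
"""
import ipaddress
import re
from urllib.parse import quote

TOKEN = "%{TOKEN}"


def _is_hex(length):
    pattern = re.compile(r"^[0-9a-fA-F]{%d}$" % length)
    return lambda value: bool(pattern.match(value))


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _is_host(value):
    # Dotted labels of letters, digits and hyphens, 253 characters or fewer.
    return bool(re.match(r"^(?=.{1,253}$)[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$", value))


# Category names as offered in the Integration Provider dialog; the validator
# chosen for each category is this example's own.
VALIDATORS = {
    "Hash (MD5)": _is_hex(32),
    "SHA1": _is_hex(40),
    "SHA256": _is_hex(64),
    "Host": _is_host,
    "IP": _is_ip,
    "URL": lambda value: value.lower().startswith(("http://", "https://")),
}


def is_valid(category, value):
    """True when value has the shape expected for the configured Category."""
    return VALIDATORS[category](value)


def build_pivot_url(template, category, value):
    """Return the pivot URL; raise ValueError on a bad template or value."""
    if TOKEN not in template:
        raise ValueError("pivot template must contain " + TOKEN)
    if not is_valid(category, value):
        raise ValueError("%r is not a valid %s value" % (value, category))
    # Encode everything, including '/', '?', '&' and '#', so the value can only
    # ever land inside the single URL component that holds %{TOKEN}.
    return template.replace(TOKEN, quote(value, safe=""))


if __name__ == "__main__":
    # Constructed template; example.invalid is a reserved name, not a real service.
    print(build_pivot_url("https://example.invalid/lookup/%{TOKEN}",
                          "Hash (MD5)", "d41d8cd98f00b204e9800998ecf8427e"))
```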


Specify Which FireEye Profile to Use

FireEye integration requires that SCP enable the diffie-hellman-group1-sha1 key-exchange algorithm for this integration provider only. That algorithm uses a 1024-bit group that OpenSSH disables by default because it is considered weak; enable it only for the FireEye host (for example, through a Host-specific KexAlgorithms entry in the SSH client configuration), never for the whole client.

Follow these instructions to specify which profile to use when sending a file to a FireEye AX-series server.

Log in to the FireEye console and run this command:

malware analyze sandbox url file:/file guestos ?

The list of available guest operating systems (profiles) is displayed. Make a note of the exact name of the guest OS.

On Security Analytics, open the ax_malware_analyze.sh script for editing:

[root@hostname ~] vi /opt/tonic/share/ax_malware_analyze.sh

Locate this line — around line 186 — and edit it as shown:

send "malware analyze sandbox url file:/$filename guestos force\r"

Save and close the script, and then restart data-enrichment and related services:

scotus stop
scotus start

Endpoint Providers

Symantec SEP Integration

You can integrate the functionality of Symantec SEP with Symantec Security Analytics.

Rule-Based Endpoint Providers

Security Analytics can provide endpoint information to external endpoint-analysis providers such as EnCase® Cybersecurity by Guidance® Software. Using a Security Analytics Web API, endpoint analysis providers can retrieve source and destination IPs, source and destination ports, and the timespan for selected alerts. With this information, the provider can conduct its own endpoint investigations.

It is the responsibility of the user to license and install third-party endpoint analysis solutions.

Enable endpoint analysis support on the New/Edit Rule dialog by selecting the Endpoint Providers check box.


Custom Hash List

• The Custom Hash List is an UnQLite embedded NoSQL database.
• The list accepts MD5, SHA1, and SHA256 hashes.
• Hashes must be designated as either "white" (known good) or "black" (known bad).
• The hash lists are stored here:
  o /var/lib/solera/meta/local_hash_repo_md5.unq
  o /var/lib/solera/meta/local_hash_repo_sha1.unq
  o /var/lib/solera/meta/local_hash_repo_sha256.unq
• Both black and white hashes for each type of hash are contained in the same UNQ file.
• On a fresh install or upgrade from Security Analytics 7.1.x or earlier, the UNQ files do not exist; the Custom Hash List is empty until the user adds hashes to it.
• When a blacklist hash matches a file, the verdict is 10; a whitelist hash currently produces no score.

Add Hashes to the Custom Hash List

The lhr_flat_to_qdb command converts flat files of hashes (one hash per line) into database format. Only one kind of hash can be present in each file: do not attempt to use a file that contains both MD5 and SHA1 hashes, for example.

syntax

lhr_flat_to_qdb -[5|1|2] -[b|w] -f [-d] [-v]

parameters

-5, --md5 Process file as MD5 hashes

-1, --sha1 Process file as SHA1 hashes

-2, --sha256 Process file as SHA256 hashes

-b, --black Add hashes to blacklist

-w, --white Add hashes to whitelist

-f, --file= Read hashes from

-o, --output= Write database files with prefix

-d, --debug Turn debug logging on


-v, --verbose Turn verbose logging on

-n, --noexec Perform a dry run; do not read or write files

-h, --help Display usage and help info

ld library path

lhr_flat_to_qdb requires access to the SO files in /usr/local/share/tonic/plugins.

examples

LD_LIBRARY_PATH=/usr/local/share/tonic/plugins /usr/local/bin/lhr_flat_to_qdb --verbose --sha1 --black --file=sha1_blacklist.txt

Uploads the SHA1 hashes in sha1_blacklist.txt to /var/lib/solera/meta/local_hash_repo_sha1.unq, marks them as blacklist hashes, and enables verbose logging.

LD_LIBRARY_PATH=/usr/local/share/tonic/plugins /usr/local/bin/lhr_flat_to_qdb -5 -w -n -f md5_hashes.txt

Shows the results of uploading md5_hashes.txt to /var/lib/solera/meta/local_hash_repo_md5.unq and marking them as whitelist hashes, but without performing the operation.

LD_LIBRARY_PATH=/usr/local/share/tonic/plugins /usr/local/bin/lhr_flat_to_qdb -2 -b -d -f sha256_blacklist.txt -w -f sha256_whitelist.txt

Uploads the SHA256 hashes in sha256_blacklist.txt as black hashes and sha256_whitelist.txt as white hashes to /var/lib/solera/meta/local_hash_repo_sha256.unq and enables debug messages.

Create a Flat File of Hashes

Follow these steps to create flat files of hash lists from files that are on a Linux or Unix system. Use md5sum, sha1sum, or sha256sum to match the hash type you intend to load, and keep each output file to a single hash type.

list of files

sum | awk '{ print $1; }' >

all files in current directory

sum -b * | awk '{ print $1; }' >

example

On a Unix server you have a directory /malware_files that contains 21 known-bad PDFs. To save their SHA256 hashes as sha256-bad.txt, run this command from inside /malware_files:

sha256sum -b * | awk '{print $1; }' > sha256-bad.txt

With sha256-bad.txt copied to the root user's home directory on the Security Analytics appliance, add the hashes to the Custom Hash Database:

[root@hostname ~]# LD_LIBRARY_PATH=/opt/tonic/lib /opt/tonic/bin/lhr_flat_to_qdb -2 -b -v -f sha256-bad.txt
hash type: sha256
hash color: black
input filename: sha256-bad.txt
db file prefix: /var/lib/solera/meta/local_hash_repo
processing sha256 black-list file sha256-bad.txt ...
21 sha256 entries added to black-list
[root@hostname ~]# cd /var/lib/solera/meta/
[root@hostname meta]# ls
domain_users  flows  groups  groups_journal  local_hash_repo_sha256.unq  lost+found  packets  prelerts  rules  space_table_journal_v3  space_table_journal_v3.backup  verdicts  verdicts_journal
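The same flat-file preparation as an added Python example (not code from the guide or from the appliance), including the check the guide calls out but the shell one-liners do not enforce: a list must contain exactly one hash type before it is handed to lhr_flat_to_qdb with -5, -1 or -2. The sample files it hashes are constructed in a temporary directory, and the function names are this example's own.

```python
import hashlib
import os
import re
import tempfile

# Added example, not part of the Security Analytics guide: prepare the flat
# hash files that lhr_flat_to_qdb reads and confirm each file contains only
# one kind of hash before picking -5 (MD5), -1 (SHA1) or -2 (SHA256).

HEX_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}   # hex chars per digest
HEX_RE = re.compile(r"^[0-9a-f]+$")


def hash_file(path, algo, chunk_size=1 << 20):
    """Lowercase hex digest of one file, read in chunks so a large sample
    does not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def write_flat_list(directory, algo, out_path):
    """Equivalent of `sha256sum -b * | awk '{print $1}' > out` for the files
    directly under directory: one digest per line, sorted, duplicates
    removed. Returns the number of digests written."""
    if algo not in HEX_LENGTHS:
        raise ValueError("unsupported hash type: %s" % algo)
    digests = set()
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            digests.add(hash_file(path, algo))
    with open(out_path, "w") as out:
        for digest in sorted(digests):
            out.write(digest + "\n")
    return len(digests)


def flat_list_type_from_lines(lines):
    """Return 'md5', 'sha1' or 'sha256' when every non-blank line is a hex
    digest of one length; raise ValueError for a malformed or mixed list,
    which lhr_flat_to_qdb must never be given."""
    lengths = set()
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip().lower()
        if not line:
            continue
        if not HEX_RE.match(line):
            raise ValueError("line %d is not a hex digest: %r" % (lineno, line))
        lengths.add(len(line))
    if not lengths:
        raise ValueError("empty hash list")
    if len(lengths) > 1:
        raise ValueError("mixed hash types (digest lengths %s)" % sorted(lengths))
    length = lengths.pop()
    for algo, n in HEX_LENGTHS.items():
        if n == length:
            return algo
    raise ValueError("digest length %d is not MD5, SHA1 or SHA256" % length)


def flat_list_type(path):
    """File-based wrapper around flat_list_type_from_lines."""
    with open(path) as fh:
        return flat_list_type_from_lines(fh)


def build_sample_directory():
    """Constructed stand-in for the guide's /malware_files: three small
    files, two with identical content, in a fresh temporary directory."""
    directory = tempfile.mkdtemp(prefix="malware_files-")
    for name, content in (("a.pdf", b"hello\n"), ("b.pdf", b"hello\n"),
                          ("c.pdf", b"world\n")):
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(content)
    return directory


if __name__ == "__main__":
    sample = build_sample_directory()
    listing = sample + "-sha256-bad.txt"
    print(write_flat_list(sample, "sha256", listing), "digests written to", listing)
    print("hash type:", flat_list_type(listing))
```

Run flat_list_type on a list before loading it; a list that mixes digest lengths is rejected outright rather than being loaded under the wrong -5/-1/-2 flag.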

YARA Rules

YARA rules (v. 3.2.0) can help detect live exploits before they are known to the Blue Coat Global Intelligence Network (GIN). YARA rule hits are displayed as follows:

• On the Alerts pages when the score is 7 or higher
• In the Local File Analysis report
• In the reputation information for individual artifacts

Activate YARA Rules The YARA analysis provider and its corresponding rule (Local File Analysis - Live Exploits) are enabled by default.

Enable the YARA Analysis Provider

Follow these steps to edit the provider: Select Settings > Data Enrichment. Under Local File Analysis Providers you can

• Enable or disable YARA.
• Edit the per-provider data enrichment filter.

Take care when creating rules that use the YARA provider. Only one YARA task runs at a time. If the rules engine sends excessive artifacts to the YARA provider, the verdict may take too long to be returned. Furthermore, when the YARA queue is full, new requests are dropped.

Enable the YARA Rule

Do one of the following:

• Select Analyze > Rules and enable or disable the Local File Analysis - Live Exploits rule.
• Create or edit a data-enrichment rule and select YARA in the Send to field.

The Live Exploits Indicator The Local File Analysis - Live Exploits indicator, which is used by the Local File Analysis - Live Exploits rule, specifies multiple mime_type= values and then specifies uri_risk_verdict=5 (Unrated). The uri_risk_verdict filter is included to prevent overloading the YARA rules engine: only activity from unrated URLs is analyzed. The local copy of the Web Reputation Service database provides the uri_risk_verdict attribute.

The uri_risk_verdict attribute is available only with an Intelligence Services license.

Customize YARA Rules

You can customize your YARA rules by following these steps:

Select Settings > Data Enrichment, scroll down to the YARA File Manager section, and click Download to download the current file: rules.yar.

• Alternatively, you can open the YARA rules file: /usr/share/solera/yara_rules/rules.yar.

Use a text editor to add, delete, or modify YARA rules, as desired.

Avoid writing overly complicated rules: If a rule takes longer than two seconds to process, the process is terminated.

Specify meta information to generate alerts for YARA hits. The risk_score attribute specifies the lowest score for which alerts are generated. Because the system threshold for alerts is 7, user-defined rules should specify 7 or higher:

{
    meta:
        author = "MyOrganization"
        risk_score =
    strings:
    condition:
}

Save the file, and then on the web UI click Upload to upload the new file to the appliance. If you are editing the file directly, you must restart the data-enrichment service:

systemctl restart tonicd

To test the new rule set, open the Extractions page, expand an artifact entry, and then click Reputation. YARA rules should return a result.


To restore the YARA file to its default, click Restore.
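Because a rule without a risk_score of at least 7 silently never reaches the Alerts page, it is worth linting rules.yar before uploading it. The following is an added example (not code from the guide, the appliance, or the YARA project) that scans a rules file for the meta blocks and reports rules that would never alert. The rule names and strings in SAMPLE_RULES are constructed for the example; point rule_risk_scores at the contents of your own rules.yar.

```python
import re

# Added example, not code from the Security Analytics guide or from YARA: a
# lint pass over rules.yar that lists rules whose meta block lacks a
# risk_score of at least the appliance's alert threshold (7), since hits
# from such rules never reach the Alerts page. SAMPLE_RULES is constructed.

ALERT_THRESHOLD = 7

RULE_START_RE = re.compile(r"\brule\s+([A-Za-z_][A-Za-z0-9_]*)\s*(?::[^{]*)?\{")
META_RE = re.compile(r"\bmeta\s*:(.*?)(?=\b(?:strings|condition)\s*:)", re.S)
RISK_RE = re.compile(r'\brisk_score\s*=\s*"?(-?\d+)"?')


def rule_blocks(text):
    """Yield (name, body) for each rule in a rules file. Braces are balanced
    while skipping quoted strings and comments, so a hex string such as
    { 4D 5A } or a brace inside a meta string does not end the rule early."""
    pos = 0
    while True:
        m = RULE_START_RE.search(text, pos)
        if not m:
            return
        i, depth, n = m.end(), 1, len(text)
        while i < n and depth:
            c = text[i]
            if c == '"':                          # quoted string, with escapes
                i += 1
                while i < n and text[i] != '"':
                    i += 2 if text[i] == "\\" else 1
            elif text.startswith("//", i):        # line comment
                nl = text.find("\n", i)
                i = n if nl < 0 else nl
            elif text.startswith("/*", i):        # block comment
                end = text.find("*/", i + 2)
                i = n if end < 0 else end + 1
            elif c == "{":
                depth += 1
            elif c == "}":
                depth -= 1
            i += 1
        yield m.group(1), text[m.end():i - 1]
        pos = i


def rule_risk_scores(text):
    """Map each rule name to its integer risk_score, or None if absent."""
    scores = {}
    for name, body in rule_blocks(text):
        meta = META_RE.search(body)
        risk = RISK_RE.search(meta.group(1)) if meta else None
        scores[name] = int(risk.group(1)) if risk else None
    return scores


def rules_below_alert_threshold(text, threshold=ALERT_THRESHOLD):
    """Names of rules whose hits would never be scored high enough to alert."""
    return sorted(name for name, score in rule_risk_scores(text).items()
                  if score is None or score < threshold)


SAMPLE_RULES = r'''
rule mz_header_no_score
{
    meta:
        author = "MyOrganization"
    strings:
        $mz = { 4D 5A }
    condition:
        $mz at 0
}

rule js_eval_unescape : exploit
{
    meta:
        author = "MyOrganization"
        risk_score = 8
        description = "braces { inside strings } must not confuse the scanner"
    strings:
        $a = "eval(unescape(" nocase
    condition:
        $a
}

rule low_confidence
{
    meta:
        author = "MyOrganization"
        risk_score = 3   // below the alert threshold of 7
    strings:
        $s = "AutoOpen"
    condition:
        $s
}
'''

if __name__ == "__main__":
    for name, score in rule_risk_scores(SAMPLE_RULES).items():
        print("%-22s risk_score=%s" % (name, score))
    print("would never alert:", rules_below_alert_threshold(SAMPLE_RULES))
```

The scanner balances braces itself rather than splitting on `}` because YARA hex strings and meta strings legitimately contain braces; a naive split would truncate the second rule above and mis-attribute its risk_score.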

Login Correlation

The Login Correlation Service (LCS) for Microsoft® Active Directory® associates network activity with Microsoft AD domain users. The LCS sends the following information to Symantec Security Analytics:

• Username
• IP address (as found in the domain server's DHCP log)
• Login time
• Authentication method

How the LCS Works

The LCS has two components:

• LCS agent — Detects user logons and logoffs and creates an IP-to-username correlation. Resides on a DC.
• adlistener-d — A Linux daemon that adds the correlation information to the Indexing DB, from which the User Name report is generated. Resides on Security Analytics.

The LCS agent parses the logon/logoff events of a DC's security logs. Specifically, it monitors the logs for these event IDs:

• 4624 — An account was successfully logged on.
• 4634 — An account was logged off. After detecting this event ID, the LCS agent sends a WMI query to the workstation to verify whether the user has actually logged off.

The LCS agent extracts the following information from those events:

• User Name
• Domain
• Logon ID
• Logon Type
• Workstation Name
• Source Network Address
• Source Port
• Time
• Date

The LCS agent correlates User Name with Source Network Address and sends the pairings to adlistener-d over port 8843, which adds the information to the Indexing DB.
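The correlation the agent performs is easier to reason about in code, so the following added example (a model written for this page, not the LCS agent's own code) replays constructed 4624/4634 records through an IP-to-user table. It keeps the two behaviours the guide describes: a 4634 only removes a mapping when the WMI check answers that the user is gone (no answer means "not logged off"), and a user who never logged off gracefully is inferred gone when a different user appears at the same address. The logon-type set, the skipping of local addresses, and the wmi_logged_off callback shape are this example's assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Added example, not the LCS agent's own code: a model of the correlation
# described above, replayed over constructed 4624/4634 records. Field names
# follow the list in the guide; the logon-type set, the skipping of local
# addresses and the WMI callback shape are this example's assumptions.

# Logon types that place a user at the address in the event (assumption:
# 2 interactive, 10 remote interactive, 11 cached interactive).
WORKSTATION_LOGON_TYPES = {2, 10, 11}
LOCAL_ADDRESSES = {"-", "", "127.0.0.1", "::1"}


@dataclass
class LogonEvent:
    event_id: int            # 4624 logon, 4634 logoff
    time: str
    user: str
    domain: str
    logon_id: str
    logon_type: int
    workstation: str = ""    # 4634 records identify the session by Logon ID
    source_ip: str = "-"
    source_port: int = 0


class LoginCorrelator:
    """Keeps the IP-to-user table the agent sends to adlistener-d.

    wmi_logged_off(workstation) stands in for the remote WMI query made
    after a 4634: True = user gone, False = still logged on, None = no reply,
    which the guide says must be treated as not logged off."""

    def __init__(self, wmi_logged_off: Callable[[str], Optional[bool]]):
        self.wmi_logged_off = wmi_logged_off
        self.by_ip: Dict[str, Tuple[str, str, str]] = {}    # ip -> (user, logon_id, workstation)
        self.by_logon_id: Dict[str, str] = {}               # logon_id -> ip
        self.history: List[Tuple[str, str, str, str]] = []  # (action, ip, user, time)

    def feed(self, ev: LogonEvent) -> None:
        if ev.event_id == 4624:
            self._logon(ev)
        elif ev.event_id == 4634:
            self._logoff(ev)

    def _logon(self, ev: LogonEvent) -> None:
        if ev.logon_type not in WORKSTATION_LOGON_TYPES or ev.source_ip in LOCAL_ADDRESSES:
            return
        user = "%s\\%s" % (ev.domain, ev.user)
        previous = self.by_ip.get(ev.source_ip)
        if previous:
            self.by_logon_id.pop(previous[1], None)
            if previous[0] != user:
                # No 4634 arrived for the earlier user (an ungraceful logoff
                # writes no event); a new user at the same address implies it.
                self.history.append(("inferred-logoff", ev.source_ip, previous[0], ev.time))
        self.by_ip[ev.source_ip] = (user, ev.logon_id, ev.workstation)
        self.by_logon_id[ev.logon_id] = ev.source_ip
        self.history.append(("logon", ev.source_ip, user, ev.time))

    def _logoff(self, ev: LogonEvent) -> None:
        ip = self.by_logon_id.get(ev.logon_id)
        if ip is None:
            return                                 # session was never mapped
        user, _, workstation = self.by_ip[ip]
        if self.wmi_logged_off(workstation) is not True:
            return                                 # still logged on, or no answer
        del self.by_ip[ip]
        del self.by_logon_id[ev.logon_id]
        self.history.append(("logoff", ip, user, ev.time))

    def current(self) -> Dict[str, str]:
        """ip -> DOMAIN\\user for the sessions believed to be active."""
        return {ip: rec[0] for ip, rec in self.by_ip.items()}


# Constructed sample events; not real log data.
SAMPLE_EVENTS = [
    LogonEvent(4624, "08:00:00", "alice", "CORP", "0x1a2b", 2, "WS-01", "10.1.1.20", 49152),
    LogonEvent(4624, "08:00:05", "svc_backup", "CORP", "0x1a2c", 5, "DC-01", "-", 0),
    LogonEvent(4634, "09:00:00", "alice", "CORP", "0x1a2b", 2),
    LogonEvent(4624, "09:05:00", "bob", "CORP", "0x2b3c", 10, "WS-02", "10.1.1.30", 50000),
    LogonEvent(4634, "09:30:00", "bob", "CORP", "0x2b3c", 10),
    LogonEvent(4624, "10:00:00", "carol", "CORP", "0x3c4d", 2, "WS-02", "10.1.1.30", 50001),
]


def run_sample() -> LoginCorrelator:
    """Replay SAMPLE_EVENTS: WS-01 confirms the logoff over WMI, WS-02 never
    answers, so bob stays mapped until carol appears at the same address."""
    answers = {"WS-01": True, "WS-02": None}
    corr = LoginCorrelator(lambda workstation: answers.get(workstation))
    for ev in SAMPLE_EVENTS:
        corr.feed(ev)
    return corr


if __name__ == "__main__":
    result = run_sample()
    for entry in result.history:
        print(entry)
    print("active:", result.current())
```

Note that a 4634 record carries no network address, which is why the logoff is matched by Logon ID rather than by IP; a mapping that is never closed (the WS-02 case above) is exactly the stale pairing the guide warns about.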

Requirements • .NET Framework 3.5 or later • Windows Server 2008 DC or Windows Server 2012 DC


Configure the DC

For every Active Directory DC that you want to monitor for logon events, perform these steps:

Configure the Advanced Audit Policy Setting

User logon information is stored in security logs on the DC. The LCS derives its information from these logs. To capture logon events, the DC's advanced audit policy must be configured to audit successful logon and logoff events. To configure an advanced domain login audit policy setting, follow these steps:

Log on to the DC as a member of the local administrators group. Select Start > Administrative Tools > Group Policy Management. In the console tree, double-click your forest, e.g., Forest: soleranetworks.com. Double-click Domains, and then double-click the domain, e.g., solera.com. Right-click Default Domain Policy, and then click Edit. Open the following items in this order:

a. Computer Configuration
b. Policies
c. Windows Settings
d. Security Settings
e. Advanced Audit Policy Configuration
f. System Audit Policies
g. Logon/Logoff
h. Logon

Select the Configure the following audit events check box, select the Success check box, and then click OK.

Set Logoff to Success as well.

Configure the Group Policy to Enable WMI Access to a Remote Machine

• The LCS uses remote WMI queries to verify whether a domain user is logged off. If a domain workstation does not respond to a WMI query, then the LCS regards the user as not logged off.
• If the user does not log off gracefully, Windows does not generate an event log; therefore, the LCS does not detect the event. This missed event can sometimes be inferred when a user logs on later to a workstation with the same IP address.

Select Administrative Tools > Group Policy Management > Group Policy Objects > Default Domain Policy.


In both the standard and domain profiles, select Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall and enable the Allow inbound remote administration exception.

Update the Group Policy Settings Select Start > All Programs > Accessories, right-click Command Prompt, and click Run as administrator. If the User Account Control dialog box is displayed, confirm that the action it shows is what you want, and then click Yes.

Type gpupdate and press Enter.

Verify That the Audit Policy Settings Were Applied Correctly

Type auditpol.exe /get /category:"Logon/Logoff" and press Enter.

C:\Windows\system32>auditpol /get /category:"Logon/Logoff"
System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Logon                                   Success
  Logoff                                  Success
  Account Lockout                         Success
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           Success
  Other Logon/Logoff Events               No Auditing
  Network Policy Server                   Success and Failure

Verify that the setting for both Logon and Logoff is Success.

Install the LCS Agent

Select Settings > Data Enrichment. Click Download Version [x] of the Login Correlation Service Installation File and save DSLoginCorrelation.exe to your workstation.

• Only one LCS agent is required per domain.
• You must install the LCS agent on the domain controller.

Run DSLoginCorrelation.exe on the target machine and follow the prompts to install it. DSLoginCorrelation.exe installs the following:

• The LCS agent


• A GUI application to configure the LCS

The installation process requires a system restart to complete.

Launch SOLERA NETWORKS > Login Correlation Service. On the welcome page click Next. On the Select Installation Folder page, specify the folder and click Next. The LCS agent begins to install. When the Set Service Login dialog is displayed, specify credentials to authenticate to the LCS agent. Use the following format:

• Local user — \
• Domain user — \

The specified account must be a domain administrator account or an account that has permission to read DC security event logs and execute WMI queries. An account granted only those two permissions is preferable to a domain administrator, since the credentials are stored on the DC for the service.

On the Installation Complete page, click Close.

Configure the LCS Agent

Launch Login Correlation Service and click Connect. No DCs are listed yet. Click Add, and then click Add again.

In the Domain Controllers section:
• For Domain Name, type the name of a DC, e.g., ad.bluecoat.com.
• For Domain IP, type the IP of the DC.
• For Login Name and Password, type the name and password of the administrator account for the DC.
• Click Apply.

In the DeepSee Appliances section:
• Click Add.
• For Appliance IP, type the IP address of Security Analytics.
• For Login Name and Password, type the name and password of the root account.
• Click Apply.

Optional — If Security Analytics requires a client certificate, select the Use Client Certificate check box.

The agent stores both the DC administrator and the appliance root credentials, so protect the DC and the agent's configuration as carefully as the appliance itself.


Client authentication occurs when the adlistener-d service on the appliance requests a certificate from the LCS agent during the SSL handshake; an LCS agent cannot initiate a request to be authenticated.

Click Import SSL Certificate and upload a PEM-format certificate that will permit the LCS agent to access the appliance. Select File > View > Read-Only Tree View to see a hierarchical view of the DCs and appliances.

Import DCs and Appliances from a CSV File

You can import multiple DCs and Security Analytics appliances from a CSV file. The file holds passwords in clear text, so restrict access to it and delete it after the import.

Syntax for DCs

DomainController-IP,username,password

example

192.168.5.55,administrator,
192.168.6.55,administrator,
192.168.7.75,administrator,

Syntax for Security Analytics

Appliance-IP,username,password,SSL_agent_certificate_path

example

192.168.1.20,root,
192.168.2.219,root,,F:\shares\certificates\adl-cacert.pem
192.168.2.25,root,

Enable LCS on the Appliance

Select Settings > Security on the web interface. Scroll down to Login Correlation Service. Do one of the following:

• Select the Allow All Agent IPs check box. With this setting enabled, the login events from all LCS agents will be accepted by this Security Analytics appliance.
• To specify which LCS agent events to accept, clear the Allow All Agent IPs check box.
  o For Server, type the address of an LCS agent.
  o Optional — Click add another agent IP for additional LCS agents.

On Settings > Security click Configure Firewall.

A default rule permits all Login Correlation traffic (port 8843) from all IPs. Create more firewall rules as desired. Because any host that can reach port 8843 and pass agent authentication can submit username-to-IP pairings, restricting both the agent list and the firewall rule to your DC addresses is the safer configuration. Click Save.

View LCS Activity

From the CLI

Log on to the appliance via the CLI as root and execute the following command:

ps aux | grep adl

The output should list the adlistener-d process.

In the Log File

The log file DomainLogonWatcher.log is created in the application data folder on the machine where the LCS agent resides: C:\Users\\AppData\Roaming\Solera Networks\. The file has a maximum size of 100 MB.

The \AppData\ directory is hidden by default.

Login Correlation Service activity appears similar to the following:

Domain Admin Account

4/12/2013 8:02:33 PM Updated configuration will be applied to domain :
4/23/2013 8:02:33 PM Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
4/23/2013 8:02:33 PM Trying to authenticate at appliance 10.1.1.149
4/23/2013 8:02:33 PM AcknowledgeReceiverThread started for ip 10.1.1.149
4/23/2013 8:02:33 PM Authenticated to ADListner 10.1.1.149
4/23/2013 8:02:33 PM Adding domain controller : 10.1.1.150
4/23/2013 8:02:33 PM Adding domain controller : 10.1.1.151

In this sample the agent records RemoteCertificateNameMismatch and RemoteCertificateChainErrors for the appliance certificate and still authenticates, so those two lines by themselves do not mean the connection failed; they do mean the appliance certificate was not validated against a trusted chain.

Non-Admin Account

4/23/2013 6:11:06 PM Updated configuration will be applied to domain :
4/23/2013 6:11:08 PM trying to connect to domain controller [ 10.1.1.151 ]
4/23/2013 6:11:08 PM Exception received while connecting to Domain Controller : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
4/23/2013 6:11:11 PM Exception received while connecting to Domain Controller : Access denied
4/23/2013 6:11:18 PM trying to connect to domain controller [ 10.1.1.151 ]
4/23/2013 6:11:18 PM Exception received while connecting to Domain Controller : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
4/23/2013 6:11:21 PM trying to connect to domain controller [ 10.1.1.150 ]

On the Web Interface

To see AD user names in the web interface, do one of the following:

• On a Summary view, add the User Name widget.
• On the Analyze > Reports page, select the Social Persona > User Name report. Add user_name= to the primary filter and run the IPv[x] Initiator report to see the user's IP address.


File Names Sent to Providers When Security Analytics sends the actual file (rather than a file hash) to data enrichment providers, the name of the file may be altered, according to the provider and its settings. The alteration is made to distinguish among identically named files that are captured at different times, from different sources, and that may have different contents.

Default Extractor Filename

By default the extractor assigns each artifact a new name, which includes the hostname of the appliance that captured the artifact, the date and time that the artifact was captured, and the MD5 hash of the file itself. As the example shows, the name is made up of the appliance hostname, the capture timestamp with its UTC offset, the source IP and port, the destination IP and port, and the MD5, joined by underscores (IP and port joined by a hyphen), followed by the original file extension.

example

For the file 2017-executive-report.pdf, the default extractor filename might be:

SA-0324_2017-11-03T03:32:29-0700_10.0.0.10-8080_172.16.5.11-80_edc26aac26b6eb93c20e2bf4db77f5f9.pdf

Security Analytics sends artifacts with the default extractor filename to these providers:

• Cuckoo
• FireEye AX-series
• Lastline
• VirusTotal File

Other File Names These providers do not receive artifacts with the default extractor filename.

Malware Analysis The filename that Security Analytics sends to the Malware Analysis appliance differs depending on which process sends the artifact.

Real-Time Extraction

When traffic matches a Malware Analysis rule, Security Analytics sends a byte stream that has a title, which is the original file name. The title is derived from each protocol according to its packet headers: for example, FTP specifies a file name, emails have attachment filenames, HTTP specifies the file name in the URI or the POST content.

examples

pdfcreator-1.3.2-en.win.exe
watch_as3-vflGW0leG.swf
2017-executive-report.pdf


Manual Reputation Request In an artifact entry on the Extractions page, click the file name and then select View Reputation Information > Malware Analysis. The name of the artifact is the default extractor filename.

In Malware Analysis you can further edit the Label of any sample (file) that you send from Security Analytics.

FTP Mover

The FTP Mover settings include the Preserve Original Filename option. As the examples show:

• Enabled — The original filename is appended to the generated name after a double underscore.
• Disabled — The generated name is used, followed only by the original file extension.

examples

For the file 2017-executive-report.pdf, the filenames might be:

• Enabled — 1476834423.12753__10.1.1.10_172.16.5.11__2017-executive-report.pdf
• Disabled — 1476834423.12753__10.1.1.10_172.16.5.11.pdf
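When a sandbox verdict or a file delivered by the FTP Mover has to be mapped back to the flow that produced it, the filename is the only link. The following added example (written for this page, not code from the guide or the appliance) parses both layouts shown above into their fields. The patterns are this example's reading of the guide's own examples; the FTP Mover layout is assumed to carry IPv4 addresses.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Added example, not code from the guide: parsers for the two filename
# layouts shown above, so that a sandbox verdict or a file landed by the FTP
# Mover can be tied back to the flow that produced it. The patterns are this
# example's reading of the guide's examples; the FTP Mover layout is assumed
# to carry IPv4 addresses.

EXTRACTOR_RE = re.compile(
    r"^(?P<host>[^_]+)"                                        # appliance hostname
    r"_(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{4})"   # capture time + UTC offset
    r"_(?P<src>[^_]+)-(?P<sport>\d+)"                          # source IP-port
    r"_(?P<dst>[^_]+)-(?P<dport>\d+)"                          # destination IP-port
    r"_(?P<md5>[0-9a-fA-F]{32})"                               # MD5 of the file
    r"(?:\.(?P<ext>[^.]+))?$"                                  # original extension
)

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
FTP_MOVER_RE = re.compile(
    r"^(?P<epoch>\d+\.\d+)__(?P<src>" + IPV4 + r")_(?P<dst>" + IPV4 + r")"
    r"(?:__(?P<orig>.+)|\.(?P<ext>[^.]+))?$"
)


def parse_extractor_filename(name: str) -> Optional[dict]:
    """Fields of a default extractor filename, or None if it does not follow
    the layout. 'captured' is an aware datetime keeping the file's offset."""
    m = EXTRACTOR_RE.match(name)
    if not m:
        return None
    f = m.groupdict()
    return {
        "host": f["host"],
        "captured": datetime.strptime(f["ts"], "%Y-%m-%dT%H:%M:%S%z"),
        "src": f["src"], "sport": int(f["sport"]),
        "dst": f["dst"], "dport": int(f["dport"]),
        "md5": f["md5"].lower(),
        "ext": f["ext"],
    }


def parse_ftp_mover_filename(name: str) -> Optional[dict]:
    """Fields of an FTP Mover filename. 'original' is set only when Preserve
    Original Filename was enabled; 'ext' is filled either way."""
    m = FTP_MOVER_RE.match(name)
    if not m:
        return None
    f = m.groupdict()
    ext = f["ext"]
    if f["orig"] and "." in f["orig"]:
        ext = f["orig"].rsplit(".", 1)[1]
    return {
        "artifact_time": datetime.fromtimestamp(float(f["epoch"]), tz=timezone.utc),
        "src": f["src"], "dst":  f["dst"],
        "original": f["orig"],
        "ext": ext,
    }


if __name__ == "__main__":
    print(parse_extractor_filename(
        "SA-0324_2017-11-03T03:32:29-0700_10.0.0.10-8080_172.16.5.11-80_"
        "edc26aac26b6eb93c20e2bf4db77f5f9.pdf"))
    print(parse_ftp_mover_filename(
        "1476834423.12753__10.1.1.10_172.16.5.11__2017-executive-report.pdf"))
    print(parse_ftp_mover_filename("1476834423.12753__10.1.1.10_172.16.5.11.pdf"))
```

The extractor timestamp is parsed as an aware datetime so that results from appliances in different time zones sort correctly once converted to UTC; the MD5 is lower-cased so it can be compared directly with hashes from the Custom Hash List or a provider report.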


Rules Use rules to trigger a process on any packet flow that matches one or more indicators. The rule types on Symantec Security Analytics are:

• Alert — Matching traffic triggers an alert.
• Data Enrichment — Matching traffic is submitted to additional resources for analysis.
• Dynamic Filter — The first few packets of matching traffic are written to the capture and indexing drives, then all subsequent matching flows are excluded from the drives for a specified interval.
• PCAP Export — Matching traffic is saved as a PCAP to an external server.
• IPFIX Export — Matching traffic is sent to an external IPFIX collector.
• None — Matching traffic triggers a remote notification without producing an alert.

Rules Activated by Default As soon as you upgrade to or install Security Analytics 7.3.x, these rules are applied to all incoming traffic:

• Alert - Heartbleed Attack Attempt — Alerts on traffic that matches the tls_heartbeat_attack_attempt indicator
• Alert - Non-Standard SSH — Alerts on traffic that matches application_id=ssh AND tcp_responder!=22
• Local File Analysis - Live Exploits — Applies YARA rules to traffic that matches the Local File Analysis indicator

Activate and Deactivate Rules

The rule is displayed in the Analyze > Rules list. The green icon indicates that the rule is active.

Click the green icon to deactivate the rule.

Prepare to Create a Rule

If you intend to use the open parser in a rule, follow the instructions on the Open Parser page.

The following rule types require prior setup:

• Alert — Optional — Set up the SMTP server on Settings > Communication > Server Settings to send alerts via email.
• Data Enrichment — Enrichment providers such as Intelligence Services and Malware Analysis must be configured and activated on Settings > Data Enrichment.
• Dynamic Filter — Create one or more indicators to specify which types of flows to exclude.
• PCAP Export — Configure a directory (mount point) on an external server where the PCAPs will be sent.
• IPFIX Export — Deploy an IPFIX collector on your network. The IPFIX files that Security Analytics produces are IPFIX (NetFlow) v.10-formatted.

Create a New Rule

Select Analyze > Rules and click New. For Name, specify a unique name for the rule. For First Event, specify one or more indicators or create new indicators.

The rules engine cannot detect values for attributes that are in the verdicts or groups namespaces. Those values are produced by data-enrichment processes, which populate the Indexing DB after the data has passed through the rules engine. Attributes in the packets namespace (such as SCADA reports) are also not supported by the rules engine, with the exception of packet_length.

Do you want to add more events?

• No — Skip to Step 5.
• Yes — Will you be using the open parser?
  o Yes — You cannot use multiple events. Go to Open Parser.
  o No — Continue the procedure.

Click Add Second Event. For Then Within, specify the amount of time that monitoring for the second event will take place, after the first event has occurred.

For Second Event, specify one indicator. Optional — Click Add Condition. Specify which attribute of the first event should match/not match the second event. You may add as many as four conditions, each of which must be unique.


Optional — Click Add Third Event, specify the timespan, one indicator, and as many as four conditions.

For Type, select the rule type and click the corresponding link for instructions on completing the rule:

• Alert
• Data Enrichment
• Dynamic Filter
• PCAP Export
• IPFIX Export
• None
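The multi-event rule semantics above (a first indicator, a Then Within window, a second indicator, and up to four match/not-match conditions tying the two flows together) are shown here as an added example written for this page; it is not the appliance's rules engine. It parses the indicator syntax the guide uses for the default Alert - Non-Standard SSH rule (attribute=value terms joined by AND, != for exclusion) and evaluates a hypothetical two-event rule over constructed flow records. The flow records and the attribute names other than application_id and tcp_responder are assumptions.

```python
import re
from typing import Dict, List, Sequence, Tuple

# Added example, not the appliance's rules engine: an evaluator for the
# indicator syntax the guide shows (attribute=value terms joined by AND,
# != for exclusion) and for a two-event rule with a Then Within window and
# match/not-match conditions. The flow records and attribute names other
# than application_id and tcp_responder are constructed for this example.

Flow = Dict[str, object]
Term = Tuple[str, str, str]          # (attribute, "=" or "!=", value)

TERM_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*(!=|=)\s*(\S+)\s*$")


def parse_indicator(expr: str) -> List[Term]:
    """'application_id=ssh AND tcp_responder!=22' -> [(attr, op, value), ...]"""
    terms = []
    for part in re.split(r"\s+AND\s+", expr.strip()):
        m = TERM_RE.match(part)
        if not m:
            raise ValueError("bad indicator term: %r" % part)
        terms.append((m.group(1), m.group(2), m.group(3)))
    return terms


def matches(terms: Sequence[Term], flow: Flow) -> bool:
    """Every term must hold. A missing attribute never satisfies '=' and
    always satisfies '!=' (it is not the excluded value)."""
    for attr, op, value in terms:
        actual = flow.get(attr)
        equal = actual is not None and str(actual) == value
        if (op == "=") != equal:
            return False
    return True


class TwoEventRule:
    """First event, then a second event within `then_within` seconds of it,
    with up to four (attribute, must_match) conditions between the two."""

    def __init__(self, name, first, then_within, second, conditions=()):
        attrs = [a for a, _ in conditions]
        if len(attrs) > 4 or len(set(attrs)) != len(attrs):
            raise ValueError("at most four conditions, each on a distinct attribute")
        self.name = name
        self.first = parse_indicator(first)
        self.second = parse_indicator(second)
        self.then_within = then_within
        self.conditions = list(conditions)

    def _conditions_hold(self, a: Flow, b: Flow) -> bool:
        return all((a.get(attr) == b.get(attr)) == must_match
                   for attr, must_match in self.conditions)

    def evaluate(self, flows: Sequence[Flow]) -> List[Tuple[Flow, Flow]]:
        """Return (first, second) flow pairs; flows are ordered by 'ts'."""
        ordered = sorted(flows, key=lambda f: f["ts"])
        hits = []
        for i, a in enumerate(ordered):
            if not matches(self.first, a):
                continue
            for b in ordered[i + 1:]:
                if b["ts"] - a["ts"] > self.then_within:
                    break                   # outside the Then Within window
                if matches(self.second, b) and self._conditions_hold(a, b):
                    hits.append((a, b))
        return hits


# Constructed flow records (ts in seconds); not captured data.
SAMPLE_FLOWS = [
    {"ts": 0,   "ipv4_initiator": "10.1.1.20", "ipv4_responder": "203.0.113.5", "application_id": "ssh", "tcp_responder": 22},
    {"ts": 10,  "ipv4_initiator": "10.1.1.20", "ipv4_responder": "203.0.113.9", "application_id": "ssh", "tcp_responder": 2222},
    {"ts": 40,  "ipv4_initiator": "10.1.1.20", "ipv4_responder": "203.0.113.9", "application_id": "ftp", "tcp_responder": 21},
    {"ts": 45,  "ipv4_initiator": "10.1.1.30", "ipv4_responder": "203.0.113.9", "application_id": "ftp", "tcp_responder": 21},
    {"ts": 400, "ipv4_initiator": "10.1.1.20", "ipv4_responder": "203.0.113.9", "application_id": "ftp", "tcp_responder": 21},
]

# The default Alert - Non-Standard SSH indicator, as written in the guide.
NON_STANDARD_SSH = "application_id=ssh AND tcp_responder!=22"


def non_standard_ssh_hits(flows=SAMPLE_FLOWS) -> List[Flow]:
    terms = parse_indicator(NON_STANDARD_SSH)
    return [f for f in flows if matches(terms, f)]


def ssh_then_ftp_rule() -> TwoEventRule:
    """Hypothetical rule: odd-port SSH, then FTP from the same initiator
    within five minutes."""
    return TwoEventRule("Non-standard SSH then FTP", NON_STANDARD_SSH, 300,
                        "application_id=ftp", conditions=[("ipv4_initiator", True)])


if __name__ == "__main__":
    print("non-standard SSH:", [f["ts"] for f in non_standard_ssh_hits()])
    for a, b in ssh_then_ftp_rule().evaluate(SAMPLE_FLOWS):
        print("two-event hit: first ts=%s, second ts=%s" % (a["ts"], b["ts"]))
```

The flow at ts=45 fails the ipv4_initiator must-match condition and the one at ts=400 falls outside the 300-second window, so only the ts=10/ts=40 pair fires; this is the behaviour to expect from the Then Within and Add Condition settings in the rule dialog.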

Alert Rule This type of rule posts alerts and sends remote notifications for matching traffic but takes no further action.

• Email Frequency — Optional — Specify how often email alerts are sent (15 minutes, hour, day, and week). You must also select SMTP for Remote Notifications and set up an SMTP server on Settings > Communication to receive email alerts.
• Importance — Select the importance level.

If you change the importance level of an alert, you must deactivate then activate the rule for the change to take effect.

• Shared — Optional — Select to make the rule viewable by everyone who has access to this appliance. After you set this attribute, you cannot change it.
• Remote Notifications — Optional — Select one or more remote-notification types. You may select the default template or configure a template on Settings > Communication > Templates. If you have not already done so, configure the appropriate server(s).
  o SMTP — Optional — Specify email accounts to receive the alert notifications. If you specify no email accounts, the Default Email Address on the Settings > Communication > Server Settings page will be used.
• Endpoint Providers — Optional — Select to send endpoint data to endpoint analysis providers.
• Click Save.


Data-Enrichment Rule This type of rule sends data to one or more enrichment providers and posts an alert if the score is 7 or higher.

• Send to — Select one or more enrichment providers. The options for this field are derived from the items on the Data Enrichment Settings page.
  o You can select a provider that is not active or licensed, but the rule will not produce a result for that provider until the provider is activated.
  o The importance level (critical, warning, notice) is determined by the score that the provider returns.
• Shared — Optional — Select to make the rule available to everyone who has access to this appliance. After you set this attribute, you cannot change it.
• Remote Notifications — Optional — Select one or more remote-notification types. You may select the default template or configure a template on Settings > Communication > Templates. If you have not already done so, configure the appropriate server(s).
  o SMTP — Optional — Specify email accounts to receive the alert notifications. If you specify no email accounts, the Default Email Address on the Settings > Communication > Server Settings page will be used.
• Endpoint Providers — Optional — Select to send endpoint data to external endpoint analysis providers.
• Click Save.

• When using data enrichment, it is recommended that you create capture filters for all capture interfaces to exclude traffic to and from eth0 (!ifname eth0); otherwise, you will capture duplicate traffic as the artifact is exported from the Security Analytics appliance to the external resource.
• Consult Security Analytics Ports and Protocols to configure your network firewalls for data-enrichment traffic.

Dynamic Filter See Dynamic Filters for an explanation of this rule type. Before creating a dynamic filter rule, review Guidelines for Creating Dynamic Filters.

• To see which protocols and applications are supported for indicators, go to Recognized Applications in the Security Analytics 7.3.x Reference Guide on support.symantec.com and download the XLSX or CSV file.
• Use the dynfilter command to manage the dynamic filters. See the Security Analytics 7.3.x Reference Guide on support.symantec.com.
• Select at least one attribute from the 5-tuple that Security Analytics uses to identify a flow. Symantec recommends that you use IP protocol and IP responder only:
  o IP/port initiator — Selecting the initiator port can add significant workload to the system.
  o IP/port responder
  o IP protocol (TCP or UDP)
• Filter Duration in Seconds — Specify the number of seconds to apply this rule before disengaging the rule.
• Shared — Optional — Select to make the rule viewable by everyone who has access to this appliance. After you set this attribute, you cannot change it.
• Click Save.

When network traffic matches the event(s), the system creates a capture filter using the selected attributes and applies it for the specified interval. An alert is not produced for this type of rule, but the Audit Log will show when the rule is applied.

PCAP Export Rule

This type of rule converts matching flows to PCAP or PCAPNG files and exports them to an external server.

• Server — Select an existing mount point on an external server or click the Manage Connections icon to configure a new mount point.
• PCAPNG — Select to export in PCAPNG format.
• Shared — Optional — Select to make the rule viewable by everyone who has access to this appliance. After you set this attribute, you cannot change it.
• Remote Notifications — Optional — Select one or more remote-notification types. You may select the default template or configure a template on Settings > Communication > Templates. If you have not already done so, configure the appropriate server(s).
  o SMTP — Optional — Specify email accounts to receive the alert notifications. If you specify no email accounts, the Default Email Address on the Settings > Communication > Server Settings page will be used.
• Click Save.

When network traffic matches the events, the entire flow is exported to the specified directory as a PCAP(NG) file. The file will be named ///.pcap(ng)

IPFIX Export Rule

This type of rule converts matching flows to IPFIX v.10 and exports them to an external IPFIX server. It is the responsibility of the user to deploy an IPFIX server that supports v.10 formatting.

• IPFIX Server IP — Specify the IP address or hostname of the IPFIX collector.
• IPFIX Server Port — Specify the port number that the IPFIX collector uses.
• Shared — Optional — Select to make the rule viewable to everyone who has access to this appliance. After you set this attribute, you cannot change it.
• Remote Notifications — Optional — Select one or more remote-notification types. You may select the default template or configure a template on Settings > Communication > Templates. If you have not already done so, configure the appropriate server(s).
  o SMTP — Optional — Specify email accounts to receive the alert notifications. If you specify no email accounts, the Default Email Address on the Settings > Communication > Server Settings page will be used.
• Click Save.

When network traffic matches the indicator(s), the entire flow is exported to the external IPFIX collector.

"None" Rule This type of rule can be used to send remote notifications of matching traffic without producing an alert.

• Shared — Optional — Select to make the rule viewable to everyone who has access to this appliance. After you set this attribute, you cannot change it.
• Remote Notifications — Optional — Select one or more remote-notification types. You may select the default template or configure a template on Settings > Communication > Templates. If you have not already done so, configure the appropriate server(s).

o SMTP — Optional — Specify email accounts to receive the alert notifications. If you specify no email accounts, the Default Email Address on the Settings > Communication > Server Settings page will be used.
• Click Save.


Alerts

The Alerts Management Dashboard is the default landing page. From there you can easily access the Alerts Summary and Alerts List.

Alert Management

The Alerts List provides alert management and data visibility.

• Assign alerts to specific users
• Assign a state to each alert to track the investigation
• Delete alerts individually or across a selected timespan
• Add responder IP addresses to the Exclude from Lookup list.
• When the alerts table exceeds 100,000 rows, the deletion algorithm removes Closed alerts first.

1 Alert check box.
• To toggle between Select All and Clear All, press Shift Alt *
o To expand selected alerts press Shift Alt +
o To collapse selected alerts press Shift Alt –

2 Select All check box. This check box controls only the alerts on the current page.

3 Importance level:
• Critical
• Warning
• Notice

4 Name of the rule that produced the alert

5 Name of the indicator that matched the flow; click to view or edit the indicator.

6 Layers 2–4 Flow Data — Ethernet and IP addresses, port numbers, and the system-assigned flow ID. Click a responder IP address to view the geolocation, get a reputation report, or select Whitelist IP for URL Reputation to add it to the Exclude from Lookup list on Settings > Data Enrichment. Adding the IP to the Exclude from Lookup list does not delete alerts that have already been posted.

7 Time when the alert was posted

8 Start time for the flow that contains the alert. This value is affected by reindexing and by retaining timestamps for a PCAP import.

9 Modified on/Modified time — Time at which the most recent child alert was posted

10 Alert State — Select the alert's check box, select Actions > Set State, and select [Unassigned | Assigned | In progress | On hold | Resolved | Closed]

11 Alert Owner — Select the alert's check box, select Actions > Set Owner, and select a user account.
• Users in this list have Analyze > Rules permissions.
o On a CMC, the users must have remote group permissions for the sensor; users on the sensor are not displayed on the CMC.
• To change an alert's owner, a user must have Settings > Users and Groups > User Names permissions.

12 Actions menu. For some actions, you have the option to apply the action to:
• all alerts that meet the filter criteria
• only the alerts with the check box selected

13 View Report Summary — Click to view the flow in the default Summary View

14 View Artifacts — Click to extract the artifacts in this flow


Data Enrichment Alerts

Data enrichment alerts are generated by data-enrichment rules that you explicitly configure and enable on Analyze > Rules.

Blue Coat Web Reputation Service Alerts

Blue Coat Web Reputation Service alerts are available with an Intelligence Services subscription. Contact Symantec Support for more information.

To activate Web Reputation Service alerts:

Select Settings > Data Enrichment.

Under Blue Coat Intelligence Services, click the icon to activate Blue Coat Web Reputation Service.

Select Analyze > Rules and click the icon to activate the Blue Coat Web Reputation Service rule. This rule sends all URLs with a url_risk_verdict equal to or higher than 5 (unknown) to the Web Reputation Service. You may edit the indicators for this rule and also specify the Web Reputation Service as a provider for other data enrichment rules, either existing or user-defined.

In addition to the basic alert, a Web Reputation Service alert includes child alerts for the parent:

1 Parent alert — Contains all of the information in the basic alert. Double-click the parent to toggle between expanding and collapsing the child alerts.

2 Child alert — Only the parent alert is counted in the tally. All child alerts come from the same flow.

3 Alert type: URL

4 Risk score, as returned by the Web Reputation Service

5 Number of child alerts for the parent

6 Whether the verdict was retrieved from cache. Run scm db clear_redis tonic to clear the verdict cache.

7 Time when the child alert was posted

8 Reputation Report — Click to see verdict details

9 URL that triggered the alert

10 Enrichment provider that returned the verdict

Blue Coat File Reputation Service Alerts

Blue Coat File Reputation Service alerts are available with an Intelligence Services subscription. Contact Symantec Support for more information.

To activate File Reputation Service alerts:

Select Settings > Data Enrichment.

Under Blue Coat Intelligence Services, click the icon to activate Blue Coat File Reputation Service.

Select Analyze > Rules and click the icon to activate the Blue Coat File Reputation Service rule. This rule sends all files that match the filters in the Blue Coat File Reputation Service Presented File Extensions, Blue Coat File Reputation Service File Types, and Blue Coat File Reputation Service Presented MIME Types indicators to the File Reputation Service. You may edit the indicators for this rule and also specify the File Reputation Service as a provider for other data enrichment rules, either existing or user-defined.

When an artifact matches the indicators, the artifact is extracted, the SHA256, SHA1, and MD5 hash values are written to the Indexing DB, and an entry is displayed on the Alerts pages.


In addition to the basic alert, a File Reputation Service alert includes child alerts for the parent:

1 Parent alert — Contains all of the information in the basic alert. Double-click the parent to toggle between expanding and collapsing the child alert.

2 Child alert — Only the parent alert is counted in the tally. All child alerts come from the same flow.

3 Alert type: File

4 Risk score, as returned by the File Reputation Service

5 Number of child alerts for the parent

6 Whether the verdict was retrieved from cache. Run scm db clear_redis tonic to clear the verdict cache.

7 Time when the child alert was posted

8 Reputation Report — Click to see verdict details

9 MD5 hash plus file name of artifact that triggered the alert

10 Enrichment provider that returned the verdict


Symantec Malware Analysis Alerts

Symantec Malware Analysis alerts are available if you have a Symantec Malware Analysis appliance. Contact Symantec Support for more information.

To activate Malware Analysis alerts:

Integrate your Malware Analysis appliance with Security Analytics by following these instructions. When you are ready to begin sending samples to Malware Analysis, select Settings > Data Enrichment.

Under Symantec Analysis Providers, click the icon to activate the Malware Analysis Appliance.

Select Analyze > Rules and click the icon to activate the Symantec Malware Analysis Service rule. This rule sends all files that match the filters in the Blue Coat File Reputation Service Presented File Extensions, Blue Coat File Reputation Service File Types, and Blue Coat File Reputation Service Presented MIME Types indicators to Malware Analysis.


Because the Malware Analysis and File Reputation Service rules have the same default indicators, enabling both rules at the same time will produce duplicate alerts. Symantec recommends that you do one of the following:
• Select the FRS Prefilter option when configuring the Malware Analysis provider, and then enable only the Malware Analysis rule.
• Enable only one of the rules at a time.
• Edit the indicators so that each rule detects mutually exclusive traffic or artifacts.

You may edit the indicators for this rule and also specify Malware Analysis as a provider for other data enrichment rules, either existing or user-defined.

The FRS Prefilter option — enabled by default — has a substantial effect on Malware Analysis alerts and reports by returning FRS verdicts for known artifacts and then sending only the unknown artifacts to the Malware Analysis appliance.

In addition to the basic alert, a Malware Analysis alert includes child alerts for the parent:

1 Parent alert — Contains all of the information in the basic alert. Double-click the parent to toggle between expanding and collapsing the child alert.

2 Child alert — Only the parent alert is counted in the tally. All child alerts come from the same flow.

3 Alert type: Malware

4 Risk score, as returned by a Malware Analysis appliance

5 Number of child alerts for the parent

6 Whether the verdict was retrieved from cache. Run scm db clear_redis tonic to clear the verdict cache.

7 Time when the child alert was posted

8 Reputation Report — Click to see verdict details.

9 Go to MAA — Click to open the task page on the Malware Analysis appliance.

10 MD5 hash plus file name of artifact that triggered the alert

11 Enrichment provider that returned the verdict


Extractions

Symantec Security Analytics extracts and reconstructs most common file types so that you can see accurate copies of the images, web pages, and documents that have been transported across your LAN. Reconstructed files are called "artifacts." Security Analytics performs two types of extractions:

• Manual — When the user selects Analyze > Summary > Extractions.
• Real Time — When a Data Enrichment rule registers a hit.

Artifact Extraction

The protocol is detected by the DPI engine and then sent to the extractor, which uses the appropriate carver to extract and reconstruct the artifacts.

Protocol Carvers

Specialized protocol carvers extract artifacts from these Application Layer protocols:

• File Transfer Carver
o AIM Transfer
o IRC Transfer
o Jabber Transfer
o PalTalk Transfer
o Tencent (QQ) Transfer
o Yahoo YMSG Transfer
• FTP Carver
o FTP
o FTP Data
• HTTP Carver
o HTTP
• HTTP2 Carver
o HTTP2
• Mail Carver
o IMAP
o POP3
o SMTP
• Messaging Carver
o AIM
o AIM Express
o Badoo
o eBuddy
o Facebook
o Gmail Chat
o IRC
o Jabber
o PalTalk
o Second Life
o Teamspeak
o Yahoo Messenger
o Yahoo Web Messenger
• SMB Carver
o SMB
• Telnet Carver
o Telnet
• TFTP Carver
o TFTP
• VoIP Carver
o MGCP
o RTP
o SIP

Signature-Based Extraction

If an application does not have a protocol carver, the extractor performs a Foremost signature scan to determine how to extract artifacts from the protocols (except on protocols in the Encrypted application group). This secondary scan is performed only when all of the following are true:

• Enable signature-based extraction is enabled on Settings > System (default=enabled).
• A flow matches a rule that includes the indicator application_id=unknown.
• The protocol is in /etc/solera/meta/metapocrypha.json under "signature_carving_protocols".

This carver can extract artifacts from the following protocols, listed by Application Group. You can add any recognized application_id to the "signature_carving_protocols" list.

• Application Service Group
o DICT
o LDAP
o MQ
o Perforce
o SRVLOC
o syslog
o XFS
• Audio/Video Group
o Baofeng
o Fring
o MMS
o NicoNico Douga
o Octoshape
o P2P Streaming
o PPTV Streaming
o Q.931
o SCCP
o Spotify
o TVAnts
o UUSee
o Yahoo Messenger Conference
• Authentication Group
o DIAMETER
o IDENT
o Kerberos 5
o TACACS+
• Behavioral Group
o SPID
• Database Group
o DRDA
o MobileLink DB
o My SQL
o PostgreSQL
o SQLI
o TDS
o TNS
• ERP Group
o SAP
• File Server Group
o CFT
o Quantum DXi
• File Transfer Group
o iRODS
• Forum Group
o NNTP
• Game Group
o Battle.net
o CounterStrike
o Destiny
o Eve Online
o Lineage 2
o RuneScape
o Steam
• Group
o BeeTalk
o chatON
o Feiliao
o Gadu-Gadu
o Kakao Talk
o Lotus Sametime
o M+ Messenger
o MXit.DOM
o OICQ
o QQ (Tencent) IM
o Softros Messenger
o Teamspeakv3
o Touch
o WeChat
o WhatsApp
• Mail Group
o Lotus Notes
• Microsoft Office Group
o Groove
• Middleware Group
o DCERPC
o GIOP
• Network Management Group
o IPERF
• Network Service Group
o COTP
o CVS
o DNS
o ECHO
o ISCSI
o NBNS
o NCP
o NDMP
o RTMP
o SNPP
o SVN
o T.38
o WHOIS
o WINS
• Peer to Peer Group
o ADC
o AppleJuice
o Ares
o BitTorrent
o DirectConnect
o eDonkey
o Filetopia
o GNUnet
o GNUtella
o iMesh
o LUKE
o Manolito
o MUTE
o QQ (Tencent) Music
o Share
o SLSK
o Thunder
o WinMX
o WinNY
• Printer Group
o LPR
• Routing Group
o BGP
• Terminal Group
o RLOGIN
o RSH
• Thin Client Group
o Go to Device
o Go to My PC
o ICA
o PCAnywhere
o RADMIN
o Teamviewer
o x11
• Tunneling Group
o Hotspot Shield
o OpenVPN
o PPTP
o Socks to HTTP
o Socks4
o Socks5
o XOT
• WAP Group
o SMPP
o UCP
• Web Group
o Apple Airport
o Funshion
o GroupWise
o Habbo
o Kaspersky Update
o Orb
o QQ (Tencent) Games
o Sina Weibo
o SPDY
o Speedtest
o YouKu


Artifacts

Artifacts are objects such as Microsoft Word files, executables, and web pages.

When an artifact is transferred via HTTP or email, the MIME type is specified in the header ("presented" in system nomenclature). If it differs from the file type that the system detects, using the magic number or file signature, the value in the Type column is shown in red text. You can also use the file_type_mismatch attribute in the advanced filter to find all such artifacts. Click an entry in the Results list to see additional information about the artifact.

1 HTTP response code

2 MD5, SHA1, and SHA256 hashes*

3 Fuzzy hash*

4 Actions

5 HTTP method

6 Displayed MIME or file type

A set of actions along the bottom provides the following functionality:

Preview See Artifact Preview

Download Download the artifact in its native format, as a ZIP file, or as PCAP(NG)

Analyze PCAP View all artifact packets in the packet analyzer

Explore Root Cause See Root Cause Explorer

Reputation View reputation-service information


* Enable hash computation for manual extractions on the Web UI. Select Settings > System and select or clear the following options: MD5, SHA1, SHA256, Fuzzy. (Fuzzy hash is disabled by default.)

MIME-Type Display

Specify which method determines the displayed file type of an artifact on [Account Name] > Preferences:

• Artifact MIME-Type Display — Specify how the file type is displayed in the Type column on the Extractions page:

o Presented — Use the value in the Content-Type field of the HTTP or email header, else show unknown.

o Detected — Use the embedded magic number or file signature, else show unknown.

o Derived — If both presented and detected values are present, use internal logic to display the most likely file type.
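The presented/detected distinction from the Artifacts and MIME-Type Display sections above, and the magic-number scan that Signature-Based Extraction relies on, as an added Python example that is not part of Security Analytics: a small signature table stands in for the full Foremost scan, and the derived type is a simplification that prefers the byte signature whenever one is recognised. The sample artifacts are constructed, including an executable served with an image Content-Type, which is the case the file_type_mismatch attribute is meant to surface.

```python
"""Detect an artifact's file type from its magic number and flag a mismatch
against the MIME type presented in the HTTP or email Content-Type header.

Added example, not Security Analytics code. The signature table is a
small subset of common magic numbers; the "derived" rule is a
simplification (prefer the byte signature when one is recognised).
"""
from typing import Optional

# (offset, signature bytes, detected MIME type)
SIGNATURES = [
    (0, b"\x89PNG\r\n\x1a\n", "image/png"),
    (0, b"\xff\xd8\xff", "image/jpeg"),
    (0, b"GIF87a", "image/gif"),
    (0, b"GIF89a", "image/gif"),
    (0, b"%PDF-", "application/pdf"),
    (0, b"MZ", "application/x-dosexec"),
    (0, b"PK\x03\x04", "application/zip"),
    (0, b"\x7fELF", "application/x-executable"),
    (0, b"#!", "text/x-script"),
]


def detect_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the magic number, or None if unknown."""
    for offset, magic, mime in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return mime
    return None


def normalize_presented(content_type: Optional[str]) -> Optional[str]:
    """Strip parameters such as '; charset=utf-8' and lower-case the media type."""
    if not content_type:
        return None
    return content_type.split(";", 1)[0].strip().lower() or None


def classify(content_type: Optional[str], data: bytes) -> dict:
    """Presented vs detected type, a derived best guess, and the mismatch flag."""
    presented = normalize_presented(content_type)
    detected = detect_type(data)
    # Derived: trust the byte signature when there is one, else fall back to the header
    derived = detected or presented or "unknown"
    mismatch = presented is not None and detected is not None and presented != detected
    return {"presented": presented or "unknown", "detected": detected or "unknown",
            "derived": derived, "file_type_mismatch": mismatch}


# Constructed samples: an honest PNG, a JPEG with a parameterised header,
# a Windows executable served as a GIF, and bytes with no header at all
SAMPLES = {
    "logo.png": ("image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    "photo.jpg": ("image/jpeg; charset=binary", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    "update.gif": ("image/gif", b"MZ\x90\x00" + b"\x00" * 16),
    "blob.bin": (None, b"\x00\x01\x02\x03"),
}

if __name__ == "__main__":
    for name, (ctype, body) in SAMPLES.items():
        print(name, classify(ctype, body))
```

The mismatch flag is deliberately only raised when both values exist: an artifact with no Content-Type header is "unknown", not a mismatch, which matches how the Presented and Detected display options fall back to unknown.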

SMB Artifacts

For artifacts transmitted over SMB, an extra field is displayed.


SMB Fragment displays whether the artifact is a known SMB fragment (true). To display SMB fragments, go to Settings > System and select the Display fragments check box.

HTTP POST Payloads

For HTTP POSTs, the payload has a separate entry from the original POST and is displayed below it.

The payload artifact does not display an HTTP method or the HTTP response icon.

Click Show Payload to see the Artifact Details for the payload.

VoIP Extractions

The VoIP artifacts are extracted and displayed by segment and payload type rather than by participant. The figure below shows the segments from one side of the call: PCMU (default audio), CN (comfort noise), and video/H263 (which is present in the VoIP implementation but unused in this particular call). (Consult RFC 3551 for payload formats.)


From the main (multipart/x-voip) artifact entry, you can download the entire call in Ogg or WAV format or as a PCAP(NG).

To preview the call, select the Ogg or WAV format and then listen to the call.

Following the main artifact are separate artifacts that display each segment separately. From each separate entry you can download the raw version of that segment.

Save Extractions and Artifacts

You may save the extraction results at any time, even if the extraction process for that view has not finished.

Open an Extractions page and apply any desired filters.

Select Actions > Save.


Type a name for the results. If you click Save before the extraction process is finished, you are provided with two options:

• Save and Stop — Everything that was extracted until you click Save and Stop will be saved.
• Save and Continue — The save operation will continue until the extraction process is completed.

If you click Save after Status shows Finished (100%), all of the results in the view will be saved.

Click Save.

Go to Analyze > Saved Extractions to retrieve the extraction.

Save Multiple Extraction Items

Open an Extractions page and apply any desired filters.

Select the check boxes for the artifacts to save.

In the left panel, under Selected Actions (X), click Download Artifacts and follow the prompts to save the artifacts to your workstation in a ZIP file.

Cancel an Extraction

While an extraction is running, you can cancel it without saving the results.

Select Actions > Stop Extraction. A few minutes may elapse before the extraction stops completely. When the extraction has fully stopped, the status will show Canceled 100% regardless of how much data was processed.

Optional — Select Actions > Save to save the data that was extracted before the process was canceled. After you have saved the data, you may restart the extraction by selecting Actions > Rerun.

Artifact Preview

See Artifact Preview.

Root Cause Explorer

The root cause explorer presents the chain of referrers for a given artifact.

To view referrer URL information, select Analyze > Summary > Extractions.

Click an artifact. If there is a value in the Referrer field, click Explore Root Cause.

The system will display the referring artifact. If that artifact also has a referrer, that artifact will be displayed as well, until no more referrers are found. All of the referrers must be in the same extraction session (same timespan and filters) for the referrer to be included.

Artifacts Timeline

The Artifacts Timeline view displays the distribution of artifacts across time.

• You can view the timeline by initiator/responder IP or port or by file type.
• Click the artifact or [X] Artifacts to see more information.
• Once you have selected an individual artifact, you can view it the same way as a single artifact.

Email Extractions

The Email view provides information about email messages (EML) and their attachments. If an attachment is included in an email, it can be exported using the FTP File Mover.

Security Analytics extracts only non-encrypted email messages. To decrypt SSL/TLS-encrypted messages, install Symantec SSL Visibility Appliance upstream of the Security Analytics appliance.

• Click Preview to see the email.
• Click the attachment to select the file-type for download.
• Click View Attachment Details to see more information.


IM Conversations

The IM Conversations view displays a list of IM conversations.

Security Analytics extracts only non-encrypted IM conversations. To decrypt SSL/TLS-encrypted messages, install Symantec SSL Visibility Appliance upstream of the Security Analytics appliance.

IM Conversation Preview

1 Participant list, including avatars

2 Click to view more about each participant

3 Conversation details

4 Date of capture, such as the date the PCAP file was imported or the conversation was captured

5 Click to hide or show status changes

6 Conversation date

Media Panel

The media panel displays thumbnails of captured image, audio, and multimedia files. By default, images that are smaller than 2 Kb are not displayed. Under Filter Results, you can select one or more image or audio file types. Use the Advanced Filter to narrow the search. Preview small, medium, or large thumbnails. Place your cursor over a thumbnail to see a summary of its attributes (URL, source/destination IP, file size, MIME type). Click the thumbnail to see the image's actual size. For audio files, click to launch an audio player for the file.


Artifact Preview

The Preview function provides the following views:

• Audio — Audio player for VoIP calls and other audio files.
• Email — The actual email message
• EXIF — The Exchangeable Image File data for JPG/JPEG files
• File Info — Output of the file command
• HTTP Headers — Request and response headers for the artifact
• Hex — Hex dump of the plain text
• Web Page — The HTML document with or without graphics, style sheets, and JavaScript®
• Image — The actual image: GIF, BMP, PNG
• jsunpack-n — The jsunpack-n results
• Strings — Output of the strings command
• Text — The plain text or formatted code, including FTP and Telnet sessions

Artifact Views

The Artifact Preview window displays all of the tabs for all of the views so that you can see different renderings for each artifact, regardless of the presented or detected file type.

Audio

A playable audio interface for audio files:

Any file can be displayed in the Audio view, and if you click the Play button, your browser will attempt to launch the file in its native application. Take care not to accidentally launch malware in this way; instead, click Download Artifact to obtain the artifact in a ZIP archive.

See File Names Sent to Providers for an explanation of the default extractor file name.


Email

The email message in HTML.

EXIF

For JPG/JPEG files, the embedded EXIF information.

File Info

Results from the File command, such as the artifact filename, file modification date/time, application version, and flags.

See File Names Sent to Providers for an explanation of the default extractor file name.


HTTP Headers

The HTTP request and response headers for the artifact, such as GET, POST, error codes, cookies.

In the results list, you can also place your cursor over the icon to see the HTTP response code, if any.

Hex

A conventional hex dump of the text.


Web Page

For text/html, the stripped-down web page.


Click View Options to add other elements (images, cascading style sheets, scripts) to the view.

• Captured Data — Retrieve from your capture drive.
• External — Retrieve from the Internet.
• Click View Page Elements to see a list of images, CSSs, and scripts that are included on the web page.
• When you view scripts (captured or external), you risk infecting your system with any malware in the scripts.
• To prevent the importation of external images, stylesheets, and scripts during HTML preview, select Settings > Web Interface and clear the Enable External HTML Elements Preview check box.

Security Best Practice

Clear the Enable External HTML Elements Preview check box.

• Click Download Artifact to save the HTML page (but not the page elements).
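Added example, not the appliance's preview renderer: a Python filter that strips from a captured HTML artifact what the Enable External HTML Elements Preview setting and the script warning above are concerned with, namely script, iframe, object and embed elements, inline event-handler attributes, CSS url() references, and absolute http(s) references in image, style-sheet and media tags, while keeping relative references that resolve to captured data. It also records what it removed, so the analyst still sees where the page reached out. The sample page is constructed.

```python
"""Strip active and externally fetched elements from a captured HTML artifact
before rendering it in a preview pane.

Added example, not Security Analytics code. It approximates the effect of
clearing "Enable External HTML Elements Preview" (no external images, style
sheets or scripts are fetched) and of never executing captured scripts.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements that execute code or embed another document: dropped with their content
DROP_ELEMENTS = {"script", "iframe", "object", "embed"}
# Elements whose external reference attribute is removed (the tag itself is kept)
FETCHING_ATTRS = {"img": "src", "link": "href", "source": "src",
                  "video": "src", "audio": "src"}
# Tags that take no closing tag
VOID = {"img", "link", "br", "hr", "meta", "input", "source"}


def is_external(url: str) -> bool:
    """True for absolute http(s) or protocol-relative URLs; relative refs are kept."""
    return url.startswith("//") or urlparse(url).scheme in ("http", "https")


class PreviewSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.skip_depth = 0      # >0 while inside a dropped element
        self.dropped = []        # record of what was removed, for the analyst

    def handle_starttag(self, tag, attrs):
        if tag in DROP_ELEMENTS:
            self.skip_depth += 1
            self.dropped.append(f"<{tag}>")
            return
        if self.skip_depth:
            return
        kept = []
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):                     # inline event handler
                self.dropped.append(f"{tag}@{lname}")
                continue
            if lname == "style" and "url(" in (value or "").lower():
                self.dropped.append(f"{tag}@style")        # CSS-driven fetch
                continue
            if (tag in FETCHING_ATTRS and lname == FETCHING_ATTRS[tag]
                    and value and is_external(value)):
                self.dropped.append(f"{tag}@{lname}={value}")
                continue
            kept.append(f' {name}="{value}"' if value is not None else f" {name}")
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_ELEMENTS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if not self.skip_depth and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:          # script bodies arrive here and are skipped
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.skip_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skip_depth:
            self.out.append(f"&#{name};")


def sanitize_for_preview(html: str):
    """Return (sanitized_html, list_of_dropped_items)."""
    parser = PreviewSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample artifact: external style sheet, inline script, an
# onload handler, a tracking pixel and one image that was captured locally
SAMPLE_HTML = (
    '<html><head><link rel="stylesheet" href="https://cdn.example.test/site.css">'
    '<script>document.write("hi")</script></head>'
    '<body onload="init()"><p>Hello &amp; welcome</p>'
    '<img src="https://tracker.example.test/p.gif"><img src="/local/logo.png">'
    '</body></html>'
)

if __name__ == "__main__":
    clean, dropped = sanitize_for_preview(SAMPLE_HTML)
    print(clean)
    print(dropped)
```

The dropped list is the part an analyst actually wants from a preview: the external hosts the page would have contacted are evidence, and the filter preserves them as text while preventing the browser from resolving them.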


Image

The actual image, if it can be rendered.

jsunpack-n

The results from jsunpack-n. In most cases, there is no JavaScript inside the artifact, so it will return [nothing detected] and info: [0] no JavaScript.

For JS, PDF, HTML, and SWF files, the process will usually return more details. The phrase [nothing detected] means that no malicious code was found. (Most error messages are generated by the script as it attempts to access data and variables in other files; they are not an indication that the file has been corrupted.)


For a corrupted file jsunpack-n will designate elements as "malicious" or "suspicious":

Strings

Results from the Strings command.

Text

The artifact in plain text. You can select one of the Syntax Highlighting options to see code in its native formatting.

Syntax Highlighting Options

• ActionScript®3
• Bash/Shell
• C#
• C/C++
• ColdFusion
• CSS
• CSS Formatted
• Delphi
• Diff
• Erlang
• Groovy
• HTML
• HTML Formatted
• Java
• JavaFX®
• JavaScript
• JS Formatted
• Perl®
• PHP
• Plain Text
• Python
• Ruby
• Scala
• SQL
• Visual Basic®
• XML
• XML Formatted


When the text consists of obfuscation-encoded characters such as BASE-64 or URL, you can decode the text by copying the text and selecting [Account Name] > Encoder/Decoder Tool. Paste the text to decode in Encoded Text, select the Algorithm, and click Decode. (Alternatively, you can paste plain text into Decoded Text, select an algorithm, and click Encode to encode the text.)
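Added example, not the Encoder/Decoder Tool itself: a Python helper that peels URL-encoding and Base64 layers off a text fragment until nothing further decodes to printable text, which is the manual copy, decode, paste loop above automated for text that was encoded more than once. The sample input is constructed inside the block by encoding a known string.

```python
"""Peel URL-encoding and Base64 layers off a captured text fragment.

Added example, not Security Analytics code. Each pass tries URL decoding
first, then Base64, and stops as soon as neither produces printable text.
The sample input is constructed here from a known plaintext.
"""
import base64
import binascii
import re
from typing import List, Optional, Tuple
from urllib.parse import quote, unquote

B64_RE = re.compile(r"^[A-Za-z0-9+/=\s]+$")


def looks_printable(text: str) -> bool:
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def try_base64(text: str) -> Optional[str]:
    """Return the decoded text, or None; tolerates missing '=' padding."""
    stripped = text.strip()
    if len(stripped) < 8 or not B64_RE.match(stripped):
        return None
    padded = stripped + "=" * (-len(stripped) % 4)
    try:
        decoded = base64.b64decode(padded, validate=False).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if looks_printable(decoded) else None


def try_url(text: str) -> Optional[str]:
    """Return the URL-decoded text only if the input really contained %xx escapes."""
    if "%" not in text:
        return None
    decoded = unquote(text)
    return decoded if decoded != text and looks_printable(decoded) else None


def decode_layers(text: str, max_layers: int = 8) -> List[Tuple[str, str]]:
    """Repeatedly apply URL then Base64 decoding; return [(algorithm, result), ...]."""
    layers = []
    current = text
    for _ in range(max_layers):
        for name, fn in (("url", try_url), ("base64", try_base64)):
            result = fn(current)
            if result is not None:
                layers.append((name, result))
                current = result
                break
        else:
            break        # neither decoder applied: innermost layer reached
    return layers


# Constructed sample: a request line, Base64-encoded, then URL-encoded
PLAINTEXT = "GET /login?user=alice&pw=hunter2"
SAMPLE = quote(base64.b64encode(PLAINTEXT.encode()).decode(), safe="")

if __name__ == "__main__":
    for algorithm, result in decode_layers(SAMPLE):
        print(f"{algorithm:7} -> {result}")
```

The printable-text check is a heuristic: a short run of letters and spaces can pass the Base64 alphabet test and decode to readable garbage, so treat the last layer as a candidate to be read, not as proof of what the sender meant. The max_layers cap keeps a pathological input from looping.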

For FTP sessions, the Text preview shows the sequence of events.


For Telnet sessions, the Text preview (HTML Formatted) displays the messages with and tags.


Appliance Security

This section includes the following topics:

• User Accounts and Groups
• Remote Authentication
o LDAP
o Kerberos Single Sign-On
o RADIUS
o Two-Factor
o Using RADIUS and LDAP in Parallel
o LDAP Group Inheritance
• Passwords
• SSL Certificates and Keys
• Ports and Protocols
• Remote Access
o Firewall
o Web Access
o SSH Access
o Web Interface Settings
• SSH Authentication
• Disable SSH Root Logins
• MD5-Encrypted Password for Bootloader
• Federal Information Processing Standards


User Accounts and Groups

Select Settings > Users and Groups to configure local user accounts and their groups. With these groups you can exercise RBAC. RBAC gives administrators the ability to assign specific view or modify permissions to "roles" (which are represented by "groups" on Symantec Security Analytics), and then to assign the users to one or more groups. In this way, administrators can impose a granular level of control over what users are permitted to do or see on Security Analytics.

Local Users

• You can create up to 256 local users on the Security Analytics appliance.
• User names and passwords support the UTF-8 character set.
• Password strength can be configured on Settings > Security.
• To enable two-factor authentication for your account, see Two-Factor Authentication.

Security Best Practices

• Do not modify password complexity settings except to increase password length.
• Specify different passwords for each user when setting up local user accounts.
• Require that user passwords be regularly changed, using "password aging." 90 days should be the maximum age.
• Notify users 7 days before their passwords expire.

Add a User

Select Settings > Users and Groups > Users.

Select Actions > New.

Under Login Details, specify the username and type the password twice. The username cannot contain spaces.

Optional — For User Groups, the default user group is present. You can delete this group or add other user groups, as desired.

A user account that does not belong to any groups does not have access to the appliance.

Optional — Under Account Details specify the user's real name and email address.

Click Save.


If you lose access to all of the admin-level accounts on the web interface, log on to the CLI with root permissions and run the following:

/gui/dsweb/Console/cake --app /gui/dsweb solera_acl elevate <username>

where <username> is the name of an existing user account. The command places the user in a new group with administrator privileges called elevated-admin-T. Log on with this account using its original password, and then edit the account and the group in Settings > Users and Groups.

Modify User Accounts

Use the controls on the Users and Groups page to modify or delete user accounts.

Local User — This user account was created directly on the appliance. When you delete this user, the user's group membership and login data are deleted, so the user cannot log in to the appliance again.

Edit Account — Click to change the user's password, enable or disable the account, or change group membership.

Delete User — If a user is logged in when its account is deleted, the user's next action will fail.

Non-Local Account — This user has logged in to the appliance using remote-server credentials such as LDAP or RADIUS. When you delete a non-local user from the appliance, the user is deleted from all local groups, but the account on the remote server is unaffected. When the user logs in to the appliance again using those remote credentials, the user account appears again on the Users and Groups page in the default group. The Admin may manually add or remove the user from the group. To prevent remote users from automatically logging on to the appliance, do one of the following:

• Create a group that has few access privileges and designate it as the default group.
• In the LDAP search settings, select a Group DN that excludes unwanted users. See LDAP Group Inheritance for more information.

Enabling and Disabling User Accounts

• User accounts are disabled automatically after a specified number of failed login attempts. (See Session Controls.) You can re-enable the user account by clicking its Edit icon and clearing Account Disabled.
• Likewise, you can manually disable a user account by selecting the Account Disabled check box.


Shell-Only Users

Shell-only user accounts can access the appliance through an SSH session only. They do not appear on and cannot be modified in the web interface. The password for a shell-only user expires after 60 days. To create a shell-only user, log in to the CLI with root credentials.

syntax

scm solera_acl shell_only <username> [-r]

parameters

<username> User name for the shell account; this account must already exist on the appliance, created either on the web interface or with the dsadduser command.

-r Remove the shell-only flag from the account.

examples

scm solera_acl shell_only Displays a list of shell-only users.

scm solera_acl shell_only <username> Converts the <username> account on the web UI to shell only. The account is no longer displayed in the web UI.

scm solera_acl shell_only <username> -r Removes the shell-only flag from the user account.

Account Profile Settings

Click the name of the current account to change user name, email, password, display, and authentication preferences.

Settings [Account Name] > Account Settings

For Name, type a display name for your account.
For Email, type the email address to associate with the account.
Optional — Click Change Password.

© 2019 Symantec Corporation Updated: 13 May 2019 Appliance Security 194 User Accounts and Groups

The default requirements for password strength are:
• 14 characters
• digit (numeral)
• other character (non-alphanumeric [#, &, %])
• upper-case letter
To change these rules, go to Settings > Security.

• Type the current (old) password.
• Type and then retype the new password.

API Key — The API key is used for web services APIs.
• The API key is not visible on the web UI by default.
  o Click Reset API Key to view and copy the API key.
  o After you close the Account Settings dialog, the API key will not be available again. You must click Reset API Key to generate a new key.
  o When you click Reset API Key, the previous API key is deleted.
  o A new user account does not have an API key until the user logs in to the web UI, opens Account Settings, and clicks Reset API Key.

Time Prefix, Time Suffix — See "Single Time-Value Configuration" in the Security Analytics 7.3.x Reference Guide on support.symantec.com.

Preferences [Account Name] > Preferences

• Number of Entries per Page — Select the number of rows to display for the data tables.
• Network Traffic — Select the unit of measurement to display: bits, bytes, packets.
• Language — Select the language for the interface.
• Enable Google Authenticator — Select to enable 2FA.

Do not enable 2FA until after you have installed Google Authenticator on your smart phone; otherwise, you may be locked out of the web interface.

• Artifact MIME-Type Display — Specify how the file type is displayed in the Type column on the Extractions page:
  o Presented — Use the value in the Content-Type field of the HTTP or email header, else show unknown.
  o Detected — Use the embedded magic number or file signature, else show unknown.
  o Derived — If both presented and detected values are present, use internal logic to display the most likely file type.

User Groups

Security Analytics has the following preconfigured user groups:

• admin — Full modification rights via the web interface and the CLI
• auditor — View and download logs
• security_admin — Full modification rights but no capture or analyze permissions
• user — View and modify capture and analysis pages; all new users are assigned to this group by default.

Create or Modify a Group

Select Settings > Users and Groups > Groups. Do one of the following:
• Click the Edit icon for an existing group.
• Click Actions > New and specify a unique Name.
Optional — Select Default to make this the default group. All new users will be placed into this group by default.
Optional — For Description, describe the group characteristics.
Specify the group's access rights. See Group Permissions, below.
Optional — For Filter, specify which data this group can access. See Data Access Control for more information.
Optional — For Users, type the names of the group's members. You can also leave this field blank and return later to add names.
Is LDAP authentication enabled on this appliance?
• Yes — Optional: For LDAP Groups, type any value that exists within the search scope of the Group DN field on the Authentication Settings page. See LDAP Authentication and LDAP Group Inheritance for more information.
• No — Continue the procedure.
Click Save.


Group Permissions

Security Best Practices Provide users with only the level of access that is required for their roles.

• Use the security_admin group for users who must verify that the appliance's security settings conform to your organization's policies.
• If a user needs to view reports but will not be responsible for making configuration changes, assign the user to a group that does not have Settings permissions.
• Assign a user who is an auditor to the default audit group, which has permission to view and download logs only.
• Use data-access control to restrict access to particular types of report and artifact data. For example, if Filter contains application_group!=web, the user cannot view data that has been classified in the web application group.

When assigning group permissions, you can select a parent permission to include all of its children permissions, or you can select each permission separately. When you select the Capture check box, for example, you assign all capture-related permissions to the group, or you can clear Capture child permissions individually. The Security Administrator has access to all settings and the CLI but cannot capture or analyze data.

Default Group Permissions

Permission Admin Sec. Admin Auditor User

Full modify permissions X

Settings — Modify all Settings pages. X X

Authentication — Remote login services (LDAP, RADIUS, Kerberos) X X

Central Manager — Add and remove CMC control X X

Communication — SNMP, syslog, notifications X X


Data Enrichment and Reputation — Data-enrichment server setup; reputation providers X X

Data Retention — Time-based data deletion; summary graph data purge X X

Date/Time — Time zone, NTP X X

Geolocation — Google Earth, MaxMind databases, internal subnets X X

License — Install and download X X

Metadata — Enable and disable reports and indexing attributes. X X

Network — IP address, hostname, DNS, proxy X X

Security — Firewall, access control, session control X X

System X X

CSR — Download the Customer Service Report X X

Reboot X X

Shut Down X X

Upgrades — Initiate upgrades X X

Users and Groups — Create, edit, and delete user and group accounts X X

User Names — View user names only X X X

User Records — Create, update, and view user records X X

Web Interface — Session timeouts, referrers, and message of the day X X

Statistics — View statistics pages X X X

Logs — View and download logs X X X

Capture — Perform all capture, playback, and PCAP functions X

Capture Summary — View Capture Summary Graph X

Capture — Stop and start capture X X

Playback — Stop and start playback X X

Reindexing — Initiate reindexing X X

Capture Statistics — View capture rate and system statistics X X

Import PCAP — Import PCAP files X X

Import Remote PCAP — From remote servers X X

Import Local PCAP — From local directories and USB drives X

Import PCAP from Browser — Import PCAPs using a browser X X

PCAPs — Download and analyze PCAPs X X

PCAPs without Access Restrictions — Download PCAPs using BPF filter; ignore data-access restrictions X X


Analyze — Analyze PCAPs X X

Download — Download PCAPs X X

Analyze — All pages under Analyze X X

Summary — View Summary page X X

Reports — Generate reports X X

Standard Reports — View, schedule, and download reports X X

Risk and Visibility Report — Generate the Risk and Visibility report X X

Artifacts — View and download artifacts X X

Download — Download and preview artifacts X X

Metadata — View artifact metadata X X

Geolocation — View the Geolocation page X X

Rules — Create, edit, and delete rules and alerts X X

Current User Only — Create, edit, and delete rules for the logged-in user account; view related alerts X X

All User Rules — Edit and delete rules from all users; view all alerts X X

Indicators — Create, edit, and delete indicators X X

CLI — Restricted-shell access to the CLI via SSH X X

Base Permissions — Read-only commands such as cd, ls, pwd, less X X

Tier 1 Permissions — Networking and File System Management, as specified in /etc/sudoers.d X X

Tier 2 Permissions — File System and Admin Utilities, Process and Drive Management, as specified in /etc/sudoers.d X X

Security Best Practice Assign only Base-level permissions for shell access.

Data Access Control

• Use data access control to specify which data types a group can access. All primary filter attributes are valid for this field. (See Metadata Settings.)
• For example, if you specify application_group=web, the users in the group can access only the data that is related to the Web application group. Leave the field blank to grant access to all data types.
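The following evaluator, added here as an example and not Security Analytics code, shows how a group Filter such as application_group=web or application_group!=web restricts which metadata records a group member can see. The filter grammar (terms joined by "and"), the record shape and the sample records are assumptions.

```python
"""Evaluate a group's data-access Filter against session metadata records.

Added example, not Security Analytics code. The grammar modelled here is an
assumption: one or more "attribute=value" or "attribute!=value" terms joined by
" and ". A blank filter means no restriction, as the guide states.
"""
import re
from typing import Dict, List, Tuple

TERM_RE = re.compile(r"^\s*(\w+)\s*(!=|=)\s*(\S+)\s*$")


def parse_filter(expr: str) -> List[Tuple[str, str, str]]:
    """Parse 'attr=value and attr2!=value2' into (attribute, operator, value) terms."""
    expr = expr.strip()
    if not expr:
        return []                       # blank Filter: access to all data types
    terms = []
    for part in re.split(r"\s+and\s+", expr, flags=re.IGNORECASE):
        match = TERM_RE.match(part)
        if not match:
            raise ValueError(f"unparseable filter term: {part!r}")
        terms.append((match.group(1), match.group(2), match.group(3)))
    return terms


def record_allowed(record: Dict[str, str], terms: List[Tuple[str, str, str]]) -> bool:
    """A record is visible only if every term of the group Filter holds for it.

    A record that lacks the attribute fails an '=' term and passes a '!=' term,
    which is the conservative reading for an access-control restriction.
    """
    for attribute, operator, value in terms:
        actual = record.get(attribute)
        if operator == "=" and actual != value:
            return False
        if operator == "!=" and actual == value:
            return False
    return True


def apply_group_filter(expr: str, records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the subset of records a group with this Filter may access."""
    terms = parse_filter(expr)
    return [r for r in records if record_allowed(r, terms)]


# Constructed sample metadata, shaped like primary-filter attributes (not real data).
SAMPLE_RECORDS = [
    {"flow_id": "1", "application_group": "web", "application_id": "http"},
    {"flow_id": "2", "application_group": "mail", "application_id": "smtp"},
    {"flow_id": "3", "application_group": "web", "application_id": "https"},
    {"flow_id": "4", "application_group": "remote_access", "application_id": "ssh"},
]

if __name__ == "__main__":
    for expr in ("", "application_group=web", "application_group!=web",
                 "application_group=web and application_id=https"):
        visible = [r["flow_id"] for r in apply_group_filter(expr, SAMPLE_RECORDS)]
        print(f"{expr or '<blank>':48s} -> flows {visible}")
```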


Remote-Authentication Users

• When remote authentication is enabled (LDAP, Kerberos, RADIUS), users can log on to the appliance without the admin creating the user on the appliance.
• When a user logs on to the appliance with remote credentials, the user automatically appears on the Settings > Users and Groups page and is placed in the default group.

Create a default user group on Security Analytics with minimal or zero permissions so that when the user logs in to the appliance for the first time, the user will not be able to access sensitive information. After you verify that the user is a legitimate Security Analytics user you can move the user into a group that has suitable permissions.

• Remote users and local users are designated by different icons on the Users and Groups page.
• If remote authentication is enabled, you cannot create a local username that is identical to a username on a remote authentication server.


Remote Authentication

Security Best Practices
• Because remote-authentication servers may provide stronger password-storage and password-guessing protections than local user accounts, implement third-party authentication instead of using local accounts.
  ° Create a default user group with minimal permissions so that remote-authentication users cannot automatically access sensitive information.
• Active Directory and LDAP should have encrypted connections to Security Analytics.
  ° Security Analytics should initiate authenticated connections with the remote authentication server—not the other way around.
• Encrypt connections to authentication servers with TLS. Security Analytics 7.3.1 and later uses TLS 1.2 only.

LDAP Authentication With the LDAP authentication service, users can log on to the Security Analytics appliance using a username/password combination stored on an external LDAP server. These credentials are valid for both the web interface and the CLI.

Because each network is unique, Symantec cannot make specific recommendations as to how you should integrate LDAP with Security Analytics.

When a user attempts to authenticate via LDAP, the process is as follows:
1. The user logs in via HTTP or SSH.
2. The appliance sends a BIND request containing the BIND DN credentials to the LDAP server.
3. The LDAP server returns success or failure.
4. The appliance sends the LDAP user credentials and search base criteria to the LDAP server.
5. The LDAP server returns success or failure.
6. The appliance allows authentication; if successful, the user is added to the user list in the default user group on the Users and Groups settings page.


Create a default user group on Security Analytics with minimal or zero permissions. When an LDAP user logs in to the appliance for the first time, the user will not be able to access sensitive information. If the user is a legitimate Security Analytics user you can move the user into a group that has suitable permissions.

Enable LDAP

Select Settings > Authentication. Select the Enable LDAP Authentication check box. The system will automatically attempt to discover an LDAP server. If the auto-discover is unsuccessful, the LDAP Auto-Discover dialog box is displayed. Do one of two things:

• Click Cancel and manually specify the LDAP settings.
• Supply the BIND domain FQDN and click Save.
  o Follow the prompts to provide the LDAP BIND authentication credentials for the domain controller. For an anonymous LDAP BIND, leave these fields blank.
  o Click Save. The system discovers the configuration information from the Active Directory or LDAP server and populates the Authentication page.

At any time during LDAP configuration, you can click the Test LDAP button to see if the settings are valid.

Modify LDAP Server Settings

If there is more than one domain controller on the system, by default the system discovers the primary server configured. You can change the settings to use another domain controller by following these steps:
For Server, enter the LDAP server's hostname or IP address.
For Port, enter one of the following:
• 389 for LDAP
• 3268 for Active Directory®
Select the Encryption Type.
• For SSL/TLS or StartTLS, you should select the Verify Server Certificate check box only if your LDAP server has a certificate from a valid certificate authority.
• If the LDAP server certificates are self-signed, clear the Verify Server Certificate check box.
Enter the BIND DN and BIND Password for an account that has rights to search the containers where the LDAP users are located. If your LDAP server does not require an authorized login, you may leave the Authenticated BIND fields blank.


Select Enable Credentialed Group BIND if you want to determine group membership by querying LDAP as the logged-in user instead of using the authenticated BIND credentials.
Click Save. The appliance will immediately try to connect to the LDAP server.

Limiting LDAP User Searches To improve LDAP login performance, you can constrain the range of containers to be searched when looking for an LDAP user.

Search Base The starting container where the LDAP server will begin searching for LDAP users. Only one search base is allowed. Specify using LDIF, e.g., DC=,DC=.

Scope How the LDAP server will search within that container.

• base — Queries only the search base but nothing below it
• one — Queries only the first level under the search base but not the search base itself
• sub — Queries the search base and every level under it

Group DN The group whose members will be added to the default user group on the Security Analytics appliance.

Before you specify the Group DN, you must correctly set the Group Membership Attribute under Schema Configuration. This attribute's syntax varies according to your LDAP implementation. If the attribute is specified incorrectly, the Group DN field will not populate properly.

Examples of the group members that are included in the search parameters are displayed.

When configuring LDAP, Symantec recommends that you not leave Group DN blank, because then all LDAP users in the search scope will be able to authenticate as members of the default user group. This may pose a security risk.
• Before you specify Group DN, create a default user group on Security Analytics with minimal permissions so that the LDAP users are not accidentally granted more permissions than desired. Later, you can manually assign each user to the desired groups.
• Membership in the Security Analytics user group is established when the LDAP user logs in to Security Analytics for the first time. If you change the default user group or the Group DN, the membership of users who have logged in once to Security Analytics will not change.


After you specify a Group DN, you can add other LDAP groups to different Security Analytics user groups such that the LDAP group inherits the permissions of the Security Analytics group. See LDAP Group Inheritance.

Group Name Attribute Specify the attribute to use for the group name.

Identifying the LDAP Schema Configuration

Because LDAP schema mappings vary between LDAP implementations, you can select an appropriate schema mapping such as InetOrgPerson, Microsoft® Active Directory®, and Microsoft Services for Unix®. Select the LDAP schema that your server uses from the list. Most Open LDAP implementations will work with the InetOrgPerson configuration. If your server's schema is not in the list, select User Defined and fill out the resulting fields.

Note on Server-Side Changes to LDAP

LDAP server settings are configured within each vendor's LDAP implementation. Depending on the LDAP server being used, the schema may need to be extended so that certain attributes, such as Unix attributes, can be added to the user objects themselves. This may require elevated rights to make the necessary modifications to either the LDAP schema or the LDAP users. The attributes that must be present on the LDAP users are uidnumber, gidnumber, and homeDirectory.

Specify a Mapped LDAP Schema

Select Settings > Authentication and scroll down to Schema Configuration. For LDAP Schema select one of the following options:
• InetOrgPerson — Standard LDAP configurations
• Microsoft Active Directory — Microsoft Active Directory configurations
• Microsoft Active Directory (RFC 2307) — MS Active Directory configurations compliant with the IETF RFC 2307 standard
• Microsoft Services for Unix 2.0 — MS Active Directory configurations compliant with the Unix 2.0 standard
• Microsoft Services for Unix 3.5 — MS Active Directory configurations compliant with the Unix 3.5 standard
• RFC 2307 Network Information Service — Network Information Service compliant with the IETF RFC 2307 standard
• RFC 2307bis Network Information Service — Network Information Service compliant with the IETF RFC 2307bis standard
• User Defined — All other LDAP configurations. If you select this option, go to Define a New LDAP Schema.
Click Save. The appliance will now use these values when searching for LDAP users.


Define a New LDAP Schema

Scroll down to the Schema Configuration section. For LDAP Schema, select User Defined.
Specify the User Object Class.
For Login Name Attribute, type the LDAP distinguished name.
For Full Name (GECOS) Attribute, type the full name of the user (or application name, if the account is for a program). You can also append the following (separated by commas):
• Building and room number or contact person
• Office telephone number
• Any other contact information (pager number, fax, etc.)
For User Password Attribute, type the account password.
Select the Password Change Method:
• Active Directory (ASDI)
• Cleartext
• Cleartext (remove old password first)
• Crypt
• IBM® RACF
• MD5
• Novell® NDS
• RFC 6032
• RFC 6032 (send old and new passwords)
Specify the User ID Number Attribute and Home Directory Attribute.
For User Shell Attribute, type the name of the shell that the user will use to log in.
Specify any Shadow Object Class.
Specify the Group Object Class and Group ID Number Attribute for nested and dynamic groups.
For Group Membership Attribute, type the name of the attribute where group membership should be derived. This attribute must match the schema on the LDAP server.
Select Distinguished Name or UID for Group Membership Type.
Click Save. The appliance will now use these mapping values when searching for LDAP users.

Troubleshooting LDAP For further assistance, contact Symantec Support.


problem The system returns the error message: Your LDAP settings were not discoverable. Please enter the BIND Domain FQDN and another attempt will be made.

solution Verify that the name servers are configured properly. The search base and domain should not be pointing to the wrong domain in /etc/resolv.conf.

problem The system returns the error message: Your LDAP settings were not discoverable. Please check the username and password. If that still does not fix the problem, cancel this dialog and manually enter your settings.

solution Select Settings > Network and verify that DNS is configured correctly and is pointing to a Windows domain controller. Verify that the username and password are correct for the domain controller.

problem Security Analytics sends too many login requests to the LDAP server.

solution In versions 7.3.2 and later, create /etc/ldap_throttle.conf with the following arguments to control the number of milliseconds between sequential LDAP login requests.

THROTTLE_MIN
THROTTLE_MAX

When /etc/ldap_throttle.conf does not exist, the system performs no throttling.

Kerberos Authentication

If Kerberos® is implemented on your network, you can provide single sign-on (SSO) access to the Security Analytics appliance.

Kerberos SSO and Active Directory authentication via an LDAP group DN are mutually exclusive. If Kerberos is enabled, anyone in the domain can authenticate to the Security Analytics appliance successfully. If you specify a group DN in the Searches section, Kerberos authentication will be automatically disabled.

LDAP Server Setup Install and configure the Active Directory or LDAP server. Consult the LDAP vendor's documentation for instructions.


Create a default user group on Security Analytics with minimal or zero permissions. When a Kerberos user logs in to the appliance for the first time, the user will not be able to access sensitive information. If the user is a legitimate Security Analytics user you can move the user into a group that has suitable permissions.

Security Analytics Setup

Select Settings > Date/Time and select the Use Network Time Protocol (NTP) check box. For Primary NTP, type the FQDN of the LDAP server and click Save.
Select Settings > Network. Make a note of the Hostname.
On all of the DNS servers that are listed in the Domain Name Servers section, add forward and reverse lookup entries for the Security Analytics appliance hostname.
Follow the steps in Enable LDAP to configure LDAP authentication. For Group DN, verify that nothing is selected.
Select the Enable Kerberos check box. The Domain Controller, Realm, and Domain fields should be auto-populated with the LDAP configuration settings.
Specify the Username and Password to bind the appliance to the Kerberos domain.
Click Save.

Single Sign-On Setup

For every device that is to authenticate to the Security Analytics appliance using single sign-on, perform these steps:
Verify that the device is in the same Kerberos domain as the Security Analytics appliance.
The FQDN of the Security Analytics appliance must be specified as a trusted site, according to browser settings:
• For Firefox®, go to the about:config page and modify the network.negotiate-auth.trusted-uris setting to include the FQDN of the appliance.
• For Internet Explorer, go to Internet Options > Local Intranet, and add the FQDN of the Security Analytics appliance as a local intranet site. (If you are using the Windows short name, you do not need to perform this step.)
Configure the browser to negotiate with Kerberos instead of NTLM (NT LAN Manager).
Users must navigate to the domain name of the Security Analytics appliance instead of its IP address. This domain name can be the Windows short name or the FQDN. (The FQDN is recommended, because that is the name in the certificate for HTTPS management.)


RADIUS Authentication

You can configure Security Analytics to accept RADIUS authentication.

• Create a default user group on Security Analytics with minimal or zero permissions. When a RADIUS user logs in to the appliance for the first time, the user will not be able to access sensitive information. If the user is a legitimate Security Analytics user you can move the user into a group that has suitable permissions.
• Also see Using RADIUS and LDAP in Parallel on Security Analytics.

Select Settings > Authentication. Select the Enable RADIUS Authentication check box. Fill in the fields as follows:
• Server — IP address or hostname of the RADIUS server
• Port — Port number (default: 1812)
• Shared Secret — Passphrase
• Timeout (Seconds) — Number of seconds before an idle RADIUS session times out
Click Save.

Two-Factor Authentication

Two-factor authentication (2FA) requires a token in addition to the username and password to access the web interface. The authentication token is created by a time-based one-time password (TOTP)-compatible mobile app such as Symantec VIP or Google Authenticator®.

Do not enable 2FA until after you have verified the following; otherwise, you may be locked out of the web interface*:
• The TOTP app is installed on your smart phone and is working.
• The time on the Security Analytics appliance is correct and coordinated with NTP. Because the 2FA token is valid for only 30 seconds, the appliance will reject a token that appears to be outside the validity timespan.
*Use the scm tally command to restore access.

Download the TOTP app and follow the instructions to install the application on your smart phone.
On the web interface, select [Account Name] > Preferences.
Select the Two-Factor Authentication check box.
Enter the secret key to the TOTP app in one of two ways:
• Scan the QR code.
• Type the case-sensitive secret key into the space provided.
Click Save. 2FA is now enabled for this user account.

2FA is enabled per user account, not per appliance; therefore, some user accounts on the same appliance can require 2FA to log in while others do not.

2FA Logins

When logging in to the web interface with a 2FA-enabled account, follow these steps:
Type the username and password as usual and click Log In. A second login prompt is displayed.
Type the authentication token as provided by the TOTP app and click Log In.

The authentication token changes about every 30 seconds, so you must consult the TOTP app for each login instance.
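The following TOTP verifier, added here as an example and not Security Analytics code, shows why the appliance clock must be NTP-synchronized before 2FA is enabled: the token is derived from the shared secret and the current 30-second time step, so an appliance clock that is off by more than the accepted window rejects a token the app generated correctly. The accepted window of one adjacent step and the demo secret are assumptions.

```python
"""RFC 6238 TOTP generation and verification with clock-skew handling.

Added example, not Security Analytics code. DEMO_SECRET is a constructed
value (the RFC 6238 test key), and the one-step tolerance window is an
assumption; the guide only states that out-of-window tokens are rejected.
"""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # token lifetime stated in the guide
DIGITS = 6          # code length used by Google Authenticator-style apps


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS) -> str:
    """HMAC-SHA1 TOTP for the time step containing unix_time."""
    key = base64.b32decode(secret_b32.upper().replace(" ", ""), casefold=True)
    counter = int(unix_time) // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def verify_token(secret_b32: str, token: str, appliance_time: int, window: int = 1) -> bool:
    """Accept the token for the appliance's current step and +/- `window` steps.

    Comparison is constant-time so timing does not leak which candidate matched.
    """
    for drift in range(-window, window + 1):
        candidate = totp(secret_b32, appliance_time + drift * STEP_SECONDS)
        if hmac.compare_digest(candidate, token):
            return True
    return False


# Constructed demo secret: base32 of the RFC 6238 test key, NOT a real secret.
DEMO_SECRET = base64.b32encode(b"12345678901234567890").decode()


def skew_demo(phone_time: int, appliance_offset: int) -> bool:
    """The phone generates a token at phone_time; the appliance clock is
    appliance_offset seconds away from true time (e.g. not NTP-synced).
    Returns whether the login would succeed."""
    token = totp(DEMO_SECRET, phone_time)
    return verify_token(DEMO_SECRET, token, phone_time + appliance_offset)


if __name__ == "__main__":
    t = 1234567890   # fixed constructed timestamp, exactly on a step boundary
    print("clocks in sync:        ", skew_demo(t, 0))
    print("appliance 20 s slow:   ", skew_demo(t, -20))
    print("appliance 45 s slow:   ", skew_demo(t, -45))
    print("appliance 5 min fast:  ", skew_demo(t, 300))
```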

Using RADIUS and LDAP in Parallel on Security Analytics

When both RADIUS and LDAP are configured on a Security Analytics appliance, RADIUS authentication is usually tried first.
• If the user account is defined only on the RADIUS server, the login fails.
• RADIUS user accounts must also be defined elsewhere, either in the local user database or on the LDAP server.
• If RADIUS rejects the account credentials, Security Analytics will attempt LDAP authentication.

Functionality and Process

In Security Analytics:
• RADIUS serves one purpose — Authentication, which addresses the question: "Is this username/password tuple valid?"
• LDAP serves two purposes — Authentication and Authorization, which addresses the question: "May this user access the resource?"
• The local user database serves three purposes — Authentication, Authorization, and Accounting, as it records user activity in the log.

Logging in to Security Analytics has a different workflow depending on where the user-account information is defined:
• When a username/password tuple is defined only on the RADIUS server, the user will not be allowed to log in to a RADIUS-configured Security Analytics appliance, even if the correct username and password are given, because RADIUS does not serve the Authorization function. For a RADIUS-defined user to access an appliance, a corresponding user account must also be defined in a system that provides Authorization—the Security Analytics local user database or the LDAP server.
• When a user account is defined only on the LDAP server, the user can log in even when no local user account has been defined on Security Analytics, because an LDAP user account provides both the Authentication and Authorization functions.

When both RADIUS and LDAP are configured on a Security Analytics appliance, user login attempts may trigger several transactions to both LDAP and RADIUS servers, because Security Analytics needs to resolve both the Authorization and Authentication questions. Typically, one might first see Authorization-related queries to the LDAP server followed by Authentication-related queries to the RADIUS server, so the question of which authentication protocol is tried first has different answers depending on whether Security Analytics needs Authentication or Authorization information.
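The decision logic described above, modelled as an added example that is not Security Analytics code: the local database and LDAP are consulted for authorization first, RADIUS is then tried for authentication, and the authorizing store's own credentials are the fallback when RADIUS rejects. The in-memory backends and their accounts are constructed stand-ins for the real servers.

```python
"""Model of the RADIUS + LDAP login workflow described in the guide.

Added example, not Security Analytics code. Backend objects are constructed
stand-ins for the RADIUS server, the LDAP server and the local user database;
the ordering of checks follows the guide's description.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Backend:
    """One credential store: username -> password (constructed, not real)."""
    name: str
    accounts: Dict[str, str]

    def knows(self, user: str) -> bool:
        return user in self.accounts

    def check(self, user: str, password: str) -> bool:
        return self.accounts.get(user) == password


@dataclass
class Decision:
    allowed: bool
    reason: str
    queried: List[str] = field(default_factory=list)   # servers contacted, in order


def login(user: str, password: str, radius: Optional[Backend],
          ldap: Optional[Backend], local: Backend) -> Decision:
    decision = Decision(False, "")
    # Authorization first: only the local database or LDAP can answer
    # "may this user access the appliance?", so they are consulted before RADIUS.
    authorizers = []
    for store in (local, ldap):
        if store is None:
            continue
        decision.queried.append(store.name)
        if store.knows(user):
            authorizers.append(store)
    if not authorizers:
        decision.reason = "refused: no authorization source (local database or LDAP) knows this user"
        return decision
    # Authentication: RADIUS is tried first when it is configured.
    if radius is not None:
        decision.queried.append(radius.name)
        if radius.check(user, password):
            decision.allowed = True
            decision.reason = f"accepted: RADIUS authenticated, {authorizers[0].name} authorized"
            return decision
    # RADIUS rejected (or is absent): fall back to the authorizing store's own credentials.
    for store in authorizers:
        if store.check(user, password):
            decision.allowed = True
            decision.reason = f"accepted: {store.name} authenticated and authorized"
            return decision
    decision.reason = "refused: credentials rejected by every configured server"
    return decision


# Constructed credential stores (not real accounts or passwords).
RADIUS = Backend("RADIUS", {"rtest": "radius-only-pw", "bilbo": "bilbo-pw"})
LDAP = Backend("LDAP", {"bilbo": "bilbo-pw", "ggrey": "ggrey-pw"})
LOCAL = Backend("local", {"admin": "local-admin-pw"})

if __name__ == "__main__":
    for user, pw in (("rtest", "radius-only-pw"), ("bilbo", "bilbo-pw"),
                     ("ggrey", "ggrey-pw"), ("ggrey", "wrong"), ("admin", "local-admin-pw")):
        d = login(user, pw, RADIUS, LDAP, LOCAL)
        print(f"{user:6s} allowed={d.allowed!s:5s} via {d.queried} : {d.reason}")
```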

LDAP Group Inheritance

Symantec Security Analytics supports the inheritance of local Security Analytics group membership based on user groups that are stored in a remote LDAP server.

example

These two LDAP users are members of three LDAP groups, as follows:
• bilbo (adventurer, hobbit)
• ggrey (adventurer, wizard)
In this example, members of the adventurer group will be added to the default user group (user) but only members of the wizard group will inherit admin privileges.

Step 1: Verify the LDAP Schema Group memberships on the LDAP server must be stored as full distinguished names (DNs), not only as user names, because the pam_ldap module on Security Analytics forms a query filter based on the DN.


Step 2: Map the Group Membership Attribute Depending on your schema you may need to manually specify the group membership attribute. This attribute is required for all group-membership lookups.

Step 3: Set the Group DN To enable group permission inheritance, you must specify the Group DN. Each LDAP user in that group will be added to the default Security Analytics user group when the user logs in for the first time. Users who are not in that group cannot log in to Security Analytics.


When configuring LDAP, Symantec recommends that you not leave Group DN blank, because then all LDAP users in the search scope will be able to authenticate as members of the default user group. This may pose a security risk.
• Before you specify Group DN, create a default user group on Security Analytics with minimal permissions so that the LDAP users are not accidentally granted more permissions than desired. Later, you can manually assign each user to the desired groups.
• Membership in the Security Analytics user group is established when the LDAP user logs in to Security Analytics for the first time. If you change the default user group or the Group DN, the membership of users who have logged in once to Security Analytics will not change.

Step 4: Configure Inheritance Select Settings > Users and Groups > Groups. Edit the admin group and specify wizards for LDAP Groups. Members of wizards will inherit admin privileges the next time they log in to Security Analytics.


An LDAP user who is a member of wizards — but is not in the group specified by Group DN — cannot log in.

Step 5: Verify Group Inheritance When you log in to the Security Analytics appliance as each LDAP user, you can see that their Setting menus reflect their respective permissions.


On Settings > Users and Groups > Users, you can see the users who have logged in to Security Analytics at least once. Both user entries show membership in the default group; however, ggrey does not show membership in admin.

On the Groups tab, you can see that the wizards LDAP group has admin privileges, but individual users in wizards are not listed in the admin group. If desired, you could manually remove ggrey from user so that ggrey has only admin permissions.
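The bilbo/ggrey walkthrough above, Steps 1 through 5, as an added example that is not Security Analytics or pam_ldap code: it builds the DN-based membership filter that Step 1 requires, evaluates it against a constructed directory snapshot, refuses users outside Group DN, and applies the admin <- wizards inheritance from Step 4. The DNs, the directory contents and the filter syntax are assumptions; the smaug user is added to show the Step 4 note.

```python
"""Model of LDAP group inheritance: Group DN gate, default group, LDAP Groups mapping.

Added example, not Security Analytics or pam_ldap code. The directory snapshot
is a constructed stand-in for an LDAP server: {group_dn: {attribute: [values]}}.
"""
from typing import Dict, List, Optional, Set

# RFC 4515 escaping for values embedded in an LDAP search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def membership_filter(member_attr: str, user_dn: str) -> str:
    """Filter that finds groups whose membership attribute holds the user's full DN
    (Step 1: membership must be stored as DNs, not bare user names)."""
    return f"({member_attr}={escape_filter_value(user_dn)})"


def groups_of(directory: Dict[str, Dict[str, List[str]]], member_attr: str, user_dn: str) -> Set[str]:
    """Evaluate the membership filter against the directory snapshot (Step 2 attribute)."""
    return {gdn for gdn, attrs in directory.items() if user_dn in attrs.get(member_attr, [])}


def resolve_login(directory: Dict[str, Dict[str, List[str]]], member_attr: str, group_dn: str,
                  default_group: str, inheritance: Dict[str, str], user_dn: str) -> Optional[Set[str]]:
    """Local Security Analytics groups granted at first login, or None if login is refused.

    group_dn     -- Step 3: the LDAP group a user must belong to in order to log in at all
    inheritance  -- Step 4: local group -> LDAP group DN configured under LDAP Groups
    """
    ldap_groups = groups_of(directory, member_attr, user_dn)
    if group_dn not in ldap_groups:
        return None                                  # not in Group DN: cannot log in
    local = {default_group}                          # everyone in Group DN lands in the default group
    for local_group, mapped_ldap_group in inheritance.items():
        if mapped_ldap_group in ldap_groups:
            local.add(local_group)                   # inherited on the next login
    return local


BASE = "dc=example,dc=com"                            # constructed base DN
USERS = {name: f"uid={name},ou=people,{BASE}" for name in ("bilbo", "ggrey", "smaug")}
GROUPS = {name: f"cn={name},ou=groups,{BASE}" for name in ("adventurer", "hobbit", "wizards")}

# Constructed directory with DN-based membership, as Step 1 requires.
DIRECTORY = {
    GROUPS["adventurer"]: {"member": [USERS["bilbo"], USERS["ggrey"]]},
    GROUPS["hobbit"]: {"member": [USERS["bilbo"]]},
    GROUPS["wizards"]: {"member": [USERS["ggrey"], USERS["smaug"]]},
}
# The same groups with membership stored as bare user names, which the DN filter cannot match.
DIRECTORY_UID_ONLY = {
    GROUPS["adventurer"]: {"memberUid": ["bilbo", "ggrey"]},
    GROUPS["wizards"]: {"memberUid": ["ggrey", "smaug"]},
}
INHERITANCE = {"admin": GROUPS["wizards"]}            # Step 4: admin group, LDAP Groups = wizards


def login_groups(directory, member_attr, user: str) -> Optional[Set[str]]:
    return resolve_login(directory, member_attr, GROUPS["adventurer"], "user", INHERITANCE, USERS[user])


if __name__ == "__main__":
    print(membership_filter("member", USERS["bilbo"]))
    for user in USERS:
        print(user, "->", login_groups(DIRECTORY, "member", user))
    print("uid-only schema, bilbo ->", login_groups(DIRECTORY_UID_ONLY, "memberUid", "bilbo"))
```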


Passwords

The passwords to access features on a Symantec Security Analytics appliance are as follows:

• Local Users
• Remote Users
• Root
• Boot Loader
• Administrator/Current User
• Two-Factor Authentication
• SNMPv3
• SMTP
• syslog

Security Best Practices

• Do not modify password complexity settings except to increase password length.
• Specify different passwords for each user when setting up local user accounts.
• Require that user passwords be regularly changed, using "password aging." 90 days should be the maximum age.
• Notify users 7 days before their passwords expire.

Password-Complexity Rules

The password-complexity rules affect the local and remote users (including the admin account) and root (SSH). To alter the password-complexity rules, follow these steps:

Select Settings > Security and scroll down to Password.
Adjust the Length as desired.
Select or clear the check boxes to require digits (numerals), other characters (non-alphanumeric), or upper-case letters.

Click Restore Defaults to reset as follows:
• Length — 14
• Require Digits — Enabled
• Require Other Characters — Enabled
• Require Uppercase — Enabled
• Require Lowercase — Enabled

Set Notification Interval for Password Expiry

Log in to the console as root. Run this command to alert users 7 days before their passwords expire:

[root@hostname ~]# sed -i "s/^PASS_WARN_AGE.*/PASS_WARN_AGE 7/" /etc/login.defs


SSL Certificates and Keys

You may install a certificate for the Symantec Security Analytics or require that browsers have a certificate to access the web interface. A self-signed certificate and key are automatically included on the appliance with a new Security Analytics installation.

• Security Analytics 7.3.x uses TLS 1.2 only.
• Only HIGH ciphers are enabled by default, for both the web server and clients: HIGH:!MEDIUM:!LOW:!EXP:!3DES:!MD5:!aNULL:!eNULL:!NULL:@STRENGTH
• The following HIGH ciphers are available:
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-RSA-AES128-SHA256
  • DHE-RSA-AES256-GCM-SHA384
  • DHE-RSA-AES128-GCM-SHA256
  • DHE-RSA-AES256-SHA256
  • DHE-RSA-AES128-SHA256
  • AES256-GCM-SHA384
  • AES128-GCM-SHA256
  • AES256-SHA256
  • AES128-SHA256

• In Security Analytics 7.1.x and earlier, self-signed certificates used the SHA-1 algorithm and 1024-bit keys. A new installation of Security Analytics 7.3.2 comes with SHA-512 and 4096-bit keys.
• Upgrading to version 7.3.2 from 7.1.x or earlier does not overwrite the existing certificate or key.
• Change the supported client ciphers by editing /etc/environment and rebooting.

Security Best Practices

• Create a certificate to secure eth0 using a 2048-bit or stronger RSA keypair and a SHA-256 or stronger signature hash algorithm.
• Get a certificate that is signed by a trusted CA.
• Use SSL/TLS certificates.

Install a New Certificate and Key

Follow these steps to replace the existing certificate and key on Security Analytics.

All certificates must be PEM-formatted.


Step 1: Back Up the Current Certificate and Key

Before installing new certificates and keys, Symantec strongly recommends that you create a backup copy of the current certificate and key:

mkdir backup
cp /etc/pki/tls/private/localhost.key backup
cp /etc/pki/tls/certs/localhost.crt backup

Step 2: Obtain a New Certificate and Key

Use one of these methods to generate the certificate-signing request and its key:

• Using the web UI • Using the CLI

Step 2a: Using the Web UI

Generate a certificate-signing request from the web UI. On Settings > Security, scroll down to the bottom of the PKI and SSL section. Fill in these fields:

• Country Name — Two-letter country designator (ISO-3166-1 Alpha-2)
• State or Province Name — Spelled-out name of state or province
• Locality Name — City or town
• Organization Name — Company name
• Organizational Unit Name — Division or department
• Common Name — Domain name (CN) of the server
• Email Address — Contact email address

Click Download Certificate-Signing Request to save localhost.csr to your workstation. The corresponding key should remain on the appliance.

Send localhost.csr to a valid Certificate Authority. When the signed certificate is returned, go to Step 3.

Step 2b: Using the CLI

These commands generate a new key, certificate, and certificate-signing request (CSR) on the appliance that will be using the certificate, but they do not overwrite the appliance's current certificate and key.

Generate the new key:

openssl genrsa -out newKey.key [4096|2048]

Generate a certificate-signing request with that key:

openssl req -new -sha[512|256] -key newKey.key -out newCSR.csr


You will be prompted to provide the following information for the distinguished name (DN):

• Two-letter country code
• State or province name
• Locality (city) name
• Organization name
• Organizational unit name
• Your or your server's name (Common Name [CN])
• Email address

Generate a temporary self-signed certificate to use until you get the CA-signed certificate:

openssl req -x509 -sha[512|256] -days 365 -key newKey.key -in newCSR.csr -out newCert.crt

Copy the new key and temporary certificate to the proper locations:

/etc/pki/tls/private/localhost.key
/etc/pki/tls/certs/localhost.crt

Restart the web server to use the new certificate:

systemctl restart httpd

Export newCSR.csr to your workstation and send it to a CA to be signed.

Because of the security risk, Symantec strongly warns against copying a key off the device that will be using the key and its certificate.

Step 3: Install the CA-Signed Certificate

Use one of these methods to install the certificate:

• Using the web UI • Using the CLI

Step 3a: Using the web UI

Select Settings > Security and scroll down to PKI and SSL.

The temporary self-signed certificate for the appliance is displayed along with the key that you used to generate both the self-signed certificate and the CSR. localhost.localdomain and localhost.key are always the names of the certificate and key that are currently installed.


Click edit for Appliance Certificate to upload the CA-signed certificate. Click Save to apply the changes and restart the web server. Go to Additional Certificate Requirements.

Step 3b: Using the CLI

Follow these steps to install the certificate from the Security Analytics root directory.

If you use this method to install the certificate, you bypass audit and record-keeping controls — which might be in violation of your organization's security policy.

Copy the CA-signed certificate to the root directory. Overwrite the current certificate with the new certificate:

mv certificate.crt /etc/pki/tls/certs/localhost.crt

Restart the web server:

systemctl restart httpd

If you upload a key or certificate using the web UI and click Save, the internal HTTP server always restarts. If the key and certificate do not match, the web UI displays an error message; however, if you attempt to restart the HTTP server manually before both the key and its corresponding certificate have been installed, the web server will not restart.
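As an added example (not code from this guide or from Symantec), the following POSIX shell script performs the Step 2b key, CSR and temporary-certificate generation non-interactively and adds the check that the web UI makes on Save but the CLI path of Step 3b does not: that the certificate about to be installed belongs to the key on the appliance. The DN values and file names are constructed for the demo, and openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not code from the Security Analytics guide or Symantec.
# Generates key, CSR and temporary self-signed certificate as Step 2b does,
# then checks key/certificate agreement before anything is copied into
# /etc/pki/tls and httpd is restarted. Assumes: openssl on PATH.
set -eu

# gen_key_and_csr KEY CSR CN: RSA key plus a SHA-256 CSR; the DN is supplied
# with -subj instead of the interactive prompts the guide describes
# (constructed values, not an organisation's real DN).
gen_key_and_csr() {
  key=$1; csr=$2; cn=$3
  openssl genrsa -out "$key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$key" -out "$csr" \
    -subj "/C=US/ST=California/L=Mountain View/O=Example Org/OU=SecOps/CN=$cn"
}

# self_sign KEY CSR CRT: temporary self-signed certificate built from the CSR,
# to serve until the CA returns the signed one (the guide's interim step).
self_sign() {
  key=$1; csr=$2; crt=$3
  openssl req -x509 -sha256 -days 365 -key "$key" -in "$csr" -out "$crt" 2>/dev/null
}

# cert_matches_key CRT KEY: returns 0 when the public key embedded in CRT is
# the public half of KEY. Run this before "mv ... localhost.crt" and
# "systemctl restart httpd": with a mismatch the web server will not restart.
cert_matches_key() {
  crt=$1; key=$2
  cert_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_strength CRT: prints "<key bits> <signature algorithm>" so the
# certificate can be compared with the guide's 2048-bit / SHA-256-or-stronger
# best practice before it is installed.
cert_strength() {
  text=$(openssl x509 -in "$1" -noout -text)
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: \(.*\)$/\1/p' | head -n 1)
  echo "$bits $sig"
}

# Constructed demo run: everything lands in a scratch directory and nothing
# under /etc/pki/tls is touched. Invoke the script with "demo" as its argument.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  gen_key_and_csr "$d/newKey.key" "$d/newCSR.csr" sa.example.com
  self_sign "$d/newKey.key" "$d/newCSR.csr" "$d/newCert.crt"
  cert_strength "$d/newCert.crt"
  cert_matches_key "$d/newCert.crt" "$d/newKey.key" && echo "key and certificate match"
fi
```

Point cert_matches_key at the CA-signed certificate and /etc/pki/tls/private/localhost.key before the mv in Step 3b; a non-zero exit means the CA signed a CSR from a different key.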

Additional Certificate Requirements

As required by your organization's security policy, implement the following security measures that are available on Settings > Security > PKI and SSL.

Require that Browsers Present a Certificate to the Appliance

When you enable this feature, all web browsers that do not have a valid certificate from the Issuing Authority — including your workstation browser — will be prevented from accessing the web interface.

Select the Require Client Certificate to Access Web Interface check box. Two additional fields are displayed. Upload the certificate that validates client certificates to Issuing Authority's Certificate.

Specify the URL of the certificate revocation list (PEM, DER, or CRL format).


Certificate Revocation Checks for Blue Coat and Security Analytics Services

Settings > Security > PKI and SSL > Perform certificate revocation check for Blue Coat services

The certificate-revocation check is disabled by default in version 7.3.1 and later. Specify the URL for the certificate revocation list in the space provided. Security Analytics retrieves updates on the 1st and 16th of every month at 23:00. The services that are affected by this option are:

• Blue Coat Web Reputation Service
• Blue Coat File Reputation Service
• Syslog over TLS or TLS-FIPS

Require Client Certificate for Login Correlation

Do the following: Select the Require Client Certificate for Login Correlation Service check box. Additional fields are displayed. Upload the certificate that validates client certificates to Issuing Authority's Certificate.

Specify the URL of the certificate revocation list (PEM, DER, or CRL format).

Authenticate to an Internet Proxy

If your appliance connects to the Internet via an authenticated proxy, and the proxy has a certificate handshake for SSL traffic, add the additional CA certificate bundle using any of these methods:

Using the Web Interface

Select Settings > Security and go to the PKI and SSL section. For Additional Certificate Authority Bundle, click Browse to upload the certificate. Click Save to restart the web server.

Using the CLI

Copy the bundle to /etc/pki/ca-trust/source/anchors/ and then run

update-ca-trust

Reboot to apply changes.

Certificates Between CMCs and Sensors

If you have a CMC environment, you may set up one of the following scenarios:

• All sensors (clients) present a certificate to the CMCs (servers).
• All CMCs (clients) present a certificate to the sensors (servers).
• Both the CMCs and the sensors present certificates to each other. (Perform both server and client steps on all appliances.)

Server Role

On the appliance that requires the certificate (server role), do the following: Select Require Client Certificate to Access Web Interface. Additional fields are displayed.

When you enable this feature, all web browsers that do not have a valid certificate from the Issuing Authority — including your workstation browser — will be prevented from accessing the web interface.

Upload the certificate that validates client certificates to Issuing Authority's Certificate.

Specify the URL of the certificate revocation list (PEM, DER, or CRL format). Click Save to restart the web server.

Client Role

On the appliance that is required to present a certificate (client role), do one of the following:

• Select the Use Appliance Certificate as Client Certificate check box to use the appliance certificate for the client role. This option is valid only if the appliance certificate can function in both server and client roles.

When you select the Use Appliance Certificate as Client Certificate check box and click Save, the web interface will be refreshed and the check box will be cleared. The client table will display the Common Name and Fingerprint information from the appliance.

• Under Upload Separate Client Certificate and Key, do the following:

Click edit for Client Certificate to upload the PEM-formatted client certificate. Click edit for Client Certificate Key to upload the certificate's key. Click Save to restart the web server.


Security Analytics Ports and Protocols

Consult this table to configure your firewalls, according to the services that you have activated on your Symantec Security Analytics appliance. Configure the Security Analytics firewall on Settings > Security. Also see Data Enrichment in Dark Sites.

During the licensing and license-update procedures, the appliance will communicate with license.soleranetworks.com over TCP 443.

Inbound Connections to Security Analytics

Service | URL/IP | Ports | Comment
Central Management VPN | eth0 of CMC | TCP/UDP 1194 or as specified | All sensors must be able to access the CMC's eth0 over port 1194.
FTP File Mover | [as needed] | TCP/UDP 20, TCP/UDP 21 | Use port 21 for active mode. If you are not using FTP File Mover, you should delete the internal firewall rules that permit ftp-data through port 20.
HTTP | [none] | TCP/UDP 80 | All HTTP requests are automatically redirected to HTTPS. Symantec recommends that you delete the internal firewall rules that permit http through port 80.
HTTPS (1) | [none] | TCP/UDP 443 | Change the default on Settings > Security. All CMCs and their sensors must use the same HTTPS port.
SSH (1) | [none] | TCP 22 | The port can be changed on Settings > Security.

(1) Service is always used by Security Analytics.

Outbound Connections from Security Analytics

Service | URL/IP | Ports | Comment
Active Directory® | [none] | TCP/UDP 3268 | For LDAP authentication
Advanced Threat Protection (ATP) Manager (3) | [as needed] | TCP 443 |
Central Management VPN | eth0 of CMC | TCP/UDP 1194 or as specified | All sensors must be able to access the CMC's eth0 over port 1194.
ClamAV (1) | *.clamav.net | TCP 80 | Requires only HTTP access to update the signature database. Analysis is performed locally on the appliance.
Cuckoo (3) | [as needed] | TCP/UDP 8090 |
DeepSight (1,3) | sso.trm.symantec.com | TCP 443 |
DNS (2) | [as needed] | TCP/UDP 53 |
Domain Age Reporter (1,4) | [same as WHOIS] | [same as WHOIS] | The WHOIS settings also permit Domain Age Reporter traffic.
File Reputation Service (1,3) | *.es.bluecoat.com, 185.2.196.204, 8.28.16.233, 199.116.169.204, 103.246.38.204 | TCP 8443 | The URL for the File Reputation Service will usually be frs.es.bluecoat.com; Symantec recommends that you create a rule for all of the listed IP addresses. Future Engineering Services resources will also be provided from the *.es.bluecoat.com domain.
FireEye® (3) | [as needed] | [as needed] | AX-series is supported.
Google Safe Browsing® | sb-ssl.google.com | TCP 443 | Uses Internet connection from workstation.
Google® Search | google.com | TCP 443 | Uses Internet connection from workstation.
HTTP (2) | [none] | TCP/UDP 80 | Change the default on Settings > Security.
HTTPS (2) | [none] | TCP/UDP 443 | Change the default on Settings > Security. All CMCs and their sensors must use the same HTTPS port.
Intelligence Services (1,3) | — | — | See File Reputation Service and Web Reputation Service
ICAP (3) | [as needed] | TCP 1344 (plaintext) | Security Analytics does not support port 11344 for Content Analysis integration.
Lastline® (1,3) | analysis.lastline.com | TCP 443 |
LDAP authentication | [none] | TCP/UDP 389 |
Live-feed indicators | rules.emergingthreats.net:80, mirror1.malwaredomains.com:80, *.abuse.ch:443, isc.sans.edu:443 | TCP/UDP 80, TCP 443 |
Login Correlation Service | [none] | TCP 8843 | This port is used to communicate between the LCS and the agent's UI application. The Security Analytics firewall has a rule to accept this traffic.
Malware Analysis (3) | [as needed] | TCP/UDP 80, 443 |
NTP | [as needed] | UDP 123 |
OCSP requests | ocsp.entrust.net | TCP 80 | Various Security Analytics services use OCSP for certificate-chain validation.
RADIUS | [as needed] | UDP 1812, 1813 |
RobTex® (1) | robtex.com | TCP 80 | Uses Internet connection from workstation.
SANS ISC® (1) | isc.sans.edu | TCP 443 | Host and IP queries are transmitted over SSL.
SMTP | [as needed] | TCP 25 |
SNMP | [as needed] | TCP 161 (polling), TCP/UDP 162 (trap) |
SORBS DNSBL® (1) | dnsbl.sorbs.net | UDP 53 |
syslog | [as needed] | UDP 514 |
VirusTotal® (1,3) | www.virustotal.com | TCP 443 |
Web Reputation Service (1,3) | sp.cwfservice.net | TCP 443 |
Web Reputation Service (1,3) | list.bluecoat.com | TCP 443 | Used by the Web Reputation Service and ADM local database updates
WHOIS (1,4) | [as needed] | TCP 443 | The WHOIS lookup service will query different WHOIS servers based on the registry associated with the top-level domain of the target. Consult this authoritative list of WHOIS servers.

(1) Service requires Internet access. (2) Service is always used by Security Analytics. (3) Licensing for this service is the responsibility of the user. (4) Cannot be used behind a proxy.

Remote Access

Control how users and other network devices connect to and interact with the appliance.

Firewall Settings > Security

Security Best Practice If you are not using the FTP File Mover, delete the firewall rules that permit ftp-data through port 20.

• Enable Firewall — Select to enable and view the firewall.
• Configure Firewall — Click to modify the firewall.

• The icmp DROP rules in both the IPv4 and IPv6 firewalls apply to ICMP types 13, 14, and 128. Click Information to see the string for each rule. These types of rules cannot be edited nor can they be added via the web UI, because the web UI currently does not support all of the needed attributes. Symantec recommends that you not delete these rules.

• The default ACCEPT rule before the last default DROP rule specifies ESTABLISHED,RELATED in the State field to allow incoming traffic on the connections that Security Analytics initiated.

To add a new rule, follow these steps:

Click New Rule.

All values are case-sensitive.

For Interface, enter the interface name: eth0, tun+, and lo are some of the acceptable values. Leave blank for ANY.
For Protocol, enter the protocol in lower-case: udp, tcp, icmp, ssh. Leave blank for ANY.
For Source Address and Port, enter the IP address, IPv4 network in CIDR notation, or MAC address. Leave blank for ANY.
For Destination Address and Port, enter the IP address, IPv4 network in CIDR notation, or MAC address. Leave blank for ANY.
Optional — For State, specify one of the following connection states: NEW, ESTABLISHED, RELATED, INVALID.
For Policy, specify the action to take: ACCEPT, DROP, QUEUE, RETURN, or other valid iptables policy.
Optional — For Comment, add a comment in printable ASCII characters.
Click OK. The rule is displayed at the bottom of the list.
Optional — Click and drag the rule to its desired position.

The word Modified in the upper-right corner of the interface indicates that neither the new rule nor the rule order have been saved.

Optional — Click Revert Changes to return to the last-saved version of the firewall or click Restore Defaults to return to the factory-installed rule set. When you are satisfied with the rule set, scroll to the bottom of the page and click Save.

Web Access

Settings > Security

These settings affect how users access the appliance via the web interface.

Security Best Practices

• Set the Maximum Login Attempts to no more than 3.
• Set the Unsuccessful Login Timeout to at least 1200 seconds.

You can also use the scm tally commands in the CLI for some of these settings. (Consult the Security Analytics 7.3.x Reference Guide on support.symantec.com.)

• Maximum Login Attempts — Specify the number of login failures before an account is disabled. Default: 3
• Unsuccessful Login Timeout (Seconds) — Specify the number of seconds that elapse before a disabled account is automatically enabled. To prevent accounts from being automatically enabled, enter 0 (zero) or leave the field blank. Default: 1200
• Maximum Concurrent Sessions — Specify the number of sessions that can access the appliance at the same time. Default: 10
• Require HTTPS — Select to require that users access the appliance via HTTPS.

• When an account is disabled by failed login attempts, you can re-enable it in one of these ways:

  ° Wait for the interval in Unsuccessful Login Timeout to expire.
  ° Access the user account on Settings > Users and Groups and clear the Account Disabled check box.
  ° With root access on the CLI, run scm tally.

• Users are not notified that their accounts have been disabled by unsuccessful login attempts.

• The root account for the CLI is not disabled after reaching the maximum number of unsuccessful logins.

Web Access Ports

Security Best Practice

• To prevent malicious access on ports that aren't being used, disable unused ports.
• Symantec recommends that you disable port 80 by deleting its entry in the firewall tables, because Security Analytics automatically redirects all inbound HTTP requests to HTTPS.
• See the complete list of ports and protocols that Security Analytics uses in the Security Analytics 7.3.x Reference Guide on support.symantec.com.

• HTTP Port — Type an integer for the new HTTP port number.
• HTTPS Port — Type an integer for the new HTTPS port number.

BEFORE you change any web-access port number, you must add a corresponding rule to the firewall. If you are locked out, you must edit /etc/sysconfig/httpd and run systemctl restart httpd to regain access to the web UI.

All CMCs and their sensors must use the same port number for HTTPS.

Click Restore Defaults to reset as follows:

• Maximum Login Attempts — 3
• Unsuccessful Login Timeout — 1200
• Maximum Concurrent Sessions — 10
• Require HTTPS — Enabled
• HTTP Port — 80
• HTTPS Port — 443

SSH Access

Settings > Security

Security Best Practice

• Disable root access via SSH.
• If you disable SSH root logins, be sure to review log files for root logins and activity.

• Allow SSH Access — Select to permit access to this appliance via SSH.
• SSH Port — Type an integer for the new SSH port number.
• Restore Defaults — Click to restore the SSH port to 22.
• The timeout value for the web interface also controls the SSH/console timeout.

Also see SSH Authentication and how to Disable SSH Root Logins. (Consult the Security Analytics 7.3.x Reference Guide on support.symantec.com.)

Ping (ICMP)

Settings > Security

Security Best Practice

• Do not enable ping response except to test a deployment.
• Enable "ignore broadcast requests."

• Respond to Pings (ICMP) — Select to permit this appliance to respond to ICMP (ping) requests on the management interface (eth0).

Because the capture interfaces do not have an IP stack, they cannot be assigned an IP address and therefore cannot be pinged.

To enable "ignore broadcast requests" follow these steps:

Log in to the console as root. Run these commands:

[root@hostname ~]# /sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
[root@hostname ~]# /sbin/sysctl -w net.ipv4.route.flush=1
[root@hostname ~]# /bin/ed /etc/sysctl.conf << END
g/^net\.ipv4\.icmp_echo_ignore_broadcasts.*=/d
\$a
net.ipv4.icmp_echo_ignore_broadcasts = 1
.
wq
END

The ed script deletes any existing net.ipv4.icmp_echo_ignore_broadcasts line from /etc/sysctl.conf and appends the new setting at the end of the file, so the setting survives a reboot; the two sysctl -w commands apply it to the running kernel immediately.

Web Interface Settings

Settings > Web Interface

Inactivity Timeout

• Maximum time of inactivity before logout — Select the desired interval. The timeout value for the current browser session is updated immediately. The timeout value for other active browser sessions will not be updated until the page is changed or refreshed.

Security Best Practice Set the inactivity timeout to 10 minutes or less.

HTML Preview

• Enable External HTML Elements Preview — Select to permit the Web page preview function to retrieve external images, style sheets, and scripts from the Internet. When this feature is disabled, you can view only images and style sheets that are already written to the capture drive.

Anonymous Usage Tracking

• Enable Anonymous Usage Tracking — Select to permit your appliance to send the following data to Symantec:

  o Randomly unique identifier that is not tied to any known information
  o Public IP address of the appliance
  o Country and city of the appliance
  o Version, build, and model number
  o User ID
  o Browser type and version
  o Time in use
  o Pages accessed and actions taken
  o Time to generate reports and extractions
  o Query attributes used (not values)
  o Widgets in use
  o Number of indicators, rules, PCAPs, replays, filters


Global Intelligence Network Feedback

• Enable GIN Feedback — Select to send details about EXE and DLL detonation to the Blue Coat Global Intelligence Network to share with other GIN users. This setting is valid only in conjunction with the Malware Analysis appliance.

Message of the Day

Add custom text to the system login screen and the CLI.

• Message of the Day — Type the text in the space available:
  o Limit of 5000 characters (including formatting).
  o The only supported HTML tags are B and U.

Allowed Referrers

• Allowed Referrers — Type the hostname or IP address of a host that is allowed to link back to this appliance.

SSH Authentication

Also see Disable SSH Root Logins and SSH Access. Security Analytics does not support versions of PuTTY earlier than 0.67. To set up SSH public-key authentication between a Security Analytics appliance and a client, follow these steps:

Generate the SSH key on the client.

As root or admin, create the .ssh directory on the Security Analytics appliance. Note the leading dot in the directory name.

mkdir .ssh

Open the authorized_keys file for editing. You cannot cd into this directory; you must directly open the file in an editor.

vi .ssh/authorized_keys

Paste the public key from the client. Save and exit the file.

Using ssh-copy-id to modify .ssh/authorized_keys is not supported.

Generate an SSH Key for Data Enrichment Providers

Follow these instructions to set up SSH authentication between the data-enrichment ("tonic") user on the Security Analytics appliance and a remote server, such as the SCP File Mover integration provider, and all external providers while in FIPS mode.


Log on to the Security Analytics appliance as the superuser (root). Create the SSH key directory for the tonic user:

[root@hostname ~] mkdir -p ~tonic/.ssh

Create an SSH key in the directory. When prompted for a passphrase, press Enter twice. (Do not create a passphrase.)

[root@hostname ~] cd ~tonic/.ssh
[root@hostname .ssh] ssh-keygen -t rsa -f id_rsa

You do not need to save the fingerprint or randomart image. Verify that id_rsa and id_rsa.pub were created.

[root@hostname .ssh] ll

Establish correct ownership and permissions for the key directory and files. Note the leading dot on the directory name.

[root@hostname .ssh] cd ..
[root@hostname tonic] chmod 700 .ssh
[root@hostname tonic] chown -R tonic:tonic .ssh

As the tonic user, copy the public key from the appliance to the remote user account that will be receiving artifacts. If the remote system runs Linux, use this command:

[root@hostname tonic] sudo -u tonic ssh-copy-id -i ~tonic/.ssh/id_rsa.pub @

Verify that the remote host key file (known_hosts) was created in tonic's SSH directory:

[root@hostname tonic] ls ~tonic/.ssh

Verify the key setup by attempting a manual file transfer as the tonic user; for example:

[root@hostname tonic] echo "test" > /tmp/test
[root@hostname tonic] chmod a+r /tmp/test
[root@hostname tonic] sudo -u tonic scp -B /tmp/test @:


Disable SSH Root Logins

Security Best Practice

• Disable root access via SSH.
• If you disable SSH root logins, be sure to review log files for root logins and activity.

This procedure disables root access over SSH connections but preserves root access via console. Edit the sshd_config file:

[root@hostname ~]# vi /etc/ssh/sshd_config

Uncomment the line #PermitRootLogin yes and set the value to no:

PermitRootLogin no

Save and exit sshd_config. Restart the SSH daemon to apply the changes:

[root@hostname ~]# service sshd restart (v 7.3.1)
[root@hostname ~]# systemctl restart sshd (v 7.3.2)

To disable the root account entirely, append /settings/initial_config to the appliance's IP address or hostname in the address bar of the browser. Under Root Password, select Lock Root Account.
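The PASS_WARN_AGE sed command under Passwords, the sysctl.conf ed script under Ping (ICMP), and the PermitRootLogin edit above are all the same operation: set one key in a configuration file without leaving a stale, commented-out or duplicate definition behind. The helper below is an added example (not code from this guide or from Symantec) that generalizes the three edits; it uses only POSIX sh and awk, and the file paths are parameters so it can be rehearsed on copies before the real files are touched.

```shell
#!/bin/sh
# Added example, not code from the Security Analytics guide or Symantec.
# Idempotent "set KEY to VALUE" for the config files the guide edits by hand
# or with one-off sed/ed commands: /etc/login.defs (PASS_WARN_AGE),
# /etc/ssh/sshd_config (PermitRootLogin), /etc/sysctl.conf
# (net.ipv4.icmp_echo_ignore_broadcasts). Assumes POSIX sh, awk and mktemp.
set -eu

# set_conf_key FILE KEY VALUE STYLE
#   STYLE is "space" for "KEY VALUE" files (login.defs, sshd_config) or
#   "equals" for "KEY = VALUE" files (sysctl.conf).
#   The first active or commented definition of KEY is replaced in place, so an
#   sshd_config directive keeps its position above any Match block; later
#   duplicates are dropped; the line is appended only if KEY was never present.
set_conf_key() {
  file=$1; key=$2; value=$3; style=$4
  case $style in
    space)  line="$key $value" ;;
    equals) line="$key = $value" ;;
    *)      echo "set_conf_key: unknown style '$style'" >&2; return 2 ;;
  esac
  tmp=$(mktemp)
  awk -v key="$key" -v line="$line" '
    {
      s = $0
      sub(/^[# \t]*/, "", s)                 # ignore leading "#" and blanks
      if (substr(s, 1, length(key)) == key) {
        rest = substr(s, length(key) + 1)
        if (rest ~ /^[ \t=]/) {              # KEY followed by blank or "="
          if (!done) { print line; done = 1 }
          next                               # drop any further copies
        }
      }
      print
    }
    END { if (!done) print line }
  ' "$file" > "$tmp"
  cat "$tmp" > "$file"                        # keep the original inode and mode
  rm -f "$tmp"
}

# get_conf_key FILE KEY
#   Prints the value of the first active (uncommented) definition of KEY with
#   the separator and surrounding blanks stripped; prints nothing if KEY is
#   unset or present only in a comment.
get_conf_key() {
  file=$1; key=$2
  awk -v key="$key" '
    /^[ \t]*#/ { next }
    {
      s = $0; sub(/^[ \t]*/, "", s)
      if (substr(s, 1, length(key)) == key) {
        rest = substr(s, length(key) + 1)
        if (rest ~ /^[ \t=]/) {
          sub(/^[ \t]*=?[ \t]*/, "", rest); sub(/[ \t]+$/, "", rest)
          print rest; exit
        }
      }
    }
  ' "$file"
}

# Constructed demo on a scratch copy, never on the live sshd_config.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  printf '#PermitRootLogin yes\nX11Forwarding no\n' > "$d/sshd_config"
  set_conf_key "$d/sshd_config" PermitRootLogin no space
  get_conf_key "$d/sshd_config" PermitRootLogin     # prints: no
fi
```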

WARNING! You cannot re-enable the root account unless you have console access to the appliance, and then you will have to contact Symantec Support for assistance.


MD5-Encrypted Password for Bootloader

This page applies only to Dell-based hardware.

Security Best Practice

Password-protect the bootloader.
• Security Analytics 7.3.1 supports MD5-hashed or cleartext passwords for the bootloader. MD5 hashing is recommended over cleartext.
• Security Analytics 7.3.2 and later does not support the MD5 hashing command.

Version 7.3.2 and later

Use the grub2-setpassword utility:

[root@hostname ~]# grub2-setpassword
Enter password:
Confirm password:

Follow best key-maintenance practices by manually recording this password and keeping a copy in a secure location that is separate from the appliance.

When attempting to edit the grub menu the credentials are root and the grub password. Do not use the root system password here.

Enter Username: root
Enter Password:

Version 7.3.1

Generate an MD5-encrypted password:

openssl passwd -1 -salt `openssl rand -base64 16`

You are prompted to provide a password.

Follow best key-maintenance practices by manually recording this password and keeping a copy in a secure location that is separate from the appliance.

Copy the output value, which is the MD5 hash of the password. Open /boot/grub/grub.conf. Before the splashimage parameter add the following line:

default=0
timeout=5
password --md5          <== Insert this line here.
splashimage=(hd0,0)/grub/solera-bootsplash.xpm.gz
hiddenmenu

After --md5, paste the MD5-hashed password. (For a cleartext password, omit --md5.) Save and exit grub.conf.

You can perform Steps 1–7 with this one command if no password line exists in grub.conf.

NEWPASS=$(openssl passwd -1 -salt "$(openssl rand -base64 16)") && sed -i "13ipassword --md5 $NEWPASS" /boot/grub/grub.conf && NEWPASS=""

The sed expression inserts the password line before line 13 of grub.conf (the line that holds splashimage in the default file); clearing NEWPASS afterwards removes the hash from the shell environment.

Federal Information Processing Standards

On 7 Feb 2017, Symantec Security Analytics 7.2.3 completed FIPS 140-2 Level 2 Functional Testing on Symantec S500 hardware.

Entering FIPS Mode

Entering FIPS mode is a destructive process. Many services such as remote notification will have to be reconfigured.

Prior to entering FIPS mode, verify that your appliance's system clock is accurate and that NTP is enabled.

To enter FIPS mode: Go to Settings > Security and scroll to the bottom of the page. Select Toggle FIPS mode and click Save. The appliance reboots. During this reboot, the appliance undergoes the following changes:

• All configuration files are archived.
• All TLS and SSH keys are zeroized and reset.
• User passwords are reset to the default (Solera).
• Enhanced random number generator requirements increase the boot time by about 1 minute.


If any FIPS-mode conversions are not successful, the appliance will halt in an error state; no input or output is permitted, and the process of entering FIPS mode will be reversed.

While in FIPS mode the following conditions are true:

• Because all TLS keys were zeroized and reset, all certificates, keys and certificate authority bundles must be re-uploaded to the appliance.
• All remote-notification methods require mutual authentication.
• Booting directly from a USB is disabled.
• Unauthorized or unvalidated algorithms such as MD5 cannot be used.
• The root account is disabled. (Many functions have been transferred to the admin account.)
• RPM and YUM are disabled.
• System software cannot be upgraded.

Exiting FIPS Mode

Exiting FIPS mode is a destructive process. Many services such as remote notification will have to be reconfigured.

To exit FIPS mode:
Go to Settings > Security and scroll to the bottom of the page.
Clear Toggle FIPS mode and click Save.
The appliance reboots. During this reboot, the appliance undergoes the following changes:
• All configuration files are archived.
• All TLS and SSH keys are zeroized and reset.
• User passwords are reset to the default (Solera).


Maintenance

This section includes the following topics:

• Logging
• Remote Notifications
• System Alerts
• Software Upgrades
• Licensing
• All Settings
o Network Settings
o System Date and Time
• Statistics
• Drive-Space Management
• Reboot or Shut Down


Logging and Communication

Symantec Security Analytics communication consists of logging, alerts, SNMP, and remote notifications.

Security Best Practice
For highest security when sending the audit log data, make sure to use the following settings when configuring the servers on Settings > Communication > Server Settings:
• Email — Enable Use STARTTLS. This setting upgrades an insecure connection to a secure connection using SSL or TLS. It does not encrypt the email content.
• SNMP — Select the Enable Authentication check box for Inform and/or Trap servers to enable SNMPv3.
• Syslog — Send encrypted syslog messages over TLS or TLS-FIPS.

Logging

For each event, the logs record the date and time of the event as well as the priority and the category.

You can also use the dslogdump command in the CLI for these settings. (Consult the Security Analytics Reference Guide on support.symantec.com.)

Audit Log
Settings > Audit Log

• Click Download Log to download the audit log as a comma-delimited file.

Security Best Practice
To securely download the CSV log file, verify that you are logged into the web UI over HTTPS.

• Use the advanced filter to search the logs by priority, category, or event.

To specify which event categories to display in the audit log, go to Settings > Communication > Advanced and select the Local check box for the category.

Event Categories

• Alert Events — Alerts cleared
• Anomaly Events — Anomaly detected
• Capture Events — Stop or start capture; add, modify, or remove capture filters; PCAP import started and stopped; mount points added, modified, or deleted; interfaces aggregated or separated; Capture > Summary page viewed
• Enrichment Events — Modifications on the Settings > Data Enrichment page, such as providers activated or deactivated; providers added, modified, or deleted; manual Web Reputation Service updates and settings changes, IP or hostname exclusion lists, file-type filter modifications
• Hardware Events — Power supply status, chassis fan status, disk status
• Indexing Events — Reindexing and reprocessing jobs created, stopped, or completed
• Indicator Events — Indicators created, modified, or deleted
• Miscellaneous — Modifications to the Settings > Security, Settings > System, Settings > Communication, and Settings > Central Management pages
• Playback Events — Playback started or stopped
• Report Events — Reports created, stopped, viewed, or deleted; extractions created, stopped, or viewed; scheduled reports created, modified, or deleted; communication templates created, modified, or deleted; PDF or CSV report generated or downloaded; report PCAP downloaded
• Rule Events — Rules activated, created, modified, or deleted
• System Events — Insufficient disk space, program segfaults, changes to Settings > Date/Time and Settings > Network pages, Malware Analysis appliance health
• Unclassified — Currently no messages
• User Events — Users and user groups created, modified, or deleted; user login success or failure, user logout

System Logs

From the CLI, you can access two additional logs:

• /var/log/audit/audit.log — User-initiated events written by auditd
• /var/log/messages — System events from all components

Email Alerts

You can also use the dslc command in the CLI for many of these settings. (Consult the Security Analytics Reference Guide on support.symantec.com.)

Security Analytics can send email alerts to any standard email address, either directly or through an SMTP server gateway. Configuring the email settings will automatically send outbound emails for log entries to one or more email addresses. You can specify any email address you prefer in the From field.

Security Analytics uses the sendmail application and must therefore have Internet access to send a message to an external email address. You can also configure the appliance to point to an internal SMTP server; however, that SMTP server must be set up to relay email from the Security Analytics appliance.

Select Settings > Communication > Server Settings.


For To, type at least one valid email address. Separate multiple email addresses with a comma.
For From, type the email address to be displayed in the From field. This field is required if you plan to run scheduled reports or the Risk and Visibility Report.
For SMTP Server and SMTP Port, type the server IP address or hostname and its port number.
Does the SMTP server require authentication?
• Yes — For Username and Password, type the credentials for SMTP server access.
• No — Select the No authentication required check box.
Select the Use STARTTLS check box if the SMTP server requires it.
For Default Email Address, type the email address that will be used whenever no email address is specified for an Alert.
Click the Advanced tab. Under Remote Notifications, select the Email check box for the desired event categories and click Save.

SNMP Settings

You can also use the dslc command in the CLI for many of these settings. (Consult the Security Analytics Reference Guide on support.symantec.com.)

Security Best Practice
Enable SNMPv3 to prevent unauthorized users from monitoring the appliance.

By default, the appliance will respond to incoming public queries from external SNMP devices. Security Analytics can be configured to send SNMP traps and inform messages to external SNMP servers. SNMP traps are error messages that do not require acknowledgement of receipt; SNMP informs require that the receiving server send back an acknowledgement.

• You can specify the same server to receive both trap and inform messages.
• Security Analytics supports only SHA for authentication and AES for privacy.

Any special character — including a space — that is entered in these SNMP fields will be converted to an underscore (_). The exception is the @ character, which will be left as-is.


Select Settings > Communication > Server Settings and scroll down to SNMP Settings.
Under Polling, configure these settings:
• Optional — Select Enable Polling.
o Type the read-only username and read-only community name in the spaces provided, or accept the default (public).
• Optional — Select Enable Authentication.
o Specify the authentication and privacy-encryption passwords.
Under Trap, configure these settings:
• Specify the name for the trap community.
• Specify the inform and trap server settings.
• Optional — Select Enable Authentication.
o Specify the read-only username and the authentication and privacy-encryption passwords.
Optional — Select Enable Authtrap.
Click Save.
Click the Advanced tab. Under Remote Notifications, enable the SNMP check box for the desired event categories and click Save.

Syslog Settings

Syslog records information about the operation of a computer or computer-related device. Syslog messages can be sent to an external syslog server.

You can also use the dslc command in the CLI for many of these settings. (Consult the Security Analytics 7.3.x Reference Guide on support.symantec.com.)

Select Settings > Communication > Server Settings and scroll down to Syslog Settings.
Optional — If multiple syslog messages are issued simultaneously, select the Enable Coalescing check box to group the messages before they are sent. This setting applies to all syslog servers.
For Syslog facility, select one of the following:

Kernel, User, Mail, Daemon, Auth, syslog, LPR, News, UUCP, Cron, AuthPriv, FTP, Local Use 0–7

For Syslog Servers, type the hostname or IP address and port number.


Select one of four protocols to use for syslog:

• TCP
• TLS
• UDP
• TLS-FIPS

Syslog uses the certificate-revocation list that is configured on Settings > Security > PKI and SSL. Security Analytics updates the list on the 1st and 16th of every month at 23:00.

To have multiple syslog servers use the same facility, click add a new host.

To set up a many-to-many relationship among syslog servers and facilities, use dslc add syslog server . Each server entry will be visible on the web interface but the facility that is associated with each entry will not be visible at this time. Run dslc show syslog to see the facilities that are associated with each server. (Consult the Security Analytics 7.3.x Reference Guide on support.symantec.com.)

Click Save. Click the Advanced tab. Under Remote Notifications, enable the Remote Syslog check box for the desired event categories and click Save.

Communication Settings

Import Settings

Use the dslc import command in the CLI for these same settings. (Consult the Security Analytics 7.3.x Reference Guide on support.symantec.com.)

Select an existing communication configuration file and apply those settings to your Security Analytics appliance.

Importing settings is valid only for transferring configurations between the same models of hardware; for example, from one Dell R730xd to another Dell R730xd.

Select Settings > Communication > Advanced.
Under Import/Export Communication Settings, click Browse.
Locate and select a settings file, e.g., logging_config.dat, and click Open. The New Settings File box shows the path to the selected file.
Click Import Communication Settings.


Your existing settings will immediately be overwritten, and — unless you had previously exported them — will not be recoverable.

Export Settings

You can export your current communication settings to view them or to import to an identical hardware model of appliance.

Do not modify the text file in an attempt to modify the settings.

• Select Settings > Communication > Advanced.
• Under Import/Export Communication Settings, click Export Settings. This saves your settings file as logging_config.dat.

Export Log Entries

Click Download to save the log as a CSV file.

Security Best Practice
To securely download the CSV log file, verify that you are logged into the web UI over HTTPS.

MIB Files

Security Analytics supports remote logging via SNMP and syslog. To use SNMP logging, you must export the MIB and install it on your SNMP system.

Do not modify the MIB text in an attempt to modify the settings.

Select Settings > Communication > Advanced.
Under Download SNMP MIB, click Download MIB to save mibfiles.zip in your local downloads directory. This archive contains these files:
o SOLERA-AGENT-MIB.mib
o SOLERA-SMI-MIB.mib

Resetting System Logs

Once the log files have been cleared, the information that was in them cannot be recovered.

Select Settings > Communication > Advanced.
Under Reset Log, click Clear Log Entries. This deletes all audit log entries.


Use the dslc factory command in the CLI to restore the logging system to its default settings. (Consult the Security Analytics 7.3.x Reference Guide on support.symantec.com.)

Remote Notifications

With the remote notifications feature, you can customize the alert notifications that the system sends to configured SNMP, SMTP, and syslog servers.

Create a Template

Create one or more templates and customize the format.
Select Settings > Communication > Templates.
• Several preconfigured templates are already present on this page. They cannot be edited or deleted.
Click New. The New Template dialog is displayed.
For Template Name, specify a name.
For Type, select SNMP, SMTP, or syslog.
• If you selected SMTP, type the Subject Line for the email message.
For Available Fields, select the fields to include in the template. The fields correspond to the primary filter attributes plus Flow Timestamp, which is start_time="". Use the up and down arrows to put the fields in the desired order.
For Delimiter, select which character to put between the fields.
The Template Output Characters field displays the template and counts the characters. This field is not editable.
Click Save.
These templates are available in the Rules dialog boxes (Create, Edit) under Remote Notifications. When you select a remote notification type, a drop-down list is displayed with the available templates.

Default Template Output

The default templates cannot be edited. To include other attributes, create a new template. The default output is as follows:

CEF

CEF syslog messages conform to ArcSight CEF version 17.

CEF:0|||||||src= spt= dst= dpt= start= end= smac= dmac= msg="Rule: '' was triggered by indicator: ''"

File Reputation

File reputation syslog messages are semicolon-delimited.

mime_type="";file_type="";filename="";application_id="";md5="";sha1="";sha256_hash="";ipv4_initiator="";ipv4_responder="";ipv6_initiator="";ipv6_responder="";ip_protocol="";port_initiator="";port_responder="";http_uri="";

Sandboxing Malware Analysis

Sandboxing Malware Analysis syslog messages are semicolon-delimited.

mime_type="";file_type="";filename="";application_id="";md5="";sha1="";sha256_hash="";ipv4_initiator="";ipv4_responder="";ipv6_initiator="";ipv6_responder="";ip_protocol="";port_initiator="";port_responder="";maa_report="";http_uri="";

SMTP

SMTP messages are tab-delimited.

ipv4_initiator=→port_initiator=→ipv4_responder=→port_responder=→start_time=

SNMP

SNMP messages are pipe-delimited.

ipv4_initiator=|port_initiator=|ipv4_responder=|port_responder=|start_time=

Web Reputation

Web reputation syslog messages are semicolon-delimited.

http_uri="";mime_type="";application_id="";ip_protocol="";ipv4_initiator="";ipv4_responder="";ipv6_initiator="";ipv6_responder="";port_initiator="";port_responder="";
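The following parser is an added example, not part of the guide, for ingesting the default template output above into a SIEM or script: it handles the semicolon-delimited key="value" syslog form, the tab-delimited SMTP and pipe-delimited SNMP forms, and CEF records, and normalizes the initiator/responder endpoints from the ipv4_/ipv6_ attribute pairs. The sample messages are constructed, not captured from an appliance, and the md5 value is a placeholder.

```python
import re

# Delimiter styles used by the default templates (regexes are this example's own).
_QUOTED_PAIR = re.compile(r'(\w+)="(.*?)"(?:;|$)')      # key="value"; ... (syslog)
_CEF_PIPE = re.compile(r'(?<!\\)\|')                    # unescaped CEF header separator
_CEF_EXT_PAIR = re.compile(r'(\w+)=(.*?)(?=\s\w+=|$)')  # key=value key=value (extension)


def parse_semicolon_syslog(line):
    """File Reputation, Sandboxing and Web Reputation defaults: key="value";...
    A value runs to the closing quote that precedes ';' or end of line, so a ';'
    inside a filename or http_uri does not split the record."""
    return dict(_QUOTED_PAIR.findall(line.strip()))


def parse_delimited(line, delimiter):
    """SMTP (tab) and SNMP (pipe) defaults: unquoted key=value pairs."""
    fields = {}
    for pair in line.rstrip("\r\n").split(delimiter):
        key, sep, value = pair.partition("=")
        if sep:
            fields[key] = value
    return fields


def parse_cef(line):
    """CEF:0|vendor|product|version|signature_id|name|severity|extension.
    Returns {'header': {...}, 'extension': {...}}; quotes around msg are dropped."""
    parts = _CEF_PIPE.split(line.strip(), maxsplit=7)
    if len(parts) != 8 or parts[0] != "CEF:0":
        raise ValueError("not a CEF:0 record")
    names = ("vendor", "product", "version", "signature_id", "name", "severity")
    header = dict(zip(names, parts[1:7]))
    extension = {k: v.strip('"') for k, v in _CEF_EXT_PAIR.findall(parts[7])}
    return {"header": header, "extension": extension}


def parse_notification(line):
    """Detect which default template produced the line and parse it.
    Returns (kind, fields) where kind is 'cef', 'smtp', 'syslog' or 'snmp'."""
    if line.startswith("CEF:"):
        return "cef", parse_cef(line)
    if "\t" in line:                      # SMTP default is tab-delimited
        return "smtp", parse_delimited(line, "\t")
    if '="' in line:                      # quoted values: semicolon syslog defaults
        return "syslog", parse_semicolon_syslog(line)
    if "|" in line:                       # SNMP default is pipe-delimited
        return "snmp", parse_delimited(line, "|")
    raise ValueError("unrecognised notification format")


def flow_endpoints(fields):
    """Return (initiator, responder) as 'ip:port'. The templates carry both the
    ipv4_* and ipv6_* attributes and leave the unused family empty, so prefer
    whichever is populated; IPv6 addresses are bracketed."""
    def pick(side):
        ip = fields.get("ipv4_" + side) or fields.get("ipv6_" + side) or "?"
        if ":" in ip:
            ip = "[" + ip + "]"
        return ip + ":" + fields.get("port_" + side, "?")
    return pick("initiator"), pick("responder")


# Constructed sample messages (not captured from an appliance), shaped like the
# default template output documented above; the md5 value is a placeholder.
SAMPLE_FILE_REP = (
    'mime_type="application/x-dosexec";file_type="exe";filename="setup;v2.exe";'
    'application_id="http";md5="0123456789abcdef0123456789abcdef";sha1="";'
    'sha256_hash="";ipv4_initiator="10.0.0.5";ipv4_responder="203.0.113.7";'
    'ipv6_initiator="";ipv6_responder="";ip_protocol="6";port_initiator="51234";'
    'port_responder="80";http_uri="/downloads/setup.exe";'
)
SAMPLE_SMTP = ("ipv4_initiator=10.0.0.5\tport_initiator=51234\tipv4_responder=203.0.113.7"
               "\tport_responder=443\tstart_time=2019-05-13 10:15:00")
SAMPLE_SNMP = SAMPLE_SMTP.replace("\t", "|")
SAMPLE_CEF = ("CEF:0|||||||src=10.0.0.5 spt=51234 dst=203.0.113.7 dpt=443 "
              "start=1557742500 end=1557742530 smac=00:11:22:33:44:55 "
              "dmac=66:77:88:99:aa:bb "
              "msg=\"Rule: 'watchlist' was triggered by indicator: 'example'\"")

if __name__ == "__main__":
    for sample in (SAMPLE_FILE_REP, SAMPLE_SMTP, SAMPLE_SNMP, SAMPLE_CEF):
        kind, fields = parse_notification(sample)
        print(kind, fields)
    print(flow_endpoints(parse_notification(SAMPLE_FILE_REP)[1]))
```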


System Alerts

System alerts (also called "notifications") are displayed in the upper-right corner of the web UI.

Click a notification to go to the corresponding audit-log message. Once you click through to the message, the notification should be cleared.

File-System Notifications

Notifications are generated when file systems reach 80% of capacity:

• / (root)
• /tmp
• /home/apache
• /ds
• /var

See Drive-Space Management for instructions on clearing disk space.

System-Critical Notifications

When the file systems are nearly full or when other system-critical conditions occur — such as when database migration during an upgrade from 7.1.x fails — a prominent alert is displayed along the top of the web UI. To clear such an alert, you must contact Symantec Support.


Software Upgrades

To upgrade Symantec Security Analytics, you must have a link to an upgrade server, and then you must download the new image from the upgrade server, initiate the upgrade, and reboot. See Also: Upgrade from an ISO in the Security Analytics Reference Guide on support.symantec.com.

Add an Upgrade Server

During the licensing procedure for the appliance, the upgrade server upgrade.soleranetworks.com should have been added to the Upgrade Servers list. If there is no entry in the Upgrade Servers list, follow these steps to add the upgrade server manually.
Select Settings > Upgrade. The Upgrade Servers page is displayed.
Click New. The Add Upgrade Server dialog box is displayed.
For Protocol, select https.

• When you select https you can also enable the Validate SSL/TLS Certificate check box. The certificate validation takes place as follows:
o upgrade.soleranetworks.com — If the Perform certificate revocation check for Blue Coat services check box is enabled on Settings > Security > PKI and SSL, the server's certificate is validated against the appliance's local Certificate Authority bundle, and an OCSP verification is performed for all issuing authorities. If the Perform certificate revocation check for Blue Coat services check box is disabled, the OCSP verification is not performed.
o Custom upgrade server over HTTPS — The remote certificate is validated against the appliance's local Certificate Authority bundle. (There is no OCSP or CRL check.)
o Custom upgrade server over HTTP — No certificate validation is performed; however, the upgrade file is encrypted with a private key, so the file can be decrypted only with the appliance's public key.
To add the upgrade server, follow these steps:
For Host, type upgrade.soleranetworks.com
For Path, type /upgrades/


Under Login Information, type the credentials to access the upgrade server. The username and password are your license key.

To add a different upgrade server, specify the hostname and file path for the manifest.xml file on that server. Add login credentials, as necessary.
Click Save. The server is added to the list of available upgrade servers.

Upgrade Security Analytics

Select Settings > Upgrade. The Upgrade Servers page is displayed.
For the desired upgrade server, click Upgrade from Server.
Select the upgrade version and click Download Upgrade.
When the download is complete, click Initiate Upgrade. The new image is downloaded, verified, and unpacked.
When prompted, click Reboot. The system restarts, and the new image is installed.

• The system will continue to operate normally until you click Reboot. During the reboot/upgrade, all capture and logging are suspended.
• The upgrade may take as long as 30 to 45 minutes, depending on your configuration.
• When the upgrade is complete, the system will automatically resume capture and logging.

When you log in again, verify that you are using the upgraded version by placing your cursor over the Symantec logo.


Licensing

During initial configuration, you are presented with the license dialog, where you must install a license before you can continue. To update or change a license, follow these steps:
Contact Symantec Support to purchase the renewal or upgrade. You will use your original license key for this procedure.
• To see your serial number, select Settings > About.
• To see your license key, select Settings > Upgrade. The characters up until the bang (!) are your license key.

Select Settings > About and then click License Details. Does your appliance have access to the Internet (license.soleranetworks.com; port 443)?

Yes — Under Retrieve License, input the License Key and click Send Request.
• If applicable, select the desired license type.
• The appliance sends the license key and the license seed file to the license server, which generates the appropriate license file (license.tgz) and returns it to the appliance, which automatically reboots.

No — Click Download DS Seed to download the seed file (dsseed.tgz) to your workstation.
• On a workstation that has Internet access, go to license.soleranetworks.com.
• Type your license key, upload dsseed.tgz, and click Update.
• If applicable, select the desired license type and click Update.
• Save the license file (license.tgz) to your workstation.
• Return to the License Details dialog.
• Click Browse and select license.tgz.
• The license is uploaded and the appliance automatically reboots.


All Settings

Consult the table below to see where to configure all settings on Symantec Security Analytics. The Settings menu is available only to users with administrative privileges for the appliance. The settings in the [Account Name] menu affect only the account with which you are logged in. To see more about the CLI commands, consult the Security Analytics Reference Guide on support.symantec.com.

Setting Interface Location CLI

Account name and email [Account Name] > Account Settings

Anomaly detection See Tuning Anomaly Detection Settings.

Anonymous usage tracking Settings > Web Interface

API settings [Account Name] > Account Settings

Capture summary graph data Settings > About > Data-Retention Settings

Central Manager linkage Settings > Central Management

Certificates Settings > Security

Content Analysis settings Settings > Data Enrichment

CSR Settings > System (machine ID: Settings > About) csr.sh

DeepSight settings Settings > Data Enrichment

DHCP Settings > Network

DNS Settings > Network

Email logs, server setup Settings > Communication > Server Settings dslc

Enable external HTML elements preview Settings > Web Interface

Endpoint Protection settings Settings > Data Enrichment

Entries per page [Account Name] > Preferences

FIPS mode Settings > Security

Firewall Settings > Security dsfirewall

Global Intelligence Network connectivity Settings > Data Enrichment gindiag.sh

Global Intelligence Network feedback Settings > Web Interface

Google Authenticator [Account Name] > Preferences

Google Earth® settings Settings > Geolocation

Hostname Settings > Network

HTTP proxy Settings > Network

HTTPS access Settings > Security

ICMP response Settings > Security

Inactivity timeout Settings > Web Interface


Intelligence Services setup Settings > Data Enrichment

Integration providers Settings > Data Enrichment

Internal subnets for geolocation Settings > Geolocation

IPs to exclude from reputation lookup Settings > Data Enrichment

IPv4 and IPv6 addresses Settings > Network

Kerberos single sign-on Settings > Authentication

LDAP authentication Settings > Authentication

Licensing Settings > About > License Details

Log file export Settings > Communication > Advanced dslc

Log file purge Settings > Communication > Advanced dslc

Log notifications Settings > Communication > Server Settings dslc

Log settings import Settings > Communication > Advanced dslc

Logging (syslog, SNMP) Settings > Communication dslc

Login Correlation Service Settings > Data Enrichment

Malware Analysis appliance setup Settings > Data Enrichment

MaxMind® uploads Settings > Geolocation

Message of the day Settings > Web Interface

Metadata Settings > Metadata

MIB Settings > Communication > Advanced

NTP Settings > Date/Time

Open parser Analyze > Rules

Passwords Various, click link

Ping response Settings > Security

Pivot-only providers Settings > Data Enrichment (enable/disable only) scm pivot_only_providers

RADIUS authentication Settings > Authentication

Reboot appliance Settings > System

Referrers Settings > Web Interface

Reputation providers Settings > Data Enrichment

Root password https:///settings/initial_config

Session controls Settings > Security

Shut down appliance Settings > System

SNMP Settings > Communication > Server Settings dslc

SSH access Settings > Security

syslog Settings > Communication > Server Settings dslc


Time/date/zone settings Settings > Date/Time

Time-based data deletion Settings > About > Data Retention

Two-factor authentication [Account Name] > Preferences

Units of measurement [Account Name] > Preferences

Upgrade system software Settings > Upgrade

User accounts and groups Settings > Users and Groups scm solera_acl_elevate scm solera_acl_shell_only

Web Reputation Service Updates Settings > Data Enrichment

YARA rules Settings > Data Enrichment

Network Settings
Settings > Network

Fully Qualified Hostname — The name typed here is displayed as part of the prompt when anyone logs in to the command line on this appliance. Failure to use an FQDN here will cause the system name to appear as "localhost" in log messages as well as cause other unexpected behaviors.
Use DHCP — If you select this check box, it is recommended that you use the DHCP reservation feature of your DHCP server to statically map the MAC address of the management interface to an IP address.
IP Address, Netmask, Default Gateway — Enter these values in dotted-decimal format.
IPv6 Address — Input the appliance's address.
IPv6 Secondaries — Separate each address with a single space.
IPv6 Dynamic Address and IPv6 Dynamic Secondaries — Automatically assigned by the IPv6 system.
HTTP Proxy — If your appliance accesses the Internet through a proxy, type the IP address of the proxy in the following format: :

• If your appliance accesses the Internet through an authenticated proxy, edit /etc/environment as follows:
http_proxy="http://:@:"
https_proxy="http://:@:"
or
http_proxy="https://:@[]:"
https_proxy="https://:@[]:"
Also see how to install the proxy's SSL certificate.


No Proxy — Enter a comma-delimited list of IP addresses or domains that will not use the HTTP proxy to access the Internet: .maa.ourdomain.com,192.168.2.55, 2508:34ed:af:2d1::3d33

The value hostname is always present in the No Proxy field, even though it is not visible.

Primary DNS, Secondary DNS, Tertiary DNS — Specify up to three DNS servers. If you intend to add this appliance to your domain name service, or if you will be specifying hostnames for other devices in this appliance's settings, then you must specify at least one DNS server.

• When you change the hostname, HTTP proxy settings (including No Proxy), or time zone, the appliance will automatically reboot.
• When you change the IP address you may need to wait for ~10 seconds before attempting to connect to the new IP address.

System Date and Time

Time is an important parameter for PCAP file generation, playback, and certificates; therefore, it is recommended that you use NTP to synchronize time between the management workstation and the appliance whenever possible.
Select Settings > Date/Time.
For Date, type the date as MM/DD/YYYY.
For Time, type the time as hh:ii:ss.
For Time Zone, select the appropriate time zone for your location.

You must manually input the time and date even if you intend to enable NTP.

Optional — Select the Use Network Time Protocol (NTP) check box. You may use the default NTP servers or specify others.

Optional — To enable NTP encryption:
• For each NTP server:
o Select the Use Autokey check box to enable encryption.
o Click Browse to upload the group key that was generated by the NTP server. When the key has been accepted, the Current Group field will be populated with the following: ntpkey_iff_[|]
• Optional — Type the Group Key Password if a password was generated for the group key. This password must be the same for all of the servers' group keys.


• Select the Generate NTP Host Keys check box to generate a certificate and a host key for the appliance. These files will expire after one year.

• When you change the name of an NTP server, you must upload a new group key.
• When you change the hostname of the appliance on the Network Settings page, you must generate new NTP host keys.

Click Save. If you changed the time zone, the appliance will automatically reboot.


Statistics

Network System

The Network System page displays network interface statistics for Symantec Security Analytics. Select a specific network interface to view the statistics for that interface. Select Automatically Refresh Statistics to continuously update the displayed information.

Some of the "total" statistics will be reset after an upgrade or a reboot.

Statistic Description

Current Packets Captured per Second The number of packets per second currently being captured. This is a snapshot statistic.

Current Packets Filtered per Second The number of packets per second currently being filtered. This is a snapshot statistic.

Current Bytes Captured per Second The number of bytes per second currently being captured. This is a snapshot statistic.

Max Packets Captured per Second The maximum number of packets received in a second.

Max Packets Filtered per Second The maximum number of packets filtered in a second.

Max Bytes Captured per Second The maximum number of bytes received in a second.

Total Packets Captured The total number of packets captured. Depending on the storage size, these packets may have already been overwritten.

Total Bytes Captured The total number of bytes captured. Depending on the storage size, these packets may have already been overwritten.

Total Packets Filtered The total number of filtered packets matching the filter.

Total Bytes Filtered The total number of bytes recorded from the filtered packets received.

Slot Allocation Misses The number of packets dropped due to no available memory slots.

Space Map Errors The number of packets dropped due to no available allocation for the network interface.

DSR Read Misses The Disk Space Record was not found.

Active Slot The memory slot currently receiving packets.

Address of Active Slot The memory address of the active slot.

Packets Captured in Active Slot The number of packets stored in the current memory slot.

Ring Buffers in Active Slot The total number of ring buffers (on the network capture card) used to capture packets.

Bytes Captured in Active Slot The total number of bytes stored in the active memory slot.

Metadata in Active Slot (Bytes) The total metadata bytes in the active memory slot.

Size on Disk

The Size on Disk page displays a pie chart that depicts the total bytes of storage used by capture operations on each Ethernet interface. This data is a representation of disk space used to store the data and not necessarily the exact amount of data stored. For example, a pie slice showing 25 GB may be a combination of 23 GB of actual payload data and 2 GB of overhead. Place the cursor over a segment of the graphic to see how large the segment is.

Storage System

The Storage System page displays a list of storage device statistics. Select Automatically Refresh Statistics to continuously update the displayed information.

Disk Space Record ID

Statistic Description

Disk Space Type The identified purpose of the storage.

Disk Space Active Identifies if the storage space is in use.

Disk Space Date/Time Time stamp of the disk space creation.

Member Count The number of logical storage devices.

Disk ID The kernel-reported drive type (e.g., 20 = SATA).

Partition ID The name of the logical disk partition.

Slot Size (bytes) The number of bytes allocated for each slot.

Total Slots The total number of memory slots available for storage.

Cluster Size (bytes) The cluster size in bytes.

Total Clusters The total number of clusters available for storage.

Total 4K Blocks The total number of 4K blocks available for storage.

Disk Record Blocks The total number of disk record blocks.

Logical Data Area Start The start address for the logical data area.

Start of Slot Data The start address of slot data.

Space Table Size (bytes) The total size of the space table, in bytes.

Recycle Count The number of times the capture drive has filled to capacity.

Active Slot Chains For each interface, the Storage System page shows the following data:

Statistic Description

Start Cluster Address of the start cluster

End Cluster Address of the end cluster

Start Time Start time and date

End Time End time and date

Slot Count Number of slots occupied

Elements Number of elements

Size (bytes) Bytes in the chain

Active Slot Active slot number


Active Slot Address Address of active slot

Packets Number of packets in the chain

Ring Buffers Number of ring buffers

Total Bytes Total bytes in the chain

Total Metadata Bytes Total bytes that contain metadata

Total Captured The Total Captured page displays a pie chart that depicts the total bytes captured by each Ethernet interface. Place your cursor over a segment to display the actual amount captured by that interface.

Total Filtered The Total Filtered page displays a pie chart that depicts the total bytes for each filtered interface. Place your cursor over a segment to display the amount of filtered data captured by that interface.


Drive-Space Management This page describes how Symantec Security Analytics organizes data so that you can delete the appropriate data sets if you need to free up space for new data.

Capture and Index Drives The data on both the capture and index drives is automatically overwritten according to the method described in Data Overwriting. To purge all data from the capture and index drives, run dszap from the command line.

You cannot retrieve data that you erase with the dszap command.

System Drive Security Analytics saves the following data on the system drive, so the data is not affected by the overwrite cycles on the capture and index drives:

• Indicators and rules†
• Capture filters†
• Logs
• Statistics
• Capture summary graph data
• Saved extractions†
• Real-time extractions
• Packet analysis data

†Save operation initiated by user


Delete Controls for Data Types Some data is deleted with a special button; other data is deleted through settings and other controls. This table shows how to delete each data type.

Data Type                       UI                                                        CLI
Indicators                      Analyze > Indicators >                                    n/a
Rules                           Analyze > Rules >                                         n/a
Saved Reports                   Analyze > Report Status > List >                          Included in dszap deletion
                                Settings > About > Data-Retention Settings
Saved Extractions               Analyze > Saved Extractions >                             Included in dszap deletion
                                Settings > About > Data-Retention Settings
Audit Logs                      Settings > Communication > Advanced > Clear Log Entries   dslogdump --clear
Statistics                      n/a                                                       dsstats --reset
Packet Analyzer                 n/a                                                       rm -fr /home/apache/hammerhead
Captured Packets and Metadata   n/a                                                       dszap
Capture Summary Drive Data      Settings > About > Data-Retention Settings >
                                Delete ALL Capture Summary Data

You cannot retrieve data that you erase with the dszap command.

Home Drive Select Analyze > Saved Extractions. The text at the bottom of the page indicates how much space is available on the home drive.

The following data types are stored on the home drive.

• Saved extractions
• Packet analysis data§
• PCAPs to be downloaded

§ Data from the last 10 invocations of the packet analyzer are automatically stored.

You can delete data from the home drive in the following ways:

• On Analyze > Saved Extractions, delete one or more entries.
• On Settings > About > Data-Retention Policies, enable time-based data deletion.


Time-Based Data Deletion You can specify the amount of time that the system retains your data before automatically deleting it.

1 Select Settings > About > Data-Retention Settings.

2 Select the Enable Time-Based Data Deletion check box.

3 For Delete data older than, specify the number of days and hours to keep capture and metadata before deletion.

4 Optional: Select Delete Saved Reports and Artifacts.

5 Click Save.

If you have time-based data deletion enabled for saved reports and extractions, the following behaviors may occur:

1 A saved item that straddles the deletion time will display the data that is still present but not the data that has been deleted.

2 A saved extraction with a start and end time that is after deletion will continue to appear in the Saved Extractions list but with Time Deletion in the Status column. When you attempt to view the saved extraction, you will be prompted to delete the item from the list.

3 A saved item that is being viewed during the deletion operation will be visible until the data is deleted. A message will then be displayed to inform the user that the data has been deleted.


Reboot or Shut Down

Never power off a Symantec Security Analytics appliance manually.

From the Web Interface

• Select Settings > System.
• Do one of the following:
  • Under Reboot Appliance, click Reboot.
  • Under Shut Down Appliance, click Shut Down. The appliance immediately shuts down, and you must have physical access to the appliance to restart it.

If the reboot is unsuccessful and you have physical access to the appliance, press Ctrl+Alt+Delete on the console keyboard to initiate a clean system restart, then power down the appliance using its power button after the system POST (power-on self-test) completes but before the system begins to boot.

From the CLI

• Open an SSH session to the management interface's IP address.
• Log in using an account with administrator or root privileges.
• Type the command shutdown -r and press Enter. The appliance shuts down and then reboots itself. You should then be able to log in normally.

Using the IPMI Interface

• From a web browser, connect to the IP address of the IPMI port.

If Security Analytics is installed on a Dell® server, consult the Dell iDRAC user documentation to obtain this same functionality.

• Click Remote Control.
• Click the Remote Control tab and then click Launch Console to open a hardware-level console connection to the appliance. (Java® software is required for this operation.)
• To remotely power on, power down, or reset the appliance, click the Power Control button and select the desired option.

Selecting any of the following IPMI menu options — Power Off Server – Immediate, Reset Server, or Power Cycle Server — will not perform a graceful shutdown of the appliance. Select one of these options only if you are unable to power down the appliance using the interfaces (web or CLI).


Security Analytics Functionality

This section includes the following topics:

• How Security Analytics Works
• Flows in Security Analytics
• Data Enrichment Process
• FRS Prefilter Process
• Anomaly Detection Process
• Interface Icons
• Appliance Ports
• Interface Screens


How Security Analytics Works Also see: Flows in Security Analytics, Populating the Reports, Data Enrichment Process, FRS Prefilter, Detecting File Types, Anomaly Detection Process

Implementation In a typical deployment, Symantec Security Analytics receives mirrored traffic from a SPAN port or network tap. The traffic enters the appliance through one or more Ethernet ports, called "capture interfaces."

Drive Configuration

All Security Analytics devices (except the CMC) comprise three logical drives or arrays:

• Capture — Where raw packet data is written
• Indexing — Indexed metadata (Indexing DB)
• System — A Linux®-based operating system

The actual size and composition of the drives vary according to the hardware and the specific configuration of the Security Analytics deployment. For example, in a Security Analytics 10G Appliance, all three drives are RAID arrays, whereas in a virtual machine, the drives may be logically separate entities on a conventional hard drive.

Packet Capture The figure below shows how incoming packets are processed and analyzed by Security Analytics.

1 Mirrored packets arrive from the LAN through one or more NICs. (Packets larger than 1522 bytes are dropped. To capture larger packets, contact Symantec Support.)

2 When traffic begins to arrive, the NIC requests a "slot," a 256-MB RAM "container" into which the NIC loads incoming packets. Each packet receives a time-of-capture stamp and a source-interface tag.

3 When the slot is full, the slot is written to the capture drive, and the NIC requests another slot.

4 The metadata (packet header fields, capture timestamps, and interface identifiers) for the packets is written to the Indexing DB. Flows ("conversations" or "sessions") between hosts are identified during indexing. Also see Data-Enrichment Process.

5 Artifacts (files), email messages, and IM conversations are extracted from the capture drive.

6 When PCAPs are downloaded, the packets are retrieved from the capture drive.

7 Reports, report widgets, the capture summary graph, and geolocation are generated from the metadata on the indexing drive.


Writing the Slots The capture drive is logically organized into "slots." As each packet is captured, it is written to a slot. Slots are allocated to the interfaces in sequential order (0–N).

The figure above shows four NICs, eth2 through eth5. Legend:

colored  Packet written from that NIC
gray     Nothing written because another NIC has that slot
white    Capture inactive on that NIC
>        Start capture
X        End capture

eth2 starts to capture first, so it is allocated slot 0. eth5 is allocated slot 1, eth3 is allocated slot 2, and eth4 receives slot 3. The faster or busier NICs are allocated slots more frequently than slower or less-busy NICs. In this example, eth2 and eth5 are allocated more slots because they fill their slots more quickly than eth3 and eth4.

• Each time capture begins on an interface, it creates a "slot chain" — a list of the slots that were used for that capture session in the order in which they were filled.
• In the figure above, eth2 created the slot chain 0-4-8-12-14-18-21-24-28, whereas eth3 created slot chains 2-6-10 and 16-19-22-25.
• Slots are interface-agnostic. After slot N is allocated, slot 0 will be allocated to the next NIC that requests a slot, regardless of which NIC was allocated slot 0 in the previous cycle.

Select Statistics > Storage System to see slot and slot-chain data.


Data Overwriting The figure below shows how packets are logically written to the capture and index drives. The full packets and their corresponding index entries (metadata) are written simultaneously to the two drives: the red circles represent a particular set of packets with its corresponding metadata.

1 Packets are written to the capture drive in slot order from 0–N.

2 The corresponding metadata is simultaneously written to the indexing drive.

The write process always starts at the first slot and runs continually to the last, which prevents the hard-drive heads from engaging in excessive motion. It also enables extremely fast packet capture: up to 10 Gbps with the appropriate system RAM and RAID arrays. After the last slot is filled, the next captured packet is written to slot 0. When the capture drive overwrites the first slot, the capture drive has "recycled." Select Statistics > Storage System to see the recycle count for your capture drive. The interval between cycles depends on the amount of data being captured, the size of the packets being captured, and the size of the capture drive.

3 The indicated packet data is overwritten as the capture drive recycles the first time.

4 The corresponding metadata is still available for reports.

In the figure above, the recycle count has been incremented by one because the capture drive has begun to overwrite the first set of packets. Notice that the metadata for the first packets has not yet been overwritten, because the index drive typically does not recycle as quickly as the capture drive. For this reason, report and geolocation data is often available after the original packets have been overwritten.

5 The original packet data’s location is overwritten a second time.

6 The corresponding metadata has now been overwritten.

As the second cycle begins, the metadata for the original packets begins to be overwritten.

To see whether the packets or metadata have been overwritten, View Data Availability.

Overwriting Imported PCAPs When you import a PCAP, the PCAP is first uploaded to system RAM and queued into slots in the same manner as the data from the capture interfaces. The interface for an imported PCAP is designated as impt[x].

It is then written to the capture drive alongside the live data.


Because the capture drive overwrites slots according to slot order, not according to timestamps, imported PCAPs will be overwritten according to their location on the capture drive, not according to the "age" of the packets.

For example, if you are actively capturing data in 2017 and you import PCAPs from 2016 (and retain the original timestamps), the capture drive will not overwrite all of the PCAPs from 2016 before starting to overwrite the data from 2017; instead, it will overwrite the slots in numerical order, 0–N, as usual.
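The slot behavior described in Writing the Slots, Data Overwriting, and Overwriting Imported PCAPs can be modeled in a few dozen lines. The following Python script is an added illustration, not Security Analytics code: it hands slots out in 0–N order to whichever interface asks, records each capture session's slot chain, increments a recycle count when slot 0 is reused, and imports a PCAP with 2016 timestamps as interface impt0 alongside 2017 live traffic. The slot count (6), slot size (2 packets), interface names, and timestamps are constructed so that one full cycle fits in the demo.

```python
"""Toy model of slot-based capture storage (added illustration, not
Security Analytics code). Slot count and slot size are scaled down
from the real 256-MB slots so one recycle fits in a short demo."""

from dataclasses import dataclass, field


@dataclass
class Slot:
    owner: str = ""                               # interface that filled it
    packets: list = field(default_factory=list)   # packet timestamps (constructed)


class CaptureDrive:
    def __init__(self, num_slots, slot_size):
        self.slots = [Slot() for _ in range(num_slots)]
        self.slot_size = slot_size      # packets per slot in this toy
        self.next_slot = 0              # allocation pointer; wraps to 0 after N
        self.recycle_count = 0
        self.active = {}                # interface -> slot index being filled
        self.chains = {}                # interface -> list of slot chains

    def _allocate(self, iface):
        """Hand out the next slot in 0..N order, whoever is asking."""
        idx = self.next_slot
        self.next_slot = (self.next_slot + 1) % len(self.slots)
        slot = self.slots[idx]
        if idx == 0 and slot.owner:
            self.recycle_count += 1     # slot 0 reused: the drive has recycled
        slot.owner, slot.packets = iface, []   # previous contents are overwritten
        self.active[iface] = idx
        self.chains[iface][-1].append(idx)     # extend this session's slot chain

    def start_capture(self, iface):
        self.chains.setdefault(iface, []).append([])   # new slot chain
        self._allocate(iface)

    def stop_capture(self, iface):
        self.active.pop(iface, None)

    def write(self, iface, timestamp):
        idx = self.active[iface]
        self.slots[idx].packets.append(timestamp)
        if len(self.slots[idx].packets) == self.slot_size:
            self._allocate(iface)       # slot full: request the next one

    def packets_on_disk(self):
        """Timestamps still recoverable from the drive, mapped to interface."""
        return {ts: s.owner for s in self.slots for ts in s.packets}


def demo():
    drive = CaptureDrive(num_slots=6, slot_size=2)
    drive.start_capture("eth2")         # gets slot 0
    drive.start_capture("eth5")         # gets slot 1
    drive.start_capture("eth3")         # gets slot 2
    for ts in ("2017-1", "2017-2"):     # eth2 fills slot 0, is handed slot 3
        drive.write("eth2", ts)
    for ts in ("2017-3", "2017-4"):     # eth5 fills slot 1, is handed slot 4
        drive.write("eth5", ts)
    drive.write("eth3", "2017-5")       # eth3 is slow; slot 2 stays half full
    # Import a 2016 PCAP with its original timestamps: it is queued into
    # slots like any other interface, here as impt0.
    drive.start_capture("impt0")        # gets slot 5
    for ts in ("2016-1", "2016-2", "2016-3"):
        drive.write("impt0", ts)        # fills slot 5, wraps to slot 0: recycle #1
    drive.stop_capture("impt0")
    for ts in ("2017-6", "2017-7"):     # eth2 fills slot 3, is handed slot 1
        drive.write("eth2", ts)
    return drive
```

After demo() runs, the 2016 packets in slots 5 and 0 are still on disk while the older-positioned 2017 packets from slots 0 and 1 are gone: overwrite order follows slot position, not packet age, exactly as the text states.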


Flows in Security Analytics This page explains how the TCP and UDP state machines impact flow-based reporting and artifact extraction in Security Analytics. Symantec Security Analytics implements Internet Protocol (IP) state machines to identify, track, and return associated data for all network flows. A network flow — also called a "conversation" or "session" in Security Analytics — is an orderly exchange of data between two network entities.

At minimum, Security Analytics identifies a flow by a unique 5-tuple that is derived from the flow's first packet: three network-layer fields and two transport-layer fields:

• IP protocol
• Source IP address (src IP)
• Destination IP address (dst IP)
• Source port (src port)
• Destination port (dst port)

Transmission Control Protocol (TCP, part of the Internet Protocol suite) uses a sequence number to explicitly identify each packet in the same flow, whereas User Datagram Protocol (UDP, also part of the Internet Protocol suite) does not include a sequence number. The end of a flow is determined either by a time-out mechanism (UDP) or a formal session termination (TCP).


TCP Finite State Machine

Most TCP flows establish a connection with a "graceful," 3-way handshake that includes a sequence number: a SYN (synchronize) packet, a SYN+ACK (acknowledge SYN) packet, and an ACK (acknowledge the SYN+ACK) packet.

In some cases, the first packet of a new TCP session is not part of a traditional handshake but is, for example, a PSH/ACK, RST, or FIN/ACK, depending on the behavior of the network application: a probe utility, Nmap, firewall port knocking, and so forth.

When Security Analytics detects a 3-way handshake, it checks its flow table to determine whether a flow with the same 5-tuple already exists. If it does not, Security Analytics creates a new row in the flow table and generates a hash key from the 5-tuple to track the state of the flow throughout its duration. The handshake is also used to determine directionality: the entity that sends the first SYN packet is the "initiator" and the entity that sends the corresponding SYN+ACK is the "responder."

When a new TCP packet enters the system that is neither preceded by a 3-way handshake nor matched by an entry in the flow table, Security Analytics uses the 5-tuple of the first captured packet to determine the TCP roles of initiator and responder and to generate the corresponding hash key for the flow. This behavior is similar to how Wireshark constructs TCP streams.

Security Analytics inspects every TCP packet that enters the system and performs the following operations:

• Determines whether the 5-tuple already exists in the flow table and creates a new entry if it does not.
• When the 5-tuple already exists, the TCP state machine matches the packet's sequence number to its entry in the flow table, so that the packets may be correctly reassembled.

For each hash key, Security Analytics sequentially assigns a flow ID and writes the value to the Indexing DB as the flow_id attribute, which can be used in the primary filter and reports.

The flow ID field uses 62 bits and can therefore identify 2^62 (approximately 4.6 × 10^18) unique flows. Based on the current capacity and supported capture rates of a 10G appliance, it would take an estimated 100 years or more before the flow ID numbers were exhausted.

Security Analytics considers a flow to be expired when the TCP session is gracefully torn down with an in-sequence FIN/ACK, when it is reset (RST), or when it times out from inactivity. The state machine expires a flow from the state table when the session remains open but no new packets arrive for 60 seconds. If new packets for a previous session arrive after the 60-second timeout, they are treated as a new flow and given a new sequence number.

UDP State Machine UDP is a simple stateless protocol — packets arrive without an introductory handshake and stop without a formal session tear-down.

The UDP state machine works in a fashion similar to TCP: it inspects packets based on a 5-tuple and associates them with a unique flow ID. A UDP flow 5-tuple consists of IP proto, src IP, dest IP, src port, dst port.

• Because UDP is connectionless, the first packet in a new flow (rather than a handshake) — together with the 5-tuple — are used to determine the initiator, responder, and unique hash key for the flow.
• The state machine inspects all UDP packets to see if they match an existing flow in the system, and if not, it generates a new flow record.
• The UDP session inactivity timeout is 5 seconds; after 5 seconds of inactivity, a UDP session is considered closed. Any new packets that match the 5-tuple are written as a new flow in the Indexing DB.
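The TCP and UDP state machines described above can be sketched as a small flow tracker. The following Python script is an added illustration, not Security Analytics code: packets are matched to a flow by their 5-tuple in either direction, each new flow receives a sequential flow_id, the initiator is the host that sent the SYN (or the sender of the first captured packet when no handshake was seen), and a flow ends on RST, on FIN/ACK, or after 60 seconds (TCP) or 5 seconds (UDP) of inactivity, after which matching packets start a new flow. The sample packets, addresses, ports, and timestamps are constructed for the demo; the real state machine also tracks sequence numbers, which this sketch omits.

```python
"""Flow tracker sketch modeling the TCP/UDP state machines described
above (added illustration, not Security Analytics code)."""

from dataclasses import dataclass

TCP, UDP = 6, 17
IDLE_TIMEOUT = {TCP: 60.0, UDP: 5.0}   # seconds, as stated in the text


@dataclass
class Packet:
    ts: float
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()     # TCP flag names, e.g. {"SYN", "ACK"}


@dataclass
class Flow:
    flow_id: int
    proto: int
    initiator: tuple                   # (ip, port)
    responder: tuple
    first_seen: float
    last_seen: float
    packets: int = 0
    closed: bool = False


def flow_key(pkt):
    """Direction-independent 5-tuple: both sides of a conversation map to
    the same key, which is what the flow table is indexed by."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (pkt.proto,) + tuple(sorted((a, b)))


class FlowTable:
    def __init__(self):
        self.active = {}               # key -> Flow still open
        self.expired = []              # finished flows, kept for reporting
        self.next_id = 1               # flow_id is handed out sequentially

    def _expire(self, key):
        flow = self.active.pop(key)
        flow.closed = True
        self.expired.append(flow)

    def _open(self, pkt, key):
        src, dst = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        # A SYN+ACK as first packet means its sender is the responder;
        # otherwise the first captured packet's source is the initiator.
        if pkt.proto == TCP and pkt.flags == {"SYN", "ACK"}:
            src, dst = dst, src
        flow = Flow(self.next_id, pkt.proto, src, dst, pkt.ts, pkt.ts)
        self.next_id += 1
        self.active[key] = flow
        return flow

    def process(self, pkt):
        """Assign the packet to a flow and return its flow_id."""
        key = flow_key(pkt)
        flow = self.active.get(key)
        if flow and pkt.ts - flow.last_seen > IDLE_TIMEOUT[pkt.proto]:
            self._expire(key)          # idle too long: later packets start a new flow
            flow = None
        if flow is None:
            flow = self._open(pkt, key)
        flow.packets += 1
        flow.last_seen = pkt.ts
        if pkt.proto == TCP and ("RST" in pkt.flags or pkt.flags >= {"FIN", "ACK"}):
            self._expire(key)          # reset or graceful tear-down
        return flow.flow_id

    def all_flows(self):
        return self.expired + list(self.active.values())


def sample_traffic():
    """Constructed packets: one full TCP session, a DNS exchange, the same
    DNS 5-tuple after the UDP timeout, a mid-stream TCP session with no
    handshake, and a RST on that 5-tuple after the TCP timeout."""
    f = frozenset
    return [
        Packet(0.0, TCP, "10.0.0.5", 51000, "93.184.216.34", 80, f({"SYN"})),
        Packet(0.1, TCP, "93.184.216.34", 80, "10.0.0.5", 51000, f({"SYN", "ACK"})),
        Packet(0.2, TCP, "10.0.0.5", 51000, "93.184.216.34", 80, f({"ACK"})),
        Packet(0.3, TCP, "10.0.0.5", 51000, "93.184.216.34", 80, f({"PSH", "ACK"})),
        Packet(0.5, TCP, "93.184.216.34", 80, "10.0.0.5", 51000, f({"PSH", "ACK"})),
        Packet(0.6, TCP, "10.0.0.5", 51000, "93.184.216.34", 80, f({"FIN", "ACK"})),
        Packet(1.0, UDP, "10.0.0.5", 40000, "10.0.0.53", 53),
        Packet(1.05, UDP, "10.0.0.53", 53, "10.0.0.5", 40000),
        Packet(11.0, UDP, "10.0.0.5", 40000, "10.0.0.53", 53),
        Packet(20.0, TCP, "198.51.100.7", 443, "10.0.0.8", 52222, f({"PSH", "ACK"})),
        Packet(20.2, TCP, "10.0.0.8", 52222, "198.51.100.7", 443, f({"ACK"})),
        Packet(81.3, TCP, "10.0.0.8", 52222, "198.51.100.7", 443, f({"RST"})),
    ]


def run_demo():
    table = FlowTable()
    ids = [table.process(p) for p in sample_traffic()]
    return table, ids
```

run_demo() yields five flows from twelve packets: the handshake session (flow 1, closed by FIN/ACK), the DNS exchange (flow 2, expired by the 5-second UDP timeout), its re-use of the same 5-tuple (flow 3, still open), the mid-stream TCP session whose initiator is taken from the first captured packet (flow 4, expired after 60 seconds idle), and the late RST, which opens and immediately closes flow 5.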


This simplified diagram of a TCP session shows why a single flow usually contains multiple files.

The Initiator sends a SYN packet to start the TCP session. The Responder sends SYN+ACK to confirm. The three-way handshake is completed by ACK from the Initiator. With the Layer 4 (transport) session established, the Initiator can make requests according to the application-layer protocol, such as HTTP, FTP, or SMB. In this example, the Initiator sends multiple HTTP Requests to the Responder. Often using HTTP pipelining, the Responder sends files in response to each request as it arrives, instead of waiting to receive an acknowledgment for each response. In this example an HTML page with its associated elements — JavaScript, style sheets, graphics, and multimedia files — are transferred in a single flow.

At the end of the session, the Initiator sends a FIN packet. The Responder sends FIN+ACK to terminate the session.


Flow-Based Reports A single TCP flow may comprise tens of thousands of packets that contain an enormous variety of data types such as the application-delivery mechanism, multiple requests and responses (each with different request headers and server-side response headers), numerous file payloads, and a diverse collection of metadata. For network forensic investigations, it is paramount to understand the full chain of events and context for any network activity. For example, finding a malicious file is important, but it is equally important to understand the transport protocol, application, IP addresses, user agents, and URIs that were used during the download of the malicious file. All of these data points help identify the different tactics, techniques, and procedures (TTPs) that an attacker used. For these reasons, Security Analytics is structured to return entire flows when the primary filter specifies a particular item of metadata as an indicator or filter.

Example: A typical process for returning entire flows is displayed in this flowchart:

1 On the web interface, the user inputs one or more attribute/value tuples in the primary filter bar OR the user pivots from an alert to the Summary page.

2 The query handler finds matches for the tuples in flow_ids 111, 222, 333, 444, and 555.

3 If the user query is for a report, the flow_id request is sent to the Indexing DB.


4 If the user query is for an extraction, the flow_id request is sent to the extractor, which queries the capture drive and extracts artifacts from the flows that the query handler identified.

5 The Indexing DB returns all of the metadata for all of the flows in the request.

6 The extractor returns all of the artifacts for all of the flows in the request.

Example: A single attribute/value tuple in the primary filter bar returns multiple artifacts. As shown below, the filter filename=map.swf returns 36 artifacts, including synthetic, 0-byte artifacts. Only one of the artifacts has the file name map.swf, yet the extractor has returned all of the files in the requested flow.

In a corresponding Summary view, these report widgets show that all of the files in the flow share the same 5-tuple.


Data Enrichment Process Default Data-Enrichment Process This diagram shows how the rules engine directs the production of data-enrichment verdicts during real-time extraction. The Malware Analysis Process is different from the default.

1 Captured data and imported PCAPs are sent to the metadata indexer.

2 The metadata indexer sends the packets to the deep-packet inspection (DPI) engine, where the packet headers are extracted and classified.

3 The metadata indexer compares the classified metadata with active rules. When a rule is matched, the metadata indexer sends the flow ID and the rule it matched to data enrichment.

4 Data enrichment compares the artifact's file type to the file-type filter for each of the rule's enrichment providers. If the filter permits the file type, data enrichment sends the flow ID to the extractor to request a real-time extraction (RTE) or "microextraction."

5 The extractor reassembles all of the artifacts in the flow by reading packet data from the capture system, and for each artifact it calculates the MD5, SHA1, SHA256, and fuzzy hashes, according to user settings. (Fuzzy hash must be manually enabled.) When importing a PCAP, you can see how many rule-based extractions were performed on the PCAP in the Extraction Jobs column. The extractor returns the hashes to data enrichment.


6 If a verdict for an artifact is already present for an enrichment provider, data enrichment retrieves the verdict from cache.

7 If the verdict is not present in cache, data enrichment sends the hashes or files to the selected reputation provider(s)—local or off-box, such as ClamAV or Malware Analysis.

8 As soon as it receives a verdict, data enrichment writes the verdict and the hashes to the indexing DB, where they are available for reports.

9 If the verdict is higher than 6, an alert and its reputation report are posted to the Alerts page.

10 If remote notification has been enabled for the rule, a remote notification is also sent.

Example: Create a Data Enrichment Rule to Evaluate PDFs The Security Analytics rule engine provides a real-time, rule-based method to enrich extracted files and metadata. A rule consists of these simple building blocks:

• Indicator — Contains metadata attributes such as file type, IP address, DNS query, or HTTP URL
• Rule type — Data enrichment, alert, IPFIX export, or PCAP export
  o For data-enrichment rules, a verdict from an enrichment provider such as File Reputation Service, ClamAV, YARA rules, or Malware Analysis
• Notification — An alert when traffic matches the rule and the verdict is higher than 6
• Action — In the case of IPFIX and PCAP export, sending the file to a PCAP or other file server

Follow these steps to set up a rule that detects malware inside a PDF document:

1 Enable one or more file-based enrichment providers such as Malware Analysis and ClamAV. Ensure that the desired file-type filter for the providers is selected. Enable the FRS Prefilter to reduce traffic to the Malware Analysis appliance.

2 Create one or more indicators to match the file type of interest: PDF. The indicators can include any DPI-based, primary-filter attributes such as filename=*.pdf or file_extension=pdf (matches the explicit file name), file_type=pdf (matches the magic number), or a preloaded indicator such as PDF – Presented MIME Type (matches various PDF-related MIME types).

Filters that use two or more different attributes are joined by Boolean AND. If the filter contained both file_extension=pdf and PDF - Presented MIME Type, traffic would have to match both filters.

3 Create a rule and specify the indicator(s) as the event to match.

4 Select Data Enrichment for Type, and for Send to select the desired enrichment provider(s).

5 Optionally, configure remote notifications via email, syslog, or SNMP. The rule is activated as soon as you click Save.

FRS Prefilter Process The File Reputation Service (FRS) prefilter setting is enabled by default on the Malware Analysis provider so that artifacts that are already known to FRS are not sent to the Malware Analysis appliance. FRS Prefilter alters the data-enrichment process for Malware Analysis by returning FRS verdicts for known artifacts and then sending only the unknown artifacts to the Malware Analysis appliance.

To manually bypass the FRS prefilter and all data enrichment filters for an artifact, go to Analyze > Extractions, expand the artifact entry, click the file name, and select Malware Analysis, which sends the file to the Malware Analysis appliance.


1 The rules engine registers a hit based on a rule's indicator. The corresponding artifact is extracted and its hashes are calculated.

2 If the file type for the artifact does not match the Malware Analysis (MA) file-type filter, the process ends. No data-enrichment job is created.

3 When the artifact matches the Malware Analysis filter, a data-enrichment job is created.

4 If FRS Prefilter is enabled, the artifact must also match the File Reputation Service (FRS) file-type filter.

5 If FRS Prefilter is not enabled, the system looks for an existing MA verdict in the cache.

6 If no MA verdict is found in cache, the artifact is sent to the Malware Analysis appliance.

7 The MA verdict (cached or from the appliance) and the artifact hashes are written to the indexing DB, making them available for the Malware Analysis Verdict and hash reports.

8 If the MA verdict is 6 or lower, no alert is posted.

9 If the MA verdict is higher than 6, the alert is posted, showing Malware Analysis as the Enrichment Provider and the Type as Malware.

10 If there is no FRS verdict in the cache, the hash is reviewed by the local copy of the Web Reputation Service (WRS).

11 If the local WRS database has no verdict, then the hash is sent to the Global Intelligence Network (GIN).

12 If GIN returns a 5 (unknown), the system looks for an MA verdict in the cache, and if not found the artifact is sent to the Malware Analysis appliance.

13 If GIN returns a verdict other than 5, the FRS verdict and the artifact hashes are written to the Indexing DB, making them available for the File Signature Verdict and hash reports.

14 If the verdict is higher than 6, an alert is posted, showing File Reputation Service as the Enrichment Provider and the Type as File.
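The fourteen steps above form a decision tree that is easier to check in code than in prose. The following Python model is an added illustration, not Security Analytics code: for one artifact that has already matched a Malware Analysis rule, it applies the MA and FRS file-type filters, consults the verdict cache, the local WRS database and then GIN when the prefilter is on, falls back to the Malware Analysis appliance when GIN returns 5 (unknown) or the prefilter is off, records the verdict, and posts an alert only when the verdict is higher than 6. The filters, caches, verdict sources, the file-type category string, the verdict values 8 and 9, and the placeholder hash are in-memory stand-ins constructed for the demo; the demo itself follows the three-import walkthrough that appears below.

```python
"""Decision model of the FRS Prefilter path (added illustration, not
Security Analytics code). Verdict sources are dictionaries standing in
for the verdict cache, the local WRS database, GIN and the MA appliance."""

from dataclasses import dataclass, field
from typing import Optional

ALERT_THRESHOLD = 6        # verdicts above this post an alert (per the text)
GIN_UNKNOWN = 5            # GIN returns 5 when it does not know the hash


@dataclass
class Enrichment:
    ma_filter: set                                       # file types MA accepts
    frs_filter: set                                      # file types FRS accepts
    frs_prefilter: bool = True
    ma_cache: dict = field(default_factory=dict)         # hash -> cached MA verdict
    frs_cache: dict = field(default_factory=dict)        # hash -> cached FRS verdict
    wrs_local: dict = field(default_factory=dict)        # local WRS database (stand-in)
    gin: dict = field(default_factory=dict)              # cloud lookups (stand-in)
    ma_appliance: dict = field(default_factory=dict)     # what sandboxing would return
    ma_submissions: list = field(default_factory=list)   # hashes actually sent to MA


@dataclass
class Result:
    provider: str              # "none", "Malware Analysis" or "File Reputation Service"
    verdict: Optional[int]
    alert: bool
    from_cache: bool = False


def _ma_path(cfg, sha256):
    """Steps 5-9: cached MA verdict, else submit to the MA appliance."""
    verdict = cfg.ma_cache.get(sha256)
    if verdict is not None:
        return Result("Malware Analysis", verdict, verdict > ALERT_THRESHOLD, True)
    cfg.ma_submissions.append(sha256)
    verdict = cfg.ma_appliance[sha256]
    cfg.ma_cache[sha256] = verdict
    return Result("Malware Analysis", verdict, verdict > ALERT_THRESHOLD, False)


def enrich(cfg, sha256, file_type):
    """Run one artifact (already matched by an MA rule) through the flow."""
    # Steps 2-3: no MA filter match, no data-enrichment job at all.
    if file_type not in cfg.ma_filter:
        return Result("none", None, False)
    if not cfg.frs_prefilter:
        return _ma_path(cfg, sha256)
    # Step 4: with the prefilter on, the FRS file-type filter must match too;
    # otherwise FRS is not queried and the file is not sent to MA either.
    if file_type not in cfg.frs_filter:
        return Result("none", None, False)
    # Steps 10-11: FRS cache, then the local WRS database, then GIN.
    verdict = cfg.frs_cache.get(sha256)
    cached = verdict is not None
    if verdict is None:
        verdict = cfg.wrs_local.get(sha256)
    if verdict is None:
        verdict = cfg.gin.get(sha256, GIN_UNKNOWN)
    # Step 12: unknown to FRS, so fall back to Malware Analysis.
    if verdict == GIN_UNKNOWN:
        return _ma_path(cfg, sha256)
    # Steps 13-14: record the FRS verdict; alert only above the threshold.
    cfg.frs_cache[sha256] = verdict
    return Result("File Reputation Service", verdict, verdict > ALERT_THRESHOLD, cached)


def demo():
    """Three imports of the same artifact, mirroring the walkthrough below."""
    sample = "sha256-placeholder-pdfcreator"     # constructed placeholder, not a real hash
    cfg = Enrichment(
        ma_filter={"Programs and Libraries"},
        frs_filter={"Programs and Libraries"},
        frs_prefilter=False,
        gin={sample: 9},                          # FRS knows it as malware (constructed value)
        ma_appliance={sample: 8},                 # sandbox would also convict (constructed value)
    )
    first = enrich(cfg, sample, "Programs and Libraries")    # sent to the MA appliance
    second = enrich(cfg, sample, "Programs and Libraries")   # answered from the MA cache
    cfg.ma_cache.clear()                # stands in for clearing the verdict cache
    cfg.frs_prefilter = True
    third = enrich(cfg, sample, "Programs and Libraries")    # FRS answers; MA is skipped
    return cfg, (first, second, third)
```

In demo(), the first import is submitted to Malware Analysis, the second is served from cache with no new submission, and the third, with the prefilter enabled and the cache cleared, is answered by the File Reputation Service without touching the Malware Analysis queue.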

Example: A file called pdfcreator-1-3-2-en-win.exe is known to the File Reputation Service as malware. A PCAP that contains pdfcreator-1-3-2-en-win.exe is imported three times to Security Analytics under these conditions:

• The File Reputation Service is licensed. (It does not need to be activated.)
• A Malware Analysis appliance has been added.
• The Malware Analysis and File Reputation Service file-type filters both permit Programs and Libraries.
• The Blue Coat Malware Analysis Service rule is enabled. The Blue Coat File Reputation Service rule is not enabled. (Duplicate alerts would be produced.)
• Security Analytics has never received a verdict on pdfcreator-1-3-2-en-win.exe.

1 The first time that the PCAP is imported, FRS Prefilter is disabled.

1. The file pdfcreator-1-3-2-en-win.exe is detected by the Blue Coat File Reputation Service File Types indicator.

2. Malware Analysis returns a verdict, so the alert has a malware icon.

3. The alert has a link to the corresponding task on the Malware Analysis appliance.

4. The result did not come from cache, which means that the artifact was sent to the Malware Analysis appliance.

5. The verdict is present in the Malware Analysis Verdict report.

2 For the second PCAP import, no settings are changed.

6. Security Analytics retrieves the verdict from cache.

7. The link to the original Malware Analysis task is also retrieved from cache.

8. The verdict is present in the Malware Analysis Verdict report.

3 Before importing the PCAP the third time, the verdict cache is cleared by running scm db clear_redis tonic, and FRS Prefilter is enabled in the Malware Analysis entry on Settings > Data Enrichment.

9. The File Reputation Service returns the verdict, as indicated by the file icon, and there is no link to a Malware Analysis task. Blue Coat File Reputation Service is the Enrichment Provider.

10. The rule name is still Blue Coat Malware Analysis Service, because that rule detected pdfcreator-1-3-2-en-win.exe. The Reputation Report contains a note saying that the sample (artifact) was not sent to Malware Analysis.

© 2019 Symantec Corporation Updated: 13 May 2019 Security Analytics Functionality 281 Data Enrichment Process

11. The Data Enrichment Filter for the File Reputation Service was applied. (If the FRS filter excluded pdfcreator-1-3-2-en-win.exe, File Reputation Service would not be queried, and the file would not be sent to Malware Analysis.)
12. The verdict is present in the File Signature Verdicts report.

When to Disable the FRS Prefilter

Symantec recommends that the FRS prefilter always be enabled, because it is the fastest method for returning verdicts on files: the longer the Malware Analysis queue becomes, the longer it takes to return a verdict. Disabling the FRS prefilter, however, may be feasible under the following circumstances:

• You reduce the number of files that Security Analytics sends to Malware Analysis by:
  o Removing the default indicators for the Malware Analysis rule and replacing them with indicators that detect a small number of unique files.
  o Using the data enrichment file-type filter to limit the file types to send to Malware Analysis. (When the FRS prefilter is enabled, the file-type filter for the File Reputation Service is used.)
• Testing in your environment shows that the size of the Malware Analysis queue does not create too much latency in verdict returns.


• Security Analytics does not have an internet connection and so cannot query the GIN cloud.
• You do not have an Intelligence Services subscription but have a Malware Analysis appliance.


Anomaly Detection Process

Also see: Anomaly Detection

The ADM process consists primarily of

• establishment of baseline values
• statistical analysis of new data
• alerting on outliers

Initial Evaluation

For the first six hours of operation, ADM evaluates all incoming traffic and establishes norms for the traffic according to:

• capture interface (eth2, impt0)
• time (time of day, day of week, day of month, month of year)
• IP addresses (initiators and responders)
• port numbers (initiators and responders)
• country of IP addresses (initiators and responders)
• application, as identified by the DPI engine
• bytes transferred
• length of DNS answers
• URL category (only with the Web Reputation Service enabled)

These parameters are derived from the ADM detectors, which have been specifically calibrated for Security Analytics.

Statistical Analysis

The system sends data to ADM in 10-minute chunks, called "analysis windows." This data has already been classified by the DPI engine, so the initiators and responders have been established for each flow, and the URL category (if any) has been determined.

• The length of the analysis window is not significant: it was chosen to balance manageability with frequency of alerts.
• ADM does not compare values in an analysis window with the other values in the same window; rather, it compares all data against the baseline.
• A value is considered anomalous when it is an outlier compared to the mean plus several standard deviations.
• ADM assigns a score to the degree of deviation from the mean: 0–9; anomalies with a score of 8 or higher are posted.


• After ADM finishes evaluating the 10-minute chunk of data, it folds all of that data into the baseline, including the anomalies; therefore, a value that is anomalous today might be within the bounds of "normal" next week.

ADM Detectors

Statistical analysis is performed according to the terms in the ADM detectors. Terms that ADM uses are:

• Field — The attribute to be analyzed as a metric. A By Field is a specific value of Field to be analyzed.
• Function — Operation that is performed on the Field:
  o high_sum — Detects large sums for the Field value.
  o high_info_content — Detects large amounts of content at the beginning of a DNS answer name.
  o high_distinct_count — Detects large numbers of distinct values for the Field.
• Over Field — Always an initiator or responder IP, it identifies the device associated with the anomaly.
• Partition Field — A value by which the data is separated into distinct groups for consideration. Not all detectors have a partition field.

Example 1: Given this detector:

• Function: high_sum
• Over Field: initiator_ip
• Field: total_bytes
• Partition Field: application_ids

ADM groups all of the data in the analysis window by application_ids. For each flow with a particular application ID, ADM sums the total_bytes of flows that have the same initiator_ip. ADM compares the sum to the baseline value for the same

• application_ids
• initiator_ip
• comparable analysis window*

If total_bytes is abnormally high compared to the baseline, ADM assigns it a score 0–9. If the score is 8 or higher, ADM posts the anomaly: "Excessive data transfer by IP initiator while using "


Example 2: Given this detector:

• Function: high_distinct_count
• Over Field: responder_ip
• Field: initiator_country

ADM counts the number of different initiator_country values that have the same responder_ip. ADM compares the number of countries to the baseline value for the same

• responder_ip
• comparable analysis window*

If the number of different initiator_country values is abnormally high compared to the baseline, ADM assigns it a score 0–9.

If the score is 8 or higher, ADM posts the anomaly: "IP responder contacting a high number of countries."
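As an added illustration of examples 1 and 2 (not Security Analytics code), the following Python models the detector loop: aggregate a window by the detector's Over and Partition fields, score each key against the baseline for a comparable window label, post at 8 or higher, then fold the window into the baseline. The 0–9 score mapping, the standard-deviation floor, the five-window warm-up, the window label and the sample flows are all assumptions; the guide does not specify them.

```python
"""Simplified model of the ADM detector loop (added example, not product code).

Models the two detectors from example 1 and example 2.  Each analysis window is
compared with a per-key baseline (running mean and standard deviation for a
comparable window label), scored 0-9, posted at 8 or higher, and then folded
into the baseline, anomalies included.
"""
import math
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

POST_THRESHOLD = 8   # from the guide: anomalies scoring 8 or higher are posted
MIN_WINDOWS = 5      # assumption: history required before a key can be scored


@dataclass
class Baseline:      # running mean/variance (Welford), so windows fold in cheaply
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0

    def fold(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    @property
    def stddev(self) -> float:
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0


def score(value: float, base: Baseline) -> int:
    """Assumed mapping: whole standard deviations above the mean, capped at 9.
    The guide only says "mean plus several standard deviations"."""
    if base.n < MIN_WINDOWS:
        return 0
    sd = max(base.stddev, 1.0)   # assumed floor: avoids dividing by zero on a flat baseline
    return max(0, min(9, int((value - base.mean) / sd)))


def aggregate(window: list, function: str, over: str, fld: str, partition: Optional[str]) -> dict:
    """Apply the detector Function to one window, grouped by (Partition Field, Over Field)."""
    groups = defaultdict(list)
    for flow in window:
        groups[(flow[partition] if partition else None, flow[over])].append(flow[fld])
    if function == "high_sum":              # large sums for the Field value
        return {k: sum(v) for k, v in groups.items()}
    if function == "high_distinct_count":   # many distinct values for the Field
        return {k: len(set(v)) for k, v in groups.items()}
    raise ValueError(f"unsupported function {function!r}")


@dataclass
class Detector:
    name: str
    function: str
    over: str
    fld: str
    partition: Optional[str] = None
    baselines: dict = field(default_factory=dict)

    def evaluate(self, window: list, label: str) -> list:
        """Score one window against the baseline for `label`; return posted anomalies."""
        posted = []
        for key, value in aggregate(window, self.function, self.over, self.fld, self.partition).items():
            base = self.baselines.setdefault((label, key), Baseline())
            s = score(value, base)
            if s >= POST_THRESHOLD:
                posted.append((key, value, s))
            base.fold(value)   # fold the window in: what is anomalous today may be normal later
        return posted


def build_windows() -> tuple:
    """Constructed sample flows: ten quiet windows, then one suspicious window."""
    def flow(init, resp, app, nbytes, country):
        return {"initiator_ip": init, "responder_ip": resp, "application_ids": app,
                "total_bytes": nbytes, "initiator_country": country}
    quiet = [[flow("10.0.0.5", "203.0.113.10", "ftp", 240_000 + 2_000 * i, "US")]
             for i in range(10)]
    countries = ["DE", "BR", "IN", "JP", "FR", "ZA", "AU", "CA", "MX", "KR", "NL"]
    loud = [flow("10.0.0.5", "203.0.113.10", "ftp", 1_083_240, "US")]
    loud += [flow(f"198.51.100.{i}", "203.0.113.10", "ssh", 500, c)
             for i, c in enumerate(countries, 1)]
    return quiet, loud


def run_example() -> dict:
    """Feed the quiet windows as history, then evaluate the suspicious one."""
    quiet, loud = build_windows()
    detectors = [
        Detector("Excessive data transfer by IP initiator while using application",
                 "high_sum", "initiator_ip", "total_bytes", "application_ids"),
        Detector("IP responder contacting a high number of countries",
                 "high_distinct_count", "responder_ip", "initiator_country"),
    ]
    label = "Thu 03:30"   # stands in for the comparable-analysis-window lookup
    for window in quiet:
        for det in detectors:
            det.evaluate(window, label)
    return {det.name: det.evaluate(loud, label) for det in detectors}
```

Both detectors post a score-9 anomaly for the suspicious window only; the eleven new SSH initiators score 0 because their keys have no baseline history yet.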

Interpreting Anomaly Messages

Each of these anomaly messages indicates that the event is unusual for a comparable analysis window:

* A "comparable analysis window" is derived from multiple timespans that pertain to the same capture interface: the specific weekday and time, that time on weekdays in general, that time for that day of the month, as well as recent activity (~48 hours before the analysis window).

Excessive data transfer by IP address while using application

The amount of data that this IP address is transferring — while using this application — is unusually high.


Example: Initiator IP 1.1.12.211, while using FTP, transferred 1,083,240 bytes at around 03:30 on 09 Jun 2016. The mean for this same capture interface + time + IP initiator + application ID combination is 242,026 bytes. That degree of deviation from the mean gets a score of 9.

Anomaly might indicate:
• data exfiltration
• covert communications

IP address sending long strings to DNS servers

This IP address made a DNS request with an unusually high number of characters in the DNS name.

Example: Responder IP 4.2.2.2 sent an unusually long string — represented as 15484 — to a DNS server at around 17:50 on 01 Mar 2017. The mean for this same capture interface + time + IP responder + DNS communication combination is ~110. That degree of deviation from the mean gets a score of 8.

Anomaly might indicate:
• data exfiltration
• command-and-control traffic using DNS tunneling

IP address using numerous applications

This IP address is sending data using an unusually high number of applications.

Example: IP Responder 1.1.48.91 was using 40 applications at around 03:30 on 08 June 2016. The mean for this same capture interface + time + IP responder + number of applications combination is ~1. That degree of deviation from the mean gets a score of 9.

Anomaly might indicate:
• systems under threat-actor control that are performing probes
• scans for penetration
• lateral movement

Many conversations between IP address and multiple IPs or ports

This IP address is having an unusually high number of conversations (sessions) with another IP or port.

Example: IP responder 1.1.33.101 had 34 conversations with multiple initiator IPs at around 03:20 on 08 Jun 2016. The mean for this same capture interface + time + IP responder + number of initiator IPs combination is ~1. That degree of deviation from the mean gets a score of 9.


High data transfer by IP address located in country

This IP address, which is located in this country, transferred an unusually high amount of data.

Example: IP responder 1.1.37.58, which is located in China, transferred 766,408 bytes at around 11:10 on 06 Jun 2016. The mean for this same capture interface + time + IP responder + country combination is ~33,806 bytes. That degree of deviation from the mean gets a score of 9.

Anomaly might indicate:
• denial-of-service attack
• data exfiltration
• legitimate VPN traffic


URL category getting a high number of hits

URLs that belong to this URL category are getting an unusually high number of visits.

Example: URLs in the Web Ads/Analytics category were visited 98 times at around 23:50 on 27 Jun 2016. The mean for this same combination of capture interface + time + URL category is ~15 times. That degree of deviation from the mean gets a score of 9.

Anomaly might indicate:
• phishing
• malware beaconing

Interface Icons

The following icons appear throughout the web interface as controls and signals.

Icon Function

Settings — Click to open the Settings menu.

Analyze > [Summary | Reports | Extractions | Geolocation] — Stop Report(s)/Extraction — Click to stop the data processing on that page.

Active/Inactive — Toggle to activate or deactivate the entry.

Delete — Click to delete this record.

Download — Click to download the item to the local workstation.

Edit — Click to edit this item.

Not Shared/Shared. Shared = Visible to all users on this appliance.

Analyze > Alerts > List — View Report Summary — Click to see the artifact on the Summary page.

Analyze > Report Status > List — View Report — Click to view the report on the Reports page.

Analyze > Indicators — Add to Filter Bar — Click to add the indicator to the filter bar.

Analyze > Anomalies — View Report Summary — Click to view the anomaly data on the Summary page.

Capture > Import PCAP — View This Import — Click to load the PCAP into the Summary page.

Settings > Users and Groups — Remote/Local User. Local = Created on this appliance; remote = created on another authentication server such as an LDAP server.


Settings > Upgrade — Upgrade from Server — Click to initiate a software upgrade from the corresponding server.

Analyze > Alerts > List — View Artifacts — Click to view the artifact on the Extractions page.

Analyze > Saved Extractions — View Extraction — Click to view the artifacts on the Extractions page.

Analyze > Summary > Extractions — Preview — Click to preview the artifact.

Analyze > Alerts > List — URL — The item that triggered this alert is a URL.

Analyze > Alerts > List — File — The item that triggered this alert is a file.

Analyze > Alerts > List — Malware — The reputation report for this item was generated by a Malware Analysis appliance.

Capture > Import PCAP — Manage Connections — Click to configure/edit a watch folder.

Analyze > Rules > Create/Edit PCAP Export — Manage Connections — Click to configure/edit an external mount point.

Analyze > Summary — More Information — Click to see more information or to download the displayed data as a PCAP(NG).

Capture > Import PCAP — Import Information — Click to see information on the imported PCAP(NG).

Analyze > Summary — Unindexed Flows — Click to see how many of the flows in the current view are not yet indexed.

Capture > Summary — Hidden/Showing — Click to hide or show lines on the capture summary graph.

Capture > Summary — Capture Filter — Click to apply or remove a capture filter on an interface.

Analyze > Alerts > List — Critical Alert

Analyze > Alerts > List — Warning

Analyze > Alerts > List — Notice

Capture > Import PCAP — View Alerts of This Import — Click to view the alerts that were generated by this PCAP.

Analyze > Summary > Extractions — Explore Root Cause — Click to view the root cause of the artifact.

Analyze > Summary > Extractions — Reputation — Click to view available reputation information for the artifact.

Analyze > Summary > Extractions — Analyze PCAP — Click to open the artifact in the Packet Analyzer.

Analyze > Summary > Extractions — Show Payload — For HTTP Method POST artifacts, display the payload.


Appliance Ports

Consult the following diagrams to see how ports are designated on a Symantec Security Analytics appliance. For instructions on cabling and configuration for head unit plus storage module combinations, see the Security Analytics Installation Guides on Symantec Support Center under Installation Guide. Be sure that you use the instructions for the correct hardware vendor and generation.

Go to Security Analytics documentation on the Symantec Support Center and select Hardware Guide for Document Type to see the bill of materials for each model.

The location of the management port in the Dell Hardware is valid only after Security Analytics has been installed on the hardware.

2G Appliances

SA-S500-20-FA

SA-2G-10T-G6 Dell PowerEdge R630 Rack Server


10G Appliances

SA-S500-30-FA

SA-S500-40-FA

SA-10G-HD-8T-FC-G6 Dell PowerEdge R630 Rack Server


SA-10G-26T-G6 Dell PowerEdge R730xd Rack Server

Central Managers

SA-S500-10-CM

SA-CM-4T-G6 Dell PowerEdge R630 Rack Server


Storage Modules and Arrays

SA-E5660-ISA-300T Security Analytics E5660 300T Intelligent Storage Array

SA-J5300-DAS-40T Blue Coat Security Analytics J5300 40T Direct-Attached Storage

The rightmost two ports in each module are used only in a two-node failover cluster, which Symantec does not support for Security Analytics.


SA-SM-48T-G6 Dell PowerVault MD1400 Attached Storage

The rightmost two ports in each module are used only in a two-node failover cluster, which Symantec does not support for Security Analytics.

SA-SM-240T-FC-G6 Dell PowerVault MD3860f High-Speed Fibre Channel Storage


NetApp® E2760 Storage Array


Interface Screens

Alerts Management Dashboard

The default landing page, the Alerts Management Dashboard, provides immediate visibility into the current state of network traffic.

• Populating the Dashboard
• Alerts List

1 Analyze Menu: Summary, Reports, Extractions, Geolocation
2 Capture Menu
3 Statistics Menu
4 Alerts in the last 96 hours; this count is not affected by the alerts filters
5 Anomalies
6 Account Settings
7 Settings Menu
8 System Utilization and Notifications
9 Dashboard, Summary, and List tabs
10 Time Range Filter
11 IP Filter
12 Advanced Filter
13 Importance Filter — Click to add to the Advanced Filter
14 Alert Distribution over Time Histogram
15 Alert Cards — Click details to see the alert list


Populating the Dashboard

Alerts are produced by rules.

• By default, the following rules are enabled: Heartbleed Attack Attempt, Non-Standard SSH, Shellshock Webserver Exploit Attempt, and Local File Analysis - Live Exploits.
• To enable other rules or create new ones, select Analyze > Rules or click Set Up Rules for Alerts.

Analyze > Summary

See Summary Views for further information.


1 Filter Bar
2 Analyze Pages: Summary, Reports, Extractions, Geolocation
3 View Selector
4 Status Bar
5 Navigation Bar
6 Save and Delete Indicator Controls
7 Alerts in the last 96 hours and Anomalies
8 Update and Stop Reports Buttons
9 Timespan Filter
10 Account Settings
11 Settings Menu
12 System Utilization and Notifications
13 Actions Menu
14 Application Group Widget
15 Reindexing Control
16 Session Resolution Control
17 Information and PCAP Download
18 Application Group over Time Widget
19 Table Display
20 Pie Chart Display
21 Column Display
22 Bar Chart Display

Capture > Summary

See Capture for more information.


1 Analyze Menu: Summary, Reports, Extractions, Geolocation
2 Capture Menu
3 Statistics Menu
4 Alerts in the last 96 hours and Anomalies
5 Account Settings
6 Settings Menu
7 System Utilization and Notifications
8 Status Bar
9 Graph Scales
10 View Menu
11 Actions Menu
12 Data Availability Histogram
13 Capture Totals
14 Stop/Start Capture on All Interfaces
15 Capture Interfaces

Capture Interfaces

Each capture interface on a Security Analytics appliance has a graphical box. To change the unit of measure on the boxes, go to [Account Name] > Preferences.

1 Line color on the graph

2 Interface name: eth — Ethernet; agg — aggregated interfaces. Click to edit the name.

3 Interface speed

4 Toggle to start/stop playback

5 Toggle to enable/disable data representation on the graph

6 Click to apply a capture filter; during playback, click to see playback information

7 Toggle to start/stop data capture


Each active interface box shows a table with the following columns:

• Type — Current, maximum, and total
• Captured — Total amount of data captured by this interface
• Filtered — Amount of filtered data captured by this interface

Analyze > Summary > Reports

See Reports for more information.

1 Filter Bar
2 Analyze Pages: Summary, Reports, Extractions, Geolocation
3 Report Selector
4 Status Bar
5 Navigation Bar
6 Save and Delete Indicator Controls
7 Alerts in the last 96 hours and Anomalies
8 Update and Stop Report Buttons
9 Timespan Filter
10 Account Settings
11 Settings Menu
12 System Utilization and Notifications
13 Actions Menu
14 Report Summary Chart
15 Session Resolution Control
16 Information and PCAP Download
17 Total Sessions over Time Histogram
18 Report Comparison Control
19 Advanced Filter
20 Results Table

Analyze > Summary > Extractions

See Extractions for more information.

1 Filter Bar
2 Analyze Menu: Summary, Reports, Extractions, Geolocation
3 View Selector: Artifacts, Artifacts Timeline, Email, IM Conversations, Media Panel
4 Status Bar
5 Navigation Bar
6 Information and PCAP Download
7 Save and Delete Indicator Controls
8 Alerts in the last 96 hours and Anomalies
9 Update and Stop Extraction Buttons
10 Timespan Filter
11 Account Settings
12 Settings Menu
13 System Utilization and Notifications
14 Actions Menu
15 Histogram
16 Advanced Filter
17 Results List
18 Expanded Artifact Entry
19 Artifact Actions: Preview, Download, Analyze, Explore Root Cause, Reputation

Analyze > Summary > Geolocation

See Geolocation for more information.

1 Filter Bar
2 Analyze Pages: Summary, Reports, Extractions, Geolocation
3 View Selector
4 Status Bar
5 Navigation Bar
6 Save and Delete Indicator Controls
7 Alerts in the last 96 hours and Anomalies
8 Update and Stop Report Buttons
9 Timespan Filter
10 Account Settings
11 Settings Menu
12 System Utilization and Notifications
13 Map Controls
14 Geolocation Map
15 Information and PCAP Download
16 Actions Menu
17 Advanced Filter
18 Results List


Central Manager Console Guide

This section includes the following topics:

• Connect Your First Sensor to the CMC
• User Accounts and Groups on the CMC
• Remote Groups: Example Setup
• Multi-Sensor Environment
• Upgrading Sensors
• CMC Local Management


Introduction to the Central Manager Console

Security Best Practice

• Update the CMC VPN key to a 2048-bit RSA keypair. If you are upgrading to version 7.3.x from version 7.1.x or earlier, you must recreate the CMC VPN; all new connections between 7.3.x CMCs and their sensors use a 2048-bit RSA keypair.
• Provide a password when downloading the authorization key.

If you are upgrading your CMCs and sensors from an earlier version of Security Analytics (7.1.x or 7.2.1), you must follow the instructions on the CMC Initial Settings page.

The Symantec Security Analytics CMC is a dedicated appliance that is licensed as a CMC. With the CMC, you can manage multiple sensors (formerly "managed appliances") and analyze data from the sensors. Specifically, the CMC provides:

• An aggregated view of data across multiple sensors
• An interface for sensor management
• Centralized sensor software upgrades

This illustration shows one possible configuration: three sensors being managed by one CMC. Notice that all connections between the sensors and the CMC are conducted over VPN connections. The browser for the CMC’s web interface uses an HTTPS connection. Each link between a sensor and the CMC has its own VPN connection.


• Because each of these connections is a separate tunnel, no sensor can "see" or communicate with another sensor through the VPN.
• The VPN can cross network boundaries.
• CMC-to-sensor traffic that is captured by Security Analytics is classified as udp > openvpn or tcp > openvpn in the Tunneling application group.

CMC Initial Settings

Follow these steps when installing a new CMC.

1. Complete the steps to configure a standalone appliance.

Before you create the VPN network, verify that the system time for the CMC is correct. Symantec recommends that you enable NTP on all CMCs and their sensors.

2. The Central Management Settings page should be the next display on the CMC interface, after the Initial Settings page. If you are not on this page, select Settings > Central Management > Settings.

3. Select TCP or UDP as the VPN connection protocol.
4. Select IPV4 or IPV6 for Network Type. The IPV6 option is available only if the CMC has an IPv6 address for eth0. You cannot set up both an IPv4 and an IPv6 subnet on the same CMC; for a mixed environment, Symantec recommends an IPv4 network.
5. Specify the following:

• IPv4 Network
  o Subnet — Specify the IP addresses to be used for the VPN connections between the sensors and the CMC. The default is 10.8.0.0/16. This subnet must be different from any other subnet on your network.
  o Netmask — Specify the netmask for the VPN subnet. The address space should be large enough to provide four IP addresses for each sensor that the CMC controls.
  o Port — Specify the port for the VPN connection on the sensors: Default is 1194. It is strongly recommended that you not use ports 22, 80, or 443, because they are reserved for other applications and protocols.
• IPv6 Network
  o IPv6 Unique Local Addresses — Specify a subnet for the Unique Local IPv6 Addresses (ULAs). This non-routable address should be unique on your network. Symantec recommends that you not change the default (fdf9:568f:54b9::/64) unless it conflicts with the ULA for another CMC.


  o Port — Specify the port for the VPN connection on the sensors: Default is 1194. It is strongly recommended that you not use ports 22, 80, or 443, because they are reserved for other applications and protocols.

• If you have more than one CMC on your network, the VPN subnets must be unique for each CMC.
• The CMC is always xx.xx.xx.1 on an IPv4 VPN subnet, and it assigns addresses to the sensors automatically: xx.xx.xx.2–254. For IPv6 VPNs, the CMC's address is the subnet designation and then it assigns addresses xxxx:xxxx:xxxx::1000 through xxxx:xxxx:xxxx::N to the sensors.
• Your organization's firewalls and routers must permit the traffic between the CMC and the sensors that you want to manage through the CMC. Verify that the VPN, port, and protocol settings (including HTTPS) permit the connections.

6. Click Save. Registration and configuration may take several minutes, depending on your network conditions. The VPN network settings are being established during this time.

Connect Your First Sensor to the CMC

This page explains how to connect one sensor to the Symantec Security Analytics CMC and to grant yourself (the Administrator on the CMC) access to the sensor. You should have already completed the CMC initial setup.

Generate the Authorization Key for the Sensor

1. On the CMC, select CMC > Dashboard.
2. Click Manage Sensors.
3. Click Actions > New.
4. Type a unique, descriptive name for the sensor.
   • The sensor's hostname and IP address do not appear on the CMC dashboard, so the sensor name should be as specific as possible.
   • In the sensor selector, only the first 15–20 characters of the sensor name are visible; you may want to put the more distinguishing part of the name first.
5. For now, leave the Authorizations, Remote Groups, and Labels fields blank.
6. Click Save. A one-time field is displayed above the Sensors table.
7. Click Download Key.
8. Optional — Provide a password for Encrypt with Password and click Save to save the authorization key file as _auth_key.tar.gz.gpg.


• To download the authorization key file at a later time, you can return to the Manage Sensors page and click Download for the sensor.
• If you are using the Safari browser on a Macintosh workstation, Safari will unzip the TGZ file when you download it. You must re-compress the file for it to be valid.

Link the Sensor to the CMC

1. Log in directly to the sensor with administrator credentials and select Settings > Central Management.
2. Click New.
3. For Authorization Key File click Browse.
4. Locate the authorization key file for this sensor (_auth_key.tar.gz[.gpg]) and click Open.
5. Enter the password for the file, if any.
6. For Central Manager Host, type the IP address for the CMC that generated the key. Use the IP address for the CMC's management port (eth0) — IPv4 for an IPv4 VPN or IPv6 for an IPv6 VPN. Do not use the CMC's VPN address nor its hostname.

To connect a sensor to a CMC over an IPv6 VPN, eth0 on the sensor must have an IPv6 address and IPv6 gateway.

7. Click Save. When the authorization is complete, an entry for the CMC appears in the Central Manager Settings list.
8. On the CMC, go to the dashboard. The sensor appears in the Other Sensors list.

If you cannot see the sensor:

• Verify with your network administrators that corporate firewalls permit the sensors to reach the CMC's eth0 over port 1194.
• Ensure that the CMC and the sensor are using the same port for HTTPS.

Security Best Practice

Destroy the authorization key file after you have used it to connect the sensor to the Central Manager.


Grant Yourself Access to the Sensor

1. On the CMC, select Settings > Users and Groups and click the Remote Groups tab.
2. Verify that the admin (Default) remote group is present.
3. Click the Edit icon for the admin remote group; under Group Members, type adm and select admin when it is displayed.
4. Click Save.
5. On the CMC, select Settings > Central Management and click the Sensors tab. The Sensors list displays the following information:

ID — Sensor ID, as assigned by the CMC. If you delete a sensor and then re-add it, the CMC will assign it a new ID.

Name — Name of the sensor, as created on the CMC

Host — IP address of the sensor on the VPN network

Authorized Users — Users who are authorized to access the sensor through the CMC, according to their remote-group permissions. Users in this field have access to the sensor even when the other remote-group members do not.

Authorized Remote Groups — User groups that are authorized to access the sensor through the CMC.

Labels — User-defined tags to use while selecting multiple sensors.

Model — Hardware type

Version — Current software version of the sensor

Actions — Controls to perform the following tasks:
• Download the sensor's authorization key
• Edit the sensor entry
• Delete the sensor entry
• Upgrade the software on the sensor

Click Edit for the sensor and do one or both of the following:

• For Authorizations, type adm and then select admin when it is displayed. This setting provides the admin account with admin-level access to the sensor without giving it to other users who are members of the admin remote group.
• For Remote Groups, type adm and then select admin when it is displayed. This setting provides admin-level access to the sensor to all members of the remote group.


On the CMC, the groups grant access to the CMC itself, whereas the remote groups grant access to the sensors through the CMC.

• For Labels, type a new label name and press Enter or type an existing name and select it. You can add as many labels as you need to organize your sensors for selection.

Click Save and return to the dashboard. The sensor should be in the Your Sensors list. You can click the sensor icon to access it or select it from the sensor selector (CMC button).

Disconnect Sensors from a CMC

To disconnect sensors from a CMC, you have these options:

• Interrupt the connection
• Delete the connection

Interrupt the Connection

Method 1
1. On the CMC, click CMC to open the sensor selector.
2. Click to remove the sensor from the Selected column and click Apply.

Method 2
1. Log on directly to the sensor.
2. Select Settings > Central Management.
3. For the CMC, click the Active/Inactive icon to deactivate it.


Delete the Connection

Method 1
1. Log on directly to the sensor.
2. Select Settings > Central Management.
3. For the CMC, click the Delete icon to remove it.

When you delete the CMC's entry on the sensor, the sensor's entry in the CMC's Sensors table is not deleted. To reconnect to that CMC, you can repeat the connection process with the original authorization key.

4. On the CMC, select Settings > Central Management > Sensors.
5. Click the Delete icon to remove the sensor's entry. You cannot undo this action.

Method 2
1. On the CMC, select Settings > Central Management > Settings.
2. Click Reset Settings to reset the communication settings to default values.

When you click Reset Settings, you de-authorize all currently authorized sensors, delete all connections to them, and remove their entries from the Sensors table. To reconnect the sensors, you must create new sensor entries, download new authorization keys, and create new CMC entries on each sensor.

Manage One Sensor with Multiple CMCs

You may set up a many-to-one relationship among multiple CMCs and one sensor (as well as multiple CMCs with multiple sensors). Verify that each CMC uses a different VPN subnet. It is possible for a sensor to connect to one CMC over an IPv4 subnet and to another over an IPv6 subnet. On each CMC that will manage the sensor, generate a key for the sensor. Add the authorization key file to the sensor on Settings > Central Manager.


One sensor managed by three CMCs

When multiple CMCs manage one or more sensors, some CMC functions become unstable. Follow these guidelines to prevent unexpected behavior or data loss:
• Do not attempt to push-upgrade the same sensor from different CMCs at the same time.
• Do not use a CMC to create non-shared indicators or rules on the sensors.

User Accounts and Groups on the CMC

As with standalone appliances, access to a Symantec Security Analytics CMC is granted by membership in a group. To these groups, you can assign permissions at a granular level — any user in the group has those permissions on the appliance.

Likewise, users who access a sensor through the CMC must be assigned to a group that specifies which permissions the user has on the sensor. On the CMC, these are called "Remote Groups."

For instructions on assigning local permissions to groups — including LDAP groups — consult User Accounts and Groups for standalone appliances.

Sensor Access

Users cannot access a sensor until they are assigned permissions for that sensor. There are two methods for granting sensor-access privileges to a user:

• Authorizations — Individual access to the sensor, according to the user's remote-group permissions
• Remote Groups — Provides RBAC for groups of users

You may use one or both of these methods, that is, a user may be present in both the Authorizations field and in a remote group that is present in the Remote Groups field.

Authorizations

On the CMC dashboard, click Manage Sensors. Click Edit for the sensor. For Authorizations, type the first few letters of the username and then select it when it becomes visible. Click Save.


• The authorized user must belong to at least one remote group.
• The authorized user's permissions on the sensor are the remote-group permissions: if the user is not a member of a remote group, the user cannot access any sensors.

Remote Groups

• See Create or Modify a Group for instructions on creating a remote group. This process is identical to creating user groups on a standalone appliance.
• See Remote Groups: Example Setup for a scenario in which granular access controls to individual sensors are granted to a variety of users.

Remote Groups: Example Setup

The following example describes how to assign specific sensor permissions to different users using the CMC's remote groups. This example does not include instructions on assigning permissions to the CMC itself.

Network Setup

The example network has three sensors that are controlled exclusively through one CMC.

• Sensor 1 monitors general workstation traffic in the organization.
• Sensor 2 monitors traffic that includes a public-facing web site, hosted on a cluster of HTTP servers that are on VLAN 7. Other file servers are on different VLANs that the sensor also monitors.


• Sensor 3 monitors traffic that includes VLAN 12, which contains executive workstations, devices, and servers that contain sensitive corporate, accounting, and human-resources data.

Requirements

The organization needs the following sensor functions to be performed by different users:

• Full administrative access to modify all settings and accounts
• Log auditing to check for conformity to network policy as well as the archiving of logs
• Only one user is to be entrusted with auditing the traffic on VLAN 12
• Security enforcement, which ensures that all devices and user accounts conform to security policies
• General analysis of all LAN traffic to check for malware, breaches, and usage violations
• Only one user is to be entrusted with analyzing the traffic on VLAN 12
• Monitoring and analysis of all incoming traffic to the public web site, but no access to other LAN traffic

Design

The requirements are best fulfilled with five remote groups:

• admin — All permissions. This remote group is already present on the CMC.
• auditor — View and download the audit log. This remote group is already present on the CMC.
• Security — Modify all sensor-access settings such as authentication, certificates, and the firewall.
• Analyst — View and modify all Analyze pages, import PCAPs from local and remote sources, view and download audit logs, view the capture summary graph, modify data-enrichment settings.
• Website — View and modify all Analyze pages, import PCAPs from local sources, only view web-related traffic on VLAN 7.

The groups will be assigned permissions on the sensors as follows:

• Sensor 1 — admin, Analyst, Auditor, Security
• Sensor 2 — admin, Auditor, Security, Website
• Sensor 3 — admin, Security

In this example, eight users have access to the sensors:

• admin — Senior system administrator
• Analyzer1 — Senior analyst
• Analyzer2 — Associate analyst
• Auditor1 — Senior auditor
• Auditor2 — Associate auditor
• Watchman — Security compliance administrator
• WebMaster1 — Web site administrator
• WebMaster2 — Web site administrator

The order in which the remote groups, users, and sensor permissions are created is flexible. A simple sequence is presented here:
1. Create the remote groups
2. Create the users
3. Assign sensor authorizations (the example assumes that the sensors are already connected to the CMC)

Create the Remote Groups

Create the remote groups shown in the table (except admin and auditor, which are included by default):

Remote Group   Permissions
Analyst        All Analyze pages, local and remote PCAP import, view and download audit log, view capture summary, modify data-enrichment settings
Security       Modify authentication, sensor-access, SSL certificates, and web-interface settings
Website        All Analyze pages, PCAP import, web-related traffic only, traffic on VLAN 7 only

1. Log on to the CMC with admin permissions.
2. Select Settings > Users and Groups.
3. Click the Remote Groups tab.
4. Select Actions > New.
5. For Name, type Analyst.
6. For Description, type All Analyze pages, capture summary, PCAP import, data enrichment.
7. Select the following check boxes:
   • Settings > Data Enrichment
   • Capture > Capture Summary
   • Capture > Import PCAP
   • Analyze
8. For now, leave the Data Access Control and Group Members sections blank and click Save.
9. Select Actions > New.
10. For Name, type Security.
11. For Description, type Settings: authentication, security, and web interface.
12. Select the following check boxes:
   • Settings > Authentication
   • Settings > Security
   • Settings > Web Interface
13. Click Save.
14. Select Actions > New.
15. For Name, type Website.
16. For Description, type application_group=web, vlan_id!=4,5,6; all Analyze pages, view and download audit log, local PCAP import
17. Select the following check boxes:
   • Logs
   • Capture > Import PCAP
   • Analyze
18. Under Data Access Control do the following:
   • Type application_group=web and press Enter.
   • Type the following and press Enter:
     o vlan_id!=4
     o vlan_id!=5
     o vlan_id!=6
   • Optional — Type vlan_id=7 and press Enter.
19. Click Save.


Create the Users

Create the users and assign them their remote groups, as shown in this diagram.

1. Click the Users tab.
2. Verify that for the admin account, admin is shown under Remote Groups. If it is not:
   • Click the Edit icon for the admin account.
   • For Remote Groups, type adm and select admin when it is displayed.
   • Click Save.
3. Select Actions > New.
4. For Username type Auditor1. This name cannot be changed later.
5. For Password and Confirm Password, type a password.
6. Under Group Memberships, do the following:
   • For User Groups, accept the default: user. This setting determines the permissions that the user has on the CMC itself.
   • For Remote Groups, delete admin, then type aud and select Auditor when it is displayed.
7. Click Save.
8. Create the remaining users with the values shown in the following table:

Username     User Groups   Remote Groups
Analyzer1    user          Analyst
Analyzer2    user          Analyst
Auditor2     user          Auditor
Watchman     user          Security, Auditor
WebMaster1   user          Website
WebMaster2   user          Website

Assign Sensor Authorizations

1. Select Settings > Central Management and click the Sensors tab.
2. Click the Edit icon for Sensor 1.
3. For Remote Groups, add the following:
   • admin
   • Analyst
   • auditor
   • Security
4. Click Save.
5. Add the authorizations and remote groups to Sensor 2 and Sensor 3 according to the following information:

Sensor     Authorizations         Remote Groups
Sensor 1   (none)                 admin, Analyst, auditor, Security
Sensor 2   Analyzer2              admin, auditor, Security, Website
Sensor 3   Auditor1, Analyzer1    admin, Security

Results

To verify the inputs, go to Settings > Users and Groups > Remote Groups. The Remote Groups table should have the following data:

Name       Description                                                                                          Users
admin      (Default)                                                                                            admin
Analyst    All Analyze pages, capture summary, PCAP import, data enrichment.                                    Analyzer1, Analyzer2
auditor    (Default)                                                                                            Auditor1, Auditor2, Watchman
Security   Settings: authentication, security, and web interface                                                Watchman
Website    application_group=web, vlan_id!=4,5,6; all Analyze pages, view and download audit log, local PCAP import   WebMaster1, WebMaster2


Given the preceding setup, the resulting sensor-access permissions are as follows:

Sensor 1

• All users that belong to the remote groups admin, Analyst, auditor, and Security are able to access Sensor 1 with their respective permissions.
• Watchman has both Security and auditor permissions on Sensor 1.

Sensor 2

• All users that belong to the remote groups admin, auditor, Security, and Website are able to access Sensor 2 with their respective permissions.
• Analyzer2 can access Sensor 2 with Analyzer permissions. Analyzer1 does not have permissions on Sensor 2.
• WebMaster1 and WebMaster2 can access web-related traffic on VLAN 7 only.
• The admin, Auditor1, Auditor2, and Watchman accounts have no data-specific restrictions on their access.
• Watchman has both Security and auditor permissions on Sensor 2.


Sensor 3

• Auditor1 is the only user with auditor permissions on Sensor 3.
• Analyzer1 is the only user with Analyzer permissions on Sensor 3.
• All users that belong to the remote groups admin and Security are able to access Sensor 3 with their respective permissions.
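The access model of this example, worked through in code. This is an added example, not code from the guide or from the product: the group, user, authorization and Data Access Control values are the ones in the tables above, while the short permission labels, the evaluation rule (an authorized user gets all of their own remote groups; anyone else gets only the remote groups that are both assigned to the sensor and contain the user) and the filter semantics are assumptions drawn from the text.

```python
"""Effective sensor access under the CMC remote-group model (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RemoteGroup:
    permissions: frozenset      # constructed short labels standing in for the check boxes
    data_access: tuple = ()     # Data Access Control constraints as (field, op, value)


# Remote groups from the Design section; the permission labels are constructed.
REMOTE_GROUPS = {
    "admin": RemoteGroup(frozenset({"all"})),
    "auditor": RemoteGroup(frozenset({"logs"})),
    "Analyst": RemoteGroup(frozenset({"analyze", "pcap_import_local", "pcap_import_remote",
                                      "logs", "capture_summary", "data_enrichment"})),
    "Security": RemoteGroup(frozenset({"settings_authentication", "settings_security",
                                       "settings_web_interface"})),
    "Website": RemoteGroup(
        frozenset({"analyze", "pcap_import_local", "logs"}),
        data_access=(("application_group", "=", "web"),
                     ("vlan_id", "!=", "4"), ("vlan_id", "!=", "5"), ("vlan_id", "!=", "6"),
                     ("vlan_id", "=", "7")),   # the optional vlan_id=7 entry
    ),
}

# User -> remote groups, from the Create the Users table.
USER_GROUPS = {
    "admin": {"admin"},
    "Auditor1": {"auditor"}, "Auditor2": {"auditor"},
    "Analyzer1": {"Analyst"}, "Analyzer2": {"Analyst"},
    "Watchman": {"Security", "auditor"},
    "WebMaster1": {"Website"}, "WebMaster2": {"Website"},
}

# Sensor -> (Authorizations, Remote Groups), from the Assign Sensor Authorizations table.
SENSORS = {
    "Sensor 1": (set(), {"admin", "Analyst", "auditor", "Security"}),
    "Sensor 2": ({"Analyzer2"}, {"admin", "auditor", "Security", "Website"}),
    "Sensor 3": ({"Auditor1", "Analyzer1"}, {"admin", "Security"}),
}


def effective_groups(user, sensor):
    """Remote groups whose permissions `user` holds on `sensor` (assumed rule).

    An authorized user gets all of their own remote groups; any other user gets
    only the remote groups that are both assigned to the sensor and contain the
    user. A user in no remote group gets nothing, even if authorized.
    """
    authorizations, assigned = SENSORS[sensor]
    member_of = USER_GROUPS.get(user, set())
    if user in authorizations:
        return set(member_of)
    return member_of & assigned


def effective_permissions(user, sensor):
    """Union of the permissions of the user's effective groups on the sensor."""
    perms = set()
    for group in effective_groups(user, sensor):
        perms |= REMOTE_GROUPS[group].permissions
    return perms


def _matches(record, constraint):
    key, op, value = constraint
    actual = str(record.get(key, ""))
    return actual == value if op == "=" else actual != value


def can_view_record(user, sensor, record):
    """Data Access Control check (assumed semantics): a record is visible when all
    constraints of at least one effective group hold; a group with no constraints,
    such as admin or auditor, sees every record. No effective group, no data."""
    return any(all(_matches(record, c) for c in REMOTE_GROUPS[g].data_access)
               for g in effective_groups(user, sensor))


def access_matrix():
    """Which groups each user holds on each sensor; compare with the Results above."""
    return {sensor: {user: sorted(groups)
                     for user in USER_GROUPS
                     if (groups := effective_groups(user, sensor))}
            for sensor in SENSORS}


if __name__ == "__main__":
    for sensor, users in access_matrix().items():
        print(sensor, users)
    web_record = {"application_group": "web", "vlan_id": 7}   # constructed record
    print("WebMaster1 on Sensor 2:", can_view_record("WebMaster1", "Sensor 2", web_record))
```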

Multi-Sensor Environment

The Symantec Security Analytics CMC does not perform data capture but instead aggregates report and PCAP data that the sensors send.

View Multiple Sensors

Add user-defined labels to each sensor so that related groups of sensors can be more easily managed. You can define or add labels at the time that you create the sensor entry, or you can add and remove labels on the Sensors page by selecting one or more sensors and selecting Actions > Add | Remove Labels.


On the CMC dashboard, click CMC to expand the sensor selector.

Select the sensors to view using one of two methods:

• Click one or more sensors to move them into the next column, and then click Apply.

• Enter one or more existing label names under FILTER BY LABEL. Multiple labels are ANDed, so the sensors with all of the labels are displayed in the left pane. Click individual sensors or click Add All, and then click Apply.


To remove a sensor, click its X and then click Apply.

To remove all sensors, click Clear All and then click Apply.

To return to the CMC dashboard at any time, expand the sensor selector and click Dashboard.

Sensor-Selection in the URL

• The default behavior for the CMC is to specify the sensor's number in the URL: https:///?&appliances=7,3,8 In this example, the three selected sensors (appliances) are designated by their sensor IDs, which were assigned by the CMC in the order the sensors were created. You can see the sensor IDs on the Sensors page.
• Sensor IDs are not reused or reassigned, so if a sensor is re-added to the CMC after being deleted, it will be assigned a new sensor ID.
• You can manually specify the sensor's name in the URL in place of the sensor ID. The name must be URL-encoded, so if the sensor's name is Bldg 2, Level 5 the URL is: https:///?&appliances=Bldg%202%2C%20Level%205
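The URL form above, built and parsed in code. This is an added example, not part of the guide; the host cmc.example.invalid is a placeholder. It encodes names with no safe characters, which is what keeps the comma in a name such as Bldg 2, Level 5 from being read as the list separator, and it splits the list before decoding for the same reason.

```python
"""Build and parse the CMC sensor selector carried in the URL (added example)."""
from urllib.parse import quote, unquote, urlsplit

CMC_HOST = "cmc.example.invalid"   # placeholder host, not a real CMC


def selector_url(sensors, host=CMC_HOST):
    """Return the dashboard URL that selects the given sensors.

    Each entry is an int (the sensor ID assigned by the CMC) or a str (the
    sensor name). Names are percent-encoded with safe="" so that spaces and,
    above all, commas cannot collide with the comma that separates entries.
    """
    parts = [str(s) if isinstance(s, int) else quote(s, safe="") for s in sensors]
    return f"https://{host}/?&appliances={','.join(parts)}"


def parse_selector(url):
    """Return [(kind, value)] with kind 'id' or 'name' for the appliances list.

    The raw query is split on ',' before any decoding; decoding first (as
    urllib.parse.parse_qs would do) would turn an encoded comma inside a
    name back into a separator and split the name in two.
    """
    raw = ""
    for pair in urlsplit(url).query.split("&"):
        if pair.startswith("appliances="):
            raw = pair[len("appliances="):]
    selected = []
    for token in raw.split(","):
        if not token:
            continue
        if token.isdigit():
            selected.append(("id", int(token)))
        else:
            selected.append(("name", unquote(token)))
    return selected


if __name__ == "__main__":
    print(selector_url([7, 3, 8]))
    print(selector_url(["Bldg 2, Level 5"]))
    print(parse_selector(selector_url([7, "Bldg 2, Level 5"])))
```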


Data Aggregation

With two or more sensors selected, the summary screen displays aggregated data from the sensors. The Reports, Extractions, and Geolocation views have a drop-down arrow at the left of the status bar. Expand to see the status for each individual sensor.

Aggregation is not available for the following:

• Anomalies
• Capture pages
• Statistics pages
• Settings pages

For these pages, select a sensor from the selector in the upper-right corner of the interface to view each sensor's page separately.

Multi-Sensor Metadata

On Settings > Metadata, you can choose from hundreds of metadata types to index. On this page you have the option of setting metadata attributes for one sensor or of pushing attributes to all connected sensors. Changes to this page will cause sensors to reboot. The CMC does not reboot when this page is changed.

• Sensors Selected — With one or more sensors selected, you can select each sensor's Metadata Settings page and save the settings.
• No Sensors Selected — With no sensors selected, you can push the settings on the CMC's Metadata Settings page to all connected sensors.
  o Make the desired changes to the CMC's Metadata Settings page and click Save.
  o Click Push Metadata to Sensors to push the new settings to all connected sensors.


All of the metadata settings across all sensors must be identical before you attempt to retrieve reports from those sensors via the CMC. Failure to synchronize the metadata settings on all sensors will result in no data returned for any report.

Multi-Sensor Summary Views

On all of the Summary views the data is aggregated from all selected sensors. When you create or edit a view on the CMC (by deleting or adding widgets, for example), the changes are not propagated to the individual sensors: only on the CMC can the user see the changes.

Multi-Sensor Reports

The reports that are available on the CMC are the same as for a standalone appliance.

The CMC does not generate reports for the sensors — each individual sensor generates its own report and passes the data to the CMC. However, the saved, aggregated report views are stored on the CMC.

Click Reports on the sensor selector to see reports in progress, completed, and deleted.

If you are viewing the data from more than one sensor, click a row to show the breakout per sensor.

In the Application report, above, DNS data has been captured by four sensors.


Multi-Sensor Extractions

• On the Extractions page, the display in the Distribution panel is aggregated, whereas the items listed in the Results panel are not.
• In a multi-sensor environment, the Sensor column shows which sensor captured the artifact.

• In the expanded view, the sensor name is also visible.

Multi-Sensor Indicators

On the Indicators and Rules pages, a Sensors column shows where the item is present, or for the Alerts List, which sensor generated the alert.

• If the same indicator is present on multiple sensors, click the [N] more link to see the full list of sensors.


• When creating an indicator, you can apply it to one or multiple sensors. In the Sensors field, all sensors appear by default. Delete any sensors to which you do not want to copy the indicator.

• Any indicator that you add to the Filter field must already be present on the sensor(s) where the new indicator is to be created.
• Creating non-shared indicators through the CMC is not supported; such indicators will not persist on the sensors and will cause unexpected behavior in any rules that are created with them.
• When you delete an indicator, you also delete other indicators, rules, and alerts that contain the indicator. See Delete Indicators.

Multi-Sensor Rules


• When creating a rule, you must select the sensor on which the rule is to be created.

• When creating a rule, the indicator(s) in the First Event field must already be present on the sensor(s) where the rule is to be created.
• Creating non-shared rules through the CMC is not supported; creating such rules will result in unexpected behavior.
• Shared rules are visible on the sensors.

Multi-Sensor Alerts

• On Analyze > Alerts > List, you can see each instance of a triggered alert. The sensor that registered the hit is displayed in the Sensors column.

Multi-Sensor PCAP Files

• You can download PCAP files from the CMC from Analyze > [Summary | Reports | Extractions | Geolocation].
• The CMC creates a single ZIP file that contains a separate PCAP for each sensor.

PCAP Import

• PCAP imports cannot be aggregated.
• When importing a PCAP to a sensor via the CMC, only the Remote Server option is supported for Import from.
• If two or more sensors have identical mount points, the identical mount points are aggregated in the display.

Multi-Sensor Geolocation and Google Earth

Although the Geolocation and the Google Earth tools can show maps with both aggregated data and individual sensor data, the Geolocation tool in the CMC does not identify the sensor that the data came from. With the Google Earth tool, you can choose to display either aggregated data or data from any individual sensor.

When you download a Google Earth file with multiple sensors selected, you can choose whether to view the aggregated data or to view sensor data separately.


There are two methods to link the source sensor to a geographic location:
• Select the IP address, filter on that and view reports.
• Deselect all but one sensor and regenerate the Geolocation image; you may need to repeat this for each sensor until you find the desired data.

Multi-Sensor Communication Settings

For settings that are related to remote notifications, scheduled reports, and other communication settings, the CMC will not synchronize its SNMP, SMTP, or syslog server information with that of the sensors.

This non-synchronization permits you to specify different servers for the CMC and for each sensor.


Upgrading Sensors

You can use a Symantec Security Analytics CMC as a software repository for the sensors, so that you download the upgrade from the Internet only once. (Alternatively, the sensors can be upgraded from their own interfaces in the same way as standalone appliances.)

CMC Upgrade Repository

For the CMC to act as an upgrade repository for its sensors, it must have at least one upgrade server configured in the CMC repository as well as an upgrade image in the CMC repository.

An upgrade image in the CMC repository is available to the sensors for upgrade but it is not available for the CMC itself to upgrade. Select Settings > Upgrade to perform an upgrade of the CMC.

On the dashboard, click Upgrade Repository. During the licensing procedure for the CMC, the upgrade server upgrade.soleranetworks.com should have been added to the CMC's External Repository list. If no upgrade server is listed, follow these instructions to add the default Security Analytics upgrade server:

1. On the CMC, do one of the following:
   • Select Settings > Central Management > Upgrades.
   • On the dashboard, click Upgrade Repository.
2. Click New.
3. For Protocol, select http.
4. For Host, type upgrade.soleranetworks.com
5. For Path, type /upgrades/
6. For Username and Password, input your license key both times.
7. Click Save. The upgrade server is saved under External Repository.

This same server will also be listed on the CMC's Settings > Upgrade page.

Add an Upgrade Image to the CMC Repository

Before you can upgrade the sensors, the upgrade image must be present on the CMC repository. On the CMC, do one of the following:
• Select Settings > Central Management > Upgrades.


• On the dashboard, click Upgrade Repository.

For the upgrade server, click Download from Server. Select the desired version and click Download. The latest version is now in the Local Repository list. The list shows which upgrade version is appropriate for each version to be upgraded.

Upgrade Sensors from the CMC Repository

To upgrade sensors from a CMC repository, you have two options:

• "Push" the upgrade from the CMC to the sensor
• "Pull" the upgrade from the CMC to the sensor

Unless otherwise instructed by the release notes, upgrade the CMC before upgrading the sensors that are attached to it.

Push Upgrades

A push upgrade is initiated on the CMC.

Do not attempt to push-upgrade the same sensor from multiple CMCs at the same time.

1. On the CMC, do one of the following:
   • On the dashboard, click Manage Sensors.
   • Select Settings > Central Management > Sensors.
2. Select the check boxes for the sensors to be upgraded.
   • Alternatively, you can click Upgrade for each individual sensor.
3. Select Actions > Upgrade.
4. Select the upgrade file to use and click Upgrade.
5. On the dashboard, you can view the progress of the upgrade for each sensor. To see the whole upgrade message, place your cursor over the bottom line of the sensor's box. While the upgrade image is loading onto the sensor, you can monitor its progress on the sensor's Settings > Upgrade page.

Do not click Initiate Upgrade on the sensor during a push upgrade; the process is automatic.

After the sensor has finished upgrading (including reboot), you can see that the CMC repository has been automatically added to the sensor's Upgrade Servers list on the Settings > Upgrade page.


• The IP address under Host is the CMC's VPN address, which is xxx.xxx.xxx.1 for IPv4 or xx:xx:xx::1 for IPv6.
• You now have the option of clicking Upgrade from Server on the sensor to upgrade the software.

Pull Upgrades

A pull upgrade is initiated on the sensor.

Unless otherwise instructed by the release notes, upgrade the CMC before upgrading the sensors that are attached to it.

1. Access the sensor by doing one of the following:
   • Log on directly to the sensor with admin-level permissions.
   • Access the sensor through a CMC with a remote group account that has admin-level permissions.
2. Select Settings > Upgrade.
3. Is there an entry for a CMC repository in the Upgrade Servers list?
   Yes — Verify that the latest upgrade image is on the CMC, then continue the procedure.
   No — Select New and do the following:
   • For Protocol, select https.
   • For Host, type the VPN address of the CMC (xxx.xxx.xxx.1 or abab::1).
   • For Path, type /upgrades/
   • Leave the Login Information fields blank.
   • Click Save.
   • Verify that the latest upgrade image is on the CMC and continue the procedure.
4. On the sensor, click Upgrade from Server.
5. When the download is complete, click Initiate Upgrade.


CMC Local Management

This page describes how to manage the Symantec Security Analytics CMC itself. When managing the sensors through the CMC, the process is similar to single-appliance management, with the exceptions described in Multi-Sensor Environment.

CMC Dashboard

1 Sensor selector — Use this control to select one or more sensors to view or manage

2 Settings menu

3 Control buttons

4 Your Sensors list

5 Other Sensors list


Your Sensors list

The Your Sensors list shows all of the sensors for which you have a role (remote group or authorization). Each individual sensor is represented on the dashboard page by a graphical box.

1 Connection status (blue = connected; gray = not connected)

2 Sensor name

3 Connection status

4 Software compatibility status

5 Capture status

6 Software version

7 Model number

• The capture status is available only when the sensor is connected to the CMC and the user has access to the sensor.
• In some cases, the capture status of a sensor may take a few minutes to update.

Software Compatibility Status

When a sensor has a different software version than the CMC, an information icon is displayed in the upper-right corner of the sensor's box. It is highly recommended that you upgrade the software; otherwise, some functionality is lost when selecting the sensor with outdated software.


Other Sensors List

The Other Sensors list is visible only to CMC admin accounts and shows two types of appliances:

• Sensors for which you have begun but not finished the authorization process.
• Sensors for which your account does not have a role.

Software version number and capture status are not visible in the Other Sensors list.

Control Buttons

Manage Sensors Button
• Click to go to the Settings > Central Management > Sensors page.
  o Add and delete sensors.
  o Generate authorization key files.
  o Use the Advanced Filter to select multiple sensors according to their user-defined labels.

Upgrade Repository Button
• Click to go to the Settings > Central Management > Upgrades page.
  o Configure upgrade servers.
  o View or delete the software versions that have been uploaded to the repository.


Upgrading the CMC

During the licensing procedure for the CMC, the upgrade server license.soleranetworks.com should have been added to the CMC's Upgrade Servers list. If it has not, add the upgrade server and return to these instructions.

The upgrade image that you download here is available to the CMC for upgrade but it is not available for sensor upgrade. Click Upgrade Repository on the dashboard to upgrade sensors.

1. On the CMC, select Settings > Upgrade.
2. For the upgrade server, click Upgrade from Server. A status bar is displayed.
3. When the upgrade file has finished downloading, click Initiate Upgrade.
4. After the CMC has upgraded, you are prompted to reboot the CMC.
5. After you log back in, you can verify that you are using the updated software by resting your cursor on the Symantec logo.
