
RSA enVision Event Explorer 4.1 Installation Guide

Revision 1

Contact Information
Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com

Trademarks
RSA, the RSA Logo, RSA enVision Event Explorer, and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other trademarks used herein are the property of their respective owners. For a list of EMC trademarks, go to www.rsa.com/legal/trademarks_list.pdf.

License agreement
This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person. No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability. This software is subject to change without notice and should not be construed as a commitment by EMC.

Third-party licenses
This product may include software developed by parties other than RSA. The text of the license agreements applicable to third-party software in this product may be viewed in the thirdpartylicenses.pdf file.

Note on encryption technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product.

Distribution
Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright © 1996-2011 EMC Corporation. All Rights Reserved. Published in the USA.
September 2011
Revised February 2012

RSA enVision Event Explorer 4.1 Installation Guide

Revision History

Revision Number | Revision Date | Revision
----------------|---------------|--------------------------------
1               | 2/6/2012      | Updated “Client Requirements.”


Contents

Revision History
Preface
    About This Guide
    RSA enVision Event Explorer Documentation
    Related Documentation
    Support and Service
    Before You Call Customer Support
Chapter 1: RSA enVision Event Explorer
Chapter 2: Requirements for Using RSA enVision Event Explorer
    RSA enVision Compatibility
    License Requirements
    User Permission Requirements
    Client Requirements
    Port Requirements
Chapter 3: Install RSA enVision Event Explorer
    Allow Non-Administrative Users to Run RSA enVision Event Explorer
    Uninstall RSA enVision Event Explorer
Chapter 4: Setting Up RSA enVision Event Explorer
    Specify an RSA enVision Appliance During Your Initial Logon
    Log On to RSA enVision Event Explorer
    Select A Default Application Mode
    Log Off of RSA enVision Event Explorer


Preface

About This Guide

This guide describes how to install the RSA enVision Event Explorer module. It is intended for system administrators, security officers, end users, or anyone who needs to install Event Explorer on a client computer.

RSA enVision Event Explorer Documentation

For information about RSA enVision Event Explorer, see the following documentation:

• Release Notes. Provides information about what is new and changed in this release, as well as workarounds for known issues. The latest version of the Release Notes is available on RSA SecurCare Online at https://knowledge.rsasecurity.com.
• Installation Guide. Instructions on installing the RSA enVision Event Explorer client on your personal computer. Intended audience is the end user.
• RSA enVision Event Explorer Help. Comprehensive instructions on setting up and using RSA enVision Event Explorer.

RSA continues to assess and improve the documentation. Check RSA SecurCare Online for the latest documentation.

Related Documentation

For information about the RSA enVision platform, see the following documentation:

• Release Notes. Provides information about what is new and changed in this release, as well as workarounds for known issues. The latest version of the Release Notes is available on RSA SecurCare Online at https://knowledge.rsasecurity.com.
• Overview Guide. Provides an introduction to RSA enVision platform features and capabilities.
• Hardware Setup and Maintenance Guide. Provides instructions on setting up and maintaining RSA enVision appliances. Intended audience is the system administrator.
• Configuration Guide. Provides instructions on configuring an RSA enVision site. Intended audience is the system administrator.
• Migration Guide. Provides instructions on migrating data from a previous version of the RSA enVision platform to the current version.
• Virtual Deployment Guide. Provides instructions on installing an RSA enVision single appliance site or Remote Collector on a virtual infrastructure.
• Administrator’s Guide. Provides instructions on the basic setup and maintenance of the RSA enVision platform. Includes instructions for the most common administrator tasks.
• User’s Guide. Provides information that helps users to get started using the RSA enVision platform. Includes instructions for the most common user tasks.
• Backup and Recovery Guide. Provides instructions on backing up an RSA enVision system and recovering from a hardware failure.
• Security Configuration Guide. Provides an overview of security configuration settings in the RSA enVision platform.
• Universal Device Support Guide. Describes how to add log collection and analysis support for event sources that the RSA enVision platform does not support.
• RSA enVision Help. Provides comprehensive instructions on setting up RSA enVision processing options and using RSA enVision analysis tools.

RSA continues to assess and improve the documentation. Check RSA SecurCare Online for the latest documentation.

Support and Service

RSA SecurCare Online https://knowledge.rsasecurity.com

Customer Support Information www.rsa.com/support

RSA Secured Partner Solutions Directory www.rsasecured.com

RSA SecurCare Online offers a knowledgebase that contains answers to common questions and solutions to known problems. It also offers information on new releases, important technical news, and software downloads. The RSA Secured Partner Solutions Directory provides information about third-party hardware and software products that have been certified to work with RSA products. The directory includes Implementation Guides with step-by-step instructions and other information about interoperation of RSA products with these third-party products.

Before You Call Customer Support

Make sure that you have direct access to the computer running the RSA enVision Event Explorer software. Please have the following information available when you call:

• The serial number of the appliance to which Event Explorer connects. On a 60-series appliance, you can find the seven-character serial number on the chassis tag on the back of the appliance, or open a Dell OpenManage Server Administrator session, and click System > Properties > Summary to find the serial number in the chassis service tag field.
• RSA enVision Event Explorer software version number.
• The name and version of the operating system under which the problem occurs.

1 RSA enVision Event Explorer

As part of the RSA enVision platform, the RSA enVision Event Explorer module is an advanced tool for managing incidents and performing forensic analysis on event data. Event Explorer benefits include:

• Entry point for incident management. Retrieve, display, and triage security incidents in real time.
• Data mining. Drill down and locate specific event data for compliance and investigation of possible security breaches.
• Interactive user monitoring. Zoom from an enterprise-wide to single-user view to track and analyze user activities.
• Detailed application and system insight. Gain insight into business operations through real-time application analysis.

Event Explorer is a client application. You install Event Explorer on your client and establish a connection to an RSA enVision appliance. For complete information on setting up and using enVision, see the enVision Help.

2 Requirements for Using RSA enVision Event Explorer

This chapter describes the requirements that you must meet to use RSA enVision Event Explorer.

RSA enVision Compatibility

RSA enVision Event Explorer 4.1 is compatible only with RSA enVision sites running RSA enVision 4.0 or later.

Note: If you use RSA enVision Event Explorer 4.1 with an RSA enVision site running RSA enVision 4.0, the Universal Table data model and associated functionality are not available. For more information, see the Event Explorer Help. RSA enVision Event Explorer 4.0.x is not compatible with RSA enVision 4.1.

License Requirements

To use Event Explorer, your organization must have a valid RSA enVision license key with enough users to meet your needs. The default enVision license key allows up to 15 users per Application Server to log on to Event Explorer concurrently in a multiple appliance site, or up to 5 users in a single appliance site. You can purchase a license key that allows more users. For more information on the enVision license key, see the enVision Help topic “License Key.”

User Permission Requirements

To allow you to log on to Event Explorer, your RSA enVision administrator must:

• Set you up as a user in enVision with your user account set to Enabled. For more information, see the enVision Help topic “Users.”
• Give you access permissions for Event Explorer. For more information, see the enVision Help topic “Event Explorer Permissions.”
• Give you permission to view at least one event source (device) on the enVision appliance. For more information, see the enVision Help topic “Device Access Filters.”
• Give you site access permission for the site on the enVision appliance to which you want to establish an event . For more information, see the enVision Help topic “Site Login Permissions.”

Important: An administrator can force a log off for an Event Explorer user from within the enVision application. For more information, see the enVision Help topic “Force User Log Out.”

Client Requirements

The following table describes client configurations for PCs running Microsoft Windows XP, Windows 7, or Windows Server 2008, based on how you intend to use Event Explorer. If you do not follow these recommendations, you may experience poor performance when you carry out simultaneous tasks, such as running more than one event trace.

Item               | Incident Management and Light Event Trace Usage | Moderate Event Trace Usage | Heavy Event Trace Usage
-------------------|-------------------------------------------------|----------------------------|------------------------
OS                 | All usage levels: Microsoft Windows XP, Microsoft Windows 7 64-bit, or Microsoft Windows Server 2008 64-bit (R1 or R2). Note: Event Explorer does not support any locale other than English (United States).
Java JRE           | All usage levels: Event Explorer uses JRE 1.5.0_13, which comes bundled with the application and is not separately installed on your client. Note: RSA enVision Event Explorer also supports JRE 1.6.0_20; however, it is not bundled with the application. For instructions on upgrading the JRE, see the Event Explorer Help topic “Upgrade Event Explorer Java SE Runtime Environment (JRE).”
Processor          | All usage levels: Pentium 4 or higher
RAM                | 2 GB RAM                                        | 2 GB RAM                   | 3 GB RAM
CPU                | 1 CPU (minimum)                                 | 2 CPUs (minimum)           | 4 CPUs (minimum)
CPU Speed          | All usage levels: 2 GHz (minimum)
Disk RPM           | 7,200                                           | 7,200                      | 10,000 RAID
Disk Space         | All usage levels: 100 MB of free disk space for the Event Explorer application (the amount of space required for persisted databases is based on need)
Network            | All usage levels: 100baseTX network event trace to the enVision appliances (minimum)
Browser            | All usage levels: Microsoft Internet .0 or later, Mozilla Firefox 2.5 or later
Display Resolution | All usage levels: 1024x768 at 16-bit color (minimum)
DPI Setting        | All usage levels: Normal (96 DPI)
Font Size          | All usage levels: Normal

Note: If you upgrade the Java JDK version on the RSA enVision appliance to which Event Explorer is connected, you should manually upgrade your client JRE to match the version on the server. For instructions, see the Event Explorer Help topic “Upgrade Event Explorer Java SE Runtime Environment (JRE).”
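The note above makes the client JRE version a thing to verify, not assume. The following Python example is added here and is not part of the guide or RSA's software: it parses the dotted-underscore version strings the guide uses (1.5.0_13, 1.6.0_20), pulls the version out of the first line that `java -version` prints, and reports whether the client must be upgraded to match the appliance. The appliance output in the main block is a constructed sample, and the status labels are this example's own.

```python
import re
from typing import NamedTuple


class JavaVersion(NamedTuple):
    """Components of a pre-Java-9 version string such as 1.6.0_20."""
    major: int
    minor: int
    patch: int
    update: int


# <major>.<minor>.<patch> with an optional _<update> suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_java_version(text: str) -> JavaVersion:
    """Parse '1.5.0_13' or '1.6.0_20' into comparable integer fields.

    A version without an update number ('1.6.0') is treated as update 0.
    Anything else raises ValueError rather than silently comparing wrongly.
    """
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    major, minor, patch, update = match.groups()
    return JavaVersion(int(major), int(minor), int(patch), int(update or 0))


def version_string_from_java_output(output: str) -> str:
    """Pull the quoted version out of 'java -version' output, whose first
    line reads like: java version "1.6.0_20"."""
    match = re.search(r'version "([^"]+)"', output)
    if match is None:
        raise ValueError("no 'version \"...\"' line found in java -version output")
    return match.group(1)


def client_jre_status(client_version: str, server_version: str) -> str:
    """Compare the client JRE with the Java version on the appliance.

    Returns 'match', 'upgrade-client' (client is older, the case the guide
    tells you to fix) or 'client-newer' (client is ahead of the appliance).
    """
    client = parse_java_version(client_version)
    server = parse_java_version(server_version)
    if client == server:
        return "match"
    if client < server:
        return "upgrade-client"
    return "client-newer"


if __name__ == "__main__":
    # Constructed sample: the bundled client JRE checked against an appliance
    # whose 'java -version' output (captured by hand) shows the other version
    # the guide lists as supported.
    bundled_client_jre = "1.5.0_13"
    appliance_java_output = (
        'java version "1.6.0_20"\n'
        'Java(TM) SE Runtime Environment (build 1.6.0_20-b02)\n'
    )
    appliance_version = version_string_from_java_output(appliance_java_output)
    print(f"client {bundled_client_jre} vs appliance {appliance_version}: "
          f"{client_jre_status(bundled_client_jre, appliance_version)}")
```

Run `java -version` on the appliance and on the client, feed each output to `version_string_from_java_output`, and act on `upgrade-client` by following the Help topic the note cites. Comparing integer fields rather than strings matters here: as strings, "1.5.0_9" would sort after "1.5.0_13".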

Port Requirements

To use RSA enVision Event Explorer, you must be able to connect to various ports on each RSA enVision appliance.

To connect to RSA enVision appliances running RSA enVision 4.0, you must be able to connect to the ports described in the following table.

Usage                                                        | Ports                          | Port Direction       | On Appliance Type (For Multiple Appliance Sites Only)
-------------------------------------------------------------|--------------------------------|----------------------|------------------------------------------------------
Connection from Event Explorer to NIC Server Service         | TCP 2010                       | Inbound and Outbound | D-SRV
Connection from Event Explorer to the NIC Web Server Service | HTTP 8080, HTTPS 8443          | Inbound and Outbound | A-SRV
Connection from Event Explorer to the NIC App Server Service | TCP 1098, 1099, 3873, and 4444 | Inbound and Outbound | A-SRV

To connect to RSA enVision appliances running RSA enVision 4.1, you must be able to connect to the ports described in the following table.

Usage                                                              | Ports    | Port Direction       | On Appliance Type (For Multiple Appliance Sites Only)
-------------------------------------------------------------------|----------|----------------------|------------------------------------------------------
Connection from Event Explorer to NIC Server Service               | TCP 2010 | Inbound and Outbound | D-SRV
HTTP connection from Event Explorer to the NIC Web Server Service  | TCP 8080 | Inbound and Outbound | A-SRV
HTTPS connection from Event Explorer to the NIC Web Server Service | TCP 8443 | Inbound and Outbound | A-SRV

For information on the available NIC services, see the enVision Help topic “NIC Services.”

Note: The D-SRV port 2010 traffic is not encrypted.
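To turn the two port tables into a repeatable pre-flight check from the client, here is an added Python example that is not part of the guide or of RSA's software. It records the required TCP ports for each enVision version as listed above, tests whether each port accepts a connection from the client within a short timeout (a blocked firewall shows up as a timeout, a missing service as a refusal), and flags the ports that carry unencrypted traffic so the path can be protected at the network level: port 2010 per the note above, and 8080 because it is plain HTTP. Which of the 4.0 App Server ports are encrypted is not stated in the guide, so the example leaves that unknown. The host name `envision.example` and the script name are placeholders.

```python
import socket
import sys
from typing import Dict, List, NamedTuple, Optional


class RequiredPort(NamedTuple):
    """One row of the port tables above."""
    appliance: str             # D-SRV or A-SRV (multiple appliance sites)
    service: str
    port: int
    plaintext: Optional[bool]  # True = known unencrypted, False = TLS,
                               # None = not stated in the guide


# Transcribed from the two tables; all entries are TCP, inbound and outbound.
REQUIRED_PORTS: Dict[str, List[RequiredPort]] = {
    "4.0": [
        RequiredPort("D-SRV", "NIC Server Service", 2010, True),
        RequiredPort("A-SRV", "NIC Web Server Service (HTTP)", 8080, True),
        RequiredPort("A-SRV", "NIC Web Server Service (HTTPS)", 8443, False),
        RequiredPort("A-SRV", "NIC App Server Service", 1098, None),
        RequiredPort("A-SRV", "NIC App Server Service", 1099, None),
        RequiredPort("A-SRV", "NIC App Server Service", 3873, None),
        RequiredPort("A-SRV", "NIC App Server Service", 4444, None),
    ],
    "4.1": [
        RequiredPort("D-SRV", "NIC Server Service", 2010, True),
        RequiredPort("A-SRV", "NIC Web Server Service (HTTP)", 8080, True),
        RequiredPort("A-SRV", "NIC Web Server Service (HTTPS)", 8443, False),
    ],
}


def required_ports(envision_version: str) -> List[RequiredPort]:
    """Rows for a given appliance version; unknown versions are an error."""
    try:
        return list(REQUIRED_PORTS[envision_version])
    except KeyError:
        raise ValueError(f"no port table for RSA enVision {envision_version!r}") from None


def plaintext_ports(envision_version: str) -> List[int]:
    """Ports whose traffic is known to cross the network unencrypted."""
    return [row.port for row in required_ports(envision_version) if row.plaintext]


def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout.
    Refused, filtered (timed out) and unresolvable hosts all count as closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_appliance(host: str, envision_version: str, timeout: float = 3.0) -> Dict[int, bool]:
    """Probe every required port once and map port -> reachable."""
    return {row.port: tcp_port_open(host, row.port, timeout)
            for row in required_ports(envision_version)}


def report(host: str, envision_version: str, results: Dict[int, bool]) -> List[str]:
    """One line per required port, marking blocked ports and the ones whose
    traffic needs network-level protection because it is not encrypted."""
    lines = []
    for row in required_ports(envision_version):
        state = "open" if results.get(row.port) else "BLOCKED"
        warning = " (traffic not encrypted)" if row.plaintext else ""
        lines.append(f"{host}:{row.port} {row.service} on {row.appliance}: {state}{warning}")
    return lines


if __name__ == "__main__":
    # Usage: python check_envision_ports.py <appliance-host> <4.0|4.1>
    # 'envision.example' is a placeholder; substitute your own appliance.
    target = sys.argv[1] if len(sys.argv) > 1 else "envision.example"
    version = sys.argv[2] if len(sys.argv) > 2 else "4.1"
    for line in report(target, version, check_appliance(target, version)):
        print(line)
```

In a multiple appliance site, run the check once against the D-SRV (port 2010) and once against each A-SRV you will log on to; a BLOCKED line points at a firewall rule or a stopped NIC service rather than at the client install.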


3 Install RSA enVision Event Explorer

You can install and use RSA enVision Event Explorer on a client running Microsoft Windows XP, Windows 7 64-bit, or Windows Server 2008 64-bit. RSA enVision Event Explorer 4.1 is compatible only with enVision sites running RSA enVision 4.0 or later.

Note: If you use RSA enVision Event Explorer 4.1 with an RSA enVision site running RSA enVision 4.0, the Universal Table data model and associated functionality are not available. For more information, see the Event Explorer Help. RSA enVision Event Explorer 4.0.x is not compatible with RSA enVision 4.1.

To install Event Explorer:

1. Download the Event Explorer installation file, as follows:
   a. Go to https://knowledge.rsasecurity.com, and log on to RSA SecurCare Online.
   b. Under Browse by Product Family, click RSA enVision.
   c. Click the Downloads tab.
   d. Under Event Explorer Downloads, click RSA enVision Event Explorer 4.1 - Win.
   e. Click RSA enVision Event Explorer 4.1 - Win.
   f. When prompted, specify the directory into which you want to download the file, and click Save.
2. In the specified directory, double-click enVision_4.1_Event_Explorer.zip to unzip the file.
3. Double-click RSA_EventExplorerInstall4100bnnnn.exe to launch the installation wizard.
4. Complete the installation wizard. The wizard creates a shortcut on your desktop for Event Explorer, and the installation is complete. If you choose to launch Event Explorer while completing the wizard, Event Explorer starts.

After installation, Event Explorer files are found in the following locations:

• Application files are under \Program Files (x86)\Network Intelligence Corporation\Event Explorer on Windows 7 and Windows Server 2008, and under \Program Files\Network Intelligence Corporation\Event Explorer on Windows XP.
• User configuration files (for example, event traces and log files) are under \Users\user-short-name\EventExplorer\Event Explorer on Windows 7 and Windows Server 2008, and under \Documents and Settings\user-short-name\EventExplorer\Event Explorer on Windows XP.

Note: User configuration files only appear after the first time that you run the application.

Next Steps

Perform post-installation tasks. See “Allow Non-Administrative Users to Run RSA enVision Event Explorer.”

Allow Non-Administrative Users to Run RSA enVision Event Explorer

After you install Event Explorer, you must make the following security changes to allow users without administrative rights to run Event Explorer on this client.

Before You Begin

“Install RSA enVision Event Explorer.”

To allow non-administrative users to run Event Explorer:

• Set EELauncher.exe to run as administrator.

Note: This file is located under \Program Files\Network Intelligence Corporation\Event Explorer\bin on Windows XP and under \Program Files (x86)\Network Intelligence Corporation\Event Explorer\bin on Windows 7 and Windows Server 2008.

• Set EventExplorer.ini to read-write.

Note: This file is located under Program Files\Network Intelligence Corporation\Event Explorer on Windows XP and under Program Files (x86)\Network Intelligence Corporation\Event Explorer on Windows 7 and Windows Server 2008.

These settings allow for automatic changes to the memory options when Event Explorer is launched.


Uninstall RSA enVision Event Explorer

To uninstall Event Explorer:

1. Click Start > Programs > Network Intelligence Corporation > Event Explorer > Event Explorer UnInstall.
2. When prompted to remove the application, click Yes. You are required to restart your client after the application is uninstalled.

4 Setting Up RSA enVision Event Explorer

After you install RSA enVision Event Explorer, complete the following tasks to log on and set up the application:

1. “Specify an RSA enVision Appliance During Your Initial Logon.”
2. “Log On to RSA enVision Event Explorer.”
3. “Select A Default Application Mode.”
4. “Log Off of RSA enVision Event Explorer.”

Specify an RSA enVision Appliance During Your Initial Logon

Important: To log on to Event Explorer, you must be set up as an Event Explorer user in RSA enVision, and there must be a sufficient number of user licenses available. For more information on user permissions, see “User Permission Requirements.”

The first time that you launch Event Explorer after a new installation, a welcome message displays and prompts you to enter information for the enVision appliance to which you want to log on.

Note: This message does not appear if you upgraded Event Explorer from an earlier version.

To log on to Event Explorer for the first time:

1. In the Protocol field, select the protocol (HTTP or HTTPS) with which to connect to the enVision appliance.
2. In the Hostname or IP address field, enter the hostname or IP address.
3. In the Port field, select or enter the port to which to connect.
4. Click OK. Event Explorer opens the Event Explorer Logon window that you will see in all subsequent sessions.
5. Log on to Event Explorer. For instructions, see the following section, “Log On to RSA enVision Event Explorer.”

Log On to RSA enVision Event Explorer

During the Event Explorer logon process, you can update the list of available RSA enVision appliances.

Note: If you plan to retrieve Incident Management or Vulnerability and Asset Management (VAM) data from RSA enVision, RSA recommends that you log on to the Application Server on which the AppServer database resides. For more information, see the Event Explorer Help topic, “RSA enVision Application Servers.”

To log on:

1. Click Start > Programs > Network Intelligence Corporation > Event Explorer > Event Explorer.
2. From the enVision server drop-down list, select or edit an enVision appliance as follows.

Goal                                         | Action
---------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Select an appliance from the list.           | Click the appliance to select it.
Add an appliance to the list.                | 1. Click New. 2. From the Protocol drop-down list, select a protocol. 3. In the Hostname or IP address field, enter the hostname or IP address. 4. In the Port field, select or enter a port. 5. Click OK.
Remove an appliance from the list.           | 1. Click the appliance to select it. 2. Click Del.
Edit an appliance that appears in the list.  | 1. Click the appliance to select it. 2. Click Edit. 3. Edit the fields that you want to change, and click OK.

3. Enter your enVision user name and password in the Username and Password fields for the appliance that you selected in step 2.
4. Click Log On. The user name and password that you entered are used to authenticate to the selected enVision appliance. A progress bar indicates logon status. When the authentication is complete and successful, the Welcome window opens and prompts you to select your default application mode. For instructions, see “Select A Default Application Mode.”

Select A Default Application Mode

You can use Event Explorer in two ways:

• Incident Management mode allows you to track and resolve incoming incidents from the RSA enVision NIC Alerter Service and create new incidents to handle potential security threats.
• Event Trace Library mode allows you to perform forensic analysis on event data. You can create event traces to retrieve event data from enVision and then display the data using trace views. You can use event traces as part of an incident investigation or independently.

When you log on to Event Explorer for the first time, you must select which mode Event Explorer displays by default in this and future sessions.

Note: You can change your default mode at any time by updating your preferences. Click Tools > Preferences.

To select your default application mode:

1. On the Welcome window, select either Incident Management or Event Trace Library.
2. Click Start. The Event Explorer window opens in the application mode that you selected. For information on using Event Explorer, see the Event Explorer Help.

Log Off of RSA enVision Event Explorer

When you are finished using Event Explorer, you can log off to conserve system resources.

To log off of Event Explorer: In the Event Explorer window, click File > Exit.

Important: When you are logged on to Event Explorer, you are not constrained by the RSA enVision Automatic timeout option. Event Explorer does not disconnect users when they are idle for any amount of time.
