
Micro Focus Interset 5.9.3 Installation and Configuration Guide

© Copyright 2020 Micro Focus or one of its affiliates.

The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are as may be set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Except as specifically indicated otherwise, this document contains confidential information and a valid license is required for possession, use or copying. If this work is provided to the U.S. Government, consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.
Contents

Introduction 7
Supported Environments 7
Supported Data Sources 9
Intended Audience 10
Installation 10
How to Use This Guide 11
Additional Support 12
Prerequisites 13
Interset Cluster Components 15
Interset Components 15
Third-party Components 15
Component Distribution 18
Interset Configuration 18
Create a Local YUM Repository for Offline Installation 22
Install a New Interset Cluster 25
Copy and Untar the Interset Installer Archive 27
Edit the Interset Installer Configuration File 28
Edit the Secure Properties File 30
Download Oracle JDK 8 and the Java Cryptography Extension (JCE) 31
Perform the Base Configuration of All Nodes 32
Install the Ambari Server 35
Install the Ambari Cluster 39
Change the Ambari Administrator Password 49
Configure Ambari Managed Services 51
Install Cloudera Manager 52
Install the Cloudera Cluster 53
Add Services 57
Configure Cloudera Managed Services 60
Generate the TLS Certificates 62
Configure the Key Distribution Centre (KDC) 63
Configure Kerberos on Ambari 64
Configure Ambari with TLS 67
Configure Kerberos on Cloudera 69
Configure Cloudera with TLS 69
Install the Interset Schema Registry 70
Configure the Master Node 71
Configure the Stream Node 72
Configure the Search Node 73
Configure the Reporting Node 74
Configure Authentication 77
Local Interset Authentication 77
LDAP Authentication 78
SAML Authentication 81
Configure Single Sign-on with SAML and Okta 92
Configure Workflow 94
Install Apache NiFi 97
Configure a New Data Source 98
Configure an SSL Context Service 99
Create a Process Group 100
Configure the Schema Registry 100
Enable the Controller Services 101
Configure the Data Flow 101
Start the Data Flow 107
Run Analytics 110
Running Analytics in a secure environment 110
Configure the Search Indexes 111
Enable Windowed Analytics 116
Configure the 'Peek-Back' Window for Windowed Analytics 116
Appendix A: Configure the Sample Data 118
Create the Samples Tenant 118
Create an Administrator User for the Samples Tenant 118
Copy the Interset Sample Datasets 119
Configure the Sample Authentication Data Source 119
Run Analytics 119
Appendix B: Run the Enable Kerberos Wizard on Cloudera 120
Getting Started 120
Setup KDC 121
Manage krb5.conf 122
Setup KDC Account 123
Configure Kerberos 124
Summary 124
Appendix C: Optional Installations and Configurations 125
Configure Redundancy & High Availability (Optional) 125
Enable HDP Services (e.g. HBase, HDFS, Storm, YARN, ZooKeeper) High Availability 125
Enable HDFS High Availability (HA) 128
Enable YARN High Availability 129
Enable HBase High Availability 129
Enable Storm High Availability (HA) 130
Enable ZooKeeper High Availability 131
Enable Elasticsearch High Availability 132
Configure DXL (Optional) 132
Set Up the McAfee ESM Parser 135
Configure Splunk (Optional) 136
Edit the rules.conf Configuration File 136
Restart the Workflow Engine 136
Configure the Splunk KV_MODE 137
Configure Phantom (Optional) 137
Configure the Phantom API 137
Edit the rules.conf Configuration File 137
Validate the Phantom Integration 138
Appendix D: Configure NiFi To Use LDAP 139
nifi.properties 139
login-identity-provider.xml 140
authorizers.xml 141
Multiple NiFi nodes: Node Identity Provider 143
Secured Environment certificates 144
Appendix E: Add New Nodes to an Existing Cloudera Cluster 145
Appendix F: Assigning services to a New node in Cloudera 150
Index 152

Introduction

This guide describes how to install and configure Interset 5.9.3. It also provides an overview of the Interset cluster requirements, dependencies, components, and best practices information.
Interset uses data science and advanced analytics to identify the top risky entities and behaviors occurring in your organization. Using your organization's data, Interset establishes the normal behavior for your organizational entities and then, using advanced analytics, identifies the anomalous behaviors that constitute potential risks such as compromised accounts, insider threats, or other cyber threats.

Interset's innovative user experience, true machine learning, and big data platform easily identify and prioritize high risk anomalies, allowing your security practitioners to instantly explore the underlying raw event data. The Interset analytical models apply risk scores to individual users to provide security teams with relevant, prioritized information quickly enough to stop the activity before data loss occurs.

Interset is a server-based product that is deployed in a clustered configuration. This means that the software is distributed across multiple machines, where each machine (which can be a physical machine or a virtual machine running on a VM server such as VMware ESX) is called a node. The distribution of load and responsibilities across multiple nodes is what makes the Interset solution a scalable system that can handle large amounts of data: the more nodes in your deployment, the more data Interset can handle.

Important: This guide provides instructions for the secure installation and configuration of Interset software and its associated platform. For information about installing Interset in an unsecured environment, contact Micro Focus Customer Support at https://softwaresupport.softwaregrp.com/.

We recommend that you deploy the Interset product and platform in a segregated network with as little external access as possible (for example, exposing only the ports required for installation, TCP 22, 443 and 8080, to the IP address(es) performing the installation).
Following the installation, additional exceptions should be created for management and end-user networks. Whenever possible, we recommend that end-users have access only to the Reporting node on TCP 443; this provides access to the Interset UI and API. Administrators should have significantly broader access, and it is generally recommended that this be handled via firewall rules and/or SSH tunnelling.

Supported Environments

Interset Analytics 5.9.3 is supported in the following x86_64 environments:

- CentOS 7.6
- Red Hat Enterprise 7.6

Interset 5.9.3 is supported with the following third-party components:

- Oracle OpenJDK 8u201/211
- Elasticsearch 6.8.1

Interset 5.9.3 is supported with HDP 3.1.0, including the following components:

- Ambari 2.7.3.0
- AsyncHBase 1.8.2
- Avro 1.8.2
- Hadoop 3.1.1
- HBase 2.0.2
- Hortonworks Schema Registry 0.5.3
- Kafka 2.0.0
- NiFi 1.10.0
- Phoenix 5.0.0
- Scala 2.11.8
- Spark 2.3.2
- Storm 1.2.1
- ZooKeeper 3.4.6
- TLS 1.2

Interset 5.9.3 is supported with CDH 6.1.1, including the following components:

- AsyncHBase 1.8.2
- Avro 1.8.2
- Hadoop 3.0.0
- HBase 2.1.1
- Hortonworks Schema Registry 0.5.3
- Kafka 2.0
- NiFi 1.10.0
- Phoenix 5.0.0-HBase-2.1.0-cdh6.1.1
- Scala 2.11.8
- Spark 2.4
- Storm 1.2.1
- ZooKeeper 3.4.5
- TLS 1.2

Interset 5.9.3 supports the following Web browsers:

- Google Chrome 74 and above
- Mozilla Firefox 67 and above

Supported Data Sources

Interset 5.9.3 supports the following data sources. For .csv data sources, the delimiter can be customized.
- Active Directory®
  - Active Directory event logs stored in McAfee Enterprise Security Manager (ESM)®
  - Active Directory event logs stored in Splunk
  - Active Directory event logs stored in Micro Focus ArcSight Logger
  - Active Directory event logs stored in IBM QRadar
  - Windows Security event logs (.csv)
  - Interset-extracted Windows event logs (.csv)
  - Universal Windows event logs (.csv)
  - Windows Event Viewer-extracted event logs (.csv)
  - Active Directory authentication logs
- Universal Alerts stored in third-party DLP systems (.csv)
- NetFlow
  - Version 5
  - Version 9
  - Version 10 (IPFIX)
- Repository
  - Perforce
    - P4AUDIT logs
    - Perforce Structured Server audit logs
  - GitHub Enterprise audit logs
  - Universal repository logs (.csv)
- Pluggable Authentication Module (PAM) AuditD logs (.csv)
- Printer logs
  - Windows printer events stored in Splunk
  - Windows event logs (.csv)
  - Universal logs (.csv)
- Universal Web Proxy (.csv)
- Violations
- Email Data
- VPN

Interset 5.9.3 data ingest uses NiFi for data extraction, transformation, and loading. It supports the processing of data set files in the following compression formats:

- tar
- gzip
- tar gzip

To ingest packaged data from other containers such as ArcSight, IBM QRadar, McAfee ESM, and Splunk, please contact Micro Focus Customer Support at https://softwaresupport.softwaregrp.com/.

Intended Audience

This Guide assumes that you are an experienced system administrator with sound Linux skills and are familiar with your organization's server environment, security infrastructure, and data sources.
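The network-exposure recommendation in the Introduction (install-time access to TCP 22, 443 and 8080 from the installer's address only, and end users later reaching the Reporting node on TCP 443 alone) can be expressed as firewalld rich rules on a CentOS/RHEL 7 node. The following is an added example written for this guide's recommendation, not code from Micro Focus; the zone name public, the CIDRs and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example (not from the Micro Focus guide): firewalld rules for one
# Interset node on CentOS/RHEL 7. Assumes the node uses the default "public"
# zone and that firewalld is running. Set DRY_RUN=1 to print the firewall-cmd
# invocations instead of applying them.

INSTALL_PORTS="22 443 8080"   # ports the guide says installation needs

# Run firewall-cmd, or print the command when DRY_RUN is set.
fw() {
    if [ -n "$DRY_RUN" ]; then
        printf 'firewall-cmd %s\n' "$*"
    else
        firewall-cmd "$@"
    fi
}

# Rich rule admitting one source CIDR to one TCP port.
rich_rule() {
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="tcp" accept' "$1" "$2"
}

# Installation phase: drop the zone's default service exceptions and admit only
# the installer address(es) on TCP 22, 443 and 8080. Run this from a session
# that originates inside the installer CIDR, or the SSH rule change locks you out.
install_phase() {
    installer_cidr=$1
    fw --permanent --zone=public --remove-service=ssh
    fw --permanent --zone=public --remove-service=dhcpv6-client
    for port in $INSTALL_PORTS; do
        fw --permanent --zone=public --add-rich-rule="$(rich_rule "$installer_cidr" "$port")"
    done
    fw --reload
}

# Post-install phase on the Reporting node: the end-user network gets TCP 443
# (Interset UI and API) and nothing else; 8080 stays closed to it.
reporting_phase() {
    users_cidr=$1
    fw --permanent --zone=public --add-rich-rule="$(rich_rule "$users_cidr" 443)"
    fw --reload
}
```

Administrator access stays on the installer rule or an SSH tunnel; add one further rich rule per management network rather than reopening ports zone-wide.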