Security Analytics 8.1.X Reference Guide

Updated: Friday, November 15, 2019

Security Analytics Reference Guide, Security Analytics 8.1

Copyrights, Trademarks, and Intellectual Property

Copyright © 2019 Symantec Corp. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Blue Coat, and the Blue Coat logo are trademarks or registered trademarks of Symantec Corp. or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

SYMANTEC CORPORATION PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT AFTER DELIVERY TO YOU.
Table of Contents

- Recognized Applications (p. 9)
- Application Groups (p. 9)
- Backup and Restore (p. 11)
- Backup (p. 11)
- Specify the Storage Location (p. 12)
- Manual Backup (p. 12)
- Encrypted Backup (p. 12)
- Scheduled Backup (p. 13)
- Restore (p. 13)
- BPF Syntax (p. 15)
- GRE Encapsulation and BPF Filters (p. 15)
- Syslog Facilities (p. 17)
- Standard Syslog Facilities (p. 17)
- Standard Syslog Levels and Priorities (p. 18)
- Disable SSH Root Logins (p. 19)
- MD5-Encrypted Password for Bootloader (p. 20)
- Command-Line Interface (p. 21)
- CLI Commands (p. 21)
- Supported Linux Commands (p. 24)
- csr.sh (p. 26)
- dscapture (p. 26)
- dscapture clearpersist (p. 26)
- dscapture cleartime (p. 27)
- dscapture init (p. 27)
- dscapture map (p. 27)
- dscapture mapshow (p. 27)
- dscapture settime (p. 28)
- dscapture shutdown (p. 28)
- dscapture start (p. 28)
- dscapture status (p. 29)
- dscapture stop (p. 29)
- dscapture unmap (p. 29)
- dsfilter (p. 29)
- dsfirewall, dsfirewall6 (p. 30)
- dslc (p. 32)
- dslc add (p. 32)
- dslc del (p. 34)
- dslc disable (p. 34)
- dslc enable (p. 35)
- dslc export (p. 36)
- dslc factory (p. 37)
- dslc import (p. 37)
- dslc set (p. 37)
- dslc show (p. 39)
- dslogdump (p. 39)
- dsmigrate.sh (p. 40)
- Setup (p. 41)
- Migrate the Data (p. 42)
- dsmigratedata (p. 44)
- Setup (p. 44)
- Interface Configuration (p. 45)
- Data-Migration Procedure (p. 45)
- Operation of dsmigratedata (p. 47)
- Restarting dsmigratedata (p. 48)
- Stateful Restart (p. 48)
- Stateless Restart (p. 48)
- dspcapimport (p. 48)
- dsportmapping (p. 49)
- dsregen (p. 50)
- dszap (p. 51)
- Actions Performed (p. 53)
- Running dszap (p. 53)
- dump_slot (p. 55)
- dump_slot_chain (p. 55)
- dump_slot_header slot_<number> (p. 55)
- dump_slot_elements <filename> (p. 55)
- dump_slot_pcap <packet_number> (p. 56)
- dump_slot_trail (p. 56)
- dump_space_table_entry <slot_id> (p. 56)
- walk_space_table_journal (p. 57)
- dynfilter (p. 57)
- lsi-rate-tool (p. 58)
- lsi-show (p. 60)
- MegaCli | megacli (p. 61)
- scm pivot_only_provider (p. 62)
- Add a Pivot-Only Provider (p. 62)
- Pivot-Only Provider Demonstration (p. 63)
- Delete a Pivot-Only Provider (p. 66)
- Sample Pivot-Only Providers (p. 66)
- scm sessions (p. 68)
- scm solera_acl elevate (p. 69)
- scm tally (p. 69)
- Web Services APIs (p. 71)
- Install and Test the SoleraConnector Class (p. 71)
- Session-Based APIs (p. 73)
- Pivot to Summary Page (p. 73)
- Single Time-Value Configuration (p. 74)
- API Changes in Security Analytics 8.1.x (p. 75)
- New APIs (p. 75)
- Modified APIs (p. 75)
- Advanced API Queries (p. 77)
- Example Queries (p. 77)
- Combining Different Namespaces (p. 77)
- Alerts APIs (p. 79)
- Anomalies APIs (p. 91)
- Authentication APIs (p. 100)
- BPF Filters APIs (p. 111)
- Capture APIs (p. 116)
- Central Manager APIs (p. 137)
- Data Enrichment APIs (p. 158)
- Date/Time APIs (p. 178)
- Drive-Space Management APIs (p. 182)
- Extractor APIs (p. 186)
- Geolocation APIs (p. 219)
- Indicators APIs (p. 226)
- License APIs (p. 236)
- Logging and Communication APIs (p. 240)
- Metadata APIs (p. 265)
- Network APIs (p. 268)
- Packet Analyzer APIs (p. 274)
- PCAP APIs (p. 277)
- Playback APIs (p. 300)
- Report and Report Status APIs (p. 302)
- Rules APIs (p. 338)
- Security APIs (p. 347)
- Statistics APIs (p. 367)
- Summary Page APIs (p. 369)
- System APIs (p. 378)
- Upgrades APIs (p. 380)
- User Account APIs (p. 386)
- Web Interface Settings APIs (p. 405)
- API Appendix (p. 414)
- Using Polling with the APIs (p. 415)
- Syntax: Identity Path (p. 415)
- Syntax: Enhanced Primary Filter Array (p. 415)
- Syntax: Advanced-Filter Array (p. 416)
- Syntax: Primary Filter Array (p. 418)
- Syntax: Timespan Array (p. 419)
- Syntax: Timespan Date Array (p. 419)
- Syntax: Geolocation Internal Labels (p. 419)
- Syntax: Scheduled Events (p. 419)
- LDAP Schema Values (p. 420)
- Menu > Analyze > Alerts > Summary (p. 422)
- Menu > Analyze > Anomalies > Summary (p. 422)
- Capture Summaries Inputs (p. 422)
- Using the APIs (p. 424)
- Best Practices (p. 424)
- Downloading Extracted Artifacts (p. 424)
- Downloading PCAPs (p. 428)
- Resources (p. 432)

Recognized Applications

59 new recognized applications in Security Analytics 8.1.1. Total: ~2900.

To obtain an XLSX or CSV list of recognized applications, select Reference > Recognized Applications in the Help Files, which are located:

- In the web interface under About > Help > [language].
- On https://support.symantec.com/content/unifiedweb/en_US/Documentation.1145515.html. Select the appropriate version, and then under Administration Guide open the Security Analytics 8.1.1 WebGuide.

The files list the applications that Security Analytics can identify. The values in these tables appear in the Application, Application Group, and Application Group over Time reports and report widgets, and they are valid for application_group=<application_group> and application_id=<application_id> in the primary filter bar, for example application_group="Network Service" or application_id=twitter.

Application Groups

Following are sample applications that are included in each application group. Where the last item is preceded by the word "and," all applications for that group are listed:

- Antivirus — zonealarm, zonealarm_update, sophos_update, and lookout_ms
- Application Service — citrix_pvs, ldap, syslog, perforce, windows_marketplace, xfs
- Audio/Video — apple_music, baidu_player, google_play_music, gotomeeting, h245, hulu, iheartradio, itunes, netflix, pplive, qqlive, rtsp, spotify
- Authentication — chap, diameter, krb5, pap, radius, tacacs_plus
- Behavioral — high_entropy and spid
- Compression — ccp and comp
- Database — db2, drda, mysql, postgres, sybase, tds, tns
- Encrypted — i2p, ipsec, isakmp, ocsp, ssh, ssl, tor, and tor2web
- ERP — sap
- File Server — afp, ftp, gmail_drive, netbios, nfs, smb, tftp
- File Transfer — aim_transfer, bits, filesharepro, imessage_file_download, irc_transfer, irods, jabber_transfer, mypocket, paltalk_transfer, and ymsg_transfer
- Forum — google_groups, ircs, kaskus, linkedin, live_groups, mibbet, nntp, nntps, odnoklassniki, r10, tapatalk, vkontakte, and yahoo_groups
- Game — all_slots_casino, angry_birds, candy_crush_saga, cstrike, eve_online, poker_stars, qq_r2, quake, runescape, wow
- Instant Messaging — aim, badoo, facebook_messenger, gmail_chat, gtalk, irc, jabber, qq, whatsapp, ymsg
- Mail — imap, imaps, lotusnotes, mapi, pop3, pop3s, smtp, and smtps
- Microsoft Office — groove
- Middleware — amqp, dcerpc, diop, giop, iiop, java_rmi, rpc, soap, thrift
- Network Management — cdp, cip, enip, lcp, modbus, netflow, rsvp, sccm, snmp, wccp
- Network Service — 8021q, arp, crudp, dccp, dhcp, dnp3, dns, eth, fibre_channel, hopopt, icmp, ip, ip6, isis, mux, nbns, ntp, sctp, svn, udp, whois
- Peer to Peer — bitcoin, bittorrent, directconnect, edonkey, filetopia, gnutella, kazaa, qqmusic, thunder
- Printer — apple_airprint, bjnp, cups, ipp, jetdirect, and lpr
- Routing — bgp, eigrp, mpls, ospf, rip1, rip2, stp
- Security Service — fsecure, ghostsurf, mcafee, and peerguardian
- Standard — established, incomplete, malformed, and unknown
- Telephony — bssap and isup
- Terminal — rlogin, rsh, telnet, telnets, and tnvip
- Thin Client — anydesk, gotomypc, ica, jedi, pcanywhere, radmin, rdp, vmware, x11
- Tunneling — etherip, gre, http_tunnel, l2tp, ppp, pppoe, socks5, teredo
- WAP — bxml, mmse, smpp, ucp, wsp, wtls, and wtp
- Web — 4chan, abcnews, alibaba, amazon_aws, baidu, bbc, disney_channel, ebay, elpais, facebook, flickr, google, http, https, kaspersky, nytimes, outlook, pandora, reddit, sharepoint, travelocity, tumblr, twitter, wikipedia, windows_update, yahoo, youtube
- Webmail — gmail, live_hotmail, mailru, orangemail, owa, yandex_webmail, ymail2, zimbra

Backup and Restore

The backup and restore scripts save system data but not the data on the capture and index drives. To migrate capture data, use dsmigratedata (version 7.x) or dsmigrate.sh (version 8.x). The types of data saved in the backup archive include but are not limited to the following:

- Network configuration
- Filters
- Disk configuration files
- Geolocation data
- Authentication configuration data
- Playback sessions
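The primary-filter-bar examples under Recognized Applications above quote a group name that contains a space (application_group="Network Service") but write a bare application id without quotes (application_id=twitter). The following Python is an added example, not code from the guide or from Symantec: it parses such terms into key/value pairs, rebuilds them with the quoting the guide's examples show, and checks group names and ids against the Application Groups listing on this page. The term grammar it assumes (whitespace-separated key=value terms, double-quoted values with backslash escapes inside the quotes), the group and id tables it embeds, and the function names are assumptions made for this example; the product's actual filter-bar grammar is not described on this page.

```python
"""Parse, build and sanity-check primary-filter-bar terms such as
application_group="Network Service" or application_id=twitter.

Added example. The grammar assumed here (whitespace-separated key=value
terms, double-quoted values, backslash escapes inside quotes) is an
assumption for this example, not the product's documented syntax.
"""
import re
from typing import Dict, List, Tuple

# Group names as listed under Application Groups on this page.
GROUP_NAMES = frozenset({
    "Antivirus", "Application Service", "Audio/Video", "Authentication",
    "Behavioral", "Compression", "Database", "Encrypted", "ERP",
    "File Server", "File Transfer", "Forum", "Game", "Instant Messaging",
    "Mail", "Microsoft Office", "Middleware", "Network Management",
    "Network Service", "Peer to Peer", "Printer", "Routing",
    "Security Service", "Standard", "Telephony", "Terminal", "Thin Client",
    "Tunneling", "WAP", "Web", "Webmail",
})

# Groups whose listing on the page ends with "and", i.e. is complete,
# so an id outside the list cannot belong to that group. (The other
# groups only show samples and are not checked.)
COMPLETE_GROUPS: Dict[str, List[str]] = {
    "Antivirus": ["zonealarm", "zonealarm_update", "sophos_update", "lookout_ms"],
    "Behavioral": ["high_entropy", "spid"],
    "Compression": ["ccp", "comp"],
    "Encrypted": ["i2p", "ipsec", "isakmp", "ocsp", "ssh", "ssl", "tor", "tor2web"],
    "Mail": ["imap", "imaps", "lotusnotes", "mapi", "pop3", "pop3s", "smtp", "smtps"],
    "Standard": ["established", "incomplete", "malformed", "unknown"],
    "Telephony": ["bssap", "isup"],
    "Terminal": ["rlogin", "rsh", "telnet", "telnets", "tnvip"],
}

FILTER_KEYS = {"application_group", "application_id"}

# One term: key=value, where value is either double-quoted (may contain
# spaces and escaped quotes) or a bare run of non-space characters.
_TERM = re.compile(r'(?P<key>[A-Za-z_]\w*)=(?P<val>"(?:[^"\\]|\\.)*"|[^\s"]+)')


def parse_primary_filter(expr: str) -> List[Tuple[str, str]]:
    """Split an expression into (key, value) pairs, removing quotes.

    Anything between terms that is not whitespace is an error, so an
    unquoted value containing a space (application_group=Network Service)
    is rejected instead of silently becoming a different filter.
    """
    pairs: List[Tuple[str, str]] = []
    pos = 0
    for m in _TERM.finditer(expr):
        if expr[pos:m.start()].strip():
            raise ValueError(f"unparsed text: {expr[pos:m.start()]!r}")
        val = m.group("val")
        if val.startswith('"'):
            val = re.sub(r"\\(.)", r"\1", val[1:-1])  # drop quotes, unescape
        pairs.append((m.group("key"), val))
        pos = m.end()
    if expr[pos:].strip():
        raise ValueError(f"unparsed text: {expr[pos:]!r}")
    return pairs


def build_primary_filter(key: str, value: str) -> str:
    """Render one term, quoting the value only when it needs it
    (the guide quotes "Network Service" but writes twitter bare)."""
    if value == "" or re.search(r'[\s"\\]', value):
        escaped = value.replace("\\", "\\\\").replace('"', '\\"')
        return f'{key}="{escaped}"'
    return f"{key}={value}"


def check_filter(expr: str) -> List[str]:
    """Return a list of problems with an application filter: unknown keys,
    group names not on the page, and ids that cannot belong to a completely
    listed group named in the same expression. Empty list means no problem."""
    problems: List[str] = []
    pairs = parse_primary_filter(expr)
    groups = [v for k, v in pairs if k == "application_group"]
    for key, val in pairs:
        if key not in FILTER_KEYS:
            problems.append(f"unknown key {key!r}")
        elif key == "application_group" and val not in GROUP_NAMES:
            problems.append(f"unknown application group {val!r}")
        elif key == "application_id":
            for g in groups:
                if g in COMPLETE_GROUPS and val not in COMPLETE_GROUPS[g]:
                    problems.append(f"{val!r} is not in group {g!r}")
    return problems


if __name__ == "__main__":
    for expr in ('application_group="Network Service"', "application_id=twitter",
                 "application_group=Terminal application_id=twitter"):
        print(expr, "->", parse_primary_filter(expr), check_filter(expr))
```

The strict parser is the point: an unquoted group name with a space is rejected rather than quietly turned into application_group=Network plus a stray token, which is the failure a user typing the filter by hand is most likely to hit.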
