Security Analytics 8.0.X Reference Guide

Security Analytics 8.0.4 Reference Guide
Updated: Wednesday, October 30, 2019
Symantec Security Analytics 8.0.x

Copyrights, Trademarks, and Intellectual Property

Copyright © 2019 Symantec Corp. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Blue Coat, and the Blue Coat logo are trademarks or registered trademarks of Symantec Corp. or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. SYMANTEC CORPORATION PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT AFTER DELIVERY TO YOU.

Security Analytics Support

Your serial number is visible in About.

• Contact Information: support.symantec.com/en_US/contact-support.html
• Symantec Customer Care, Network Protection: [email protected]
• Security Analytics Documentation: support.symantec.com
• Documentation Feedback: [email protected]

Table of Contents

Recognized Applications 6
  Application Groups 7
Backup and Restore 8
  Backup 9
  Restore 11
BPF Syntax 11
  GRE Encapsulation and BPF Filters 12
Syslog Facilities 13
  Standard Syslog Facilities 13
  Standard Syslog Levels and Priorities 14
Disable SSH Root Logins 14
MD5-Encrypted Password for Bootloader 15
Command-Line Interface 17
  CLI Commands 17
  Supported Linux Commands 20
  csr.sh 22
  dscapture 22
    dscapture clearpersist 23
    dscapture cleartime 23
    dscapture init 23
    dscapture map 23
    dscapture mapshow 24
    dscapture settime 24
    dscapture shutdown 24
    dscapture start 25
    dscapture status 25
    dscapture stop 25
    dscapture unmap 25
  dsfilter 26
  dsfirewall 27
  dslc 28
    dslc add 28
    dslc del 30
    dslc disable 30
    dslc enable 32
    dslc export 33
    dslc factory 33
    dslc import 33
    dslc set 33
    dslc show 36
  dslogdump 36
  dsmigrate.sh 36
    Setup 37
    Migrate the Data 38
  dsmigratedata 40
    Setup 40
    Data-Migration Procedure 41
    Operation of dsmigratedata 43
    Restarting dsmigratedata 44
  dspcapimport 44
  dsportmapping 45
  dsregen 46
  dszap 48
    Actions Performed 49
    Running dszap 49
  dump_slot 50
    dump_slot_chain 50
    dump_slot_header slot_<number> 50
    dump_slot_elements <filename> 51
    dump_slot_pcap <packet_number> 51
    dump_slot_trail 51
    dump_space_table_entry <slot_id> 52
    walk_space_table_journal 52
  dynfilter 52
  lsi-rate-tool 54
  lsi-show 55
  MegaCli | megacli 56
  scm migrator 57
  scm pivot_only_provider 60
    Add a Pivot-Only Provider 60
    Pivot-Only Provider Demonstration 62
    Delete a Pivot-Only Provider 65
    Sample Pivot-Only Providers 65
  scm sessions 67
  scm solera_acl elevate 68
    syntax 68
  scm tally 68
Web Services APIs 70
  Install and Test the SoleraConnector Class 71
  Session-Based APIs 73
  Pivot to Summary Page 73
  Single Time-Value Configuration 74
  API Changes in Security Analytics 8.0.x 74
  Advanced API Queries 75
  Alerts APIs 77
  Anomalies APIs 90
  Authentication APIs 99
  BPF Filters APIs 109
  Capture APIs 114
  Central Manager APIs 130
  Data Enrichment APIs 151
  Date/Time APIs 171
  Drive-Space Management APIs 175
  Extractor APIs 179
  Geolocation APIs 212
  Indicators APIs 217
  License APIs 227
  Logging and Communication APIs 230
  Network APIs 255
  Packet Analyzer APIs 261
  PCAP APIs 263
  Playback APIs 287
  Report and Report Status APIs 289
  Rules APIs 322
  Security APIs 329
  Statistics APIs 349
  Summary Page APIs 351
  System APIs 361
  Upgrades APIs 363
  User Account APIs 368
  Web Interface Settings APIs 387
API Appendix 396
  Using Polling with the APIs 396
    Polling for Reports 397
    Polling Script for Artifacts 397
  Syntax: Identity Path 398
  Syntax: Enhanced Primary Filter Array 398
  Syntax: Advanced-Filter Array 399
  Syntax: Primary Filter Array 401
  Syntax: Timespan Array 402
  Syntax: Timespan Date Array 402
  Syntax: Geolocation Internal Labels 402
  Syntax: Scheduled Events 403
  LDAP Schema Values 403
  Menu > Analyze > Alerts > Summary 405
  Menu > Analyze > Anomalies > Summary 405
  Capture Summaries Inputs 405
  Using the APIs 406
    Best Practices 406
    Downloading Extracted Artifacts 407
    Downloading PCAPs 411

Recognized Applications

59 new recognized applications in Security Analytics 8.0.4. Total: ~2900.

To obtain an XLSX or CSV list of recognized applications, select Reference > Recognized Applications in the Help Files, which are located:

• In the web interface under About > Help > [language].
• On https://support.symantec.com/content/unifiedweb/en_US/Documentation.1145515.html. Select the appropriate version, and then under Administration Guide open the Security Analytics 8.0.4 WebGuide.

The applications in the files can be identified by Security Analytics. The values in these tables appear in the Application, Application Group, and Application Group over Time reports and report widgets, and are valid for application_group=<application_group> and application_id=<application_id> in the primary filter bar, for example, application_group="Network Service" or application_id=twitter.

Application Groups

Following are sample applications that are included in each application group. Where the last item is preceded by the word "and," all applications for that group are listed:

• Antivirus — zonealarm, zonealarm_update, sophos_update, and lookout_ms
• Application Service — citrix_pvs, ldap, syslog, perforce, windows_marketplace, xfs
• Audio/Video — apple_music, baidu_player, google_play_music, gotomeeting, h245, hulu, iheartradio, itunes, netflix, pplive, qqlive, rtsp, spotify
• Authentication — chap, diameter, krb5, pap, radius, tacacs_plus
• Behavioral — high_entropy and spid
• Compression — ccp and comp
• Database — db2, drda, mysql, postgres, sybase, tds, tns
• Encrypted — i2p, ipsec, isakmp, ocsp, ssh, ssl, tor, and tor2web
• ERP — sap
• File Server — afp, ftp, gmail_drive, netbios, nfs, smb, tftp
• File Transfer — aim_transfer, bits, filesharepro, imessage_file_download, irc_transfer, irods, jabber_transfer, mypocket, paltalk_transfer, and ymsg_transfer
• Forum — google_groups, ircs, kaskus, linkedin, live_groups, mibbet, nntp, nntps, odnoklassniki, r10, tapatalk, vkontakte, and yahoo_groups
• Game — all_slots_casino, angry_birds, candy_crush_saga, cstrike, eve_online, poker_stars, qq_r2, quake, runescape, wow
• Instant Messaging — aim, badoo, facebook_messenger, gmail_chat, gtalk, irc, jabber, qq, whatsapp, ymsg
• Mail — imap, imaps, lotusnotes, mapi, pop3, pop3s, smtp, and smtps
• Microsoft Office — groove
• Middleware — amqp, dcerpc, diop, giop, iiop, java_rmi, rpc, soap, thrift
• Network Management — cdp, cip, enip, lcp, modbus, netflow, rsvp, sccm, snmp, wccp
• Network Service — 8021q, arp, crudp, dccp, dhcp, dnp3, dns, eth, fibre_channel, hopopt, icmp, ip, ip6, isis, mux, nbns, ntp, sctp, svn, udp, whois
• Peer to Peer — bitcoin, bittorrent, directconnect, edonkey, filetopia, gnutella, kazaa, qqmusic, thunder
• Printer — apple_airprint, bjnp, cups, ipp, jetdirect, and lpr
• Routing — bgp, eigrp, mpls, ospf, rip1, rip2, stp
• Security Service — fsecure, ghostsurf, mcafee, and peerguardian
• Standard — established, incomplete, malformed, and unknown
• Telephony — bssap and isup
• Terminal — rlogin, rsh, telnet, telnets, and tnvip
• Thin Client — anydesk, gotomypc, ica, jedi, pcanywhere, radmin, rdp, vmware, x11
• Tunneling — etherip, gre, http_tunnel, l2tp, ppp, pppoe, socks5, teredo
• WAP — bxml, mmse, smpp, ucp, wsp, wtls, and wtp
• Web — 4chan, abcnews, alibaba, amazon_aws, baidu, bbc, disney_channel, ebay, elpais, facebook, flickr, google, http, https, kaspersky, nytimes, outlook, pandora, reddit, sharepoint, travelocity, tumblr, twitter, wikipedia, windows_update, yahoo, youtube
• Webmail — gmail, live_hotmail, mailru, orangemail, owa, yandex_webmail, ymail2, zimbra

Backup and Restore

The backup and restore scripts save system data but not the data on the capture and index drives. To migrate capture data, use dsmigratedata (version 7.x) or dsmigrate.sh (version 8.x). Use scm migrator for users, rules, indicators, and similar settings.

The types of data saved in the backup archive include but are not limited to the following:

• Network configuration
• Filters
• Disk configuration files
• Geolocation data
• Authentication configuration data
• Playback sessions
• Local user accounts
• Some crontab-related configuration