Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 R2 - LOG MANAGEMENT REV 1 Manual

STRM Log Management Users Guide

Security Threat Response Manager
STRM Log Management Users Guide
Release 2008.2 R2
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089
USA
408-745-2000
www.juniper.net
Part Number: 530-027300-01, Revision 1

Summary of Contents for Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 R2 - LOG MANAGEMENT REV 1

  • Page 2 Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
  • Page 3: Table Of Contents

    CONTENTS ABOUT THIS GUIDE Conventions Technical Documentation Contacting Customer Support ABOUT STRM LOG MANAGEMENT Logging In to STRM Log Management Dashboard Event Viewer Reports Using STRM Log Management Sorting Results Refreshing the Interface Pausing the Interface Investigating IP Addresses STRM Log Management Time Accessing On-line Help STRM Log Management Administration Console USING THE...
  • Page 4 Viewing Raw Events Viewing Aggregate Normalized Events Using the Search Searching Events Deleting Saved Searches Modifying Event Mapping Exporting Events CONFIGURING RULES Viewing Rules Enabling/Disabling Rules Creating a Rule Event Rule Tests Copying a Rule Deleting a Rule Grouping Rules Viewing Groups Creating a Group Editing a Group...
  • Page 5 DEFAULT RULES AND BUILDING BLOCKS Default Rules Default Building Blocks GLOSSARY INDEX...
  • Page 7: About This Guide

    Documentation directly from the Juniper Networks support web site at https://juniper.net/support. Once you access the Juniper Networks support web site, locate the product and software release for which you require documentation. Your comments are important to us. Please send your e-mail comments about this guide or any of the Juniper Networks documentation to: documentation@juniper.com.
  • Page 8: Contacting Customer Support

    STRM Log Management, you can contact Customer Support as follows: • Log a support request 24/7: https://juniper.net/support • For access to the Juniper Networks support web site, please contact Customer Support. • Access Juniper Networks support and Self-Service support using e-mail: ...
  • Page 9: About STRM Log Management

    ABOUT STRM LOG MANAGEMENT STRM Log Management is a network security management platform that provides situational awareness and compliance support through security event correlation, analysis, and reporting. This chapter provides an overview of the STRM Log Management interface including: • Logging In to STRM Log Management ...
  • Page 10: Dashboard

    ABOUT STRM LOG MANAGEMENT ... temporary license key will expire. For information on installing a permanent license key, see the STRM Log Management Administration Guide. Dashboard The Dashboard tab is the default interface that appears when you log in to STRM Log Management.
  • Page 11: Event Viewer

    Event Viewer The Event Viewer allows you to view event logs being sent to STRM Log Management in real-time, or through searches. The Event Viewer is a powerful tool for performing in-depth investigations on event data. Note: For more information, see Chapter 3 Using the Event Viewer.
  • Page 12: Using STRM Log Management

    ABOUT STRM LOG MANAGEMENT Using STRM Log Management Using STRM Log Management, you can: • Sort the results. See Sorting Results. • Refresh the interface. See Refreshing the Interface. • Pause the current display. See Pausing the Interface. • Further investigate an IP address. See Investigating IP Addresses.
  • Page 13: STRM Log Management Time

    Using STRM Log Management Table 1-1 Additional Options (Menu | Sub-Menu | Description): Information | DNS Lookup | Searches for DNS entries based on the IP address. Information | WHOIS Lookup | Searches for the registered owner of a remote IP address (Default system server: whois.crsnic.net.) Information | Port Scan | Performs an NMAP scan of the selected IP address.
  • Page 14: STRM Log Management Administration Console

    ABOUT STRM LOG MANAGEMENT STRM Log Management Administration Console The STRM Log Management Administration Console is a client-based application that provides administrative users access to administrative functionality including: • System Configuration - Allows you to configure system-wide STRM Log Management settings including users, thresholds, system settings, backup and recovery, license keys, network hierarchy, authentication, or automatic updates.
  • Page 15: Using The Dashboard

    USING THE DASHBOARD The Dashboard allows you to create a customized portal to monitor any data STRM Log Management collects, to which you have access. The Dashboard is the default view when you log in to STRM Log Management and allows you to monitor several areas of your network at the same time.
  • Page 16: Using The Dashboard

    USING THE DASHBOARD You can move and position items to meet your requirements. You can stack items in one panel or distribute them evenly within the three panels. When positioning items, each item automatically resizes in proportion to the panel. The Dashboard interface refreshes regularly to display the most recent information.
  • Page 17: Events By Severity

    Event Viewer Note: You must have the required permissions to access Event Viewer items. To customize your display: • Period of Time - Using the drop-down list box, select the period of time you wish the Dashboard graph to display. • Chart Type - You can display the data using a Time Series (default), Line ...
  • Page 18: Reports

    USING THE DASHBOARD ... you to view potential changes in behavior, for example, if a firewall device that is typically not in the top 10 list is now contributing to a large percentage of the overall message count, you should investigate this occurrence. Reports The Reports option allows you to display the top recently generated reports.
  • Page 19: Adding Items

    Adding Items You can add multiple displays to the Dashboard interface. To add an item to the Dashboard: Step 1 Click the Dashboard tab. The Dashboard interface appears. Step 2 From the toolbar, click Add Item. A list of menu items appears. Step 3 Navigate through the categories; options include: Event Viewer...
  • Page 21: Using The Event Viewer

    USING THE EVENT VIEWER An event is an action that occurs on a network or a host. The Event Viewer allows you to monitor and investigate events in real-time or perform advanced searches. You must have permission to view the Event Viewer interface. For more information on assigning roles, see the STRM Log Management Administration Guide.
  • Page 22: Using The Event Viewer Interface

    USING THE EVENT VIEWER Using the Event Viewer Interface This section provides information on using the Event Viewer interface including: • Using the Toolbar • Using the Right-Click Menu Options Using the Toolbar Using the toolbar, you can access the following options: Table 3-1 Toolbar Options Option Description...
  • Page 23: Viewing Events

    Viewing Events By default, the Event Viewer interface displays normalized events. Initially, the Event Viewer displays events that occurred during the previous minute and the interface refreshes each minute. You can sort the resulting tables by clicking on a column heading. A single click of the desired column sorts the results in descending order and a second click on the heading sorts the results in ascending order.
  • Page 24 USING THE EVENT VIEWER Table 3-2 Event Viewer (continued) Parameter Description Event Count Specifies the total number of bundled events that constitute this normalized event. Events are bundled when many of the same type of event for the same source and destination IP address are seen within a short period of time.
  • Page 25 Viewing Events Table 3-3 Event Details Parameter Description Event Name Specifies the normalized name of the event. Low Level Category Specifies the low-level category of this event. For more information on categories, see the Event Category Correlation Reference Guide. Event Description Specifies a description of the event, if available.
  • Page 26: Viewing Raw Events

    USING THE EVENT VIEWER Table 3-3 Event Details (continued) Parameter Description Device Specifies the device that sent the event to STRM Log Management. Event Count Specifies the total number of bundled events that constitute this normalized event. Events are bundled when many of the same type of event for the same source and destination IP address are seen within a short period of time.
  • Page 27: Viewing Aggregate Normalized Events

    Viewing Events The raw events window results provide the following information: Table 3-5 Raw Events Parameters Parameter Description Current Filters The top of the table displays the details of the filter applied to the search results. To clear these filter values, click Clear Filter. Start Time Specifies the time of the first event, as reported to STRM Log Management by the device.
  • Page 28 USING THE EVENT VIEWER Table 3-6 Aggregate Normalized Events (continued) Aggregate Option Description High Level Category Displays a summarized list of events grouped by the high-level category of the event. For more information on categories, see the Event Category Correlation Reference Guide. Low Level Category Displays a summarized list of events grouped by the low-level category of the event.
  • Page 29 Viewing Events Table 3-6 Aggregate Normalized Events (continued) Aggregate Option Description Src IP/ Dst IP/ Event Name/ User Displays a summarized list of events grouped by the source IP address, destination IP address, event name, and user. Src IP/ Dst IP/ User Displays a summarized list of events grouped by the source IP address, destination IP address, and the username associated with the event.
  • Page 30 USING THE EVENT VIEWER Table 3-6 Aggregate Normalized Events (continued) Aggregate Option Description Src IP/ Low Level Cat Displays a summarized list of events grouped by the source IP address and the low-level category. For more information on categories, see the Event Category Correlation Reference Guide.
  • Page 31 Viewing Events The events window results provide the following information: Table 3-7 Event Name Parameters Parameter Description Current Filters The top of the table displays the details of the filter applied to the search results. To clear these filter values, click Clear Filter. Graphs Displays a bar chart representing the top 10 aggregates, depending on the chosen aggregate option.
  • Page 32 USING THE EVENT VIEWER Table 3-7 Event Name Parameters (continued) Parameter Description Category Specifies the low-level category of this event. If there are multiple categories associated with this event, this field indicates Multiple and the number. For more information on categories, see the Event Category Correlation Reference Guide.
  • Page 33: Using The Search

    Using the Search The Event Viewer allows you to search for a specific event or a set of events. You can also save event search criteria for future use. This section provides information on searching events including: • Searching Events ...
  • Page 34 USING THE EVENT VIEWER Table 3-8 Event Search Criteria Parameter Description Saved Searches Using the drop-down list box, select a previously saved search you wish to apply to this search, if desired. Other options include: • Delete - Using the drop-down list box, select the search you ...
  • Page 35 Using the Search Table 3-8 Event Search Criteria (continued) Parameter Description Search Order Specify the order you wish to display for the search results. The options are: Descending or Ascending. Step 4 Click Filter. If you selected sort criteria in your Search Parameters, the normalized events appear.
  • Page 36: Deleting Saved Searches

    USING THE EVENT VIEWER Table 3-9 Save Search Parameters Parameter Description Include in my Quick Searches Select the check box if you wish to include this search in your Quick Search items, which is available in the Search drop-down list box. Share with Select the check box if you wish to share these search requirements...
  • Page 37: Modifying Event Mapping

    Modifying Event Mapping STRM automatically maps an event of a Device Support Module (DSM), also known as a sensor device, for normalization purposes. Using the event mapping tool, you can associate or map a normalized or raw event to a high-level and low-level category (or QID).
  • Page 38 USING THE EVENT VIEWER Step 4 Choose one of the following options: If you know the QID that you wish to map to this event, enter the desired QID in the Enter QID field. Go to Step ... If you wish to search for a particular QID, go to Step ... Step 5 To search for a particular QID or high and low-level categories that you wish to ...
  • Page 39: Exporting Events

    Exporting Events You can export events in Extensible Markup Language (XML) or Comma Separated Values (CSV). To export events: Step 1 Click the Event Viewer tab. The Event Viewer window appears. Step 2 Choose one of the following: If you wish to export the event(s) in XML format, select Export to XML from the Actions drop-down list box.
  • Page 41: Configuring Rules

    CONFIGURING RULES An event is an incident that is detected by your security devices in your enterprise. You can create an event rule that examines events by performing a series of tests. If all the conditions of a test are true, the rule generates a response. Building blocks are rules without a response.
  • Page 42: Viewing Rules

    CONFIGURING RULES This chapter includes: • Viewing Rules • Enabling/Disabling Rules • Creating a Rule • Copying a Rule • Deleting a Rule • Grouping Rules • Editing Building Blocks Viewing Rules To view deployed rules, rule type, and status: Select the Event Viewer tab.
  • Page 43: Enabling/Disabling Rules

    Enabling/Disabling Rules To enable or disable a rule: Step 1 Select the Event Viewer tab. The Event Viewer window appears. Step 2 Click Rules. The Rules List window appears. Step 3 In the Display drop-down list box, select Rules. The list of deployed rules appears.
  • Page 44 CONFIGURING RULES Note: If you do not wish to view the Welcome to the Custom Rules Wizard window again, select the Skip this page when running the rules wizard check box. Step 4 Read the introductory text. Click Next. The Rules Test Stack Editor window appears. Step 5 To add a test to a rule: ...
  • Page 45 Creating a Rule In the Test Group drop-down list box, select the type of test you wish to apply to this rule. The resulting list of tests appears. For information on tests, see Event Rule Tests. For each test you wish to add to the rule, select the + sign beside the test. The selected test(s) appear in the Rule field.
  • Page 46 CONFIGURING RULES Table 4-1 Functions Group (Test | Description | Default Test Name | Parameters): Multi-Rule Event Function | Allows you to use saved building blocks and other rules ... | when an event matches any of the ... | Configure the following parameters: • any - Specify either any or all of ...
  • Page 47 Creating a Rule Table 4-1 Functions Group (continued) (Test | Description | Default Test Name | Parameters): Multi-Rule Event Function | Allows you to use saved building blocks or other rules to ... | when at least this number of these ... | Configure the following parameters: • this number - Specify the number ...
  • Page 48 CONFIGURING RULES Table 4-1 Functions Group (continued) (Test | Description | Default Test Name | Parameters): Multi-Event Counter Function | Allows you to test the number of events from configured conditions, such as, source IP address. | when a(n) IP address/Port/QID/Event/Device/Category ... | Configure the following parameters: • IP address/Port/QID/Event/Device/Category - Specify the ...
  • Page 49 Creating a Rule Table 4-1 Functions Group (continued) (Test | Description | Default Test Name | Parameters): Multi-Rule Function | You can also use building blocks or existing rules to ... | when all of these rules, in order, with ... | Configure the following parameters: • rules - Specify the rules you wish ...
  • Page 50 CONFIGURING RULES Table 4-1 Functions Group (continued) (Test | Description | Default Test Name | Parameters): Multi-Rule Function | You can also use building blocks or existing rules to ... | when at least this number of these ... | Configure the following parameters: • this number - Specify the number ...
  • Page 51 Creating a Rule Table 4-1 Functions Group (continued) (Test | Description | Default Test Name | Parameters): Multi-Rule Function | You can also use building blocks or existing rules to ... | when any of these rules with the same IP ... | Configure the following parameters: • rules - Specify the rules you wish ...
  • Page 52 CONFIGURING RULES Table 4-2 Event Rule Response Parameters Parameter Description Severity Select the check box if you wish this rule to set or adjust severity to the configured level. Once selected, you can configure the desired level. Credibility Select the check box if you wish this rule to set or adjust credibility to the configured level.
  • Page 53: Event Rule Tests

    Creating a Rule Table 4-2 Event Rule Response Parameters (continued) Parameter Description Send to SysLog Select the check box if you wish to log the event. By default, the check box is clear. For example, the syslog output may resemble: Sep 28 12:39:01 localhost.localdomain ECS: Rule 'Name of Rule' Fired: 172.16.60.219:12642 ->...
  • Page 54 CONFIGURING RULES Table 4-3 Event Property Tests (Test | Description | Default Test Name | Parameters): Local Network Object | Valid when the event occurs in the specified network. | when the local network is one of the following networks | one of the following - Specify the areas of the network you wish this test to apply.
  • Page 55 Creating a Rule Table 4-3 Event Property Tests (continued) (Test | Description | Default Test Name | Parameters): Credibility | Valid when the event credibility is greater than, ... | when the event credibility is greater than 5 | Configure the following parameters: • greater than - Specify whether the ...
  • Page 56 CONFIGURING RULES Table 4-3 Event Property Tests (continued) (Test | Description | Default Test Name | Parameters): False Positive Tuning | When you tune false positive events in the Event Viewer, the resulting tuning ... | when the false positive signature matches one of the following signatures | signatures - Specify the false positive signature you wish this test to ...
  • Page 57 Creating a Rule Table 4-4 IP / Port Test Group (continued) (Test | Description | Default Test Name | Parameters): Remote Port | Valid when the remote port of the event is one of the ... | when the remote port is one of the following ports | ports - Specify the ports you wish this test to consider.
  • Page 58: Copying A Rule

    CONFIGURING RULES Device Tests The device tests include: Table 4-6 Device Tests (Test | Description | Default Test Name | Parameters): Source Device | Valid when one of the configured source devices is ... | when the event(s) were detected by one or ... | these devices - Specify the devices that you wish this test to detect.
  • Page 59: Deleting A Rule

    Deleting a Rule To delete a rule: Step 1 Select the Event Viewer tab. The Event Viewer window appears. Step 2 Click Rules. The Rules List window appears. Step 3 In the Display drop-down list box, select Rules. Select the rule you wish to delete.
  • Page 60: Creating A Group

    CONFIGURING RULES Step 5 The list of items assigned to that group appears. Creating a Group To create a group: Step 1 Select the Event Viewer tab. The Event Viewer window appears. Step 2 Click Rules. The Rules List window appears. Click Groups.
  • Page 61: Editing A Group

    Grouping Rules • Name - Specify the name you wish to assign to the new group. The name may be up to 255 characters in length. • Description - Specify a description you wish to assign to this group. The description may be up to 255 characters in length.
  • Page 62: Copying An Item To Another Group(S)

    CONFIGURING RULES Step 7 Click Ok. Step 8 If you wish to change the location of the group, click the new group and drag the folder to the desired location in your menu tree. Step 9 Close the Groups window. Copying an Item to Another Group(s) Using the groups functionality, you can copy a rule or building block to one or ...
  • Page 63: Deleting An Item From A Group

    Grouping Rules Step 6 Select the check box for the group(s) to which you wish to copy the rule or building block. Step 7 Click Assign Groups. Step 8 Close the Groups window. Deleting an Item from a Group To delete a rule or building block from a group: Note: Deleting a group removes this rule or building block from the Rules interface.
  • Page 64: Assigning An Item To A Group

    CONFIGURING RULES Assigning an Item to a Group To assign a rule or building block to a group: Step 1 Select the Event Viewer tab. The Event Viewer window appears. Step 2 Click Rules. The Rules List window appears. Step 3 Select the rule or building block you wish to assign to a group. From the Actions drop-down list box, select Assign Groups.
  • Page 65 Editing Building Blocks Step 5 Update the building block, as necessary. Click Next. Step 6 Continue through the wizard. For more information, see Creating a Rule. The Rule Summary appears.
  • Page 66 CONFIGURING RULES Step 7 Click Finish.
  • Page 67: Managing Reports

    MANAGING REPORTS The Reports interface allows you to create, distribute, and manage reports. You can use the Report Wizard to create executive and operational level reports. STRM Log Management provides default templates that you can use to generate your report data, using various intervals. You can edit any template to present customized data when distributing reports to other STRM Log Management users; however, administrative users can see all reports created by STRM Log Management users.
  • Page 68: Using The Reports Interface

    MANAGING REPORTS Using the Reports Interface This section provides information on using the Reports interface including: • Using the Navigation Menu • Using the Toolbar Using the Navigation Menu The default main Reports interface displays generated reports. The navigation menu provides access to reports, templates, and branding including: Table 5-1 Navigation Menu Options Menu Columns...
  • Page 69: Using The Toolbar

    Viewing Reports Table 5-1 Navigation Menu Options (continued) Menu Columns Description Author Displays the STRM Log Management user that created the template. Output Displays the report format. Branding Branding Navigates to the report branding option. See Branding Your Report. Using the Toolbar You can perform the following actions: Table 5-2 Toolbar Icon Descriptions Option...
  • Page 70: Grouping Reports

    MANAGING REPORTS • HTML - Hyper Text Markup Language format • RTF - Rich Text Format • XML - Extensible Markup Language • XLS - Microsoft Excel format. The XML and XLS formats are only available for reports using a single chart table format (portrait or landscape).
  • Page 71: Creating A Group

    Grouping Reports • Editing a Group • Copying a Template to Another Group • Deleting a Template From a Group • Assigning a Report to a Group Creating a Group To create a group: Step 1 Click the Reports tab. The Reports interface appears.
  • Page 72: Editing A Group

    MANAGING REPORTS • Name - Specify the name you wish to assign to the new group. The name may be up to 255 characters in length. • Description - Specify a description you wish to assign to this group. The description may be up to 255 characters in length.
  • Page 73: Deleting A Template From A Group

    Grouping Reports Copying a Template to Another Group Using the groups functionality, you can copy a template from one group to another. To copy a template: Step 1 Click the Reports tab. The Reports interface appears. Step 2 Click the Report Templates menu option. A list of templates appears.
  • Page 74: Assigning A Report To A Group

    MANAGING REPORTS Step 2 Click the Report Templates menu option. A list of templates appears. Step 3 Click Groups. The Reports Group window appears. Step 4 From the menu tree, select the top level group. Step 5 From the list of groups, select the group you wish to delete. Click Remove.
  • Page 75: Creating A Template

    Creating a Report • Content - Definition of the chart that is placed in the container. This section includes: • Creating a Template • Configuring Charts • Selecting a Graph Type Creating a Template To create a template: Step 1 Click the Reports tab. The Reports interface appears.
  • Page 76 MANAGING REPORTS Step 3 Select a scheduling option. Click Next. Table 5-3 Report Scheduling (Parameter | Default Settings): This report should be scheduled to run | Manually - Generates a report one time only. This is the default setting; however, you may generate this report as often as required. Hourly - Schedules the report to generate at the end of each hour using the data from the previous hour.
  • Page 77 Creating a Report Table 5-3 Report Scheduling (continued) (Parameter | Default Settings): Monthly - Schedules the report to generate each month using the data from the previous month. Using the drop-down list box, select the date you wish to generate the report. The default is the 1st day. Also, using the drop-down list box, select a time to begin the reporting cycle.
  • Page 78 MANAGING REPORTS Step 4 From the Orientation drop-down list box, select the page orientation and then click the desired layout. Click Next. The Specify Report Contents window appears. Step 5 Select values for the following parameters: • Report Title - Specify a title for your report. The title can be up to 100 characters in length; do not use special characters.
  • Page 79 Creating a Report The Layout Preview window appears providing a preview of how your data appears. Note: Charts that appear in the preview window do not display actual data. This is a graphical representation of the layout you have configured. Preview your report.
  • Page 80 MANAGING REPORTS Step 11 Select the desired distribution channels. Click Next. Table 5-4 Report Distribution (Parameter | Sub-Parameter | Description): Report Console | Select the check box if you wish to send the report to the Reports interface. Note: You must have appropriate network permissions to share your report with other users.
  • Page 81 Creating a Report Step 12 Enter values for the following parameters. Click Next. Table 5-5 Finishing Up (Parameter | Description): Report Template Description | Specify a description for this template. This description appears on the Report Summary page and is included in the report distribution e-mail.
  • Page 82: Configuring Charts

    MANAGING REPORTS Configuring Charts The chart type determines how your data and network objects are presented in your report. Data can be charted with several characteristics and created in a single report. The following chart types are available for each template: • ...
  • Page 83 Creating a Report Enter values for the following parameters: Table 5-6 Event/Logs Chart Container Details Parameter Description Container Details - Events/Logs Chart Title Specify a chart title to a maximum of 100 characters. Chart Sub-Title Clear the check box to change the automatically created sub-title.
  • Page 84 MANAGING REPORTS Table 5-6 Event/Logs Chart Container Details (continued) Parameter Description Manually Using the calendar, select the range of dates you wish this report to consider. The default is the current date. Using the drop-down list boxes, select a time to begin and end generating the report.
  • Page 85 Creating a Report Time Series The Time Series Chart displays options, such as pivoting and delta comparisons, that allow you to create charts that compare data for two different periods of time. To configure a Time Series Chart, enter values for the following parameters: Table 5-7 Time Series Chart Container Details Parameter...
  • Page 86 MANAGING REPORTS Table 5-7 Time Series Chart Container Details (continued) Parameter Description • Stacked_Bar - When selecting this option, you must also select the Timeline Interval from the Additional Details section. • Stacked_Bar_Base_Line - When selecting this option, you must also select the Timeline Interval and choose the Baseline parameters.
  • Page 87 Creating a Report Table 5-7 Time Series Chart Container Details (continued) Parameter Description Monthly Choose one of the following options: • All data from previous month • Data from a previous month - Using the drop-down list boxes, select the dates to begin and end generating the report.
  • Page 88 MANAGING REPORTS Table 5-7 Time Series Chart Container Details (continued) Parameter Description Expand To Include Using the drop-down list box, select an option to include on the graph. Options include: • None - View Objects and Network Locations are graphed exactly as shown in the View Object tree menu.
  • Page 89 Creating a Report Enter values for the following parameters: Table 5-8 TopN Time Series Container Details Parameter Description Container Details - TopN Time Series Chart Chart Title Specify a chart title to a maximum of 100 characters. Chart Sub-Title Clear the check box to change the automatically created sub-title. Enter a title to a maximum of 100 characters.
  • Page 90 MANAGING REPORTS Table 5-8 TopN Time Series Container Details (continued) Parameter Description Layers Using the drop-down list box, select the traffic layer you wish to appear on the graph. The layer options that appear depend on the selected View Objects. Options: Average per (view) - Select the check box to graph the average of the selected ...
  • Page 91: Selecting A Graph Type

    Creating a Report Selecting a Graph Type Each chart type has a variety of graphs to display your data. The available selection is dependent on the chart type you have selected. The colors that appear in the charts that depict network traffic are derived from the network configuration files.
  • Page 92: Using Default Report Templates

    MANAGING REPORTS Table 5-9 Available Graph Types (continued) Stacked Bar Graph - Available with the Time Series chart type. Delta Graph - Available with the Time Series chart type. Pie Graph - Available with the following chart type: • Time Series ... Table Graph - Available with the following charts: • Time Series ...
  • Page 93: Generating A Report

    Generating a Report Each template is designed to capture and display your existing data. Point your mouse to any template to preview the summary. The summary reveals how the template is configured and the type of information the template is configured to generate.
  • Page 94: Sharing A Report

    MANAGING REPORTS The Enter a Name window appears. Step 5 Enter a new name, without spaces, for the template. The new template appears. Sharing a Report You can share report templates with other users. This allows you to provide a copy of the selected templates for another user to edit or schedule, as necessary.
  • Page 95 Branding Your Report Step 3 Click Browse to browse the files located on your system. Step 4 Select the file that contains the desired logo. Click Open. The file name appears in the New Image field. Step 5 Click Upload Image to upload the image to STRM Log Management. Note: To make sure your browser displays the new logo, clear your browser cache.
  • Page 97 DEFAULT RULES AND BUILDING BLOCKS This appendix provides the defaults for the rules and building blocks, including: • Default Rules • Default Building Blocks. Default Rules: Default rules include the following (Table B-6 Default Rules; columns Rule, Rule Group, Type, Enabled, Description). Default-Rule-Anomaly: ... (group Anomaly, type Event, enabled False)...
  • Page 98 DEFAULT RULES AND BUILDING BLOCKS Table B-6 Default Rules (continued). Default-Rule-Anomaly: Rate Analysis Marked Events (group Anomaly, type Event, enabled False): Reports a host emitting events at a rate greater than normal. This may be normal, but in some cases can be an early warning sign that the host has changed behavior.
  • Page 99 Default Rules Table B-6 Default Rules (continued). Default-Rule-Botnet: Potential Botnet Connection (DNS) (groups Botnet, Exploit; type Event; enabled False): Reports a host connecting or attempting to connect to a DNS server on the Internet. This may indicate a host connecting to a Botnet. The host should be investigated for malicious code.
  • Page 100 DEFAULT RULES AND BUILDING BLOCKS Table B-6 Default Rules (continued). Default-Rule-Database: Remote Login Success (group Database, type Event, enabled True): Reports when a successful authentication occurs to a database server from a remote network. Default-Rule-Database: User Rights Changed (group Database, type Event, enabled True): Reports when changes to user privileges occur...
  • Page 101 Default Rules Table B-6 Default Rules (continued). Default-Rule-Policy: Local P2P Server Detected (group Policy, type Event, enabled True): Reports local Peer-to-Peer (P2P) traffic or any event categorized as P2P. More than 10 hosts were detected connecting to a local host that appears to be operating as a P2P server.
  • Page 102 DEFAULT RULES AND BUILDING BLOCKS Table B-6 Default Rules (continued). Default-Rule-Recon: Local LDAP Server Scanner (group Recon, type Event, enabled True): Reports a source IP address attempting reconnaissance or suspicious connections on common LDAP ports to more than 60 hosts in 10 minutes.
  • Page 103 Default Rules Table B-6 Default Rules (continued). Default-Rule-Recon: Local Proxy Server Scanner (group Recon, type Event, enabled True): Reports a source IP address attempting reconnaissance or suspicious connections on common proxy server ports to more than 60 hosts in 10 minutes.
  • Page 104 DEFAULT RULES AND BUILDING BLOCKS Table B-6 Default Rules (continued). Default-Rule-Recon: Recon Followed by Accept (group Recon, type Event, enabled False): Adds an additional event into the event stream when a host that has been performing reconnaissance also has a firewall accept following the reconnaissance activity.
  • Page 105 Default Rules Table B-6 Default Rules (continued). Default-Rule-Recon: Remote Proxy Server Scanner (group Recon, type Event, enabled True): Reports a remote host attempting reconnaissance or suspicious connections on common proxy server ports to more than 30 hosts in 10 minutes. Default-Rule-Recon: ... (group Recon, type Event)...
  • Page 106 DEFAULT RULES AND BUILDING BLOCKS Table B-6 Default Rules (continued). Default-Rule-Recon: Single Merged Recon Events (group Recon, type Event, enabled True): Reports merged reconnaissance events generated by some devices. This rule causes all these events to create an offense. All devices of this type and their categories should be added to the Default-BB-ReconDetected: Devices which Merge Recon into Single Events building block.
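  As an added illustration of how the scanner rules in Table B-6 are evaluated (example code written for this page, not STRM's rule engine): a sliding-window detector that fires when one source reaches a port set on more than 60 distinct hosts (local source) or more than 30 (remote source) within 10 minutes, run over constructed sample events. The LDAP port set, the use of 10.0.0.0/8 as "local", and the sample traffic are assumptions.

```python
# Added example (not STRM code): a sliding-window "scanner" detector modelled on
# the Table B-6 recon rules: one source reaching a port set on more than N distinct
# hosts within 10 minutes (N = 60 for a local source, 30 for a remote one).
from collections import defaultdict, deque

LDAP_PORTS = {389, 636}   # assumption: STRM keeps the real list in Default-BB-PortDefinition
WINDOW_SECONDS = 600      # "in 10 minutes"
LOCAL_THRESHOLD = 60      # Local LDAP/Proxy Server Scanner rows
REMOTE_THRESHOLD = 30     # Remote Proxy Server Scanner row

def is_local(ip):
    # Assumption: 10.0.0.0/8 stands in for the local network hierarchy.
    return ip.startswith("10.")

def detect_scanners(events, ports=LDAP_PORTS, window=WINDOW_SECONDS):
    """events: time-sorted (ts_seconds, src_ip, dst_ip, dst_port) tuples.
    Returns (ts, src_ip, distinct_hosts) once per source, the first time its
    distinct-destination count inside the window exceeds its threshold."""
    recent = defaultdict(deque)                      # src -> (ts, dst) in window
    hits = defaultdict(lambda: defaultdict(int))     # src -> dst -> count in window
    fired, alerts = set(), []
    for ts, src, dst, port in events:
        if port not in ports:
            continue
        recent[src].append((ts, dst))
        hits[src][dst] += 1
        while recent[src] and ts - recent[src][0][0] > window:   # expire old entries
            old_ts, old_dst = recent[src].popleft()
            hits[src][old_dst] -= 1
            if hits[src][old_dst] == 0:
                del hits[src][old_dst]
        threshold = LOCAL_THRESHOLD if is_local(src) else REMOTE_THRESHOLD
        if src not in fired and len(hits[src]) > threshold:
            fired.add(src)
            alerts.append((ts, src, len(hits[src])))
    return alerts

def sample_events():
    """Constructed sample traffic: a local host sweeping 61 hosts in 4 minutes,
    a remote host touching 31 hosts in under 3 minutes, and a remote host
    touching 31 hosts spread over 20 minutes (never more than 16 per window)."""
    ev = [(i * 4, "10.0.0.5", f"10.0.1.{i}", 389) for i in range(61)]
    ev += [(1000 + i * 5, "203.0.113.9", f"10.0.2.{i}", 636) for i in range(31)]
    ev += [(2000 + i * 40, "198.51.100.7", f"10.0.3.{i}", 389) for i in range(31)]
    return sorted(ev)

if __name__ == "__main__":
    for ts, src, n in detect_scanners(sample_events()):
        print(f"t={ts}s {src} reached {n} distinct hosts")
```

  The slow sweep from 198.51.100.7 never fires, which is the same tuning question the page's 10-minute window raises: a scanner that paces itself below the per-window threshold is not caught by this rule alone.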
  • Page 107 Default Building Blocks: Default building blocks include the following (Table B-7 Default Building Blocks; columns Building Block, Block Group, Type, Description, Associated Building Blocks if applicable). Default-BB-CategoryDefinition: Authentication Failures (group Category Definitions, type Event): Edit this BB to include all events that indicate an unsuccessful attempt to access the network.
  • Page 108 DEFAULT RULES AND BUILDING BLOCKS Table B-7 Default Building Blocks (continued). Default-BB-CategoryDefinition: Firewall System Errors (group Category Definitions, type Event): Edit this BB to include all events that may indicate a firewall system error.
  • Page 109 Default Building Blocks Table B-7 Default Building Blocks (continued). Default-BB-CategoryDefinition: Recon Events (group Category Definitions, type Event): Edit this BB to include all events that indicate reconnaissance activity. Default-BB-CategoryDefinition: Service DoS (group Category Definitions, type Event): Edit this BB to define Denial of...
  • Page 110 DEFAULT RULES AND BUILDING BLOCKS Table B-7 Default Building Blocks (continued). Default-BB-ComplianceDefinition: GLBA Servers (groups Compliance, Host IP Definitions; type Event): Edit this BB to include your GLBA systems. You must then apply this BB to rules related to failed logins, remote access, etc.
  • Page 111 Default Building Blocks Table B-7 Default Building Blocks (continued). Default-BB-FalsePositive: Database Server False Positive Events (group False Positive, type Event): Edit this BB to define all the false positive QIDs that occur to or from database servers that are defined... Associated building block: Default-BB-HostDefinition: Database Servers.
  • Page 112 DEFAULT RULES AND BUILDING BLOCKS Table B-7 Default Building Blocks (continued). Default-BB-FalsePositive: Internal Attacker to Internal Target False Positives (group False Positive, type Event): Edit this BB to define all the false positive QIDs that occur to or from Local-to-Local (L2L) based...
  • Page 113 Default Building Blocks Table B-7 Default Building Blocks (continued). Default-BB-FalsePositive: Remote Attacker to Internal Target False Positives (group False Positive, type Event): Edit this BB to define all the false positive QIDs that occur to or from Remote-to-Local (R2L) based...
  • Page 114 DEFAULT RULES AND BUILDING BLOCKS Table B-7 Default Building Blocks (continued). Default-BB-FalsePositive: Virus Definition Update Categories (group False Positive, type Event): Edit this BB to define all the false positive QIDs that occur to or from virus definition or other automatic... Associated building block: Default-BB-HostDefinition: Virus Definition...
  • Page 115 Default Building Blocks Table B-7 Default Building Blocks (continued). Default-BB-HostDefinition: FTP Servers (group Host Definitions, type Event): Edit this BB to define typical FTP servers. Associated building blocks: Default-BB-False Positive: FTP Server False Positives Categories; Default-BB-FalsePositve: FTP Server False Positive...
  • Page 116 DEFAULT RULES AND BUILDING BLOCKS Table B-7 Default Building Blocks (continued). Default-BB-HostDefinition: SSH Servers (group Host Definitions, type Event): Edit this BB to define typical SSH servers. Associated building blocks: Default-BB-False Positive: SSH Server False Positives Categories; Default-BB-FalsePositve: SSH Server False Positive...
  • Page 117 Default Building Blocks Table B-7 Default Building Blocks (continued). Default-BB-NetworkDefinition: Honeypot like Addresses (group Network Definition, type Event): Edit this BB by replacing the other network with network objects defined in your network hierarchy that are currently not in use in your network or are used in a honeypot or tarpit installation.
  • Page 118 DEFAULT RULES AND BUILDING BLOCKS Table B-7 Default Building Blocks (continued). Default-BB-PortDefinition: IM Ports (groups Compliance, Port\Protocol Definition; type Event): Edit this BB to include all common IM ports. Default-BB-PortDefinition: IRC Ports (group Port\..., type Event): Edit this BB to include all common...
  • Page 119 Default Building Blocks Table B-7 Default Building Blocks (continued). Default-BB-ReconDetected: All Recon Rules (group Recon, type Event): Define all Juniper default reconnaissance tests. This BB is used to detect a host that has performed reconnaissance so that other follow-on tests can be performed.
  • Page 121 GLOSSARY Autonomous System Number: Collection of IP networks that all adhere to the same specific and clearly defined routing policy. An AS number (ASN) is a unique ID number assigned to each Autonomous System. Address Resolution Protocol (ARP): A protocol for mapping an Internet Protocol (IP) address to a physical machine address recognized in the local network.
  • Page 122 GLOSSARY ...the coalesced event is released to the Event Processor and the next interval begins for matching events. If no matching events arrive during this interval, the process restarts. Otherwise, the coalescing continues with all events counted and released in 10 second intervals. Console: Web interface for STRM.
  • Page 123 GLOSSARY Event Processor: Processes flows collected from one or more Event Collector(s). The events are bundled once again to conserve network usage. Once received, the Event Processor correlates the information from STRM and distributes it to the appropriate area, depending on the type of event. Fully Qualified Domain Name: The portion of an Internet Uniform Resource Locator (URL) that fully identifies the...
  • Page 124 GLOSSARY ...See Internet Protocol. IP Multicast: IP Multicast reduces traffic on a network by delivering a single stream of information to multiple users at one time. IP network: A group of IP routers that route IP datagrams. These routers are sometimes referred to as Internet gateways.
  • Page 125 GLOSSARY network hierarchy: Contains each component of your network, and identifies which objects belong within other objects. The accuracy and completeness of this hierarchy is essential to traffic analysis functions. The network hierarchy provides for storage of flow logs, databases, and TopN files. network objects: Components of your network hierarchy.
  • Page 126 GLOSSARY ...you to detect specific, specialized events and forward notifications to either the Offense Manager or log file, e-mail a user, or resolve the event or offense, if the Offense Resolution option is active. severity: Indicates the amount of threat an attacker poses in relation to how prepared the target is for the attack.
  • Page 127 GLOSSARY violation: Includes a violation of corporate policy. Whois: Allows you to look up information about registered Internet names and numbers.
  • Page 129 INDEX ...viewing associated offense 31; Administration Console: overview 8; branding reports 88; building blocks: about 35, default 101, editing 58, functions 35; conventions 1; customer support: contacting 1; events: aggregate 21, exporting 33, normalized 17, searching 27, viewing 17; exporting: events 33; false positives: tuning 33...
  • Page 130 INDEX reports: about 61, brand 88, chart type 76, container 68, content 68, creating 68, creating a template 69, default templates 86, distribution channels 73, editing 86, formatting 73, generate 87, graph type 85, grouping 64 (assigning 68, copying 66, creating 65, deleting 67, editing 66)...
