Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 R2 - REV1 Manual

Security Threat Response Manager
STRM Users Guide
Release 2008.2 R2
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089
USA
408-745-2000
www.juniper.net
Part Number: 530-027294-01, Revision 1


Summary of Contents for Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 R2 - REV1

  • Page 2 Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
  • Page 3: Table Of Contents

    CONTENTS. ABOUT THIS GUIDE: Conventions; Technical Documentation; Contacting Customer Support. ABOUT STRM: Logging In to STRM; Dashboard; Offense Manager; Event Viewer; Flow Viewer; Assets; Network Surveillance; Reports; Using STRM; Sorting Results; Refreshing the Interface; Pausing the Interface; Investigating IP Addresses; Viewing STRM Time; Accessing On-line Help; STRM Administration Console. USING THE...
  • Page 4 Reports; Enterprise Security State; Enterprise Vulnerability State; System Summary; Adding Items. MANAGING NETWORK ACTIVITY: Using the Network Surveillance Menu; Global Views; Asset Map; Bookmarks; QRL Options; Viewing Network Activity; Interpreting the Graphs; Changing the View; Changing Flow Attributes; Changing Traffic Location; Investigating Traffic Using TopN; Viewing the TopN Information; Investigating Traffic...
  • Page 5 Managing Offenses By Targets; Viewing Offenses By Targets; Searching Targets; Managing Offenses By Networks; Viewing Offenses By Networks; Searching Networks; Marking an Item For Follow-Up; Adding Notes; Configuring Notification; Managing Network Anomalies; Viewing Network Anomaly Offenses; Closing Offenses; Forwarding Network Anomaly Offenses; Exporting Offenses. USING THE EVENT...
  • Page 6 Editing an Asset; Deleting Assets; Deleting an Asset; Deleting All Assets; Importing Asset Profiles; Exporting Assets. MANAGING REPORTS: Using the Reports Interface; Using the Navigation Menu; Using the Toolbar; Viewing Reports; Grouping Reports; Creating a Group; Editing a Group; Copying a Template to Another Group; Deleting a Template From a Group; Assigning a Report to a Group; Creating a Report...
  • Page 7: Conventions

    Documentation directly from the Juniper Networks support web site at https://juniper.net/support. Once you access the Juniper Networks support web site, locate the product and software release for which you require documentation. Your comments are important to us. Please send your e-mail comments about this guide or any of the Juniper Networks documentation to: documentation@juniper.net.
  • Page 8 Customer Support: ... maintaining STRM, you can contact Customer Support as follows: Log a support request 24/7: https://juniper.net/support/; For access to the Juniper Networks support web site, please contact Customer Support; Access Juniper Networks support and Self-Service support using e-mail: ...
  • Page 9 ABOUT STRM: STRM is a network security management platform that provides situational awareness and compliance support through the combination of flow-based network knowledge, security event correlation, and asset-based vulnerability assessment. This chapter provides an overview of the STRM interface including: Logging In to STRM; ...
  • Page 10: Dashboard

    ABOUT STRM. Step 3: Click Login To STRM. For your STRM Console, a default license key provides you access to the interface for 5 weeks. A window appears providing the date that the temporary license key will expire. For information on installing a permanent license key, see the STRM Administration Guide.
  • Page 11: Offense Manager

    Offense Manager: The Offense Manager tab provides a view into all offenses occurring on your network. From the Offense Manager, you can investigate an offense to determine the root cause of an issue. You can also resolve the issue. Note: For more information on the Offense Manager, see Chapter 5 Investigating Offenses.
  • Page 12: Flow Viewer

    ABOUT STRM. Flow Viewer: The Flow Viewer tab allows you to monitor and investigate flow data in real time or perform advanced searches. A flow is a communication session between two hosts. Viewing flow information allows you to determine how the traffic was communicated and what was communicated (if the content capture option is enabled), and includes such details as when, who, how much, protocols, ASN values, IfIndex values, and priorities.
  • Page 13 Assets Note: For more information, see Chapter 8 Managing Assets. STRM Users Guide...
  • Page 14: Network Surveillance

    ABOUT STRM. Network Surveillance: The Network Surveillance tab is a real-time network behavioral and anomaly monitoring interface that allows you to monitor the traffic on your network and how your network is behaving. The Network Surveillance tab displays which areas of your network are producing the most traffic, what applications are running, and what types of threatening or out-of-policy traffic are present on your network.
  • Page 15: Reports

    Reports: Reports is a flexible and robust reporting package that allows you to create, distribute, and manage reports for any data within STRM. Reports allows you to create customized reports for operational and executive use by combining any information (such as security or network data) into a single report. You can also use the many pre-installed report templates included with STRM.
  • Page 16: Refreshing The Interface

    ABOUT STRM. Click the Name column heading again if you wish to sort the information in ascending order. Refreshing the Interface: Several STRM interfaces, including the Event Viewer, Offense Manager, Flow Viewer, and the Dashboard, allow you to refresh the interface. This refresh option is located in the right corner of the interface.
  • Page 17: Viewing Strm Time

    STRM Administration Console. Table 1-1 Additional Options (continued): Menu / Sub-Menu / Description. Port Scan: Performs an NMAP scan of the selected IP address. This option is only available if NMAP is installed on your system. For more information on installing NMAP, see your vendor documentation.
  • Page 18 ABOUT STRM. Managing vulnerability assessment and scanners - Allows you to schedule scans to keep your vulnerability assessment data up-to-date. Configure sensor devices - Allows you to configure sensor devices, which provide events to your deployment through DSMs. Configure flow sources - Allows you to configure flow sources, such as ...
  • Page 19 USING THE DASHBOARD: The Dashboard allows you to create a customized portal to monitor any data STRM collects to which you have access. The Dashboard is the default view when you log in to STRM and allows you to monitor several areas of your network at the same time.
  • Page 20 USING THE DASHBOARD. Most Recent Offenses; Local Networks - Inbound Bytes; Local Networks - Outbound Bytes; Top Category Types; Top Attackers. Note: The items that appear on your Dashboard depend on the access you have been granted.
  • Page 21: Using The Dashboard

    About the Dashboard. Using the Dashboard: You can add, remove, or detach items on the Dashboard. Once added, each item appears with a title bar. Using the Dashboard, you can: Adding Items - Provides the list of items that you can add to your Dashboard; ...
  • Page 22: Traffic

    USING THE DASHBOARD. Network Surveillance: You can add several Network Surveillance items to your Dashboard to display your current network traffic activity. You can choose to display traffic data and TopN data. Traffic data is displayed in graphs, complete with legends; TopN data is displayed in bar charts, and allows you to investigate your traffic from the Dashboard.
  • Page 23: Topn

    Network Surveillance. Note: You can click any area of the graph, or click the dynamic legend, to immediately access the Network Surveillance interface. To customize your Threats display: Period of Time - Using the drop-down list box, select the period of time you ...
  • Page 24: Offenses

    USING THE DASHBOARD. Offense Manager: You can add several Offense Manager items to your Dashboard. The Offense Manager displays data for offenses, attackers, and local targets detected on your network. Offense Manager options include: Offenses; Attackers and Targets; Categories; ...
  • Page 25: Attackers And Targets

    Offense Manager. To customize your display: Period of Time - Using the drop-down list box, select the period of time you wish the Dashboard graph to display. Chart Type - You can display the data using a Time Series (default), Line ...
  • Page 26: Event Viewer

    USING THE DASHBOARD. Event Viewer: The Event Viewer items allow you to monitor and investigate events in real time. Event Viewer options include: Events Over Time; Events By Severity; Top Devices. Note: Hidden or closed events are not included in the values that appear in the Dashboard.
  • Page 27: Top Devices

    Event Viewer. Top Devices: The Top Devices item displays a pie chart that specifies the top 10 devices that sent events to STRM within the last 15 minutes. The number of events sent from each device is indicated in the pie chart. This item allows you to spot potential changes in behavior; for example, if a firewall device that is typically not in the top 10 list is now contributing a large percentage of the overall message count, you should investigate this occurrence.
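    The check the Top Devices item is meant to prompt can be automated over raw event lines. The following is an added example written for this page, not code from the STRM guide or product: it counts events per device inside the 15-minute window, ranks the top 10, and flags any device that is absent from a baseline top-10 list but now carries a large share of the count. The event lines, device names, the baseline list, and the 25% share cut-off are all constructed for the example.

```javascript
// Added example for the Top Devices item (not code from the STRM guide): rank the
// devices that sent events in the last 15 minutes and flag a device that was not a
// usual top sender but now carries a large share of the message count.
// The event lines, device names and baseline below are constructed for this example.

const WINDOW_MS = 15 * 60 * 1000; // Top Devices covers the last 15 minutes
const TOP_N = 10;                 // ... and shows the top 10 devices

// Count events per device for lines of the form "<ISO-8601 time> <device> <message>",
// keeping only events inside the window that ends at `now`.
function countByDevice(lines, now) {
  const counts = new Map();
  for (const line of lines) {
    const [ts, device] = line.split(' ', 2);
    const t = Date.parse(ts);
    if (Number.isNaN(t) || t > now || now - t > WINDOW_MS) continue;
    counts.set(device, (counts.get(device) || 0) + 1);
  }
  return counts;
}

// Top N devices by count, each with its share of all events in the window.
function topDevices(counts, n = TOP_N) {
  const total = [...counts.values()].reduce((a, b) => a + b, 0);
  return [...counts.entries()]
    .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]))
    .slice(0, n)
    .map(([device, count]) => ({ device, count, share: total ? count / total : 0 }));
}

// Devices in the current top N that are absent from the baseline top N and now
// account for more than `minShare` of the window's events: the case the guide
// says to investigate (a normally quiet firewall suddenly dominating the count).
function newcomers(currentTop, baselineTop, minShare = 0.25) {
  const known = new Set(baselineTop.map((d) => d.device));
  return currentTop.filter((d) => !known.has(d.device) && d.share > minShare);
}

// Constructed sample. "now" is fixed so the result is deterministic.
const NOW = Date.parse('2008-06-02T10:15:00Z');
function sampleLines() {
  const lines = [];
  const emit = (device, n, minutesAgo) => {
    for (let i = 0; i < n; i++) {
      const t = new Date(NOW - minutesAgo * 60000 - i * 1000).toISOString();
      lines.push(`${t} ${device} event ${i}`);
    }
  };
  emit('ids-core01', 12, 3);
  emit('proxy-dmz', 8, 5);
  emit('fw-branch07', 40, 2); // usually quiet, now two thirds of the window
  emit('ad-dc01', 5, 40);     // 40 minutes old: outside the 15-minute window
  return lines;
}

// Baseline top senders from a quiet period (constructed).
const BASELINE_TOP = [{ device: 'ids-core01' }, { device: 'proxy-dmz' }, { device: 'ad-dc01' }];

function analyze(lines = sampleLines(), now = NOW, baseline = BASELINE_TOP) {
  const top = topDevices(countByDevice(lines, now));
  return { top, flagged: newcomers(top, baseline) };
}
```

    Running `analyze()` on the constructed sample ranks fw-branch07 first with 40 of the 60 in-window events and flags it, while ad-dc01 drops out because its events are older than 15 minutes. The share threshold is deliberately a parameter: a device that only just enters the top 10 with a few percent of the count is normal churn, whereas one that suddenly owns most of the message volume is the situation the guide tells you to investigate.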
  • Page 28: Enterprise Security State

    USING THE DASHBOARD. Reports: The Reports option allows you to display the top recently generated reports. The display provides the report title, the time and date the report was generated, and the format of the report. Enterprise Security State: The Enterprise Security State represents your network's current security posture. The security state is formulated from monitoring the security data from flows, external events, and security data to create a single metric that reveals the security...
  • Page 29: Enterprise Vulnerability State

    Enterprise Vulnerability State. Vulnerability Risk - The vulnerability risk level (0 to 10) applied to an asset. This is a weighted value applied by calculating the average of the risks of each asset in your network. Network Weight - The numerical value applied to the importance of each ...
  • Page 30: System Summary

    USING THE DASHBOARD. System Summary: The Summary item provides a high-level summary of activity within the past 24 hours. Within the Summary item, you can view the following information: Flows (Past 24 Hours) - Specifies the total number of active flows seen within ...
  • Page 31: Using The Network Surveillance Menu Global Views

    MANAGING NETWORK ACTIVITY: The Network Surveillance interface allows you to monitor behavioral profiles of systems and applications when security breaches or other behavior is suspected. You can investigate and scrutinize your network traffic from all available STRM views. This chapter provides information on using the Network Surveillance interface including: Using the Network Surveillance Menu; ...
  • Page 32: Asset Map

    MANAGING NETWORK ACTIVITY. Flow Types - Displays traffic by specific flow types. Custom Views - Displays traffic for any Custom Views. By default, the Custom Views include the following ASN and IfIndex views. These views are populated when STRM detects Autonomous System Number (ASN) and IfIndex values from network flows.
  • Page 33: Bookmarks

    Using the Network Surveillance Menu. Bookmarks: You can create a bookmark from any area on the STRM graphs. This allows you to access your bookmarks at any time to revisit a specific network location or specific time frame. When creating a bookmark, the following options are available: Add With Time - Saves the QRL with the time period that is displayed on the ...
  • Page 34: Viewing Network Activity

    MANAGING NETWORK ACTIVITY. Toggle Auto Refresh - Allows you to enable or disable the automatic graph refresh. When disabled, the countdown timer is not displayed on the graphs. By default, the automatic refresh is enabled. Viewing Network Activity: The graphs are the main components of the Network Surveillance interface. The graphs are a graphical representation of your network objects; ...
  • Page 35 Viewing Network Activity Your network administrator can enable or disable any Global View. Disabling views saves processing power on large structured networks. Depending on your current network activity or the type of traffic you are monitoring, some views may be of more value than others. Note: You must have administrative permissions to enable/disable views.
  • Page 36: Changing The View

    MANAGING NETWORK ACTIVITY. Scale - The scale option, located on the top left above the graph, allows you to adjust the graph view. The plus and minus signs allow you to zoom in or zoom out to change the appearance of the traffic. When zooming in on the traffic, the measured increment reduces in size.
  • Page 37 Viewing Network Activity ... networks. When you select a Global or Custom View, the Pivot To box displays the available navigation options for that view. To change the view: Step 1: From the main STRM interface, click the Network Surveillance tab. The Network Surveillance window appears.
  • Page 38: Changing Flow Attributes

    MANAGING NETWORK ACTIVITY. Changing Flow Attributes: You can change the flow attributes on the graphs using the options available in the Layers box. You can display bytes per second, packets per second, and hosts per interval. Each option has a series of items to display specific details of your current view. Table 3-2 Layers Box: Parameter / Description ...
  • Page 39: Changing Traffic Location

    Viewing Network Activity. Changing Traffic Location: You can change the location of traffic that the graphs display using the QRL Definition box. Used with the Pivot To function, the QRL Definition allows you to navigate between views. The QRL Definition lists the components that are displayed on, or removed from, the traffic shown on the graphs.
  • Page 40: Investigating Traffic Using Topn Viewing The Topn Information

    MANAGING NETWORK ACTIVITY. ... entire list of legend components, select QRL Options > Expand Legend from the menu. Investigating Traffic Using TopN: You can determine which areas of your network are generating the highest level of activity. The TopN box reveals details of the view that is currently displayed on your graphs.
  • Page 41: Investigating Traffic

    Investigating Traffic Using TopN. Unique Ports - Available only when viewing the Local Networks View. Specifies the traffic layer as the number of ports in use. Options include: Normal, Log, and 1/X. Investigating Traffic: To investigate traffic using TopN: Click the Network Surveillance tab.
  • Page 42: Investigating Flows

    MANAGING NETWORK ACTIVITY. Inbound Local - The highest level of activity for inbound local bytes. Inbound Remote - The highest level of activity for inbound remote bytes. Outbound Local - The highest level of activity for outbound local bytes. Outbound Remote - The highest level of activity for outbound remote bytes.
  • Page 43 Investigating Flows byte sizes, packet lengths, and flow counts for both sending and receiving transmissions. The types of traffic for your network appear in the dynamic legend located beside your graphs. This includes all traffic types found on your network. Also, STRM identifies your network location by visually displaying a marker on the lower left corner of your graph.
  • Page 44 MANAGING NETWORK ACTIVITY. The results appear. For more information on interpreting results, see Chapter 7 Using the Flow Viewer. To search for a single IP address, click Search. The Flow Search window appears. For more information, see Chapter 7 Using the Flow Viewer.
  • Page 45 MANAGING SENTRIES: Sentries provide an alerting function for your network. A sentry can monitor any number of views and generate an alert when traffic in one of the monitored views meets the specified criteria. A non-administrative user can create sentries; however, only an administrative user can configure advanced sentries on a system-wide basis.
  • Page 46: About Sentries

    MANAGING SENTRIES. About Sentries: You can create sentries that perform actions when specified conditions are met. These actions can include sending an e-mail notification or storing sentry event information. You can also add sentry alerts for a specific traffic type. You can save Packages for use with other sentries.
  • Page 47 About Sentries You can also specify that any undesirable actions must occur for a particular period of time before an alert generates. For example, you can configure a sentry indicating that a mail server must communicate with a large number of additional hosts for several minutes before an alert generates.
  • Page 48: Viewing Sentries

    MANAGING SENTRIES. A Security/Policy sentry is useful for detecting undesirable policy issues such as remote access to client networks, Peer-to-Peer (P2P)/Instant Messaging (IM) or other misuse applications, or inappropriate use of business applications. Threshold: A Threshold sentry monitors your deployment for activity that exceeds the configured threshold of the sentry.
  • Page 49: Creating A Sentry

    Creating a Sentry. Table 4-1 provides the details of the Sentry List window: Table 4-1 Sentry List Window: Parameter / Description. Name: Specifies the name of the configured item. Owner: Specifies the name of the user who created the sentry. Action: Provides one of the following options: Allows you to edit the details. ...
  • Page 50 MANAGING SENTRIES. Creating a Security/Policy Sentry: A Security/Policy sentry monitors your deployment for any security or policy offense. To create a Security/Policy sentry: Step 1: Click the Network Surveillance tab. The Network Surveillance interface appears. Step 2: Navigate to the appropriate view you wish the sentry to apply to. For information on navigating views, see Chapter 3 Managing Your Network...
  • Page 51 Creating a Sentry. Step 5: Enter values for the parameters: Table 4-2 Security/Policy Sentry Parameters: Parameter / Action. Objects: Using the menu tree, select the view object you wish this sentry to monitor. This list includes the objects in your network. All selected objects appear under Selected Components.
  • Page 52 MANAGING SENTRIES. Table 4-2 Security/Policy Sentry Parameters (continued): Parameter / Action. Time of day is relevant: Select the check box if you wish this sentry to consider the time of day. When selected, the time of day fields appear. Using the drop-down list box, select the time of day you wish this sentry to consider.
  • Page 53 Creating a Sentry. Table 4-3 Sentry Attributes Parameters (continued): Parameter / Action. Maximum emitted events per IP: Specify the maximum number of times you wish this event to generate per IP address. For example, if you set the maximum to 2, only two events are generated per attacker IP address.
  • Page 54 MANAGING SENTRIES. Table 4-4 Sentry Response Parameters (continued): Parameter / Sub-Parameter / Action. Trigger / Trigger Script: Using the drop-down list box, specify the action you wish the sentry engine to perform. The options include: Trigger Script - Specify if you wish this sentry to ...
  • Page 55 Creating a Sentry. Creating a Behavior Sentry: A Behavior sentry monitors your network to detect changes in behavior. To create a behavior sentry: Step 1: Click the Network Surveillance tab. The Network Surveillance interface appears. Step 2: Navigate to the appropriate view you wish the sentry to apply to. For information on navigating views, see Chapter 3 Managing Your Network...
  • Page 56 MANAGING SENTRIES. Step 5: Enter values for the parameters: Table 4-6 Behavior Sentry Parameters: Parameter / Action. Current traffic level: Specify the weight (1 to 100) that you wish to assign to the current traffic levels against the learned behaviors and the current trend.
  • Page 57 Creating a Sentry. Table 4-6 Behavior Sentry Parameters (continued): Parameter / Action. Alert sensitivity: Specify the sensitivity level (1 to 100) for this alert. This level indicates how far outside the predicted value the measured value must be before a violation generates. A value of 1 indicates the measured value cannot be outside the predicted value, and a value of 100 indicates the traffic must be more than four times larger than the predicted value.
  • Page 58 MANAGING SENTRIES. Table 4-6 Behavior Sentry Parameters (continued): Parameter / Action. Season length: Specify the length of time you wish this sentry to consider a season. A season is the cycle of data that STRM uses to determine future data flow. For example, the graph below shows that traffic is low on the weekend but peaks regularly during the week.
  • Page 59 Creating a Sentry. Table 4-6 Behavior Sentry Parameters (continued): Parameter / Action. Day of the week is relevant: Select the check box if you wish this sentry to consider the day of the week. When selected, the day of the week fields appear.
  • Page 60 MANAGING SENTRIES. Table 4-7 Sentry Attributes Parameters (continued): Parameter / Action. Weight: Specify the relative importance of this sentry. This determines the ranking that the generated event displays in the Offense Manager. STRM uses the following formula to calculate the weight: (sentry weight + network weight + object weight)/3/time difference, where time difference is: ...
  • Page 61 Creating a Sentry. Table 4-8 Sentry Response Parameters (continued): Parameter / Sub-Parameter / Action. Email / Recipient(s): Specify the recipient(s) of the notification e-mail sent by the sentry engine. Separate multiple entries with a comma. Format: Specify the amount of text included in the e-mail. Options include: Subject Only, Brief, Detailed - Text, Detailed - HTML.
  • Page 62: Creating An Anomaly Sentry

    MANAGING SENTRIES. Creating an Anomaly Sentry: An anomaly sentry monitors your deployment for any abnormal activity. This sentry generates an alert in one of the following situations: If a consistently inactive object becomes active; If a consistently active object becomes inactive; ...
  • Page 63 Creating a Sentry. Step 4: Select the Anomaly option. Click Next. The Sentry Parameters window appears. Step 5: Enter values for the parameters:
  • Page 64 MANAGING SENTRIES. Table 4-9 Anomaly Sentry Parameters: Parameter / Action. Large Window: Specify an extended period of time you wish the system to monitor flows in your network. This gives the system a basis of comparison for traffic over an extended period of time.
  • Page 65 Creating a Sentry. Step 6: Click Next. The Sentry Attributes window appears. Step 7: Enter values for the parameters: Table 4-10 Sentry Attributes Parameters: Parameter / Action. Sentry Name: Specify a name you wish to assign this sentry. Sentry Description: Specify a description for this sentry. Weight: Specify the relative importance of this sentry.
  • Page 66 MANAGING SENTRIES. Table 4-10 Sentry Attributes Parameters (continued): Parameter / Action. Minimum Activations Before Alert: Specify the minimum number of times you wish this activity to occur before an alert generates. We recommend that you specify at least four activations before alert. Delay Between Alerts: Specify the number of intervals, after the first occurrence of this alert, before the next occurrence of this...
  • Page 67: Creating A Threshold Sentry

    Creating a Sentry. Table 4-11 Sentry Response Parameters (continued): Parameter / Sub-Parameter / Action. Trigger / Trigger Script: Using the drop-down list box, specify the action you wish the sentry engine to perform. The options include: Trigger Script - Specify if you wish this sentry to ...
  • Page 68 MANAGING SENTRIES. Step 3: Below the graph, click Add Sentry. The Add Sentry Wizard appears. Step 4: Specify the Threshold option. The Sentry Parameters window appears. Step 5: Enter values for the parameters:
  • Page 69 Creating a Sentry. Table 4-12 Threshold Sentry Parameters: Parameter / Action. Above: Select this option if you wish this sentry to monitor activity above a threshold value. When selected, the Alert if data rate is above field appears. Specify the threshold value. Below: Select this option if you wish this sentry to monitor activity below a threshold value.
  • Page 70 MANAGING SENTRIES. Step 7: Enter values for the parameters: Table 4-13 Sentry Attributes Parameters: Parameter / Action. Sentry Name: Specify a name you wish to assign this sentry. Sentry Description: Specify a description for this sentry. Weight: Specify the relative importance of this sentry. This determines the ranking that the generated event displays in the Offense Manager.
  • Page 71 Creating a Sentry. Table 4-13 Sentry Attributes Parameters (continued): Parameter / Action. Delay Between Alerts: Specify the number of intervals, after the first occurrence of this alert, before the next occurrence of this event. Maximum responses per event: Specify the maximum number of times you wish this event to generate.
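    The Anomaly sentry (Large Window compared with a recent window; alert when a consistently inactive object becomes active or a consistently active one goes quiet) and the Threshold sentry (alert when the data rate is above or below a value) are different detection conditions feeding the same alert gating, which the Sentry Attributes tables describe as Minimum Activations Before Alert and Delay Between Alerts. The block below is an added example written for this page, not STRM code, that models both. The per-interval series are constructed, and because the page does not state exactly how STRM compares the two windows or whether activations must be consecutive, those two choices (mean-over-window against a small activity floor; consecutive activations, reset on any quiet interval) are assumptions made for the example.

```javascript
// Added example, not STRM code: a model of the Anomaly sentry's large/small window
// comparison and the Threshold sentry's above/below check, both driving the common
// gating of "Minimum Activations Before Alert" and "Delay Between Alerts".
// Series are constructed; the window comparison rule and the consecutive-activation
// rule are assumptions (the page does not spell them out).

function mean(xs) {
  return xs.length ? xs.reduce((a, b) => a + b, 0) / xs.length : 0;
}

// Anomaly condition: compare the recent small window with the large window that
// precedes it. Returns 'became-active', 'became-inactive' or null for interval i.
function anomalyCondition({ largeWindow, smallWindow, activeFloor }) {
  return (series, i) => {
    if (i + 1 < largeWindow + smallWindow) return null; // not enough history yet
    const small = series.slice(i + 1 - smallWindow, i + 1);
    const large = series.slice(i + 1 - smallWindow - largeWindow, i + 1 - smallWindow);
    const wasActive = mean(large) > activeFloor;
    const isActive = mean(small) > activeFloor;
    if (!wasActive && isActive) return 'became-active';
    if (wasActive && !isActive) return 'became-inactive';
    return null;
  };
}

// Threshold condition: 'above' / 'below' when the interval's data rate crosses the
// configured bound(s); either bound may be left undefined.
function thresholdCondition({ above, below }) {
  return (series, i) => {
    if (above !== undefined && series[i] > above) return 'above';
    if (below !== undefined && series[i] < below) return 'below';
    return null;
  };
}

// Shared gating: the condition must hold for minActivations consecutive intervals
// before the first alert, and a further alert waits delayBetweenAlerts intervals.
function runSentry(series, condition, { minActivations, delayBetweenAlerts }) {
  const alerts = [];
  let activations = 0;
  let lastAlertAt = -Infinity;
  for (let i = 0; i < series.length; i++) {
    const kind = condition(series, i);
    if (!kind) { activations = 0; continue; }
    activations += 1;
    if (activations < minActivations) continue;
    if (i - lastAlertAt <= delayBetweenAlerts) continue;
    alerts.push({ interval: i, kind });
    lastAlertAt = i;
  }
  return alerts;
}

// Constructed input: an object silent for 30 intervals, 50 flows/interval for 20, then silent.
function anomalySeries() {
  return Array.from({ length: 64 }, (_, i) => (i >= 30 && i < 50 ? 50 : 0));
}
// Constructed input: a 200 B/s link that bursts to 1500 B/s for intervals 10..25.
function rateSeries() {
  return Array.from({ length: 40 }, (_, i) => (i >= 10 && i <= 25 ? 1500 : 200));
}

const GATING = { minActivations: 4, delayBetweenAlerts: 10 }; // four activations, as the guide recommends

function anomalyAlerts() {
  const cond = anomalyCondition({ largeWindow: 20, smallWindow: 4, activeFloor: 5 });
  return runSentry(anomalySeries(), cond, GATING);
}
function thresholdAlerts() {
  return runSentry(rateSeries(), thresholdCondition({ above: 1000 }), GATING);
}
```

    With these inputs the anomaly sentry raises 'became-active' at interval 33 (the fourth consecutive interval in which the 4-interval window is busy while the 20-interval window before it is quiet) and 'became-inactive' at 56, and the threshold sentry raises 'above' at interval 13 and again at 24 once the 10-interval delay has elapsed, but not for every one of the 16 intervals the rate is high. That is the practical value of the two attributes: the activation count suppresses a single-interval blip, and the delay stops one sustained condition from flooding the Offense Manager.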
  • Page 72: Creating A Custom Sentry

    MANAGING SENTRIES. Table 4-14 Threshold Sentry Response Parameters (continued): Parameter / Sub-Parameter / Action. Trigger / Trigger Script: Using the drop-down list box, specify the action you wish the sentry engine to perform. The options include: Trigger Script - Specify if you wish this sentry to ...
  • Page 73 Creating a Sentry. Step 4: Select Custom. Click Next. Note: You can also create a sentry using an existing Package: select the Use an existing Package option and use the drop-down list box to select the desired Package. This option allows you to edit the values of the Package but not the Logic Unit.
  • Page 74 MANAGING SENTRIES. Table 4-15 Custom Sentry Parameters: Parameter / Action. Applications: Using the menu tree, select all applications you wish this sentry to monitor. All selected applications appear under Selected Components. Date is relevant: Select the check box if you wish this sentry to consider the date.
  • Page 75 Creating a Sentry

        var testObj = new CustomFunction($$Counter, other_custom_vars);
        function test() { return testObj.test(); }

    You can use all the functions available in JavaScript as well as the following functions: Table 4-16 JavaScript Functions: Function / Description. thresholdCheck: Monitors policy and threshold objects. By default, this function monitors each object separately.
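    The Logic Unit pattern above is an object built from sentry variables plus a test() entry point that returns true when the sentry should fire. The following self-contained model is an added example for this page, not code from STRM: the real CustomFunction constructor and the built-in thresholdCheck are not defined on this page, so the PerObjectThreshold class, the SENTRY_VARS substitution for $$-variables, and the flow records are all stand-ins constructed for the example. What it demonstrates is the "monitors each object separately" behaviour the table attributes to thresholdCheck: each network object is compared to the threshold on its own count, not on the aggregate.

```javascript
// Added example, not STRM code: a stand-in for the custom sentry Logic Unit pattern
// (object built from sentry variables, test() returns whether to fire). STRM's
// CustomFunction and thresholdCheck are not defined on this page; everything below
// is constructed for illustration.

// Stand-in for the engine's default variables ($$Counter, $$Threshold, ...). The
// engine substitutes them before the logic unit runs; here they are a plain object.
const SENTRY_VARS = { $$Counter: 'flows', $$Threshold: 100 };

// Per-object threshold check: every monitored object keeps its own running counter
// and is compared to the threshold on its own, mirroring the "monitors each object
// separately" default the guide describes for thresholdCheck.
class PerObjectThreshold {
  constructor(counterName, threshold) {
    this.counterName = counterName; // which field of a record to accumulate
    this.threshold = threshold;
    this.counters = new Map();      // object name -> running total
  }
  // Feed one flow record; `object` is the network object the flow belongs to.
  observe(record) {
    const n = Number(record[this.counterName]) || 0;
    this.counters.set(record.object, (this.counters.get(record.object) || 0) + n);
  }
  // Names of objects whose own counter exceeds the threshold.
  violations() {
    return [...this.counters].filter(([, v]) => v > this.threshold).map(([k]) => k);
  }
  // Clear counters at the start of a new interval.
  reset() { this.counters.clear(); }
  // The boolean the logic unit's test() returns.
  test() { return this.violations().length > 0; }
}

// The shape the guide shows: build the object from sentry variables, expose test().
const testObj = new PerObjectThreshold(SENTRY_VARS.$$Counter, SENTRY_VARS.$$Threshold);
function test() { return testObj.test(); }

// Constructed flow records for one interval: three objects. Only DMZ exceeds 100
// flows on its own, although the aggregate (180) would also exceed the threshold.
function sampleRecords() {
  return [
    { object: 'Finance', flows: 40 },
    { object: 'Finance', flows: 30 },
    { object: 'DMZ', flows: 105 },
    { object: 'Guest-WiFi', flows: 5 },
  ];
}

// Evaluate one interval of records against a fresh per-object check.
function evaluateSample(records = sampleRecords()) {
  const check = new PerObjectThreshold(SENTRY_VARS.$$Counter, SENTRY_VARS.$$Threshold);
  records.forEach((r) => check.observe(r));
  return { fired: check.test(), violations: check.violations() };
}
```

    The distinction matters when tuning a custom sentry: an aggregate check over the selected objects would fire on the combined 180 flows and point at nothing in particular, whereas the per-object default fires only for DMZ, which is the object an analyst can actually act on.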
  • Page 76 MANAGING SENTRIES. Table 4-17 Sentry Attributes Parameters: Parameter / Action. Save this as a named logic package: Select the check box if you wish to save this information as a sentry Package. Logic Name: Specify a name you wish to assign to this Package. Description: Specify a description for this Package.
  • Page 77 Creating a Sentry. Table 4-18 Sentry Attributes Parameters (continued): Parameter / Action. Weight: Specify the relative importance of this sentry. This determines the ranking that the generated event displays in the Offense Manager. STRM uses the following formula to calculate the weight: (sentry weight + network weight + object weight)/3/time difference, where time difference is: ...
  • Page 78: Editing A Sentry

    MANAGING SENTRIES. Table 4-19 Sentry Response Parameters (continued): Parameter / Sub-Parameter / Action. Trigger / Trigger Script: Using the drop-down list box, specify the action you wish the sentry engine to perform. The options include: Trigger Script - Specify if you wish this sentry to ...
  • Page 79 Editing a Sentry. Step 4: Update values for the parameters, as necessary. If you are editing a Security/Policy sentry: Table 4-20 Edit Security/Policy Sentry: Parameter / Description. Name: Specify a name for this sentry. Description: Specify a description for this sentry. This description appears as an annotation in the Offense Manager if this sentry causes an offense to generate.
  • Page 80 MANAGING SENTRIES. Table 4-21 Edit Behavior, Anomaly, or Threshold Sentry (continued): Parameter / Description. Maximum responses per event: Specify the maximum number of times you wish this event to generate a response. Is Enabled: Select the check box to enable this sentry. Clear the check box to disable the sentry.
  • Page 81 Editing a Sentry. Table 4-22 Default Variables: Parameter / Description. $$Base: Specify the weight that you wish to assign to the current traffic level against the learned behaviors and the current trend. This variable is for behavioral sentries. A higher value places more weight on the previously recorded value.
  • Page 82 MANAGING SENTRIES. Table 4-22 Default Variables (continued): Parameter / Description. $$SmallWindow: Specify an extended period of time you wish the system to monitor flows in your network. This gives the system a basis of comparison for traffic over an extended period of time. If the large window and small window values exceed a certain threshold, the sentry generates an alert.
  • Page 83 INVESTIGATING OFFENSES: The Offense Manager allows you to investigate offenses, behaviors, anomalies, targets, and attackers on your network. STRM can correlate events and network activity with targets located across multiple networks into the same offense, and ultimately the same network incident. This allows you to effectively investigate each offense in your network.
  • Page 84: Using The Offense Manager

    INVESTIGATING OFFENSES. Marking an Item For Follow-Up; Configuring Notification; Managing Network Anomalies; Exporting Offenses. Using the Offense Manager: Using the Offense Manager interface, you can access the following options for managing security and policy events, behaviors, anomalies, targets, and attackers on your network: Table 5-1 Offense Manager Interface Options: Menu ...
  • Page 85: Managing Offenses

    Managing Offenses. The My Offenses interface appears. For information on managing your offenses, see Managing Offenses. Managing Offenses: You can use the Offense Manager to view a list of offenses that STRM has identified on your network. All offenses are listed with the highest magnitude first.
  • Page 86 INVESTIGATING OFFENSES. Table 5-2 Viewing Offenses Parameters (continued): Parameter / Description. Description: Specifies the details for the offense. Attacker/Src: Specifies the IP address of the attacker or source of the attack. Magnitude: Specifies the relative importance of the offense. The magnitude bar provides a visual representation of all the correlated variables of the offense, attacker, target, or network.
  • Page 87 Managing Offenses. Hint: The top of the panel displays the navigation trail to the current view. If you wish to return to a previously viewed panel, click the panel name on the navigation trail. Hint: To view any section of the summary panel in greater detail, click the associated toolbar option.
  • Page 88 INVESTIGATING OFFENSES. Table 5-3 Offense Details Panel (continued): Parameter / Description. Magnitude: Specifies the relative importance of the offense. The magnitude bar provides a visual representation of all the correlated variables of the offense, attacker, target, or network. Variables include Relevance, Severity, and Credibility. Point your mouse at the magnitude bar to display the values and the calculated magnitude.
  • Page 89 Managing Offenses. Table 5-3 Offense Details Panel (continued): Parameter / Description. Assigned to: Specifies the user assigned to this offense. If no user is assigned, this field indicates Not Assigned. Click Not Assigned to assign this offense to a user. Attacker Summary: Specifies details of the attacker that created this offense.
  • Page 90 INVESTIGATING OFFENSES. Table 5-3 Offense Details Panel (continued): Parameter / Description. Last Events: Specifies the date and time that this event was detected for this category in this offense. Top 5 Targets: Specifies the top 5 local targets, organized by magnitude, which are part of this offense.
  • Page 91 Table 5-3 Offense Details Panel (continued). Destination: Specifies the destination IP address or name of this event. Start Time: Specifies the date and time when the first event was detected in this normalized event. Top 5 Annotations: Specifies the top 5 annotations for this offense. Click Annotations to view additional information.
  • Page 92 Table 5-4 Offense Panel Toolbar (continued). Icon / Function: Allows you to view all local targets for this offense including: • Flag - Specifies action taken on the offense, for example, if a flag appears, the offense is marked for follow-up or if a user icon appears, the offense has been assigned to a user.
  • Page 93 Table 5-4 Offense Panel Toolbar (continued). Icon / Function: Allows you to view category information for this offense including: Hint: You can also further investigate the events relating to a specific category by right-clicking the category and selecting Events.
  • Page 94: Searching Offenses

    Table 5-4 Offense Panel Toolbar (continued). Icon / Function: Allows you to search for all events for this offense. For information on searching events, see Chapter 6 Using the Event Viewer. The number of event results displayed is determined by the Web Max Matched Results parameter in the System Settings.
  • Page 95 Step 4: Enter values for the parameters: Table 5-5 Offense Search Parameters. Offense Id: Specify the offense identifier you wish to search. Attacker IP: Specify the IP address or CIDR range of the attacker. Assigned to: Using the drop-down list box, select a specific user to search for offenses assigned to that user.
  • Page 96: Removing Offenses

    Table 5-5 Offense Search Parameters (continued). Last Event Between: Select the check box if you wish to search offenses whose last detected event occurred within a certain time period. Once you select the check box, use the calendar to select the dates you wish to search.
  • Page 97 • Closing Filtered Offenses • Hiding Offenses. To hide an offense: Step 1: Click the Offense Manager tab. The Offense Manager window appears. Step 2: Click All Offenses. The Offenses panel appears. Step 3: Select the offense you wish to hide. Hint: To hide multiple offenses, hold the CTRL key while you select each offense you wish to hide.
  • Page 98: Assigning Offenses To Users

    Step 4: From the Actions drop-down list box, select Close. A confirmation window appears. Step 5: Click Ok. The Offense Summary window appears with the original option selected in the navigation menu. Note: Once you close an offense, the counts that appear in the By Category section of the Offense Manager may take several minutes to reflect the closed offense.
  • Page 99: Viewing Offense By Category

    Step 5: From the Username drop-down list box, select the user you wish to assign this offense to. Step 6: Click Save. The offense is assigned to the selected user. The user icon appears in the Flag column of the offenses, indicating the offense is assigned.
  • Page 101 Table 5-6 By Category Window Parameters. Category Name: Allows you to view offenses based on the following high-level categories: • Application - Events relating to application activity. • Access - Events resulting from an attempt to access network...
  • Page 102 Table 5-6 By Category Window Parameters (continued). • System - Events related to system changes, software installation, or status messages. • User Defined - Events related to custom rules. • VIS Host Discovery - Events related to Vulnerability...
  • Page 103: Managing Offenses By Attacker Viewing Offenses By Attacker

    For information on managing offenses, see Managing Offenses. Managing Offenses By Attacker: You can view offenses by attacker. An attacker is the source host that has generated offenses as a result of attempting to attack your system. All attackers are listed with the highest magnitude first.
  • Page 104 The Attacker/Source panel provides the following information: Table 5-7 Attacker/Source Parameters. Follow-up Flag: Specifies action taken on the attacker, for example, if a flag appears, the attacker is marked for follow-up. Point your mouse over the icon to display additional information. Identify: Specifies the IP address of the attacker.
  • Page 105 Table 5-8 View Options. Icon / Option: Displays all targets for the attacker. Displays all offenses for this attacker. The Attacker details panel appears. Hint: If you wish to view the offense in a new window, press CTRL+double-click. The details panel provides the following information: Hint: The top of the panel displays the navigation trail to the current view.
  • Page 106 Table 5-9 Attacker Details Panel (continued). Location: Specifies the location of the attacker. Offense(s): Specifies the names of the offenses associated with this attacker. To view additional information on the offense, click the name or term that appears. Local: Specifies the local target of the offense.
  • Page 107 Table 5-11 List of Local Targets (continued). IP/DNS Name: Specifies the IP address of the target. If DNS lookups are enabled in the STRM Administration Console, you can view the DNS name by pointing your mouse over the IP address or asset name. For more information, see the STRM Administration Guide.
  • Page 108 Table 5-13 List of Offenses. Flag: Specifies action taken on the offense, for example, if a flag appears, the offense is marked for follow-up or if a user icon appears, the offense has been assigned to a user. Point your mouse over the icon to display additional information.
  • Page 109 Table 5-14 Offense Panel Toolbar (continued). Icon / Function: Allows you to view category information for this offense including: Hint: You can also further investigate the events relating to a specific category by right-clicking the category and selecting Events.
  • Page 110: Searching Attackers

    Table 5-14 Offense Panel Toolbar (continued). Actions: Using the Actions drop-down list box, you can choose one of the following actions: • Hide - Allows you to hide this offense. For more information on hiding offenses, see Hiding Offenses. • Show - Allows you to show all hidden offenses.
  • Page 111 Table 5-15 Attacker Search Parameters (continued). Event Count: Using the drop-down list box, select if you wish to search for an event count equal to, less than, or greater than the configured value. Start Date Between: Select the check box if you wish to search attackers whose existence was first recorded in the STRM database during a certain time period.
  • Page 112: Managing Offenses By Targets

    Managing Offenses By Targets: You can view a list of local targets for offenses generated in your deployment. All targets are listed with the highest magnitude first. This section includes: • Viewing Offenses By Targets • Searching Targets. Viewing Offenses By Targets: To view offenses by targets:...
  • Page 113 Table 5-16 Viewing Target Parameters. Magnitude: Specifies the relative importance of the target. The magnitude bar provides a visual representation of all the correlated variables of the target. Variables include the vulnerability assessment risk and threat under.
  • Page 114 Hint: The top of the panel displays the navigation trail to the current view. If you wish to return to a previously viewed panel, click the panel name on the navigation trail. The Local Targets details panel provides the following information: Table 5-18 Targets Details Panel...
  • Page 115 Table 5-18 Targets Details Panel (continued). Attacker(s)/Src: Specifies the attackers of the offense associated with this target. To view additional information on the attackers, click the IP address or term that appears. If the attacker is a single source, an IP address appears. You can click the IP address to view the target details.
  • Page 116 Table 5-20 List of Offenses (continued). Magnitude: Specifies the relative importance of this target. The magnitude bar provides a visual representation of all the correlated variables of the target. Variables include credibility, relevance, and severity. Point your mouse to the magnitude bar to display values and the calculated magnitude.
  • Page 117 Table 5-21 Offense Panel Toolbar (continued). Icon / Function: Allows you to view all targeted networks for this offense including: • Flag - Specifies action taken on the offense, for example, if a flag appears, the offense is marked for follow-up or if a user icon appears, the offense has been assigned to a user.
  • Page 118: Searching Targets

    Table 5-22 List of Attackers (continued). Magnitude: Specifies the relative importance of this attacker. The magnitude bar provides a visual representation of all the correlated variables of the attacker. Variables include the vulnerability assessment risk and the amount of threat posed. Point your mouse to the magnitude bar to display values for the offense and the calculated magnitude.
  • Page 119 Step 4: Enter values for the parameters: Table 5-24 Target Search Parameters. Target IP: Specify the IP address of the target. Magnitude: Using the drop-down list box, select if you wish to search for a magnitude equal to, less than, or greater than the configured value.
  • Page 120: Managing Offenses By Networks

    Managing Offenses By Networks: You can view the list of offenses grouped by network. All networks are listed with the highest magnitude first. This section includes: • Viewing Offenses By Networks • Searching Networks. Viewing Offenses By Networks: To view offenses by networks: Click the Offense Manager tab.
  • Page 121 Table 5-25 Viewing Network Parameters (continued). Magnitude: Specifies the relative importance of the attacks in the network. The magnitude bar provides a visual representation of all the correlated variables of the network. Variables include the threat posed, threat under, and vulnerability risk: • Threat Posing - The calculated value for this network over...
  • Page 122 Hint: The top of the panel displays the navigation trail to the current view. If you wish to return to a previously viewed panel, click the panel name on the navigation trail. The Networks details panel provides the following information: Table 5-27 Networks Details Panel...
  • Page 123 Table 5-27 Networks Details Panel (continued). Attacker(s)/Src: Specifies the attacker of this network. To view additional information on the attacker, click the IP address or term that appears. If the attacker is a single source, an IP address appears. You can click the IP address to view the attacker details.
  • Page 124 Table 5-29 List of Attackers (continued). Magnitude: Specifies the relative importance of this attacker. The magnitude bar provides a visual representation of all the correlated variables of the attacker. Variables include the vulnerability assessment risk and the amount of threat posed. Point your mouse to the magnitude bar to display values for the offense and the calculated magnitude.
  • Page 125 Table 5-31 List of Targets (continued). Magnitude: Specifies the relative importance of this target. The magnitude bar provides a visual representation of all the correlated variables of the target. Point your mouse to the magnitude bar to display values for the offense and the calculated magnitude.
  • Page 126 The List of Offenses appears. Table 5-33 List of Offenses. Flag: Specifies action taken on the offense, for example, if a flag appears, the offense is marked for follow-up or if a user icon appears, the offense has been assigned to a user. Point your mouse over the icon to display additional information.
  • Page 127 Table 5-34 Offense Panel Toolbar. Icon / Function: Allows you to view all attackers for this offense including: • Flag - Specifies action taken on the attacker, for example, if a flag appears, the attacker is marked for follow-up. Point your mouse over the icon to display additional information.
  • Page 128 Table 5-34 Offense Panel Toolbar (continued). Icon / Function: Allows you to view all local targets for this offense including: • Flag - Specifies action taken on the offense, for example, if a flag appears, the offense is marked for follow-up or if a user icon appears, the offense has been assigned to a user.
  • Page 129 Table 5-34 Offense Panel Toolbar (continued). Icon / Function: Allows you to view category information for this offense including: Hint: You can also further investigate the events relating to a specific category by right-clicking the category and selecting Events.
  • Page 130: Searching Networks

    Table 5-34 Offense Panel Toolbar (continued). Actions: Using the Actions drop-down list box, you can choose one of the following actions: • Hide - Allows you to hide this offense. For more information on hiding offenses, see Hiding Offenses. • Show - Allows you to show all hidden offenses.
  • Page 131: Marking An Item For Follow-Up

    Table 5-35 Networks Search Parameters (continued). Threat Posing: Using the drop-down list box, select if you wish to search for a threat posed equal to, less than, or greater than the configured value. Event Count: Using the drop-down list box, select if you wish to search for an event count equal to, less than, or greater than the configured value.
  • Page 132: Configuring Notification

    Step 5: Enter any notes you wish to include for this offense. You can enter notes up to 2000 characters. Step 6: Click Save. Notes are added to this offense. For all offenses that have notes attached, a notes icon appears in the flag column of the summary interface.
  • Page 133: Managing Network Anomalies

    Step 5: In the Email address(es) field, enter the email address of the user you wish to notify if a change occurs to the selected offense. Separate multiple e-mail addresses with a comma. Step 6: Click Save. Managing Network Anomalies: You can create sentries for your deployment and if an event generates as a result...
  • Page 134 Step 3: Double-click the offense you wish to view. The details panel appears. The details panel provides the following information: Table 5-36 Details Panel. Incident: Specifies the last five incidents for a network anomaly offense. A network anomaly offense can contain multiple incidents that occur under certain conditions.
  • Page 135: Closing Offenses

    Table 5-36 Details Panel (continued). Network Location: Specifies the network location where the event occurred. Layer: Specifies the layer in which the network anomaly offense was generated. Event Number: Specifies the number for the event. This number increments for each event.
  • Page 136: Forwarding Network Anomaly Offenses

    Closing All Offenses: To close all offenses: Step 1: Click the Offense Manager tab. The Offense Manager appears. Step 2: In the navigation menu, click Network Anomalies. The Network Anomalies panel appears. Step 3: Click Close All. Forwarding Network Anomaly Offenses: A non-administrative user can create sentries; however, only administrative users can configure advanced sentries on a system-wide basis.
  • Page 137: Exporting Offenses

    Exporting Offenses: You can export offenses in Extensible Markup Language (XML) or Comma Separated Values (CSV). To export offenses: Step 1: Click the Event Viewer tab. The Offense Manager window appears. Step 2: Choose one of the following: If you wish to export the offenses in XML format, select Export to XML from the Actions drop-down list box.
  • Page 139 USING THE EVENT VIEWER An event is an action that occurs on a network or a host. The Event Viewer allows you to monitor and investigate events in real-time or perform advanced searches. The Event Viewer indicates which events are being correlated to offenses and which are not.
  • Page 140: Using The Event Viewer Interface

    Using the Event Viewer Interface: This section provides information on using the Event Viewer interface including: • Using the Toolbar • Using the Right-Click Menu Options. Using the Toolbar: Using the toolbar, you can access the following options: Table 6-1 Toolbar Options...
  • Page 141: Viewing Events

    Table 6-2 Right-Click Options (continued). Filter on: Allows you to filter on the selected event, depending on the selected item in the event. For example, if you right-click on a Category of IP Protocol Anomaly, the following filter options appear: Filter on Category is IP Protocol Anomaly; Filter on Category is not IP Protocol Anomaly...
  • Page 142 Step 2: From the Display drop-down list box, select None. Table 6-3 Event Viewer. Current Filters: The top of the table displays the details of the filter applied to the search results. To clear these filter values, click Clear Filter. Viewing the Associated: Allows you to view details of the offense associated with this event.
  • Page 143 Step 3: Double-click the event you wish to view in greater detail. The event details window appears. The event details provide the following information: Table 6-4 Event Details. Event Name: Specifies the normalized name of the event. Low Level: Specifies the low-level category of this event.
  • Page 144 Table 6-4 Event Details (continued). Pre NAT Source Port: For a firewall or another device capable of NAT, this parameter indicates the source port before the NAT values were applied. Pre NAT Destination IP: For a firewall or another device capable of NAT, this parameter indicates the destination IP address before the NAT values were applied.
  • Page 145: Viewing Raw Events

    The event details provide the following functions: Table 6-5 Event Details Toolbar. Icon / Function: Allows you to return to the list of events. Allows you to display the offenses that the event was correlated to. Allows you to edit the event mapping. For more information, see Modifying Event Mapping. Allows you to tune the event viewer to prevent false positive events from generating offenses.
  • Page 146: Viewing Aggregate Normalized Events

    Table 6-6 Raw Events Parameters (continued). Start Time: Specifies the time of the first event, as reported to STRM by the device. Device: Specifies the device that originated the event. Payload: Specifies the original event payload information in UTF-8 format. Viewing Aggregate Normalized Events: Using the Event Viewer, you can view events aggregated (grouped) by various...
  • Page 147 Table 6-7 Aggregate Normalized Events (continued). Relevance: Relevance indicates the significance of an event. This option displays a summarized list of events grouped by the relevance of the event. Username: Displays a summarized list of events grouped by the username associated with the events.
  • Page 148 Table 6-7 Aggregate Normalized Events (continued). Event Type/Device Group: Displays a summarized list of events grouped by the event name and the device group. Device Group/High Level Cat: Displays a summarized list of events grouped by the device group and the high-level category.
  • Page 149 Table 6-7 Aggregate Normalized Events (continued). Src IP/Dst IP/Low Level Cat: Displays a summarized list of events grouped by the source IP address to destination IP addresses and the low-level category. For more information on categories, see the Event Category Correlation Reference Guide.
  • Page 150 Table 6-8 Event Name Parameters (continued). Source IP: Specifies the source IP address associated with this event. If there are multiple IP addresses associated with this event, this field indicates Multiple and the number. Destination IP: Specifies the destination IP address associated with this event.
  • Page 151: Searching Events

    Searching Events: The Event Viewer allows you to search for a specific event or a set of events. You can also save event search criteria for future use. This section provides information on searching events including: • Searching Events...
  • Page 152 Table 6-9 Event Search Criteria. Saved Searches: Using the drop-down list box, select a previously saved search you wish to apply to this search, if desired. Other options include: • Delete - Using the drop-down list box, select the search you...
  • Page 153 Table 6-9 Event Search Criteria (continued). Search Order: Specify the order you wish to display for the search results. The options are: Descending or Ascending. Step 4: Click Filter. If you selected a sort criterion in your Search Parameters, the normalized events appear.
  • Page 154: Deleting Saved Searches

    Table 6-10 Save Search Parameters. Include in my Quick Searches: Select the check box if you wish to include this search in your Quick Search items, which is available in the Search drop-down list box. Share with: Select the check box if you wish to share these search requirements...
  • Page 155: Modifying Event Mapping

    For information on managing offenses, see Chapter 5 Investigating Offenses. Modifying Event Mapping: STRM automatically maps an event of a Device Support Module (DSM), also known as a sensor device, for normalization purposes. Using the event mapping tool, you can associate or map a normalized or raw event to a high-level and low-level category (or QID).
  • Page 156 Step 4: Choose one of the following options: If you know the QID that you wish to map to this event, enter the desired QID in the Enter QID field. Go to Step. If you wish to search for a particular QID, go to Step. Step 5: To search for a particular QID or high and low-level categories that you wish to...
  • Page 157: Tuning False Positives

    Tuning False Positives: You can use the Event Viewer to tune out False Positive events from created offenses in STRM by using the False Positive Tuning function. You must have appropriate permissions for creating customized rules to tune false positives. For more information on roles, see the STRM Administration Guide.
  • Page 158: Exporting Events

    Note: STRM does not allow you to select both Any Events and Any Source or Destination, since this builds a custom rule that would cause STRM to stop creating offenses. Step 6: Click Tune. Note: You can tune false positive events from the summary or details panel. Exporting Events: You can export events in Extensible Markup Language (XML) or Comma Separated Values (CSV).
  • Page 159 USING THE FLOW VIEWER The Flow Viewer allows you to monitor and investigate flow data in real-time or perform advanced searches. A flow is a communication session between two hosts. Viewing flow information allows you to determine how the traffic is communicated, what was communicated (if the content capture option is enabled), and includes such details as protocols, ASN values, IfIndex values, or priorities.
  • Page 160: Using The Flow Viewer Interface

    Using the Flow Viewer Interface: This section provides information on using the Flow Viewer interface including: • Using the Toolbar • Using the Right-Click Menu Options. Using the Toolbar: Using the toolbar, you can access the following options: Table 7-1 Flow Viewer Interface Options...
  • Page 161: Viewing Flows

    Viewing Flows: By default, the Flow Viewer displays flows that occurred during the previous minute. The interface refreshes each minute. You can also view flows using one of the following options: • Viewing Flows • Viewing Aggregated Flows. Viewing Flows: To view flows: Click the Flow Viewer tab.
  • Page 162 Table 7-2 Flow Viewer Parameters (continued). Total Bytes: Specifies the total number of bytes associated with the flow. Source Packets: Specifies the total number of packets from the source. Destination Packets: Specifies the total number of packets from the destination. Total Packets: Specifies the total number of packets associated with the flow.
  • Page 163 The flow details provide the following information: Table 7-3 Flow Details. Flow Type: Specifies the flow type. Protocol: Specifies the protocol associated with this flow. Flow Direction: Specifies the direction of the host that started the flow. For example, if the first flow indicates the direction as in but bytes/packets are inbound, the remote IP address started the flow.
  • Page 164: Viewing Aggregated Flows

    Table 7-3 Flow Details (continued). Source ASN: Specifies the source ASN number. Destination ASN: Specifies the destination ASN number. Source ifIndex: Specifies the source ifIndex number. Destination ifIndex: Specifies the destination ifIndex number. Start Time: Specifies the start time of the flow, as reported to STRM by the device.
  • Page 165 Table 7-4 Aggregate Flows (continued). Destination Network: Displays a summarized list of flows grouped by the destination network of the flow. Application: Displays a summarized list of flows grouped by the application that originated the flow. Protocol: Displays a summarized list of flows grouped by the protocol responsible for the flow.
  • Page 166 Table 7-4 Aggregate Flows (continued). Src IP/Application: Displays a summarized list of flows grouped by the source IP address and the application responsible for the flow. Src IP/Dst IP: Displays a summarized list of flows grouped by the source and destination IP addresses.
  • Page 167 Table 7-5 Source or Destination Parameters (continued). Graphs: Displays a bar chart representing the top 10 aggregates, depending on the chosen aggregate option. Click Hide Chart if you wish to remove the graph from your display. Legend Reference: A colored box in this field associates this flow with the graph.
  • Page 168 Table 7-6 Aggregate Parameters (continued). Destination Port: Specifies the destination port of the flow. If there are multiple destination ports associated with this event, this field indicates Multiple and the number. Destination Network: Specifies the destination network of the flow. If there are multiple destination networks associated with this event, this field indicates Multiple and the number.
  • Page 169 Table 7-7 Application (continued). Source IP: Specifies the number of source IP addresses associated with this flow. Source Network: Specifies the source network of the flow. If there are multiple source networks associated with this event, this field indicates Multiple and the number.
  • Page 170: Using The Search

    Using the Search: The Flow Viewer allows you to search for a specific flow or a set of flows. You can also save flow search criteria for future use. This section provides information on searching flows including: • Searching Flows...
  • Page 171 Table 7-8 Flow Search Criteria. Saved Searches: Using the drop-down list box, select a previously saved search you wish to apply to this search, if desired. Other options include: • Delete - Using the drop-down list box, select the search you...
  • Page 172 Table 7-8 Flow Search Criteria (continued). Rank By: Allows you to rank your search results using one of the following options: • Bytes In • Bytes Out • Total Bytes • Packets In • Packets Out • Total Packets...
  • Page 173: Exporting Flows

    Table 7-9 Save Search Parameters. Search Name: Specify a name you wish to assign to this search criteria. Time Range: Choose one of the following options: • Real Time - Select this option if you wish to filter on flows while in...
  • Page 174 The status window appears. When the export is complete, the window disappears; or click Notify When Done to resume your activities and receive a notification when the export is complete.
  • Page 175: Searching Asset Profiles

    MANAGING ASSETS STRM automatically discovers assets (servers and hosts) operating on your network, based on passive QFlow data as well as vulnerability data, allowing STRM to build an asset profile. Asset profiles display what services are running on each asset. This profile data is used for correlation purposes to help reduce false positives: for example, if an attack occurs trying to exploit a specific service running on a specific asset, STRM can determine if the asset is vulnerable to this attack by correlating the attack to the asset profile.
  • Page 176 Step 3: Choose one of the following options: • Current - Searches current asset profile values. This is the default. • History - Searches the database for assets associated with a specific user name, user group, MAC address, or within a specified time frame. Step 4: Enter values for the parameters: Table 8-1 Assets Panel...
  • Page 177 Table 8-1 Assets Panel (continued). User Name: Specify the user of the asset. This field supports using special characters to aid your search, including: * - Specifies any text. ? - Specifies any single character. ! - Specifies that you wish to change the * or ? symbol to a valid symbol.
  • Page 178 Table 8-1 Assets Panel (continued). Date Range: Select the date range check box. Using the To and From fields, select the date and time you wish to search. This option only appears if you select the History option. Step 5: Choose one of the following options: If you wish to search for all asset profiles in your deployment, click Show All.
  • Page 179 Table 8-2 Asset Window. Weight: Specifies the asset weight of the asset. Last Seen: Specifies the last date and time that the asset appeared. If the asset was manually entered but never actively or passively seen, the column indicates Never.
  • Page 180 Table 8-3 Asset Profile Window (continued). How Threatened: Specifies the threat level (0 to 10) to the asset, where 0 is the lowest and 10 is the highest. This is a weighted value against all other hosts in your deployment. Asset Weight: Using the drop-down list box, specify the level of importance you wish to associate with this asset.
  • Page 181: Adding An Asset Profile

    Adding an Asset Profile Table 8-5 History Information (continued) Parameter Description Machine Name Specifies the machine name of this asset. If unknown, this field is blank. User Specifies the user for this asset. If unknown, this field is blank. User Group Specifies the user group for this asset.
  • Page 182: Editing An Asset

    MANAGING ASSETS Table 8-6 Add Asset Profile Parameters (continued) Parameter Description Description Specifies the description of the asset. Asset Weight Using the drop-down list box, specify the asset weight you wish to assign to this asset. The range is 0 to 10. Click Save.
  • Page 183 Editing an Asset Table 8-7 Asset Profile Window (continued) Parameter Description Operating System Specifies the operating system running on the asset. Host Name (DNS Name) Specifies the IP address or DNS name of the asset. Asset Weight Specify the asset weight of the asset. VA Risk Level Specifies the vulnerability assessment risk level (0 to 10) for the asset where 0 is the lowest and 10 is the highest.
  • Page 184: Deleting Assets

    MANAGING ASSETS Table 8-9 History Information (continued) Parameter Description Machine Name Specifies the machine name of this asset. If unknown, this field is blank. User Specifies the user for this asset. If unknown, this field is blank. User Group Specifies the user group for this asset. If unknown, this field is blank.
  • Page 185: Importing Asset Profiles

    Importing Asset Profiles Step 3 Search for asset profiles. For more information on searching asset profiles, see Searching Asset Profiles. Step 4 From the Actions drop-down list box, select Delete Listed. A confirmation window appears. Delete Listed removes every asset profile returned by the search, so confirm that the results contain only the assets you intend to delete. Step 5 Click Ok. Importing Asset Profiles You can import asset profile information into STRM.
  • Page 186: Exporting Assets

    MANAGING ASSETS Step 4 Click Browse to search for the CSV file you wish to import. Step 5 Click Import Assets to begin the import process. Exporting Assets To export assets in XML or CSV format: Step 1 Click the Assets tab. The Assets window appears.
  • Page 187 MANAGING REPORTS The Reports interface allows you to create, distribute, and manage reports. You can use the Report Wizard to create executive and operational level reports that combine any network traffic and security event data in a single report. STRM provides default templates that you can use to generate your report data at various intervals.
  • Page 188: Using The Reports Interface

    MANAGING REPORTS Using the Reports Interface This section provides information on using the Reports interface, including: • Using the Navigation Menu • Using the Toolbar Using the Navigation Menu The default main Reports interface displays generated reports. The navigation menu provides access to reports, templates, and branding, including: Table 9-1 Navigation Menu Options Menu Columns...
  • Page 189: Using The Toolbar

    Viewing Reports Using the Toolbar You can perform the following actions: Table 9-2 Toolbar Icon Descriptions Option Description Group Using the drop-down list box, allows you to view reports assigned to a specific group. For more information, see Grouping Reports. Allows you to manage report groups.
  • Page 190: Grouping Reports

    MANAGING REPORTS Note: If you are currently using the Firefox browser and you select the RTF report format, this may launch a new browser window. This does not affect STRM; it is a result of the Firefox browser configuration. Close the window and continue with your STRM session.
  • Page 191: Creating A Group

    Grouping Reports Creating a Group To create a group: Step 1 Click the Reports tab. The Reports interface appears. Step 2 Click the Report Templates menu option. A list of templates appears. Step 3 Click Groups. The Reports Group window appears. From the menu tree, select the group under which you wish to create a new group.
  • Page 192: Editing A Group

    MANAGING REPORTS Editing a Group To edit a group: Step 1 Click the Reports tab. The Reports interface appears. Step 2 Click the Report Templates menu option. A list of templates appears. Step 3 Click Groups. The Reports Group window appears. From the menu tree, select the group you wish to edit.
  • Page 193: Deleting A Template From A Group

    Grouping Reports Step 4 From the menu tree, select the template you wish to copy to another group. Step 5 Click Copy. The Choose Group window appears. Step 6 Select the group or groups to which you wish to copy the template. Click Copy.
  • Page 194: Assigning A Report To A Group

    MANAGING REPORTS Step 7 Click Ok. Step 8 If you wish to change the location of the new group, click the new group and drag the folder to the desired location in your menu tree. Step 9 Close the Report Groups window. Assigning a Report to a Group You can assign a generated report or report template to a group.
  • Page 195: Creating A Template

    Creating a Report Creating a Template To create a template: Step 1 Click the Reports tab. The Reports interface appears. Step 2 From the Actions drop-down list box, select Create. The Report Wizard appears. Note: Select the check box if you wish to disable the Welcome page. Select a scheduling option.
  • Page 196 MANAGING REPORTS Table 9-3 Report Scheduling Parameter Default Settings This report should be scheduled to run Manually Generates a report one time only. This is the default setting; however, you may generate this report as often as required. Hourly Schedules the report to generate at the end of each hour, using the data from the previous hour.
  • Page 197 Creating a Report A report can combine several kinds of data. Your network and security data can be presented in a variety of styles, such as tables, pie charts, and bar charts. Styles consist of a number of options, such as delta or baseline. When selecting the layout of a report, consider the type of report you wish to create; do not choose a small chart container for graph content that may display a large number of objects.
  • Page 198 MANAGING REPORTS Step 5 Select values for the following parameters: • Report Title - Specify a title for your report. The title can be up to 100 characters in length; do not use special characters. Note: Your report is saved under the title you enter in this field. •...
  • Page 199 Creating a Report The Layout Preview window appears providing a preview of how your data appears. Note: Charts that appear in the preview window do not display actual data. This is a graphical representation of the layout you have configured. Preview your report.
  • Page 200 MANAGING REPORTS Step 11 Select the desired distribution channels. Click Next. Table 9-4 Report Distribution Parameter Sub-Parameter Description Report Console Select the check box if you wish to send the report to the Reports interface. Note: You must have appropriate network permissions to share your report with other users.
  • Page 201 Creating a Report Step 12 Enter values for the following parameters. Click Next. Table 9-5 Finishing Up Parameter Description Report Template Description Specify a description for this template. This description appears on the Report Summary page and is included in the report distribution e-mail.
  • Page 202: Configuring Charts

    MANAGING REPORTS Configuring Charts The chart type determines how your data and network objects are presented in your report. Data can be charted with several characteristics and created in a single report. The following chart types are available for each template: •...
  • Page 203 Creating a Report Enter values for the following parameters: Table 9-6 Event/Logs Chart Container Details Parameter Description Container Details - Events/Logs Chart Title Specify a chart title to a maximum of 100 characters. Chart Sub-Title Clear the check box to change the automatically created sub-title.
  • Page 204 MANAGING REPORTS Table 9-6 Event/Logs Chart Container Details (continued) Parameter Description Manually Using the calendar, select the range of dates you wish this report to consider. The default is the current date. Using the drop-down list boxes, select a time to begin and end generating the report.
  • Page 205 Creating a Report Flows The Flows Chart allows you to view flow information for a specific period of time. Figure 9-2 Flows Report
  • Page 206 MANAGING REPORTS Enter values for the following parameters: Table 9-7 Flows Container Details Parameter Description Container Details - Events/Logs Chart Title Specify a chart title to a maximum of 100 characters. Chart Sub-Title Clear the check box to change the automatically created sub-title.
  • Page 207 Creating a Report Table 9-7 Flows Container Details (continued) Parameter Description Monthly Choose one of the following options: • All data from previous month • Data from a previous month - Using the drop-down list boxes, select the dates to begin and end generating the report.
  • Page 208 MANAGING REPORTS Enter values for the following parameters: Table 9-8 Time Series Chart Container Details Parameter Description Container Details - Time Series Chart Chart Title Specify a chart title to a maximum of 100 characters. Chart Sub-Title Clear the check box to change the automatically created sub-title.
  • Page 209 Creating a Report Table 9-8 Time Series Chart Container Details (continued) Parameter Description • Stacked_Bar - When selecting this option, you must also select the Timeline Interval from the Additional Details section. • Stacked_Bar_Base_Line - When selecting this option, you must also select the Timeline Interval and choose the Baseline parameters.
  • Page 210 MANAGING REPORTS Table 9-8 Time Series Chart Container Details (continued) Parameter Description Monthly Choose one of the following options: • All data from previous month • Data from a previous month - Using the drop-down list boxes, select the dates to begin and end generating the report.
  • Page 211 Creating a Report Table 9-8 Time Series Chart Container Details (continued) Parameter Description Expand To Include Using the drop-down list box, select an option to include on the graph. Options include: • None - View Objects and Network Locations are graphed...
  • Page 212 MANAGING REPORTS Enter values for the following parameters: Table 9-9 Top Attackers Container Details Parameter Description Container Details - Top Attackers Chart Title Specify a chart title to a maximum of 100 characters. Chart Sub-Title Clear the check box to change the automatically created sub-title.
  • Page 213 Creating a Report Table 9-9 Top Attackers Container Details (continued) Parameter Description Network Location Using the menu tree, select the network(s) for which you wish to generate this chart. Top Offenses The Top Offenses chart displays the TopN offenses currently occurring for the network locations you select.
  • Page 214 MANAGING REPORTS Enter values for the following parameters: Table 9-10 Top Offenses Container Details Parameter Description Container Details - Top Offenses Chart Title Specify a chart title to a maximum of 100 characters. Chart Sub-Title Clear the check box to change the automatically created sub-title.
  • Page 215 Creating a Report Table 9-10 Top Offenses Container Details (continued) Parameter Description Order Results By: Using the drop-down list box, select how the data is sorted on the graph. Options include: • Severity • Magnitude • Relevance • Credibility Graph Content Network Location From the menu tree, select the network(s) you wish to chart data from.
  • Page 216 MANAGING REPORTS Enter values for the following parameters: Table 9-11 Top Targeted Assets Container Details Parameter Description Container Details - Top Targeted Assets Chart Title Specify a chart title to a maximum of 100 characters. Chart Sub-Title Clear the check box to change the automatically created sub-title.
  • Page 217 Creating a Report Table 9-11 Top Targeted Assets Container Details (continued) Parameter Description Network Location From the menu tree, select the network(s) for which you wish to collect this information. TopN Time Series The TopN Time Series chart allows you to create TopN charts for any data that STRM logs over time, such as usage data for Applications, IPs, or Protocols, or rate data for events.
  • Page 218 MANAGING REPORTS Enter values for the following parameters: Table 9-12 TopN Time Series Container Details Parameter Description Container Details - TopN Time Series Chart Chart Title Specify a chart title to a maximum of 100 characters. Chart Sub-Title Clear the check box to change the automatically created sub-title. Enter a title to a maximum of 100 characters.
  • Page 219 Creating a Report Table 9-12 TopN Time Series Container Details (continued) Parameter Description Daily Choose one of the following options: • All data from previous 24 hours • Data of previous day from - Using the drop-down list boxes, select an hour to begin and end generating the report. Time is available in half-hour increments.
  • Page 220: Selecting A Graph Type

    MANAGING REPORTS Table 9-12 TopN Time Series Container Details (continued) Parameter Description Graph top items Using the drop-down list box, select the number of items to include on graphs, then select one of the following: • View Objects - Displays the top view objects selected. •...
  • Page 221 Creating a Report Table 9-13 Available Graph Types (continued) Stacked Base Line Graph - Available with the Time Series chart type. Stacked Bar Base Line Graph - Available with the Time Series chart type. Bar Graph - Available with the Time Series chart type. Horizontal Bar Graph - Available with the following chart types:...
  • Page 222: Using Default Report Templates

    MANAGING REPORTS Table 9-13 Available Graph Types (continued) Pie Graph - Available with the following chart types: • Time Series • TopN Time Series Table Graph - Available with the following charts: • Time Series • Top Attackers • Top Offenses • Top Targeted Assets •...
  • Page 223: Generating A Report

    Generating a Report Step 2 Click the Report Templates menu option. A list of templates appears. Step 3 Point your mouse over the templates and preview the summary information. Step 4 Double-click the desired template. The Report Wizard appears. Make the necessary changes. See Creating a Report.
  • Page 224: Sharing A Report

    MANAGING REPORTS Sharing a Report You can share report templates with other users. This allows you to provide a copy of the selected templates for another user to edit or schedule, as necessary. Once shared, any updates that the other user makes to the shared copy do not affect your version of the template.
  • Page 225 Branding Your Report Step 3 Click Browse to browse the files located on your system. Select the file that contains the desired logo. Click Open. Step 4 The file name appears in the New Image field. Step 5 Click Upload Image to upload the image to STRM. Note: To make sure your browser displays the new logo, clear your browser cache.
  • Page 227: Configuring Tnc Recommendations

    USING TNC RECOMMENDATIONS Trusted Network Connect (TNC) recommendations allow you to restrict or deny network access to users based on user name or other credentials. A TNC recommendation uses the asset profile and user identity data collected by STRM. You must have appropriate network access to use the TNC recommendations function.
  • Page 228 USING TNC RECOMMENDATIONS Step 3 View the TNC Recommendation table to identify possible TNC recommendations. The table provides the following information: Table 10-1 TNC Recommendations Parameter Description MAC Address Specifies the MAC address of the user. Host Name Specifies the host name associated with the user. Machine Name Specifies the name of the system associated with the user.
  • Page 229: Removing Tnc Recommendations

    Removing TNC Recommendations not the user is compliant with policy. The options are Compliant, Minor Non-Compliant, or Major Non-Compliant. • Duration - Select one of the following options: - Continue recommendation indefinitely - Enforces the configured recommendation indefinitely. - Continue action until - Enforces the configured recommendation until the configured date and time.
  • Page 230 USING TNC RECOMMENDATIONS The Existing TNC Recommendations table provides the following information: Table 10-2 Existing TNC Recommendations Parameter Description Allows you to select existing TNC recommendations. Based On Specifies the existing recommended conditions. The options are: mac, host, machine name, user, user group, or extra data. Recommendation Specifies the recommended action.
  • Page 231 GLOSSARY Autonomous System Number Collection of IP networks that all adhere to the same specific and clearly defined routing policy. An AS number (ASN) is a unique ID number assigned to each Autonomous System. active sub-filters Displays any filtering that has been applied to grouped data found in the Search Flows results table.
  • Page 232 GLOSSARY behavior Indicates the normal manner in which the system or network functions or operates. behavior sentry Monitors your deployment to detect changes in behavior. STRM learns how a particular object typically functions over a period of time. This means that STRM records the number of hosts within your network at different points of the day.
  • Page 233 GLOSSARY collector view Allows you to classify flows based on the QFlow Collector and interface from which they originated. credibility Indicates the integrity of an event or offense as determined by the credibility rating from source devices. Credibility increases as multiple sources report the same event.
  • Page 234 GLOSSARY external data views Require input from external products, such as an IDS engine (for example, SNORT) or firewalls (for example, Cisco PIX or Checkpoint Firewall). These external products provide information to STRM on specified IP addresses that are correlated to the flows responsible. STRM monitors flows between these systems and tags traffic between the hosts for a configured period of time.
  • Page 235 GLOSSARY Fully Qualified Network Name (FQNN) Full path name of a certain point in the network hierarchy. For example, Company A's hierarchy has a department object that contains a marketing object. Therefore, the FQNN is CompanyA.Department.Marketing. FQDN See Fully Qualified Domain Name. FQNN See Fully Qualified Network Name.
  • Page 236 GLOSSARY IP Multicast IP Multicast reduces traffic on a network by delivering a single stream of information to multiple users at one time. IP network A group of IP routers that route IP datagrams. These routers are sometimes referred to as Internet gateways. Users access the IP network from a host. Each network in the Internet includes some combination of hosts and IP routers.
  • Page 237 GLOSSARY Local To Remote (L2R) Internal traffic from a local network to a remote network. logic unit Sentry component that includes specific algorithms used to test objects. Magistrate Provides the core processing components of the SIM option. The Magistrate provides views, reports, alerts, and analysis of network traffic and security events. The Magistrate processes each event against the defined custom rules to create an offense.
  • Page 238 GLOSSARY Network Weight The numerical value applied to each network that signifies the importance of the network. The Network weight is user defined. offense Includes multiple events from one host. Open Systems Interconnection (OSI) A framework of ISO standards for communication between different systems made by different vendors, in which the communications process is organized into seven different categories that are placed in a layered sequence based on their...
  • Page 239 GLOSSARY STRM Identifier. A mapping of a single event of an external device to a Q1 Labs unique identifier. STRM Request Language (QRL) Specifies what information is queried in your graph and defines how it appears. The QRL allows you to identify and remember a specific location and view on a network.
  • Page 240 GLOSSARY end-system level. This sentry also monitors violations of usage-based policies, which restrict or allow use of specific applications or network use. This sentry can also specify situations in which application usage is allowed. sentry A sentry is an alerting function. It can monitor any number of views and generate an alert when traffic in one of the monitored views meets the specified criteria.
  • Page 241 GLOSSARY TCP resets For TCP-based applications, STRM can issue a TCP reset to either the client or server in a conversation. This stops the communications between the client and the server. threat posing The degree or level of threat an attacker (source) is posing; calculated per interval. Threat posing is calculated using the aggregated target category, added to the aggregated Attacker, then multiplied by the average number of offenses the attacker has been associated with.
  • Page 242 GLOSSARY vulnerability risk The vulnerability assessment risk level (0 to 10) for the asset, where 0 is the lowest and 10 is the highest. This is a weighted value against all other hosts in your deployment. Vulnerability risk is user defined.
  • Page 243 INDEX policy 95 potential exploit 95 access category 95 recon 95 Administration Console SIM audit 95 overview 11 suspicious 95 all offenses 79 system 96 annotations VIS host discovery 96 top 5 85 conventions 1 anomaly sentry 41 correlate events 77 creating 56 CRE category 95 application category 95...
  • Page 244 INDEX right-click 134 searching events 145 toolbar 134 JavaScript functions using 133 custom sentry 69 viewing associated offense 148 events aggregate 140 exporting 131 Layers box 32 normalized 135 Local Networks View 31 searching 145 Logic Unit 40 top 10 84 low-level category 93 viewing 135 exploit category 95...
  • Page 245 INDEX selecting the layout 191 by category 93 summary 195 closing 90 template 189 closing all filtered offenses 90 time series chart 201 closing filtered offenses 92 toolbar 183 hiding 90 managing 79 top attackers chart 205 top offenses chart 207 removing 90 top targeted assets chart 209 searching 88...
  • Page 246 INDEX top targeted assets 209 top targeted assets chart 209 TopN viewing 34 TopN time series 211 traffic location changing 33 trigger script 48 variables sentry 74 views changing 30 global 25 VIS Host Discovery category 96 vulnerability risk 23

This manual is also suitable for:

Security threat response manager 2008.2 r2
