Summary of Contents for Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 R2 - REV1
Security Threat Response Manager STRM Users Guide Release 2008.2 R2 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 408-745-2000 www.juniper.net Part Number: 530-027294-01, Revision 1...
Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
CONTENTS
ABOUT THIS GUIDE Conventions Technical Documentation Contacting Customer Support
ABOUT STRM Logging In to STRM Dashboard Offense Manager Event Viewer Flow Viewer Assets Network Surveillance Reports Using STRM Sorting Results Refreshing the Interface Pausing the Interface Investigating IP Addresses Viewing STRM Time Accessing On-line Help STRM Administration Console
USING THE...
Reports Enterprise Security State Enterprise Vulnerability State System Summary Adding Items
MANAGING NETWORK ACTIVITY Using the Network Surveillance Menu Global Views Asset Map Bookmarks QRL Options Viewing Network Activity Interpreting the Graphs Changing the View Changing Flow Attributes Changing Traffic Location Investigating Traffic Using TopN Viewing the TopN Information Investigating Traffic...
Managing Offenses By Targets Viewing Offenses By Targets Searching Targets Managing Offenses By Networks Viewing Offenses By Networks Searching Networks Marking an Item For Follow-Up Adding Notes Configuring Notification Managing Network Anomalies Viewing Network Anomaly Offenses Closing Offenses Forwarding Network Anomaly Offenses Exporting Offenses
USING THE EVENT...
Editing an Asset Deleting Assets Deleting an Asset Deleting All Assets Importing Asset Profiles Exporting Assets
MANAGING REPORTS Using the Reports Interface Using the Navigation Menu Using the Toolbar Viewing Reports Grouping Reports Creating a Group Editing a Group Copying a Template to Another Group Deleting a Template From a Group Assigning a Report to a Group Creating a Report...
Documentation directly from the Juniper Networks support web site at https://juniper.net/support. Once you access the Juniper Networks support web site, locate the product and software release for which you require documentation. Your comments are important to us. Please send your e-mail comments about this guide or any of the Juniper Networks documentation to: documentation@juniper.net.
Customer Support ...maintaining STRM, you can contact Customer Support as follows:
• Log a support request 24/7: https://juniper.net/support/
• For access to the Juniper Networks support web site, please contact Customer Support.
• Access Juniper Networks support and Self-Service support using e-mail: ...
ABOUT STRM STRM is a network security management platform that provides situational awareness and compliance support through the combination of flow-based network knowledge, security event correlation, and asset-based vulnerability assessment. This chapter provides an overview of the STRM interface including:
• Logging In to STRM
• ...
Step 3 Click Login To STRM. For your STRM Console, a default license key provides you access to the interface for 5 weeks. A window appears providing the date that the temporary license key will expire. For information on installing a permanent license key, see the STRM Administration Guide.
Offense Manager The Offense Manager tab provides a view into all offenses occurring on your network. From the Offense Manager, you can investigate an offense to determine the root cause of an issue. You can also resolve the issue. Note: For more information on Offense Manager, see Chapter 5 Investigating Offenses.
Flow Viewer The Flow Viewer tab allows you to monitor and investigate flow data in real-time or perform advanced searches. A flow is a communication session between two hosts. Viewing flow information allows you to determine how the traffic is communicated, what was communicated (if the content capture option is enabled), and includes such details as when, who, how much, protocols, ASN values, IfIndex values, or priorities.
Assets Note: For more information, see Chapter 8 Managing Assets.
Network Surveillance The Network Surveillance tab is a real-time network behavioral and anomaly monitoring interface that allows you to monitor the traffic on your network and how your network is behaving. The Network Surveillance tab displays what areas of your network are producing the most traffic, what applications are running, and what types of threatening or out-of-policy traffic are present on your network.
Reports Reports is a flexible and robust reporting package that allows you to create, distribute, and manage reports for any data within STRM. Reports allows you to create customized reports for operational and executive use by combining any combination of information (such as security or network data) into a single report. You can also use the many pre-installed report templates included with STRM.
Click the Name column heading again if you wish to sort the information in ascending order.
Refreshing the Interface Several STRM interfaces, including the Event Viewer, Offense Manager, Flow Viewer, and the Dashboard, allow you to refresh the interface. This refresh option is located in the right corner of the interface.
STRM Administration Console Table 1-1 Additional Options (continued)
Menu / Sub-Menu / Description
Port Scan - Performs an NMAP scan of the selected IP address. This option is only available if NMAP is installed on your system. For more information on installing NMAP, see your vendor documentation.
• Managing vulnerability assessment and scanners - Allows you to schedule scans to keep your vulnerability assessment data up-to-date.
• Configure sensor devices - Allows you to configure sensor devices, which provide events to your deployment through DSMs.
• Configure flow sources - Allows you to configure flow sources, such as ...
USING THE DASHBOARD The Dashboard allows you to create a customized portal to monitor any data STRM collects to which you have access. The Dashboard is the default view when you log in to STRM and allows you to monitor several areas of your network at the same time.
• Most Recent Offenses
• Local Networks - Inbound Bytes
• Local Networks - Outbound Bytes
• Top Category Types
• Top Attackers
Note: The items that appear on your Dashboard depend on the access you have been granted.
Using the Dashboard You can add, remove, or detach items on the Dashboard. Once added, each item appears with a title bar. Using the Dashboard, you can:
• Adding Items - Provides the list of items that you can add to your Dashboard.
• ...
Network Surveillance You can add several Network Surveillance items to your Dashboard to display your current network traffic activity. You can choose to display traffic data and TopN data. Traffic data is displayed by graphs, complete with legends; TopN data is displayed in bar charts, and allows you to investigate your traffic from the Dashboard.
Note: You can click any area of the graph, or click the dynamic legend, to immediately access the Network Surveillance interface. To customize your Threats display:
• Period of Time - Using the drop-down list box, select the period of time you ...
Offense Manager You can add several Offense Manager items to your Dashboard. The Offense Manager displays data for offenses, attackers, and local targets detected on your network. Offense Manager options include:
• Offenses
• Attackers and Targets
• Categories
• ...
To customize your display:
• Period of Time - Using the drop-down list box, select the period of time you wish the Dashboard graph to display.
• Chart Type - You can display the data using a Time Series (default), Line ...
Event Viewer The Event Viewer items allow you to monitor and investigate events in real-time. Event Viewer options include:
• Events Over Time
• Events By Severity
• Top Devices
• ...
Note: Hidden or closed events are not included in the values that appear in the Dashboard.
Event Viewer Top Devices The Top Devices item displays a pie chart that specifies the top 10 devices that sent events to STRM within the last 15 minutes. The number of events sent from the specified device is indicated in the pie chart. This item allows you to view potential changes in behavior, for example, if a firewall device that is typically not in the top 10 list is now contributing to a large percentage of the overall message count, you should investigate this occurrence.
Reports The Reports option allows you to display the top recently generated reports. The display provides the report title, the time and date the report was generated, and the format of the report.
Enterprise Security State The Enterprise Security State represents your network’s current security posture. The security state is formulated from monitoring the security data from flows, external events, and security data to create a single metric that reveals the security...
Enterprise Vulnerability State
• Vulnerability Risk - The vulnerability risk level (0 to 10) applied to an asset. This is a weighted value applied by calculating the average of the risks of each asset in your network.
• Network Weight - The numerical value applied to the importance of each ...
System Summary The Summary item provides a high-level summary of activity within the past 24 hours. Within the summary item, you can view the following information:
• Flows (Past 24 Hours) - Specifies the total number of active flows seen within ...
MANAGING NETWORK ACTIVITY The Network Surveillance interface allows you to monitor behavioral profiles of systems and applications when security breaches or other behavior is suspected. You can investigate and scrutinize your network traffic from all available STRM views. This chapter provides information on using the Network Surveillance interface including:
• Using the Network Surveillance Menu
• ...
• Flow Types - Displays traffic by specific flow types.
• Custom Views - Displays traffic for any Custom Views. By default, the Custom Views include the following ASN and IfIndex views. These views are populated when STRM detects Autonomous System Number (ASN) and IfIndex values from network flows.
Bookmarks You can create a bookmark from any area on the STRM graphs. This allows you to access your bookmarks at any time to revisit a specific network location or specific time frame. When creating a bookmark, the following options are available:
• Add With Time - Saves the QRL with the time period that is displayed on the ...
• Toggle Auto Refresh - Allows you to enable or disable the automatic graph refresh. When disabled, the countdown timer is not displayed on the graphs. By default, the automatic refresh is enabled.
Viewing Network Activity The graphs are the main components on the Network Surveillance interface. The graphs are a graphical representation of your network objects; ...
Viewing Network Activity Your network administrator can enable or disable any Global View. Disabling views saves processing power on large structured networks. Depending on your current network activity or the type of traffic you are monitoring, some views may be of more value than others. Note: You must have administrative permissions to enable/disable views.
ANAGING ETWORK CTIVITY • Scale - The scale option, located on the top left above the graph, allows you to adjust the graph view. The plus and minus signs allow you to zoom in or zoom out to change the appearance of the traffic. When zooming in on the traffic, the measured increment reduces in size.
... networks. When you select a Global or Custom View, the Pivot To box displays the available navigation options for that view. To change the view:
Step 1 From the main STRM interface, click the Network Surveillance tab. The Network Surveillance window appears.
Changing Flow Attributes You can change the flow attributes on the graphs using the options available in the Layers box. You can display bytes per second, packets per second, and hosts per interval. Each option has a series of items to display specific details of your current view. Table 3-2 Layers Box Parameter / Description ...
Changing Traffic Location You can change the location of traffic that the graphs display using the QRL Definition box. Used with the Pivot To function, the QRL Definition allows you to navigate between views. The QRL Definition lists the components that are displayed or removed from the traffic that is displayed on the graphs.
... entire list of legend components, select QRL Options > Expand Legend from the menu.
Investigating Traffic Using TopN You can determine which areas of your network are generating the highest level of activity. The TopN box reveals details of the view that is currently displayed on your graphs.
• Unique Ports - Available only when viewing the Local Networks View. Specifies the traffic layer as the number of ports in use. Options include: Normal, Log, and 1/X.
Investigating Traffic To investigate traffic using TopN: Click the Network Surveillance tab.
• Inbound Local - The highest level of activity for inbound local bytes.
• Inbound Remote - The highest level of activity for inbound remote bytes.
• Outbound Local - The highest level of activity for outbound local bytes.
• Outbound Remote - The highest level of activity for outbound remote bytes.
Investigating Flows byte sizes, packet lengths, and flow counts for both sending and receiving transmissions. The types of traffic for your network appear in the dynamic legend located beside your graphs. This includes all traffic types found on your network. Also, STRM identifies your network location by visually displaying a marker on the lower left corner of your graph.
The results appear. For more information on interpreting results, see Chapter 7 Using the Flow Viewer. To search for a single IP address, click Search. The Flow Search window appears. For more information, see Chapter 7 Using the Flow Viewer.
MANAGING SENTRIES Sentries provide an alerting function for your network. A sentry can monitor any number of views and generate an alert when traffic in one of the monitored views meets the specified criteria. A non-administrative user can create sentries; however, only an administrative user can configure advanced sentries on a system-wide basis.
About Sentries You can create sentries that perform actions when certain specified conditions are met. These actions can include sending an e-mail notification or storing sentry event information. You can also add sentry alerts for a specific traffic type. You can save Packages for use with other sentries.
About Sentries You can also specify that any undesirable actions must occur for a particular period of time before an alert generates. For example, you can configure a sentry indicating that a mail server must communicate with a large number of additional hosts for several minutes before an alert generates.
A Security/Policy sentry is useful for detecting undesirable policy issues such as remote access to client networks, Peer-to-Peer (P2P)/Instant Messaging (IM) or other misuse applications, or inappropriate use of business applications.
Threshold A Threshold sentry monitors your deployment for activity that exceeds the configured threshold of the sentry.
Creating a Sentry Table 4-1 provides the details of the Sentry List window:
Table 4-1 Sentry List Window
Parameter / Description
Name - Specifies the name of the configured item.
Owner - Specifies the name of the user who created the sentry.
Action - Provides one of the following options: Allows you to edit the details.
Creating a Security/Policy Sentry A Security/Policy sentry monitors your deployment for any security or policy offense. To create a Security/Policy sentry:
Step 1 Click the Network Surveillance tab. The Network Surveillance interface appears.
Step 2 Navigate to the appropriate view you wish the sentry to apply to. For information on navigating views, see Chapter 3 Managing Your Network...
Step 5 Enter values for the parameters:
Table 4-2 Security/Policy Sentry Parameters
Parameter / Action
Objects - Using the menu tree, select the view object you wish this sentry to monitor. This list includes the objects in your network. All selected objects appear under Selected Components.
Table 4-2 Security/Policy Sentry Parameters (continued)
Time of day is relevant - Select the check box if you wish this sentry to consider the time of day. When selected, the time of day fields appear. Using the drop-down list box, select the time of day you wish this sentry to consider.
Table 4-3 Sentry Attributes Parameters (continued)
Maximum emitted events per IP - Specify the maximum number of times you wish this event to generate per IP address. For example, if you set the maximum alerts to 2, only two events are generated per attacker IP address.
Table 4-4 Sentry Response Parameters (continued)
Parameter / Sub-Parameter / Action
Trigger / Trigger Script - Using the drop-down list box, specify the action you wish the sentry engine to perform. The options include:
• Trigger Script - Specify if you wish this sentry to ...
Creating a Behavior Sentry A Behavior sentry monitors your network to detect changes in behavior. To create a behavior sentry:
Step 1 Click the Network Surveillance tab. The Network Surveillance interface appears.
Step 2 Navigate to the appropriate view you wish the sentry to apply to. For information on navigating views, see Chapter 3 Managing Your Network...
Step 5 Enter values for the parameters:
Table 4-6 Behavior Sentry Parameters
Parameter / Action
Current traffic level - Specify the weight (1 to 100) that you wish to assign to the current traffic levels against the learned behaviors and the current trend.
Table 4-6 Behavior Sentry Parameters (continued)
Alert sensitivity - Specify the sensitivity level (1 to 100) for this alert. This level indicates how far outside the predicted values the measured value may fall before a violation is generated. A value of 1 indicates the measured value cannot be outside the predicted value, and a value of 100 indicates the traffic is more than four times larger than the predicted value.
Table 4-6 Behavior Sentry Parameters (continued)
Season length - Specify the length of time you wish this sentry to consider a season. A season indicates the cycle of data, which STRM uses to determine future data flow. For example, the graph below shows that traffic is low on the weekend but peaks regularly during the week.
Table 4-6 Behavior Sentry Parameters (continued)
Day of the week is relevant - Select the check box if you wish this sentry to consider the day of the week. When selected, day of the week fields appear.
Table 4-7 Sentry Attributes Parameters (continued)
Weight - Specify the relative importance of this sentry. This determines the ranking that the generated event displays in the Offense Manager. STRM uses the following formula to calculate the weight: (sentry weight + network weight + object weight)/3/time difference, where time difference is: ...
Table 4-8 Sentry Response Parameters (continued)
Parameter / Sub-Parameter / Action
Email / Recipient(s) - Specify the recipient(s) of the notification e-mail sent by the sentry engine. Separate multiple entries with a comma.
Email / Format - Specify the amount of text included in the e-mail. Options include: Subject Only, Brief, Detailed - Text, Detailed - HTML.
Creating an Anomaly Sentry An anomaly sentry monitors your deployment for any abnormal activity. This sentry generates an alert in one of the following situations:
• If a consistently inactive object becomes active.
• If a consistently active object becomes inactive.
• ...
Step 4 Select the Anomaly option. Click Next. The Sentry Parameters window appears.
Step 5 Enter values for the parameters:
Table 4-9 Anomaly Sentry Parameters
Parameter / Action
Large Window - Specify an extended period of time you wish the system to monitor flows in your network. This allows the system a basis of comparison for traffic over an extended period of time.
Step 6 Click Next. The Sentry Attributes window appears.
Step 7 Enter values for the parameters:
Table 4-10 Sentry Attributes Parameters
Parameter / Action
Sentry Name - Specify a name you wish to assign this sentry.
Sentry Description - Specify a description for this sentry.
Weight - Specify the relative importance of this sentry.
Table 4-10 Sentry Attributes Parameters (continued)
Minimum Activations Before Alert - Specify the minimum number of times you wish this activity to occur before an alert generates. We recommend that you specify at least four activations before alert.
Delay Between Alerts - Specify the number of intervals, after the first occurrence of this alert, before the next occurrence of this...
Table 4-11 Sentry Response Parameters (continued)
Parameter / Sub-Parameter / Action
Trigger / Trigger Script - Using the drop-down list box, specify the action you wish the sentry engine to perform. The options include:
• Trigger Script - Specify if you wish this sentry to ...
Step 3 Below the graph, click Add Sentry. The Add Sentry Wizard appears.
Step 4 Specify the Threshold option. The Sentry Parameters window appears.
Step 5 Enter values for the parameters:
Table 4-12 Threshold Sentry Parameters
Parameter / Action
Above - Select the option if you wish this sentry to monitor activity above a threshold value. When selected, the Alert if data rate is above field appears. Specify the threshold value.
Below - Select the option if you wish this sentry to monitor activity below a threshold value.
Step 7 Enter values for the parameters:
Table 4-13 Sentry Attributes Parameters
Parameter / Action
Sentry Name - Specify a name you wish to assign this sentry.
Sentry Description - Specify a description for this sentry.
Weight - Specify the relative importance of this sentry. This determines the ranking that the generated event displays in the Offense Manager.
Table 4-13 Sentry Attributes Parameters (continued)
Delay Between Alerts - Specify the number of intervals, after the first occurrence of this alert, before the next occurrence of this event.
Maximum responses per event - Specify the maximum number of times you wish this event to generate.
Table 4-14 Threshold Sentry Response Parameters (continued)
Parameter / Sub-Parameter / Action
Trigger / Trigger Script - Using the drop-down list box, specify the action you wish the sentry engine to perform. The options include:
• Trigger Script - Specify if you wish this sentry to ...
Step 4 Select Custom. Click Next. Note: You can also create a sentry using an existing Package: select the Use an existing Package option and use the drop-down list box to select the desired Package. This option allows you to edit the values of the Package but not the Logic Unit.
Table 4-15 Custom Sentry Parameters
Parameter / Action
Applications - Using the menu tree, select all applications you wish this sentry to monitor. All selected applications appear under Selected Components.
Date is relevant - Select the check box if you wish this sentry to consider the date.
var testObj = new CustomFunction($$Counter, other_custom_vars);
function test() { return testObj.test(); }
You can use all the functions available with JavaScript as well as the following functions:
Table 4-16 JavaScript Functions
Function / Description
thresholdCheck - Monitors policy and threshold objects. By default, this value monitors each object separately.
Table 4-17 Sentry Attributes Parameters
Parameter / Action
Save this as a named logic package - Select the check box if you wish to save this information as a sentry Package.
Logic Name - Specify a name you wish to assign to this Package.
Description - Specify a description for this Package.
Table 4-18 Sentry Attributes Parameters (continued)
Weight - Specify the relative importance of this sentry. This determines the ranking that the generated event displays in the Offense Manager. STRM uses the following formula to calculate the weight: (sentry weight + network weight + object weight)/3/time difference, where time difference is: ...
Table 4-19 Sentry Response Parameters (continued)
Parameter / Sub-Parameter / Action
Trigger / Trigger Script - Using the drop-down list box, specify the action you wish the sentry engine to perform. The options include:
• Trigger Script - Specify if you wish this sentry to ...
Editing a Sentry
Step 4 Update values for the parameters, as necessary. If you are editing a Security/Policy sentry:
Table 4-20 Edit Security/Policy Sentry
Parameter / Description
Name - Specify a name for this sentry.
Description - Specify a description for this sentry. This description appears as an annotation in the Offense Manager if this sentry causes an offense to generate.
Table 4-21 Edit Behavior, Anomaly, or Threshold Sentry (continued)
Maximum responses per events - Specify the maximum number of times you wish this event to generate a response.
Is Enabled - Select the check box to enable this sentry. Clear the check box to disable the sentry.
Table 4-22 Default Variables
Parameter / Description
$$Base - Specify the current traffic level weight that you wish to assign to the current traffic levels against the learned behaviors and the current trend. This variable is for behavioral sentries. A higher value places more weight on the previously recorded value.
Table 4-22 Default Variables (continued)
$$SmallWindow - Specify an extended period of time you wish the system to monitor flows in your network. This allows the system a basis of comparison for traffic over an extended period of time. If the large window and small window values exceed a certain threshold, the sentry generates an alert.
INVESTIGATING OFFENSES The Offense Manager allows you to investigate offenses, behaviors, anomalies, targets, and attackers on your network. STRM can correlate events and network activity with targets located across multiple networks in the same offense, and ultimately the same network incident. This allows you to effectively investigate each offense in your network.
• Marking an Item For Follow-Up
• Configuring Notification
• Managing Network Anomalies
• Exporting Offenses
Using the Offense Manager Using the Offense Manager interface, you can access the following options for managing security and policy events, behaviors, anomalies, targets, and attackers on your network: Table 5-1 Offense Manager Interface Options Menu...
The My Offenses interface appears. For information on managing your offenses, see Managing Offenses.
Managing Offenses You can use the Offense Manager to view a list of offenses that have been identified by STRM on your network. All offenses are listed with the highest magnitude first.
Table 5-2 Viewing Offenses Parameters (continued)
Parameter / Description
Description - Specifies the details for the offense.
Attacker/Src - Specifies the IP address of the attacker or source of the attack.
Magnitude - Specifies the relative importance of the offense. The magnitude bar provides a visual representation of all the correlated variables of the offense, attacker, target, or network.
Hint: The top of the panel displays the navigation trail to the current view. If you wish to return to a previously viewed panel, click the panel name on the navigation trail.
Hint: To view any section of the summary panel in greater detail, click the associated toolbar option.
Table 5-3 Offense Details Panel (continued)
Parameter / Description
Magnitude - Specifies the relative importance of the offense. The magnitude bar provides a visual representation of all the correlated variables of the offense, attacker, target, or network. Variables include Relevance, Severity, and Credibility. Point your mouse to the magnitude bar to display the values and the calculated magnitude.
Table 5-3 Offense Details Panel (continued)
Assigned to - Specifies the user assigned to this offense. If no user is assigned, this field indicates Not Assigned. Click Not Assigned to assign this offense to a user.
Attacker Summary - Specifies information on details of the attacker that created this offense.
Table 5-3 Offense Details Panel (continued)
Last Events - Specifies the date and time that this event was detected for this category in this offense.
Top 5 Targets - Specifies the top 5 local targets, organized by magnitude, which are part of this offense.
Table 5-3 Offense Details Panel (continued)
Destination - Specifies the destination IP address or name of this event.
Start Time - Specifies the date and time when the first event was detected in this normalized event.
Top 5 Annotations - Specifies the top 5 annotations for this offense. Click Annotations to view additional information.
Table 5-4 Offense Panel Toolbar (continued)
Icon / Function
Allows you to view all local targets for this offense including:
• Flag - Specifies action taken on the offense, for example, if a flag appears, the offense is marked for follow-up or if a user icon appears, the offense has been assigned to a user.
Table 5-4 Offense Panel Toolbar (continued)
Allows you to view category information for this offense including: Hint: You can also further investigate the events relating to a specific category by using the right mouse button (right-click) and selecting Events.
Allows you to search for all events for this offense. For information on searching events, see Chapter 6 Using the Event Viewer. The number of event results displayed is determined by the Web Max Matched Results parameter in the System Settings.
Step 4 Enter values for the parameters:
Table 5-5 Offense Search Parameters
Item / Description
Offense Id - Specify the offense identifier you wish to search.
Attacker IP - Specify the IP address or CIDR range of the attacker.
Assigned to - Using the drop-down list box, select a specific user to search for offenses assigned to that user.
Table 5-5 Offense Search Parameters (continued)
Last Event Between - Select the check box if you wish to search for offenses whose last detected event occurred within a certain time period. Once you select the check box, use the calendar to select the dates you wish to search.
Page 97
Managing Offenses Closing Filtered Offenses • Hiding Offenses To hide an offense: Click the Offense Manager tab. Step 1 The Offense Manager window appears. Click All Offenses. Step 2 The Offenses panel appears. Select the offense you wish to hide. Step 3 Hint: To hide multiple offenses, hold the CTRL key while you select each offense you wish to hide.
NVESTIGATING FFENSES From the Actions drop-down list box, select Close. Step 4 A confirmation window appears. Click Ok. Step 5 The Offense Summary window appears with the original option selected in the navigation menu. Note: Once you close an offense, the counts that appear in the By Category section of the Offense Manager may take several minutes to reflect the closed offense.
Viewing Offense By Category From the Username drop-down list box, select the user you wish to assign this Step 5 offense. Click Save. Step 6 The offense is assigned to the selected user. The user icon appears in the Flag column of the offenses indicating the offense is assigned.
Page 101
Viewing Offense By Category. Table 5-6 By Category Window Parameters. Category Name: Allows you to view offenses based on the following high-level categories: • Application - Events relating to application activity. • Access - Events resulting from an attempt to access network...
Page 102
INVESTIGATING OFFENSES. Table 5-6 By Category Window Parameters (continued). • System - Events related to system changes, software installation, or status messages. • User Defined - Events related to custom rules. • VIS Host Discovery - Events related to Vulnerability...
Managing Offenses By Attacker. For information on managing offenses, see Managing Offenses. Managing Offenses By Attacker: You can view offenses by attacker. An attacker is the source host that has generated offenses as a result of attempting to attack your system. All attackers are listed with the highest magnitude first.
Page 104
INVESTIGATING OFFENSES. The Attacker/Source panel provides the following information: Table 5-7 Attacker/Source Parameters. Follow-up Flag: Specifies action taken on the attacker, for example, if a flag appears, the attacker is marked for follow-up. Point your mouse over the icon to display additional information. Identify: Specifies the IP address of the attacker.
Page 105
Managing Offenses By Attacker. Table 5-8 View Options. Icon / Option: Displays all targets for the attacker. Displays all offenses for this attacker. The Attacker details panel appears. Hint: If you wish to view the offense in a new window, press CTRL+double-click. The details panel provides the following information: Hint: The top of the panel displays the navigation trail to the current view.
Page 106
INVESTIGATING OFFENSES. Table 5-9 Attacker Details Panel (continued). Location: Specifies the location of the attacker. Offense(s): Specifies the names of the offenses associated with this attacker. To view additional information on the offense, click the name or term that appears. Local: Specifies the local target of the offense.
Page 107
Managing Offenses By Attacker. Table 5-11 List of Local Targets (continued). IP/DNS Name: Specifies the IP address of the target. If DNS lookups are enabled in the STRM Administration Console, you can view the DNS name by pointing your mouse over the IP address or asset name. For more information, see the STRM Administration Guide.
Page 108
INVESTIGATING OFFENSES. Table 5-13 List of Offenses. Flag: Specifies action taken on the offense, for example, if a flag appears, the offense is marked for follow-up or if a user icon appears, the offense has been assigned to a user. Point your mouse over the icon to display additional information.
Page 109
Managing Offenses By Attacker. Table 5-14 Offense Panel Toolbar (continued). Icon / Function: Allows you to view category information for this offense, including: Hint: You can also further investigate the events relating to a specific category by using the right mouse button (right-click) and selecting Events.
INVESTIGATING OFFENSES. Table 5-14 Offense Panel Toolbar (continued). Actions: Using the Actions drop-down list box, you can choose one of the following actions: • Hide - Allows you to hide this offense. For more information on hiding offenses, see Hiding Offenses. • Show - Allows you to show all hidden offenses.
Page 111
Managing Offenses By Attacker. Table 5-15 Attacker Search Parameters (continued). Event Count: Using the drop-down list box, select whether you wish to search for an event count equal to, less than, or greater than the configured value. Start Date Between: Select the check box if you wish to search attackers whose existence was first recorded in the STRM database during a certain time period.
INVESTIGATING OFFENSES. Managing Offenses By Targets: You can view a list of local targets for offenses generated in your deployment. All targets are listed with the highest magnitude first. This section includes: • Viewing Offenses By Targets • Searching Targets. Viewing Offenses By Targets: To view offenses by targets:...
Page 113
Managing Offenses By Targets. Table 5-16 Viewing Target Parameters. Magnitude: Specifies the relative importance of the target. The magnitude bar provides a visual representation of all the correlated variables of the target. Variables include the vulnerability assessment risk and threat under.
Page 114
INVESTIGATING OFFENSES. Hint: The top of the panel displays the navigation trail to the current view. If you wish to return to a previously viewed panel, click the panel name on the navigation trail. The Local Targets details panel provides the following information: Table 5-18 Targets Details Panel...
Page 115
Managing Offenses By Targets. Table 5-18 Targets Details Panel (continued). Attacker(s)/Src: Specifies the attackers of the offense associated with this target. To view additional information on the attackers, click the IP address or term that appears. If the attacker is a single source, an IP address appears. You can click the IP address to view the target details.
Page 116
INVESTIGATING OFFENSES. Table 5-20 List of Offenses (continued). Magnitude: Specifies the relative importance of this target. The magnitude bar provides a visual representation of all the correlated variables of the target. Variables include credibility, relevance, and severity. Point your mouse to the magnitude bar to display values and the calculated magnitude.
Page 117
Managing Offenses By Targets. Table 5-21 Offense Panel Toolbar (continued). Icon / Function: Allows you to view all targeted networks for this offense, including: • Flag - Specifies action taken on the offense, for example, if a flag appears, the offense is marked for follow-up or if a user icon appears, the offense has been assigned to a user.
INVESTIGATING OFFENSES. Table 5-22 List of Attackers (continued). Magnitude: Specifies the relative importance of this attacker. The magnitude bar provides a visual representation of all the correlated variables of the attacker. Variables include the vulnerability assessment risk and the amount of threat posed. Point your mouse to the magnitude bar to display values for the offense and the calculated magnitude.
Page 119
Managing Offenses By Targets. Step 4: Enter values for the parameters: Table 5-24 Target Search Parameters. Target IP: Specify the IP address of the target. Magnitude: Using the drop-down list box, select whether you wish to search for a magnitude equal to, less than, or greater than the configured value.
INVESTIGATING OFFENSES. Managing Offenses By Networks: You can view the list of offenses grouped by network. All networks are listed with the highest magnitude first. This section includes: • Viewing Offenses By Networks • Searching Networks. Viewing Offenses By Networks: To view offenses by networks: Click the Offense Manager tab.
Page 121
Managing Offenses By Networks. Table 5-25 Viewing Network Parameters (continued). Magnitude: Specifies the relative importance of the attacks in the network. The magnitude bar provides a visual representation of all the correlated variables of the network. Variables include the threat posed, threat under, and vulnerability risk: • Threat Posing - The calculated value for this network over...
Page 122
INVESTIGATING OFFENSES. Hint: The top of the panel displays the navigation trail to the current view. If you wish to return to a previously viewed panel, click the panel name on the navigation trail. The Networks details panel provides the following information: Table 5-27 Networks Details Panel...
Page 123
Managing Offenses By Networks. Table 5-27 Networks Details Panel (continued). Attacker(s)/Src: Specifies the attacker of this network. To view additional information on the attacker, click the IP address or term that appears. If the attacker is a single source, an IP address appears. You can click the IP address to view the attacker details.
Page 124
INVESTIGATING OFFENSES. Table 5-29 List of Attackers (continued). Magnitude: Specifies the relative importance of this attacker. The magnitude bar provides a visual representation of all the correlated variables of the attacker. Variables include the vulnerability assessment risk and the amount of threat posed. Point your mouse to the magnitude bar to display values for the offense and the calculated magnitude.
Page 125
Managing Offenses By Networks. Table 5-31 List of Targets (continued). Magnitude: Specifies the relative importance of this target. The magnitude bar provides a visual representation of all the correlated variables of the target. Point your mouse to the magnitude bar to display values for the offense and the calculated magnitude.
Page 126
INVESTIGATING OFFENSES. The List of Offenses appears. Table 5-33 List of Offenses. Flag: Specifies action taken on the offense, for example, if a flag appears, the offense is marked for follow-up or if a user icon appears, the offense has been assigned to a user. Point your mouse over the icon to display additional information.
Page 127
Managing Offenses By Networks. Table 5-34 Offense Panel Toolbar. Icon / Function: Allows you to view all attackers for this offense, including: • Flag - Specifies action taken on the attacker, for example, if a flag appears, the attacker is marked for follow-up. Point your mouse over the icon to display additional information.
Page 128
INVESTIGATING OFFENSES. Table 5-34 Offense Panel Toolbar (continued). Icon / Function: Allows you to view all local targets for this offense, including: • Flag - Specifies action taken on the offense, for example, if a flag appears, the offense is marked for follow-up or if a user icon appears, the offense has been assigned to a user.
Page 129
Managing Offenses By Networks. Table 5-34 Offense Panel Toolbar (continued). Icon / Function: Allows you to view category information for this offense, including: Hint: You can also further investigate the events relating to a specific category by using the right mouse button (right-click) and selecting Events.
INVESTIGATING OFFENSES. Table 5-34 Offense Panel Toolbar (continued). Actions: Using the Actions drop-down list box, you can choose one of the following actions: • Hide - Allows you to hide this offense. For more information on hiding offenses, see Hiding Offenses. • Show - Allows you to show all hidden offenses.
Marking an Item For Follow-Up. Table 5-35 Networks Search Parameters (continued). Threat Posing: Using the drop-down list box, select whether you wish to search for a threat posed equal to, less than, or greater than the configured value. Event Count: Using the drop-down list box, select whether you wish to search for an event count equal to, less than, or greater than the configured value.
INVESTIGATING OFFENSES. Step 5: Enter any notes you wish to include for this offense. You can enter notes up to 2000 characters. Step 6: Click Save. Notes are added to this offense. For all offenses that have notes attached, a notes icon appears in the flag column of the summary interface.
Managing Network Anomalies. Step 5: In the Email address(es) field, enter the email address of the user you wish to notify if a change occurs to the selected offense. Separate multiple e-mail addresses with a comma. Step 6: Click Save. Managing Network Anomalies: You can create sentries for your deployment and if an event generates as a result...
Page 134
INVESTIGATING OFFENSES. Step 3: Double-click the offense you wish to view. The details panel appears. The details panel provides the following information: Table 5-36 Details Panel. Incident: Specifies the last five incidents for a network anomaly offense. A network anomaly offense can contain multiple incidents that occur under certain conditions.
Managing Network Anomalies. Table 5-36 Details Panel (continued). Network Location: Specifies the network location in which the event occurred. Layer: Specifies the layer in which the network anomaly offense was generated. Event Number: Specifies the number for the event. This number increments for each event.
INVESTIGATING OFFENSES. Closing All Offenses: To close all offenses: Step 1: Click the Offense Manager tab. The Offense Manager appears. Step 2: In the navigation menu, click Network Anomalies. The Network Anomalies panel appears. Step 3: Click Close All. Forwarding Network Anomaly Offenses: A non-administrative user can create sentries; however, only administrative users can configure advanced sentries on a system-wide basis.
Exporting Offenses. Exporting Offenses: You can export offenses in Extensible Markup Language (XML) or Comma Separated Values (CSV). To export offenses: Step 1: Click the Event Viewer tab. The Offense Manager window appears. Step 2: Choose one of the following: If you wish to export the offenses in XML format, select Export to XML from the Actions drop-down list box.
Page 139
USING THE EVENT VIEWER. An event is an action that occurs on a network or a host. The Event Viewer allows you to monitor and investigate events in real-time or perform advanced searches. The Event Viewer indicates which events are being correlated to offenses and which are not.
USING THE EVENT VIEWER. Using the Event Viewer Interface: This section provides information on using the Event Viewer interface, including: • Using the Toolbar • Using the Right-Click Menu Options. Using the Toolbar: Using the toolbar, you can access the following options: Table 6-1 Toolbar Options...
Viewing Events. Table 6-2 Right-Click Options (continued). Filter on: Allows you to filter on the selected event, depending on the selected item in the event. For example, if you right-click on a Category of IP Protocol Anomaly, the following filter options appear: Filter on Category is IP Protocol Anomaly; Filter on Category is not IP Protocol Anomaly...
Page 142
USING THE EVENT VIEWER. Step 2: From the Display drop-down list box, select None. Table 6-3 Event Viewer. Current Filters: The top of the table displays the details of the filter applied to the search results. To clear these filter values, click Clear Filter. Viewing the Associated: Allows you to view details of the offense associated with this event.
Page 143
Viewing Events. Step 3: Double-click the event you wish to view in greater detail. The event details window appears. The details results provide the following information: Table 6-4 Event Details. Event Name: Specifies the normalized name of the event. Low Level: Specifies the low-level category of this event.
Page 144
USING THE EVENT VIEWER. Table 6-4 Event Details (continued). Pre NAT Source Port: For a firewall or another device capable of NAT, this parameter indicates the source port before the NAT values were applied. Pre NAT Destination IP: For a firewall or another device capable of NAT, this parameter indicates the destination IP address before the NAT values were applied.
Viewing Events. The event details provide the following functions: Table 6-5 Event Details Toolbar. Icon / Function: Allows you to return to the list of events. Allows you to display the offenses that the event was correlated to. Allows you to edit the event mapping. For more information, see Modifying Event Mapping. Allows you to tune the event viewer to prevent false positive events from generating offenses.
USING THE EVENT VIEWER. Table 6-6 Raw Events Parameters (continued). Start Time: Specifies the time of the first event, as reported to STRM by the device. Device: Specifies the device that originated the event. Payload: Specifies the original event payload information in UTF-8 format. Viewing Aggregate Normalized Events: Using the Event Viewer, you can view events aggregated (grouped) by various...
Page 147
Viewing Events. Table 6-7 Aggregate Normalized Events (continued). Aggregate Option / Description. Relevance: Relevance indicates the significance of an event. This option displays a summarized list of events grouped by the relevance of the event. Username: Displays a summarized list of events grouped by the username associated with the events.
Page 148
USING THE EVENT VIEWER. Table 6-7 Aggregate Normalized Events (continued). Event Type/ Device Group: Displays a summarized list of events grouped by the event name and the device group. Device Group/ High Level Cat: Displays a summarized list of events grouped by the device group and the high-level category.
Page 149
Viewing Events. Table 6-7 Aggregate Normalized Events (continued). Src IP / Dst IP/ Low Level Cat: Displays a summarized list of events grouped by the source IP address to destination IP addresses and the low-level category. For more information on categories, see the Event Category Correlation Reference Guide.
Page 150
USING THE EVENT VIEWER. Table 6-8 Event Name Parameters (continued). Source IP: Specifies the source IP address associated with this event. If there are multiple IP addresses associated with this event, this field indicates Multiple and the number. Destination IP: Specifies the destination IP address associated with this event.
Searching Events. Searching Events: The Event Viewer allows you to search for a specific event or a set of events. You can also save event search criteria for future use. This section provides information on searching events, including: • Searching Events...
Page 152
USING THE EVENT VIEWER. Table 6-9 Event Search Criteria. Saved Searches: Using the drop-down list box, select a previously saved search you wish to apply to this search, if desired. Other options include: • Delete - Using the drop-down list box, select the search you...
Page 153
Searching Events. Table 6-9 Event Search Criteria (continued). Search Order: Specify the order you wish to display for the search results. The options are: Descending or Ascending. Step 4: Click Filter. If you selected a sort criterion in your Search Parameters, the normalized events appear.
USING THE EVENT VIEWER. Table 6-10 Save Search Parameters. Include in my Quick Searches: Select the check box if you wish to include this search in your Quick Search items, which are available in the Search drop-down list box. Share with: Select the check box if you wish to share these search requirements...
Modifying Event Mapping. For information on managing offenses, see Chapter 5 Investigating Offenses. Modifying Event Mapping: STRM automatically maps an event of a Device Support Module (DSM), also known as a sensor device, for normalization purposes. Using the event mapping tool, you can associate or map a normalized or raw event to a high-level and low-level category (or QID).
Page 156
USING THE EVENT VIEWER. Step 4: Choose one of the following options: If you know the QID that you wish to map to this event, enter the desired QID in the Enter QID field. Go to Step . If you wish to search for a particular QID, go to Step . Step 5: To search for a particular QID or high and low-level categories that you wish to...
Tuning False Positives. Tuning False Positives: You can use the Event Viewer to tune out False Positive events from created offenses in STRM by using the False Positive Tuning function. You must have appropriate permissions for creating customized rules to tune false positives. For more information on roles, see the STRM Administration Guide.
USING THE EVENT VIEWER. Note: STRM does not allow you to select both Any Events and Any Source or Destination, since this builds a custom rule that would cause STRM to stop creating offenses. Step 6: Click Tune. Note: You can tune false positive events from the summary or details panel. Exporting Events: You can export events in Extensible Markup Language (XML) or Comma Separated Values (CSV).
Page 159
USING THE FLOW VIEWER. The Flow Viewer allows you to monitor and investigate flow data in real-time or perform advanced searches. A flow is a communication session between two hosts. Viewing flow information allows you to determine how the traffic is communicated, what was communicated (if the content capture option is enabled), and includes such details as protocols, ASN values, IfIndex values, or priorities.
USING THE FLOW VIEWER. Using the Flow Viewer Interface: This section provides information on using the Flow Viewer interface, including: • Using the Toolbar • Using the Right-Click Menu Options. Using the Toolbar: Using the toolbar, you can access the following options: Table 7-1 Flow Viewer Interface Options...
Viewing Flows. Viewing Flows: By default, the Flow Viewer displays flows that occurred during the previous minute. The interface refreshes each minute. You can also view flows using one of the following options: • Viewing Flows • Viewing Aggregated Flows. Viewing Flows: To view flows: Click the Flow Viewer tab.
Page 162
USING THE FLOW VIEWER. Table 7-2 Flow Viewer Parameters (continued). Total Bytes: Specifies the total number of bytes associated with the flow. Source Packets: Specifies the total number of packets from the source. Destination Packets: Specifies the total number of packets from the destination. Total Packets: Specifies the total number of packets associated with the flow.
Page 163
Viewing Flows. The details results provide the following information: Table 7-3 Flow Details. Flow Type: Specifies the flow type. Protocol: Specifies the protocol associated with this flow. Flow Direction: Specifies the direction of the host that started the flow. For example, if the first flow indicates the direction as in but bytes/packets are inbound, the remote IP address started the flow.
USING THE FLOW VIEWER. Table 7-3 Flow Details (continued). Source ASN: Specifies the source ASN number. Destination ASN: Specifies the destination ASN number. Source ifIndex: Specifies the source ifIndex number. Destination ifIndex: Specifies the destination ifIndex number. Start Time: Specifies the start time of the flow, as reported to STRM by the device.
Page 165
Viewing Flows. Table 7-4 Aggregate Flows (continued). Aggregate Option / Description. Destination Network: Displays a summarized list of flows grouped by the destination network of the flow. Application: Displays a summarized list of flows grouped by the application that originated the flow. Protocol: Displays a summarized list of flows grouped by the protocol responsible for the flow.
Page 166
USING THE FLOW VIEWER. Table 7-4 Aggregate Flows (continued). Src IP/ Application: Displays a summarized list of flows grouped by the source IP address and the application responsible for the flow. Src IP/ Dst IP: Displays a summarized list of flows grouped by the source and destination IP addresses.
Page 167
Viewing Flows. Table 7-5 Source or Destination Parameters (continued). Graphs: Displays a bar chart representing the top 10 aggregates, depending on the chosen aggregate option. Click Hide Chart if you wish to remove the graph from your display. Legend Reference: A colored box in this field associates this flow with the graph.
Page 168
USING THE FLOW VIEWER. Table 7-6 Aggregate Parameters (continued). Destination Port: Specifies the destination port of the flow. If there are multiple destination ports associated with this event, this field indicates Multiple and the number. Destination Network: Specifies the destination network of the flow. If there are multiple destination networks associated with this event, this field indicates Multiple and the number.
Page 169
Viewing Flows. Table 7-7 Application (continued). Source IP: Specifies the number of source IP addresses associated with this flow. Source Network: Specifies the source network of the flow. If there are multiple source networks associated with this event, this field indicates Multiple and the number.
USING THE FLOW VIEWER. Using the Search: The Flow Viewer allows you to search for a specific flow or a set of flows. You can also save flow search criteria for future use. This section provides information on searching flows, including: • Searching Flows...
Page 171
Using the Search. Table 7-8 Flow Search Criteria. Saved Searches: Using the drop-down list box, select a previously saved search you wish to apply to this search, if desired. Other options include: • Delete - Using the drop-down list box, select the search you...
Page 172
USING THE FLOW VIEWER. Table 7-8 Flow Search Criteria (continued). Rank By: Allows you to rank your search results using one of the following options: • Bytes In • Bytes Out • Total Bytes • Packets In • Packets Out • Total Packets...
Exporting Flows. Table 7-9 Save Search Parameters. Search Name: Specify a name you wish to assign to this search criteria. Time Range: Choose one of the following options: • Real Time - Select this option if you wish to filter on flows while in...
Page 174
USING THE FLOW VIEWER. The status window appears. When the export is complete, the window disappears, or click Notify When Done to resume your activities and receive a notification when the export is complete.
MANAGING ASSETS. STRM automatically discovers assets (servers and hosts) operating on your network, based on passive QFlow data as well as vulnerability data, allowing STRM to build an asset profile. Asset profiles display what services are running on each asset. This profile data is used for correlation purposes to help reduce false positives; for example, if an attack occurs trying to exploit a specific service running on a specific asset, STRM can determine if the asset is vulnerable to this attack by correlating the attack to the asset profile.
Page 176
MANAGING ASSETS. Step 3: Choose one of the following options: • Current - Searches current asset profile values. This is the default. • History - Searches the database for assets associated with a specific user name, user group, MAC address, or within a specified time frame. Step 4: Enter values for the parameters: Table 8-1 Assets Panel...
Page 177
Searching Asset Profiles. Table 8-1 Assets Panel (continued). User Name: Specify the user of the asset. This field supports using special characters to aid your search, including: * - Specifies any text. ? - Specifies any single character. ! - Specifies that you wish to change the * or ? symbol to a valid symbol.
Page 178
MANAGING ASSETS. Table 8-1 Assets Panel (continued). Date Range: Select the date range check box. Using the To and From fields, select the date and time you wish to search. This option only appears if you select the History option. Step 5: Choose one of the following options: If you wish to search for all asset profiles in your deployment, click Show All.
Page 179
Searching Asset Profiles. Table 8-2 Asset Window. Weight: Specifies the asset weight of the asset. Last Seen: Specifies the last date and time that the asset appeared. If the asset was manually entered but never actively or passively seen, the column indicates Never.
Page 180
MANAGING ASSETS. Table 8-3 Asset Profile Window (continued). How Threatened: Specifies the threat level (0 to 10) to the asset, where 0 is the lowest and 10 is the highest. This is a weighted value against all other hosts in your deployment. Asset Weight: Using the drop-down list box, specify the level of importance you wish to associate with this asset.
Adding an Asset Profile. Table 8-5 History Information (continued). Machine Name: Specifies the machine name of this asset. If unknown, this field is blank. User: Specifies the user for this asset. If unknown, this field is blank. User Group: Specifies the user group for this asset.
MANAGING ASSETS. Table 8-6 Add Asset Profile Parameters (continued). Description: Specifies the description of the asset. Asset Weight: Using the drop-down list box, specify the asset weight you wish to assign to this asset. The range is 0 to 10. Click Save.
Page 183
Editing an Asset. Table 8-7 Asset Profile Window (continued). Operating System: Specifies the operating system running on the asset. Host Name (DNS Name): Specifies the IP address or DNS name of the asset. Asset Weight: Specify the asset weight of the asset. VA Risk Level: Specifies the vulnerability assessment risk level (0 to 10) for the asset, where 0 is the lowest and 10 is the highest.
MANAGING ASSETS. Table 8-9 History Information (continued). Machine Name: Specifies the machine name of this asset. If unknown, this field is blank. User: Specifies the user for this asset. If unknown, this field is blank. User Group: Specifies the user group for this asset. If unknown, this field is blank.
Importing Asset Profiles. Step 3: Search for asset profiles. For more information on searching asset profiles, see Searching Asset Profiles. Step 4: From the Actions drop-down list box, select Delete Listed. A confirmation window appears. Step 5: Click Ok. Importing Asset Profiles: You can import asset profile information into STRM.
MANAGING ASSETS. Step 4: Click Browse to search for the CSV file you wish to import. Step 5: Click Import Assets to begin the import process. Exporting Assets: To export assets in XML or CSV format: Step 1: Click the Assets tab. The Assets window appears.
Page 187
MANAGING REPORTS. The Reports interface allows you to create, distribute, and manage reports. You can use the Report Wizard to create executive and operational level reports that combine any network traffic and security event data in a single report. STRM provides default templates that you can use to generate your report data, using various intervals.
MANAGING REPORTS. Using the Reports Interface: This section provides information on using the Reports interface, including: • Using the Navigation Menu • Using the Toolbar. Using the Navigation Menu: The default main Reports interface displays generated reports. The navigation menu provides access to reports, templates, and branding, including: Table 9-1 Navigation Menu Options. Menu / Columns...
Viewing Reports. Using the Toolbar: You can perform the following actions: Table 9-2 Toolbar Icon Descriptions. Group: Using the drop-down list box, allows you to view reports assigned to a specific group. For more information, see Grouping Reports. Allows you to manage report groups.
MANAGING REPORTS. Note: If you are currently using the FireFox browser and you select the RTF report format, this may launch a new browser window. This does not affect STRM; this is a result of the FireFox browser configuration. Close the window and continue with your STRM session.
Grouping Reports Creating a Group To create a group: Step 1 Click the Reports tab. The Reports interface appears. Step 2 Click the Report Templates menu option. A list of templates appears. Step 3 Click Groups. The Reports Group window appears. From the menu tree, select the group under which you wish to create a new group.
MANAGING REPORTS Editing a Group To edit a group: Step 1 Click the Reports tab. The Reports interface appears. Step 2 Click the Report Templates menu option. A list of templates appears. Step 3 Click Groups. The Reports Group window appears. From the menu tree, select the group you wish to edit.
Grouping Reports Step 4 From the menu tree, select the template you wish to copy to another group. Step 5 Click Copy. The Choose Group window appears. Step 6 Select the group or groups to which you wish to copy the template. Click Copy.
MANAGING REPORTS Step 7 Click Ok. Step 8 If you wish to change the location of the new group, click the new group and drag the folder to the desired location in your menu tree. Step 9 Close the Report Groups window. Assigning a Report You can assign a generated report or report template to a group.
Creating a Report Creating a Template To create a template: Step 1 Click the Reports tab. The Reports interface appears. Step 2 From the Actions drop-down list box, select Create. The Report Wizard appears. Note: Select the check box if you wish to disable the Welcome page. Select a scheduling option.
MANAGING REPORTS Table 9-3 Report Scheduling Parameter Default Settings This report should be scheduled to run Manually Generates a report one time only. This is the default setting; however, you may generate this report as often as required. Hourly Schedules the report to generate at the end of each hour using the data from the previous hour.
Creating a Report A report can consist of several data. Your network and security data can be presented in a variety of styles, such as tables, pie charts, and bar charts. Styles consist of a number of options, such as delta or baseline. When selecting the layout of a report, consider the type of report you wish to create - do not choose a small chart container for graph content that may display a large number of objects.
MANAGING REPORTS Step 5 Select values for the following parameters: • Report Title - Specify a title for your report. The title can be up to 100 characters in length - do not use special characters. Note: Your report is saved by the title name you enter in this field. •...
Creating a Report The Layout Preview window appears providing a preview of how your data appears. Note: Charts that appear in the preview window do not display actual data. This is a graphical representation of the layout you have configured. Preview your report.
MANAGING REPORTS Step 11 Select the desired distribution channels. Click Next. Table 9-4 Report Distribution Parameter Sub-Parameter Description Report Console Select the check box if you wish to send the report to the Reports interface. Note: You must have appropriate network permissions to share your report with other users.
Creating a Report Step 12 Enter values for the following parameters. Click Next. Table 9-5 Finishing Up Parameter Description Report Template Description Specify a description for this template. This description appears on the Report Summary page and is included in the report distribution e-mail.
MANAGING REPORTS Configuring Charts The chart type determines how your data and network objects are presented in your report. Data can be charted with several characteristics and created in a single report. The following chart types are available for each template: •...
Creating a Report Enter values for the following parameters: Table 9-6 Event/Logs Chart Container Details Parameter Description Container Details - Events/Logs Chart Title Specify a chart title to a maximum of 100 characters. Chart Sub-Title Clear the check box to change the automatically created sub-title.
MANAGING REPORTS Table 9-6 Event/Logs Chart Container Details (continued) Parameter Description Manually Using the calendar, select the range of dates you wish this report to consider. The default is the current date. Using the drop-down list boxes, select a time to begin and end generating the report.
Creating a Report Flows The Flows Chart allows you to view flow information for a specific period of time. Figure 9-2 Flows Report STRM Users Guide...
MANAGING REPORTS Enter values for the following parameters: Table 9-7 Flows Container Details Parameter Description Container Details - Events/Logs Chart Title Specify a chart title to a maximum of 100 characters. Chart Sub-Title Clear the check box to change the automatically created sub-title.
Creating a Report Table 9-7 Flows Container Details (continued) Parameter Description Monthly Choose one of the following options: • All data from previous month • Data from a previous month - Using the drop-down list boxes, select the dates to begin and end generating the report.
MANAGING REPORTS Enter values for the following parameters: Table 9-8 Time Series Chart Container Details Parameter Description Container Details - Time Series Chart Chart Title Specify a chart title to a maximum of 100 characters. Chart Sub-Title Clear the check box to change the automatically created sub-title.
Creating a Report Table 9-8 Time Series Chart Container Details (continued) Parameter Description • Stacked_Bar - When selecting this option, you must also select the Timeline Interval from the Additional Details section. • Stacked_Bar_Base_Line - When selecting this option, you must also select the Timeline Interval and choose the Baseline parameters.
MANAGING REPORTS Table 9-8 Time Series Chart Container Details (continued) Parameter Description Monthly Choose one of the following options: • All data from previous month • Data from a previous month - Using the drop-down list boxes, select the dates to begin and end generating the report.
Creating a Report Table 9-8 Time Series Chart Container Details (continued) Parameter Description Expand To Include Using the drop-down list box, select an option to include on the graph. Options include: • None - View Objects and Network Locations are graphed...
MANAGING REPORTS Enter values for the following parameters: Table 9-9 Top Attackers Container Details Parameter Description Container Details - Top Attackers Chart Title Specify a chart title to a maximum of 100 characters. Chart Sub-Title Clear the check box to change the automatically created sub-title.
Creating a Report Table 9-9 Top Attackers Container Details (continued) Parameter Description Network Location Using the menu tree, select the network(s) for which you wish to generate this chart. Top Offenses The Top Offenses chart displays the TopN offenses that are occurring at the present time for the network locations you select.
MANAGING REPORTS Enter values for the following parameters: Table 9-10 Top Offenses Container Details Parameter Description Container Details - Top Offenses Chart Title Specify a chart title to a maximum of 100 characters. Chart Sub-Title Clear the check box to change the automatically created sub-title.
Creating a Report Table 9-10 Top Offenses Container Details (continued) Parameter Description Order Results By: Using the drop-down list box, select how the data is sorted on the graph. Options include: • Severity • Magnitude • Relevance • Credibility Graph Content Network Location From the menu tree, select the network(s) you wish to chart data from.
MANAGING REPORTS Enter values for the following parameters: Table 9-11 Top Targeted Assets Container Details Parameter Description Container Details - Top Targeted Assets Chart Title Specify a chart title to a maximum of 100 characters. Chart Sub-Title Clear the check box to change the automatically created sub-title.
Creating a Report Table 9-11 Top Targeted Assets Container Details (continued) Parameter Description Network Location From the menu tree, select the network(s) from which you wish to collect this information. TopN Time Series The TopN Time Series chart allows you to create TopN charts for any data that STRM logs over time, such as usage data for Applications, IPs, Protocols or rate data for events.
MANAGING REPORTS Enter values for the following parameters: Table 9-12 TopN Time Series Container Details Parameter Description Container Details - TopN Time Series Chart Chart Title Specify a chart title to a maximum of 100 characters. Chart Sub-Title Clear the check box to change the automatically created sub-title. Enter a title to a maximum of 100 characters.
Creating a Report Table 9-12 TopN Time Series Container Details (continued) Parameter Description Daily Choose one of the following options: • All data from previous 24 hours • Data of previous day from - Using the drop-down list boxes, select an hour to begin and end generating the report. Time is available in half-hour increments.
MANAGING REPORTS Table 9-12 TopN Time Series Container Details (continued) Parameter Description Graph top items Using the drop-down list box, select the number of items to include on graphs, then select one of the following: • View Objects - Displays the top view objects selected. •...
Creating a Report Table 9-13 Available Graph Types (continued) Stacked Base Line Graph - Available with the Time Series chart type. Stacked Bar Base Line Graph - Available with the Time Series chart type. Bar Graph - Available with the Time Series chart type. Horizontal Bar Graph - Available with the following chart types:
MANAGING REPORTS Table 9-13 Available Graph Types (continued) Pie Graph - Available with the following chart type: • Time Series • TopN Time Series Table Graph - Available with the following charts: • Time Series • Top Attackers • Top Offenses • Top Targeted Assets •...
Generating a Report Step 2 Click the Report Templates menu option. A list of templates appears. Step 3 Point your mouse over the templates and preview the summary information. Step 4 Double-click the desired template. The Report Wizard appears. Make the necessary changes. See Creating a Report.
MANAGING REPORTS Sharing a Report You can share report templates with other users. This allows you to provide a copy of the selected templates for another user to edit or schedule, as necessary. Once shared, any updates that the user makes to your shared template do not affect your version of the template.
Branding Your Report Step 3 Click Browse to browse the files located on your system. Select the file that contains the desired logo. Step 4 Click Open. The file name appears in the New Image field. Step 5 Click Upload Image to upload the image to STRM. Note: To make sure your browser displays the new logo, clear your browser cache.
USING TNC RECOMMENDATIONS Trusted Network Computing (TNC) recommendations allow you to restrict or deny network access to users based on user name or other credentials. The TNC recommendation uses the asset profile and user identity data collected by STRM. You must have appropriate network access to use the TNC recommendations function.
USING TNC RECOMMENDATIONS Step 3 View the TNC Recommendation table to identify possible TNC recommendations. The table provides the following information: Table 10-1 TNC Recommendations Parameter Description Specifies the MAC address of the user. Host Name Specifies the host name associated with the user. Machine Name Specifies the name of the system associated with the user.
Removing TNC Recommendations not the user is compliant with policy. The options are Compliant, Minor Non-Compliant, or Major Non-Compliant. • Duration - Select one of the following options: - Continue recommendation indefinitely - Enforces the configured recommendation indefinitely. - Continue action until - Enforces the configured recommendation until the configured date and time.
USING TNC RECOMMENDATIONS The Existing TNC Recommendations table provides the following information: Table 10-2 Existing TNC Recommendations Parameter Description Allows you to select existing TNC recommendations. Based On Specifies the existing recommended conditions. The options are: mac, host, machine name, user, user group, or extra data. Recommendation Specifies the recommended action.
GLOSSARY Autonomous System Number Collection of IP networks that all adhere to the same specific and clearly defined routing policy. An AS number (ASN) is a unique ID number assigned to each Autonomous System. active sub-filters Displays any filtering that has been applied to grouped data found in the Search Flows results table.
GLOSSARY behavior Indicates the normal manner in which the system or network functions or operates. behavior sentry Monitors your deployment to detect changes in behavior. STRM learns how a particular object typically functions over a period of time. This means that STRM records the number of hosts with your network at different points of the day.
GLOSSARY collector view Allows you to classify flows based on the QFlow Collector and interface from which they originated. credibility Indicates the integrity of an event or offense as determined by the credibility rating from source devices. Credibility increases as multiple sources report the same event.
GLOSSARY external data views Require input from external products, such as an IDS engine (for example, SNORT) or firewalls (for example, Cisco PIX or Checkpoint Firewall). These external products provide information to STRM on specified IP addresses that are correlated to the flows responsible. STRM monitors flows between these systems and tags traffic between the hosts for a configured period of time.
GLOSSARY Fully Qualified Network Name (FQNN) Full path name of a certain point in the network hierarchy. For example, Company A's hierarchy has a department object that contains a marketing object. Therefore, the FQNN is CompanyA.Department.Marketing. FQDN See Fully Qualified Domain Name. FQNN See Fully Qualified Network Name.
GLOSSARY IP Multicast IP Multicast reduces traffic on a network by delivering a single stream of information to multiple users at one time. IP network A group of IP routers that route IP datagrams. These routers are sometimes referred to as Internet gateways. Users access the IP network from a host. Each network in the Internet includes some combination of hosts and IP routers.
GLOSSARY Local To Remote (L2R) Internal traffic from a local network to a remote network. logic unit Sentry component that includes specific algorithms used to test objects. Magistrate Provides the core processing components of the SIM option. The Magistrate provides views, reports, alerts, and analysis of network traffic and security events. The Magistrate processes the event against the defined custom rules to create an offense.
GLOSSARY Network Weight The numerical value applied to each network that signifies the importance of the network. The Network weight is user defined. offense Includes multiple events from one host. Open Systems Interconnection (OSI) A framework of ISO standards for communication between different systems made by different vendors, in which the communications process is organized into seven different categories that are placed in a layered sequence based on their...
GLOSSARY STRM Identifier. A mapping of a single event of an external device to a Q1 Labs unique identifier. STRM Request Language (QRL) Specifies what information is queried in your graph and defines how it appears. The QRL allows you to identify and remember a specific location and view on a network.
GLOSSARY end-system level. This sentry also monitors violations of usage-based policies, which restrict or allow use of specific applications or network use. This sentry can also specify situations in which application usage is allowed. sentry A sentry is an alerting function. It can monitor any number of views and generate an alert when traffic in one of the monitored views meets the specified criteria.
GLOSSARY TCP resets For TCP-based applications, STRM can issue a TCP reset to either the client or server in a conversation. This stops the communications between the client and the server. threat posing The degree or level of threat an attacker (source) is posing; calculated per interval. Threat posing is calculated using the aggregated target category, added to the aggregated Attacker, then multiplied by the average number of offenses the attacker has been associated with.
GLOSSARY vulnerability risk The vulnerability assessment risk level (0 to 10) for the asset where 0 is the lowest and 10 is the highest. This is a weighted value against all other hosts in your deployment. Vulnerability risk is user defined.