
    SNYPR 6.0 Administration Guide

  • Securonix Proprietary Statement

    This material constitutes proprietary and trade secret information of Securonix, and shall not be disclosed to any third party, nor used by the recipient except under the terms and conditions prescribed by Securonix.

    The trademarks, service marks, and logos of Securonix and others used herein are the property of Securonix or their respective owners.

    Securonix Copyright Statement

    This material is also protected by Federal Copyright Law and is not to be copied or reproduced in any form, using any medium, without the prior written authorization of Securonix.

    However, Securonix allows the printing of the Adobe Acrobat PDF files for the purposes of client training and reference.

    Information in this document is subject to change without notice. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those agreements. Nothing herein should be construed as constituting an additional warranty. Securonix shall not be liable for technical or editorial errors or omissions contained herein. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's internal use without the written permission of Securonix.

    Copyright 2017 © Securonix. All rights reserved.

    Contact Information

    Securonix, Inc.

    14665 Midway Rd. Ste. 100, Addison, TX 75001

    www.securonix.com

    855.732.6649

    Revision History

    Date        Product Version   Description
    05/13/2017  6.0               First Release
    06/08/2017  6.0               Second Release
    06/15/2017  6.0               Revision
    06/29/2017  6.0               Revision

    Copyright © 2017 Securonix, Inc. Page | 2

    SNYPR 6.0 Administration Guide

    Table of Contents

    Introduction 5

    Who Should Read This Guide 5

    User Interface Elements 6

    Configure SNYPR Hadoop Settings 12

    Tenant-Config 13

    Kafka 13

    Solr 18

    Impala 24

    HBase 28

    HDFS 33

    Redis 40

    Spark 40

    Settings 43

    Configuring the Application 43

    Application Settings 43

    General Settings 43

    Data Import Settings 44

    Single Sign-on 46

    Granular Access Control 47

    Quick Links 47

    DNS Servers 48

    Hadoop 48

    Housekeeping Jobs 49

    LDAP Authentication 51

    Log Settings 54

    Application Logs 54

    Logging 55

    Manage License 58

    Spark Jobs 59

    Safe Domains 59

    SAML Settings 60


    SMTP Server Settings 64

    UI Preferences 66

    Access Control 67

    Setting Up Access Control 67

    Creating Users 67

    Creating Roles 71

    Creating Groups 75

    Managing Users, Groups, and Roles 78

    Password Control 81

    Workflows 84

    Configuring Workflows 85

    Connection Types 97

    Managing Connection Types 97

    Adding a New Connection Type 98

    Uploading or Downloading Files 99

    Registering Connectors 99

    Threat Library 101

    Updating from the Threat Exchange 102

    Exploring the Threat Library 105

    Deploying Content from the Threat Library 115

    Email Templates 116

    Using Email Templates 116

    Job Monitor 119

    Monitoring Jobs 119

    Viewing Job Details 121

    Editing, Re-Running or Deleting Jobs 122

    Spark Jobs Administration 123

    Administering Spark Jobs In Cloudera 123

    Stopping Spark Jobs in Cloudera Manager 127

    Administering Spark Jobs using Command Line 130

    Spark Job Properties 137

    Appendix A: Access Privileges 145

    Index 266


    Introduction

    SNYPR is a big data security analytics platform built on Hadoop that utilizes Securonix machine learning-based anomaly detection techniques and threat models to detect sophisticated cyber and insider attacks. SNYPR uses Hadoop both as its distributed security analytics engine and its long-term data retention engine. Hadoop nodes can be added as needed, allowing the solution to scale horizontally to support hundreds of thousands of events per second (EPS).

    Features:

    • Supports a rich variety of security data including security event logs, user identity data, access privileges, threat intelligence, asset metadata, and netflow data.

    • Normalizes, indexes, and correlates security event logs, network flows, and application transactions.

    • Utilizes machine learning-based anomaly detection techniques, including behavior profiling, peer group analytics, pattern analysis, and event rarity to detect advanced threats.

    • Provides out-of-the-box threat and risk models for detection and prioritization of insider threat, cyber threat, and fraud.

    • Risk-ranks entities involved in threats to enable an entity-centric (user or devices) approach to mitigating threats.

    • Provides Spotter, a blazing-fast search feature with normalized search syntax that enables investigators to investigate today's threats and track advanced persistent threats over long periods of time, with all data available at all times.

    • Provides the Investigation Workbench to detect links across disparate datasets to enable quick investigations and hunting for cyber threats.

    Who Should Read This Guide

    This guide provides detailed information about configuring and administering the SNYPR application.

    The SNYPR Administration Guide is written for:

    • System administrators and service providers who need information about how to monitor and administer the platform at a systems level.

    • Business managers and other users in a supervisory role who need information about how to use SNYPR to grant employees and partners access to applications, check for policy violations, and manage cases.

    If you require additional information, the following documents are available:

    • SNYPR Architecture Guide - for system administrators, system integrators, and deployment teams who need to determine SNYPR deployment options in a Hadoop cluster.

    • SNYPR Installation Guide - for system administrators, system integrators, and deployment teams who need to install the application.


    • SNYPR Integration Guide - for deployment engineers and service providers responsible for integrating data sources and creating content, and compliance officers and IT specialists who need to configure and maintain Risk Management functionality.

    • SNYPR User Guide - for information security professionals, security analysts who need to detect and manage threats, and risk and compliance officers, and IT specialists who need to use SNYPR's reporting capabilities to monitor and remediate compliance.

    User Interface Elements

    Some of the common elements found throughout the application are shown in the following image:

    A. SNYPR Logo: Click from any screen to return to the Security Command Center home screen.

    B. Main Menu: Click to expand navigation options.

    C. Current Screen: Click to return to the home screen for the current menu item.

    D. Quick Search: Enter text to search within SNYPR.

    E. Connection Status: Click the icon to view the Connection Status for all Hadoop components running in your environment.

    The green check mark indicates the component is running; a red X indicates the component is not running.

    Click to view details of each component.

    To configure settings for Hadoop components, navigate to Menu > Administration > Settings > Hadoop and follow the instructions in Configuring Hadoop Settings.

    F. Notifications: View job failure notifications and download exports including Spotter reports and query results. To delete notifications, click the red X.

    To download reports, click the download icon. For information on how to export Spotter reports, see Spotter.

    G. Three Dot Menu: Access the following screens:

    Geolocation

    From this screen, view the geolocation of the network source of specific resources.


    You can perform the following actions:

    a. Toggle Analyze Violation Data to Yes to analyze data.

    b. Click the refresh icon to refresh results.

    c. Click the erase icon to clear results.

    d. Select a resource from the dropdown.

    e. Select a time range from the dropdown.

    f. Use +/- to zoom in/out of the map.

    g. Click and drag the mouse to pan and tilt the map view.

    h. Click the icons on the right side to switch the map view.

    OpLogs

    From this screen, you can view messages generated while executing Spark jobs.


    To view messages, complete the following:

    1. Click + to start a Consumer.

    2. Select Datasource, Job, Policy, and Policy from the dropdowns.

    3. Specify the max number of messages. Default 1000.

    4. Click Stop to stop retrieving messages.

    Debug

    From this screen, view error messages and associated data to debug the SNYPR application.

    Click an option to see associated data.

    Outbox

    From this screen, view the SNYPR email queue and send or delete messages in the outbox.

    H. Admin: View the user name of the current user, change current user password, and log out.


    To change the current user's password, click Change Password, enter the old and new password, confirm the new password, and click Update. To log out, click Log Out.


    Configure SNYPR Hadoop Settings

    SNYPR by Securonix leverages Hadoop technologies including HDFS, Impala, Kafka, HBase, Solr and Yarn. After integrating Hadoop, you must configure Hadoop settings within the SNYPR application.

    When you log in to the SNYPR application for the first time, you will be prompted to configure your Hadoop settings. You can access the Hadoop settings at any time from the Hadoop Settings menu.

    To configure the Hadoop settings in SNYPR, complete the following steps:

    1. Log in to the application.

    2. Navigate to Menu > Settings.

    3. Click Hadoop from the left navigation pane.

    Note: Click the green three bar icon to minimize and maximize the left navigation pane.

    4. Select the Hadoop distribution in your environment:

    • Cloudera: Cloudera, Inc. provides Apache Hadoop-based software, support and services, and training to business customers. Cloudera's open-source Apache Hadoop distribution, CDH (Cloudera Distribution including Apache Hadoop), targets enterprise-class deployments of that technology.


    • Hortonworks: Hortonworks is a big data software company that develops and supports Apache Hadoop for the distributed processing of large data sets across computer clusters.

    5. Click the name of the component you would like to configure.

    Note: The circles beside the names of the components indicate the status of completion as follows: Gray: Not started; Orange: Incomplete or unsuccessfully configured; Green: Successfully configured.

    Tenant-Config

    SNYPR supports a multi-tenant environment in which multiple instances of the application can run in a shared environment within a cluster, either on different servers or on different ports on the same server. To select the tenant ID of the tenant for the current instance of the application, complete the following steps:

    1. Select a tenant from the dropdown or Create a New Tenant.

    2. Enter a New Tenant name for a new tenant.

    3. Click Save.

    4. Click Finish.

    Kafka

    Kafka is a distributed publish-subscribe messaging system that is designed to be fast, scalable, and durable. Kafka maintains feeds of messages in topics and consumers read from topics. Since Kafka is a distributed system, topics are partitioned and replicated across multiple nodes. In SNYPR, Kafka plays an important role in publishing and consuming activity data and notifications.

    To configure Kafka, follow these steps:


    1. Click Add Broker.

    2. Enter the URL/s of the broker/s including port number 9092 (default).

    Note: You can find the URLs of the Kafka brokers you set up during Hadoop integration in Cloudera Manager by navigating to Kafka > Instances.

    3. Enter Zookeeper Quorum URLs using commas (,) to separate entries.

    Note: Default port is 2181.

    Note: You can find the URLs for Zookeeper in Cloudera Manager by navigating to Zookeeper > Instances.


    4. Enter the names of the Kafka topics you created when preparing the infrastructure:

    a. Enriched Topic

    b. Raw Topic

    c. Unprocessed Topic

    d. Configuration Messages Topic

    e. Indexer Counts Topic

    f. Job Tracker Topic

    g. Log Message Topic

    h. Violations Topic

    To find the names of the topics you created, use the following command from a command-line interface:

    [root@<hostname> ~]# kafka-topics --list --zookeeper <zookeeper-host>:2181

    Example: [root@10-0-0-90 ~]# kafka-topics --list --zookeeper 10.0.0.90:2181

    5. Complete the following information:

    a. Delimiter: Specify the delimiter for raw events. Example: |.

    b. Publish Threshold: Specify the number of events the application publishes at one time. Default 20000.

    c. Max Message Size: Specify the max message size for Kafka topics. Default 32768.

    d. Batch Size: Specify the batch size in bytes. Default 16384.

    e. Linger: Specify the linger duration in milliseconds. Default 1.


    Note: If you have fewer messages than the batch size accumulated for a partition, the application will "linger" for the specified time waiting for more records to publish.

    f. Compression Type: Select the compression type for data generated by the producer from the dropdown.

    g. Failed Events Folder: Enter a folder name if you would like to move the events Kafka failed to publish to a specific location. Default none.

    h. Interval to check failed events: Specify an interval in milliseconds to check failed events. Default 0.

    i. Enrichment Compression Batch Size: Specify a value. Recommended: 10000.

    j. Raw Compression Batch Size: Specify a value. Recommended: 10000.

    6. Click Test to verify connection and check status.


    7. Click Save when status is successful.

    Solr

    Solr is a popular search platform. It can index and search activity data and return recommendations for related content based on the search query's taxonomy. In SNYPR, Solr is used in Spotter to create complex queries and interactive visualization.

    To configure Solr, complete the following steps:

    1. Specify the Authentication Type from the dropdown.

    a. NoAuth: Proceed without entering additional information.

    b. Kerberos: Enter the following information:


    • Host FQDN: Enter the fully qualified domain name of the host.

    • Realm: Specify the realm where the Kerberos database is stored. The realm lives on one computer (KDC) and can have read-only slave servers (similar to a cluster).

    • Key Tab Path: Enter a key tab path. A key tab is a file containing pairs of Kerberos principals and encrypted keys, which are derived from the Kerberos password.

    • Principal: Enter a principal. A principal is an identity that Kerberos is able to authenticate. Principals may represent users, network hosts, or network services.

    • Jaas Conf File Path: Enter the Jaas Conf file path.

    • Service Name: Specify a service name.

    • Authentication Mechanism: Specify an authentication mechanism.

    c. LDAP: Enter the following information:


    • Username: Specify the user name. For help, see help.snypr.settings.ldap.username.

    • Password: Specify the LDAP password. For help, see help.snypr.settings.ldap.password.

    d. Kerberos with Trust Store: Enter the following information:


    • Host FQDN: Enter the fully qualified domain name of the host.

    • Key Tab Path: Enter a key tab path. A key tab is a file containing pairs of Kerberos principals and encrypted keys, which are derived from the Kerberos password.

    • Principal: Enter a principal. A principal is an identity that Kerberos is able to authenticate. Principals may represent users, network hosts, or network services.

    • Realm: Specify the realm where the Kerberos database is stored. The realm lives on one computer (KDC) and can have read-only slave servers (similar to a cluster).

    • Service Name: Specify a service name. Example: impala.

    • Trust Store Path: Enter a trust store path.


    • Trust Store Path Password: Enter the trust store password.

    • Jaas Conf File Path: Enter the Jaas Conf file path.

    • SSL Value: Enter the SSL value.

    • Authentication Mechanism: Specify an authentication mechanism.

    2. Enter ZK Quorum URLs using commas (,) to separate entries.

    Note: Default port is 2181.

    Note: You can find the URL of Zookeeper in Cloudera Manager by navigating to Zookeeper > Instances.

    3. Append /solr to the last URL after the port number.

    Example: 10.0.0.62:2181,10.0.0.61:2181,10.0.0.60:2181/solr

    4. Specify a unique Name for each data collection:

    a. Lookup

    b. Watchlist

    c. Control Core

    d. IP Mapping

    e. TPI

    f. Entity Metadata

    g. Risk Score

    h. Activity

    i. Violation

    j. Daily Violations Summary


    k. Entity Relation

    l. Users

    m. Violation Control Core

    Note: In Solr, data is indexed into collections, which allows for faster results from search queries in Spotter. For more information about how to search data collections, refer to the SNYPR User Guide.

    5. Specify the No (number) of Shards into which to split the data within each collection.

    Note: A shard refers to an individual partition of data within Solr.

    6. Enter a Replication Factor to specify the number of times to replicate each shard within each collection.

    7. Enter the following information:

    a. Batch size: Specify the number of events indexed during a single commit to Solr during indexing. Default 1000.

    b. Inter Batch Sleep: Specify the duration in milliseconds to wait before retrying the index for a failed batch. Default 5.

    c. Percentage of Indexing Servers: Use the dropdown to specify the percentage of indexing servers to be used for activity indexing. Default 70.

    d. Enable Multi Collection Indexing: Select Yes or No. If enabled, multiple collections will be created by the event indexing job whenever the soft threshold is reached. Default Yes.


    e. Collection Soft Threshold: Specify the number of documents each collection should hold when multi collection indexing is enabled. This is only a soft threshold; each collection will hold a number of documents close to the configured value. Default 100,000,000.

    8. Click Test to verify connection and test status.

    9. Click Save when status is successful.
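    The ZooKeeper quorum strings entered in Kafka step 3 and Solr steps 2-3, and the topic names entered in Kafka step 4, are easy to mistype, and the Test button only reports that a connection failed. The following shell script is an added example, not Securonix code: it validates the quorum string format (the /solr chroot on the last entry only), builds the Solr string from a host list, and reports entered topics that are absent from constructed sample kafka-topics --list output (the topic names and the list are made up).

```shell
#!/bin/sh
# Added example, not Securonix's code: pre-flight checks for values entered on
# the SNYPR Kafka and Solr settings screens. SAMPLE_TOPIC_LIST below is
# constructed sample output; on a real cluster replace it with the output of
#   kafka-topics --list --zookeeper <zookeeper-host>:2181

# Validate one "host:port" entry: a host, a colon, and a numeric port 1-65535.
check_host_port() {
    entry=$1
    host=${entry%%:*}
    port=${entry#*:}
    [ -n "$host" ] || return 1
    [ "$host" != "$entry" ] || return 1        # no colon at all
    case $port in
        ''|*[!0-9]*) return 1 ;;               # empty or non-numeric port
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Validate a ZooKeeper quorum string the way the settings screens expect it:
#   Kafka step 3:    host:2181,host:2181,host:2181        (no chroot)
#   Solr steps 2-3:  host:2181,host:2181,host:2181/solr   (chroot on the last entry only)
# Usage: validate_zk_quorum '<string>' [chroot]
validate_zk_quorum() {
    quorum=$1
    chroot=${2:-}
    case $quorum in
        ''|,*|*,|*,,*) echo "empty entry in quorum string: '$quorum'" >&2; return 1 ;;
    esac
    rest=$quorum
    while [ -n "$rest" ]; do
        entry=${rest%%,*}
        if [ "$entry" = "$rest" ]; then rest=''; else rest=${rest#*,}; fi
        if [ -z "$rest" ] && [ -n "$chroot" ]; then
            # Last entry: the chroot must be here and nowhere else.
            case $entry in
                *"$chroot") entry=${entry%"$chroot"} ;;
                *) echo "last entry lacks the $chroot suffix: $entry" >&2; return 1 ;;
            esac
        fi
        case $entry in
            */*) echo "a chroot may follow only the last entry: $entry" >&2; return 1 ;;
        esac
        check_host_port "$entry" || { echo "bad host:port entry: $entry" >&2; return 1; }
    done
}

# Build the Solr quorum string from a list of ZooKeeper hosts, using the
# default port 2181 and appending /solr to the last entry (Solr step 3).
solr_zk_quorum() {
    out=''
    for h in "$@"; do
        out="${out:+$out,}$h:2181"
    done
    printf '%s/solr\n' "$out"
}

# Report entered topic names that do not exist in the cluster. $1 is the
# output of "kafka-topics --list" (one topic per line); the remaining
# arguments are the names entered in Kafka step 4. Prints the missing names
# one per line and returns 1 if any are missing.
missing_topics() {
    existing=$1; shift
    missing=0
    for t in "$@"; do
        if ! printf '%s\n' "$existing" | grep -qx -- "$t"; then
            echo "$t"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample of "kafka-topics --list" output on a SNYPR cluster; the
# names are made up and the violations topic is deliberately absent.
SAMPLE_TOPIC_LIST='__consumer_offsets
securonix_raw
securonix_enriched
securonix_unprocessed
securonix_config
securonix_indexercounts
securonix_jobtracker
securonix_logmessage'

# Constructed topic names as they would be entered in steps 4a-4h
# (space-separated on purpose so the shell splits them into arguments).
REQUIRED_TOPICS='securonix_enriched securonix_raw securonix_unprocessed securonix_config securonix_indexercounts securonix_jobtracker securonix_logmessage securonix_violations'

# Demo on the guide's own Solr example and the constructed topic list.
run_demo() {
    if validate_zk_quorum '10.0.0.62:2181,10.0.0.61:2181,10.0.0.60:2181/solr' /solr; then
        echo 'Solr quorum string: OK'
    fi
    echo "Built: $(solr_zk_quorum 10.0.0.62 10.0.0.61 10.0.0.60)"
    echo 'Topics entered but not found in the cluster:'
    missing_topics "$SAMPLE_TOPIC_LIST" $REQUIRED_TOPICS || true
}
run_demo
```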

    Impala

    Impala is a massively scalable parallel processing (MPP) SQL query engine for data stored in a computer cluster running Apache Hadoop. Impala brings scalable parallel database technology to Hadoop, enabling users to issue low-latency SQL queries to data stored in HDFS and Apache HBase without requiring data movement or transformation.

    To configure Impala, follow these steps:

    1. Specify the Authentication Type from the dropdown.

    a. NoAuth: Proceed without entering additional information.

    b. Kerberos: Enter the following information:


    • Host FQDN: Enter the fully qualified domain name of the host.

    • Realm: Specify the realm where the Kerberos database is stored. The realm lives on one computer (KDC) and can have read-only slave servers (similar to a cluster).

    • Key Tab Path: Enter a key tab path. A key tab is a file containing pairs of Kerberos principals and encrypted keys, which are derived from the Kerberos password.

    • Principal: Enter a principal. A principal is an identity that Kerberos is able to authenticate. Principals may represent users, network hosts, or network services.

    • Jaas Conf File Path: Enter the Jaas Conf file path.

    • Service Name: Specify a service name.

    • Authentication Mechanism: Specify an authentication mechanism.

    c. LDAP: Enter the following information:


    • Username: Specify the user name. For help, see help.snypr.settings.ldap.username.

    • Password: Specify the LDAP password. For help, see help.snypr.settings.ldap.password.

    d. Kerberos with Trust Store: Enter the following information:


    • Host FQDN: Enter the fully qualified domain name of the host.

    • Key Tab Path: Enter a key tab path. A key tab is a file containing pairs of Kerberos principals and encrypted keys, which are derived from the Kerberos password.

    • Principal: Enter a principal. A principal is an identity that Kerberos is able to authenticate. Principals may represent users, network hosts, or network services.

    • Realm: Specify the realm where the Kerberos database is stored. The realm lives on one computer (KDC) and can have read-only slave servers (similar to a cluster).

    • Service Name: Specify a service name.

    • Trust Store Path: Enter a trust store path.


    • Trust Store Path Password: Enter the trust store password.

    • Jaas Conf File Path: Enter the Jaas Conf file path.

    • SSL Value: Enter the SSL value.

    • Authentication Mechanism: Specify an authentication mechanism.

    2. Enter the Connection URL of Impala using default port 21050.

    Note: You can find the Connection URL of Impala in Cloudera Manager by navigating to Impala > Instances.

    3. Enter the Impala Database name.

    To find the Database name created during Hadoop integration, log in to the Impala shell and use the following query:

    [<hostname>.securonix.com:21000] > show databases;

    Example:

    # su - impala
    $ impala-shell
    [10-0-0-90.securonix.com:21000] > show databases;
    [10-0-0-90.securonix.com:21000] > quit;

    4. Specify the Table Prefix to use for resources. Example: securonixresource.

    5. Specify the JDBC Driver. Example: com.cloudera.impala.jdbc4.driver.

    6. Specify the number of Partitions per Page. Default 0.

    7. Click Test to verify connection and test status.

    8. Click Save when status is successful.

    HBase

    Apache HBase is an open-source non-relational (NoSQL) database that runs on top of HDFS and provides real-time read/write access to large datasets. HBase scales linearly to handle large datasets with billions of rows and millions of columns, and it easily combines data sources that use a wide variety of different structures and schemas.

    To configure HBase, complete the following steps:


    1. Specify the Authentication Type from the dropdown.

    a. NoAuth: Proceed without entering additional information.

    b. Kerberos: Enter the following information:


    • Host FQDN: Enter the fully qualified domain name of the host.

    • Realm: Specify the realm where the Kerberos database is stored. The realm lives on one computer (KDC) and can have read-only slave servers (similar to a cluster).

    • Key Tab Path: Enter a key tab path. A key tab is a file containing pairs of Kerberos principals and encrypted keys, which are derived from the Kerberos password.

    • Principal: Enter a principal. A principal is an identity that Kerberos is able to authenticate. Principals may represent users, network hosts, or network services.

    • Jaas Conf File Path: Enter the Jaas Conf file path.

    • Service Name: Specify a service name.

    • Authentication Mechanism: Specify an authentication mechanism.

    c. LDAP: Enter the following information:


    • Username: Specify the user name. For help, see help.snypr.settings.ldap.username.

    • Password: Specify the LDAP password. For help, see help.snypr.settings.ldap.password.

    d. Kerberos with Trust Store: Enter the following information:


    • Host FQDN: Enter the fully qualified domain name of the host.

    • Key Tab Path: Enter a key tab path. A key tab is a file containing pairs of Kerberos principals and encrypted keys, which are derived from the Kerberos password.

    • Principal: Enter a principal. A principal is an identity that Kerberos is able to authenticate. Principals may represent users, network hosts, or network services.

    • Realm: Specify the realm where the Kerberos database is stored. The realm lives on one computer (KDC) and can have read-only slave servers (similar to a cluster).

    • Service Name: Specify a service name.

    • Trust Store Path: Enter a trust store path.


    • Trust Store Path Password: Enter the trust store password.

    • Jaas Conf File Path: Enter the Jaas Conf file path.

    • SSL Value: Enter the SSL value.

    • Authentication Mechanism: Specify an authentication mechanism.

    2. Enter the Name Space created during Hadoop integration. Example: securonix.

    To find the Name Space created during Hadoop integration, log in to the HBase shell and use the following command:

    # hbase shell
    hbase(main):002:0> list_namespace
    hbase(main):002:0> quit

    3. Use the slider to select Yes or No to Split Tables in HBase. Default Yes.

    4. Specify the number of Regions. Default 3.

    5. Specify the Resources required to connect to HBase. Example: file:///etc/hbase/conf/hbase-site.xml

    6. Click Test to verify connection and test status.

    7. Click Save when status is successful.

    HDFS

    The Hadoop Distributed File System (HDFS) is designed to store very large data sets reliably and to stream those data sets at high bandwidth to user applications. HDFS stores file system metadata and application data separately. HDFS stores metadata on a dedicated server called the NameNode. Application data are stored on other servers called DataNodes.

    To configure HDFS, complete the following steps:


    1. Specify the Authentication Type from the dropdown.


    a. NoAuth: Proceed without entering additional information.

    b. Kerberos: Enter the following information:

    • Host FQDN: Enter the fully qualified domain name of the host.

    • Realm: Specify the realm where the Kerberos database is stored. The realm lives on one computer (KDC) and can have read-only slave servers (similar to a cluster).

    • Key Tab Path: Enter a key tab path. A key tab is a file containing pairs of Kerberos principals and encrypted keys, which are derived from the Kerberos password.

    • Principal: Enter a principal. A principal is an identity that Kerberos is able to authenticate. Principals may represent users, network hosts, or network services.

    • Jaas Conf File Path: Enter the Jaas Conf file path.

    • Service Name: Specify a service name.

    • Authentication Mechanism: Specify an authentication mechanism.

    c. LDAP: Enter the following information:


    • Username: Specify the user name. For help, see help.snypr.settings.ldap.username.

    • Password: Specify the LDAP password. For help, see help.snypr.settings.ldap.password.

    d. Kerberos with Trust Store: Enter the following information:


    • Host FQDN: Enter the fully qualified domain name of the host.

    • Key Tab Path: Enter a key tab path. A key tab is a file containing pairs of Kerberos principals and encrypted keys, which are derived from the Kerberos password.

    • Principal: Enter a principal. A principal is an identity that Kerberos is able to authenticate. Principals may represent users, network hosts, or network services.

    • Realm: Specify the realm where the Kerberos database is stored. The realm lives on one computer (KDC) and can have read-only slave servers (similar to a cluster).

    • Service Name: Specify a service name.

    • Trust Store Path: Enter a trust store path.


    • Trust Store Path Password: Enter the trust store password.

    • Jaas Conf File Path: Enter the Jaas Conf file path.

    • SSL Value: Enter the SSL value.

    • Authentication Mechanism: Specify an authentication mechanism.

    2. Specify the HDFS Site. The HDFS Site is required to connect to HDFS. Example: file:///etc/hadoop/conf/hdfs-site.xml.

    3. Specify the Core Site. The Core Site is required to connect to HDFS. Example: file:///etc/hadoop/conf/core-site.xml.

    4. Specify the Cluster HDFS Site. The Cluster HDFS Site is required to connect to the HDFS Cluster. Example: file:///etc/hadoop/conf/hdfs-site.xml.

    5. Specify the Cluster Core Site. The Cluster Core Site is required to connect to the HDFS Cluster. Example: file:///etc/hadoop/conf/core-site.xml.


    6. Specify the Username of HDFS.

    7. Specify the Working Directory created within the Service Account Folder for SNYPR during Hadoop integration. Example: /user/securonix.

    8. Specify the Product Directory created during Hadoop integration. Example: snypr.

    9. Specify the HDFS Directory for storing Unparsed Events. Example: Invalid.

    10. Specify the HDFS Directory for storing Violations.

    11. Click Test to verify the connection and test status.

    12. Click Save when the status is successful.


    Redis

    Redis is an open-source software project that implements data structure servers. It is networked and in-memory, and it stores keys with optional durability.

    To configure Redis, complete the following steps:

    1. Specify the IP Address for the Redis database.

    2. Specify a Password if one was set by the administrator.

    3. Specify a Port Number. The default is 6379.

    4. Specify a Connection Pool size for Redis connections. Recommended default: 10.

    5. Click Test to verify the connection and test status.

    6. Click Save when the status is successful.

    Spark

    The main feature of Spark is its in-memory cluster computing, which increases the processing speed of an application. Spark is designed to cover a wide range of workloads such as batch applications, iterative algorithms, interactive queries, and streaming. In SNYPR, Spark is used in ingestion, indexing, and analytics algorithms.

    To configure Spark, complete the following steps:


    1. Specify the Spark Defaults. The Spark Defaults are required to run Spark. Example: /etc/spark/conf/spark-defaults.conf.


    2. Use the slider to Enable Kerberos.

    • If Yes: Enter the KeyTab Path for the connection to the Yarn Master server. Example: /Securonix/securonix_home/security/securonix.keytab.

    • If No: Proceed without entering additional information.

    3. Specify the Yarn Master IP.

    Note: To find the Yarn Master IP, use Cloudera Manager to navigate to Yarn > Instances. The Yarn Master IP corresponds to the ResourceManager (Active) IP.

    4. Specify the SSH Port for the Yarn Master server. The default is 22.

    5. Specify the SSH User Name. Example: securonix.

    6. Specify the SSH Password.

    7. Specify the path of the Yarn Site xml file. Example: /etc/hadoop/conf/yarn-site.xml.

    8. Click Save.


    Settings

    Much of the behind-the-scenes work of the SNYPR application is handled from the Administration menu.

    Configuring the Application

    To access the SNYPR customization settings, navigate to Menu > Administration > Settings.

    Application Settings

    On the Application Settings page, configure the following options:

    General Settings

    From the General Settings option, you can configure the following information:


    • Application Time zone: The time zone for the application server.

    • Database Time zone: The time zone for the database server.

    • Date Format: Select from multiple date/time formats in the dropdown box.

    • Session Timeout: Enter a timeout period for sessions, in seconds.

    Data Import Settings

    The application is multi-threaded to perform parallel processing. Each event file is processed by spawning multiple threads. Each thread simultaneously parses the event log file, performs correlation, and inserts the processed log into the database. You can configure the settings for various data import activities in this section.


    Multithreading: Use the Yes/No switch to enable or disable parallel processing in the application. If you select Yes, you must also configure the following settings:

    For Activity Import:

    • Maximum Threads: The number of threads that are spawned during the import of activities and events. (The default is 30.)

    • Maximum Lines per Thread: The number of lines that are processed by each thread. (The default value is 20000.)

    For User Import:

    Each user file is processed by spawning multiple threads. Each thread simultaneously parses the user file, checks for identity lifecycle changes, and inserts the processed data into the database.

    • Maximum Threads: The number of threads that are spawned during the import of users. (The default value is 20.)

    • Maximum Lines Per Thread: The number of lines that are processed by each thread. (The default value is 10000.)

    • Preview data refresh interval: Specify the number of minutes for which the preview data is cached. During this period, if the Preview button is clicked again, the application retrieves the preview data from the cache; otherwise it refreshes from the data source. (The default value is 30.)

    • Save events after each file Imported (Yes/No): Enable this setting if you wish to save the events after each file is processed. If this is set to No, all of the files matching the file pattern are processed before saving to the database.

    • Split input event file into smaller files (Yes/No): Use this setting to split the input file into smaller chunks for processing. If an extremely large file is encountered (greater than 1 GB), you can split the file to increase the processing speed.

    • Clear correlation (Yes/No): Makes the disabled access account (disabled during access import) an orphan and removes the past correlation.

    • Clear attributes (Yes/No): Removes all access attributes from the disabled access account (disabled during access import).

    • Ignore Account Name Case (Yes/No): Imports all access accounts as all upper case. If the same access account name is encountered in both lower case and upper case, this setting prevents duplicate account names.

    Single Sign-on

    This screen enables the application for user authentication and Single Sign-on (SSO).


    Hostname: Enter the URL for the host; for example, company.com.

    Logout URL: Enter the logout URL; for example, http://www.google.com. Once you are logged out, you are redirected to this URL.

    Granular Access Control

    Enable data and resource-level access control: To allow access control based on the organizations assigned to users, select YES. (You can assign organizations to users from Configure > Access Control.)

    Quick Links

    This screen allows you to add items to the Menu Bar.


    Quick Link Title

    Menu Title: This field determines the label that appears on the Menu Bar.

    Quick Link URLs

    • Name: This determines the link name under the main Menu Bar name.

    • Protocol: Select either http or https.

    • URL: Enter the URL that you want to link to when users click the item under the Menu Bar.

    • Order: This determines the order in which the links appear under the Menu Bar.

    • +/-: Click the plus sign to add another Quick Link item. Click the minus sign to remove an existing item.

    DNS Servers

    To access the DNS Servers page and add or change the IP entries for your DNS servers:

    1. Navigate to Configure > Settings.

    2. On the left navigation pane, click DNS Servers.

    3. Change, add, or remove IP addresses as needed.

    Hadoop

    For details about the Hadoop component settings, refer to Configure SNYPR Hadoop Settings.


    Housekeeping Jobs

    Some records maintained by the application do not hold much value as the data ages. These records may be deleted after a period. The application provides housekeeping jobs to delete these aging records. Decide how long to maintain these records and configure the housekeeping jobs to remove old data. To access the housekeeping jobs:

    1. Navigate to Configure > Settings.

    2. On the left navigation pane, click Housekeeping Jobs.

    Types of Housekeeping Jobs

    Job Name | Description | Recommended Schedule

    User Import History | Every time a user import is fired, the SNYPR application stores the history of the number of new users, deleted users, updated users, etc. This job clears this table based on the input days. For example, query fired: DELETE FROM Userimporthistory WHERE importdate |

    Activity User IP Mapping | Clears the activity user IP mapping that is maintained for IP address attribution. For example, query fired: DELETE FROM Activityuseripmapping WHERE lastupdate |

    6. On the Schedule Housekeeping Job screen, you can enter a Job Description in the text box (optional).

    7. To configure email notifications, set Enable Job Related Notifications to YES.

    8. You can configure the application to send notification emails upon success, failure, or misfire. Complete the email notification settings as needed.

    9. From the Run Job options, select the frequency at which you want to run the housekeeping job.

    10. To save the housekeeping job, click Save. To run the housekeeping job now, click Run.

    LDAP Authentication

    Prerequisites for setting up LDAP Authentication

    1. The LDAP account should have read permissions for the organizational unit against which the application authenticates.

    2. Identify the DN (Distinguished Name) for the account. For example: cn=svc_[DN];OU=ServiceAccounts;DC=[DN];DC=com

    3. Identify the following additional parameters that are required for AD authentication:

    • The IP address/hostname of the domain controller.

    • The OU (organizational units) containing the different users that should be authenticated.

    Understanding the Configuration

    By default, the application authenticates against the local MySQL data store. However, this can be changed to authenticate the users against Active Directory.

    Note: The authorization for the users is performed based on locally assigned roles.

    The LDAP configuration is controlled by the following properties:

    • managerDn =

    • managerPassword =


    • grails.plugins.springsecurity.ldap.context.server = (ex: ldap://xx.xx.xx.xx:389 or ldaps://xx.xx.xx.xx:636)

    • grails.plugins.springsecurity.ldap.authorities.groupSearchBase =

    • grails.plugins.springsecurity.ldap.search.base =

    To change the default LDAP authentication:

    1. Add the following line to the ldap-config.properties file in "/securonix/securonix_home/conf/":

    grails.plugins.springsecurity.ldap.authorities.groupSearchFilter=member={0}

    2. Add the userid (the same as the AD login) for the application, and provide the appropriate access controls. By default, the system uses the sAMAccountName for authentication. This can be changed by changing the following value:

    grails.plugins.springsecurity.ldap.search.filter=sAMAccountName={0}

    3. Change 'sAMAccountName' to cn, dn, or another distinguishing value as required.

    4. If local user authentication must be enabled, comment out the following line; otherwise, authentication will be only against AD. Uncomment it to authenticate only against AD.

    grails.plugins.springsecurity.providerNames = ldapAuthProvider

    5. To debug errors, make the following change to the log4j.properties file:

    log4j.logger.org.springframework.security=DEBUG

    Note: If there are multiple domains to be configured, create a virtual directory that has the entire list of users. Use the credentials of the virtual directory in the ldap-config.properties file.

    Configure LDAP

    1. Go to "/securonix/securonix_home/conf/".

    2. Open the file ldap-config.properties.

    3. Make the following changes (the values after "=" are placeholders for your environment):

    grails.plugins.springsecurity.providerNames = ldapAuthProvider
    grails.plugins.springsecurity.ldap.context.managerDn = The path of LDAP
    grails.plugins.springsecurity.ldap.context.managerPassword = Password
    grails.plugins.springsecurity.ldap.context.server = ldap://master server ip
    grails.plugins.springsecurity.ldap.authorities.ignorePartialResultException = true
    grails.plugins.springsecurity.ldap.search.searchSubtree = true
    grails.plugins.springsecurity.ldap.search.base = dc=oracledemo,dc=com
    grails.plugins.springsecurity.ldap.authorities.groupSearchFilter=member={0}

    4. In the application, navigate to Configure > Settings, and then select LDAP Authentication.

    5. For the Enable LDAP Authentication setting, select YES.


    6. Complete the following settings:

    • Server: Enter the IP address for Active Directory (ldap://[ip]:[port]/).

    • Base: Enter the base directory from which to start the search. For example, dc=mycompany,dc=com.

    • Manager DN: Enter the appropriate Manager DN.

    • Manager Password: Enter the appropriate Manager Password.

    • Retrieve Database Roles: Select whether to retrieve additional roles from the database using the User/Role many-to-many mapping.

    • Retrieve Group Roles: Select whether to infer roles based on group membership.

    • Ignore Partial Result Exception: Select whether to ignore partial result exceptions.

    • Search Subtree: Select whether you want to search in subtrees.

    • Search Filter: The pattern to be used for the user search. For example, {0} is the user's DN.

    • Group Search Base: Enter the base DN from which the search for group membership should be performed.

    • Group Search Filter: Enter the pattern to be used for the user search. For example, {0} is the user's DN.

    • Group Role Attribute: Enter the ID of the attribute which contains the role name for a group.


    7. When you have finished, click Save.
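The following Python check is an added example, not Securonix code: it parses an ldap-config.properties file of the form shown above and flags settings worth reviewing before enabling LDAP authentication (a plain ldap:// server URL, a filter missing its {0} placeholder such as the member(0) slip, an empty manager password, and providerNames=ldapAuthProvider left active when local logins are still needed). The sample file content, including its DN and address, is constructed for the example.

```python
"""Sanity checks for a SNYPR-style ldap-config.properties file.

Added example, not Securonix code. The property names are the
grails.plugins.springsecurity.ldap.* keys listed in the guide; the
sample file content below is constructed for this example.
"""
from __future__ import annotations

import re
from typing import Dict, List

PREFIX = "grails.plugins.springsecurity."

# Constructed sample: the weak settings are deliberate so that the checks fire.
SAMPLE_PROPERTIES = """
# ldap-config.properties (constructed sample)
grails.plugins.springsecurity.providerNames = ldapAuthProvider
grails.plugins.springsecurity.ldap.context.managerDn = cn=svc_snypr,ou=ServiceAccounts,dc=example,dc=com
grails.plugins.springsecurity.ldap.context.managerPassword =
grails.plugins.springsecurity.ldap.context.server = ldap://10.0.0.5:389
grails.plugins.springsecurity.ldap.authorities.ignorePartialResultException = true
grails.plugins.springsecurity.ldap.search.searchSubtree = true
grails.plugins.springsecurity.ldap.search.base = dc=example,dc=com
grails.plugins.springsecurity.ldap.search.filter = sAMAccountName={0}
grails.plugins.springsecurity.ldap.authorities.groupSearchFilter = member(0)
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Parse a Java .properties file (key=value or key: value; # and ! start comments).

    Commented-out keys are dropped, which is exactly what the guide relies on when
    it says to comment out providerNames to re-enable local authentication.
    """
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_ldap_config(props: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means nothing to review."""
    findings: List[str] = []
    ldap_only = props.get(PREFIX + "providerNames") == "ldapAuthProvider"
    server = props.get(PREFIX + "ldap.context.server", "")
    manager_dn = props.get(PREFIX + "ldap.context.managerDn", "")
    manager_pw = props.get(PREFIX + "ldap.context.managerPassword", "")
    # The guide states sAMAccountName={0} is the default when the key is absent.
    search_filter = props.get(PREFIX + "ldap.search.filter", "sAMAccountName={0}")
    group_filter = props.get(PREFIX + "ldap.authorities.groupSearchFilter", "")

    if ldap_only:
        findings.append("providerNames=ldapAuthProvider is active: only AD logins will "
                        "work; comment the line out if local accounts are still needed")
    if not server:
        findings.append("ldap.context.server is not set")
    elif server.startswith("ldap://"):
        findings.append(f"server {server} uses plain ldap://; the bind password and "
                        "user credentials cross the network unencrypted, prefer ldaps://")
    if manager_dn and not manager_pw:
        findings.append("managerDn is set but managerPassword is empty; many directories "
                        "treat an empty password as an anonymous bind")
    if "{0}" not in search_filter:
        findings.append(f"search.filter '{search_filter}' has no {{0}} placeholder")
    if group_filter and "{0}" not in group_filter:
        findings.append(f"groupSearchFilter '{group_filter}' has no {{0}} placeholder "
                        "(the guide's example is member={0})")
    return findings


if __name__ == "__main__":
    for finding in check_ldap_config(parse_properties(SAMPLE_PROPERTIES)):
        print("-", finding)
```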

    Log Settings

    This section allows you to view the application logs and set the log levels for each module in the SNYPR application. To access the log settings, navigate to Menu > Administration > Settings. Select Log Settings from the left pane.

    Application Logs

    This option displays the application logs and provides an option to set the application logs to auto update. If you select YES, an additional option to Disable Auto Update After a specified period is available.


    Logging

    Setting up Logging to the securonix.log File

    The SNYPR application logs both errors and debug statements to a log file. Conveniently named securonix.log, the log file is located in the "/logs" directory.

    You can change the location of the securonix.log file to any desired folder.

    To specify the location of the log file:

    1. Navigate to /WEB-INF/classes.

    2. Search for a file named log4j.properties.

    3. Open the file with a text editor.

    4. To specify the location of the log file, search for the following line under the # File Appender heading and edit its path:

    log4j.appender.file.file=.../securonix.log

    Note: To begin logging to the new location, you must restart the application.

    Changing the log format

    By default, the log file does not include the date on which the log entry was written. This is because of the following directive in log4j.properties:

    log4j.appender.file.layout.ConversionPattern=%d{ABSOLUTE} %-5p [%c{1}] %m%n

    For example, from securonix.log:

    09:37:26,744 DEBUG [LoginController] auth. Getting license information…

    If you want to change this setting to include the date, use the following format (note that there is a single "=" after the property name):

    log4j.appender.file.layout.ConversionPattern=%d{dd MMM yyyy HH:mm:ss,SSS} %-4r [%t] %-5p %c{1}%x - %m%n
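As an added example (not from the guide), this Python parser reads securonix.log lines written in either of the two layouts above and shows why the default layout is awkward for log collection: its lines carry only a time of day, so they cannot be placed on a calendar day without the file's own timestamp. The sample lines are constructed, and the thread names and uptime values in the dated lines are assumed for illustration.

```python
"""Parse securonix.log lines in the two log4j layouts the guide shows.

Added example, not Securonix code. Sample log lines are constructed.

Default layout: %d{ABSOLUTE} %-5p [%c{1}] %m%n
    e.g. "09:37:26,744 DEBUG [LoginController] auth. Getting license information..."
Dated layout:   %d{dd MMM yyyy HH:mm:ss,SSS} %-4r [%t] %-5p %c{1}%x - %m%n
    e.g. "13 May 2017 09:37:26,744 1532 [http-nio-8080-exec-1] DEBUG LoginController - auth. ..."
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# %d{ABSOLUTE} is HH:mm:ss,SSS; %-5p is the level padded to 5 columns;
# %c{1} is the last segment of the logger name; %m is the message.
DEFAULT_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2},\d{3}) (?P<level>[A-Z]+)\s+\[(?P<logger>[^\]]+)\] (?P<msg>.*)$"
)
# %-4r is milliseconds since log4j started, %t the thread name. %c{1}%x glues the
# NDC (normally empty) onto the logger name, so the logger is read as one token.
DATED_RE = re.compile(
    r"^(?P<date>\d{2} [A-Za-z]{3} \d{4} \d{2}:\d{2}:\d{2},\d{3}) (?P<uptime>\d+)\s+"
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+)\s+(?P<logger>\S+) - (?P<msg>.*)$"
)


@dataclass
class LogRecord:
    level: str
    logger: str
    message: str
    time_of_day: str                    # HH:MM:SS,mmm in both layouts
    timestamp: Optional[datetime]       # None when the line carries no date
    thread: Optional[str] = None        # only present in the dated layout


def parse_line(line: str) -> Optional[LogRecord]:
    """Return a LogRecord for a line in either layout, or None if it matches neither."""
    m = DATED_RE.match(line)
    if m:
        ts = datetime.strptime(m["date"], "%d %b %Y %H:%M:%S,%f")
        tod = ts.strftime("%H:%M:%S,%f")[:-3]   # trim microseconds to milliseconds
        return LogRecord(m["level"], m["logger"], m["msg"], tod, ts, m["thread"])
    m = DEFAULT_RE.match(line)
    if m:
        return LogRecord(m["level"], m["logger"], m["msg"], m["time"], None)
    return None


def records_by_level(lines: List[str], level: str) -> List[LogRecord]:
    """Filter parsed records by level, skipping lines that match neither layout."""
    return [r for r in (parse_line(ln) for ln in lines) if r is not None and r.level == level]


# Constructed sample: the same two events in the default and the dated layout,
# plus one line that is not log4j output at all.
SAMPLE_LINES = [
    "09:37:26,744 DEBUG [LoginController] auth. Getting license information...",
    "09:37:27,102 WARN  [LoginController] auth. Failed login for user analyst1",
    "13 May 2017 09:37:26,744 1532 [http-nio-8080-exec-1] DEBUG LoginController - auth. Getting license information...",
    "13 May 2017 09:37:27,102 1890 [http-nio-8080-exec-1] WARN  LoginController - auth. Failed login for user analyst1",
    "not a log4j line at all",
]

if __name__ == "__main__":
    for rec in records_by_level(SAMPLE_LINES, "WARN"):
        when = rec.timestamp.isoformat() if rec.timestamp else f"(date unknown) {rec.time_of_day}"
        print(when, rec.logger, rec.message)
```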


    Log Levels

    ERROR: The ERROR level designates error events that might still allow the application to continue running.

    FATAL: The FATAL level designates very severe error events that will presumably lead the application to abort.

    OFF: Turns off logging.

    WARN: The WARN level designates potentially harmful situations.

    INFO: The INFO level designates informational messages that highlight the progress of the application at a coarse-grained level.

    ALL: The ALL level has the lowest possible rank and is intended to turn on all logging.

    DEBUG: The DEBUG level designates fine-grained informational events that are most useful to debug an application.

    TRACE: The TRACE level designates finer-grained informational events than the DEBUG level.

    Changing Logging Levels

    Logging can be changed for each module within the application. To change the logging levels, perform the following steps:

    1. Navigate to Menu > Administration > Settings.

    2. On the left navigation pane, click Log Settings > Logging.

    3. Change the log level for the desired module.

    4. To save your changes, click Update.

    Change Log Levels for Modules

    The following modules are available for logging:

    • Imports: Logging for User Import and Glossary Import actions.

    • Activity Imports: Logging for Activity Import for various connections.

    • Policy Engine: Detect Behavioral Analytics, Anomaly Detection.

    • Web Services: Web application components.

    • Work Flow: SOC Team Review, Activity Outlier Workflow, Access Certification Workflow.

    • Licensing: Logging for managing and updating the license.

    • Views: Users, Resources, Peers, Organizations, Application.

    • Run: Access, Activity, Policy violations, Behavior Profiles.

    • Reports: Running and rendering reports.

    • Configure: All actions available under the Configure menu.

    • UI Utilities: Analytical Activities, Applications, Dashboard, Incidents, Organizations, Peer, Resource, Detect, Transaction, User, Utility Impl, Token, Common UI Utilities, Workbench Util.


    Log Level Choices

    All modules have the same log level choices. The default setting for each, however, is different. The choices are:

    • All: All has the lowest possible rank and is intended to turn on all logging.

    • Debug: Designates fine-grained informational events that are most useful to debug an application.

    • Error: Designates error events that might still allow the application to continue running.

    • Fatal: Designates very severe error events that will presumably lead the application to abort.

    • Info: Designates informational messages that highlight the progress of the application at a coarse-grained level.

    • Off: Off has the highest possible rank and is intended to turn off logging.

    • Trace: Designates finer-grained informational events than Debug.

    • Warn: Designates potentially harmful situations.

    Set Log Levels

    To set the log levels:

    1. From the Select a resource to view logs dropdown list, select a module to view its current Log Level.

    2. To change the current log level for a specific module, select an option from the Log Level dropdown.


    3. To save your changes, click Update.

    Manage License

    This section allows you to review the licenses installed with the application. View details about the current licenses, including the number of users and resources licensed, the license issue and expiration dates, and issuer details. To manage licenses, navigate to Menu > Administration > Settings. Select Manage License from the left pane.


    Current License

    Installed Licenses

    This section displays the installed licenses, which you can uninstall by clicking the Uninstall button.

    Install/Upgrade License

    In the Install/Upgrade License options you can upload a new license and enter a new activation key.

    Spark Jobs

    To configure Spark, refer to Configure SNYPR Hadoop Settings.

    Safe Domains

    When you want to exclude domains from lists generated by third party intelligence (TPI), add them to the safe domain list. To add a safe domain, go to Menu > Administration > Settings. Select Safe Domains from the left pane, and add the domain in the right window.

    SAML Settings

    Security Assertion Markup Language (SAML) is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider. SAML settings relate to the configuration of single sign-on (SSO), which helps reduce the administrative overhead of distributing multiple authentication tokens to the user.

    To configure the SAML settings:

    1. Navigate to Menu > Administration > Settings, and then from the left navigation pane, select SAML Settings. On the SAML Settings page, you can:

    • Generate metadata for the new Service Provider

    • Share the metadata for the Service Provider

    • Obtain a list of registered Identity Providers

    • Create users with Securonix

    2. Click the Click here to generate new service provider metadata link.


    3. The SAML Current Settings screen appears.

    • Entity ID: The Entity ID is a unique identifier for an identity or service provider. This value is included in the generated metadata.

    • Entity Base URL: The base used to generate URLs for this server. For example: https://myServer:443/saml-app. Enter the public address from which your server will be accessed.

    • Entity Alias: The alias is an internal mechanism that allows the application to collocate multiple service providers on one server. The entity alias must be unique.

    • Include IDP Discovery: Select this option to include identity provider discovery in the metadata.


    • SSO Bindings: Select the bindings to use for SSO, which include Post, PAOS, and Artifact. In general, the binding determines how a SAML request and response map to protocols for messaging and communication.

    • Security Profile: From the dropdown list, select the option you want to use for trust of signature, encryption, and SSL/TLS credentials.

    • Signing Key: The key used for digital signatures of SAML messages.

    • Encryption Key: The key used for digital encryption of SAML messages.

    • SSL/TLS Key: The key used to authenticate an instance for SSL/TLS connections.

    • Sign metadata: Select this option to digitally sign the generated metadata with the specified signature key.

    • Sign sent AuthNRequests: If selected, the generated metadata is digitally signed using the specified signature key.

    • Require signed authentication Assertion: If selected, the generated metadata is digitally signed using the specified signature key.

    • Require signed LogoutRequest: If selected, the generated metadata request is digitally signed for logout requests using the specified signature key.


    • Require signed LogoutResponse: If selected, the generated metadata request is digitally signed for logout responses using the specified signature key.

    • Require signed ArtifactResolve: If selected, the generated metadata request is digitally signed for artifact resolution using the specified signature key.

    4. To continue, click Generate Metadata. The new Service Provider metadata is generated.

    5. The Metadata Management for SAML screen appears with the newly generated Service Provider metadata. Share the metadata with the Service Provider to allow for redirection of requests to the application.

    6. To obtain a list of registered identity providers, click the link. The Metadata Management for SAML screen appears, from which you can download the metadata for the Identity Provider.


    7. Copy the metadata provided by the SAML provider into the text box to register the new Identity Provider.

    8. Click Submit to save the identity provider (IDP) metadata.
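The script below is an added example, not Securonix code: it reads Service Provider metadata of the kind generated in step 4 and reports the entityID, the advertised SSO bindings, the key descriptors, and whether AuthnRequestsSigned and WantAssertionsSigned are set, which is how the "Sign sent AuthNRequests" and "Require signed authentication Assertion" choices surface in SAML 2.0 metadata. The metadata document, its URLs and its key names are constructed for the example; element and attribute names follow the SAML 2.0 metadata schema.

```python
"""Review SAML 2.0 Service Provider metadata against the settings the guide lists.

Added example, not Securonix code. The metadata below is constructed; the
element and attribute names are those of the SAML 2.0 metadata schema.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Binding URIs mapped to the names the SSO Bindings setting uses.
BINDING_NAMES = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "Post",
    "urn:oasis:names:tc:SAML:2.0:bindings:PAOS": "PAOS",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact": "Artifact",
}

# Constructed sample: AuthnRequestsSigned is on, WantAssertionsSigned is off.
SAMPLE_SP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://snypr.example.com/saml-app">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:KeyName>snypr-signing</ds:KeyName></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:KeyName>snypr-encryption</ds:KeyName></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://snypr.example.com/saml-app/saml/SSO" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://snypr.example.com/saml-app/saml/SSO" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


@dataclass
class SpMetadataSummary:
    entity_id: str
    authn_requests_signed: bool
    want_assertions_signed: bool
    bindings: List[str] = field(default_factory=list)
    key_names: Dict[str, str] = field(default_factory=dict)   # KeyDescriptor use -> KeyName


def _is_true(value: str | None) -> bool:
    return (value or "false").strip().lower() == "true"


def summarize_sp_metadata(xml_text: str) -> SpMetadataSummary:
    """Extract the fields that correspond to the SAML Current Settings screen."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")
    summary = SpMetadataSummary(
        entity_id=root.get("entityID", ""),
        authn_requests_signed=_is_true(sp.get("AuthnRequestsSigned")),
        want_assertions_signed=_is_true(sp.get("WantAssertionsSigned")),
    )
    for acs in sp.findall("md:AssertionConsumerService", NS):
        binding = acs.get("Binding", "")
        summary.bindings.append(BINDING_NAMES.get(binding, binding))
    for kd in sp.findall("md:KeyDescriptor", NS):
        name = kd.find("ds:KeyInfo/ds:KeyName", NS)
        summary.key_names[kd.get("use", "")] = name.text if name is not None else ""
    return summary


def review(summary: SpMetadataSummary) -> List[str]:
    """Findings an administrator would want to act on before sharing the metadata."""
    findings: List[str] = []
    if not summary.entity_id.startswith("https://"):
        findings.append("entityID / Entity Base URL is not an https URL")
    if not summary.authn_requests_signed:
        findings.append("AuthnRequestsSigned is false: enable 'Sign sent AuthNRequests'")
    if not summary.want_assertions_signed:
        findings.append("WantAssertionsSigned is false: enable 'Require signed authentication Assertion'")
    if "signing" not in summary.key_names:
        findings.append("no signing KeyDescriptor: no Signing Key was selected")
    if not summary.bindings:
        findings.append("no AssertionConsumerService: select at least one SSO binding")
    return findings


if __name__ == "__main__":
    s = summarize_sp_metadata(SAMPLE_SP_METADATA)
    print(s.entity_id, s.bindings, s.key_names)
    for finding in review(s):
        print("-", finding)
```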

    SMTP Server Settings

    The application uses the mail server for the following purposes:

    • To send email notifications on a violation.

    • To send job success/failure notifications.

    • To send email notifications on user lifecycle changes (new, updated, and terminated users).

    • To send notification emails for case-related issues.

    • To receive emails when comments are added to existing cases.


    Adding an SMTP Server

    To set up a new SMTP server:

    1. Navigate to Menu > Administration > Settings.

    2. On the left navigation pane, click SMTP Server Settings.

    3. To add a new server, click Add New Mail Server.

    4. Use the following steps to configure the General Settings section:


    a. Mail Box Name: You can keep the default setting or provide a name of your choice.

    b. Host: Enter a host name for the mail server.

    c. Port: Enter an outgoing port.

    d. From email: Type the name of the email account used for sending email.

    e. SSL enabled?: Toggle the YES/NO switch to enable or disable SSL communication.

    f. Authentication required: If the mail server requires authentication, select YES.

    g. User Name and Password: If authentication is set to YES, enter the username and password.

    6. Use the following steps to configure the More Settings section:

    a. Font name: Select a font type from the dropdown list. The default font is Arial.

    b. Font size: Enter the size of the font you want to use in your email notifications. The default font size is 2.

    c. Batch size: Enter the number of email notifications that are sent in a batch. The default setting is 25.

    d. Interval: Enter the number of seconds between retries. The default is 10.

    e. Process In Batch: Choose whether you want to send email notifications in batches. The default is Yes.

    f. Stop When Done: Choose whether you want to stop sending email notifications when all of the messages in the queue are completed. The default is Yes.

    7. When you have finished, click Save. You can also save the settings and send a test email, or test the SMTP server, using the choices at the bottom of the Mail Server Settings screen.

    UI Preferences

    You can enter a brief description that you want to display on the logon page.


    Access Control

    SNYPR allows Administrators to restrict access to selected screens in the user interface. Access is restricted to authorized users based on their roles. Roles are created based on job functions.

    To configure role-based access control, navigate to Menu > Administration > Access Control.

    Setting Up Access Control

    Before setting up access control, determine the roles and the capabilities to assign to each role. Additionally, decide which users should be assigned to each role.

    Setting up access control requires two steps:

    1. Create roles and assign capabilities to roles.

    2. Create users and assign them to roles.

    3. [Optional] Create groups and assign users to groups.

    Note: Security groups make it easier to manage users by allowing bulk actions. Permissions assigned to groups are inherited by all members within the group.

    Creating Users

    You can grant analysts access to the application and assign them specific privileges. To create a new analyst and grant privileges, complete the following steps:


    Enter User Information

    1. Navigate to Menu > Administration > Access Control.

    2. Click Manage Users from the Access Control navigation pane.

    3. Click + > Create User.

    4. Provide the following details:

    • User Name: Enter the name the user will use to log in to the application.

    • Password: Enter the password the user will use to log in to the application.

    • Re-Enter Password: Re-enter the password the user will use to log in to the application.

    • First Name: Enter the user's first name.

    • Last Name: Enter the user's last name.

    • Email: Enter the user's email.


    • Enabled?: Toggle to Yes to enable the user.

    5. Click Save & Next.

    Assign Roles to the user

    1. Toggle the slider to Yes for the roles you would like to assign to this user.

    Note: Users will only be able to access certain screens in the UI based on the roles you select.


    2. Click Save & Next.

    Assign Groups to the user

    Based on the groups you select for this analyst, they will only be able to view or take actions on cases assigned to those groups. Admin users can view all cases, regardless of the group to which the case is assigned. To assign groups to this analyst, complete the following steps:

    1. Toggle to Yes to assign the user to a group.

    To add a new group, click Add New Group and enter the following information:

    • Name: Enter the group name.

    • Type: Select a group type from the dropdown.


    • Email: Specify the group email address.

    2. Click Save & Next.

    3. Ensure the user was created successfully from the Access Control main screen.

    Creating Roles

    Roles with meaningful names (for example: Auditors, security operations, forensics, investigator, etc.) make it easier to perform access control. You can assign multiple capabilities to Roles. These capabilities allow users to access specific modules of the application.

    To create a role, complete the following steps:

    1. Navigate to Menu > Administration > Access Control.

    2. Click Manage Roles from the Access Control navigation pane.


    3. Click + > Create Role.

    4. Provide the following information:

    • Role Name: Enter a unique name for the role.

    • Description: Enter a brief description of the purpose of the role and the privileges granted to it.

    • Privileges: Grant privileges to the role.

    a. Select the areas of the UI to which the role is granted access. These areas include:

    • Dashboard

    • View

    • Add Data

    • Analytics

    • Reports

    • Configure

    • Third Party Intelligence

    • Other

    • Application Status

    • Geolocation

    • Investigation Workbench

    b. Select individual privileges within the areas (for example, Configure-System) using > or >> to select all.

    Note: Privileges are grouped based on the module (i.e. dashboard, manage, detect, respond, reports, and configure). For a complete list of privileges, see Appendix A.

    Example: Grant all dashboard privileges to role

    5. Click Save.

    The following table shows typical Roles included in the application:


Role: Access Certifier

Main task: Certify user access privileges

l Can log in and view the risky entitlements for the users who report to the manager/certifier

l Has access to specific Security Dashboards (Access Review category only)

Role: Access Scanner

Main task: Detect user access privilege outliers

l Is a role typically assigned to users running access outliers and on-boarding access entitlements into the application; limits access within the application to only access-related screens and access-related resource groups

l Has screen access configured by the admin

Role: Admin

Main task: Configure the application

l Has the highest level of access available

l Has ability to add/delete data in the application

l Has ability to create/modify/delete jobs

l Has ability to create/modify/delete users, roles, and groups

l Has ability to control access to the application

l Has ability to encrypt/mask data

Role: Auditor

Main task: Monitor the SNYPR application health

l Has ability to access the administrative dashboard to review all operational/IT metrics about events and data sources in the system

Role: Business Unit Manager

Main task: Monitor risk profile for business units

l Allows business unit managers to log in to the application and review the risk profile associated with the users within their business units

l Is not typically given admin privileges and is unable to add or remove data within the application

Role: Case Analyst

Main task: View and manage cases

l Has access to the Incident Dashboard

l Has ability to review and work on cases

l Is unable to configure any jobs or import data into the application

Role: Hunters

Main task: Hunt team

l Has access to Security Dashboards

l Has ability to drill down and investigate incidents using tools such as the Investigation Workbench for data link analysis

Role: License Manager

Main task: Manage application licensing

l Has access only to the license screen to re-register license details and validate licenses

l Is unable to access any other screen or view data for the user

Role: Operations Team

Main task: End-to-end monitoring of the application

l Has ability to view the health and operation of the application from end to end

l Has ability to ensure data imports were scheduled correctly and that activity imports and scheduled jobs ran properly

l Has ability to modify the settings to ensure the end-to-end flow is working

Role: Privacy Manager

Main task: Decrypt PII (personally identifiable information) data

l Has the ability to decrypt users' PII data within the application when data encryption is enabled

l Has access only to certain screens controlled by the admin (typical screens are 'Manage Users' and 'High-Risk Users')

l Is not typically given access to view the underlying data that caused violations

Role: System Owner

Main task: Manage risk posture by application

l Allows application owners to view the risk profile for all users of the application

l Is typically given admin privileges to the application for which they are the owners

l Has screen access configurable from the UI

Role: User Admin

Main task: Manage applications

l Is a role assigned to application admins

l Can be configured if users need some super-user privileges but not all admin privileges

l Has screen access configurable from the UI

Creating Groups

By creating groups and assigning users to them, you have more control over user permissions. You can directly assign roles to groups and assign organizations to groups. All users belonging to the group will inherit the roles and organizations assigned to the group.

    To create a group, complete the following steps:

1. Navigate to Menu > Administration > Access Control.

2. Click Manage Groups from the Access Control navigation pane.

3. Click + > Create Group.

4. Provide the following details:

l Name: Enter a descriptive name for the group.

l Type: Select a group type from the dropdown.

l Email: Specify the group email address.

l Mail Box: Select a mail box from the dropdown (the default is default).

l Parent group: Search to select a Parent Group from existing groups (for example, Administrators).

5. Click Next.

6. Click Add User(s) to add users to the group, or click Next.

a. Add User(s): Search for specific users or type * to search all, check the boxes of the users you would like to add, and click Add Selected User(s).

b. Next: Proceed to assign roles to the group.

7. Toggle to Yes for the roles you would like to assign to the group.

8. Click Save.
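The two procedures above (Creating Roles and Creating Groups) define a chain: privileges are grouped into roles, roles are assigned to groups, and a user inherits the roles and organizations of every group they belong to. The following added example (not Securonix code; the role, group, organization and privilege names are constructed, and the rule that a child group also inherits its Parent group's roles is an assumption) resolves that chain for a user and flags privileges outside the modules the user's job needs, which is the review an administrator should do before granting a role.

```python
"""Effective-privilege resolution for users, groups (with Parent group), roles
and privileges. Added illustration, not Securonix code; names are constructed
and child-inherits-parent-group-roles is an assumption."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    privileges: set[str]          # "<Module>-<Privilege>", e.g. "Configure-System"


@dataclass
class Group:
    name: str
    roles: set[str] = field(default_factory=set)
    organizations: set[str] = field(default_factory=set)
    parent: str | None = None     # the Parent group chosen in the Create Group form


@dataclass
class User:
    name: str
    groups: set[str] = field(default_factory=set)
    direct_roles: set[str] = field(default_factory=set)


def group_chain(groups: dict[str, Group], name: str) -> list[Group]:
    """Return a group followed by its ancestors; refuse a Parent-group cycle."""
    chain: list[Group] = []
    seen: set[str] = set()
    current: str | None = name
    while current is not None:
        if current in seen:
            raise ValueError(f"parent-group cycle at {current!r}")
        seen.add(current)
        group = groups[current]
        chain.append(group)
        current = group.parent
    return chain


def effective_roles(user: User, groups: dict[str, Group]) -> set[str]:
    """Roles held directly plus roles inherited through every group in the chain
    (child groups inheriting from parents is the assumption noted above)."""
    roles = set(user.direct_roles)
    for gname in user.groups:
        for group in group_chain(groups, gname):
            roles |= group.roles
    return roles


def effective_organizations(user: User, groups: dict[str, Group]) -> set[str]:
    orgs: set[str] = set()
    for gname in user.groups:
        for group in group_chain(groups, gname):
            orgs |= group.organizations
    return orgs


def effective_privileges(user: User, groups: dict[str, Group],
                         roles: dict[str, Role]) -> set[str]:
    privs: set[str] = set()
    for rname in effective_roles(user, groups):
        privs |= roles[rname].privileges
    return privs


def privileges_by_module(privs: set[str]) -> dict[str, set[str]]:
    """Group privileges by their module prefix, the way the UI lists them."""
    out: dict[str, set[str]] = {}
    for p in privs:
        module, _, name = p.partition("-")
        out.setdefault(module, set()).add(name)
    return out


def excess_privileges(user: User, groups: dict[str, Group], roles: dict[str, Role],
                      allowed_modules: set[str]) -> set[str]:
    """Least-privilege review: privileges outside the modules a user's job needs."""
    return {p for p in effective_privileges(user, groups, roles)
            if p.partition("-")[0] not in allowed_modules}


# Constructed sample directory (names are illustrative, not SNYPR's privilege list)
ROLES = {
    "Case Analyst": Role("Case Analyst", {"Dashboard-Incident", "Respond-Case"}),
    "Hunters": Role("Hunters", {"Dashboard-Security", "Respond-InvestigationWorkbench"}),
    "Admin": Role("Admin", {"Configure-System", "Configure-AccessControl", "Manage-AddData"}),
}
GROUPS = {
    "SOC": Group("SOC", roles={"Case Analyst"}, organizations={"Corporate"}),
    "SOC-Tier2": Group("SOC-Tier2", roles={"Hunters"}, parent="SOC"),
    "Platform": Group("Platform", roles={"Admin"}, organizations={"IT"}),
}
ALICE = User("alice", groups={"SOC-Tier2"})
BOB = User("bob", groups={"SOC"}, direct_roles={"Admin"})

if __name__ == "__main__":
    for u in (ALICE, BOB):
        print(u.name, sorted(effective_roles(u, GROUPS)),
              privileges_by_module(effective_privileges(u, GROUPS, ROLES)))
        print("  outside Dashboard/Respond:",
              sorted(excess_privileges(u, GROUPS, ROLES, {"Dashboard", "Respond"})))
```

Running it shows alice, a member only of SOC-Tier2, holding both Case Analyst and Hunters roles through the group chain, while bob's directly assigned Admin role gives him Configure and Manage privileges that a case-handling job does not need; that is the kind of finding the Access Certifier role exists to review.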

Managing Users, Groups, and Roles

From the left sidebar menu on the Access Control main screen, you can edit settings for users, roles, and groups and set password control options.


To export Users, Roles, or Groups in CSV, XML, PDF, or RTF format, click the export icon and select a file format. The file will download to your local machine.

Manage Users

You can take the following actions from the icons on the right side of each user listing:

    Change Password

    Edit User

    Delete User

    Note: You cannot delete or disable the Admin user.


Manage Roles

    You can take the following actions on the right side of each role listing: 

    Edit Role

    Delete Role

Note: The special role ROLE_PRIVACYMANAGERMASKING gives users who hold it the ability to unmask (not decrypt) masked data in a few steps. When creating users and groups, assign the role ROLE_PRIVACYMANAGERMASKING to enable this feature.

    Manage Groups

    You can take the following actions on the right side of each group listing: 


Edit Group

    Delete Group

    Password Control

1. Toggle the slider to Yes to enable password control, then set the following parameters:


Parameter: Description

Minimum Length: The minimum number of characters in a password.

Maximum Length: The maximum number of characters in a password.

Minimum Upper Case Letters: The minimum number of upper case letters required in a password.

Minimum Lower Case Letters: The minimum number of lower case letters required in a password.

Numbers Allowed?: By default, numbers are allowed in passwords. Toggle to No to disallow numbers in passwords.

Minimum Numbers: The minimum count of numbers required in a password.

Special Characters Allowed: This option only appears if Numbers Allowed? is set to Yes. By default, special characters are allowed in a password. Toggle to No to disallow special characters in a password.

Lock after 'n' login failures: The number of failed login attempts that results in account lockout.

Password never expires?: Set to Yes to make passwords non-expiring. If set to Yes, the Password expiration period and Remainder Interval settings disappear.

Password expiration period: If Password never expires? is set to No, enter the number of days before a password change is required.

Remainder Interval: Set the number of days before expiry at which the password expiry notification is sent.
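The parameters above interact: Minimum Numbers only applies when numbers are allowed, the Special Characters Allowed toggle is hidden when they are not, and the expiry reminder window is measured back from the expiry date. The following added example (not Securonix code) models those rules as a reference check; the default values given to PasswordPolicy are assumed for illustration, and treating the hidden Special Characters Allowed option as "allowed" and keeping a locked account locked until it is reset are both assumptions.

```python
"""Reference implementation of the Password Control parameters: complexity
rules, lockout after n failures, and expiry with a reminder window.
Added example, not Securonix code; defaults and hidden-option behaviour are
assumptions."""
from __future__ import annotations

import string
from dataclasses import dataclass, replace
from datetime import date, timedelta


@dataclass(frozen=True)
class PasswordPolicy:
    minimum_length: int = 12
    maximum_length: int = 64
    minimum_upper_case_letters: int = 1
    minimum_lower_case_letters: int = 1
    numbers_allowed: bool = True
    minimum_numbers: int = 1
    special_characters_allowed: bool = True    # shown in the UI only when numbers_allowed
    lock_after_login_failures: int = 5
    password_never_expires: bool = False
    password_expiration_period_days: int = 90
    remainder_interval_days: int = 14          # "Remainder Interval" in the UI


def validate_password(policy: PasswordPolicy, password: str) -> list[str]:
    """Return the rules the candidate password violates (empty means compliant)."""
    problems: list[str] = []
    upper = sum(c.isupper() for c in password)
    lower = sum(c.islower() for c in password)
    digits = sum(c.isdigit() for c in password)
    specials = sum(c in string.punctuation for c in password)

    if len(password) < policy.minimum_length:
        problems.append("minimum length")
    if len(password) > policy.maximum_length:
        problems.append("maximum length")
    if upper < policy.minimum_upper_case_letters:
        problems.append("minimum upper case letters")
    if lower < policy.minimum_lower_case_letters:
        problems.append("minimum lower case letters")
    if not policy.numbers_allowed:
        if digits:
            problems.append("numbers not allowed")
    else:
        if digits < policy.minimum_numbers:
            problems.append("minimum numbers")
        # The Special Characters Allowed toggle only exists when numbers are
        # allowed; when it is hidden we treat specials as allowed (assumption).
        if not policy.special_characters_allowed and specials:
            problems.append("special characters not allowed")
    return problems


@dataclass(frozen=True)
class AccountState:
    failed_logins: int = 0
    locked: bool = False
    password_set_on: date = date(2017, 1, 1)   # constructed sample date


def record_login(policy: PasswordPolicy, state: AccountState, success: bool) -> AccountState:
    """Apply one login attempt to the lockout counter and return the new state."""
    if state.locked:
        return state          # assumption: stays locked until an administrator resets it
    if success:
        return replace(state, failed_logins=0)
    failures = state.failed_logins + 1
    return replace(state, failed_logins=failures,
                   locked=failures >= policy.lock_after_login_failures)


def expiry_status(policy: PasswordPolicy, state: AccountState, today: date) -> str:
    """'never', 'ok', 'reminder' (inside the Remainder Interval) or 'expired'."""
    if policy.password_never_expires:
        return "never"
    expires_on = state.password_set_on + timedelta(days=policy.password_expiration_period_days)
    if today >= expires_on:
        return "expired"
    if today >= expires_on - timedelta(days=policy.remainder_interval_days):
        return "reminder"
    return "ok"


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(validate_password(policy, "Tr0ub4dor&3xtra"))        # []
    print(validate_password(policy, "NoDigitsHereAtAll!"))     # ['minimum numbers']
    state = AccountState()
    for _ in range(policy.lock_after_login_failures):
        state = record_login(policy, state, success=False)
    print(state.locked)                                        # True
    print(expiry_status(policy, AccountState(), date(2017, 3, 20)))  # reminder
```

Returning the list of violated rules rather than a bare boolean lets the UI tell the user which parameter failed without revealing anything about other accounts, and keeping the lockout counter on the account state (not the session) is what makes "Lock after 'n' login failures" effective against password guessing spread over several connections.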


Workflows

SNYPR provides several default workflows to handle incidents and case management. You can create custom workflows to take specific actions on cases, or you can make changes to the existing workflows. Workflows are invoked in the following screens within the application:

    l Security Command Center

    l Policy Violations

l Investigation Workbench

The workflow diagram shows the following sample workflow:

    1. The user begins the case workflow by creating a case from the Violation Summary screen.

    2. The user takes action to claim the case, assign the case to another analyst, or close the case.

    3. The analyst to whom the case is assigned takes appropriate action to resolve the case.

4. The case is closed or assigned to another analyst to re-verify the resolution, or the user can reopen the closed case for further investigation.


Configuring Workflows

To configure workflows, complete the following steps:

1. Navigate to Menu > Administration > Workflows.

2. Click the three-bar icon to display the left navigation pane and view the existing User Defined, Bulk Assignment, and System workflows.

    3. Click the name of a workflow to configure.

    OR


4. Click + > Create New Workflow.

    General Details

    1. Complete the following information:

    a. Workflow Name: Enter a unique name for the workflow.

b. Default Assign To: Select one or all of the Assign To options (Groups, Users, and Other).

To change the order of the Assign To options, use your mouse to click and drag the options into the correct order.


Note: The order in which the options are selected is the order in which the application will try to assign the case. For example, if the order is Group followed by User, SNYPR will first try to assign the case to the group. If the group is unavailable, the case is assigned to the individual user selected.

a. Assign Case to selected Group: Select from the dropdown to assign cases in this workflow to a particular group.

b. Assign Case to selected User: Select from the dropdown to assign cases in this workflow to a particular user.


c. Assign case to Other: Use > or >> to assign cases in this workflow to another assignee type. Example: Organization Owner.


c. Default Notification Email Template: Select from the dropdown or click Create New Email Template:

    Create New Email Template: Complete the pop up form to create a new template:


a. Sender Name: Enter the name of the sender.

    b. Template Name: Enter a unique template name.

    c. Description: Enter a brief description of the template.

    d. To: Enter the email address of the recipient in the form of [email protected].

    e. CC: Enter the email address of the carbon copied recipient in the form [email protected].


f. BCC: Enter the email address of the blind carbon copied recipient in the form [email protected].

    g. Subject: Enter a one-line description of the contents of the email.

h. HTML Enabled: Select Yes or No. Default: Yes.

i. Store in Outbox prior to sending?: Select Yes or No. Default: Yes.

    j. Use this template for: Select from dropdown. Example: AccessOutlier.

    k. Owner: Use > or >> to select the user that will own the organization. Use < or

1. Click Add Action to add an action for this step in the workflow.

    Note: The Open case step for this workflow is already in place.

    2. Configure actions:


a. Action Name: Enter a unique name for the action.

b. Assign to: Select assignees and use the mouse to drag the options into the order in which the application will assign the case.

c. Functions: Select functions and use the mouse to drag them into the order in which the application will process them.

d. Action Tooltip Information: Enter the information to show in the tooltip.

    e. Change Case Status to: Select from dropdown. Example: Open.

    f. Show User Input Form?:

1. Select Yes to create an input screen that will be displayed to the user when this action is taken during the case workflow.

Note: You can add fields to an input screen including text, dropdown menu choices, rich text, assignment option, date, and file upload. You can add fields in one section or create separate screen sections. You can require input by setting the toggle to Yes.

    2. Click Design New Screen to create new input screen and Save:


a. Screen Name: Enter a unique screen name. Example: User Comment.

    b. Create New Section: Click to create a new Section.

    c. Field Label: Enter a label name for the field.

    d. Field Type: Select from dropdown. Example: text area.

    e. Field Value: Select if available for Field Type.

    f. Dimension: Enter a Width and Height.

g. Required?: Toggle to Yes to require the user to complete the input screen.

h. +/-: Use to add or remove entries.

    g. SLA Configuration: Toggle to Yes to enable SLA configuration.

    a. Level: Enter a value for SLA level.

    b. Duration Days: Enter a numeric value for duration in days.

    c. Notification Email Template: Select from dropdown orCreate New Email Template.

    d. Functions: Select from list.

    e. +/-: Use to add/remove entries.

    3. Click AddWorkflow Step to add a new step to the workflow.


1. Enter a Step Name. Example: Completed.

    2. Click Save.

    3. Add Actions for this step in the workflow using the previous steps.

    4. View available actions for each step in the workflow.

    Click Remove Action(s) to remove actions from steps.

    5. Click Finish.

6. View or edit the workflow from the left navigation pane on the Menu > Administration > Workflows main screen.
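The workflow just configured is a small state machine: a case sits in a step, each step offers actions, an action tries its Assign To targets in the configured order and falls back to the next one when a target is unavailable (the note under General Details), changes the case status, runs its functions in order, and SLA levels fire after a configured number of days. The following added example (not Securonix code) models exactly that; the step and action names, the directory of available assignees, and the rule that each action names the step the case moves to next are constructed for the illustration.

```python
"""Minimal model of a SNYPR-style case workflow: steps, ordered Assign To
fallback, status change per action, functions in order, and SLA levels.
Added example, not Securonix code; names and the next_step rule are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date


@dataclass
class Action:
    name: str
    assign_to: list[tuple[str, str]]       # ordered (kind, target); kind is group/user/other
    change_status_to: str
    next_step: str                          # assumption: each action names the next step
    functions: list[str] = field(default_factory=list)


@dataclass
class Step:
    name: str
    actions: dict[str, Action]


@dataclass
class SLALevel:
    level: int
    duration_days: int
    notification_email_template: str


@dataclass
class Case:
    case_id: str
    opened_on: date
    step: str = "Open case"
    status: str = "Open"
    assignee: str | None = None
    history: list[str] = field(default_factory=list)


def pick_assignee(assign_to: list[tuple[str, str]], available: set[str]) -> str | None:
    """Try the Assign To targets in configured order; the first available one wins."""
    for _kind, target in assign_to:
        if target in available:
            return target
    return None


def apply_action(workflow: dict[str, Step], case: Case, action_name: str,
                 available: set[str]) -> Case:
    """Run one action of the case's current step and move the case along."""
    step = workflow[case.step]
    if action_name not in step.actions:
        raise ValueError(f"{action_name!r} is not an action of step {case.step!r}")
    action = step.actions[action_name]
    if action.assign_to:
        assignee = pick_assignee(action.assign_to, available)
        if assignee is None:
            raise RuntimeError(f"no Assign To target available for {action_name!r}")
        case.assignee = assignee
    for fn in action.functions:             # functions run in the configured order
        case.history.append(f"function:{fn}")
    case.history.append(f"{case.step}/{action_name} -> {action.change_status_to}")
    case.status = action.change_status_to
    case.step = action.next_step
    return case


def breached_sla(levels: list[SLALevel], case: Case, today: date) -> SLALevel | None:
    """Highest SLA level whose Duration Days an unclosed case has exceeded."""
    if case.step == "Closed":
        return None
    age = (today - case.opened_on).days
    breached = [lvl for lvl in levels if age >= lvl.duration_days]
    return max(breached, key=lambda lvl: lvl.level) if breached else None


# Constructed sample workflow mirroring the lifecycle in the diagram
WORKFLOW = {
    "Open case": Step("Open case", {
        "Assign": Action("Assign", [("group", "SOC"), ("user", "bob")], "Assigned",
                         "In progress", functions=["send_email"]),
        "Close": Action("Close", [], "Closed", "Closed"),
    }),
    "In progress": Step("In progress", {
        "Resolve": Action("Resolve", [("other", "Organization Owner")], "Resolved", "Closed"),
        "Reassign": Action("Reassign", [("user", "bob"), ("group", "SOC")], "Assigned",
                           "In progress"),
    }),
    "Closed": Step("Closed", {"Reopen": Action("Reopen", [], "Open", "Open case")}),
}
SLA_LEVELS = [SLALevel(1, 2, "SLA reminder"), SLALevel(2, 5, "SLA escalation")]


def run_sample(available: set[str]) -> Case:
    """Open a case, assign it against the given availability, then resolve it."""
    case = Case("CASE-1", opened_on=date(2017, 6, 8))
    apply_action(WORKFLOW, case, "Assign", available)
    apply_action(WORKFLOW, case, "Resolve", available | {"Organization Owner"})
    return case


if __name__ == "__main__":
    c = run_sample({"bob"})                 # group SOC unavailable -> falls back to bob
    print(c.status, c.assignee, c.history)
    print(breached_sla(SLA_LEVELS, Case("CASE-2", date(2017, 6, 8)), date(2017, 6, 14)))
```

The two points worth checking against a real configuration are the fallback order (with {"bob"} available the case lands on bob, with {"SOC", "bob"} it lands on the group, because Group comes first in that action's Assign To list) and the fact that an action whose targets are all unavailable must fail loudly rather than leave the case unowned; a silently unassigned case is how SLA breaches go unnoticed.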


Connection Types

When you ingest data into SNYPR, you must set up connections with the source system. These connections can all be viewed collectively in Connection Types.

Managing Connection Types

To navigate to Connection Types, go to Menu > Administration > Connection Types.

    The top menu in the left-pane provides options to:


l Filter the connection types by using the Filter icon.

    l Use the Advanced Options icon for advanced filtering of the connection types.

l Click the + button to add a new connection, upload or download a file for connection types, and register connectors.

    l Click any pre-configured connection type from the left pane to edit or delete.

Adding a New Connection Type

To add a new connection type, click the + button, and select Add New Connection from the dropdown.

    Add the new connection in the screen that appears to the right.


Enter details into the respective fields, select the relevant options from the dropdown, and click Save.

    This new connection type becomes available in the left pane, which you can edit or delete later.

Uploading or Downloading Files

Click the + button to upload or download files for the connection types. This functionality allows you to FTP, SFTP, or SCP any file to a source or destination of your choice.

Registering Connectors

If a new connector is added to SNYPR, you need to register it first so that it is available for configuring data import.

Click the + button and select Register Connectors from the dropdown to register a connector.


Enter all the relevant fields, such as the source you want to connect to and the connector class. By default, the class files for connectors are present in the folder [Custom Location]/webapps/Snypr/WEB-INF/classes.

Enable the connector to make the connection visible, and click Save. If you disable the connector, it is hidden from the list of connections for importing data.

The default connectors available with SNYPR are listed at the bottom of the page. Scroll down to view the complete list. You can edit the default connectors by clicking the Edit icon.


Threat Library

The Threat Library bundles connectors, parsers, reports, dashboards, policies and threat models for many data sources. Securonix maintains a centralized Threat Exchange to continuously update and distribute all content to the Threat Library.

    The Threat Library features the following content: 

Dashboards: Securonix provides custom dashboards to gain data insights for your organization across the various types of policies and threats for the available data sources.

Connectors and Parsers: Securonix can ingest data from a variety of devices and products. In order to properly analyze the data, it must be normalized into meaningful attributes. Based on the format of the data, Securonix employs techniques such as regular expressions, splitting on a delimiter, XML parsing, JSON parsing, or custom code.

Policies: Securonix applies several types of analytical techniques to detect indicators of threats. Policies is the term used by Securonix for the checks that must be run on each device to detect these threat indicators. The checks may include various types of analytical techniques.

Threat Models: Multiple threat indicators that occur in a pattern and involve similar entities tend to have a much higher risk of being a real threat. Threat Models define these patterns and associate threat indicators with the threat that they signify.

To access the Threat Library, navigate to Menu > Analytics > Threat Library.

    You can use the Threat Library to:

    l Check the Threat Exchange for updates

l Explore the list of connectors, parsers, reports, dashboards, policies and threat models available for each data source

    l Import and deploy new content for a data source with a single click


Updating from the Threat Exchange

The Securonix Threat Model Exchange™ is a library of threat models sourced by the Securonix cyber research team in collaboration with our cross-industry client base, partners and national security leaders. The exchange enables customers to access, download and deploy the latest Securonix threat models with a single click. You must download content from the Threat Exchange to access the content in the Threat Library.

To check the Threat Exchange for updates to connectors, parsers, reports, dashboards, policies and threat models, complete the following steps:

Prerequisite

Enable a connection to the SecuronixDB. If this connection is not enabled, you will be unable to download content from the Threat Exchange and will receive the following error message: Download Failed: Securonix DB connection properties are not available.


To enable this connection, click Click here to check SecuronixDB connection details. You will be redirected to Administration > Connection Types. See Connection Types for information about how to add a connection.

Check for Updates

1. Navigate to Menu > Administration > Threat Library.

    2. Click Check for Updates.


SNYPR automatically downloads content from the Threat Exchange.

    3. Click Explore Threat Library when content has downloaded successfully.


Exploring the Threat Library

To view available and deployed resource types, policies, and threat models in the Threat Library, complete the following steps:

1. Navigate to Menu > Administration > Threat Library.

    2. Click Explore Threat Library.


Application Stats

The Application Stats screen shows the list of Applications deployed in the SNYPR environment. By default, the Resource Types for All Applications are displayed in the Resource Types section.

    Note: Unlicensed Applications appear in gray and will not display content.

    Application

    You can view the following content for the applications that have been deployed in the SNYPR environment:

    l List of Resource Types

    l Number of Policies

    l Number of Threat Models

    You can perform the following actions from this section:


a. Click the icon to view the list of Resource Types for the Application.

    b. Click an Application name to view details.

    Resource Types

When you click an application name, you can view details about the available and deployed Resource Types for that Application. From this screen, you can perform the following actions:

Available Resources

Click Available Resource Types for Deployment to view the list of available resources. You can take the following actions:

    a. View the Format and number of Policies for each Resource Type.

    b. Filter list by Functionality or Vendor.


c. Click Import Data to add the Resource Type.

You will be redirected to the Add Data > Activity Data Import screen. See Importing Activity Data for information about how to import activity data.

Note: When you import data from this screen, all available policies, connectors, parsers, and dashboards are automatically deployed. Threat models are deployed manually. See Deploying Content from the Threat Library for information about how to deploy threat mode