ActionConnector Magic - Hewlett Packard Enterprise

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.


TT3030 - ActionConnector Magic

Prepared by George A. Boitano
617-524-0171
[email protected]
www.semplicityinc.com

© Copyright 2014 SEMplicity, Inc.

Please give me your feedback…

Session: TT3030
Speaker: George A. Boitano

Use the mobile app:
1. Access “My schedule”
2. Click on this session
3. Go to “Rate & review”

If the session is not on your schedule, access it via the session scheduler, click on it, and go to “Rate & review.”

Or use the hard copy surveys.

Thank you for providing your feedback, which helps HP enhance content for future events.

TurboTalk Objectives

∗ Focus on ActionConnector Use Cases for Automation:
  ∗ GeoMaps
  ∗ ShunStunner
  ∗ AutoMailer
  ∗ IDM/Governance Enforcement
∗ Limited technical information
∗ More detailed technical information in supplemental materials
∗ 5-10 Minutes for Q&A

ActionConnector = Automation!

Why Automate (part 1)?

Detecting true-positive events is only the start. Events must be handled appropriately. What could go wrong?
• Detected event missed
• Too many events to process
• Notified personnel absent or busy
• Standard Operating Procedures not found
• Wrong Standard Operating Procedure followed
• Human error in following procedures
• Communication errors
• Other event handling problems?

Why Automate (part 2)?

Repetitive Tasks are Bad!
• Loss of morale
• Increased human error
• Danger of missing more important events that really require human analysis and intervention

Human Beings are Expensive!

ActionConnector Lineage

∗ Originally designed to automate rule response:
  ∗ Connected to ArcSight Threat Response Manager (TRM) and Network Synergy Platform (NSP) Appliances,
  ∗ Blocked network traffic, deactivated nodes, etc.
∗ In 2012, renamed & generalized to support custom integrations
∗ Currently used by:
  ∗ ForeScout: Network Access Control,
  ∗ Mandiant: Threat Detection,
  ∗ CyberArk: APT Detection,
  ∗ NIKSUN: Network Monitoring,
  ∗ Aveksa: Identity Management & Data Governance (I wrote this one).
  ∗ Others?

ActionConnector Event Flow

[Diagram: ActionConnector event flow. Labelled elements: ActionConnector Host; ActionConnector with <appl>.counteract.properties; Script/Program (Executable + Arguments); 3rd-Party Application (Request / Response); regex.X.sdkrfilereader.properties; Rule Action; SmartConnector Commands + Parameters; SmartMessage Event; Logic; Integration Command Request; Integration Command Response.]

ActionConnector Application Points

∗ Integration Commands:
  • Similar to Tools in functionality,
  • Available from Viewer and Editor,
  • Can extract fields from events, or use $selectedField,
  • Run on ActionConnector, not on Console workstation,
  • Return a text response in a viewer window,
  • Not Interactive,
  • Only text returned to Analyst.
∗ Rule Actions:
  • Invoked automatically from Rules under Actions,
  • All defined ActionConnectors and associated commands available,
  • Default ActionConnector script timeout: 5 minutes,
  • Can use event fields, local and global variables, velocity templates as command parameters,
  • Asynchronous - rule does not hang waiting for response,
  • Response not available to correlation rule that issued command…unless join rule.

Use Case: ShunStunner

∗ Correlation Rule
  ∗ Triggers on multiple repetitive firewall blocks for known malicious IP address.
∗ Integration Command
  ∗ Invoked from main channel, one row selected.
  ∗ Calls ShunStunner Command on ActionConnector,
  ∗ Passes Attacker IP Address.
∗ ActionConnector calls ShunStunner.py
  ∗ Validates that IP address is not internal,
  ∗ Connects to HPNA server via SOAP,
  ∗ Issues Shuns on ~30 firewalls for that IP.
∗ Validation via content built around shun firewall logs
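An added example, not the talk's ShunStunner.py, of the "validates that IP address is not internal" step: the guard that runs before any firewall change is requested, returning the text an analyst would see in the viewer. The internal ranges are constructed, the function names are assumptions, and the HPNA SOAP call is left out.

```python
import ipaddress

# Constructed internal address ranges for this example; a real ShunStunner
# would load the organisation's own ranges from configuration.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "203.0.113.0/24",  # stands in for the organisation's public-facing range
)]


def check_shun_target(ip_text, internal_nets=INTERNAL_NETS):
    """Decide whether the attacker IP passed from the rule may be shunned.

    Returns (allowed, reason). Malformed input, addresses inside the
    organisation's own ranges and non-routable addresses are all rejected,
    so a bad rule parameter cannot become a self-inflicted block on ~30 firewalls.
    """
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return False, f"rejected: {ip_text!r} is not an IP address"
    for net in internal_nets:
        if ip in net:
            return False, f"rejected: {ip} is inside internal range {net}"
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
        return False, f"rejected: {ip} is not a routable external address"
    return True, f"eligible: {ip} may be shunned"


def shunstunner_response(argv):
    """Text returned to the analyst's viewer for the command's arguments."""
    if len(argv) != 1:
        return "usage: ShunStunner.py <attackerIP>"
    allowed, reason = check_shun_target(argv[0])
    # The SOAP request to HPNA would follow here; this example stops at the decision.
    return reason + ("; proceeding to HPNA shun request" if allowed else "; no shun requested")
```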

ShunStunner Invocation

Command Definition on ActionConnector

Relevant Events

Use Case: GeoMaps

∗ Firewall Blocks Report
  ∗ Runs every 10 minutes, creates csv of firewall blocks: IP addr, # of blocks
∗ Correlation Rule
  ∗ Fires when report run based on report:101 internal event
  ∗ Rule action calls ActionConnector GeoMap command
  ∗ Passes IP, number of blocks, IP reputation (from Active List)
∗ ActionConnector runs csv2csv.py
  ∗ Reads latest csv file generated by report
  ∗ Creates KML file in manager web directory
∗ GeoMap invoked from any browser
  ∗ Web page served from Manager
  ∗ Calls Google Maps API, passing html and kml
∗ Thanks to Ray Cotten for design of Google Maps API solution
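An added example, not the talk's csv2csv.py, of the CSV-to-KML step: it parses the report's CSV of IP address and block count, attaches the reputation values the rule action passes from the Active List, and writes a KML document with one placemark per IP that the browser page can hand to the maps API. The CSV, reputation table and coordinate table are constructed; the column names ip_addr/num_blocks and the coordinate lookup are assumptions (a real script would use a geo database or the event's geo fields).

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample of the firewall-blocks report CSV (IP addr, # of blocks).
SAMPLE_CSV = """ip_addr,num_blocks
203.0.113.7,412
198.51.100.23,57
192.0.2.9,3
"""

# Constructed reputation values, standing in for the Active List entries
# passed by the rule action.
SAMPLE_REPUTATION = {"203.0.113.7": "known scanner", "198.51.100.23": "unknown"}

# Constructed (lat, lon) lookup; documentation-range IPs only.
SAMPLE_GEO = {"203.0.113.7": (52.37, 4.90), "198.51.100.23": (40.71, -74.01)}

KML_NS = "http://www.opengis.net/kml/2.2"


def parse_blocks_csv(text):
    """Return [(ip, count), ...] from the report CSV, skipping unusable rows."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        try:
            rows.append((rec["ip_addr"].strip(), int(rec["num_blocks"])))
        except (KeyError, ValueError, AttributeError):
            continue  # a malformed report row is dropped, not fatal to the map
    return rows


def build_kml(rows, reputation, geo):
    """Build a KML Document with one Placemark per IP that has coordinates.

    Returns (kml_text, placemarks_written), busiest IPs first.
    """
    ET.register_namespace("", KML_NS)  # emit KML as the default namespace
    kml = ET.Element(f"{{{KML_NS}}}kml")
    doc = ET.SubElement(kml, f"{{{KML_NS}}}Document")
    placed = 0
    for ip, count in sorted(rows, key=lambda r: -r[1]):
        if ip not in geo:
            continue  # no coordinates: nothing to draw for this IP
        lat, lon = geo[ip]
        pm = ET.SubElement(doc, f"{{{KML_NS}}}Placemark")
        ET.SubElement(pm, f"{{{KML_NS}}}name").text = ip
        ET.SubElement(pm, f"{{{KML_NS}}}description").text = (
            f"{count} blocks; reputation: {reputation.get(ip, 'none')}")
        pt = ET.SubElement(pm, f"{{{KML_NS}}}Point")
        ET.SubElement(pt, f"{{{KML_NS}}}coordinates").text = f"{lon},{lat},0"  # KML order: lon,lat,alt
        placed += 1
    return ET.tostring(kml, encoding="unicode"), placed
```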

GeoMaps Screen Shot

Sample ActionConnector Event

Use Case: AutoMailer

∗ Invocation
  ∗ Manually, via Integration Command
  ∗ Automatically, via rule action
∗ Parameters
  ∗ Event Information, including sourceUserName &/or destinationUserName
∗ ActionConnector runs automailer.py:
  ∗ Looks up sourceUserName/destinationUserName in ActiveDirectory
  ∗ Applies passed event information to appropriate email template
  ∗ Sends email to user copying manager and appropriate dept. support group
∗ Useful for:
  ∗ Malware infections
  ∗ Health events
  ∗ Minor policy violations
  ∗ ??

AutoMailer Sample Email

Other Use Cases

∗ IDM/Governance Policy Enforcement (I wrote this one)
  ∗ Invoked from rules detecting new privilege granted
  ∗ Calls IDM API to determine whether grant is allowed
    ∗ Is there an approved change request open?
  ∗ Parse results of call, which return to ActionConnector in their own event
  ∗ Trigger high-priority rule if violation detected
∗ Automatic Quarantine of Suspicious Devices
  ∗ Malware infection
  ∗ Host scans
∗ Customized WhoIs Integration Command
  ∗ Fetch IP information from multiple sites, format for Analyst use
∗ Other Ideas???

Thank you for attending! Don’t forget to provide your feedback!

For more information, contact:
George A. Boitano
617-524-0171
[email protected]
www.semplicityinc.com

© Copyright 2014 SEMplicity, Inc.


Please fill out a survey. Hand it to the door monitor on your way out.

Thank you for providing your feedback, which helps us enhance content for future events.

Session: TT3030
Speaker: George Boitano

Please give me your feedback


Thank you
