ActionConnector Magic - Hewlett Packard Enterprise
Post on 17-Jan-2022
© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
TT3030 - ActionConnector Magic
Prepared by George A. Boitano
617-524-0171
gboitano@semplicityinc.com
www.semplicityinc.com
© Copyright 2014 SEMplicity, Inc.
Please give me your feedback…
Session: TT3030
Speaker: George A. Boitano
Use the mobile app:
1. Access “My schedule”
2. Click on this session
3. Go to “Rate & review”
If the session is not on your schedule, access it via the session scheduler, click on it, and go to “Rate & review.”
Or use the hard copy surveys.
Thank you for providing your feedback, which helps HP enhance content for future events.
TurboTalk Objectives
∗ Focus on ActionConnector Use Cases for Automation:
  ∗ GeoMaps
  ∗ ShunStunner
  ∗ AutoMailer
  ∗ IDM/Governance Enforcement
∗ Limited technical information
∗ More detailed technical information in supplemental materials
∗ 5-10 Minutes for Q&A
Why Automate (part 1)?
Detecting true-positive events is only the start. Events must be handled appropriately. What could go wrong?
• Detected event missed
• Too many events to process
• Notified personnel absent or busy
• Standard Operating Procedures not found
• Wrong Standard Operating Procedure followed
• Human error in following procedures
• Communication errors
• Other event handling problems?
Why Automate (part 2)?
Repetitive Tasks are Bad!
• Loss of morale
• Increased human error
• Danger of missing more important events that really require human analysis and intervention
Human Beings are Expensive!
ActionConnector Lineage
∗ Originally designed to automate rule response:
  ∗ Connected to ArcSight Threat Response Manager (TRM) and Network Synergy Platform (NSP) Appliances,
  ∗ Blocked network traffic, deactivated nodes, etc.
∗ In 2012, renamed & generalized to support custom integrations
∗ Currently used by:
  ∗ ForeScout: Network Access Control,
  ∗ Mandiant: Threat Detection,
  ∗ CyberArk: APT Detection,
  ∗ NIKSUN: Network Monitoring,
  ∗ Aveksa: Identity Management & Data Governance (I wrote this one).
  ∗ Others?
ActionConnector Event Flow
[Diagram of the ActionConnector Host. Labelled elements: Rule Action; Integration Command Request and Integration Command Response; SmartConnector Commands + Parameters; SmartMessage Event; Action Connector (<appl>.counteract.properties); Executable + Arguments; Script/Program (Logic); Request and Response exchanged with the 3rd-Party Application; regex.X.sdkrfilereader.properties.]
ActionConnector Application Points
∗ Integration Commands:
  • Similar to Tools in functionality,
  • Available from Viewer and Editor,
  • Can extract fields from events, or use $selectedField,
  • Run on ActionConnector, not on Console workstation,
  • Return a text response in a viewer window,
  • Not Interactive,
  • Only text returned to Analyst.
∗ Rule Actions:
  • Invoked automatically from Rules under Actions,
  • All defined ActionConnectors and associated commands available,
  • Default ActionConnector script timeout: 5 minutes,
  • Can use event fields, local and global variables, velocity templates as command parameters,
  • Asynchronous - rule does not hang waiting for response,
  • Response not available to correlation rule that issued command…unless join rule.
Use Case: ShunStunner
∗ Correlation Rule
  ∗ Triggers on multiple repetitive firewall blocks for known malicious IP address.
∗ Integration Command
  ∗ Invoked from main channel, one row selected.
  ∗ Calls ShunStunner Command on ActionConnector,
  ∗ Passes Attacker IP Address.
∗ ActionConnector calls ShunStunner.py
  ∗ Validates that IP address is not internal,
  ∗ Connects to HPNA server via SOAP,
  ∗ Issues Shuns on ~30 firewalls for that IP.
∗ Validation via content built around shun firewall logs
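The "validates that IP address is not internal" step is the safety guard that keeps a rule or an analyst's click from pushing a block for your own address space to ~30 firewalls. The following is an added example of that guard, not the ShunStunner.py from the talk: it checks syntactic validity, IPv4-only (an assumption here), an organisation allowlist (the protected ranges and partner host are constructed), and the stdlib's private/special-purpose classification, then deduplicates a batch of candidates so one attacker seen in many rows costs one push per firewall, not many. The HPNA SOAP call itself is not shown; the main block prints what would be sent.

```python
import ipaddress
import sys

# Constructed for this example: ranges that must never be shunned regardless of
# what the correlation rule reports. Real values would come from configuration.
PROTECTED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),    # constructed: "our" public range
    ipaddress.ip_network("198.51.100.10/32"),  # constructed: partner VPN peer
]


def shun_decision(raw_ip, protected=PROTECTED_NETWORKS):
    """Decide whether a block for raw_ip may be pushed to the firewalls.

    Returns (allowed, reason). allowed is True only for a syntactically valid,
    globally routable IPv4 address outside every protected range.
    """
    try:
        ip = ipaddress.ip_address(raw_ip.strip())
    except ValueError:
        return False, "not a valid IP address"
    if ip.version != 4:
        return False, "only IPv4 shuns are supported"  # assumption for this example
    for net in protected:  # organisation allowlist is checked first
        if ip in net:
            return False, "address in protected range %s" % net
    if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast:
        return False, "internal or non-routable address"
    if not ip.is_global:  # e.g. shared address space, 100.64.0.0/10
        return False, "special-purpose address"
    return True, "external address"


def plan_shuns(raw_ips, protected=PROTECTED_NETWORKS):
    """Split candidate addresses (e.g. several selected rows) into the unique
    addresses that may be shunned and a map of rejected input -> reason."""
    accepted = []
    rejected = {}
    seen = set()
    for raw in raw_ips:
        allowed, reason = shun_decision(raw, protected)
        if not allowed:
            rejected[raw] = reason
            continue
        canonical = str(ipaddress.ip_address(raw.strip()))
        if canonical not in seen:
            seen.add(canonical)
            accepted.append(canonical)
    return accepted, rejected


if __name__ == "__main__":
    # The ActionConnector passes the attacker address(es) as arguments.
    ok, bad = plan_shuns(sys.argv[1:])
    for ip in ok:
        print("SHUN %s" % ip)          # the real script would call HPNA here
    for raw, why in bad.items():
        print("SKIP %r: %s" % (raw, why))
```

Because the command is not interactive and only text returns to the analyst, every rejection carries its reason so the viewer window shows why nothing was blocked.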
Use Case: GeoMaps
∗ Firewall Blocks Report
  ∗ Runs every 10 minutes, creates csv of firewall blocks: IP addr, # of blocks
∗ Correlation Rule
  ∗ Fires when report run based on report:101 internal event
  ∗ Rule action calls ActionConnector GeoMap command
  ∗ Passes IP, number of blocks, IP reputation (from Active List)
∗ ActionConnector runs csv2csv.py
  ∗ Reads latest csv file generated by report
  ∗ Creates KML file in manager web directory
∗ GeoMap invoked from any browser
  ∗ Web page served from Manager
  ∗ Calls Google Maps API, passing html and kml
∗ Thanks to Ray Cotten for design of Google Maps API solution
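The csv-to-KML step writes attacker-controlled strings (the IP, and whatever the reputation Active List holds) into a file served from the Manager and rendered by a map client. The following is an added example of that step, not the csv2csv.py from the talk: it parses the report csv (a constructed sample, including a malformed row), ranks by block count, and builds the KML with ElementTree. The csv column names, the reputation dictionary and the ip-to-coordinates table are all constructed stand-ins, since the talk does not say where coordinates come from. One point the slide does not make explicit: XML escaping alone is not enough, because KML viewers render the description element as HTML, so the text is HTML-escaped first and then XML-escaped by the serializer.

```python
import csv
import html
import io
import xml.etree.ElementTree as ET

KML_NS = "http://www.opengis.net/kml/2.2"

# Constructed stand-in for the report's csv (IP addr, # of blocks); the last
# row is deliberately malformed.
SAMPLE_CSV = """ipAddress,blocks
192.0.3.7,412
192.0.3.9,35
10.1.2.3,900
192.0.3.9,notanumber
"""

# Constructed stand-in for reputation values from the Active List; the first
# carries markup to show that it ends up inert in the map balloon.
SAMPLE_REPUTATION = {"192.0.3.7": "known scanner <b>high</b>", "192.0.3.9": "unknown"}

# Constructed stand-in for whatever geolocation source the real script uses:
# ip -> (latitude, longitude).
SAMPLE_GEO = {"192.0.3.7": (48.86, 2.35), "192.0.3.9": (35.68, 139.69)}


def safe_text(value, max_len=120):
    """HTML-escape and truncate an untrusted string. ElementTree will XML-escape
    it again on output, so after the XML parser runs the viewer sees &lt;b&gt;
    as literal text rather than a live <b> tag."""
    return html.escape(str(value), quote=True)[:max_len]


def read_blocks(csv_text):
    """Parse the report csv into [(ip, blocks)], skipping malformed rows."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            rows.append((row["ipAddress"].strip(), int(row["blocks"])))
        except (KeyError, TypeError, ValueError):
            continue  # one bad line must not abort the whole map
    return rows


def build_kml(rows, reputation, geo, top_n=100):
    """Return (kml_text, placemark_count) for the top_n most-blocked addresses
    that have coordinates."""
    rows = sorted(rows, key=lambda r: r[1], reverse=True)[:top_n]
    kml = ET.Element("kml", xmlns=KML_NS)
    doc = ET.SubElement(kml, "Document")
    count = 0
    for ip, blocks in rows:
        if ip not in geo:
            continue  # nothing to plot without coordinates
        lat, lon = geo[ip]
        pm = ET.SubElement(doc, "Placemark")
        ET.SubElement(pm, "name").text = safe_text(ip)
        ET.SubElement(pm, "description").text = "%d blocks; reputation: %s" % (
            blocks, safe_text(reputation.get(ip, "unknown")))
        point = ET.SubElement(pm, "Point")
        # KML coordinate order is longitude,latitude,altitude
        ET.SubElement(point, "coordinates").text = "%.4f,%.4f,0" % (lon, lat)
        count += 1
    return ET.tostring(kml, encoding="unicode"), count


def csv2kml(csv_text=SAMPLE_CSV, reputation=SAMPLE_REPUTATION, geo=SAMPLE_GEO):
    return build_kml(read_blocks(csv_text), reputation, geo)


if __name__ == "__main__":
    text, placed = csv2kml()
    print(text)  # the real script would write this into the manager web directory
```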
Use Case: AutoMailer
∗ Invocation
  ∗ Manually, via Integration Command
  ∗ Automatically, via rule action
∗ Parameters
  ∗ Event Information, including sourceUserName &/or destinationUserName
∗ ActionConnector runs automailer.py:
  ∗ Looks up sourceUserName/destinationUserName in ActiveDirectory
  ∗ Applies passed event information to appropriate email template
  ∗ Sends email to user copying manager and appropriate dept. support group
∗ Useful for:
  ∗ Malware infections
  ∗ Health events
  ∗ Minor policy violations
  ∗ ??
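The three automailer steps (directory lookup, template fill, recipient assembly) are shown below as an added example, not the automailer.py from the talk. The directory, support-group table, templates and sender address are constructed stand-ins; an LDAP query against Active Directory would replace the dictionary. Two choices worth copying: a missing event field raises instead of mailing a user a body with a bare "$hostname" in it, and the message is built as an EmailMessage and returned rather than sent, so it can be inspected in a dry run before smtplib ever sees it.

```python
from email.message import EmailMessage
from string import Template

SECURITY_SENDER = "soc@example.com"  # constructed

# Constructed stand-in for the Active Directory lookup: account -> attributes.
DIRECTORY = {
    "jdoe":   {"mail": "jdoe@example.com",   "manager": "msmith", "department": "Finance"},
    "msmith": {"mail": "msmith@example.com", "manager": None,     "department": "Finance"},
}
# Constructed: department -> support group mailbox.
SUPPORT_GROUPS = {"Finance": "finance-support@example.com"}

# Constructed templates, one per event kind; $fields are filled from the event.
TEMPLATES = {
    "malware": Template(
        "Hello $user,\n\nOn $timestamp the host $hostname assigned to you was "
        "flagged for malware ($name). Please disconnect it from the network "
        "and contact your support group.\n"),
    "policy": Template(
        "Hello $user,\n\nAt $timestamp an action from $hostname violated "
        "policy: $name. Please review the acceptable-use policy.\n"),
}


def pick_user(event):
    """Which account the mail concerns. Assumption for this example: the
    destination user is preferred when the event carries both names."""
    user = event.get("destinationUserName") or event.get("sourceUserName")
    if not user:
        raise ValueError("event carries no user name")
    return user.lower()


def resolve_recipients(user, directory=DIRECTORY, support_groups=SUPPORT_GROUPS):
    """Return (to, cc): the user, their manager if any, and the department's
    support group if one is configured."""
    entry = directory.get(user)
    if entry is None:
        raise LookupError("user %r not found in directory" % user)
    cc = []
    manager = directory.get(entry["manager"]) if entry["manager"] else None
    if manager:
        cc.append(manager["mail"])
    group = support_groups.get(entry["department"])
    if group:
        cc.append(group)
    return entry["mail"], cc


def build_mail(kind, event, directory=DIRECTORY, support_groups=SUPPORT_GROUPS):
    """Render the template for `kind` with the event fields and return an
    EmailMessage ready for smtplib. Template.substitute (not safe_substitute)
    is used on purpose: a missing event field raises KeyError."""
    user = pick_user(event)
    to, cc = resolve_recipients(user, directory, support_groups)
    body = TEMPLATES[kind].substitute(event, user=user)
    msg = EmailMessage()
    msg["From"] = SECURITY_SENDER
    msg["To"] = to
    if cc:
        msg["Cc"] = ", ".join(cc)
    msg["Subject"] = "[Security] %s notice for %s" % (kind, user)
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    # Constructed event fields as a rule action might pass them.
    sample = {"sourceUserName": "JDoe", "hostname": "WS-1234",
              "timestamp": "2014-09-08 10:15", "name": "Trojan.Generic"}
    print(build_mail("malware", sample).as_string())
    # To actually send: smtplib.SMTP(host).send_message(msg)
```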
Other Use Cases
∗ IDM/Governance Policy Enforcement (I wrote this one)
  ∗ Invoked from rules detecting new privilege granted
  ∗ Calls IDM API to determine whether grant is allowed
    ∗ Is there an approved change request open?
  ∗ Parse results of call, which return to ActionConnector in their own event
  ∗ Trigger high-priority rule if violation detected
∗ Automatic Quarantine of Suspicious Devices
  ∗ Malware infection
  ∗ Host scans
∗ Customized WhoIs Integration Command
  ∗ Fetch IP information from multiple sites, format for Analyst use
∗ Other Ideas???
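The governance decision in the IDM use case ("is there an approved change request open?") comes down to matching a grant against change requests on user, entitlement, status and time window, and saying why when nothing matches. Below is an added example of that logic, not the author's integration: the change-request records stand in for what the IDM API would return and are constructed, and the key=value result line is an assumed layout for the event the result comes back in, not the talk's actual file-reader configuration. The reason field is deliberately specific (pending versus expired versus absent) so the high-priority rule and the analyst reading it can tell a paperwork lag from a grant nobody asked for.

```python
from datetime import datetime

# Constructed stand-in for the IDM API response: change requests on file.
SAMPLE_CHANGE_REQUESTS = [
    {"id": "CR-1001", "user": "jdoe", "entitlement": "DomainAdmins",
     "status": "approved", "start": "2014-09-08T08:00:00", "end": "2014-09-08T18:00:00"},
    {"id": "CR-1002", "user": "jdoe", "entitlement": "BackupOperators",
     "status": "pending", "start": "2014-09-08T08:00:00", "end": "2014-09-09T18:00:00"},
]

TS_FORMAT = "%Y-%m-%dT%H:%M:%S"


def parse_ts(text):
    return datetime.strptime(text, TS_FORMAT)


def matching_requests(grant, requests):
    """All change requests for the same user and entitlement, any status."""
    return [cr for cr in requests
            if cr["user"].lower() == grant["user"].lower()
            and cr["entitlement"] == grant["entitlement"]]


def evaluate_grant(grant, requests=SAMPLE_CHANGE_REQUESTS):
    """Classify a privilege grant: verdict 'authorised' or 'violation', a reason,
    and the change request that decided it (None if there was none)."""
    when = parse_ts(grant["time"])
    candidates = matching_requests(grant, requests)
    # An approved request whose window covers the grant time authorises it.
    for cr in candidates:
        if cr["status"] == "approved" and parse_ts(cr["start"]) <= when <= parse_ts(cr["end"]):
            return {"verdict": "authorised", "reason": "covered by approved request",
                    "changeRequest": cr["id"]}
    # Otherwise explain the violation, most specific reason first.
    for cr in candidates:
        if cr["status"] == "approved":
            return {"verdict": "violation",
                    "reason": "approved request %s not in effect at grant time" % cr["id"],
                    "changeRequest": cr["id"]}
    if candidates:
        cr = candidates[0]
        return {"verdict": "violation",
                "reason": "request %s is %s, not approved" % (cr["id"], cr["status"]),
                "changeRequest": cr["id"]}
    return {"verdict": "violation", "reason": "no change request found", "changeRequest": None}


def format_result(grant, result):
    """One key=value line: an assumed layout for the result event."""
    fields = {"user": grant["user"], "entitlement": grant["entitlement"],
              "grantTime": grant["time"]}
    fields.update(result)
    return " ".join("%s=%s" % (k, v) for k, v in fields.items())


if __name__ == "__main__":
    # Constructed grant as the rule would report it.
    grant = {"user": "JDoe", "entitlement": "DomainAdmins", "time": "2014-09-08T19:00:00"}
    print(format_result(grant, evaluate_grant(grant)))
```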
Thank you for attending! Don’t forget to provide your feedback!
For more information, contact:
George A. Boitano
617-524-0171
gboitano@semplicityinc.com
www.semplicityinc.com
Please fill out a survey. Hand it to the door monitor on your way out.
Thank you for providing your feedback, which helps us enhance content for future events.
Thank you