Watchguard HawkEye G User guide

User Guide, Release 4.0.1
HawkEye G Team ([email protected])
Release 4.0.1
Copyright © WatchGuard Technologies 2016. All rights reserved.
This document is for informational purposes only. WatchGuard makes no warranties, expressed or implied, as to the information in this document. The names of any companies and products referenced may represent trademarks that are herein property of their respective owners.
Revision History

Date Version Description

7/8/2016 4.0.1 (rev-3)
Updated for release 4.0.1
Added Host Ransomware Prevention information
Updated screenshots

4/1/2016 4.0 (rev-2)
Updated for release 4.0
Updated screenshots
Added Lastline information

10/31/2015 3.2 (rev-1)
New unresolved indicator display.
Audit log updates (added/deleted/edited) to include: email addresses, event forwarding, authentication, passwords (without showing the actual password), Wildfire configuration, threat feed - file, threat feed - network, exclusion list, whitelist, manual changes to devices, BotTrap, HGNS, Domain, Credentials, and adding/removing devices from groups.
Edit changes now show old and new values, as well as in the audit logs for multi-field entries.
Surveys are now entered in the user's browser time zone. Only one survey per day can be entered for each survey.
Device/Host page now has the Installed State selected in the column filter.
Search Filter in Incident page does not search for the Host or IP. That search is now done in the Host/IP column heading.
The baseline survey can now be viewed from the link on the Threat Sync/Incidents page.
Navigation sub-menus now remain open until the user closes them, even if the user selects a new menu item.
Bulk actions on a device's indicators on the Incident page are now limited to the last 25 by date/time.
Selecting a device on the Incidents page will now open a new Host window page with that device selected in the Host filter.
Additional Information for an indicator will now show if additional hosts have seen this indicator.
The underlying data in the Health page is recalculated every 2 minutes regardless of the refresh rate for the display.
Clicking on the Dashboard infections will open the Indicators page with the associated score filter set.
Clicking on the Dashboard remediations will open the Indicators page with the associated filters set (Score, Action requested, and User).
A device can only belong to one (1) HawkEye G group.
The event forwarding message format can now select between CEF and CSKV.
The user now has the ability to override, for a selected group, the Global Host Sensor settings defined by the administrator.
Reworded heuristics labeling.
There is a new Dashboard display for Unresolved Indicators that is a timeline of unremediated indicators, the dates they were observed, and the volume of indicators.
Dashboard Medium/Low infections now include Indicators with scores of 5, 4, 3 and do not include 2.
Running a survey no longer requires a password confirmation.
Create Devices when Unknown hosts heartbeat.
Added Red Hat survey templates.

9/14/2015 3.1.1 (rev-0)
Changed the symbols and to Yes and No, respectively, in column data.
The Administrator can now specify a group's full distinguished name (DN) to designate role mappings.
Table of Contents

1. HawkEye G 18
1.1 Introduction 18
1.2 What is HawkEye G? 19
1.2.1 Features 19
1.2.2 Operational Principles 19
1.3 Components 21
1.3.1 Host 21
1.3.2 Interface 21
1.3.3 Communicator 21
1.3.4 Decrypter 21
1.3.5 Event Data Warehouse (EDW) 21
1.3.6 Analytics Engine 21
1.3.7 Rules Engine 22
1.3.8 Host Sensor Manager (HSM) 22
1.3.9 Hawkeye G Network Sensor (HGNS) 22
1.3.10 BotTrap 22
1.3.11 Database 22
1.3.12 Host Sensors 22
1.3.13 HawkEye G ThreatSync™ Integration with FireEye and Palo Alto Networks 23
2. HawkEye G User Interface 24
2.1 Introduction 24
2.2 HawkEye G Web Interface 24
2.2.1 Navigation Pane 25
2.2.2 User Pane 27
2.2.3 View Pane 27
2.3 HawkEye G General Controls 27
2.3.1 Login 27
2.3.2 Logout 28
2.3.3 Change User Settings 29
2.3.4 Forgotten Password 31
2.3.5 System Busy 34
2.3.6 CYBERCON Level 34
2.3.6.1 Changing CYBERCON Levels 35
2.3.6.2 CYBERCON Levels Defined 36
2.3.7 Display Features 36
2.3.7.1 Filtering by Provided Buttons 37
2.3.7.2 List Pagination 38
2.3.7.3 Search 39
2.3.7.4 Unicode and Foreign Language Sets 42
2.3.7.5 Expand for Details 43
2.3.8 Edit/Change Confirmation 44
3. User Roles 45
3.1 Administrator Role 45
3.1.1 Reports 46
3.1.2 Users 46
3.1.2.1 Add a User 46
3.1.2.2 Delete a User 47
3.1.2.3 Modify a User 48
3.1.3 Settings 49
3.1.3.1 Analytics 49
3.1.3.2 Authentication 51
3.1.3.3 Email Alerts 52
3.1.3.4 Event Forwarding 54
3.1.3.4.1 Add a Server 54
3.1.3.4.2 Delete a Server 56
3.1.3.4.3 Modify a Server 56
3.1.3.5 General 57
3.1.3.5.1 ThreatSync Settings 58
3.1.3.5.2 Action Backoff Settings 58
3.1.3.5.3 Survey Settings 58
3.1.3.5.4 Address Check Interval 58
3.1.3.5.5 Active Directory Settings 58
3.1.3.6 Host Sensor 58
3.1.3.6.1 Host Sensor Settings 58
3.1.3.6.2 Host Sensor Drive Configuration Setting 59
3.1.3.6.3 Survey Size Limits 59
3.1.3.6.4 Host Sensor Settings 59
3.1.3.7 Host Sensor Manager 59
3.1.3.8 Lastline 61
3.1.3.9 Manager 61
3.1.3.10 Network 62
3.1.3.11 Proxy 65
3.1.3.12 Threat Feed 65
3.1.3.13 Wildfire 66
3.1.4 System 66
3.1.4.1 Purge Audit Log Data 66
3.1.4.2 Factory Reset 67
3.1.4.3 Reboot 68
3.1.4.4 Shut Down 69
3.2 Analyst 69
3.3 Observer 71
3.4 Operator 72
3.4.1 Dashboard 73
3.4.2 ThreatSync 80
3.4.2.1 Incidents 80
3.4.2.2 Indicators 80
3.4.2.3 Policy 80
3.4.2.3.1 Add a New Policy 81
3.4.2.3.2 Edit a Policy 85
3.4.2.3.3 Duplicate a Policy 85
3.4.2.3.4 Filter Adjustment 86
3.4.2.3.5 Delete a Policy 86
3.4.2.4 Whitelist 87
3.4.2.5 Exclusions 90
3.4.2.6 Network Events 92
3.4.2.6.1 Display 92
3.4.2.6.2 HGNS Actions 94
3.4.2.7 Search 95
3.4.3 Reports 96
3.4.4 Devices 97
3.4.4.1 Hosts 97
3.4.4.1.1 Host Sensor Column Headings 98
3.4.4.1.2 Edit a Device 106
3.4.4.1.3 Remove a Device 107
3.4.4.1.4 Clear a Device 108
3.4.4.1.5 Add a new Device 108
3.4.4.1.6 Manually Download Host Sensor 109
3.4.4.2 Survey History 110
3.4.4.3 Survey Schedules 113
3.4.4.3.1 Schedule a Survey 114
3.4.4.3.2 Modify a Survey 117
3.4.4.3.3 Delete a Survey 117
3.4.4.4 Survey Templates 118
3.4.4.4.1 Default Surveys 118
3.4.4.4.2 Add New Survey Template 134
3.4.4.4.3 Edit Nondefault Survey Template 138
3.4.4.4.4 Delete Nondefault Survey Template 138
3.4.4.5 Network Sensor 138
3.4.4.6 BotTrap 142
3.4.5 Configuration 143
3.4.5.1 Accounts 143
3.4.5.1.1 Edit an Account 144
3.4.5.1.2 Remove an Account 145
3.4.5.1.3 Add an Account Manually 145
3.4.5.2 Credentials 146
3.4.5.2.1 Edit Credentials 146
3.4.5.2.2 Delete Credentials 147
3.4.5.2.3 Add Credentials 147
3.4.5.2.4 Assign Assets to the Credential 148
3.4.5.2.5 Remove Assets from an assigned Credential 148
3.4.5.2.6 Devices with Credentials 149
3.4.5.2.7 Devices without Credentials 149
3.4.5.3 Domain 149
3.4.5.3.1 Edit a Domain 150
3.4.5.3.2 Remove a Domain 150
3.4.5.3.3 Add a Domain 151
3.4.5.4 Groups 152
3.4.5.4.1 Add a Group 155
3.4.5.4.2 Edit a Group 156
3.4.5.4.3 Remove a Group 157
3.4.5.4.4 Sync and Unsync Groups 158
3.4.5.5 Host Sensor Configuration 159
3.4.5.6 Threat List - File 161
3.4.5.6.1 Add MD5 Threat 161
3.4.5.6.2 Import MD5 Threats 162
3.4.5.6.3 View MD5 Threat Details 163
3.4.5.6.4 Remove MD5 Threat 163
3.4.5.6.5 Whitelist MD5 Threat 163
3.4.5.6.6 Readd MD5 Threat 164
3.4.5.7 Threat List - Network 165
3.4.5.7.1 Add a Threat 166
3.4.5.7.2 View Network Threat 167
3.4.5.7.3 White List Network Threat 167
3.4.5.7.4 Readd Network Threat 168
3.4.5.7.5 Build Threat Feed 168
3.4.6 System 169
3.4.6.1 Audit Log 169
3.4.6.2 Health 170
4. ThreatSync Incidents 172
4.1 Incident Bulk Actions 180
4.2 Incident Column Headings 181
4.3 Incident Detail Column Headings 184
4.4 Incident Details Additional Info 187
4.4.1 Host Ransomware Prevention Additional Info Prevent Mode 191
4.4.2 Host Ransomware Prevention Additional Info Detect Mode 192
5. ThreatSync Indicators 194
5.1 Indicator Sorting Headings 195
5.2 Indicator Bulk Actions 203
5.3 Export Indicators 206
5.4 Indicator Bar Chart 206
5.5 Indicator Pie Chart 209
5.6 Indicator Stacked Time Series 210
6. Content Extraction 211
6.1 Configuration Requirements 211
6.2 User Interface Configuration for Content Extraction 211
6.2.1 Configure Lastline API Settings 212
6.2.2 Configure Network Sensor Configuration and Policy for Content Extraction 213
6.2.2.1 Configuring DNS Servers to be Used by the Network Sensor 213
6.2.2.2 Configuring (optional) HTTP Proxy to be Used by the Network Sensor 214
6.2.2.3 Configuring Content Extraction Policy on the Network Sensor 216
6.3 Network Sensor Configuration for Content Extraction 218
6.3.1 Determining Presence of Default Gateway 218
6.3.2 Configuring a Default Gateway 218
6.4 Validating the Network Sensor Configuration 220
6.4.1 Confirm Network Sensor Able to Access DNS Resolvers 220
6.4.2 Confirm Network Sensor Able to Access Third Party Malware Analysis System 221
7. Supported Operating Systems 222
8. Glossary 223
9. Appendix A Open Source 225
List of Figures
Figure 1: HawkEye G Component Diagram ................................................................................ 20
Figure 2: HawkEye G Web Interface .......................................................................................... 25
Figure 3: HawkEye G Operator default page with pane collapsed ............................................. 26
Figure 4: ThreatSync Section expanded ..................................................................................... 26
Figure 5: Navigation pane with 2 sub-menu lists open ............................................................... 26
Figure 6: User Pane details ........................................................................................................ 27
Figure 7: User Login page .......................................................................................................... 28
Figure 8: User Logout page ........................................................................................................ 28
Figure 9: User Interface details ................................................................................................... 29
Figure 10: User Settings page .................................................................................................... 29
Figure 11: Unsaved Changes prompt ......................................................................................... 30
Figure 12: Login Screen .............................................................................................................. 31
Figure 13: Forgot Password Email Confirmation Screen ............................................................ 31
Figure 14: Forgot Password Reset page .................................................................................... 32
Figure 15: Password Reset Confirmation Email Example .......................................................... 32
Figure 16: New Password Screen .............................................................................................. 33
Figure 17: Login page with password reset confirmation message ............................................ 33
Figure 18: System Busy Icon ...................................................................................................... 34
Figure 19: User pane details ....................................................................................................... 34
Figure 20: Changing CYBERCON Level .................................................................................... 35
Figure 21: CYBERCON Level Change Confirmation .................................................................. 35
Figure 22: Display Filter Selection Example ............................................................................... 37
Figure 23: Information box example ........................................................................................... 37
Figure 24: Incident Filter buttons with “Last 7 days” range applied............................................. 37
Figure 25: Incident Filter buttons after Reset .............................................................................. 37
Figure 26: Pagination Example ................................................................................................... 38
Figure 27: Drop-down list of pages ............................................................................................. 38
Figure 28: Number of Items per page selections ........................................................................ 39
Figure 29: All Incidents ............................................................................................................... 40
Figure 30: Incident Results with “th-win” filter ............................................................................. 40
Figure 31: Partial MD5 Hash filter ............................................................................................... 41
Figure 32: Process List displaying Foreign Data Set .................................................................. 42
Figure 33: Incidents list at the device level ................................................................................. 43
Figure 34: Incidents list details for a specific device ................................................................... 43
Figure 35: Edit/Change Confirmation display ............................................................................. 44
Figure 36: Administrator Default Screen ..................................................................................... 45
Figure 37: Add User Example Screen ........................................................................................ 46
Figure 38: User drop-down menu for Remove User ................................................................... 47
Figure 39: User Deletion Confirmation Screen ........................................................................... 47
Figure 40: User Modification Screen ........................................................................................... 48
Figure 41: Change Password Screen ......................................................................................... 49
Figure 42: Analytics view pane ................................................................................................... 50
Figure 43: Change Confirmation Window ................................................................................... 50
Figure 44: Microsoft Active Directory Authentication window ..................................................... 51
Figure 45: Admin settings for email alerts ................................................................................... 53
Figure 46: Send Test Email window ........................................................................................... 53
Figure 47: Representative Email Alert ........................................................................................ 53
Figure 48: Event Forwarding Window ......................................................................................... 54
Figure 49: Add Server Example Screen ..................................................................................... 54
Figure 50: Event Forwarding Facility List .................................................................................... 55
Figure 51: Event Forwarding Message Type List ....................................................................... 55
Figure 52: User drop-down menu for Remove Server ................................................................ 56
Figure 53: Server Deletion Confirmation Screen ........................................................................ 56
Figure 54: Server Modification Screen ........................................................................................ 56
Figure 55: General view pane (top half) ...................................................................................... 57
Figure 56: General view pane (bottom half) ................................................................................ 57
Figure 57: Host Sensor view pane (top half) ............................................................................... 60
Figure 58: Host Sensor view pane (bottom half) ......................................................................... 60
Figure 59: Lastline view pane ..................................................................................................... 61
Figure 60: Manager View pane (top half) .................................................................................... 62
Figure 61: Manager View pane (bottom half) .............................................................................. 62
Figure 62: Network view pane (top half) ..................................................................................... 63
Figure 63: Network view pane (bottom half) ............................................................................... 63
Figure 64: Duplicate IP address error message ......................................................................... 64
Figure 65: Proxy view pane ........................................................................................................ 65
Figure 66: Threat Feed View Pane ............................................................................................. 65
Figure 67: Wildfire Settings view pane ........................................................................................ 66
Figure 68: Administrator Audit Log view pane ............................................................................ 67
Figure 69: Administrator System/Health view pane .................................................................... 67
Figure 70: First Factory Reset Confirmation ............................................................................... 68
Figure 71: Second Factory Reset Confirmation .......................................................................... 68
Figure 72: HawkEye G Reboot confirmation ............................................................................... 68
Figure 73: Reboot Warning Banner ............................................................................................ 69
Figure 74: Analyst Screen ........................................................................................................... 70
Figure 75: Observer Default Screen ........................................................................................... 71
Figure 76: Operator Dashboard Screen ...................................................................................... 72
Figure 77: Dashboard View Pane ............................................................................................... 73
Figure 78: ThreatSync Incidents page with Critical Score (10,9,8) filters applied ....................... 74
Figure 79: ThreatSync Incidents Page with Automated specific filters applied ........................... 74
Figure 80: ThreatSync/Network Events page .............................................................................. 75
Figure 81: Devices/Hosts page ................................................................................................... 76
Figure 82: Unresolved Indicators timeline ................................................................................... 77
Figure 83: Unresolved Indicator Details ...................................................................................... 77
Figure 84: Zoom in on Unresolved Indicator Timeline ................................................................ 77
Figure 85: Zoomed results of Timeline ....................................................................................... 77
Figure 86: Indicator Page for Bubble .......................................................................................... 78
Figure 87: Dashboard Top Host Indicators ................................................................................. 79
Figure 88: ThreatSync Incident page .......................................................................................... 80
Figure 89: Manage Policy View Pane ......................................................................................... 81
Figure 90: Add Policy View Pane ................................................................................................ 82
Figure 91: Threshold Cybercon information ................................................................................ 82
Figure 92: Threshold Score information ...................................................................................... 83
Figure 93: Threat Score Settings ................................................................................................ 83
Figure 94: Edit Policy View Pane ................................................................................................ 85
Figure 95: Policy Duplication Example ....................................................................................... 85
Figure 96: Policy View Pane filter selection ................................................................................ 86
Figure 97: Deleting Policy Confirmation Screen ......................................................................... 86
Figure 98: Whitelist screen ......................................................................................................... 87
Figure 99: Mitigation Whitelist ..................................................................................................... 87
Figure 100: Add Mitigation Whitelist ........................................................................................... 88
Figure 101: Whitelist detail example ........................................................................................... 88
Figure 102: Mitigation Whitelist “Inspect” menu .......................................................................... 89
Figure 103: Edit Mitigation Whitelist screen ................................................................................ 89
Figure 104: Remove Mitigation Whitelist confirmation dialog ..................................................... 89
Figure 105: Exclusion screen ...................................................................................................... 90
Figure 106: Add Exclusion item .................................................................................................. 91
Figure 107: Exclusion detail example ......................................................................................... 91
Figure 108: Exclusion “Inspect” menu ........................................................................................ 92
Figure 109: Remove Exclusion confirmation dialog .................................................................... 92
Figure 110: Network Events default view pane ........................................................................... 93
Figure 111: Network Events view pane with date range ............................................................. 93
Figure 112: Network Event Detail Example ................................................................................ 94
Figure 113: Network Events Action Descriptions ........................................................................ 94
Figure 114: Threat Search View Pane ........................................................................................ 95
Figure 115: Threat Search Example ........................................................................................... 95
Figure 116: Reports view ............................................................................................................ 96
Figure 117: Report is being generated ....................................................................................... 96
Figure 118: Report is ready to view ............................................................................................ 96
Figure 119: Hosts Default Window ............................................................................................. 97
Figure 120: Device Synced confirmation .................................................................................... 97
Figure 121: Hosts View Pane with “th-win” Search filter applied ................................................ 99
Figure 122: Hosts View Pane with "Installed" filter applied ....................................................... 100
Figure 123: Install Host Sensor example .................................................................................. 101
Figure 124: Remove Host Sensor example .............................................................................. 101
Figure 125: Multiple Device Host Sensor example ................................................................... 102
Figure 126: Device Detail Screen with Surveys tab selected ................................................... 102
Figure 127: Device Detail tabs .................................................................................................. 102
Figure 128: All Surveys for Device ............................................................................................ 103
Figure 129: Survey Details for Selected Target ........................................................................ 104
Figure 130: Failed Survey Warning tab .................................................................................... 104
Figure 131: Baseline Survey Results screen ............................................................................ 105
Figure 132: Baseline Survey results if no Host Sensor installed .............................................. 105
Figure 133: Device Detail Screen with IP History tab selected ................................................. 106
Figure 134: Device Detail Screen with Sensor tab selected ..................................................... 106
Figure 135: Device Action Drop-down List ................................................................................ 107
Figure 136: Edit Device Screen ................................................................................................ 107
Figure 137: Confirmation Delete Screen ................................................................................... 107
Figure 138: Add Device Screen ................................................................................................ 108
Figure 139: Host Sensor Download window ............................................................................. 109
Figure 140: Host Sensor Download confirmation ..................................................................... 109
Figure 141: Survey History View Pane ..................................................................................... 110
Figure 142: Survey Type Filter Example ................................................................................... 110
Figure 143: Survey Details Window .......................................................................................... 111
Figure 144: Survey Details ........................................................................................................ 111
Figure 145: Run Survey form .................................................................................................... 112
Figure 146: Survey Limit Example ............................................................................................ 112
Figure 147: Device Details for Limited Survey Data – Warnings tab ........................................ 113
Figure 148: Survey Schedules View Pane ................................................................................ 113
Figure 149: Schedule Survey Screen ....................................................................................... 114
Figure 150: Edit Scheduled Survey Screen .............................................................................. 117
Figure 151: Delete Survey Confirmation Screen ...................................................................... 117
Figure 152: Quick Survey Example .......................................................................................... 118
Figure 153: Quick Survey Incident Example ............................................................................. 118
Figure 154: Quick Survey Results Example ............................................................................. 119
Figure 155: Quick Survey Process Details ............................................................................... 119
Figure 156: Basic Dynamic Survey Example ............................................................................ 120
Figure 157: Basic Dynamic Survey Incident Example .............................................................. 120
Figure 158: Basic Dynamic Survey Details ............................................................................... 121
Figure 159: Basic Dynamic Survey Network Address Detail Example ..................................... 121
Figure 160: Basic Forensic Survey Example ............................................................................ 122
Figure 161: Basic Forensic Survey Incident Example .............................................................. 122
Figure 162: Basic Forensic Survey Results Example ............................................................... 123
Figure 163: Basic Forensic Survey File Detail Example ........................................................... 123
Figure 164: Advanced Forensic Survey Example ..................................................................... 124
Figure 165: Advanced Forensic Survey Incident Example ....................................................... 124
Figure 166: Advanced Forensic Survey Incident Example details ............................................ 125
Figure 167: Advanced Forensic Survey Registry Detail Example ............................................ 125
Figure 168: Red Hat Quick Survey Example ............................................................................ 126
Figure 169: Red Hat Quick Survey Incident Example ............................................................... 126
Figure 170: Red Hat Quick Survey Results Example ............................................................... 127
Figure 171: Red Hat Quick Survey Process Details ................................................................. 127
Figure 172: Red Hat Basic Dynamic Survey Example .............................................................. 128
Figure 173: Red Hat Basic Dynamic Survey Incident Example ................................................ 128
Figure 174: Red Hat Basic Dynamic Survey Details ................................................................. 129
Figure 175: Red Hat Basic Dynamic Survey Network Address Detail Example ....................... 129
Figure 176: Red Hat Basic Forensic Survey Example .............................................................. 130
Figure 177: Red Hat Basic Forensic Survey Incident Example ................................................ 130
Figure 178: Red Hat Basic Forensic Survey Results Example ................................................. 131
Figure 179: Red Hat Basic Forensic Survey File Detail Example ............................................. 131
Figure 180: Red Hat Advanced Forensic Survey Example ....................................................... 132
Figure 181: Red Hat Advanced Forensic Survey Incident Example ......................................... 132
Figure 182: Red Hat Advanced Forensic Survey Incident Example details .............................. 133
Figure 183: Red Hat Advanced Forensic Survey Process Detail Example............................... 133
Figure 184: Survey Templates View Pane ................................................................................ 134
Figure 185: Add Template screen #1 ........................................................................................ 135
Figure 186: Add Template screen #2 ........................................................................................ 135
Figure 187: Walk Directory “Quick Add” drop-down menu ....................................................... 136
Figure 188: Walk Directory walk depth drop-down list .............................................................. 136
Figure 189: Add Template screen #3 ........................................................................................ 137
Figure 190: Add Template screen #4 – Template Summary .................................................... 137
Figure 191: Network Sensor View Pane – CYBERCON levels ................................................ 138
Figure 192: Network Sensor detail tabs .................................................................................... 139
Figure 193: Network Sensor Policy tab ..................................................................................... 139
Figure 194: Network Sensor Configuration tab ......................................................................... 140
Figure 195: HGNS In-Line change error message ................................................................... 141
Figure 196: Network Sensor Content Extraction tab ................................................................. 141
Figure 197: Network Sensor Statistics tab ................................................................................ 142
Figure 198: BotTrap Policy view pane ...................................................................................... 142
Figure 199: Accounts View Pane .............................................................................................. 143
Figure 200: Refresh Accounts button ....................................................................................... 144
Figure 201: Account Details window ......................................................................................... 144
Figure 202: Account Delete Confirmation ................................................................................. 145
Figure 203: Add Account Screen .............................................................................................. 145
Figure 204: Credentials View Pane .......................................................................................... 146
Figure 205: Credential Detail Screen ........................................................................................ 146
Figure 206: Delete Administrator Confirmation ......................................................................... 147
Figure 207: Add Credentials Screen ......................................................................................... 147
Figure 208: Credential Asset Example ..................................................................................... 148
Figure 209: Remove Credentials Screen .................................................................................. 148
Figure 210: Domain View Pane ................................................................................................ 149
Figure 211: Edit Domain View Pane ......................................................................................... 150
Figure 212: Remove Domain Confirmation ............................................................................... 150
Figure 213: Add Domain Screen ............................................................................................... 151
Figure 214: Groups View Pane ................................................................................................. 152
Figure 215: Group Host Sensor tab .......................................................................................... 153
Figure 216: Group Host Sensor Configuration tab .................................................................... 154
Figure 217: Add Group Screen, Accounts type ........................................................................ 155
Figure 218: Add Group Screen, IP Subnet type ....................................................................... 155
Figure 219: Add Group Screen, Device type ............................................................................ 156
Figure 220: Edit Group Screen for Accounts ............................................................................ 156
Figure 221: Edit Group Screen for IP subnet ............................................................................ 157
Figure 222: Delete Group Confirmation Screen ........................................................................ 157
Figure 223: Sync Group Icon .................................................................................................... 158
Figure 224: Sync Group Confirmation ...................................................................................... 158
Figure 225: Unsync Group ........................................................................................................ 158
Figure 226: Unsync Group Confirmation .................................................................................. 158
Figure 227: Refresh Data and Icon ........................................................................................... 159
Figure 228: Host Sensor Configuration ..................................................................................... 159
Figure 229: Host Sensor Download confirmation ..................................................................... 160
Figure 230: Age Off for Quarantined Files Information window ................................................ 160
Figure 231: Age Off for Quarantined Files Drop down list ........................................................ 160
Figure 232: MD5 Threat List View Pane ................................................................................... 161
Figure 233: Add MD5 Threat Window ....................................................................................... 162
Figure 234: Import MD5 Threats window .................................................................................. 162
Figure 235: MD5 Threat Details ................................................................................................ 163
Figure 236: MD5 Threat Removal Confirmation ....................................................................... 163
Figure 237: MD5 Whitelist Threat Confirmation ........................................................................ 163
Figure 238: Whitelist (Inactive) MD5 Threat example ............................................................... 164
Figure 239: Re-add MD5 Threat Confirmation .......................................................................... 164
Figure 240: Manage Threat List – Network View Pane ............................................................ 165
Figure 241: Add Threat Window ............................................................................................... 166
Figure 242: Add Threat Type Selections .................................................................................. 167
Figure 243: Active Threat Detail View ....................................................................................... 167
Figure 244: Inactive Threat Detail View .................................................................................... 167
Figure 245: Network Threat Whitelist example ......................................................................... 167
Figure 246: Whitelist Network Threat Confirmation window ..................................................... 168
Figure 247: Network Threat Re-Add example .......................................................................... 168
Figure 248: Re-add Network Threat Confirmation window ....................................................... 168
Figure 249: Build Threat Feed refresh ...................................................................................... 168
Figure 250: Operator Audit Log view pane ............................................................................... 169
Figure 251: Exclusion Parameter Changed .............................................................................. 170
Figure 252: Operator Audit Trail CYBERCON Modified ........................................................... 170
Figure 253: Audit Log Filter selections ...................................................................................... 170
Figure 254: Component Health view pane ................................................................................ 171
Figure 255: Trouble Component Detail Screen ........................................................................ 171
Figure 256: Incidents View Pane (Last 30 days) ...................................................................... 173
Figure 257: Column Filter Selection Example ........................................................................... 173
Figure 258: Incidents Filter Selections ...................................................................................... 174
Figure 259: Threat Sync Date Range Drop-down Menu ........................................................... 174
Figure 260: Search Box ............................................................................................................ 175
Figure 261: Search Results for "csr" ......................................................................................... 175
Figure 262: Search box example .............................................................................................. 175
Figure 263: Host Detail Pop Up window ................................................................................... 176
Figure 264: Incident Details ...................................................................................................... 176
Figure 265: Baseline Survey Popup Window ............................................................................ 177
Figure 266: Device with Prior Host Sensor Installed ................................................................. 178
Figure 267: Reinstall Host Sensor Confirmation ....................................................................... 178
Figure 268: Incidents detail Show Timeline .............................................................................. 179
Figure 269: Incidents detail Timeline ........................................................................................ 179
Figure 270: Incident Details for a Device .................................................................................. 180
Figure 271: Incident Bulk Action Window ................................................................................. 180
Figure 272: Hostname display .................................................................................................. 181
Figure 273: Score Description .................................................................................................. 181
Figure 274: Multiple Outcomes tooltip ...................................................................................... 183
Figure 275: Machine Guided Actions window ........................................................................... 183
Figure 276: Machine Guided Actions with expanded items ...................................................... 184
Figure 277: Action in Progress message .................................................................................. 184
Figure 278: Incident details example ........................................................................................ 185
Figure 279: Indicator Column filter choices ............................................................................... 185
Figure 280: Score fx filter .......................................................................................................... 186
Figure 281: Action Requested/Outcome example .................................................................... 186
Figure 282: Machine Guided Actions “Retry” example ............................................................. 187
Figure 283: Machine Guided Actions “Quarantine File” example ............................................. 187
Figure 284: Additional File Information for Incident .................................................................. 188
Figure 285: Additional Process Information for Incident ........................................................... 188
Figure 286: Additional Registry Information for Incident ........................................................... 189
Figure 287: Indicators with the same hash ............................................................................... 189
Figure 288: Heuristic Threat Detail window .............................................................................. 190
Figure 289: Additional Palo Alto Network Information for Incident ........................................... 190
Figure 290: Additional BotTrap Information for Incident ........................................................... 190
Figure 291: Host Ransomware Prevention Indicator – Prevent mode ...................................... 191
Figure 292: Host Ransomware Additional Info – Prevent mode ............................................... 191
Figure 293: Host Ransomware Additional Info – Prevent Details ............................................. 192
Figure 294: Host Ransomware Prevention Indicator – Detect Mode ........................................ 192
Figure 295: Host Ransomware Additional Info – Detect Mode ................................................. 193
Figure 296: Host Ransomware Additional Info – Detect Details ............................................... 193
Figure 297: Indicator View Pane ............................................................................................... 194
Figure 298: Score Filter Selections ........................................................................................... 195
Figure 299: HawkEye G Host Sensor Source Indicator full data information ........................... 196
Figure 300: Additional Registry Indicator Information ............................................................... 197
Figure 301: Threat Details for a Registry Indicator ................................................................... 197
Figure 302: Additional File Indicator Information ...................................................................... 198
Figure 303: Threat Details for a File Indicator ........................................................................... 198
Figure 304: File Indicators with the same hash ........................................................................ 198
Figure 305: Additional Process Indicator Information ............................................................... 199
Figure 306: Threat Details for a Process Indicator ................................................................... 199
Figure 307: HawkEye G Network Sensor Source example ...................................................... 200
Figure 308: FireEye Source example ....................................................................................... 200
Figure 309: Palo Alto Networks Source example ..................................................................... 200
Figure 310: Additional Palo Alto Networks Information ............................................................. 200
Figure 311: Indicator Status Filter Selections ........................................................................... 201
Figure 312: Host/IP Indicator Filter example ............................................................................. 201
Figure 313: Action Log for Failed action ................................................................................... 202
Figure 314: Action Log for No Policy action .............................................................................. 202
Figure 315: Palo Alto Networks Wildfire indicator ..................................................................... 203
Figure 316: Indicators with Files filter applied ........................................................................... 204
Figure 317: Indicators selected for action ................................................................................. 205
Figure 318: Quarantine Confirmation Window .......................................................................... 205
Figure 319: Action Drop Down List Example ............................................................................ 206
Figure 320: Indicator Bar chart ................................................................................................. 207
Figure 321: Bar Category choices ............................................................................................ 207
Figure 322: Number of Bars choices ........................................................................................ 207
Figure 323: Bar details .............................................................................................................. 208
Figure 324: Export Indicator Bar Chart window ........................................................................ 208
Figure 325: Indicator Pie chart .................................................................................................. 209
Figure 326: Indicator Stacked Time Series chart ...................................................................... 210
Figure 327: Configuration of Lastline API settings .................................................................... 212
Figure 328: Configuration of DNS servers for use by the Network Sensor ............................... 214
Figure 329: Configuration of custom proxy server settings for use by the Network Sensor ..... 215
Figure 330: Configuration of content extraction policy for the Network Sensor ........................ 217
Figure 331: Network Sensor CLI output showing default gateway configured ......................... 218
Figure 332: Network Sensor CLI output showing default gateway configured ......................... 219
Figure 333: Verifying the Network Sensor is able to resolve the Lastline FQDN ...................... 220
Figure 334: Network Sensor failure to resolve FQDN for Lastline ............................................ 220
Figure 335: Verifying network connectivity to third-party malware analysis system or customer HTTP proxy ........ 221
Figure 336: Server Supported Operating Systems ................................................................... 222
Figure 337: Workstation Supported Operating Systems ............................................................ 222
1. HawkEye G
1.1 Introduction
This guide provides operational instructions and guidelines to allow a user to interact with
HawkEye G.
HawkEye G grew out of the need for commercial entities to defend and protect against
malicious code and sophisticated adversaries, such as Advanced Persistent Threats (APTs),
within their enterprise environments. Through its partnerships and customer relationships,
Hexis Cyber Solutions, Inc. found that numerous commercial entities were at a disadvantage
in protecting themselves against sophisticated adversaries. Unlike their government
counterparts, these commercial entities lacked the threat knowledge, personnel, training, and
equipment to deal successfully with advanced persistent threats. They also lacked the large
budgets often guaranteed to government agencies.
HawkEye G was designed as a proactive cyber defense solution for rapid detection and
containment. It is a force multiplier: it automates, via controlled countermeasures, incident
response actions that would otherwise require numerous personnel. HawkEye G was designed
to be flexible by incorporating and leveraging the common security technologies that many
organizations already have in place.
Hexis Cyber Solutions welcomes you to this innovative technology. Together, we will defend
your network.
1.2 What is HawkEye G?
HawkEye G is Hexis Cyber Solutions’ commercial network security solution, founded on over 10
years of offensive security experience. HawkEye G attempts to minimize the consequences of
data breaches and penetrations through early detection and automated remediation of
advanced persistent threats.
1.2.1 Features
Features include:
Deep packet inspection via the HawkEye G Network Sensor (HGNS) device
Log collection and correlation via Hexis’ Event Data Warehouse (EDW)
Botnet traffic trapping
Automated and manual countermeasures
Host interrogation for malicious indicators with persistent host sensors
Advanced analytics
Centrally managed and highly scalable distributions
1.2.2 Operational Principles
HawkEye G secures an enterprise by leveraging a customer’s existing network and
management assets, and by adding components such as the HawkEye G Network Sensor
(HGNS) within the network that provide for IP redirection and DNS injection. Thus, HawkEye G
was designed to be flexible enough to integrate into common infrastructure devices and
networks.
Most of the HawkEye G components reside within their own private network that is completely
isolated from the customer’s network. The component diagram in Figure 1 depicts a typical
deployment of HawkEye G. Supported Host Sensor operating systems are listed in Section 4.
Figure 1: HawkEye G Component Diagram