Watchguard HawkEye G User guide

Brand: Watchguard

Model: HawkEye G

Type: User guide

UserGuide,Release4.0.1

HawkEye G Team ([email protected])

Release 4.0.1

This document is for informational purposes only. WatchGuard makes no

warranties, expressed or implied, as to the information in this document. The name

of any companies and products referenced may represent trademarks that are

herein property of their respective owners.

RevisionHistory

Date Version Description

7/8/2016 4.0.1 (rev-3)

 Updated for release 4.0.1

 Added Host Ransomware Prevention information

 Updated screenshots

4/1/2016 4.0 (rev-2)

 Updated for release 4.0

 Updated screenshots

 Added Lastline information

10/31/2015

3.2 (rev-1)

 New unresolved indicator display.

 Audit log updates(added/deleted/edited) to include:

email addresses, event forwarding, authentication,

passwords (without showing the actual password),

Wildfire configuration, threat feed - file, threat feed -

network, exclusion list, whitelist, manual changes to

devices, BotTrap, HGNS, Domain, Credentials, and

adding/removing devices from groups.

 Edit changes now show old and new values, as well

as in the audit logs for multi-field entries.

 Surveys are now entered in the user’s browser time

zone. Only one survey per day can be entered for

each survey.

 Device/Host page now has the Installed State

selected in the column filter.

 Search Filter in Incident page does not search for

the Host or IP. That search is now done in the

Host/IP column heading.

 The baseline survey can now be viewed from the

link on the Threat Sync/Incidents page.

 Navigation sub-menus now remain open until the

user closes them even if the user selects a new

menu item.

 Bulk actions on a device’s indicators on the incident

page are now limited to the last 25 by date/time.

 Selecting a device on the Incidents page will now

open a new Host window page with that device

selected in the Host filter.

 Addition Information for an indicator will now show if

additional hosts have seen this indicator.

 The underlying data in the Health page is

recalculated every 2 minutes regardless of the

refresh rate for the display.

 Clicking on the Dashboard infections will open the

Indicators page with the associated score filter set.

 Clicking on the Dashboard remediations will open

the Indicators page with the associated filters set

(Score, Action requested, and User).

 A device can only belong to one (1) HawkEye G

group.

 The event forwarding message format can now

select between CEF and CSKV.

 The user now has the ability to override for a

selected group the Global Host Sensor settings

defined by the administrator.

 Reworded heuristics labeling

 There is a new Dashboard display for Unresolved

Indicators that is a timeline of unremediated

indicators, the dates they were observed, and the

volume of indicators.

 Dashboard Medium/Low infections now include

Indicators with scores of 5,4,3 and does not include

 Running a survey no longer requires a password

confirmation.

 Create Devices when Unknown hosts heartbeat

 Added Red Hat survey templates

9/14/2015 3.1.1 (rev-0)

 Changed the symbols and to Yes and No,

respectively, in column data.

 The Administrator can now specify a group's full

distinguished name (DN) to designate role

mappings.

TableofContents

1. HawkEyeG 18

1.1 Introduction 18

1.2 WhatisHawkEyeG? 19

1.2.1 Features 19

1.2.2 OperationalPrinciples 19

1.3 Components 21

1.3.1 Host 21

1.3.2 Interface 21

1.3.3 Communicator 21

1.3.4 Decrypter 21

1.3.5 EventDataWarehouse(EDW) 21

1.3.6 AnalyticsEngine 21

1.3.7 RulesEngine 22

1.3.8 Host

SensorManager(HSM) 22

1.3.9 HawkeyeGNetworkSensor(HGNS) 22

1.3.10 BotTrap 22

1.3.11 Database 22

1.3.12 HostSensors 22

1.3.13 HawkEyeGThreatSync™IntegrationwithFireEyeandPaloAltoNetworks 23

2. HawkEyeGUserInterface 24

2.1 Introduction 24

2.2 HawkEyeGWebInterface 24

2.2.1 Navigation

Pane 25

2.2.2 UserPane 27

2.2.3 ViewPane 27

2.3 HawkEyeGGeneralControls 27

2.3.1 Login 27

2.3.2 Logout 28

2.3.3 ChangeUserSettings 29

2.3.4 ForgottenPassword 31

2.3.5 SystemBusy 34

2.3.6 CYBERCONLevel 34

2.3.6.1 ChangingCYBERCONLevels 35

2.3.6.2 CYBERCONLevelsDefined 36

2.3.7 DisplayFeatures 36

2.3.7.1 FilteringbyProvidedButtons 37

2.3.7.2 ListPagination 38

2.3.7.3 Search 39

2.3.7.4 UnicodeandForeignLanguageSets 42

2.3.7.5 ExpandforDetails 43

2.3.8 Edit/ChangeConfirmation 44

3. UserRoles 45

3.1 AdministratorRole 45

3.1.1 Reports 46

3.1.2 Users 46

3.1.2.1 AddaUser 46

3.1.2.2 DeleteaUser 47

3.1.2.3 ModifyaUser 48

3.1.3 Settings 49

3.1.3.1 Analytics 49

3.1.3.2 Authentication 51

3.1.3.3 EmailAlerts 52

3.1.3.4 EventForwarding 54

3.1.3.4.1 AddaServer 54

3.1.3.4.2 DeleteaServer 56

3.1.3.4.3 ModifyaServer 56

3.1.3.5 General 57

3.1.3.5.1 ThreatSyncSettings 58

3.1.3.5.2 ActionBackoffSettings 58

3.1.3.5.3 SurveySettings 58

3.1.3.5.4 AddressCheckInterval 58

3.1.3.5.5 ActiveDirectorySettings 58

3.1.3.6 HostSensor 58

3.1.3.6.1 HostSensorSettings 58

3.1.3.6.2 HostSensorDriveConfigurationSetting 59

3.1.3.6.3 SurveySizeLimits 59

3.1.3.6.4 HostSensorSettings 59

3.1.3.7 HostSensorManager 59

3.1.3.8 Lastline 61

3.1.3.9 Manager 61

3.1.3.10 Network 62

3.1.3.11 Proxy 65

3.1.3.12 ThreatFeed 65

3.1.3.13 Wildfire 66

3.1.4 System 66

3.1.4.1 PurgeAuditLogData 66

3.1.4.2 FactoryReset 67

3.1.4.3 Reboot 68

3.1.4.4 ShutDown 69

3.2 Analyst 69

3.3 Observer 71

3.4 Operator 72

3.4.1 Dashboard 73

3.4.2 ThreatSync 80

3.4.2.1 Incidents 80

3.4.2.2 Indicators 80

3.4.2.3 Policy 80

3.4.2.3.1 AddaNewPolicy 81

3.4.2.3.2 EditaPolicy 85

3.4.2.3.3 DuplicateaPolicy 85

3.4.2.3.4 FilterAdjustment 86

3.4.2.3.5 DeleteaPolicy 86

3.4.2.4 Whitelist 87

3.4.2.5 Exclusions 90

3.4.2.6 NetworkEvents 92

3.4.2.6.1 Display 92

3.4.2.6.2 HGNSActions 94

3.4.2.7 Search 95

3.4.3 Reports 96

3.4.4 Devices 97

3.4.4.1 Hosts 97

3.4.4.1.1 HostSensorColumnHeadings 98

3.4.4.1.2 EditaDevice 106

3.4.4.1.3 RemoveaDevice 107

3.4.4.1.4 ClearaDevice 108

3.4.4.1.5 AddanewDevice 108

3.4.4.1.6 ManuallyDownloadHostSensor 109

3.4.4.2 SurveyHistory 110

3.4.4.3 SurveySchedules 113

3.4.4.3.1 ScheduleaSurvey 114

3.4.4.3.2 ModifyaSurvey 117

3.4.4.3.3 DeleteaSurvey 117

3.4.4.4 SurveyTemplates 118

3.4.4.4.1 DefaultSurveys 118

3.4.4.4.2 AddNewSurveyTemplate 134

3.4.4.4.3 EditNon‐defaultSurveyTemplate 138

3.4.4.4.4 DeleteNon‐defaultSurveyTemplate 138

3.4.4.5 NetworkSensor 138

3.4.4.6 BotTrap 142

3.4.5 Configuration 143

3.4.5.1 Accounts 143

3.4.5.1.1 EditanAccount 144

3.4.5.1.2 RemoveanAccount 145

3.4.5.1.3 AddanAccountManually 145

3.4.5.2 Credentials 146

3.4.5.2.1 EditCredentials 146

3.4.5.2.2 DeleteCredentials 147

3.4.5.2.3 AddCredentials 147

3.4.5.2.4 AssignAssetstotheCredential 148

3.4.5.2.5 RemoveAssetsfromanassignedCredential 148

3.4.5.2.6 DeviceswithCredentials 149

3.4.5.2.7 DeviceswithoutCredentials 149

3.4.5.3 Domain 149

3.4.5.3.1 EditaDomain 150

3.4.5.3.2 RemoveaDomain 150

3.4.5.3.3 AddaDomain 151

3.4.5.4 Groups 152

3.4.5.4.1 AddaGroup 155

3.4.5.4.2 EditaGroup 156

3.4.5.4.3 RemoveaGroup 157

3.4.5.4.4 SyncandUnsyncGroups 158

3.4.5.5 HostSensorConfiguration 159

3.4.5.6 ThreatList‐File 161

3.4.5.6.1 AddMD5Threat 161

3.4.5.6.2 ImportMD5Threats 162

3.4.5.6.3 ViewMD5ThreatDetails 163

3.4.5.6.4 RemoveMD5Threat 163

3.4.5.6.5 WhitelistMD5Threat 163

3.4.5.6.6 Re‐addMD5Threat 164

3.4.5.7 ThreatList‐Network 165

3.4.5.7.1 AddaThreat 166

3.4.5.7.2 ViewNetworkThreat 167

3.4.5.7.3 WhiteListNetworkThreat 167

3.4.5.7.4 Re‐addNetworkThreat 168

3.4.5.7.5 BuildThreatFeed 168

3.4.6 System 169

3.4.6.1 AuditLog 169

3.4.6.2 Health 170

4. ThreatSyncIncidents 172

4.1 IncidentBulkActions 180

4.2 IncidentColumnHeadings 181

4.3 IncidentDetailColumnHeadings 184

4.4 IncidentDetailsAdditionalInfo 187

4.4.1 HostRansomwarePrevent ionAdditionalInfo–PreventMode 191

4.4.2 HostRansomwarePrevent ionAdditionalInfo–DetectMode 192

5. ThreatSyncIndicators 194

5.1 IndicatorSortingHeadings 195

5.2 IndicatorBulkActions 203

5.3 ExportIndicators 206

5.4 IndicatorBarChart 206

5.5 IndicatorPieChart 209

5.6 IndicatorStackedTimeSeries 210

6. ContentExtraction 211

6.1 ConfigurationRequirements 211

6.2 UserInterfaceConfigurationforContentExtraction 211

6.2.1 ConfigureLastlineAPISettings 212

6.2.2 ConfigureNetworkSensorConfigurationandPolicyforContentEx traction 213

6.2.2.1 ConfiguringDNSServerstobeUsedbytheNetworkSensor 213

6.2.2.2 Configuring(optional)HTTPProxytobeUsedbytheNetworkSensor 214

6.2.2.3 ConfiguringContentExtractionPolicyontheNetworkSensor 216

6.3 NetworkSensorConfigurationforContentExtraction 218

6.3.1 DeterminingPresenceofDefaultGateway 218

6.3.2 ConfiguringaDefaultGateway 218

6.4 ValidatingtheNetworkSensorConfiguration 220

6.4.1 ConfirmNetworkSensorAbletoAccessDNSResolvers 220

6.4.2 ConfirmNetworkSensorAbletoAccessThird‐PartyMalwareAnalysisSystem

221

7. SupportedOperatingSystems 222

8. Glossary 223

9. AppendixA–OpenSource 225

ListofFigures

Figure 1: HawkEye G Component Diagram ................................................................................ 20

Figure 2: HawkEye G Web Interface .......................................................................................... 25

Figure 3: HawkEye G Operator default page with pane collapsed ............................................. 26

Figure 4: ThreatSync Section expanded ..................................................................................... 26

Figure 5: Navigation pane with 2 sub-menu lists open ............................................................... 26

Figure 6: User Pane details ........................................................................................................ 27

Figure 7: User Login page .......................................................................................................... 28

Figure 8: User Logout page ........................................................................................................ 28

Figure 9: User Interface details ................................................................................................... 29

Figure 10: User Settings page .................................................................................................... 29

Figure 11: Unsaved Changes prompt ......................................................................................... 30

Figure 12: Login Screen .............................................................................................................. 31

Figure 13: Forgot Password Email Confirmation Screen ............................................................ 31

Figure 14: Forgot Password Reset page .................................................................................... 32

Figure 15: Password Reset Confirmation Email Example .......................................................... 32

Figure 16: New Password Screen .............................................................................................. 33

Figure 17: Login page with password reset confirmation message ............................................ 33

Figure 18: System Busy Icon ...................................................................................................... 34

Figure 19: User pane details ....................................................................................................... 34

Figure 20: Changing CYBERCON Level .................................................................................... 35

Figure 21: CYBERCON Level Change Confirmation .................................................................. 35

Figure 22: Display Filter Selection Example ............................................................................... 37

Figure 23: Information box example ........................................................................................... 37

Figure 24: Incident Filter buttons with “Last 7 days” range applied............................................. 37

Figure 25: Incident Filter buttons after Reset .............................................................................. 37

Figure 26: Pagination Example ................................................................................................... 38

Figure 27: Drop-down list of pages ............................................................................................. 38

Figure 28: Number of Items per page selections ........................................................................ 39

Figure 29: All Incidents ............................................................................................................... 40

Figure 30: Incident Results with “th-win” filter ............................................................................. 40

Figure 31: Partial MD5 Hash filter ............................................................................................... 41

Figure 32: Process List displaying Foreign Data Set .................................................................. 42

Figure 33: Incidents list at the device level ................................................................................. 43

Figure 34: Incidents list details for a specific device ................................................................... 43

Figure 35: Edit/Change Confirmation display ............................................................................. 44

Figure 36: Administrator Default Screen ..................................................................................... 45

Figure 37: Add User Example Screen ........................................................................................ 46

Figure 38: User drop-down menu for Remove User ................................................................... 47

Figure 39: User Deletion Confirmation Screen ........................................................................... 47

Figure 40: User Modification Screen ........................................................................................... 48

Figure 41: Change Password Screen ......................................................................................... 49

Figure 42: Analytics view pane ................................................................................................... 50

Figure 43: Change Confirmation Window ................................................................................... 50

Figure 44: Microsoft Active Directory Authentication window ..................................................... 51

Figure 45: Admin settings for email alerts ................................................................................... 53

Figure 46: Send Test Email window ........................................................................................... 53

Figure 47: Representative Email Alert ........................................................................................ 53

Figure 48: Event Forwarding Window ......................................................................................... 54

Figure 49: Add Server Example Screen ..................................................................................... 54

Figure 50: Event Forwarding Facility List .................................................................................... 55

Figure 51: Event Forwarding Message Type List ....................................................................... 55

Figure 52: User drop-down menu for Remove Server ................................................................ 56

Figure 53: Server Deletion Confirmation Screen ........................................................................ 56

Figure 54: Server Modification Screen ........................................................................................ 56

Figure 55: General view pane (top half) ...................................................................................... 57

Figure 56: General view pane (bottom half) ................................................................................ 57

Figure 57: Host Sensor view pane (top half) ............................................................................... 60

Figure 58: Host Sensor view pane (bottom half) ......................................................................... 60

Figure 59: Lastline view pane ..................................................................................................... 61

Figure 60: Manager View pane (top half) .................................................................................... 62

Figure 61: Manager View pane (bottom half) .............................................................................. 62

Figure 62: Network view pane (top half) ..................................................................................... 63

Figure 63: Network view pane (bottom half) ............................................................................... 63

Figure 64: Duplicate IP address error message ......................................................................... 64

Figure 65: Proxy view pane ........................................................................................................ 65

Figure 66: Threat Feed View Pane ............................................................................................. 65

Figure 67: Wildfire Settings view pane ........................................................................................ 66

Figure 68: Administrator Audit Log view pane ............................................................................ 67

Figure 69: Administrator System/Health view pane .................................................................... 67

Figure 70: First Factory Reset Confirmation ............................................................................... 68

Figure 71: Second Factory Reset Confirmation .......................................................................... 68

Figure 72: HawkEye G Reboot confirmation ............................................................................... 68

Figure 73: Reboot Warning Banner ............................................................................................ 69

Figure 74: Analyst Screen ........................................................................................................... 70

Figure 75: Observer Default Screen ........................................................................................... 71

Figure 76: Operator Dashboard Screen ...................................................................................... 72

Figure 77: Dashboard View Pane ............................................................................................... 73

Figure 78: ThreatSync Incidents page with Critical Score (10,9,8) filters applied ....................... 74

Figure 79: ThreatSync Incidents Page with Automated specific filters applied ........................... 74

Figure 80:ThreatSync/Network Events page .............................................................................. 75

Figure 81: Devices/Hosts page ................................................................................................... 76

Figure 82: Unresolved Indicators timeline ................................................................................... 77



Figure 83: Unresolved Indicator Details ...................................................................................... 77

Figure 84: Zoom in on Unresolved Indicator Timeline ................................................................ 77

Figure 85: Zoomed results of Timeline ....................................................................................... 77

Figure 86: Indicator Page for Bubble .......................................................................................... 78

Figure 87: Dashboard Top Host Indicators ................................................................................. 79

Figure 88: ThreatSync Incident page .......................................................................................... 80

Figure 89: Manage Policy View Pane ......................................................................................... 81

Figure 90: Add Policy View Pane ................................................................................................ 82

Figure 91: Threshold Cybercon information ................................................................................ 82

Figure 92: Threshold Score information ...................................................................................... 83

Figure 93: Threat Score Settings ................................................................................................ 83

Figure 94: Edit Policy View Pane ................................................................................................ 85

Figure 95: Policy Duplication Example ....................................................................................... 85

Figure 96: Policy View Pane filter selection ................................................................................ 86

Figure 97: Deleting Policy Confirmation Screen ......................................................................... 86

Figure 98: Whitelist screen ......................................................................................................... 87

Figure 99: Mitigation Whitelist ..................................................................................................... 87

Figure 100: Add Mitigation Whitelist ........................................................................................... 88

Figure 101: Whitelist detail example ........................................................................................... 88

Figure 102: Mitigation Whitelist “Inspect” menu .......................................................................... 89

Figure 103: Edit Mitigation Whitelist screen ................................................................................ 89

Figure 104: Remove Mitigation Whitelist confirmation dialog ..................................................... 89

Figure 105: Exclusion screen ...................................................................................................... 90

Figure 106: Add Exclusion item .................................................................................................. 91

Figure 107: Exclusion detail example ......................................................................................... 91

Figure 108: Exclusion “Inspect” menu ........................................................................................ 92

Figure 109: Remove Exclusion confirmation dialog .................................................................... 92

Figure 110: Network Events default view pane ........................................................................... 93

Figure 111: Network Events view pane with date range ............................................................. 93

Figure 112: Network Event Detail Example ................................................................................ 94

Figure 113: Network Events Action Descriptions ........................................................................ 94

Figure 114: Threat Search View Pane ........................................................................................ 95

Figure 115: Threat Search Example ........................................................................................... 95

Figure 116: Reports view ............................................................................................................ 96

Figure 117: Report is being generated ....................................................................................... 96

Figure 118: Report is ready to view ............................................................................................ 96

Figure 119: Hosts Default Window ............................................................................................. 97

Figure 120: Device Synced confirmation .................................................................................... 97

Figure 121: Hosts View Pane with “th-win” Search filter applied ................................................ 99

Figure 122: Hosts View Pane with "Installed" filter applied ....................................................... 100

Figure 123: Install Host Sensor example .................................................................................. 101

Figure 124: Remove Host Sensor example .............................................................................. 101

Figure 125: Multiple Device Host Sensor example ................................................................... 102

Figure 126: Device Detail Screen with Surveys tab selected ................................................... 102

Figure 127: Device Detail tabs .................................................................................................. 102

Figure 128: All Surveys for Device ............................................................................................ 103

Figure 129: Survey Details for Selected Target ........................................................................ 104

Figure 130: Failed Survey Warning tab .................................................................................... 104

Figure 131: Baseline Survey Results screen ............................................................................ 105

Figure 132: Baseline Survey results if no Host Sensor installed .............................................. 105

Figure 133: Device Detail Screen with IP History tab selected ................................................. 106

Figure 134: Device Detail Screen with Sensor tab selected ..................................................... 106

Figure 135: Device Action Drop-down List ................................................................................ 107

Figure 136: Edit Device Screen ................................................................................................ 107

Figure 137: Confirmation Delete Screen ................................................................................... 107

Figure 138: Add Device Screen ................................................................................................ 108

Figure 139: Host Sensor Download window ............................................................................. 109

Figure 140: Host Sensor Download confirmation ..................................................................... 109

Figure 141: Survey History View Pane ..................................................................................... 110

Figure 142: Survey Type Filter Example ................................................................................... 110

Figure 143: Survey Details Window .......................................................................................... 111

Figure 144: Survey Details ........................................................................................................ 111

Figure 145: Run Survey form .................................................................................................... 112

Figure 146: Survey Limit Example ............................................................................................ 112

Figure 147: Device Details for Limited Survey Data – Warnings tab ........................................ 113

Figure 148: Survey Schedules View Pane ................................................................................ 113

Figure 149: Schedule Survey Screen ....................................................................................... 114

Figure 150: Edit Scheduled Survey Screen .............................................................................. 117

Figure 151: Delete Survey Confirmation Screen ...................................................................... 117

Figure 152: Quick Survey Example .......................................................................................... 118

Figure 153: Quick Survey Incident Example ............................................................................. 118

Figure 154: Quick Survey Results Example ............................................................................. 119

Figure 155: Quick Survey Process Details ............................................................................... 119

Figure 156: Basic Dynamic Survey Example ............................................................................ 120

Figure 157: Basic Dynamic Survey Incident Example .............................................................. 120

Figure 158: Basic Dynamic Survey Details ............................................................................... 121

Figure 159: Basic Dynamic Survey Network Address Detail Example ..................................... 121

Figure 160: Basic Forensic Survey Example ............................................................................ 122

Figure 161: Basic Forensic Survey Incident Example .............................................................. 122

Figure 162: Basic Forensic Survey Results Example ............................................................... 123

Figure 163: Basic Forensic Survey File Detail Example ........................................................... 123

Figure 164: Advanced Forensic Survey Example ..................................................................... 124

Figure 165: Advanced Forensic Survey Incident Example ....................................................... 124

Figure 166: Advanced Forensic Survey Incident Example details ............................................ 125

Figure 167: Advanced Forensic Survey Registry Detail Example ............................................ 125

Figure 168: Red Hat Quick Survey Example ............................................................................ 126

Figure 169: Red Hat Quick Survey Incident Example ............................................................... 126

Figure 170: Red Hat Quick Survey Results Example ............................................................... 127

Figure 171: Red Hat Quick Survey Process Details ................................................................. 127

Figure 172: Red Hat Basic Dynamic Survey Example .............................................................. 128

Figure 173: Red Hat Basic Dynamic Survey Incident Example ................................................ 128

Figure 174: Red Hat Basic Dynamic Survey Details ................................................................. 129

Figure 175: Red Hat Basic Dynamic Survey Network Address Detail Example ....................... 129

Figure 176: Red Hat Basic Forensic Survey Example .............................................................. 130

Figure 177: Red Hat Basic Forensic Survey Incident Example ................................................ 130

Figure 178: Red Hat Basic Forensic Survey Results Example ................................................. 131

Figure 179: Red Hat Basic Forensic Survey File Detail Example ............................................. 131

Figure 180: Red Hat Advanced Forensic Survey Example ....................................................... 132

Figure 181: Red Hat Advanced Forensic Survey Incident Example ......................................... 132

Figure 182: Red Hat Advanced Forensic Survey Incident Example details .............................. 133

Figure 183: Red Hat Advanced Forensic Survey Process Detail Example............................... 133

Figure 184: Survey Templates View Pane ................................................................................ 134

Figure 185: Add Template screen #1 ........................................................................................ 135

Figure 186: Add Template screen #2 ........................................................................................ 135

Figure 187: Walk Directory “Quick Add” drop-down menu ....................................................... 136

Figure 188: Walk Directory walk depth drop-down list .............................................................. 136

Figure 189: Add Template screen #3 ........................................................................................ 137

Figure 190: Add Template screen #4 – Template Summary .................................................... 137

Figure 191: Network Sensor View Pane – CYBERCON levels ................................................ 138

Figure 192: Network Sensor detail tabs .................................................................................... 139

Figure 193: Network Sensor Policy tab ..................................................................................... 139

Figure 194: Network Sensor Configuration tab ......................................................................... 140

Figure 195: HGNS In-Line change error message ................................................................... 141

Figure 196: Network Sensor Content Extraction tab ................................................................. 141

Figure 197: Network Sensor Statistics tab ................................................................................ 142

Figure 198: BotTrap Policy view pane ...................................................................................... 142

Figure 199: Accounts View Pane .............................................................................................. 143

Figure 200: Refresh Accounts button ....................................................................................... 144

Figure 201: Account Details window ......................................................................................... 144

Figure 202: Account Delete Confirmation ................................................................................. 145

Figure 203: Add Account Screen .............................................................................................. 145

Figure 204: Credentials View Pane .......................................................................................... 146

Figure 205: Credential Detail Screen ........................................................................................ 146

Figure 206: Delete Administrator Confirmation ......................................................................... 147

Figure 207: Add Credentials Screen ......................................................................................... 147

Figure 208: Credential Asset Example ..................................................................................... 148

Figure 209: Remove Credentials Screen .................................................................................. 148

Figure 210: Domain View Pane ................................................................................................ 149

Figure 211: Edit Domain View Pane ......................................................................................... 150

Figure 212: Remove Domain Confirmation ............................................................................... 150

Figure 213: Add Domain Screen ............................................................................................... 151

Figure 214: Groups View Pane ................................................................................................. 152

Figure 215: Group Host Sensor tab .......................................................................................... 153

Figure 216: Group Host Sensor Configuration tab .................................................................... 154

Figure 217: Add Group Screen, Accounts type ........................................................................ 155

Figure 218: Add Group Screen, IP Subnet type ....................................................................... 155

Figure 219: Add Group Screen, Device type ............................................................................ 156

Figure 220: Edit Group Screen for Accounts ............................................................................ 156

Figure 221: Edit Group Screen for IP subnet ............................................................................ 157

Figure 222: Delete Group Confirmation Screen ........................................................................ 157

Figure 223: Sync Group Icon .................................................................................................... 158

Figure 224: Sync Group Confirmation ...................................................................................... 158

Figure 225: Unsync Group ........................................................................................................ 158

Figure 226: Unsync Group Confirmation .................................................................................. 158

Figure 227: Refresh Data and Icon ........................................................................................... 159

Figure 228: Host Sensor Configuration ..................................................................................... 159

Figure 229: Host Sensor Download confirmation ..................................................................... 160

Figure 230: Age Off for Quarantined Files Information window ................................................ 160

Figure 231: Age Off for Quarantined Files Drop down list ........................................................ 160

Figure 232: MD5 Threat List View Pane ................................................................................... 161

Figure 233: Add MD5 Threat Window ....................................................................................... 162

Figure 234: Import MD5 Threats window .................................................................................. 162

Figure 235: MD5 Threat Details ................................................................................................ 163

Figure 236: MD5 Threat Removal Confirmation ....................................................................... 163

Figure 237: MD5 Whitelist Threat Confirmation ........................................................................ 163

Figure 238: Whitelist (Inactive) MD5 Threat example ............................................................... 164

Figure 239: Re-add MD5 Threat Confirmation .......................................................................... 164

Figure 240: Manage Threat List – Network View Pane ............................................................ 165

Figure 241: Add Threat Window ............................................................................................... 166

Figure 242: Add Threat Type Selections .................................................................................. 167

Figure 243: Active Threat Detail View ....................................................................................... 167

Figure 244: Inactive Threat Detail View .................................................................................... 167

Figure 245: Network Threat Whitelist example ......................................................................... 167

Figure 246: Whitelist Network Threat Confirmation window ..................................................... 168

Figure 247: Network Threat Re-Add example .......................................................................... 168

Figure 248: Re-add Network Threat Confirmation window ....................................................... 168

Figure 249: Build Threat Feed refresh ...................................................................................... 168

Figure 250: Operator Audit Log view pane ............................................................................... 169

Figure 251: Exclusion Parameter Changed .............................................................................. 170

Figure 252: Operator Audit Trail CYBERCON Modified ........................................................... 170

Figure 253: Audit Log Filter selections ...................................................................................... 170

Figure 254: Component Heath view pane ................................................................................ 171

Figure 255: Trouble Component Detail Screen ........................................................................ 171

Figure 256: Incidents View Pane (Last 30 days) ...................................................................... 173

Figure 257: Column Filter Selection Example ........................................................................... 173

Figure 258: Incidents Filter Selections ...................................................................................... 174

Figure 259: Threat Sync Date Range Drop-down Menu ........................................................... 174

Figure 260: Search Box ............................................................................................................ 175

Figure 261: Search Results for "csr" ......................................................................................... 175

Figure 262: Search box example .............................................................................................. 175

Figure 263: Host Detail Pop Up window ................................................................................... 176

Figure 264: Incident Details ...................................................................................................... 176

Figure 265: Baseline Survey Popup Window ............................................................................ 177

Figure 266: Device with Prior Host Sensor Installed ................................................................. 178

Figure 267: Reinstall Host Sensor Confirmation ....................................................................... 178

Figure 268: Incidents detail Show Timeline .............................................................................. 179

Figure 269: Incidents detail Timeline ........................................................................................ 179

Figure 270: Incident Details for a Device .................................................................................. 180

Figure 271: Incident Bulk Action Window ................................................................................. 180

Figure 272: Hostname display .................................................................................................. 181

Figure 273: Score Description .................................................................................................. 181

Figure 274: Multiple Outcomes tooltip ...................................................................................... 183

Figure 275: Machine Guided Actions window ........................................................................... 183

Figure 276: Machine Guided Actions with expanded items ...................................................... 184

Figure 277: Action in Progress message .................................................................................. 184

Figure 278: Incident details example ........................................................................................ 185

Figure 279: Indicator Column filter choices ............................................................................... 185

Figure 280: Score fx filter .......................................................................................................... 186

Figure 281: Action Requested/Outcome example .................................................................... 186

Figure 282: Machine Guided Actions “Retry” example ............................................................. 187

Figure 283: Machine Guided Actions “Quarantine File” example ............................................. 187

Figure 284: Addition File Information for Incident ..................................................................... 188

Figure 285: Addition Process Information for Incident .............................................................. 188

Figure 286: Addition Registry Information for Incident .............................................................. 189

Figure 287: Indicators with the same hash ............................................................................... 189

Figure 288: Heuristic Threat Detail window .............................................................................. 190

Figure 289: Addition Palo Alto Network Information for Incident .............................................. 190

Figure 290: Addition BotTrap Information for Incident .............................................................. 190

Figure 291: Host Ransomware Prevention Indicator – Prevent mode ...................................... 191

Figure 292: Host Ransomware Additional Info – Prevent mode ............................................... 191

Figure 293: Host Ransomware Additional Info – Prevent Details ............................................. 192

Figure 294: Host Ransomware Prevention Indicator – Detect Mode ........................................ 192

Figure 295: Host Ransomware Additional Info – Detect Mode ................................................. 193

Figure 296: Host Ransomware Additional Info – Detect Details ............................................... 193

Figure 297: Indicator View Pane ............................................................................................... 194

Figure 298: Score Filter Selections ........................................................................................... 195

Figure 299: HawkEye G Host Sensor Source Indicator full data information ........................... 196

Figure 300: Addition Registry Indicator Information .................................................................. 197

Figure 301: Threat Details for a Registry Indicator ................................................................... 197

Figure 302: Addition File Indicator Information ......................................................................... 198

Figure 303: Threat Details for a File Indicator ........................................................................... 198

Figure 304: File Indicators with the same hash ........................................................................ 198

Figure 305: Addition Process Indicator Information .................................................................. 199

Figure 306: Threat Details for a Process Indicator ................................................................... 199

Figure 307: HawkEye G Network Sensor Source example ...................................................... 200

Figure 308: FireEye Source example ....................................................................................... 200

Figure 309: Palo Alto Networks Source example ..................................................................... 200

Figure 310: Additional Palo Alto Networks Information ............................................................. 200

Figure 311: Indicator Status Filter Selections ........................................................................... 201

Figure 312: Host/IP Indicator Filter example ............................................................................. 201

Figure 313: Action Log for Failed action ................................................................................... 202

Figure 314: Action Log for No Policy action .............................................................................. 202

Figure 315: Palo Alto Networks Wildfire indicator ..................................................................... 203

Figure 316: Indicators with Files filter applied ........................................................................... 204

Figure 317: Indicators selected for action ................................................................................. 205

Figure 318: Quarantine Confirmation Window .......................................................................... 205

Figure 319: Action Drop Down List Example ............................................................................ 206

Figure 320: Indicator Bar chart ................................................................................................. 207

Figure 321: Bar Category choices ............................................................................................ 207

Figure 322: Number of Bars choices ........................................................................................ 207

Figure 323: Bar details .............................................................................................................. 208

Figure 324: Export Indicator Bar Chart window ........................................................................ 208

Figure 325: Indictor Pie chart .................................................................................................... 209

Figure 326: Indicator Stacked Time Series chart ...................................................................... 210

Figure 327: Configuration of Lastline API settings .................................................................... 212

Figure 328: Configuration of DNS servers for use by the Network Sensor ............................... 214

Figure 329: Configuration of custom proxy server settings for use by the Network Sensor ..... 215

Figure 330: Configuration of content extraction policy for the Network Sensor ........................ 217

Figure 331: Network Sensor CLI output showing default gateway configured ......................... 218

Figure 332: Network Sensor CLI output showing default gateway configured ......................... 219

Figure 333: Verifying the Network Sensor is able to resolve the Lastline FQDN ...................... 220

Figure 334: Network Sensor failure to resolve FQDN for Lastline ............................................ 220

Figure 335: Verifying network connectivity to third-party malware analysis system or customer

HTTP proxy ............................................................................................................................... 221

Figure 336: Server Supported Operating Systems ................................................................... 222

Figure 337: Workstation Support Operating Systems ............................................................... 222

1. HawkEyeG

1.1 Introduction

This guide provides operational instructions and guidelines to allow a user to interact with

HawkEye G.

HawkEye G began based on the need for commercial entities to be able to defend and protect

against malicious code and sophisticated adversaries, such as Advanced Persistent Threats

(APTs), within their enterprise environment. Hexis Cyber Solutions, Inc., via partnership and

relationships, discovered that numerous commercial entities were at a disadvantage for

protecting themselves against sophisticated adversaries. Unlike their government counterparts,

these commercial entities lacked the threat knowledge, personnel, training, and equipment to

successfully deal with these advanced persistent threats. Additionally, these commercial

corporations lacked the large budgets often guaranteed to government agencies.

HawkEye G was designed as a proactive cyber defense solution that acts as a rapid detection

and containment solution. HawkEye G is a force multiplier and automates the incident response

actions of numerous personnel via controlled countermeasures. HawkEye G was designed to

be flexible by incorporating and leveraging the common and existing security technologies of

many organizations.

Hexis Cyber Solutions welcomes you to this innovative technology. Together, we will defend

your network.

1.2 WhatisHawkEyeG?

HawkEye G is Hexis Cyber Solutions’ commercial network security solution, founded on over 10

years of offensive security experience. HawkEye G attempts to minimize the consequences of

data breaches and penetrations through early detection and automated remediation of

advanced persistent threats.

1.2.1 Features

Features include:

 Deep packet inspection via the Hawkeye G Network Sensor (HGNS) device

 Log collection and correlation via Hexis’ Event Data Warehouse (EDW)

 Botnet traffic trapping

 Automated and manual countermeasures

 Host interrogation for malicious indicators with persistent host sensors

 Advanced analytics

 Centrally managed and highly scalable distributions

1.2.2 OperationalPrinciples

HawkEye G secures an enterprise by leveraging a customer’s existing network and

management assets, and by adding components such as the HawkEye G Network Sensor

(HGNS) within the network that provide for IP redirection and DNS injection. Thus, HawkEye G

was designed to be flexible enough to integrate into common infrastructure devices and

networks.

Most of the HawkEye G components reside within their own private network that is completely

isolated from the customer’s network. The component diagram in Figure 1 depicts a typical

deployment of HawkEye G. Supported Host Sensor operating systems are listed in Section 4.

Figure 1: HawkEye G Component Diagram



Page is loading ...

Watchguard HawkEye G User guide

Watchguard HawkEye G User guide

Watchguard HawkEye G User guide

Related papers

Other documents