WatchGuard HawkEye G User Guide
Type: User guide
User Guide, Release 4.0.1
HawkEye G Team ([email protected])
Release 4.0.1
Copyright © WatchGuard Technologies 2016. All rights reserved.
This document is for informational purposes only. WatchGuard makes no
warranties, expressed or implied, as to the information in this document. The names
of any companies and products referenced may be trademarks that are the
property of their respective owners.
Revision History

Date: 7/8/2016    Version: 4.0.1 (rev-3)
- Updated for release 4.0.1
- Added Host Ransomware Prevention information
- Updated screenshots

Date: 4/1/2016    Version: 4.0 (rev-2)
- Updated for release 4.0
- Updated screenshots
- Added Lastline information

Date: 10/31/2015    Version: 3.2 (rev-1)
- New unresolved indicator display.
- Audit log updates (added/deleted/edited) now include: email addresses, event forwarding, authentication, passwords (without showing the actual password), Wildfire configuration, threat feed - file, threat feed - network, exclusion list, whitelist, manual changes to devices, BotTrap, HGNS, Domain, Credentials, and adding/removing devices from groups.
- Edit changes now show old and new values, including in the audit logs for multi-field entries.
- Surveys are now entered in the user's browser time zone. Only one survey per day can be entered for each survey.
- The Device/Host page now has the Installed State selected in the column filter.
- The Search filter on the Incidents page no longer searches for the Host or IP. That search is now done in the Host/IP column heading.
- The baseline survey can now be viewed from the link on the ThreatSync/Incidents page.
- Navigation sub-menus now remain open until the user closes them, even if the user selects a new menu item.
- Bulk actions on a device's indicators on the Incidents page are now limited to the last 25 by date/time.
- Selecting a device on the Incidents page now opens a new Hosts window with that device selected in the Host filter.
- Additional Information for an indicator now shows whether other hosts have seen this indicator.
- The underlying data in the Health page is recalculated every 2 minutes regardless of the refresh rate for the display.
- Clicking on the Dashboard infections opens the Indicators page with the associated score filter set.
- Clicking on the Dashboard remediations opens the Indicators page with the associated filters set (Score, Action requested, and User).
- A device can only belong to one (1) HawkEye G group.
- The event forwarding message format can now be set to either CEF or CSKV.
- The user can now override, for a selected group, the Global Host Sensor settings defined by the administrator.
- Reworded heuristics labeling.
- There is a new Dashboard display for Unresolved Indicators: a timeline of unremediated indicators, the dates they were observed, and the volume of indicators.
- Dashboard Medium/Low infections now include Indicators with scores of 5, 4 and 3, and no longer include 2.
- Running a survey no longer requires a password confirmation.
- Devices are now created when unknown hosts heartbeat.
- Added Red Hat survey templates.

Date: 9/14/2015    Version: 3.1.1 (rev-0)
- Changed the symbols to Yes and No, respectively, in column data.
- The Administrator can now specify a group's full distinguished name (DN) to designate role mappings.
Table of Contents

1. HawkEye G 18
1.1 Introduction 18
1.2 What is HawkEye G? 19
1.2.1 Features 19
1.2.2 Operational Principles 19
1.3 Components 21
1.3.1 Host 21
1.3.2 Interface 21
1.3.3 Communicator 21
1.3.4 Decrypter 21
1.3.5 Event Data Warehouse (EDW) 21
1.3.6 Analytics Engine 21
1.3.7 Rules Engine 22
1.3.8 Host Sensor Manager (HSM) 22
1.3.9 HawkEye G Network Sensor (HGNS) 22
1.3.10 BotTrap 22
1.3.11 Database 22
1.3.12 Host Sensors 22
1.3.13 HawkEye G ThreatSync™ Integration with FireEye and Palo Alto Networks 23
2. HawkEye G User Interface 24
2.1 Introduction 24
2.2 HawkEye G Web Interface 24
2.2.1 Navigation Pane 25
2.2.2 User Pane 27
2.2.3 View Pane 27
2.3 HawkEye G General Controls 27
2.3.1 Login 27
2.3.2 Logout 28
2.3.3 Change User Settings 29
2.3.4 Forgotten Password 31
2.3.5 System Busy 34
2.3.6 CYBERCON Level 34
2.3.6.1 Changing CYBERCON Levels 35
2.3.6.2 CYBERCON Levels Defined 36
2.3.7 Display Features 36
2.3.7.1 Filtering by Provided Buttons 37
2.3.7.2 List Pagination 38
2.3.7.3 Search 39
2.3.7.4 Unicode and Foreign Language Sets 42
2.3.7.5 Expand for Details 43
2.3.8 Edit/Change Confirmation 44
3. User Roles 45
3.1 Administrator Role 45
3.1.1 Reports 46
3.1.2 Users 46
3.1.2.1 Add a User 46
3.1.2.2 Delete a User 47
3.1.2.3 Modify a User 48
3.1.3 Settings 49
3.1.3.1 Analytics 49
3.1.3.2 Authentication 51
3.1.3.3 Email Alerts 52
3.1.3.4 Event Forwarding 54
3.1.3.4.1 Add a Server 54
3.1.3.4.2 Delete a Server 56
3.1.3.4.3 Modify a Server 56
3.1.3.5 General 57
3.1.3.5.1 ThreatSync Settings 58
3.1.3.5.2 Action Backoff Settings 58
3.1.3.5.3 Survey Settings 58
3.1.3.5.4 Address Check Interval 58
3.1.3.5.5 Active Directory Settings 58
3.1.3.6 Host Sensor 58
3.1.3.6.1 Host Sensor Settings 58
3.1.3.6.2 Host Sensor Drive Configuration Setting 59
3.1.3.6.3 Survey Size Limits 59
3.1.3.6.4 Host Sensor Settings 59
3.1.3.7 Host Sensor Manager 59
3.1.3.8 Lastline 61
3.1.3.9 Manager 61
3.1.3.10 Network 62
3.1.3.11 Proxy 65
3.1.3.12 Threat Feed 65
3.1.3.13 Wildfire 66
3.1.4 System 66
3.1.4.1 Purge Audit Log Data 66
3.1.4.2 Factory Reset 67
3.1.4.3 Reboot 68
3.1.4.4 Shut Down 69
3.2 Analyst 69
3.3 Observer 71
3.4 Operator 72
3.4.1 Dashboard 73
3.4.2 ThreatSync 80
3.4.2.1 Incidents 80
3.4.2.2 Indicators 80
3.4.2.3 Policy 80
3.4.2.3.1 Add a New Policy 81
3.4.2.3.2 Edit a Policy 85
3.4.2.3.3 Duplicate a Policy 85
3.4.2.3.4 Filter Adjustment 86
3.4.2.3.5 Delete a Policy 86
3.4.2.4 Whitelist 87
3.4.2.5 Exclusions 90
3.4.2.6 Network Events 92
3.4.2.6.1 Display 92
3.4.2.6.2 HGNS Actions 94
3.4.2.7 Search 95
3.4.3 Reports 96
3.4.4 Devices 97
3.4.4.1 Hosts 97
3.4.4.1.1 Host Sensor Column Headings 98
3.4.4.1.2 Edit a Device 106
3.4.4.1.3 Remove a Device 107
3.4.4.1.4 Clear a Device 108
3.4.4.1.5 Add a new Device 108
3.4.4.1.6 Manually Download Host Sensor 109
3.4.4.2 Survey History 110
3.4.4.3 Survey Schedules 113
3.4.4.3.1 Schedule a Survey 114
3.4.4.3.2 Modify a Survey 117
3.4.4.3.3 Delete a Survey 117
3.4.4.4 Survey Templates 118
3.4.4.4.1 Default Surveys 118
3.4.4.4.2 Add New Survey Template 134
3.4.4.4.3 Edit Nondefault Survey Template 138
3.4.4.4.4 Delete Nondefault Survey Template 138
3.4.4.5 Network Sensor 138
3.4.4.6 BotTrap 142
3.4.5 Configuration 143
3.4.5.1 Accounts 143
3.4.5.1.1 Edit an Account 144
3.4.5.1.2 Remove an Account 145
3.4.5.1.3 Add an Account Manually 145
3.4.5.2 Credentials 146
3.4.5.2.1 Edit Credentials 146
3.4.5.2.2 Delete Credentials 147
3.4.5.2.3 Add Credentials 147
3.4.5.2.4 Assign Assets to the Credential 148
3.4.5.2.5 Remove Assets from an assigned Credential 148
3.4.5.2.6 Devices with Credentials 149
3.4.5.2.7 Devices without Credentials 149
3.4.5.3 Domain 149
3.4.5.3.1 Edit a Domain 150
3.4.5.3.2 Remove a Domain 150
3.4.5.3.3 Add a Domain 151
3.4.5.4 Groups 152
3.4.5.4.1 Add a Group 155
3.4.5.4.2 Edit a Group 156
3.4.5.4.3 Remove a Group 157
3.4.5.4.4 Sync and Unsync Groups 158
3.4.5.5 Host Sensor Configuration 159
3.4.5.6 Threat List - File 161
3.4.5.6.1 Add MD5 Threat 161
3.4.5.6.2 Import MD5 Threats 162
3.4.5.6.3 View MD5 Threat Details 163
3.4.5.6.4 Remove MD5 Threat 163
3.4.5.6.5 Whitelist MD5 Threat 163
3.4.5.6.6 Re-add MD5 Threat 164
3.4.5.7 Threat List - Network 165
3.4.5.7.1 Add a Threat 166
3.4.5.7.2 View Network Threat 167
3.4.5.7.3 Whitelist Network Threat 167
3.4.5.7.4 Re-add Network Threat 168
3.4.5.7.5 Build Threat Feed 168
3.4.6 System 169
3.4.6.1 Audit Log 169
3.4.6.2 Health 170
4. ThreatSync Incidents 172
4.1 Incident Bulk Actions 180
4.2 Incident Column Headings 181
4.3 Incident Detail Column Headings 184
4.4 Incident Details Additional Info 187
4.4.1 Host Ransomware Prevention Additional Info Prevent Mode 191
4.4.2 Host Ransomware Prevention Additional Info Detect Mode 192
5. ThreatSync Indicators 194
5.1 Indicator Sorting Headings 195
5.2 Indicator Bulk Actions 203
5.3 Export Indicators 206
5.4 Indicator Bar Chart 206
5.5 Indicator Pie Chart 209
5.6 Indicator Stacked Time Series 210
6. Content Extraction 211
6.1 Configuration Requirements 211
6.2 User Interface Configuration for Content Extraction 211
6.2.1 Configure Lastline API Settings 212
6.2.2 Configure Network Sensor Configuration and Policy for Content Extraction 213
6.2.2.1 Configuring DNS Servers to be Used by the Network Sensor 213
6.2.2.2 Configuring (optional) HTTP Proxy to be Used by the Network Sensor 214
6.2.2.3 Configuring Content Extraction Policy on the Network Sensor 216
6.3 Network Sensor Configuration for Content Extraction 218
6.3.1 Determining Presence of Default Gateway 218
6.3.2 Configuring a Default Gateway 218
6.4 Validating the Network Sensor Configuration 220
6.4.1 Confirm Network Sensor Able to Access DNS Resolvers 220
6.4.2 Confirm Network Sensor Able to Access Third Party Malware Analysis System 221
7. Supported Operating Systems 222
8. Glossary 223
9. Appendix A Open Source 225
List of Figures
Figure 1: HawkEye G Component Diagram ................................................................................ 20
Figure 2: HawkEye G Web Interface .......................................................................................... 25
Figure 3: HawkEye G Operator default page with pane collapsed ............................................. 26
Figure 4: ThreatSync Section expanded ..................................................................................... 26
Figure 5: Navigation pane with 2 sub-menu lists open ............................................................... 26
Figure 6: User Pane details ........................................................................................................ 27
Figure 7: User Login page .......................................................................................................... 28
Figure 8: User Logout page ........................................................................................................ 28
Figure 9: User Interface details ................................................................................................... 29
Figure 10: User Settings page .................................................................................................... 29
Figure 11: Unsaved Changes prompt ......................................................................................... 30
Figure 12: Login Screen .............................................................................................................. 31
Figure 13: Forgot Password Email Confirmation Screen ............................................................ 31
Figure 14: Forgot Password Reset page .................................................................................... 32
Figure 15: Password Reset Confirmation Email Example .......................................................... 32
Figure 16: New Password Screen .............................................................................................. 33
Figure 17: Login page with password reset confirmation message ............................................ 33
Figure 18: System Busy Icon ...................................................................................................... 34
Figure 19: User pane details ....................................................................................................... 34
Figure 20: Changing CYBERCON Level .................................................................................... 35
Figure 21: CYBERCON Level Change Confirmation .................................................................. 35
Figure 22: Display Filter Selection Example ............................................................................... 37
Figure 23: Information box example ........................................................................................... 37
Figure 24: Incident Filter buttons with “Last 7 days” range applied............................................. 37
Figure 25: Incident Filter buttons after Reset .............................................................................. 37
Figure 26: Pagination Example ................................................................................................... 38
Figure 27: Drop-down list of pages ............................................................................................. 38
Figure 28: Number of Items per page selections ........................................................................ 39
Figure 29: All Incidents ............................................................................................................... 40
Figure 30: Incident Results with “th-win” filter ............................................................................. 40
Figure 31: Partial MD5 Hash filter ............................................................................................... 41
Figure 32: Process List displaying Foreign Data Set .................................................................. 42
Figure 33: Incidents list at the device level ................................................................................. 43
Figure 34: Incidents list details for a specific device ................................................................... 43
Figure 35: Edit/Change Confirmation display ............................................................................. 44
Figure 36: Administrator Default Screen ..................................................................................... 45
Figure 37: Add User Example Screen ........................................................................................ 46
Figure 38: User drop-down menu for Remove User ................................................................... 47
Figure 39: User Deletion Confirmation Screen ........................................................................... 47
Figure 40: User Modification Screen ........................................................................................... 48
Figure 41: Change Password Screen ......................................................................................... 49
Figure 42: Analytics view pane ................................................................................................... 50
Figure 43: Change Confirmation Window ................................................................................... 50
Figure 44: Microsoft Active Directory Authentication window ..................................................... 51
Figure 45: Admin settings for email alerts ................................................................................... 53
Figure 46: Send Test Email window ........................................................................................... 53
Figure 47: Representative Email Alert ........................................................................................ 53
Figure 48: Event Forwarding Window ......................................................................................... 54
Figure 49: Add Server Example Screen ..................................................................................... 54
Figure 50: Event Forwarding Facility List .................................................................................... 55
Figure 51: Event Forwarding Message Type List ....................................................................... 55
Figure 52: User drop-down menu for Remove Server ................................................................ 56
Figure 53: Server Deletion Confirmation Screen ........................................................................ 56
Figure 54: Server Modification Screen ........................................................................................ 56
Figure 55: General view pane (top half) ...................................................................................... 57
Figure 56: General view pane (bottom half) ................................................................................ 57
Figure 57: Host Sensor view pane (top half) ............................................................................... 60
Figure 58: Host Sensor view pane (bottom half) ......................................................................... 60
Figure 59: Lastline view pane ..................................................................................................... 61
Figure 60: Manager View pane (top half) .................................................................................... 62
Figure 61: Manager View pane (bottom half) .............................................................................. 62
Figure 62: Network view pane (top half) ..................................................................................... 63
Figure 63: Network view pane (bottom half) ............................................................................... 63
Figure 64: Duplicate IP address error message ......................................................................... 64
Figure 65: Proxy view pane ........................................................................................................ 65
Figure 66: Threat Feed View Pane ............................................................................................. 65
Figure 67: Wildfire Settings view pane ........................................................................................ 66
Figure 68: Administrator Audit Log view pane ............................................................................ 67
Figure 69: Administrator System/Health view pane .................................................................... 67
Figure 70: First Factory Reset Confirmation ............................................................................... 68
Figure 71: Second Factory Reset Confirmation .......................................................................... 68
Figure 72: HawkEye G Reboot confirmation ............................................................................... 68
Figure 73: Reboot Warning Banner ............................................................................................ 69
Figure 74: Analyst Screen ........................................................................................................... 70
Figure 75: Observer Default Screen ........................................................................................... 71
Figure 76: Operator Dashboard Screen ...................................................................................... 72
Figure 77: Dashboard View Pane ............................................................................................... 73
Figure 78: ThreatSync Incidents page with Critical Score (10,9,8) filters applied ....................... 74
Figure 79: ThreatSync Incidents Page with Automated specific filters applied ........................... 74
Figure 80: ThreatSync/Network Events page .............................................................. 75
Figure 81: Devices/Hosts page ................................................................................................... 76
Figure 82: Unresolved Indicators timeline ................................................................................... 77
Figure 83: Unresolved Indicator Details ...................................................................................... 77
Figure 84: Zoom in on Unresolved Indicator Timeline ................................................................ 77
Figure 85: Zoomed results of Timeline ....................................................................................... 77
Figure 86: Indicator Page for Bubble .......................................................................................... 78
Figure 87: Dashboard Top Host Indicators ................................................................................. 79
Figure 88: ThreatSync Incident page .......................................................................................... 80
Figure 89: Manage Policy View Pane ......................................................................................... 81
Figure 90: Add Policy View Pane ................................................................................................ 82
Figure 91: Threshold Cybercon information ................................................................................ 82
Figure 92: Threshold Score information ...................................................................................... 83
Figure 93: Threat Score Settings ................................................................................................ 83
Figure 94: Edit Policy View Pane ................................................................................................ 85
Figure 95: Policy Duplication Example ....................................................................................... 85
Figure 96: Policy View Pane filter selection ................................................................................ 86
Figure 97: Deleting Policy Confirmation Screen ......................................................................... 86
Figure 98: Whitelist screen ......................................................................................................... 87
Figure 99: Mitigation Whitelist ..................................................................................................... 87
Figure 100: Add Mitigation Whitelist ........................................................................................... 88
Figure 101: Whitelist detail example ........................................................................................... 88
Figure 102: Mitigation Whitelist “Inspect” menu .......................................................................... 89
Figure 103: Edit Mitigation Whitelist screen ................................................................................ 89
Figure 104: Remove Mitigation Whitelist confirmation dialog ..................................................... 89
Figure 105: Exclusion screen ...................................................................................................... 90
Figure 106: Add Exclusion item .................................................................................................. 91
Figure 107: Exclusion detail example ......................................................................................... 91
Figure 108: Exclusion “Inspect” menu ........................................................................................ 92
Figure 109: Remove Exclusion confirmation dialog .................................................................... 92
Figure 110: Network Events default view pane ........................................................................... 93
Figure 111: Network Events view pane with date range ............................................................. 93
Figure 112: Network Event Detail Example ................................................................................ 94
Figure 113: Network Events Action Descriptions ........................................................................ 94
Figure 114: Threat Search View Pane ........................................................................................ 95
Figure 115: Threat Search Example ........................................................................................... 95
Figure 116: Reports view ............................................................................................................ 96
Figure 117: Report is being generated ....................................................................................... 96
Figure 118: Report is ready to view ............................................................................................ 96
Figure 119: Hosts Default Window ............................................................................................. 97
Figure 120: Device Synced confirmation .................................................................................... 97
Figure 121: Hosts View Pane with “th-win” Search filter applied ................................................ 99
Figure 122: Hosts View Pane with "Installed" filter applied ....................................................... 100
Figure 123: Install Host Sensor example .................................................................................. 101
Figure 124: Remove Host Sensor example .............................................................................. 101
Figure 125: Multiple Device Host Sensor example ................................................................... 102
Figure 126: Device Detail Screen with Surveys tab selected ................................................... 102
Figure 127: Device Detail tabs .................................................................................................. 102
Figure 128: All Surveys for Device ............................................................................................ 103
Figure 129: Survey Details for Selected Target ........................................................................ 104
Figure 130: Failed Survey Warning tab .................................................................................... 104
Figure 131: Baseline Survey Results screen ............................................................................ 105
Figure 132: Baseline Survey results if no Host Sensor installed .............................................. 105
Figure 133: Device Detail Screen with IP History tab selected ................................................. 106
Figure 134: Device Detail Screen with Sensor tab selected ..................................................... 106
Figure 135: Device Action Drop-down List ................................................................................ 107
Figure 136: Edit Device Screen ................................................................................................ 107
Figure 137: Confirmation Delete Screen ................................................................................... 107
Figure 138: Add Device Screen ................................................................................................ 108
Figure 139: Host Sensor Download window ............................................................................. 109
Figure 140: Host Sensor Download confirmation ..................................................................... 109
Figure 141: Survey History View Pane ..................................................................................... 110
Figure 142: Survey Type Filter Example ................................................................................... 110
Figure 143: Survey Details Window .......................................................................................... 111
Figure 144: Survey Details ........................................................................................................ 111
Figure 145: Run Survey form .................................................................................................... 112
Figure 146: Survey Limit Example ............................................................................................ 112
Figure 147: Device Details for Limited Survey Data – Warnings tab ........................................ 113
Figure 148: Survey Schedules View Pane ................................................................................ 113
Figure 149: Schedule Survey Screen ....................................................................................... 114
Figure 150: Edit Scheduled Survey Screen .............................................................................. 117
Figure 151: Delete Survey Confirmation Screen ...................................................................... 117
Figure 152: Quick Survey Example .......................................................................................... 118
Figure 153: Quick Survey Incident Example ............................................................................. 118
Figure 154: Quick Survey Results Example ............................................................................. 119
Figure 155: Quick Survey Process Details ............................................................................... 119
Figure 156: Basic Dynamic Survey Example ............................................................................ 120
Figure 157: Basic Dynamic Survey Incident Example .............................................................. 120
Figure 158: Basic Dynamic Survey Details ............................................................................... 121
Figure 159: Basic Dynamic Survey Network Address Detail Example ..................................... 121
Figure 160: Basic Forensic Survey Example ............................................................................ 122
Figure 161: Basic Forensic Survey Incident Example .............................................................. 122
Figure 162: Basic Forensic Survey Results Example ............................................................... 123
Figure 163: Basic Forensic Survey File Detail Example ........................................................... 123
Figure 164: Advanced Forensic Survey Example ..................................................................... 124
Figure 165: Advanced Forensic Survey Incident Example ....................................................... 124
Figure 166: Advanced Forensic Survey Incident Example details ............................................ 125
Figure 167: Advanced Forensic Survey Registry Detail Example ............................................ 125
Figure 168: Red Hat Quick Survey Example ............................................................................ 126
Figure 169: Red Hat Quick Survey Incident Example ............................................................... 126
Figure 170: Red Hat Quick Survey Results Example ............................................................... 127
Figure 171: Red Hat Quick Survey Process Details ................................................................. 127
Figure 172: Red Hat Basic Dynamic Survey Example .............................................................. 128
Figure 173: Red Hat Basic Dynamic Survey Incident Example ................................................ 128
Figure 174: Red Hat Basic Dynamic Survey Details ................................................................. 129
Figure 175: Red Hat Basic Dynamic Survey Network Address Detail Example ....................... 129
Figure 176: Red Hat Basic Forensic Survey Example .............................................................. 130
Figure 177: Red Hat Basic Forensic Survey Incident Example ................................................ 130
Figure 178: Red Hat Basic Forensic Survey Results Example ................................................. 131
Figure 179: Red Hat Basic Forensic Survey File Detail Example ............................................. 131
Figure 180: Red Hat Advanced Forensic Survey Example ....................................................... 132
Figure 181: Red Hat Advanced Forensic Survey Incident Example ......................................... 132
Figure 182: Red Hat Advanced Forensic Survey Incident Example details .............................. 133
Figure 183: Red Hat Advanced Forensic Survey Process Detail Example............................... 133
Figure 184: Survey Templates View Pane ................................................................................ 134
Figure 185: Add Template screen #1 ........................................................................................ 135
Figure 186: Add Template screen #2 ........................................................................................ 135
Figure 187: Walk Directory “Quick Add” drop-down menu ....................................................... 136
Figure 188: Walk Directory walk depth drop-down list .............................................................. 136
Figure 189: Add Template screen #3 ........................................................................................ 137
Figure 190: Add Template screen #4 – Template Summary .................................................... 137
Figure 191: Network Sensor View Pane – CYBERCON levels ................................................ 138
Figure 192: Network Sensor detail tabs .................................................................................... 139
Figure 193: Network Sensor Policy tab ..................................................................................... 139
Figure 194: Network Sensor Configuration tab ......................................................................... 140
Figure 195: HGNS In-Line change error message ................................................................... 141
Figure 196: Network Sensor Content Extraction tab ................................................................. 141
Figure 197: Network Sensor Statistics tab ................................................................................ 142
Figure 198: BotTrap Policy view pane ...................................................................................... 142
Figure 199: Accounts View Pane .............................................................................................. 143
Figure 200: Refresh Accounts button ....................................................................................... 144
Figure 201: Account Details window ......................................................................................... 144
Figure 202: Account Delete Confirmation ................................................................................. 145
Figure 203: Add Account Screen .............................................................................................. 145
Figure 204: Credentials View Pane .......................................................................................... 146
Figure 205: Credential Detail Screen ........................................................................................ 146
Figure 206: Delete Administrator Confirmation ......................................................................... 147
Figure 207: Add Credentials Screen ......................................................................................... 147
Figure 208: Credential Asset Example ..................................................................................... 148
Figure 209: Remove Credentials Screen .................................................................................. 148
Figure 210: Domain View Pane ................................................................................................ 149
Figure 211: Edit Domain View Pane ......................................................................................... 150
Figure 212: Remove Domain Confirmation ............................................................................... 150
Figure 213: Add Domain Screen ............................................................................................... 151
Figure 214: Groups View Pane ................................................................................................. 152
Figure 215: Group Host Sensor tab .......................................................................................... 153
Figure 216: Group Host Sensor Configuration tab .................................................................... 154
Figure 217: Add Group Screen, Accounts type ........................................................................ 155
Figure 218: Add Group Screen, IP Subnet type ....................................................................... 155
Figure 219: Add Group Screen, Device type ............................................................................ 156
Figure 220: Edit Group Screen for Accounts ............................................................................ 156
Figure 221: Edit Group Screen for IP subnet ............................................................................ 157
Figure 222: Delete Group Confirmation Screen ........................................................................ 157
Figure 223: Sync Group Icon .................................................................................................... 158
Figure 224: Sync Group Confirmation ...................................................................................... 158
Figure 225: Unsync Group ........................................................................................................ 158
Figure 226: Unsync Group Confirmation .................................................................................. 158
Figure 227: Refresh Data and Icon ........................................................................................... 159
Figure 228: Host Sensor Configuration ..................................................................................... 159
Figure 229: Host Sensor Download confirmation ..................................................................... 160
Figure 230: Age Off for Quarantined Files Information window ................................................ 160
Figure 231: Age Off for Quarantined Files Drop down list ........................................................ 160
Figure 232: MD5 Threat List View Pane ................................................................................... 161
Figure 233: Add MD5 Threat Window ....................................................................................... 162
Figure 234: Import MD5 Threats window .................................................................................. 162
Figure 235: MD5 Threat Details ................................................................................................ 163
Figure 236: MD5 Threat Removal Confirmation ....................................................................... 163
Figure 237: MD5 Whitelist Threat Confirmation ........................................................................ 163
Figure 238: Whitelist (Inactive) MD5 Threat example ............................................................... 164
Figure 239: Re-add MD5 Threat Confirmation .......................................................................... 164
Figure 240: Manage Threat List – Network View Pane ............................................................ 165
Figure 241: Add Threat Window ............................................................................................... 166
Figure 242: Add Threat Type Selections .................................................................................. 167
Figure 243: Active Threat Detail View ....................................................................................... 167
Figure 244: Inactive Threat Detail View .................................................................................... 167
Figure 245: Network Threat Whitelist example ......................................................................... 167
Figure 246: Whitelist Network Threat Confirmation window ..................................................... 168
Figure 247: Network Threat Re-Add example .......................................................................... 168
Figure 248: Re-add Network Threat Confirmation window ....................................................... 168
Figure 249: Build Threat Feed refresh ...................................................................................... 168
Figure 250: Operator Audit Log view pane ............................................................................... 169
Figure 251: Exclusion Parameter Changed .............................................................................. 170
Figure 252: Operator Audit Trail CYBERCON Modified ........................................................... 170
Figure 253: Audit Log Filter selections ...................................................................................... 170
Figure 254: Component Health view pane ................................................................ 171
Figure 255: Trouble Component Detail Screen ........................................................................ 171
Figure 256: Incidents View Pane (Last 30 days) ...................................................................... 173
Figure 257: Column Filter Selection Example ........................................................................... 173
Figure 258: Incidents Filter Selections ...................................................................................... 174
Figure 259: Threat Sync Date Range Drop-down Menu ........................................................... 174
Figure 260: Search Box ............................................................................................................ 175
Figure 261: Search Results for "csr" ......................................................................................... 175
Figure 262: Search box example .............................................................................................. 175
Figure 263: Host Detail Pop Up window ................................................................................... 176
Figure 264: Incident Details ...................................................................................................... 176
Figure 265: Baseline Survey Popup Window ............................................................................ 177
Figure 266: Device with Prior Host Sensor Installed ................................................................. 178
Figure 267: Reinstall Host Sensor Confirmation ....................................................................... 178
Figure 268: Incidents detail Show Timeline .............................................................................. 179
Figure 269: Incidents detail Timeline ........................................................................................ 179
Figure 270: Incident Details for a Device .................................................................................. 180
Figure 271: Incident Bulk Action Window ................................................................................. 180
Figure 272: Hostname display .................................................................................................. 181
Figure 273: Score Description .................................................................................................. 181
Figure 274: Multiple Outcomes tooltip ...................................................................................... 183
Figure 275: Machine Guided Actions window ........................................................................... 183
Figure 276: Machine Guided Actions with expanded items ...................................................... 184
Figure 277: Action in Progress message .................................................................................. 184
Figure 278: Incident details example ........................................................................................ 185
Figure 279: Indicator Column filter choices ............................................................................... 185
Figure 280: Score fx filter .......................................................................................................... 186
Figure 281: Action Requested/Outcome example .................................................................... 186
Figure 282: Machine Guided Actions “Retry” example ............................................................. 187
Figure 283: Machine Guided Actions “Quarantine File” example ............................................. 187
Figure 284: Addition File Information for Incident ..................................................................... 188
Figure 285: Addition Process Information for Incident .............................................................. 188
Figure 286: Addition Registry Information for Incident .............................................................. 189
Figure 287: Indicators with the same hash ............................................................................... 189
Figure 288: Heuristic Threat Detail window .............................................................................. 190
Figure 289: Addition Palo Alto Network Information for Incident .............................................. 190
Figure 290: Addition BotTrap Information for Incident .............................................................. 190
Figure 291: Host Ransomware Prevention Indicator – Prevent mode ...................................... 191
Figure 292: Host Ransomware Additional Info – Prevent mode ............................................... 191
Figure 293: Host Ransomware Additional Info – Prevent Details ............................................. 192
Figure 294: Host Ransomware Prevention Indicator – Detect Mode ........................................ 192
Figure 295: Host Ransomware Additional Info – Detect Mode ................................................. 193
Figure 296: Host Ransomware Additional Info – Detect Details ............................................... 193
Figure 297: Indicator View Pane ............................................................................................... 194
Figure 298: Score Filter Selections ........................................................................................... 195
Figure 299: HawkEye G Host Sensor Source Indicator full data information ........................... 196
Figure 300: Addition Registry Indicator Information .................................................................. 197
Figure 301: Threat Details for a Registry Indicator ................................................................... 197
Figure 302: Addition File Indicator Information ......................................................................... 198
Figure 303: Threat Details for a File Indicator ........................................................................... 198
Figure 304: File Indicators with the same hash ........................................................................ 198
Figure 305: Addition Process Indicator Information .................................................................. 199
Figure 306: Threat Details for a Process Indicator ................................................................... 199
Figure 307: HawkEye G Network Sensor Source example ...................................................... 200
Figure 308: FireEye Source example ....................................................................................... 200
Figure 309: Palo Alto Networks Source example ..................................................................... 200
Figure 310: Additional Palo Alto Networks Information ............................................................. 200
Figure 311: Indicator Status Filter Selections ........................................................................... 201
Figure 312: Host/IP Indicator Filter example ............................................................................. 201
Figure 313: Action Log for Failed action ................................................................................... 202
Figure 314: Action Log for No Policy action .............................................................................. 202
Figure 315: Palo Alto Networks Wildfire indicator ..................................................................... 203
Figure 316: Indicators with Files filter applied ........................................................................... 204
Figure 317: Indicators selected for action ................................................................................. 205
Figure 318: Quarantine Confirmation Window .......................................................................... 205
Figure 319: Action Drop Down List Example ............................................................................ 206
Figure 320: Indicator Bar chart ................................................................................................. 207
Figure 321: Bar Category choices ............................................................................................ 207
Figure 322: Number of Bars choices ........................................................................................ 207
Figure 323: Bar details .............................................................................................................. 208
Figure 324: Export Indicator Bar Chart window ........................................................................ 208
Figure 325: Indicator Pie chart .................................................................................... 209
Figure 326: Indicator Stacked Time Series chart ...................................................................... 210
Figure 327: Configuration of Lastline API settings .................................................................... 212
Figure 328: Configuration of DNS servers for use by the Network Sensor ............................... 214
Figure 329: Configuration of custom proxy server settings for use by the Network Sensor ..... 215
Figure 330: Configuration of content extraction policy for the Network Sensor ........................ 217
Figure 331: Network Sensor CLI output showing default gateway configured ......................... 218
Figure 332: Network Sensor CLI output showing default gateway configured ......................... 219
Figure 333: Verifying the Network Sensor is able to resolve the Lastline FQDN ...................... 220
Figure 334: Network Sensor failure to resolve FQDN for Lastline ............................................ 220
Figure 335: Verifying network connectivity to third-party malware analysis system or customer HTTP proxy ..... 221
Figure 336: Server Supported Operating Systems ................................................................... 222
Figure 337: Workstation Supported Operating Systems ............................................................... 222
1. HawkEye G
1.1 Introduction
This guide provides operational instructions and guidelines to allow a user to interact with
HawkEye G.
HawkEye G grew out of the need for commercial entities to defend and protect against
malicious code and sophisticated adversaries, such as Advanced Persistent Threats
(APTs), within their enterprise environments. Through its partnerships and relationships,
Hexis Cyber Solutions, Inc. found that numerous commercial entities were at a disadvantage
when protecting themselves against sophisticated adversaries. Unlike their government
counterparts, these commercial entities lacked the threat knowledge, personnel, training,
and equipment to deal successfully with advanced persistent threats, and they also lacked
the large budgets often guaranteed to government agencies.
HawkEye G was designed as a proactive cyber defense solution for rapid detection and
containment. It acts as a force multiplier, automating the incident response actions of
numerous personnel through controlled countermeasures. HawkEye G was also designed to be
flexible, incorporating and leveraging the common security technologies that many
organizations already have in place.
Hexis Cyber Solutions welcomes you to this innovative technology. Together, we will defend
your network.
1.2 What is HawkEye G?
HawkEye G is Hexis Cyber Solutions’ commercial network security solution, founded on over 10
years of offensive security experience. HawkEye G attempts to minimize the consequences of
data breaches and penetrations through early detection and automated remediation of
advanced persistent threats.
1.2.1 Features
Features include:
Deep packet inspection via the Hawkeye G Network Sensor (HGNS) device
Log collection and correlation via Hexis’ Event Data Warehouse (EDW)
Botnet traffic trapping
Automated and manual countermeasures
Host interrogation for malicious indicators with persistent host sensors
Advanced analytics
Centrally managed and highly scalable distributions
1.2.2 Operational Principles
HawkEye G secures an enterprise by leveraging a customer’s existing network and
management assets, and by adding components such as the HawkEye G Network Sensor
(HGNS) within the network that provide for IP redirection and DNS injection. Thus, HawkEye G
was designed to be flexible enough to integrate into common infrastructure devices and
networks.
Most of the HawkEye G components reside within their own private network that is completely
isolated from the customer’s network. The component diagram in Figure 1 depicts a typical
deployment of HawkEye G. Supported Host Sensor operating systems are listed in Section 4.
Figure 1: HawkEye G Component Diagram