Behavioral Analytics with Interset


1 Behavioral Analytics with Interset McAfee Behavioral Analytics Administrator and User Guide

2 Copyright 2018 McAfee, LLC. Portions also subject to Copyright 2018 Interset Software, Inc. All Rights Reserved. McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

3 Document Revision History
Version / Date / Revision / Revision Class
Revision: Document created and released to manufacturing. Revision Class: Major.

4 Contents
Introduction 6
Supported Environments 6
Supported Data Sources 7
Intended Audience 8
Administer the McAfee Behavioral Analytics System 9
Manage Tenants 9
Create a New Tenant 9
Remove a Tenant 13
Manage Users 15
Configure New Users or Update Existing Users 15
Modify a User's Role 19
Configure Multi-tenant Authentication 22
Configure LDAP Authentication 25
Understanding Account Roles 25
Verify There's a Valid LDAP Account Provisioned for McAfee Behavioral Analytics 26
Connect to an SSL-enabled LDAP Server 26
Configure McAfee Behavioral Analytics to Use LDAP Authentication 27
Configure SAML Authentication 28
Edit the investigator.yml file to Enable SAML Authentication 29
Configure the AD FS Relying Party Trust (RPT) 29
Create the McAfee Behavioral Analytics Claim Rules 37
Restart Reporting 38
Configure Single Sign-on with SAML and Okta 39
Create a New Okta/SAML Application Integration 39
Edit the investigator.yml File 40
Restart Reporting 40
Configure a New Data Source 40
Configure Analytics 44
Configure Search 44
Configure New Action Mappings for Existing Data Sources 47
Resolve Multiple Entities in Source Data 48
Configure McAfee Behavioral Analytics to Ingest Universal Third-party Alerts 49
Use the API to Define and Map the Universal Alert Columns 49
Use McAfee Behavioral Analytics Workflow to Create Violations with Risk Weights 51
Update the Universal Alert Data Ingest Configuration Information 52
Administer McAfee Behavioral Analytics for End Users 54
Schedule Data Ingest 54
Create Workflows 54
Verify the Workflow Engine is Running 55
Configure Workflow for Different Data Sources 55
Workflow Scenarios 57
Workflow Notifications and Outcomes 57
Workflow Definitions 60
Scale Your Workflows 65
Manage Workflow Lists 66
Workflow Example 67
Workflow Violations 69
Manage Bot and Bot-like Users 69
Use McAfee Behavioral Analytics 72
McAfee Behavioral Analytics 72
Users and Other Entities

5 CSV Reports 83
PDF Reports 83
Explore Raw Events 83
Advanced Features 84
Workflows 84
Bots and Bot-like Users 85
Advanced Configuration Options 86
Enabling TLS for McAfee Behavioral Analytics Reporting 86
Custom Theme 86
Reset Theme to Default 90
Add Custom Text to the Interface Banner and Footer 91
Configuring Delimiters 93
User Accounts and Permissions 94
Interset Account 94
Ambari and HDP Accounts 94
Other Third-party Component Accounts 95
Appendix A: McAfee Behavioral Analytics Cluster Components 96
McAfee Behavioral Analytics Components 96
Third-party Components 96
Component Distribution 99
McAfee Behavioral Analytics Configuration 100
Appendix B: Explore McAfee Behavioral Analytics Using Sample Data 105
Create the Samples Tenant 105
Create an Administrator User for the Samples Tenant 110
Configure Search 119
Review Results 120
Appendix C: Security Best Practices 121
Changing Default Account Passwords 121
Ambari 121
Investigator/Workflow 124
Firewall Configuration for McAfee Behavioral Analytics Servers 128
Network Topology Recommendations 128
Enabling SSL for McAfee Behavioral Analytics Reporting 129
OS User Permissions and Patch Levels 129
MD5 / SHA1 / SHA256 Checksums 130
Index

6 Introduction This guide describes how to administer and configure the McAfee Behavioral Analytics system and its users. It also provides an overview of the McAfee Behavioral Analytics cluster requirements, dependencies, components, and best practices information. McAfee Behavioral Analytics uses data science and advanced analytics to identify the top risky entities and behaviors occurring in your organization. Using your organization's data, McAfee Behavioral Analytics establishes the normal behavior for your organizational entities and then, using advanced analytics, identifies the anomalous behaviors that constitute potential risks such as compromised accounts, insider threats, or other cyber threats. McAfee Behavioral Analytics' innovative user experience, true machine learning, and big data platform easily identify and prioritize high risk anomalies, allowing your security practitioners to instantly explore the underlying raw event data. The McAfee Behavioral Analytics analytical models apply risk scores to individual users to provide security teams with relevant, prioritized information quickly enough to stop the activity before data loss occurs. McAfee Behavioral Analytics is a server-based product that is deployed in a clustered configuration. This means that the software is distributed across multiple machines, where each machine (which can be a physical machine or a virtual machine running on a VM server such as VMware ESX) is called a node. The distribution of load and responsibilities across multiple nodes is what makes the McAfee Behavioral Analytics solution a scalable system that can handle large amounts of data: the more nodes in your deployment, the more data McAfee Behavioral Analytics can handle. 
Supported Environments
McAfee Behavioral Analytics is supported in the following x86_64 environments:
- CentOS 6.9, 7.4
- Red Hat Enterprise Linux 6.9, 7.4
McAfee Behavioral Analytics is supported with the following third-party components:
- Ambari
- Elasticsearch
- HDP Stack
McAfee Behavioral Analytics supports the following Web browsers:
- Microsoft Internet Explorer 11
- Microsoft Edge
- Google Chrome 60 and above
- Mozilla Firefox 57 and above
- Apple Safari 10 and above

7 Supported Data Sources
McAfee Behavioral Analytics supports the following data sources. For .csv data sources, the delimiter can be customized.
Active Directory
- Active Directory event logs stored in Splunk
- Active Directory event logs stored in HP ArcSight Logger
- Active Directory event logs stored in McAfee Enterprise Security Manager (ESM)
- Active Directory event logs stored in IBM QRadar
- Windows Security event logs (.csv)
- McAfee Behavioral Analytics-extracted Windows event logs (.csv)
- Universal Windows event logs (.csv)
- Windows Event Viewer-extracted event logs (.csv)
- Universal authentication logs
Universal Alerts stored in third-party DLP systems (.csv)
NetFlow
- Version 5
- Version 9
- Version 10 (IPFIX)
Repository
- Perforce P4AUDIT logs
- Perforce Structured Server audit logs
- GitHub Enterprise audit logs
- Universal repository logs (.csv)
Pluggable Authentication Module (PAM)
- AuditD logs (.csv)
Printer logs
- Windows printer events stored in Splunk
- Windows event logs (.csv)
- Universal logs (.csv)
Universal Web Proxy (.csv)
Violations
Expense Data
Data

8 Intended Audience This Guide assumes that you are an experienced system administrator with sound Unix skills and are familiar with your organization's server environment, security infrastructure, and data sources. You should also be familiar with the business needs of your organization. Important: The scripts and commands provided throughout the installation and configuration instructions are designed to be copied from this Guide to the command prompt in your console. However, some scripts and commands may not copy correctly from certain PDF viewer applications. As a result, McAfee Behavioral Analytics recommends that, as you copy text to your command console, you review it to ensure that it has copied correctly. Should you experience unexpected results or identify issues that are not addressed in this document, please contact your McAfee Behavioral Analytics support professional.

9 Administer the McAfee Behavioral Analytics System
This section describes how to administer McAfee Behavioral Analytics to ensure optimal system performance for end users.
Manage Tenants
McAfee Behavioral Analytics tenants and users are created and managed in Swagger, a language-agnostic interface for the Analytics API. When you install McAfee Behavioral Analytics, the first tenant, tenant 0 (ID zero), is created by default. The users admin and user are created in tenant 0 with the login credentials admin/password and user/password, and the API root user has the default password root. These defaults are published in this guide, so change them before anyone other than the installer can reach the Reporting node (see Appendix C, "Changing Default Account Passwords", on page 121). For more information about managing users, see "Configure New Users or Update Existing Users" on page 15. Ideally, you ingest data sources into the same tenant when the entity IDs are the same across the different data sources. You create both tenant records and user records on the Reporting node, as the McAfee Behavioral Analytics root user.
Create a New Tenant
1. Log in to McAfee Behavioral Analytics as an Administrator.
2. Click Settings to open the Settings page. Note: If there is no data in your system, you are taken to the Settings page automatically.
3. In the Settings page, click Access the API to open the API in Swagger.
4. Ensure that you are authenticated as the root user. The default password is root. Note: If you have configured LDAP for McAfee Behavioral Analytics authentication, you must log in to Swagger as the user you configured as the LDAP "rootuser". For more information, see "Configure LDAP Authentication" on page 25.
a. In the Swagger header, click Authorize. Figure 1: Swagger Authorization

10 b. In the Available authorizations, Select OAuth2.0 Scopes dialog box, click Authorize. Figure 2: Available Authorizations If you are already authenticated as the root user, this button displays Logout; in that case you can cancel out of this step. c. In the log in dialog box, enter your user credentials and then click Sign in. Figure 3: Log in Page

11 5. Click tenants to expand the section. The list of all Tenants commands appears. Figure 4: Tenant Commands 6. Click PUT /tenants/{tenantid} to expand the section. Figure 5: Expanding PUT /tenants/{tenantid}

12 7. Click the JSON code in the Example Value box in the lower right-hand corner to copy the schema into the body box that appears in the lower left. Important: The Response Class JSON code includes example values to assist you as you use the API to configure McAfee Behavioral Analytics. When saving new JSON code, ensure that you replace the example values with the appropriate information for your McAfee Behavioral Analytics cluster. Figure 6: PUT /tenants/{tenantid} section
8. In the tenantid box, type the ID of the new tenant you want to create. For the purpose of this example set the ID as int. Note: In McAfee Behavioral Analytics 5.5.2, we recommend that all tenant names contain only lowercase characters.
9. In the body box, change the JSON values as shown below: "step": "paid"
10. Click Try It Out! to add the tenant. The new tenant parameters appear in the Response Body box. When the tenant has been successfully added, 200 appears in the Response Code box.

13 Note: Any time you configure a tenant to include a new data source, you must also configure Search. For more information, please see "Configure a New Data Source" on page 40 and "Configure Search" on page 44.
Remove a Tenant
1. Log in to McAfee Behavioral Analytics as an Administrator.
2. Click Settings to open the Settings page. Note: If there is no data in your system, you are taken to the Settings page automatically.
3. In the Settings page, click Access the API to open the API in Swagger.
4. Ensure that you are authenticated as the root user. The default password is root. Note: If you have configured LDAP for McAfee Behavioral Analytics authentication, you must log in to Swagger as the user you configured as the LDAP "rootuser". For more information, please see "Configure LDAP Authentication" on page 25.
a. In the Swagger header, click Authorize. Figure 7: Swagger Authorization

14 b. In the Available authorizations, Select OAuth2.0 Scopes dialog box, click Authorize. Figure 8: Available Authorizations If you are already authenticated as the root user, this button displays Logout; in that case you can cancel out of this step. c. In the log in dialog box, enter your user credentials and then click Sign in. Figure 9: Log in Page

15 5. Expand the /tenants section. The list of all Tenants commands appears. Figure 10: Tenant Commands
6. Expand the DELETE /tenants/{tenantid} section.
7. In the tenantid Value box, type the ID of the tenant you want to delete, and then click Try it out! When the tenant has been successfully deleted, the Response Body box displays "no content", and 204 is displayed in the Response Code box.
Tip: To confirm that the tenant no longer exists, in the /tenants Tenants section click Get Tenants. In the Response Class box, Swagger returns a list of all tenants. Review the list to ensure that the deleted tenant no longer appears.
Manage Users
McAfee Behavioral Analytics users are created and managed in Swagger, a language-agnostic interface for the Analytics API.
Configure New Users or Update Existing Users
When McAfee Behavioral Analytics is installed, a tenant is created by default, Tenant 0 (ID zero). The users admin and user are created in tenant 0, and are configured with the login credentials admin/password and user/password. Any references to TenantID in this section refer to Tenant 0. New users will normally be created in this default Tenant 0; however, if you create a new tenant and are adding a new user to that tenant, use that tenant in the steps below. For users to log in to the McAfee Behavioral Analytics user interfaces, they must have a user ID and password that can authenticate to the McAfee Behavioral Analytics system.

16 The process to change a user's password is the same as creating a new user. Follow the instructions below as you would for creating a new user, but when entering the "userid" value, enter the value of a user that already exists.
Steps
1. Log in to McAfee Behavioral Analytics as an Administrator.
2. Click Settings to open the Settings page. Note: If there is no data in your system, you are taken to the Settings page automatically.
3. In the Settings page, click Access the API to open the API in Swagger.
4. Ensure that you are authenticated as the root user. The default password is root. Note: If you have configured LDAP for McAfee Behavioral Analytics authentication, you must log in to Swagger as the user you configured as the LDAP "rootuser". For more information, please see "Configure LDAP Authentication" on page 25.
a. In the Swagger header, click Authorize. Figure 11: Swagger Authorization

17 b. In the Available authorizations, Select OAuth2.0 Scopes dialog box, click Authorize. Figure 12: Available Authorizations If you are already authenticated as the root user, this button displays Logout; in that case you can cancel out of this step. c. In the log in dialog box, enter your user credentials and then click Sign in. Figure 13: Log in Page

18 5. In the Swagger user interface, expand the tenants section. The list of all tenants commands appears. Figure 14: Tenant Commands
6. Expand the PUT /tenants/{tenantid}/users/{userid} section.
7. Click the JSON code in the Model Schema box in the lower right-hand corner to copy the schema into the body box that appears in the lower left. Important: The Response Class JSON code includes example values to assist you as you use the API to configure McAfee Behavioral Analytics. When saving new JSON code, ensure that you replace the example values with the appropriate information for your McAfee Behavioral Analytics cluster.
8. In the tenantid box, type the ID of the tenant to which you will add the new user.
9. In the userid box, type the username for the new user. The userid field is the username that the user will use to sign in to McAfee Behavioral Analytics.
10. Fill in the remaining parameters:
userid: the username used to view results. Tip: Alternatively, you can delete the userid field altogether from the JSON code in the body box, as you defined this parameter in Step 9 above. If you keep this field in the JSON code, ensure that its value is the same one you entered in Step 9.
name: the user's full name.
role: either admin or user. The admin role can perform tasks such as configuring data sources, creating Workflows, and accessing the API, while the user role cannot.
isactive: this should be true.
password: the user's password.
11. After filling in the JSON document, click Try It Out! to add the user.

19 The new user parameters appear in the Response Body box. When the new user has been successfully added to the tenant, 200 appears in the Response Code box. To enable user access to more than one tenant in the McAfee Behavioral Analytics cluster, please see "Configure Multi-tenant Authentication" on page 22.
Modify a User's Role
Any new user that logs in to McAfee Behavioral Analytics is created automatically in the Investigator server database. By default, any new user is assigned the user role, with the fewest privileges. You can modify the new user's role in the Analytics API using Swagger, when you are logged in to Swagger as the McAfee Behavioral Analytics root user. Tip: The McAfee Behavioral Analytics root user, which is automatically created upon startup, is specified in the investigator.yml configuration file in the /opt/interset/etc directory.
Steps
1. Log in to McAfee Behavioral Analytics as an Administrator.
2. Click Settings to open the Settings page. Note: If there is no data in your system, you are taken to the Settings page automatically.
3. In the Settings page, click Access the API to open the API in Swagger.
4. Ensure that you are authenticated as the root user:
a. In the Swagger header, click Authorize. Figure 15: Swagger Authorization

20 b. In the Available authorizations, Select OAuth2.0 Scopes dialog box, click Authorize. Figure 16: Available Authorizations Tip: If you are already authenticated as the root user, this button will display Logout. If the Authorize button displays Logout, you can cancel out of this step. c. In the login dialog box, enter your user credentials and then click Sign in. Figure 17: Log in Page You are returned to the Swagger user interface

21 5. Under the /tenants section, expand GET /tenants/{tenantid}/users/{userid}. Figure 18: GET /tenants/{tenantid}/users/{userid}
6. In the tenantid box, type the tenant ID. For example, for Tenant 0, type 0.
7. In the userid box, type the ID of the user whose role you want to change. For example, for user jsmith, type jsmith.
8. Click Try it out!. The Response Body will contain a response similar to the following:
{
  "userid": "jsmith",
  "name": "jsmith",
  "role": "user",
  "isactive": true,
  "password": "******",
  "created": ,
  "persistentsessions": false
}
9. Copy the Response Body output.
10. Expand PUT /tenants/{tenantid}/users/{userid}.
11. In the tenantid box, type the tenant ID.
12. In the userid box, once again type the ID of the user whose role you want to change.
13. In the body box, paste the response body copied in Step 9.
14. In the "role" definition, type the new role for the user. For example, change the "role" definition from "user" to "admin".
15. Delete the password line, and then click Try it out!. The GET response masks the password as ******, and a PUT that still carries the mask would store it as the user's new password, which is why the line must go. A Response Code of 200 indicates success.
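The tenant, user and role procedures above, and the per-tenant user provisioning described in the next section, reduce to a handful of Analytics API calls that are easier to script than to click through in Swagger for more than a few users. The following Python script is an added example written for this page, not code from the guide or from McAfee or Interset. It wraps the documented paths (PUT and DELETE /tenants/{tenantid}, GET and PUT /tenants/{tenantid}/users/{userid}) and encodes the two details the Swagger walkthrough leaves to the operator: a role change must drop the masked password field before the PUT, and a user who needs several tenants gets the same userid and password in each. The base URL, the Bearer-token header and the InMemoryTransport stand-in for the Reporting node are assumptions; copy the real URL and authorization header from the curl line Swagger prints after Try it out!.

```python
import json
import urllib.request

# Tenant roles the guide defines; "root" is the API superuser from investigator.yml.
TENANT_ROLES = ("admin", "user")
# Default passwords this guide documents for admin, user and root; never provision them.
DEFAULT_PASSWORDS = {"password", "root"}


class InMemoryTransport:
    """Constructed stand-in for the Reporting node so the example runs offline.
    Mimics the status codes the guide shows: 200 on PUT/GET, 204 on DELETE."""

    def __init__(self):
        self.tenants, self.users, self.sent = {}, {}, []

    def __call__(self, method, path, body):
        self.sent.append((method, path, body))
        parts = path.strip("/").split("/")
        if len(parts) == 2 and parts[0] == "tenants":
            if method == "PUT":
                self.tenants[parts[1]] = dict(body or {})
                return 200, self.tenants[parts[1]]
            if method == "DELETE":
                self.tenants.pop(parts[1], None)
                return 204, None
        if len(parts) == 4 and parts[0] == "tenants" and parts[2] == "users":
            key = (parts[1], parts[3])
            if method == "PUT":
                record = {**self.users.get(key, {}), **(body or {}), "userid": parts[3]}
                self.users[key] = record
                return 200, {**record, "password": "******"}
            if method == "GET" and key in self.users:
                return 200, {**self.users[key], "password": "******"}
        return 404, None


class AnalyticsApiClient:
    """Wraps the Analytics API paths this guide drives through Swagger.
    Assumed, not from the guide: base_url is the API root on the Reporting node
    and the OAuth2 token travels in a Bearer header."""

    def __init__(self, base_url, token, transport=None):
        self.base_url = base_url.rstrip("/")
        self.token = token
        self._send = transport or self._http  # transport(method, path, body) -> (status, json)

    def _http(self, method, path, body):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(self.base_url + path, data=data, method=method,
                                     headers={"Authorization": "Bearer " + self.token,
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)

    @staticmethod
    def _expect(status, wanted, action):
        if status != wanted:
            raise RuntimeError(f"{action} failed: expected HTTP {wanted}, got {status}")

    def create_tenant(self, tenant_id, **fields):
        # PUT /tenants/{tenantid}; the guide recommends lowercase tenant IDs.
        if tenant_id != tenant_id.lower():
            raise ValueError(f"tenant ID {tenant_id!r} is not lowercase")
        status, payload = self._send("PUT", f"/tenants/{tenant_id}", fields)
        self._expect(status, 200, "create tenant")
        return payload

    def delete_tenant(self, tenant_id):
        # DELETE /tenants/{tenantid} answers 204 with no content.
        status, _ = self._send("DELETE", f"/tenants/{tenant_id}", None)
        self._expect(status, 204, "delete tenant")

    def get_user(self, tenant_id, userid):
        status, payload = self._send("GET", f"/tenants/{tenant_id}/users/{userid}", None)
        self._expect(status, 200, "get user")
        return payload

    def put_user(self, tenant_id, userid, name, role, password):
        # PUT /tenants/{tenantid}/users/{userid} creates the user, or resets the
        # password of an existing userid to the value sent.
        if role not in TENANT_ROLES:
            raise ValueError(f"role must be one of {TENANT_ROLES}, got {role!r}")
        if password in DEFAULT_PASSWORDS:
            raise ValueError("refusing to provision a documented default password")
        body = {"userid": userid, "name": name, "role": role, "isactive": True, "password": password}
        status, payload = self._send("PUT", f"/tenants/{tenant_id}/users/{userid}", body)
        self._expect(status, 200, "put user")
        return payload

    def set_role(self, tenant_id, userid, role):
        # The guide's role-change procedure: GET the record, change "role", delete
        # "password" (GET returns it masked as ******, and a PUT still carrying the
        # mask would store it as the new password), then PUT the record back.
        if role not in TENANT_ROLES:
            raise ValueError(f"role must be one of {TENANT_ROLES}, got {role!r}")
        record = dict(self.get_user(tenant_id, userid))
        record.pop("password", None)
        record["role"] = role
        status, payload = self._send("PUT", f"/tenants/{tenant_id}/users/{userid}", record)
        self._expect(status, 200, "set role")
        return payload

    def grant_tenants(self, tenant_ids, userid, name, role, password):
        # Multi-tenant access: the same userid and password in every tenant.
        return {tid: self.put_user(tid, userid, name, role, password) for tid in tenant_ids}


if __name__ == "__main__":
    api = AnalyticsApiClient("https://reporting.example.test/api", "TOKEN", InMemoryTransport())
    api.create_tenant("acme", name="acme")
    api.put_user("acme", "jsmith", "Jane Smith", "user", "Tr0ub4dor&3")
    print(api.set_role("acme", "jsmith", "admin"))
```

To run it against a real Reporting node, drop the InMemoryTransport argument and pass the token Swagger obtained for the root user. The client refuses the default passwords this guide prints and any role other than admin or user, so a typo cannot silently create an account with the documented defaults.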

22 Configure Multi-tenant Authentication
To configure user access to more than one tenant in the McAfee Behavioral Analytics cluster, in Swagger, simply configure the user for each separate tenant. A user can have different roles for each tenant.
Tips:
- Ensure that the user ID and password are the same for each tenant.
- If you're using LDAP for authentication, the user is automatically created in the default tenant specified in investigator.yml. You will need to use the API / Swagger to add each user to each additional tenant. Make sure to copy the complete user record (including the empty password field) to each additional tenant.
- If you enter different passwords for the same user when configuring access to different tenants, the password entered for the last tenant configured applies to the user's access to all tenants.
- If a user has access to the data for only one tenant, when they log in to McAfee Behavioral Analytics they see the data for that tenant. If a user has access to the data for more than one tenant, they see the data for the first tenant configured for their user profile. The tenants to which the user has access appear in a dropdown menu to the right of the Apps field; to switch between tenants, select the tenant from the dropdown menu. Figure 19: Switch Tenants
- If a user with Administrator privileges switches to a tenant for which no data is available, the user is redirected to the Settings page. If a user with User privileges switches to a tenant for which no data is available, the user is logged out.
Steps
1. Log in to McAfee Behavioral Analytics as an Administrator.
2. Click Settings to open the Settings page. Note: If there is no data in your system, you are taken to the Settings page automatically.
3. In the Settings page, click Access the API to open the API in Swagger.
4. Ensure that you are authenticated as the root user.
The default password is root. Note: If you have configured LDAP for McAfee Behavioral Analytics authentication, you must log in to Swagger as the user you configured as the LDAP "rootuser". For more information, please see "Configure LDAP Authentication" on page

23 a. In the Swagger header, click Authorize. Figure 20: Swagger Authorization b. In the Available authorizations, Select OAuth2.0 Scopes dialog box, click Authorize. Figure 21: Available Authorizations If you are already authenticated as the root user, this button displays Logout; in that case you can cancel out of this step.

24 c. In the log in dialog box, enter your user credentials and then click Sign in. Figure 22: Log in Page 5. In the Swagger user interface, expand the tenants section. The list of all tenants commands appears. Figure 23: Tenant Commands 6. Expand the PUT /tenants/{tenantid}/users/{userid} section. 7. Click the JSON code in the Model Schema box in the lower right-hand corner to copy the schema into the body box that appears in the lower left

25 Important: The Response Class JSON code includes example values to assist you as you use the API to configure McAfee Behavioral Analytics. When saving new JSON code, ensure that you replace the example values with the appropriate information for your McAfee Behavioral Analytics cluster.
8. In the tenantid box, type the ID of the tenant to which you will add the user.
9. In the userid box, type the username for the user. The userid field is the username that the user will use to sign in to McAfee Behavioral Analytics.
10. Fill in the remaining parameters:
userid: the username used to view results. Tip: Alternatively, you can delete the userid field altogether from the JSON code in the body box, as you defined this parameter in Step 9 above. If you keep this field in the JSON code, ensure that its value is the same one you entered in Step 9.
name: the user's full name.
role: either admin or user. The admin role can perform tasks such as configuring data sources, creating Workflows, and accessing the API, while the user role cannot.
isactive: this should be true.
password: the user's password.
11. After filling in the JSON document, click Try It Out! to add the user. The new user parameters appear in the Response Body box. When the new user has been successfully added to the tenant, 200 appears in the Response Code box.
12. Repeat Steps 6 to 11 for each additional tenant the user will access.
Configure LDAP Authentication
By default, McAfee Behavioral Analytics uses an internal authentication database containing tenants and users. McAfee Behavioral Analytics can also be configured to authenticate using an external LDAP provider (such as a Microsoft Active Directory server) or an external SAML provider (such as Okta). Note: Only one authentication method can be used for McAfee Behavioral Analytics at a time. Therefore, you must choose between LDAP, SAML, and the McAfee Behavioral Analytics-provided authentication.
Understanding Account Roles There are three types of user account roles in McAfee Behavioral Analytics 5.5.2: Root, Administrator, and User. A local account is created when a user successfully logs in to McAfee Behavioral Analytics via LDAP and will automatically be assigned the user role. User roles are given limited permissions by default

26 The root user is the McAfee Behavioral Analytics superuser and has API permissions to grant administrator role accounts. When LDAP is enabled, the root user must be manually assigned in /opt/interset/etc/investigator.yml. See "Configure McAfee Behavioral Analytics to Use LDAP Authentication" on the next page. Enabling LDAP changes the default system behaviour. For assistance using the API, please contact your McAfee Behavioral Analytics support professional.
Verify There's a Valid LDAP Account Provisioned for McAfee Behavioral Analytics
McAfee Behavioral Analytics requires access to an LDAP service account so that it can query the LDAP server when McAfee Behavioral Analytics users try to log in. We recommend that the LDAP service account:
- is used only by McAfee Behavioral Analytics;
- does not expire;
- has unthrottled search capabilities; and
- has read-only access to your LDAP server.
The credentials of this LDAP service account can optionally be verified by using a tool such as ldapsearch, for example:
ldapsearch -v -x -W -h ad.example.com -p 389 -D "CN=Bobby Clobber,OU=New York,OU=Example Users,DC=ad,DC=example,DC=com" -b "dc=ad,dc=example,dc=com" "(&(objectclass=user)(samaccountname=bclobber))" DN
Here -x requests a simple bind and -W prompts for the bind password. Over plain LDAP on port 389 that password crosses the network in cleartext, so if the directory offers LDAPS, run the check with -H ldaps://ad.example.com:636 in place of -h and -p, and in any case run it only from a trusted network segment.
The source that provides the LDAP service account will also be able to provide (and explain) how to correctly set the bind user used to bind to the LDAP directory (-D in the command above, ldapsearchdn in the configuration file below) and the starting point for the directory search (-b in the command above, ldapsearchbasedn in the configuration file below).
Connect to an SSL-enabled LDAP Server
1. Add the LDAP server's certificate to the reporting node's Java keystore if your LDAP server is configured with SSL.
You can check whether the LDAP server has SSL enabled by requesting its certificate with the following command:
openssl s_client -connect ad.example.com:636 </dev/null 2>/dev/null | sed -n '/^-----BEGIN/,/^-----END/p'
If the command does not return a block that begins with -----BEGIN CERTIFICATE-----, such as the following example, then SSL is not set up on your LDAP server or there is a misconfiguration. Please contact the source that provided you the LDAP information if this issue occurs.
-----BEGIN CERTIFICATE-----
MXIGFzCCBP+gXwIBAgITJQAAAAVZDMkXeqtEpwAAAAAABTANXgkqhkiG9w0BAQUX...
-----END CERTIFICATE-----
Caution: openssl s_client prints whatever certificate the endpoint on port 636 presents; it does not verify it. Before you import it in step 2, confirm its SHA-256 fingerprint, or that it chains to the CA you expect, with the team that runs the directory. Otherwise any host that sits on the path at import time becomes permanently trusted by the reporting node.
2. If SSL is enabled, save and install the certificate with the following commands:

27 openssl s_client -connect ad.example.com:636 </dev/null 2>/dev/null | sed -n '/^-----BEGIN/,/^-----END/p' | sudo tee $JAVA_HOME/jre/lib/security/cert.pem >/dev/null
sudo keytool -import -file $JAVA_HOME/jre/lib/security/cert.pem -alias ldap -keystore $JAVA_HOME/jre/lib/security/cacerts
(The output redirection goes through sudo tee because a plain > redirect runs as the invoking user and cannot write into the Java security directory.)
Note: If the Domain Controller LDAP certificate was issued from a private Certificate Authority, please ensure the issuing certificate chain is imported into the Java cacerts store. Importing the issuing CA rather than the leaf certificate also survives routine renewal of the server certificate.
3. When prompted for the store password, enter it. Tip: The default password is changeit.
4. When prompted whether to trust this certificate, enter yes.
Trust this certificate? [no]: yes
The response should be similar to the following:
Certificate was added to keystore
5. Verify that the certificate was added correctly using the following command:
sudo keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts | grep ldap
The response should be similar to the following:
ldap, Jul 18, 2017, trustedCertEntry,
Configure McAfee Behavioral Analytics to Use LDAP Authentication
To configure McAfee Behavioral Analytics to use LDAP authentication, you must modify the investigator.yml file.
1. Open /opt/interset/etc/investigator.yml, find the # LDAP Authentication section, and set the following variables to the LDAP information you verified at the beginning of this section:
ldapsearchbasedn is the starting point for the LDAP directory search.
ldapsearchdn is the LDAP service account's Distinguished Name (bind user).
ldapsearchdnpassword is the plain text password of the LDAP service account. Because it is stored in clear, keep investigator.yml readable only by the account that runs Reporting.
ldapurl is the LDAP server, such as ldaps://ad.example.com:636. If your LDAP server isn't configured to use SSL, use ldap://ad.example.com:389; the bind password then crosses the network unencrypted on every login.
2. Set the following parameters: enabled to true, and rootuser to the username of the LDAP account that you want to be the McAfee Behavioral Analytics superuser.
The McAfee Behavioral Analytics superuser is able to assign administrative privileges to other McAfee Behavioral Analytics accounts and should not be the LDAP service account (bind user).
3. To change the default tenant that McAfee Behavioral Analytics users are logged into, edit the variable "ldapdefaulttenantid" with the new tenant's ID. If you want to enforce membership in an LDAP group to restrict who can log in to McAfee Behavioral Analytics, edit the variable "ldapsearchfilter", for example: (memberof=cn=<>,cn=<>,dc=example,dc=com)

28 Note that the McAfee Behavioral Analytics superuser (rootuser) is restricted from logging in to the McAfee Behavioral Analytics Web user interface, and that users with the role User are restricted from logging in to the Web user interface until the tenant(s) they are assigned to have been configured by an Administrator user.
4. On the Reporting node, restart Reporting using the following command:
For EL6: service reporting restart
For EL7: systemctl restart reporting
Note: Troubleshooting information is logged in /opt/interset/log/reporting.log
Configure SAML Authentication
If your organization uses SAML for authentication, you can use your SAML deployment for authentication to McAfee Behavioral Analytics. In McAfee Behavioral Analytics 5.5.2, you can configure SAML authentication only when your McAfee Behavioral Analytics cluster has a single tenant. If you have configured more than one tenant in your system, you must use the authentication provided by McAfee Behavioral Analytics and managed by the Analytics API using Swagger. For more information about using Swagger to manage users, please see "Modify a User's Role" on page 19. Only one authentication method can be used at a time. Therefore, you must choose whether to use your own SAML or the McAfee Behavioral Analytics-provided authentication. When you configure SAML authentication for your McAfee Behavioral Analytics system, your SAML application manages authentication for McAfee Behavioral Analytics; however, the API continues to manage the permissions assigned to each user. Any new user that logs in to McAfee Behavioral Analytics is created automatically in the Investigator server database. By default, any new user is assigned the user role, the role with the fewest privileges. You can modify the new user's role in the API using Swagger, when you are logged in to Swagger as the rootuser configured in investigator.yml.
Important: Upon initial installation and setup of the McAfee Behavioral Analytics cluster, only the SAML account defined in the investigator.yml file (located on the reporting node in /opt/interset/etc) as rootuser: will be able to log in and configure the system. Configuring SAML authentication for your McAfee Behavioral Analytics system involves: editing the SAML Authentication section of the investigator.yml file to enable SAML authentication; configuring an Active Directory Federation Services (AD FS) Relying Party Trust to create the connection between Active Directory and McAfee Behavioral Analytics;

29 creating the claim rules; and restarting Reporting. You can also configure single sign-on with SAML and Okta. Edit the investigator.yml file to Enable SAML Authentication 1. On the Reporting node, navigate to the /opt/interset/etc directory, and open the investigator.yml file. 2. Scroll to the SAML Authentication section, and update the saml-auth parameters as follows: enabled: true rootuser: <rootuser_ > defaulttenantid: <TID> relyingpartyidentifier: McAfee Behavioral Analytics_Investigator_identifier assertionconsumerserviceurl: metadataurl: 3. Save the updated investigator.yml file. Configure the AD FS Relying Party Trust (RPT) 1. Open Active Directory Federation Services. 2. In Server Manager, click Tools, and then select AD FS Management

3. In the Actions pane, click Add Relying Party Trust. This launches the Add Relying Party Trust wizard and opens the Welcome page.

   Figure 24: Welcome Page

4. On the Select Data Source page, select the Enter data about the relying party manually radio button, and then click Next.
5. In the Specify Display Name page, in the Display name box, enter the value of the relyingpartyidentifier parameter you set in the investigator.yml file.

   Figure 25: Specify Display Name Page

6. On the Choose Profile page, select the AD FS profile radio button, and then click Next.

   Figure 26: Choose Profile Page

7. On the Configure Certificate page, accept the defaults, and then click Next.
8. On the Configure URL page, select the Enable Support for the SAML 2.0 WebSSO protocol checkbox. In the Relying party SAML 2.0 SSO service URL box, enter the value of the assertionconsumerserviceurl parameter you set in the investigator.yml file.

   Figure 27: Configure URL Page

9. On the Configure Identifiers page, in the Relying party trust identifier box, enter the value of the relyingpartyidentifier parameter you set in the investigator.yml file, and then click Add. The new Relying Party Identifier appears in the Relying party trust identifiers box.

   Figure 28: Configure Identifiers Page

10. Click Next.
11. On the Configure Multi-factor Authentication Now? page, select the I do not want to configure multi-factor authentication settings for this relying party trust at this time radio button, and then click Next.

   Figure 29: Configure Multi-factor Authentication Now? Page

12. On the Choose Issuance Authorization Rules page, select the Permit all users to access this relying party radio button, and then click Next.

   Figure 30: Choose Issuance Authorization Rules Page

13. On the Ready to Add Trust page, click Next.
14. On the Finish page, select the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes checkbox, and then click Close. The Edit Claim Rules wizard opens.

   Figure 31: Finish Page

Create the McAfee Behavioral Analytics Claim Rules

After the relying party has been created, you create the claim rules and update the trust with additional settings not configured in the wizard.

1. In the Edit Claim Rules dialog box, click Add Rule.
2. On the Select Rule Template page, click the Claim rule template dropdown arrow, select Send LDAP Attributes as Claims from the list, and then click Next.

   Figure 32: Choose Rule Type Page

3. On the Configure Rule page, do the following:
   a. In the Claim rule name box, enter the value of the relyingpartyidentifier parameter you set in the investigator.yml file.
   b. In the Attribute store box, click the dropdown arrow and then select Active Directory from the list.
   c. In the Mapping of LDAP attributes to outgoing claim types section, in the LDAP Attribute column, click the dropdown arrow in the first row and then select SAM-Account-Name.
   d. In the Outgoing Claim Type column, click the dropdown arrow in the first row and then select Name ID.
   e. Click Finish.

Restart Reporting

On the Reporting node, restart Reporting using the following commands:

   For (EL6): service reporting restart
   For (EL7): systemctl restart reporting

Configure Single Sign-on with SAML and Okta

Configuring single sign-on with SAML and Okta involves:

- creating a new Okta/SAML application integration;
- editing the metadataurl parameter in the investigator.yml file; and
- restarting Reporting.

Create a New Okta/SAML Application Integration

1. Log in to the Okta Administrator Dashboard.
2. In the upper-right section of the Dashboard, under Shortcuts, click Add Applications.
3. On the Add Application page, under Can't find an app?, click Create New App.
4. On the Create a New Application Integration page, do the following:
   a. In the Platform box, click the dropdown arrow and then select Web from the list.
   b. In the Sign on method section of the page, select the SAML 2.0 radio button.
   c. Click Create.
5. On the Create SAML Integration page, on the General Settings tab, enter the value of the relyingpartyidentifier parameter you set in the investigator.yml file, and then click Next.
6. On the Configure SAML tab, do the following:
   a. In the Single sign on URL box, enter the value of the assertionconsumerserviceurl parameter you set in the investigator.yml file.
   b. Enable the Use this for Recipient URL and Destination URL checkbox.
   c. In the Audience URI (SP Entity ID) box, enter the value of the assertionconsumerserviceurl parameter you set in the investigator.yml file.
7. Scroll to the bottom of the page, and click Next.
8. On the Feedback tab, do the following:
   a. Beside Are you a customer or partner?, select the I'm an Okta customer adding an internal app radio button.
   b. Optionally set the App type.
9. Click Finish. The application's Sign on dialog box appears.
10. Select and copy the URL in the yellow application metadata box. In the next section, you will copy it to the metadataurl parameter in the investigator.yml file.

Edit the investigator.yml File

1. On the Reporting node, navigate to the /opt/interset/etc directory, and open the investigator.yml file.
2. Scroll to the SAML Authentication section, and replace the metadataurl parameter with the URL from the Okta yellow application metadata box copied in Step 10 above.

   enabled: true
   rootuser: <rootuser_ >
   defaulttenantid: <TID>
   relyingpartyidentifier: McAfee Behavioral Analytics_Investigator_identifier
   assertionconsumerserviceurl:
   metadataurl:

3. Update the logouturl parameter with the URL that you want users taken to when they click Sign out, <username> in the McAfee Behavioral Analytics user interface. For example, enter the logout URL configured in Okta.

   logouturl: <signout_destination_url>

4. Save and close the updated investigator.yml file.

Restart Reporting

On the Reporting node, restart Reporting using the following command:

   For (EL6): service reporting restart
   For (EL7): systemctl restart reporting

Configure a New Data Source

The typical McAfee Behavioral Analytics production installation includes one Stream node. Should your solution include more than one Stream node, you may need to configure more than one Ambari Flume Configuration Group for your data ingest. For each Data Ingest configuration that you upload to Ambari, an Ambari agent is created.

The Data Configuration wizard is used to create the Data Ingest configuration information for use in Ambari. The Data Configuration wizard provides a user interface where you specify your data source and provide any further information required for Data Ingest.

For each data source that you configure in McAfee Behavioral Analytics 5.5.2, you create a number of Data Ingest configurations. In most cases, the configuration information includes the following:

- one section that defines the ETL process from the source data to Avro-encoded events in Kafka;
- one section that defines the ETL process from the Avro-encoded events in Kafka to Elasticsearch; and
- one section that defines the ETL process from the Avro-encoded events in Kafka to HBase.

Notes:

- To validate your McAfee Behavioral Analytics installation, you can configure a data ingest using sample data provided by McAfee Behavioral Analytics, and then run Analytics on the sample data to generate analytics. For more information, see Appendix B: Install and Configure the McAfee Behavioral Analytics Sample Data.
- Before you begin, note the server names and port numbers for your Elasticsearch and ZooKeeper instances. You will be required to provide this information as you use the Data Configuration wizard to configure your data source.
- When you are configuring more than one data source for a tenant, you must ensure that multiple entity names across the data sources are resolved. For example, your Active Directory dataset may contain a user named jsmith, while the same user is identified in your printer dataset as jsmith@yourcompany.com. For McAfee Behavioral Analytics to accurately associate behaviors with the correct entity, these multiple entities must be resolved to one single entity. You can resolve multiple entities across your data sources by manipulating your data prior to ingest, or during ingest using Flume. For more information about resolving entities across multiple data sources, see "Resolve Multiple Entities in Source Data" on page 48.
- Set a unique data source instance ID (DID) for each additional data set of the same type. The default DID is 0; the DID value must be an integer between 0 and 127. For each additional dataset of the same type, simply increment the DID value by one (1). For example, if you have one (1) generic repository dataset and one (1) Web proxy dataset, they can both have the same DID, typically the default of 0. If, however, you want to add a second generic repository dataset, you should increment the DID value by one (1) for the new generic repository dataset you are adding to the system.
- By default, McAfee Behavioral Analytics expects the time data to be formatted in the ISO-8601 standard. If your time data is not formatted in the ISO-8601 standard, you can change the time format to that of your data by updating the time format field in the Data Configuration wizard. Supported time formats include ISO-8601, epoch, epoch_milli, or any format using the Java DateTimeFormatter.
- After you create the Data Ingest configuration information using the Data Configuration wizard, you will copy and paste that information in the Flume Configuration Group in Ambari.
- If you plan to create Workflows, you will need to configure the rules.conf configuration file for the new data source. For more information, please see "Configure Workflow for Different Data Sources" on page 55.
- If you modify the Data Ingest configuration for your data source during data ingest (in other words, while the configuration file is being read by Flume), the data ingest may fail. As a result, you may experience data loss. To avoid this situation, do not modify your Data Ingest configuration file during the ingest process. If you must update the configuration file, suspend Flume operation while making the necessary changes.
- For more information about the Data Ingest configurations required for each of the supported data sources and the detailed parameters of each configuration, see the McAfee Behavioral Analytics Data Ingest Configuration Reference Guide.

Steps

1. Open a Web browser, and log in to the McAfee Behavioral Analytics server as an Administrator.

2. On the Overall Risk page, click Settings in the upper-right corner to open the Settings page.

   Note: If there is no data in your system, you will automatically be taken to the Settings page.

3. In the Settings page, click Configure a Data Source to launch the Data Configuration wizard.
4. On the Select Your Data Source page, click the Choose Your Data Type dropdown arrow, and then scroll through the list to select the data type you want to configure. For example, Authentication (Active Directory, AuditD, Universal).
5. Under Source, click the Choose Your Source dropdown arrow, and then scroll through the list to select the source of the data type to configure. For example, Universal Active Directory (CSV).
6. Enter the connection information for your data source.
7. To anonymize the data presented in the McAfee Behavioral Analytics user interface, select the Anonymize checkbox.
8. Click the Next arrow to continue.
9. If your source data is in .csv format, do the following:
   a. In the Map Your Columns page, click Browse to locate and then upload a sample data source file. When you upload a sample data source file, the column Header, column Sample Row, and schema Mapping appear.

      Tip: If you do not upload a sample data source file, you can optionally assign numerical values to the column order in which your data appears. For example, if the timestamp data in your source data appears in the third column, enter 3 in the Header Order field.

   b. Click the Next arrow to continue.
   c. Map the action values in your source data to values available in the schema:
      - If actions appear under Actions Found, click the Mapping dropdown arrow to map the action to the corresponding McAfee Behavioral Analytics action value. For example, if success appears under Actions Found, click the Mapping dropdown arrow and then select success.
      - If your source data includes action values other than those available in the Mapping dropdown list, click Add, enter the action value under Actions Found, and then click the Mapping dropdown arrow to select the action value to which to map it.

      Tip: You can also choose to ignore action values in your source data by not mapping these actions to schema action values. When these action values are not mapped, they will not be analyzed by McAfee Behavioral Analytics and will therefore not factor into the Analytics results.

10. Click the Next arrow to continue.
11. In the Configure Your Destination page, enter the tenant ID, the DID, and the Kafka, Elasticsearch, and ZooKeeper connection information.
12. Choose whether to configure violations by selecting the Violations checkbox. If this is not the first data source for this tenant, clear this box.
13. Click the Next arrow to continue.
14. On the Review Configuration page, verify the data source details. To modify the current information, click the Back arrow. You are returned to the previous page, where you can modify your entries.
15. When you are satisfied with the configuration information entered, click Copy to copy the information in the new Data Ingest configuration you've just created.
16. In a Web browser, navigate to Ambari and log in using your login credentials.
17. Select the Flume service, and then click the Configs tab.
18. Click the Group dropdown arrow, and then select your Flume Configuration Group.

   Figure 33: Flume Configuration Group

19. In the Flume agent Configs text box, paste the Data Ingest configuration information you copied in Step 15, and then click Save. The new Data Ingest configuration contains all of the configuration information required to ingest your data: completing the ETL process first for Kafka, and then from Kafka to Elasticsearch and to HBase.
20. When prompted, click Restart All Affected Services.

Configure Analytics

An interset.conf file must be created for each tenant in your configuration. Questions about the setting of these values and their impacts that are not covered in this document can be directed to your McAfee Behavioral Analytics support professional.

Analytics

In the Analytics section of the interset.conf file, you can configure each tenantid to reference a specific ZooKeeper instance.

   tenantid = 0
   # Update 'localhost' below to correct zookeeper URL
   zkphoenix = localhost:2181:/hbase-unsecure

Elasticsearch

In the Elasticsearch section of the interset.conf file, you can configure each Elasticsearch cluster to reference a specific Elasticsearch host.

   # Elasticsearch cluster name
   esclustername=interset
   # Elasticsearch host
   eshost=localhost

Spark Runtime

The Spark Runtime controls the tuning settings that are applied to Spark for the Analytics jobs. These settings should not be changed unless you are advised to do so by your McAfee Behavioral Analytics support professional.

   # Number of spark tasks to split tasks by. Should be 2x - 3x cluster cores
   parallelism = 32
   # How many executors to request
   numexecutors = 8
   # How much RAM to request
   executormem = 4g
   # How many cores per executor
   executorcores = 2

Configure Search

Any time you configure a tenant to include a new data source, you must also configure Search.

Important: You cannot configure Search until data has been ingested.

After running Analytics for a tenant for the first time, the search indices must be set up. This step needs to be done only once per tenant; however, it must be done after the first Analytics run. Setting up the Kibana indices will enable Search for the different data types.

For this section, you need to know:

- the tenant ID (TID; the default is 0)
- the data sources being used. This will always include violations (from Workflow), and one or more of Active Directory event logs, or repository data.

Steps

1. Open a Web browser, and go to the Kibana Configure Index Pattern page. You will see a page like this:

   Figure 34: Configure Index Pattern Page

2. In the Index name or pattern box, enter the index name from the table below, replacing <tid> with your tenant ID. The <tid> value should be lower-case characters.

   Note: interset_violations_<tid> will not exist unless a violation was triggered. If Kibana does not recognize the index pattern, do not create it at this time.

   Data Type                  Index Name                        Timestamp Field
   All                        interset_*_rawdata_<tid>          timestamp
   Active Directory, auditd   interset_a*d_rawdata_<tid>        timestamp
   Printer                    interset_printer_rawdata_<tid>    timestamp
   Repository                 interset_repo_rawdata_<tid>       timestamp
   Web Proxy                  interset_webproxy_rawdata_<tid>   timestamp
   Workflow Violations        interset_violations_<tid>         timestamp
   AuditD                     interset_auditd_rawdata_<tid>     timestamp
   NetFlow                    interset_netflow_rawdata_<tid>    timestamp
   Finance Expense            interset_expense_rawdata_<tid>    timestamp
                              interset_ _rawdata_<tid>          timestamp
   Universal Alert            interset_violations_<tid>         timestamp

   Figure 35: Enter Index Name or Pattern

3. In the Time-field name box, enter the appropriate Timestamp Field value from the table above.

   Figure 36: Enter Timestamp Field Value

4. Click Create. You will always need to add the Workflow entry, and one or more of the other data types.
5. For each subsequent data type, click Add New.

   Figure 37: Adding Data Type

6. After enabling Search for one or more data types, click Discover in the sidebar menu to begin searching.

   Figure 38: Discover

Configure New Action Mappings for Existing Data Sources

1. Open a Web browser, and sign in to the McAfee Behavioral Analytics server as an Administrator.
2. On the Overall Risk page, click the Settings icon in the upper-right corner to open the Settings page.
3. On the Settings page, click Map Actions to launch the Action Mapping wizard.
4. On the Action Mapping page, under Add New Actions, click the Data Type dropdown arrow to select the data source type.
5. Under Action, enter the new data source action value you want to map.
6. Under Mapping, click the dropdown arrow to select the schema action value to which the new data source action will be mapped.
7. Click Add to continue adding and mapping new data source action values until your list is complete.

   Tip: To remove an existing mapped action, click Remove.

8. Click Add to save the new action mappings. For all future ingests of the selected data type, the new action mappings will be applied.

   Tip: You can update the data source action mappings by following these same steps.

Resolve Multiple Entities in Source Data

This section describes how to resolve entities when one user entity appears with more than one <username> value in your source data. For example, if John Smith registers in your source data as both jsmith and jsmith@yourcompany.com, you will want to have the analytics for John Smith consolidated as one complete story, rather than as two separate ones.

The resolution of these multiple entities representing the same user must occur prior to data ingest. Therefore, redefining these entities and mapping one to the other is carried out using Regular Expressions (Regex) in the data ingest configuration file.

Steps

1. Open your Ingest config group configuration within your Flume configuration in Ambari.
2. Locate the Interceptors (Transform) section.
3. In the Interceptors (Transform) section, do the following:
   - In the following line, add findreplace:

     interset_auth_events_<did>_<tid>_csv.sources.dirsource.interceptors = logger findreplace deauthtoavro

   - Add the following lines:

     interset_auth_events_<did>_<tid>_csv.sources.dirsource.interceptors.findreplace.type = com.interset.flume.interceptor.dictionaryeventfindreplaceinterceptor$builder
     interset_auth_events_<did>_<tid>_csv.sources.dirsource.interceptors.findreplace.keys = <Key of the Value to do regex on>
     interset_auth_events_<did>_<tid>_csv.sources.dirsource.interceptors.findreplace.find = <regex expression>
     interset_auth_events_<did>_<tid>_csv.sources.dirsource.interceptors.findreplace.replace = <optional replace expression>
     # By default, we don't drop events that are missing the keys.
     #interset_auth_events_<did>_<tid>_csv.sources.dirsource.interceptors.findreplace.dropeventsmissingkey = false
     # By default, we drop events that don't match the regex.
     #interset_auth_events_<did>_<tid>_csv.sources.dirsource.interceptors.findreplace.dropeventsnotmatching = true

4. Save the updated configuration file. The next time your source data is ingested, for each user that has two discrete entities (in this example, jsmith and jsmith@yourcompany.com), the two values will be merged to create one user entity.
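The find/replace interceptor above runs inside Flume, so a regex that is too narrow is only discovered after an ingest has already dropped events (the default for dropeventsnotmatching is true). The following script is an added example, not McAfee or Interset code: it re-implements the documented interceptor semantics (keys, find, replace, dropeventsmissingkey, dropeventsnotmatching) in Python so that a pattern can be tried on a few sample rows before the configuration is pasted into Ambari. The event layout (a dict of parsed CSV fields), the sample rows and the regex are constructed for the demonstration, and the Java regex dialect used by the real interceptor is assumed to behave like Python's re for patterns of this kind.

```python
"""Offline emulation of the Flume findreplace interceptor configured above.

Added example, not McAfee or Interset code. Assumptions: an event is a dict
of parsed CSV fields; the Java regex used by the real interceptor behaves
like Python's re for patterns of this kind.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class FindReplaceConfig:
    keys: List[str]                         # ...findreplace.keys
    find: str                               # ...findreplace.find
    replace: Optional[str] = None           # ...findreplace.replace (optional)
    drop_events_missing_key: bool = False   # ...dropeventsmissingkey (documented default)
    drop_events_not_matching: bool = True   # ...dropeventsnotmatching (documented default)


def apply_find_replace(event: Dict[str, str], cfg: FindReplaceConfig) -> Optional[Dict[str, str]]:
    """Return a rewritten copy of the event, or None if the event is dropped."""
    pattern = re.compile(cfg.find)
    out = dict(event)
    for key in cfg.keys:
        if key not in out:
            if cfg.drop_events_missing_key:
                return None
            continue                      # default: pass the event through untouched
        if not pattern.search(out[key]):
            if cfg.drop_events_not_matching:
                return None               # default: an unmatched value drops the event
            continue
        if cfg.replace is not None:
            out[key] = pattern.sub(cfg.replace, out[key])
    return out


def resolve_entities(events: List[Dict[str, str]],
                     cfg: FindReplaceConfig) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Split events into (kept-and-rewritten, dropped) lists."""
    kept, dropped = [], []
    for event in events:
        result = apply_find_replace(event, cfg)
        if result is None:
            dropped.append(event)
        else:
            kept.append(result)
    return kept, dropped


# Constructed sample rows standing in for parsed Active Directory and printer CSV data.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"user": "jsmith", "action": "success"},
    {"user": "jsmith@yourcompany.com", "action": "success"},
    {"user": "CORP\\jsmith", "action": "failure"},
    {"user": "mallory@othercorp.com", "action": "success"},
    {"action": "success"},                  # row with no user column at all
]

# Illustrative pattern (constructed): strip an optional DOMAIN\ prefix and an
# optional @yourcompany.com suffix, keeping the bare account name in group 1.
ENTITY_RESOLUTION = FindReplaceConfig(
    keys=["user"],
    find=r"^(?:[A-Za-z0-9_.-]+\\)?([A-Za-z0-9_.-]+)(?:@yourcompany\.com)?$",
    replace=r"\1",
)

if __name__ == "__main__":
    kept, dropped = resolve_entities(SAMPLE_EVENTS, ENTITY_RESOLUTION)
    print("kept:", kept)        # every jsmith variant collapses to "jsmith"
    print("dropped:", dropped)  # the foreign-domain account does not match and is dropped
```

Running the sample shows the two edge cases the commented defaults control: the row with no user field is kept unchanged because dropeventsmissingkey defaults to false, while mallory@othercorp.com is dropped because dropeventsnotmatching defaults to true. If that drop is unwanted, the pattern must be widened or dropeventsnotmatching set to false before the configuration is saved.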

Configure McAfee Behavioral Analytics to Ingest Universal Third-party Alerts

When you ingest third-party Universal Alert data as violations, these alerts can then be analyzed by McAfee Behavioral Analytics in the context of the entirety of your organizational data. These Universal Alert violations are similar to other McAfee Behavioral Analytics violations, forming part of the hourly risk information and appearing as anomalies in the McAfee Behavioral Analytics user interface. Examples of supported third-party alert sources include DLP products, malware alerts, networking alerts, and so on. The third-party Universal Alert data must be in .csv format.

Ingesting third-party Universal Alert data as violations involves:

- using the API to first define the columns in your third-party Universal Alert data, and then to map those columns to the schema;
- using Workflow to create violations based on conditions you define; and
- updating the Universal Alert Data Ingest Configuration information and ingesting the third-party alerts.

Important: When Universal Alert data is initially ingested, these alerts have a risk score of zero (0). To see these new Universal Alert violations and for them to reflect a risk score other than zero, you must create one or more Workflows to define new violations with an assigned severity.

Use the API to Define and Map the Universal Alert Columns

After your Universal Alert data has been exported to .csv format, you can use the API to identify the columns in your data, and then to map those columns to the schema upon ingest. McAfee Behavioral Analytics provides a number of predefined column definitions in the API, as identified below. If you require column definitions beyond those provided by McAfee Behavioral Analytics, you have the flexibility to add those definitions directly in the API.

   Column Heading   Value Type   Display         Description
   user             string       user            The user involved in the event.
   source           string       source          The hostname, machine, and/or system from which the event was generated.
   destination      string       destination     The resource the client is trying to access (e.g. /assets/cat.gif).
   type             string       type            The type of event.
   application      string       application     The application associated with the event.
   action           string       action          The outcome of the event (e.g. success, failure).
   message          string       message         The text of the message in the event.
   duration         string       duration        The time spent servicing the event, in milliseconds.
   filename         string       filename        The name of the file associated with the event.
   severity         string       severity        The severity of the associated event.
   signature        string       signature       The Windows event code associated with the event (e.g. 4624).
   size             number       size            Total size of the file associated with the event, in bytes.
   tag              string       tag             Metadata associated with events or alerts.
   vendorproduct    string       vendorproduct   The reporting software. For example, McAfee DLP.
   status           string       status          The resolution status of the alert (for example, resolved, under investigation, false positive, etc.).
   sourceip         string       sourceip        The client IP associated with the event.
   destinationip    string       destinationip   The resource IP the client is trying to access (e.g. /assets/cat.gif).

   Table 1: Column Definitions

1. In a Web browser, log in to the Reporting server as an Administrator.
2. On the Overall Risk page, click the Settings icon in the upper-right corner to open the Settings page.
3. On the Settings page, in the API section, click Access the API.
4. In Swagger, expand rules, and then expand Get /rules/config.
5. In the lower-left corner of the Response Class box, click Try it out! to explore the pre-defined Universal Alert data column definitions in the Response Body section.
6. To edit or extend the predefined column heading parameters to align them with the column headings of your organization's Universal Alerts, do the following:
   - Copy all of the text in the Response Body section to a text editor.
   - In the text editor, update the parameter information as required. For example, if your Universal Alert data column heading is "username" instead of "user" as currently defined in the API, replace "user" with "username". If you have Universal Alert data column headings that do not appear in the predefined parameters, you can create a new mapping by creating a new JSON block. For example:

        {
          "name": "bus_unit",
          "type": "string",
          "display": "Business Unit"
        }

     The "name" represents the value of your Universal Alert data column heading as it is defined in your ingest configuration file. The "type" is either 'string' or 'number'. The "display" value is the name of your Universal Alert data column heading in the Workflow user interface.
   - When you have finished updating the column heading parameters, while still in the text editor, scroll down to the "ViolationsMapping" section, and update the schema mapping for each parameter that you modified. For example, if you changed "user" to "username", update the "userid" schema parameter from "user" to "username".
   - Copy all of the text from the text editor.
   - In Swagger, expand the Post /rules/config section, and paste the copied text in the body text box in the bottom half of the page.
   - Click Try it out! to save your changes.

7. To verify your changes, expand the Get /rules/config section, and click Try it out! to view the updated Universal Alert column headings.

Use McAfee Behavioral Analytics Workflow to Create Violations with Risk Weights

1. In the Settings page, in the Workflows section, click Configure a Workflow.
2. At the top right of the Current Workflows page, click the Add Workflow button to open the Add New Workflow page.
3. On the Add New Workflow page, in the Source section, select Universal Alert, and then click the Next icon.

   Note: The Universal Alert has only one Detect and Trigger option to choose from. When you click the Next icon, these options will automatically be chosen for you and bring you to the Conditions section.

4. On the Add New Workflow page, in the Conditions section, select your conditions, and then click the Next icon.

   Tip: The selection list contains the column headings you defined in the rules/config section of the API in Swagger.

5. Confirm your selected conditions. To add more conditions, click Add Conditions. When you are satisfied with your conditions selection, choose whether you want ALL of these conditions are true or ANY of these conditions are true to apply. Then, click Next.
6. On the Add New Workflow page, in the Actions section, select flag as a violation.
7. In the Set severity to field, select the severity level you want applied to the violation from the dropdown menu (Low, Medium, High, or Extreme), and then click the Next icon. This severity level will be attached to the risk score of the new violations.
8. Confirm your selected actions. To add more actions, click Add Actions. When you are satisfied with your actions selection, click Next.
9. On the Add New Workflow page, in the Review section, review your Workflow and make any changes necessary.
10. When you are satisfied with your Workflow, enter the name of your Workflow in the Workflow Name field, and then click Save.
11. To activate the Workflow, in the Activate column, click the Activate button that corresponds to your Workflow.

Update the Universal Alert Data Ingest Configuration Information

1. In a Web browser, log in to the Reporting server as an Administrator.
2. On the Overall Risk page, click the Settings icon in the upper-right corner to open the Settings page.
3. On the Settings page, click Configure a Data Source to open the Data Configuration wizard.
4. On the Configure a Data Source page, click the Choose Your Data Type dropdown arrow and then, from the list, select Alert (Universal).
5. Enter the connection details for your Universal Alert data, and then click Next.

   Tip: To anonymize the data, select the Anonymize checkbox.

6. In the Map Your Columns page, click Browse to locate and then upload a sample data source file. When you upload a sample data source file, the column Header, column Sample Row, and schema Mapping appear.

   Tip: If you do not upload a sample data source file, you can optionally assign numerical values to the column order in which your data appears. For example, if the timestamp data in your source data appears in the third column, enter 3 in the Header Order field.

7. Map the action values in your source data to values available in the schema:
   - If actions appear under Actions Found, click the Mapping dropdown arrow to map the action to the corresponding action value. For example, if success appears under Actions Found, click the Mapping dropdown arrow and then select success.
   - If your source data includes action values other than those available in the Mapping dropdown list, click Add, enter the action value under Actions Found, and then click the Mapping dropdown arrow to select the schema action value to which to map it.

53 Tip: You can also choose to ignore action values in your source data by not mapping these actions to schema action values. When these action values are not mapped, they will not be analyzed by McAfee Behavioral Analytics and will therefore not factor into the Analytics results. 8. Click the Next arrow to continue. 9. Enter the tenant ID, the DID, and the Kafka, Elasticsearch, and ZooKeeper connection information. 10. If you want to configure violations, select the Violations checkbox. Tip: If this is not the first data source for this tenant, clear this checkbox. 11. Click Next to continue. 12. On the Review Configuration page, verify the data source details. 13. Save the updated configuration file locally. 14. In a Web browser, navigate to and then log in to Ambari using your credentials. 15. Select the Flume service, and then click the Configs tab. 16. Click the Group dropdown arrow, and then select your Flume configuration group. Figure 39: Select Configuration 17. At the bottom of the Flume agent config text box, paste the Universal Alerts data ingest configuration information, and then click Save. 18. When prompted, restart all affected services

Administer McAfee Behavioral Analytics for End Users

There are many tasks that you can perform as the McAfee Behavioral Analytics Administrator to ensure that the Analytics end users have access to the information they need, when they need it. These tasks include:
- scheduling data ingest to meet your end user requirements
- creating Workflows for notifications, violations, and other actions
- managing bot and bot-like users

Schedule Data Ingest

To ingest log files on a specified schedule so that your end users have access to cumulative Analytics at midnight, you can create a cron job. For example, if the source machine is a Perforce server and the Samba share is mounted at /mnt/mba-incoming, you can use crontab -e to edit the list of cron jobs. The command below copies all Perforce logs to the McAfee Behavioral Analytics server each day at midnight.

    0 0 * * * cp /var/log/perforce/* /mnt/mcafee-incoming && sudo chown -R flume:hadoop /mnt/mcafee-incoming/

Create Workflows

Workflows ensure that McAfee Behavioral Analytics consumers, who rely on the data to identify the top risky entities and behaviors occurring in the organization, are made immediately aware of specific areas of potential concern, so that appropriate, proactive measures can be taken in a timely manner. With Workflows, McAfee Behavioral Analytics Administrators can build custom use cases to highlight specific information for their end users, based on a wide range of criteria. When Workflows include email or SMS notifications or REST API calls, these notifications and corrective actions occur instantaneously, in real time. When Workflows include the creation of violations or changes in severity level, these outcomes are available the next time Analytics runs on the data.

For example, a Security team may wish to be notified immediately, and have initial corrective measures put in place, any time an individual inappropriately attempts to access a restricted project repository. By creating Workflows based on specific conditions, the Security team can easily configure real-time notifications, and even control access privileges using REST APIs, when those conditions are met.

In the Workflow page, dropdown menus and dynamic options facilitate building the Workflow definitions. Only users with Administrator privileges can create Workflows.

When creating Workflows, there are a number of things you will want to learn:
- that the Workflow Engine is running
- how to configure Workflow for different data sources
- the criteria and/or conditions that warrant Workflows
- how to alert your end users to risky entities and behaviors
- how to create effective Workflows
- how to scale your Workflows

At the end of this Appendix, we've added some Workflow examples to guide you as you create your own Workflows.

Verify the Workflow Engine is Running

Before you begin working with Workflows, confirm that the Workflow engine deployed for your tenant is running.

1. On the Master node, run the following status command as the interset user:

    /opt/interset/rules/bin/workflow.sh --status ../conf/rules.conf

   The expected response includes information on Topology_name, STATUS, Num tasks, Num_workers, and Uptime-secs.

Additional ways to verify that Workflows are processing data include:
- Creating a Workflow that sets a violation that is sure to be triggered, ingesting the data, and then running the following command on the Data node to see whether messages are showing up in the Kafka topics:

    /usr/hdp/current/kafka-broker/bin/kafka-console-consumer.sh --from-beginning --max-messages 10 --zookeeper localhost:2181 --topic interset_violations_<tid>

- Using the Phoenix console to confirm that data is being written to HBase:

    /opt/interset/analytics/bin/sql.sh --action console --dbserver <data node FQDN>:2181/hbase-unsecure

  and then running the following query:

    SELECT * FROM VIOLATIONS WHERE TID='<TID>'

Tip: Workflows are configured on a per-tenant basis. When your configuration includes multiple tenants, each tenant must have its own Workflow engine and associated Workflow configuration file (for example, rules-tid-0.conf).

Important: Do not delete any of the lines in the rules.conf files, even if they are not relevant to your tenant or Workflow.

Configure Workflow for Different Data Sources

To create Workflows for data sources other than Active Directory authentication, you will need to enable the Kafka Spout topic settings in the rules.conf configuration file.

As long as a data source has been configured in the Flume Configuration Group and data has been ingested, the Kafka topic required for that data source will exist on the Stream node. However, if the data source has not yet been configured for McAfee Behavioral Analytics and data has not yet been ingested, you will need to manually create the Kafka topics.

In addition, because Workflow runs against data as it is ingested, you cannot create Workflows on historical data. To get the Workflow results you want, ensure that the Kafka topics exist, and that the Kafka Spout topics are enabled, before ingesting your data.

The Kafka and Kafka Spout topics required by McAfee Behavioral Analytics, along with the default tenant and data source IDs (tid, did), are listed in the table below.

Table 1: Kafka Topics

Data Source Type         Kafka Topic                             Kafka Spout Topic                                 Default did   Default tid
Authentication events    interset_auth_events_<did>_<tid>        #KafkaSpoutAdTopics = <kafka_topic>               0             0
Repository events        interset_repo_events_<did>_<tid>        #KafkaSpoutRepoTopics = <kafka_topic>             0             0
AuditD events            interset_auditd_events_<did>_<tid>      #KafkaSpoutAuditdTopics = <kafka_topic>           0             0
Web Proxy events         interset_webproxy_events_<did>_<tid>    #KafkaSpoutProxyTopics = <kafka_topic>            0             0
Windows Printer events   interset_printer_events_<did>_<tid>     #KafkaSpoutWindowsPrinterTopics = <kafka_topic>   0             0
Violations               interset_violations_<tid>               n/a                                               n/a           0
NetFlow                  interset_netflow_events_<did>_<tid>     #KafkaSpoutNetFlowTopics = <kafka_topic>          0             0
Finance Expense          interset_expense_events_<did>_<tid>     #KafkaSpoutExpenseTopics = <kafka_topic>          0             0
Email                    interset_ _events_<did>_<tid>           #KafkaSpout Topics = <kafka_topic>                0             0
Universal Alert          interset_alert_events_<did>_<tid>       #KafkaSpoutGenericAlertsTopics = <kafka_topic>

Steps

1. Navigate to the Stream node, and run the following command to list the Kafka topics created for your McAfee Behavioral Analytics cluster:

    /usr/hdp/current/kafka-broker/bin/kafka-topics.sh --zookeeper <master_node_server_name>:2181 --list

   The response returned will include all the existing Kafka topics. If the Kafka topic for your data source is returned, proceed directly to Step 3.
2. If the required Kafka topic is not returned, run the following command to create the Kafka topic:

    /usr/hdp/current/kafka-broker/bin/kafka-topics.sh --zookeeper <master_node>:2181 --create --topic "kafka_topic" --partitions 8 --replication-factor 1

   Run the following command, this time to ensure the topic was created:

    /usr/hdp/current/kafka-broker/bin/kafka-topics.sh --zookeeper <master_node_server_name>:2181 --list

   The new Kafka topic will appear in the list.
3. On the Master node, navigate to /opt/interset/rules/conf/ and open the rules.conf file.
4. Uncomment the relevant Kafka Spout topic for the data source by removing the hash (#) symbol. For example, to enable the Auditd Kafka Spout topic, change

    #KafkaSpoutAuditdTopics = interset_auditd_events_0_0

   to

    KafkaSpoutAuditdTopics = interset_auditd_events_0_0

   and then save the rules.conf file.
5. Kill the currently running Workflow topology, and then redeploy it using the following commands:

    /opt/interset/rules/bin/workflow.sh --kill /opt/interset/rules/conf/rules.conf
    /opt/interset/rules/bin/workflow.sh --deploy /opt/interset/rules/conf/rules.conf

Use these same steps to enable other data sources for Workflow, such as repository, Web Proxy, and so on.

Workflow Scenarios

Workflow offers a full range of criteria that you can apply to define the conditions that trigger a notification, a violation, or a REST API call to implement a corrective action. Working together with your organization's Security specialists, you define the circumstances that require Workflows.

Workflows can be created and applied to the following types of data: Active Directory log, Linux Audit (auditd), Web Proxy, McAfee Behavioral Analytics, Printer, Repository log, NetFlow, Finance Expense, and Universal Alert.

For example, specific project repositories may be highly sensitive and require that the Security team be alerted to activity by users not belonging to a particular work group. Or, Security team members may wish to be made aware of any user risk score above an identified threshold. These are ideal circumstances in which to implement a Workflow.

Depending on the data source, a Workflow can be applied to the following entities: a user, a user's login, a machine, or a project. Isolating activity to a specific entity in a Workflow allows your Security team to be alerted, and corrective actions to be implemented, when the defined criteria for that entity are met. For more information about Workflow entities and conditions, see the Workflow definition variables for your data source.
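To script step 4 of the Configure Workflow for Different Data Sources procedure above, here is an added shell example (not from the McAfee Behavioral Analytics guide) that uncomments the Kafka Spout key in rules.conf in place, after checking a saved kafka-topics.sh --list output for the Kafka topic from steps 1 and 2. File paths, key names and topic names are the ones the guide shows; the function names and the sample rules.conf and topic listing are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the McAfee Behavioral Analytics guide: script the
# rules.conf edit from "Configure Workflow for Different Data Sources" so that
# the Kafka Spout key is uncommented in place and every other line survives
# (the guide warns never to delete lines from rules.conf). Paths, key names and
# topic names are the ones the guide shows; the function names are this
# example's own.

# topic_exists TOPIC LISTING -> 0 if TOPIC is a whole line of LISTING, a file
# holding the saved output of kafka-topics.sh --zookeeper <host>:2181 --list.
topic_exists() {
    grep -qx -- "$1" "$2"
}

# spout_enabled CONF KEY -> 0 if CONF already has an uncommented "KEY = ..." line.
spout_enabled() {
    grep -Eq "^[[:space:]]*$2[[:space:]]*=" "$1"
}

# enable_spout_topic CONF KEY TOPIC
# Rewrites the commented "#KEY = <old value>" line as "KEY = TOPIC" and copies
# every other line verbatim, so the line count never changes. Running it again
# on an already enabled key is a no-op; it never appends a key that is absent.
enable_spout_topic() {
    conf=$1; key=$2; topic=$3
    tmp="$conf.tmp.$$"
    sed -e "s|^[[:space:]]*#[[:space:]]*$key[[:space:]]*=.*|$key = $topic|" "$conf" > "$tmp" \
        && mv "$tmp" "$conf"
}

# enable_for_source CONF KEY TOPIC LISTING
# Steps 1 to 4 of the guide in one call: refuse to enable a Spout topic whose
# Kafka topic does not exist yet (Workflow only sees data ingested after the
# topic is enabled, so the topic must exist first), otherwise edit rules.conf.
enable_for_source() {
    if ! topic_exists "$3" "$4"; then
        echo "Kafka topic $3 not found; create it with kafka-topics.sh --create before enabling $2" >&2
        return 1
    fi
    enable_spout_topic "$1" "$2" "$3"
}

# Walk-through on a constructed rules.conf and topic listing (sample data,
# not taken from a real tenant).
d=$(mktemp -d)
printf '%s\n' '#KafkaSpoutAdTopics = interset_auth_events_0_0' \
    '#KafkaSpoutAuditdTopics = interset_auditd_events_0_0' > "$d/rules.conf"
printf '%s\n' interset_auth_events_0_0 interset_auditd_events_0_0 interset_violations_0 > "$d/topics.txt"
enable_for_source "$d/rules.conf" KafkaSpoutAuditdTopics interset_auditd_events_0_0 "$d/topics.txt" \
    && cat "$d/rules.conf"
rm -rf "$d"
```

After the edit, step 5 of the procedure (kill and redeploy the topology with workflow.sh) still has to be run by hand.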
Workflow action Triggers are specific to each data source. For example, for repository log data, you can select the Trigger retrieving data. For more information about Workflow Triggers, conditions, and characteristics, see the Workflow definition variables for your data source.

For more information about defining the data source, entity, and triggers in Workflows, see "Workflow Example" on page 67.

Workflow Notifications and Outcomes

Working together with your organization's Security specialists, you can configure a number of different notifications and outcomes to occur when the criteria defined in the Workflow are met:

Flag as a violation
Violations are special alerts designed to identify specific risky behaviors. When you include Flag as a violation as a Workflow outcome, you also define the associated severity of that violation. The violation and associated severity are then factored into the Analytics and appear in the Matrix of Anomalies & Violations the next time the Analytics are run.
Flagging as a violation is not a supported outcome when McAfee Behavioral Analytics (the Analytics) is the data source, because it could create a circular dependency.
When you create Workflows that include violations, you must configure Data Transport configuration information for these violations to be included the next time the Analytics are run. For more information about configuring Data Transport configuration information, see "Workflow Violations" on page 69.
To flag a Workflow outcome as a violation, on the Actions page, select flag as a violation and then set the violation severity level.

Change the importance
Changing the importance of an entity makes that entity more sensitive to anomalies. When two entities trigger the exact same anomaly, the entity with higher importance will end up with a higher risk score and higher risky hours scores than the entity with low importance.
Changing the importance is not a supported outcome when McAfee Behavioral Analytics is the data source, because it could create a circular dependency.
To create a Workflow outcome that changes the importance of the entity, on the Actions page, select the change the importance radio button. Then, specify the entity and the new level of importance.

Send an email
Configure an email to be sent to alert one or more recipients that the Workflow criteria were met.
To create a Workflow outcome that sends an email to one or more recipients, on the Actions page, select the send an email radio button. Then, complete the required fields to provide the email information.

Send an SMS
Send a text message to alert one or more recipients that the Workflow criteria were met.
To create a Workflow outcome that sends a text message, on the Actions page, select send an SMS. Then, complete the required fields to provide the SMS information.
Note: When you complete the fields for an SMS or email notification, any backslash is converted to a forward slash when the fields are converted to outputs. This ensures that the formatting is maintained in the output.

Call a REST API
Call a REST API to implement an action when the Workflow criteria are met. For example, configure a Workflow to restrict access permissions when the risk score for any user with Administrator privileges is higher than 50.
To create a Workflow outcome that calls a REST API, on the Actions page, select call a REST API. Then, complete the required fields to call the REST API.

Send to McAfee DXL
Send a notification to the McAfee Data Exchange Layer (DXL) to alert systems and/or applications that the Workflow criteria were met.
To create a Workflow outcome that sends a notification to the McAfee DXL, on the Actions page, select send to DXL. Then, complete the required fields to send the notification to DXL.

Export as CEF messages to an ArcSight syslog server
Send a notification as a CEF export to ArcSight syslog servers to inform users that the Workflow criteria were met.
To create a Workflow outcome that exports a CEF message to an ArcSight syslog server, on the Actions page, select send to CEF syslog. Then, complete the required fields to export the CEF message.

Send to Splunk
Send a notification to Splunk to alert systems and/or applications that the Workflow criteria were met. The Workflow engine must have been configured to send notifications to Splunk. For more information, in the "Configure Workflow" chapter of the McAfee Behavioral Analytics Installation and Configuration Guide, see "Configure Splunk".
To create a Workflow outcome that sends a notification to Splunk, on the Actions page, select send to Splunk. Then, complete the required fields to send the notification to Splunk.

Send to Phantom
Send a notification to Phantom to alert systems and/or applications that the Workflow criteria were met. The Workflow engine must have been configured to send notifications to Phantom. For more information, in the "Configure Workflow" chapter of the McAfee Behavioral Analytics Installation and Configuration Guide, see "Configure Phantom".
To create a Workflow outcome that sends a notification to Phantom, on the Actions page, select send to Phantom. Then, complete the required fields to send the notification to Phantom.

For more information about defining outcome actions in Workflows, see "Workflow Example" on page 67.

Workflow Definitions

The Workflow definition variables are listed below, by data source, under the four parts of a Workflow definition: Detect, Trigger, Conditions, and Actions.

Active Directory Workflow Variables
Workflow Data Source: Active Directory
  Detect: someone; someone whose name is / is not <X>, contains / does not contain <X>, matches / does not match <X> (3 Variables)
  Trigger: 24 Variables
  Conditions: 20 Variables; operators: is / is not, contains / does not contain, matches / does not match, equals / is not equal to <X> (signature ID variable only); ALL of these Conditions are true / ANY of these Conditions are true
  Actions: 9 Variables

Linux Audit (auditd) Workflow Variables
Workflow Data Source: Linux Audit (auditd)
  Detect: someone; someone whose login is / is not <X>, contains / does not contain <X>, matches / does not match <X> (3 Variables)
  Trigger: 85 Variables
  Conditions: 20 Variables; operators: is / is not, contains / does not contain, matches / does not match; ALL of these Conditions are true / ANY of these Conditions are true
  Actions: 9 Variables

Web Proxy Workflow Variables
Workflow Data Source: Web Proxy
  Detect: someone; someone whose client IP is / is not <X>, contains / does not contain <X>, matches / does not match <X>
  Trigger: done anything; 15 Variables
  Conditions: 20 Variables; operators: is / is not, contains / does not contain, matches / does not match, equals / is not equal to <X>, is less than / is greater than <X>, is less than or equal to / is greater than or equal to <X> (the last three for the payload size, req payload size, and time spent variables only); ALL of these Conditions are true / ANY of these Conditions are true
  Actions: 9 Variables

McAfee Behavioral Analytics Workflow Variables
Workflow Data Source: McAfee Behavioral Analytics
  Detect: a user; a user whose name is / is not <X>, contains / does not contain <X>, matches / does not match <X>; a machine; a machine whose name is / is not <X>, contains / does not contain <X>, matches / does not match <X>; a project; a project whose name is / is not <X>, contains / does not contain <X>, matches / does not match <X>
  Trigger: done anything; 2 Variables
  Conditions: operators: equals / is not equal to <X>, is less than / is greater than <X>, is less than or equal to / is greater than or equal to <X>; ALL of these Conditions are true / ANY of these Conditions are true
  Actions: 7 Variables

Printer Workflow Variables
Workflow Data Source: Printer
  Detect: someone; someone whose login is / is not <X>, contains / does not contain <X>, matches / does not match <X> (3 Variables)
  Trigger: 8 Variables
  Conditions: 20 Variables; operators: is / is not, contains / does not contain, matches / does not match, equals / is not equal to <X>, is less than / is greater than <X>, is less than or equal to / is greater than or equal to <X> (the last three for the file size and number of pages variables only); ALL of these Conditions are true / ANY of these Conditions are true
  Actions: 9 Variables

Repository Log Workflow Variables
Workflow Data Source: Repository
  Detect: someone; someone whose login is / is not <X>, contains / does not contain <X>, matches / does not match <X> (3 Variables)
  Trigger: 3 Variables
  Conditions: 20 Variables; operators: is / is not, contains / does not contain, matches / does not match; ALL of these Conditions are true / ANY of these Conditions are true
  Actions: 9 Variables

NetFlow Workflow Variables
Workflow Data Source: NetFlow
  Detect: someone
  Trigger: done anything; 49 Variables
  Conditions: 20 Variables; operators: is / is not, contains / does not contain, matches / does not match, equals / is not equal to <X>, is less than / is greater than <X>, is less than or equal to / is greater than or equal to <X> (the last three for the dtas, flows, inbytes, inpkts, I4DstPort, I4SrcPort, outbytes, outpkts, srcas, totalbytesexp, totalflowsexp, and totalpktsexp variables only); ALL of these Conditions are true / ANY of these Conditions are true
  Actions: 9 Variables

Finance Expense Workflow Variables
Workflow Data Source: Finance Expense
  Detect: someone; someone whose employee ID is / is not <X>, contains / does not contain <X>, matches / does not match <X>
  Trigger: done anything; 20 Variables
  Conditions: 20 Variables; operators: is / is not, contains / does not contain, matches / does not match, is empty / is not empty, equals / is not equal to <X>, is less than / is greater than <X>, is less than or equal to / is greater than or equal to <X> (the last three for the expense amount (USD) variable only); ALL of these Conditions are true / ANY of these Conditions are true
  Actions: 9 Variables

Email Workflow Variables
Workflow Data Source: Email
  Detect: someone; someone whose sender address, someone whose recipient address, or an attachment whose name is / is not <X>, contains / does not contain <X>, matches / does not match <X> (5 Variables)
  Trigger: done anything; 6 Variables
  Conditions: 20 Variables; operators: is / is not, contains / does not contain, matches / does not match, equals / is not equal to <X>, is less than / is greater than <X>, is less than or equal to / is greater than or equal to <X> (the last three for the size of email, number of attachments, and attachment size variables only); ALL of these Conditions are true / ANY of these Conditions are true
  Actions: 9 Variables

Universal Alert Workflow Variables
Workflow Data Source: Universal Alert
  Detect: something
  Trigger: done anything; 17 Variables
  Conditions: 20 Variables; operators: is / is not, contains / does not contain, matches / does not match, equals / is not equal to <X>, is less than / is greater than <X>, is less than or equal to / is greater than or equal to <X> (the last three for the size variable only); ALL of these Conditions are true / ANY of these Conditions are true
  Actions: 8 Variables

Scale Your Workflows

In the previous section, Workflow Definitions, the different Workflow definition variables were provided to help you define the criteria upon which to base your Workflow notifications. It is not practical, however, to expect that you would define one unique Workflow for each and every entity that you want to highlight. For example, if there were 20 users in your organization that you considered potential high risks, it is not realistic to expect that you would create 20 separate Workflows to track each one.

To facilitate the implementation of Workflows that apply to multiple entities, McAfee Behavioral Analytics allows you to define multiple entities of the same type using a separate file. For example, rather than having 20 individual Workflows to highlight each time one of 20 administrator users fails to authenticate, you can now have one Workflow that uses the data uploaded from a text file that, in turn, lists the 20 administrator users.

Similarly, you may want to create a Workflow in which a condition may have multiple values. For example, you want to be alerted whenever a specific user account accesses one of several destination IP addresses via Web proxy. Rather than having separate Workflows to identify each individual destination IP address, you can now have one Workflow that uses the destination IP addresses uploaded from one text file.
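As an added example (not from the McAfee Behavioral Analytics guide), here is a shell check to run on a Workflow list file before uploading it with workflow.sh --createlist, enforcing the one-entry-per-line and data-format requirements described next; which format each list type is held to (iplist, fqdnlist, regexlist) is this example's own assumption, and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not part of the McAfee Behavioral Analytics guide: check a
# Workflow list file before uploading it with
#   workflow.sh --createlist /opt/interset/rules/conf/rules.conf <list_type> <file>
# The guide requires one entry per line and values in the ingested data's
# format; the format applied to each list type below (iplist, fqdnlist,
# regexlist) is this example's assumption. Other list types get only the
# generic checks (no blank lines, no whitespace, no duplicates).

# valid_ipv4 VALUE -> 0 if VALUE is a dotted-quad IPv4 address (octets 0-255)
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# valid_fqdn VALUE -> 0 if VALUE looks like a fully-qualified domain name
valid_fqdn() {
    printf '%s\n' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'
}

# valid_regex VALUE -> 0 if grep -E accepts VALUE as a pattern; grep exits
# with status 2 when the pattern itself is malformed.
valid_regex() {
    grep -Eq -- "$1" /dev/null 2>/dev/null
    [ $? -ne 2 ]
}

# validate_list_file TYPE FILE
# Prints the number of problems found on stdout (one diagnostic per problem
# on stderr) and returns 0 only when that number is 0, i.e. the file is ready
# to upload. A trailing CR left by a Windows editor counts as whitespace.
validate_list_file() {
    type=$1; file=$2; bad=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        reason=
        case "$line" in
            '') reason="blank line" ;;
            *[[:space:]]*) reason="whitespace in entry (one value per line, no trailing spaces or CR)" ;;
            *) case "$type" in
                   iplist)    valid_ipv4 "$line"  || reason="not an IPv4 address" ;;
                   fqdnlist)  valid_fqdn "$line"  || reason="not a fully-qualified domain name" ;;
                   regexlist) valid_regex "$line" || reason="malformed extended regular expression" ;;
               esac ;;
        esac
        if [ -n "$reason" ]; then
            echo "$file:$n: $reason" >&2
            bad=$((bad + 1))
        fi
    done < "$file"
    # Duplicate entries: each repeated value counts as one problem.
    dups=$(sort "$file" | uniq -d)
    if [ -n "$dups" ]; then
        echo "$file: duplicate entries:" >&2
        echo "$dups" >&2
        bad=$((bad + $(printf '%s\n' "$dups" | wc -l | tr -d ' ')))
    fi
    echo "$bad"
    [ "$bad" -eq 0 ]
}

# Walk-through on a constructed iplist file (sample data, not a real tenant's):
# one bad octet, one duplicate and one blank line give three problems.
d=$(mktemp -d)
printf '10.0.0.1\n192.168.1.300\n10.0.0.1\n\n' > "$d/iplist.txt"
validate_list_file iplist "$d/iplist.txt" || echo "fix the file before running workflow.sh --createlist"
rm -rf "$d"
```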
Each of these Workflow list files must:
- be tenant-specific;
- reside in a location accessible to the McAfee Behavioral Analytics cluster;
- have no more than one entry per line; and
- contain data values that respect the format of the ingested data.

In addition, the Workflow list file can:
- contain an unlimited number of entries (for example, users); and
- be updated with new information as required.

You can create the following list types for use in your Workflows:
adminlist: A list of administrator users.
applicationlist: A list of applications.
fqdnlist: A list of fully-qualified domain names.
filelist: A list of file names.
hashlist: A list of hashes.
iplist: A list of IPs.
machinelist: A list of machine names.
pathlist: A list of file paths.
projectlist: A list of projects.
regexlist: A list of regex matches.
serverlist: A list of server names.
urllist: A list of URLs.
userlist: A list of users.
udflist1...udflist5: Up to five (5) lists that the user can define.

Manage Workflow Lists

Run the following command on the Master node where Analytics is installed to upload a Workflow list file for use in your Workflow:

    /opt/interset/rules/bin/workflow.sh --createlist /opt/interset/rules/conf/rules.conf <list_type> /tmp/<filename>.txt

Run the following command to update an existing Workflow list file:

    /opt/interset/rules/bin/workflow.sh --updatelist /opt/interset/rules/conf/rules.conf <list_type> /tmp/<filename>.txt

Run the following command to show all the Workflow list files for the tenant:

    /opt/interset/rules/bin/workflow.sh --showlists /opt/interset/rules/conf/rules.conf

Run the following command to show the contents of a Workflow list file:

    /opt/interset/rules/bin/workflow.sh --catlist /opt/interset/rules/conf/rules.conf <list_type> <list_file_path>

Workflow Example

The following example is provided to guide you as you create your own Workflows.

Workflow Example #1: Highlight Risk on a High Priority Project

ABC Company has a highly sensitive, high priority project entitled Pilgrim. The Pilgrim project files are stored in a Perforce repository with access restricted to four (4) ABC Company employees. Because of the extreme sensitivity of the Pilgrim project, the ABC Company Security team has decided to create a Workflow to ensure that, on an ongoing basis, they are advised if any entity other than the four authorized users accesses the Pilgrim project files. In addition, they decide to include Workflow outcomes that result in the creation of a violation, with a severity level of Extreme, when an unauthorized entity attempts to access Pilgrim files.

Tips:
- From the Current Workflows page, on the right side, you can click the DRL button to reveal the Workflow code of a saved Workflow.
- All string comparison operators except contains are case sensitive.
- If you are creating Workflows with criteria containing a backslash ('\'), you need to escape the character in order for the criteria to execute properly. To escape the backslash character, enter two backslashes instead of one.

Steps

1. At the top right of the Current Workflows page, click the Add Workflow button to open the Add New Workflow page.
2. On the Add New Workflow page, in the Source section, select Repository, then click the icon.
3. On the Add New Workflow page, in the Detect section, select someone, then click the icon.
4. On the Add New Workflow page, in the Trigger section, select done anything, then click the icon.
5. On the Add New Workflow page, in the Conditions section, select project, contains, string. In the Enter string... field, type Pilgrim, then click the icon.
6. Click Add Condition to add another Condition.
7. In the Conditions section, select user, does not contain, string. In the Enter string... field, type Chelsea, then click the icon. Chelsea is one of the four ABC Company employees authorized to access the Pilgrim project files.
8. Repeat Step 7 for the remaining three (3) ABC Company employees authorized to access the Pilgrim project files: Andrew, Satoru, and Priya.
9. After creating the last user condition, in the Conditions section, select ALL of these Conditions are true, and then click NEXT. The Workflow is now configured to identify any user that accesses the Pilgrim files who is not authorized to do so.
10. On the Add New Workflow page, in the Actions section, select send an email. In the To: field, type security@abccompany.com. In the Subject: field, type Pilgrim. In the Message: field, type Unauthorized activity in Pilgrim project. In the Insert a property: dropdown text box, select user, and then click the blue up arrow to load the unauthorized user information in the body of the message. In the Choose the frequency dropdown box, select daily.
11. Click the icon.
12. Click Add Action to add another Action.
13. In the Actions section, select flag as a violation, and then set the severity to Extreme.
    Important: Violations that have a severity level of extreme will, on their own, create high risk hours. Setting too many violations at this severity level may create more high risk hours than can be consumed.
14. Click the icon.
15. On the Add New Workflow page, in the Review section, review your Workflow and make any changes necessary. When you are satisfied with your Workflow, enter the name of your Workflow in the Workflow Name field, then click Save. The Workflow appears in the Workflow list.
16. To activate the Workflow, in the Activate column, click the Activate button that corresponds to your Workflow.
    Tip: If you have many Workflows, at the top right of the page, use the dropdown menu to sort them by Activated, Created, Last Modified, or Name.

Result

One month following the implementation of the Pilgrim Workflow, the following occurred: security@abccompany.com received an email with the Subject Unauthorized activity in Pilgrim project. In the body of the email, the user name Brittany appeared.

The Security team immediately explored the risky hours and associated log files in McAfee Behavioral Analytics, and identified Brittany Smith as the user who had triggered the notification. Further investigation revealed that Brittany Smith was the user who had accessed the Perforce Pilgrim repository. The Security team placed immediate restrictions on Brittany Smith's user access, and began a further review of her activity. In the Explore page, the Security team was able to review all of Brittany's past activity and identify some low to medium risky behaviors, including some unusual work hours. The Security team was able to establish, in consultation with Human Resources, that Brittany Smith was a disgruntled employee. Shortly following this event, Brittany Smith's employment at ABC Company was terminated.

Workflow Violations

You can create Workflows that include violations as an outcome. After Analytics is run, these violations become new alerts in McAfee Behavioral Analytics, and influence the risk score of the entities in your system. When you specify Flag as a violation as an outcome in the Workflow definition, you also define the associated severity for that violation: low, medium, high, or extreme.

To leverage violations, in the Data Configuration wizard, select the Violations checkbox when configuring a data source. This selection must only be made once for each tenant.

Manage Bot and Bot-like Users

Internet bots, or Web robots, are software applications that run automated tasks. If your organization has system bot activity, that activity, because of the exceptional speed at which it occurs, will likely generate McAfee Behavioral Analytics Risky Hours in your Analytics. McAfee Behavioral Analytics identifies those system users it deems to be bots, and strips them from the Matrix of Anomalies & Violations.

It is often very difficult to distinguish the system users that are bots from those that are live humans based on user activity alone. Your Security team should work with you to identify those system users that are truly bots, and those that are not. After the true bots are identified, you can configure McAfee Behavioral Analytics to remove these bots from the Analytics. Similarly, if bot-like users have been stripped from the Analytics but are not bots, you can configure McAfee Behavioral Analytics to ensure that these users remain in the Analytics.
Steps 1. Log in to McAfee Behavioral Analytics as an Administrator. 2. Click Settings to open the Settings page. Note: If there is no data in your system, you will automatically be taken to the Settings page. 3. In the Settings page, click Access the API to open the API in Swagger. 4. Ensure that you are authenticated as the root user. The default password is root. Note: If you have configured LDAP for McAfee Behavioral Analytics authentication, you must log in to Swagger as the user you configured as the LDAP "rootuser". For more information, please see "Configure LDAP Authentication" on page

   a. In the Swagger header, click Authorize.
   Figure 1: Swagger Authorization
   b. In the Available authorizations dialog box, under Select OAuth2.0 Scopes, click Authorize.
   Figure 2: Available Authorizations
   If you are already authenticated as root, this button reads Logout; in that case you can cancel out of this step.

   c. In the log in dialog box, enter your user credentials and then click Sign in.
   Figure 3: Log in Page
5. Expand the tuning{tenantid} section.
6. Scroll down and expand the row for PUT /tuning/{tid}/tags/{tag}.
7. Under Parameters, in the entitytype dropdown box, select users.
8. In the entityid box, type the username or ID of the user. To make sure the entityid is accurate, copy it from the Explore page (if the user currently appears in the Analytics) or from the PDF Report (if the user is currently reported as a bot).
9. In the tag box, type one of the following:
   FORCEBOT, if the entity currently appears as a user in the Analytics and you want to tag it as a bot.
   NOTBOT, if the entity currently appears as a bot in the PDF Report and you want to tag it as a user.
10. Click Try it out! to apply the new entity tag.
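Scripting the same call for a reviewed list of accounts, as an added example that is not McAfee or Interset code. It assumes the API base URL is the one Swagger opens from "Access the API", that entitytype and entityid are sent as query parameters (the Swagger form lists them as parameters rather than path segments), and that the OAuth2 login yields a bearer token; the host name, tenant ID and entity IDs are constructed.

```python
"""Tag entities as FORCEBOT / NOTBOT through the tuning API.

Added example, not McAfee/Interset code. Assumed: base_url is what the Reporting
node exposes under "Access the API"; entitytype and entityid are query parameters
on PUT /tuning/{tid}/tags/{tag}; authentication is a bearer token from the OAuth2
login. Host, tenant and entity IDs below are constructed.
"""
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Iterable, List, Optional, Tuple

ALLOWED_TAGS = {"FORCEBOT", "NOTBOT"}
# The guide reserves these names: never use them as User defined tags in Explore.
RESERVED_TAG_NAMES = {"bot", "forcebot", "notbot"}


def is_reserved_user_tag(name: str) -> bool:
    """True if a proposed User defined tag collides with the bot-handling tags."""
    return name.strip().lower() in RESERVED_TAG_NAMES


def build_tag_request(base_url: str, tenant_id: str, entity_id: str, tag: str,
                      entity_type: str = "users",
                      token: Optional[str] = None) -> urllib.request.Request:
    """Build PUT {base_url}/tuning/{tid}/tags/{TAG}?entitytype=...&entityid=...

    The entity ID must be copied exactly from the Explore page or the PDF report;
    a stray space or case change would tag a different (or non-existent) entity.
    """
    tag = tag.strip().upper()
    if tag not in ALLOWED_TAGS:
        raise ValueError("tag must be one of %s" % sorted(ALLOWED_TAGS))
    if not entity_id or entity_id != entity_id.strip():
        raise ValueError("entity_id is empty or has leading/trailing whitespace")
    path = "/tuning/%s/tags/%s" % (urllib.parse.quote(str(tenant_id), safe=""), tag)
    # urlencode percent-encodes characters such as the backslash in DOMAIN\user.
    query = urllib.parse.urlencode({"entitytype": entity_type, "entityid": entity_id})
    req = urllib.request.Request(base_url.rstrip("/") + path + "?" + query, method="PUT")
    req.add_header("Accept", "application/json")
    if token:
        req.add_header("Authorization", "Bearer " + token)
    return req


def tag_entities(base_url: str, tenant_id: str, decisions: Iterable[Tuple[str, str]],
                 token: Optional[str] = None,
                 opener: Callable = urllib.request.urlopen) -> List[Tuple[str, str, int]]:
    """Apply reviewed (entity_id, tag) decisions; one HTTP failure does not stop the batch.

    Returns (entity_id, TAG, http_status) per decision so the run can be audited.
    `opener` is injectable so the batch can be dry-run against a fake transport.
    """
    results = []
    for entity_id, tag in decisions:
        req = build_tag_request(base_url, tenant_id, entity_id, tag, token=token)
        try:
            with opener(req, timeout=30) as resp:
                results.append((entity_id, tag.strip().upper(), resp.status))
        except urllib.error.HTTPError as err:
            results.append((entity_id, tag.strip().upper(), err.code))
    return results


if __name__ == "__main__":
    # Constructed decisions a Security team might sign off on after reviewing activity.
    decisions = [("CORP\\svc_backup", "FORCEBOT"),   # scheduler account, runs 24x7 at machine speed
                 ("nell.bernstein", "NOTBOT")]       # human analyst wrongly stripped as bot-like
    for entity_id, tag in decisions:
        print(build_tag_request("https://mba.example.internal/api", "0", entity_id, tag).full_url)
```

Run the batch only after the Security team has confirmed each entity's identity out of band: the result list gives you one line per entity to attach to the change record, and a non-200 status for an entity leaves the rest of the batch unaffected.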

Use McAfee Behavioral Analytics

This section describes how to use McAfee Behavioral Analytics and its user interfaces, and how to benefit fully from the available features.

McAfee Behavioral Analytics

McAfee Behavioral Analytics uses analytical models to measure behavior and quantify risk. These models range from cluster models, which group users and assets by specific behavioral vectors, to volumetric anomaly models, rare activity models, and other higher-order models. Many different behavioral vectors are tracked and measured, which makes it harder for malicious users or compromised accounts to "fake" normal behavior.

The models do not rely on binary rules or arbitrary thresholds. Rather, they measure the probability that an observed action is truly anomalous and represents a real potential risk. This approach produces a continuous, prioritized list of risks and helps improve the efficiency of IT security teams and their tools.

Because the models are based on machine learning, you are not required to perform any additional configuration for them to execute. Through observation, McAfee Behavioral Analytics learns what constitutes normal behavior for the entities in your organization and immediately begins to quantify abnormal behavior. There are no thresholds to set, no rules to author, and no configurations to undertake. The results of the Analytics are displayed in an interface that provides at-a-glance, actionable information on current risk, and flexible multi-entity exploration of historical data.

Users and Other Entities

Entities are the foundation of McAfee Behavioral Analytics. Entities are the objects involved in behaviors. For example, if a user Philip accesses Fileshare A, the event contains, at minimum, one behavior and two entities.
Philip's account and Fileshare A are the two entities, and the access is the behavior.

Behaviors

Behaviors are often thought of as single events. In the previous example, the access can be captured in one event. If that event happens to be a malicious action, finding it by inspection is virtually impossible: there can be billions of such events, and the overwhelming majority are perfectly legitimate, normal behavior.

Accumulating Risk

As behaviors occur, McAfee Behavioral Analytics processes these events and establishes what is normal from dozens of behavioral perspectives. For example, it counts how many times Philip accesses Fileshare A each hour, how often his authentication attempts on Fileshare A fail, and at what time of day or on which day of the week he is normally active. These metrics are calculated using unsupervised machine learning: the system learns what is normal, rather than security practitioners setting thresholds that may be reasonable for some entities but completely inappropriate for others.
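An added toy model of the accumulation described here and in the Fileshare A scenarios that follow. It is not Interset's algorithm: the anomaly weights, the 3x volume trigger and the per-hour decay factor are assumed constants standing in for the unsupervised models, and the events are constructed. It shows what the prose only asserts: Philip's burst spikes both Philip and Fileshare A; when 20 accounts each touch a share once, every user picks up only a small score while the share alone spikes; and a quiet entity's score decays toward zero.

```python
"""Toy model of how anomalies accumulate into entity risk scores and decay when an
entity goes quiet. Added illustration, not Interset/McAfee code: the weights,
trigger ratio and decay rate are assumed constants; the real product uses
unsupervised models rather than these fixed rules. Events are constructed."""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Event = Tuple[int, str, str]          # (hour, user, fileshare)

NEW_SHARE_WEIGHT = 2.0                # assumed: risk for touching a share never seen in baseline
VOLUME_WEIGHT = 1.0                   # assumed: multiplier on (count / learned hourly peak)
VOLUME_RATIO_TRIGGER = 3              # assumed: flag when count exceeds 3x the learned hourly peak
DECAY_PER_HOUR = 0.90                 # assumed: fraction of risk retained after one quiet hour


def learn_baseline(events: Iterable[Event]):
    """Learn, per user, which shares are normal and the peak hourly access count per share."""
    shares_seen: Dict[str, set] = defaultdict(set)
    hourly_counts: Dict[Tuple[int, str, str], int] = defaultdict(int)
    for hour, user, share in events:
        shares_seen[user].add(share)
        hourly_counts[(hour, user, share)] += 1
    hourly_peak: Dict[Tuple[str, str], int] = defaultdict(int)
    for (hour, user, share), n in hourly_counts.items():
        key = (user, share)
        hourly_peak[key] = max(hourly_peak[key], n)
    return shares_seen, hourly_peak


def score_hour(baseline, events: Iterable[Event]) -> Dict[str, float]:
    """Score one hour of events. Every anomaly adds risk to BOTH entities involved."""
    shares_seen, hourly_peak = baseline
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for _hour, user, share in events:
        counts[(user, share)] += 1
    risk: Dict[str, float] = defaultdict(float)
    for (user, share), n in counts.items():
        anomaly = 0.0
        if share not in shares_seen.get(user, set()):
            anomaly += NEW_SHARE_WEIGHT                  # rare-activity anomaly
        peak = hourly_peak.get((user, share), 0)
        if peak and n > VOLUME_RATIO_TRIGGER * peak:
            anomaly += VOLUME_WEIGHT * n / peak          # volumetric anomaly
        if anomaly:
            risk[user] += anomaly
            risk[share] += anomaly
    return dict(risk)


def decay(risk: Dict[str, float], quiet_hours: int) -> Dict[str, float]:
    """Risk trends toward zero while an entity registers no new anomalies."""
    factor = DECAY_PER_HOUR ** quiet_hours
    return {entity: score * factor for entity, score in risk.items()}


def top_risky(risk: Dict[str, float], k: int = 5) -> List[Tuple[str, float]]:
    """Descending ranking, the shape of the Top Risky panel."""
    return sorted(risk.items(), key=lambda kv: kv[1], reverse=True)[:k]


# --- constructed sample data -------------------------------------------------
BASELINE_HOURS = range(0, 168)        # one week of "normal" history
SCORED_HOUR = 168


def scenario_lateral_movement() -> Dict[str, float]:
    """Philip normally reads Fileshare A 3x/hour; then hits it 100x and 100 new shares."""
    history = [(h, "philip", "Fileshare A") for h in BASELINE_HOURS for _ in range(3)]
    burst = [(SCORED_HOUR, "philip", "Fileshare A")] * 100
    burst += [(SCORED_HOUR, "philip", "Fileshare %03d" % i) for i in range(100)]
    return score_hour(learn_baseline(history), burst)


def scenario_shared_target() -> Dict[str, float]:
    """20 users each touch Fileshare A once; none of them has used it before."""
    users = ["user%02d" % i for i in range(20)]
    history = [(h, u, "Home " + u) for h in BASELINE_HOURS for u in users for _ in range(2)]
    probes = [(SCORED_HOUR, u, "Fileshare A") for u in users]
    return score_hour(learn_baseline(history), probes)


if __name__ == "__main__":
    print("lateral movement:", top_risky(scenario_lateral_movement(), 3))
    print("shared target:   ", top_risky(scenario_shared_target(), 3))
    print("after 72 quiet hours:", top_risky(decay(scenario_shared_target(), 72), 1))
```

In the shared-target run each user scores 2.0, which would sit at the bottom of a user list, while Fileshare A accumulates 40.0 and tops the ranking; that asymmetry is why the asset view deserves attention even when no single account looks unusual.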

As new behaviors are observed, McAfee Behavioral Analytics determines whether they are normal or unusual and, when unusual, how unusual. The more unusual the behavior, the higher the significance of the anomaly. Identified anomalies influence the risk score of the entities involved in the behavior: the more an entity is involved in significant anomalies, the higher its risk score.

For example, if Philip accesses Fileshare A 100 times in an hour and also accesses 100 other fileshares he has never accessed before, his risk score spikes, because the behavior resembles internal reconnaissance or lateral movement. Because Fileshare A was involved in a significant set of anomalies, its risk score also spikes. Scoring every entity in this way lets practitioners explore the anomalies from different perspectives. Where multiple user accounts access Fileshare A in an abnormal manner, each user's behavior may not look abnormal on its own and the user risk scores may not spike significantly; Fileshare A, however, shows a significant spike, signalling to security practitioners that it requires attention.

As entities are involved in risky behaviors, their risk scores increase; the riskier the behavior, the larger the increase. When an entity is not engaging in any activity, its risk score decays toward zero, so an entity that goes a long time without registering suspicious activity trends toward a score of zero.

Overall Risk Page

When you first log in to McAfee Behavioral Analytics, you are taken to the Overall Risk page. This page shows, at a glance, the overall risk status of your organization.
For example, in the screenshot below, you immediately see:
- just over 4 million events were analyzed
- about 120 thousand anomalies and violations were found
- 8 active risky entities were identified
- the overall risk is extremely high and remaining constant
- the threat of Potential Lateral Movement contributes 48% of the overall risk
- the streams of the graph indicate the potential threat types involved
- the types of entities involved and their risk counts
- the top five risky users

When you click an entity type, the Current Risk page opens with additional information for the selected entity type. When you click one of the Top 5 Riskiest Users, the Explore page opens with the selected user's name applied to the anomalies and violations filter.

Figure 1: Overall Risk page

Current Risk Page

The Current Risk page lists entities and their risk scores in descending order, together with trending information, the entity name, the potential threat type, and the most relevant anomaly identified by McAfee Behavioral Analytics. Potential threat types are determined by the most relevant risky activity in the system.

At the top of the Current Risk page, use the entity tabs to explore the riskiest entities grouped by type, such as Users, Projects, or Servers. Tabs in bold text represent entity types that are present in the data. Typically, you will explore your list of users first.

Note: You may see a difference between the number of entities that exist in your data and the number of entities that appear in the McAfee Behavioral Analytics user interface. This is because:
- the Current Risk page includes only entities with a current risk score greater than zero (0), plus entities with a current risk score of zero (0) for which anomalies were identified during the selected time period; and
- entities identified as BOTs do not appear in the user interface.

Figure 2: Current Risk page

Potential threat types are determined by the riskiest activity identified by McAfee Behavioral Analytics for that entity. For example, if the riskiest alert results from a user account accessing unusual locations or assets, the potential threat type appears as Potential Lateral Movement, and a summarized description of the anomaly is shown on the right of the page. This gives security practitioners immediate context and helps them decide more quickly whether further investigation is required.

Explore Page

When you select an entity, the Explore page opens with a filter on that entity's name, showing all Anomalies & Violations associated with the entity within the established time range. To find or filter another entity, use the search filter at the top of the Explore page. The Explore page helps you determine the types of risky activity occurring within your organization. It features the Matrix of Anomalies & Violations, the Contribution to Risk by Threat graph, and the Top Risky Users and Anomalies & Violations panels, which are displayed by default.

Figure 3: Explore page

Matrix of Anomalies & Violations

The Matrix of Anomalies & Violations is a visual representation of the Anomalies & Violations in your data set, displayed as squares color-coded by severity.

Figure 4: Matrix of Anomalies & Violations

You can change the time window of the matrix to a period of specific interest: 24 Hours, 7 Days, 30 Days, Year, or All Data. To zoom in on a specific area of the matrix, click the + icon and then click and drag across the area of interest. To zoom out, click the - icon or select one of the pre-defined time windows. To pan across the time window, click and drag across the matrix (zoom must not be enabled). As you zoom or pan, all parts of the user interface update accordingly.

Use the slider to the left of the matrix to filter alerts by risk level; this lets you reduce the number of alerts displayed gradually, as appropriate. You can also click one of the Risk squares below the graph to set the slider to that risk level. For example, to view Medium Risk and above, click the yellow Medium Risk square. This filters out all low-risk alerts, as shown in the example below.

In the Matrix of Anomalies & Violations timeline, you can filter the analytics on the entities shown in Anomalies & Violations. For example, setting the project filter to dev/rel3/kanga and the user filter to nell.bernstein displays only Anomalies & Violations involving both the dev/rel3/kanga project and nell.bernstein.

Periods of Risky Activity features an Overall Risk Trend, which displays a baseline within the graph. When you add an entity filter to the Periods of Risky Activity graph, a new Risk Trend line is created for that entity, with a baseline based on that entity's activity. You can display multiple Risk Trends at once, and you can hide or show a Risk Trend by selecting its name.

Contribution to Risk by Threat

Below the Matrix of Anomalies & Violations is the Contribution to Risk by Threat graph, which organizes potential threat types by their percentage of the overall risk. Filter the graph by threat type by selecting the threat type name or square under the graph. For example, to highlight the percentage that Potential Internal Recon represents, select the Potential Internal Recon name or square underneath the graph. To reveal or hide the graph, click the Contribution to Risk by Threat heading.

Figure 5: Contribution to Risk

Filter

At the top of the page is the Type to filter anomalies and violations... field. From here you can apply filters by choosing a filter tag from the dropdown menu, or search for filter tags by typing the tag name. Depending on your data set, you can apply User, Server, Datasource, and User Defined filter tags, for example.

To disable a filter: at the top left of the page, under Type to filter anomalies and violations..., hover over the filter name and click the checkbox on the left. Repeat to re-enable a disabled filter.

To delete a filter: at the top left of the page, under Type to filter anomalies and violations..., hover over the filter name and click the X on the right.

Anomalies & Violations Panel

The Anomalies & Violations panel lists triggered activities. Each Anomaly or Violation has a time stamp, risk color, description, potential threat type, and associated entities. The list can be sorted by Time (default) or by Risk.

Figure 6: Anomalies & Violations Panel

To sort the list: at the top left of the Anomalies & Violations panel, click the dropdown menu and select Time or Risk.

To apply filters based on an Anomaly or Violation: below the description of the Anomaly or Violation, click the tags you want to apply to the filter.

To disable a filter: at the top left of the page, under Type to filter anomalies and violations..., hover over the filter name and click the checkbox on the left. Repeat to re-enable a disabled filter.

To delete a filter: at the top left of the page, under Type to filter anomalies and violations..., hover over the filter name and click the X on the right.

When you click an Anomaly or Violation box, a visualization is provided to add context, together with a description of the activity. From there you can explore the raw events that triggered the Anomaly or Violation. For more information, see the Explore Raw Events section.

Note: When you configure a Workflow to send a resulting email and you added new lines of text in the body when creating the Workflow, the email received by the recipient includes a semicolon at the end of each text line. These semicolons do not affect Workflow functionality and can be ignored.

Entity Details Panel

When you select an entity, an Entity Details panel opens with additional information on that entity. If you selected a User entity, for example, the Entity Details panel might display the Most Recent Risk Score, the Maximum Risk score within the time frame, Read-only tags, User defined tags, Typical working hours, and Typical weekly activity. To download a PDF report on the entity, click the PDF icon beside the entity name.

Figure 7: Entity Details Panel

From the Entity Details panel you can create and apply User defined tags.

Important: Do not use bot, forcebot, or notbot as names for a User defined tag; these names are reserved for bot handling.

To create a tag:
1. On the right side of User defined tags, click the icon. A + appears below the User defined tags section.
2. Click the +.
3. In the dialog box, enter the name of the tag you want to create.
4. On the right side of User defined tags, click done to save the tag.

To delete a tag:
1. On the right side of User defined tags, click the icon.
2. Click a tag to highlight it.
3. Press your Delete or Backspace key to delete the tag.
4. On the right side of User defined tags, click done to save your changes.

Note: If you use the same tag for multiple entity types, filtering on that tag may also return entities that interacted with tagged entities. For example, filtering on a tag of "Boston" that has been applied to users and servers located in Boston may return users outside Boston who have interacted with the tagged servers.

Authentications Panel

The Authentications panel displays the total number of successful and failed authentication attempts, sorted by entities with the most failed attempts in descending order.

To add the Authentications panel: click the + symbol and then select Authentications.

To remove the panel: click the X symbol at the top right of the panel.

Most Accessed Panel

On the Explore page, you can view the Most Accessed entities of your whole dataset, or of specific entities.

To add a Most Accessed panel: at the bottom of the page beside the leftmost tab, click the + symbol, select Most Accessed, and then select a filter. Each Most Accessed filter displays a list of entities that have been interacted with, sorted in descending order. You can further explore the Most Accessed entities by selecting an entity to open the Entity Details panel.

To remove the panel: click the X symbol at the top right of the panel.

Top Risky Panel

On the Explore page, the Top Risky panel lists the top risky entities by type, displaying the Top Risky Users by default. To display a different entity type, click Top Risky Users, select Top Risky, and then select an entity type. The Top Risky list can be sorted by Maximum Entity Risk (default) or by Current Entity Risk.

Note: You may see a difference between the number of entities that exist in your data and the number of entities that appear in the McAfee Behavioral Analytics user interface. This is because only entities with anomalies appear in the Top Risky list; entities without identified anomalies within the selected time range are filtered out. In addition, entities identified as BOTs do not appear in the user interface. When you select the all data timeframe, all entities that have ever had at least one identified anomaly are shown.

To sort the list: at the top left of the Top Risky panel, click the dropdown menu and select Maximum Entity Risk or Current Entity Risk.

To add a new Top Risky panel: at the bottom of the page beside the leftmost panel, click the + symbol, select Top Risky, and then select an entity type. You can further explore the Top Risky entities by clicking an entity box to open the Entity Details panel.

To remove the panel: click the X symbol at the top right of the panel.

Most Exits By User Panel

On the Explore page, you can view the Most Exits By User. This panel provides a table of users with the most Exit activity, sorted in descending order. Exit activity includes saves to USB, file uploads, print actions, and more.

To add the Most Exits By User panel: at the bottom of the page beside the leftmost panel, click the + symbol and then select Most Exits By User.

To remove the panel: click the X symbol at the top right of the panel.

Top Screen Capture Producers Panel

On the Explore page, you can view the Top Screen Capture Producers. This panel provides a table of the users who produce the highest number of screen captures, sorted in descending order. Screen captures include the standard methods of copying the active image, such as PrtScn, Alt+PrtScn, and the Windows Snipping Tool (PC); command+shift+3, command+shift+4, control+command+shift+3, and control+command+shift+4 (Mac); as well as Snagit, a third-party screen capture application.

To add the Top Screen Capture Producers panel: at the bottom of the page beside the leftmost panel, click the + symbol and then select Top Screen Capture Producers.

To remove the panel: click the X symbol at the top right of the panel.

Top Users To Trigger Violations Panel

On the Explore page, you can view the Top Users To Trigger Violations. This panel provides a table of the users who have triggered the most Workflow violations, sorted in descending order.

To add the Top Users To Trigger Violations panel: at the bottom of the page beside the leftmost panel, click the + symbol and then select Top Users To Trigger Violations.

To remove the panel: click the X symbol at the top right of the panel.

CSV Reports

CSV reports provide the raw data behind the Anomalies & Violations and can give further insight into how an entity is behaving. For example, a user entity CSV report may contain the country of origin, actions taken, user name, and object type. To download a CSV report, click an Anomaly or Violation box and then, on the right side of the visualization, click Download CSV.

PDF Reports

Once an investigation has sufficient evidence to warrant escalation, the information can be exported to PDF so that incident response can begin immediately. To generate a PDF report for your organizational risk, on the Overall Risk page, click the PDF icon next to the date at the top of the page. To generate a report for a user entity, on the Explore page, click a user entity name to open the Entity Details panel, and then click the PDF icon beside the entity name. The report lets you share the findings of the investigation without manually creating additional documents, and helps convey what constitutes risky and normal behavior for the entity.
Explore Raw Events

When you click an Anomaly or Violation box, a visualization appears that adds context and describes the risky activity. To see the actual events that triggered the risky activity in Kibana, click Explore Raw Events at the right side of the visualization. This launches a pre-populated query in Kibana, where the events can be explored freely in a faceted search.

Figure 8: Kibana Query

Kibana gives security practitioners a quick way to explore the context around the raw events that triggered an anomaly: expanding the time range, changing filter options, or any other faceted search.

Advanced Features

In the McAfee Behavioral Analytics user interface, you can take advantage of a number of advanced features that help you manage the security of your organization more effectively. For example, you can:
- work with your McAfee Behavioral Analytics Administrator to create Workflows (real-time notifications and violations)
- work with your McAfee Behavioral Analytics Administrator to manage bot and bot-like users

Workflows

Workflows ensure that those who rely on McAfee Behavioral Analytics to identify the top risky entities and behaviors in the organization are made aware of specific areas of concern immediately, so that appropriate, proactive measures can be taken in a timely manner. With Workflows, Administrators can build custom use cases that highlight specific information for their end users, based on a wide range of criteria.

When Workflows include email or SMS notifications and REST API calls, these notifications and corrective actions occur in real time. When Workflows include the creation of violations or changes in severity level, these outcomes are available the next time McAfee Behavioral Analytics runs on the data.

For example, a Security team may wish to be notified immediately, and to have initial corrective measures put in place, any time an individual inappropriately attempts to access a restricted project repository. By creating Workflows based on specific conditions, the Security team can configure real-time notifications and even control access privileges through REST APIs when those conditions are met. Only users with Administrator privileges can create Workflows. To learn more about creating Workflows, see "Create Workflows" on page 54.

Bots and Bot-like Users

Internet bots, or Web robots, are software applications that run automated tasks. If your organization has system bot activity, that activity, because of the exceptional speed at which it occurs, will likely generate anomalies in your Analytics. McAfee Behavioral Analytics identifies the system users it deems to be bots and strips them from the Investigator matrix view.

It is often genuinely difficult to tell bots from live humans based on user activity alone. Your McAfee Behavioral Analytics Administrator will work with you to identify which system users are truly bots and which are not. After the true bots are identified, your Administrator can configure McAfee Behavioral Analytics to remove them from the Analytics. Similarly, if bot-like users have been incorrectly tagged and stripped from the Analytics, your Administrator can configure McAfee Behavioral Analytics to keep them in the Analytics.

For more information about bots and bot-like users, see "Manage Bot and Bot-like Users".

Advanced Configuration Options

After installing and configuring McAfee Behavioral Analytics in your environment, the following advanced configuration information may be useful.

Enabling TLS for McAfee Behavioral Analytics Reporting

McAfee Behavioral Analytics supports TLS encryption and can be run with a FIPS-validated (NIST CMVP-certified) cryptographic module using AES-256. By default, McAfee Behavioral Analytics Reporting is configured for TLS with a 2048-bit RSA key and a self-signed certificate. A self-signed certificate gives clients nothing to validate against, so in production use a certificate issued by your organization's CA (or a public CA).

To update the configuration to use your certificate:

1. On the Reporting node, edit /etc/nginx/conf.d/interset.conf and change the ssl_certificate and ssl_certificate_key values to point to your certificate (with any intermediate chain appended) and its private key. Keep the private key file readable only by root.
2. Validate the configuration before restarting, so that a bad path or a key that does not match the certificate is caught without taking Reporting offline: sudo nginx -t
3. Restart Nginx:
   EL6: sudo service nginx restart
   EL7: sudo systemctl restart nginx

Custom Theme

The custom branding feature lets you change the logos and navigation bar colors of the McAfee Behavioral Analytics interface to reflect your business and organizational needs. Text references to McAfee Behavioral Analytics can also be changed to your company name. You can reset the interface to the McAfee Behavioral Analytics default at any time. These changes are made on the Reporting node; after they are saved, they apply to all tenants on the node.

Note: Changes made to the NavBar Logo, Company Name, NavBar Color, Accent Color, Log In Page Gradients, and Font Color during this process are shown in the Sample Preview window. Changes to the Log In Logo and the Enable Powered by Interset message cannot be seen until saved. No change takes effect until you save it.

To edit the theme of the McAfee Behavioral Analytics interface:

1. Open a Web browser, go to <node_fqdn>/dashboard, and log in as an administrator.

2. On the Overall Risk page, at the top right of the page, click the Settings icon to open the Settings page.
   Figure 1: Overall Risk page
3. On the Settings page, click CHANGE THEME.
   Figure 2: Change Theme
   The Theme Panel page opens.
4. To change the Log In Logo:

   a. Next to the Log In Logo input field, click Browse.
   Figure 3: Browse Log in Logo
   b. In the file browser, choose the graphic to upload as your Log In Logo and click Open.
   Note: The Log In Logo must be in .png format, have maximum dimensions of 560px by 100px, and be no larger than 2MB.
5. To change the NavBar Logo:

   a. Next to the NavBar Logo input field, click Browse.
   Figure 4: Browse NavBar Logo
   b. In the file browser, choose the graphic to upload as your NavBar Logo and click Open.
   Note: The NavBar Logo must be in .png format, have maximum dimensions of 300px by 80px, and be no larger than 2MB.
6. To change the Company Name:

   a. In the Company Name input field, enter the company name to be displayed. This replaces every text instance of McAfee Behavioral Analytics with the company name you entered.
   Figure 5: Company Name
7. To change the Log In Page gradients and NavBar colors, click the color box next to the field you want to change. You can change the following colors:
   - Log In Page Gradient 1
   - Log In Page Gradient 2
   - NavBar Color
   - Accent Color
   Note: Font colors change automatically based on your color choices.
8. To save your theme, at the bottom right of the page, click Save Theme.

Reset Theme to Default

You can reset your theme to the default at any time:

1. Open a Web browser, go to <node_fqdn>/dashboard, and log in as an administrator.

2. On the Overall Risk page, at the top right of the page, click the Settings (gear) icon.
3. On the Settings page, click CHANGE THEME.
4. On the Theme Panel page, at the bottom right of the page, click Reset Theme.

Add Custom Text to the Interface Banner and Footer

To further customize the appearance of the McAfee Behavioral Analytics interface for your organization, you can add custom banner text, which appears above the NavBar Logo on the Log In Page, and custom footer text, which appears at the bottom right of the Log In Page.

To add custom text:

1. Open a Web browser, go to <node_fqdn>/dashboard, and log in.
2. On the Overall Risk page, at the top right of the page, click the Settings icon to open the Settings page.
   Figure 6: Overall Risk page
3. On the Settings page, click CHANGE THEME.
   Figure 7: Change Theme
   The Theme Panel page opens.
4. To change the Banner Label:

   a. In the Banner Label input field, enter the banner text to be displayed. The Banner Label appears at the top left of the screen, above the NavBar Logo.
   Figure 8: Change Banner Label

   b. To change the color of the Banner Label text, click the color box to the right of the Banner Label input field and select a new color.
   Figure 9: Change Banner Label Text Color
5. To change the Footer Label:
   a. In the Footer Label input field, enter the footer text to be displayed. The Footer Label appears at the bottom right of the login page.
   Figure 10: Change Footer Label Text
6. To display Powered by Interset at the bottom of the Log In Page, select the Enable Powered by Interset message checkbox. If enabled, this replaces any text in the Footer Label with Powered by Interset.
7. To save your changes, at the bottom right of the page, click Save Theme.

Configuring Delimiters

For data sources identified as .csv, the default delimiter is the comma. In the Data Configuration Wizard, you can specify other delimiters, including the semicolon, pipe, tab, and space.

If your data source uses a different delimiter, you can manually configure that delimiter in the Data Ingest Configuration file (at the end of this task) by editing the following parameter:

    agent.sources.dirsource.deserializer.csvseparatorcharacter

User Accounts and Permissions

The user accounts that appear in the tables below are created during the normal installation of McAfee Behavioral Analytics, Ambari, and HDP. None of these user accounts are required to run as root.

Interset Account

Service  | Component(s)                      | Default User Account
Interset | McAfee Behavioral Analytics, Flow | interset

Ambari and HDP Accounts

Service        | Component(s)                                                                                             | Default User Account
Accumulo       | Accumulo Tracer, Accumulo Monitor, Accumulo GC, Accumulo Master                                          | accumulo (HDP 2.2 or later)
Ambari         | Ambari Server, Ambari Agent                                                                              | interset
Ambari Metrics | Metrics Collector, Metrics Monitor                                                                       | ams
Atlas          | Atlas Metadata Server                                                                                    | atlas (HDP 2.3 or later)
Falcon         | Falcon Server                                                                                            | falcon
Flume          | Flume Agents                                                                                             | flume
HBase          | MasterServer, RegionServer                                                                               | hbase
HDFS           | NameNode, SecondaryNameNode, DataNode                                                                    | hdfs
Hive           | Hive Metastore, HiveServer2                                                                              | hive
Kafka          | Kafka Broker                                                                                             | kafka
Knox           | Knox Gateway                                                                                             | knox
Mahout         | Mahout clients                                                                                           | mahout (HDP 2.2 or later)
MapReduce2     | HistoryServer                                                                                            | mapred
Oozie          | Oozie Server                                                                                             | oozie
PostgreSQL     | PostgreSQL (with Ambari Server)                                                                          | postgres (Created as part of installing the default PostgreSQL database with Ambari Server. If you are not using the Ambari PostgreSQL database, this user is not needed.)
Ranger         | Ranger Admin, Ranger Usersync                                                                            | ranger (HDP 2.2 or later)
Ranger KMS     | Ranger KMS Server                                                                                        | kms (HDP 2.3 or later)
Spark          | Spark History Server                                                                                     | spark (HDP 2.2 or later)
Sqoop          | Sqoop                                                                                                    | sqoop
Storm          | Masters (Nimbus, DRPC Server, Storm REST API Server, Storm UI Server); Slaves (Supervisors, Logviewers) | storm
Tez            | Tez clients                                                                                              | tez
WebHCat        | WebHCat Server                                                                                           | hcat
YARN           | NodeManager, ResourceManager                                                                             | yarn
ZooKeeper      | ZooKeeper                                                                                                | zookeeper

For more information about the Ambari and HDP service accounts, please go to docs.hortonworks.com/ and then use the Search box to locate the relevant topic.

Other Third-party Component Accounts

Service       | Component(s)  | Default User Account
Cassandra     | Cassandra     | cassandra
Elasticsearch | Elasticsearch | elasticsearch
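A check for the accounts tables above, added here as an example and not part of the McAfee/Interset guide: it reads `ps -eo user,args` output on a node and reports any listed service running as root or as an account other than its default. It assumes each daemon's Java main class name contains the product name (true for the Hadoop, Kafka, Flume, Storm, ZooKeeper, Cassandra and Elasticsearch daemons, but a heuristic to adjust for your cluster); the process listing inside is constructed.

```shell
#!/bin/sh
# Added example, not part of the McAfee/Interset guide: report cluster services
# that run as root, or as an account other than the default listed in the table
# above. Input lines are "<user> <command line>", for example from:
#     ps -eo user:20,args --no-headers | check_service_accounts
#
# "<pattern>:<expected account>" pairs. The pattern is matched (case-insensitive)
# against the Java main class of the process. Assumption: the main class name
# contains the product name, which holds for the daemons listed here; adjust or
# extend the list for your cluster.
SERVICE_ACCOUNTS="flume:flume kafka:kafka elasticsearch:elasticsearch hbase:hbase hdfs:hdfs yarn:yarn storm:storm zookeeper:zookeeper cassandra:cassandra"

# Print the Java main class of a command line: the first token that contains a
# dot but no slash and does not start with "-" (JVM options, -cp, and paths are
# skipped). Returns 1 when the command line is not a Java daemon.
java_main_class() {
    for tok in "$@"; do
        case $tok in
            -*|*/*) ;;
            *.*) printf '%s\n' "$tok"; return 0 ;;
        esac
    done
    return 1
}

# Read "<user> <command line>" lines on stdin. Print one line per violation and
# return 1 if any matched service runs as root or as an unexpected account.
check_service_accounts() {
    violations=0
    while read -r user args; do
        [ -z "$user" ] && continue
        # set -f in the subshell stops "lib/*" classpath entries from globbing
        main=$(set -f; java_main_class $args) || continue   # not Java: skip
        lower=$(printf '%s' "$main" | tr 'A-Z' 'a-z')
        for pair in $SERVICE_ACCOUNTS; do
            pattern=${pair%%:*}
            expected=${pair#*:}
            case $lower in
                *"$pattern"*)
                    if [ "$user" = root ]; then
                        printf 'ROOT: %s runs as root (expected %s)\n' "$main" "$expected"
                        violations=$((violations + 1))
                    elif [ "$user" != "$expected" ]; then
                        printf 'MISMATCH: %s runs as %s (expected %s)\n' "$main" "$user" "$expected"
                        violations=$((violations + 1))
                    fi
                    break   # first matching pattern decides
                    ;;
            esac
        done
    done
    [ "$violations" -eq 0 ]
}

# Constructed sample listing (not from a real cluster): the Kafka broker wrongly
# runs as root and the YARN NodeManager wrongly as hdfs; the rest are correct.
SAMPLE_PS='flume /usr/bin/java -Dflume.root.logger=INFO,LOGFILE -cp /usr/hdp/current/flume-server/lib/* org.apache.flume.node.Application -n agent
root /usr/bin/java -Xmx1G -cp /usr/hdp/current/kafka-broker/libs/* kafka.Kafka /usr/hdp/current/kafka-broker/config/server.properties
hdfs /usr/bin/java -Dproc_datanode -cp /usr/hdp/current/hadoop-hdfs/* org.apache.hadoop.hdfs.server.datanode.DataNode
hdfs /usr/bin/java -Dproc_nodemanager -cp /usr/hdp/current/hadoop-yarn/* org.apache.hadoop.yarn.server.nodemanager.NodeManager
elasticsearch /usr/bin/java -Xms2g -cp /usr/share/elasticsearch/lib/* org.elasticsearch.bootstrap.Elasticsearch
postgres /usr/bin/postgres -D /var/lib/pgsql/data'

# Number of violations in the constructed sample (prints 2).
count_sample_violations() {
    printf '%s\n' "$SAMPLE_PS" | check_service_accounts | wc -l | tr -d ' '
}

# Run the check over the sample; on a real node pipe ps output in instead.
printf '%s\n' "$SAMPLE_PS" | check_service_accounts \
    || echo "service account violations found; fix before putting the node into service"
```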

Appendix A: McAfee Behavioral Analytics Cluster Components

This section provides information about the McAfee Behavioral Analytics components, the third-party components, and the recommended distribution for the Single-instance Node and Multi-instance Node production installations described in this Guide.

McAfee Behavioral Analytics Components

The McAfee Behavioral Analytics components, which will be installed on different nodes in the recommended configurations, include:

McAfee Behavioral Analytics Analytics
This component performs the vital task of determining individual behavioral baselines, and then discovering and ranking deviations from those baselines. McAfee Behavioral Analytics is installed on the Compute node(s).

McAfee Behavioral Analytics Reporting
This component provides the REST API, as well as the rich user interface that allows the analytics results and raw data to be explored visually. McAfee Behavioral Analytics Reporting is installed on the Reporting node.

McAfee Behavioral Analytics Workflow
This component applies user-defined rules to highlight specific events and trigger follow-up actions. These user-defined events contribute to the analytics. Workflow is installed on the Compute node(s).

Third-party Components

The McAfee Behavioral Analytics cluster third-party components, also distributed among multiple nodes in the recommended configurations, include:
- Apache Ambari server
- Apache Ambari metrics
- Apache Ambari client
- Apache HDFS
- Apache HBase
- Apache Storm
- Apache Spark
- Apache Flume
- Apache Kafka
- Apache Zookeeper
- Apache Cassandra
- Elasticsearch

- Kibana
- Nginx
- Freetype
- Phantomjs
- Monit

Apache Ambari Server
The Apache Ambari project simplifies Apache Hadoop management with the development of software for provisioning, managing, and monitoring Hadoop clusters. Ambari provides an intuitive, central Hadoop management user interface backed by its REST APIs. Apache Ambari Server is installed on the Ambari node.

Apache Ambari Metrics
The Ambari Metrics System (AMS) collects, aggregates, and serves up Hadoop and cluster metrics in Ambari-managed clusters. Apache Ambari Metrics is installed on the Ambari, Compute, Master, and Stream nodes.

Apache Ambari Client
An Ambari client is the node in the cluster that provides the client libraries for any services managed by Ambari, and supports installed client applications (such as McAfee Behavioral Analytics). Apache Ambari Client is installed on the Stream node(s).

Apache HDFS
The Hadoop Distributed File System (HDFS) is a distributed file system that provides high-throughput access to application data. All McAfee Behavioral Analytics data residing in the HBase database is stored in HDFS. Apache HDFS is installed on the Data node.

Apache HBase
HBase is a scalable, distributed database that supports structured data storage for large tables. HBase stores the Analytics data for the McAfee Behavioral Analytics cluster. Apache HBase is installed across the Compute and Master node(s).

Apache Storm
Apache Storm reliably processes unbounded streams of data, doing for real-time data processing what Hadoop does for batch processing. In a Single-instance Node configuration, Apache Storm is installed on the Master and Stream nodes. In a Multi-instance Node configuration, Apache Storm is installed on multiple Master nodes and the Stream node.

Apache Spark
Spark is a fast, general computing engine for Hadoop data. Spark executes the Analytics, providing a simple and expressive programming model to support a wide range of applications, including ETL, machine learning, stream processing, and graph computation.

Apache Spark is installed on the Master node.

Apache Flume
Flume is a distributed, reliable, and available service for efficiently collecting, aggregating, and moving large amounts of log data. Flume is used for the McAfee Behavioral Analytics data ingest. Apache Flume server is installed on the Stream node.

Apache Kafka
Apache Kafka is a distributed publish-subscribe messaging system that is designed to be fast, scalable, and durable. In the McAfee Behavioral Analytics cluster, Kafka is used for data transport between Flume, HBase, and Elasticsearch. Apache Kafka server is installed on the Stream node.

Apache ZooKeeper
ZooKeeper is a high-performance coordination service for distributed applications. In the McAfee Behavioral Analytics cluster, ZooKeeper manages the coordination of the various component configurations. ZooKeeper is installed on the Master node(s).

Elasticsearch
Elasticsearch is an open source, broadly-distributable and easily-scalable enterprise-grade search engine. Elasticsearch houses all of the McAfee Behavioral Analytics raw events, and provides all of the data that drives the user interface. Elasticsearch is installed on the Search node.

Kibana
Kibana is an open source data visualization plugin for Elasticsearch. Kibana serves as the user interface and data exploration mechanism for Elasticsearch. Kibana is installed on the Reporting node.

Nginx
Nginx is a free, open-source, high-performance HTTP and reverse proxy server, as well as an IMAP/POP3 proxy server. Nginx is recognized for its high performance, stability, rich feature set, simple configuration, and low resource consumption. Nginx is installed on the Reporting node.

FreeType
FreeType is a public software library for rendering fonts. McAfee Behavioral Analytics uses FreeType when rendering PDF Reports. FreeType is installed on the Reporting node.

PhantomJS
PhantomJS is a console-mode WebKit scriptable with a JavaScript API. PhantomJS is installed on the Reporting node.

Component Distribution

The McAfee Behavioral Analytics production installation distributes the components across separate machines, or nodes, identified as follows:
- Ambari node
- Master node(s)
- Search node(s)
- Stream node(s)
- Compute node(s)
- Reporting node(s)

Ambari Node
The Ambari node is where the Ambari Server is installed. The Ambari Server provides a convenient Web user interface that simplifies the deployment and management of the different components that make up the McAfee Behavioral Analytics solution.

Master Node(s)
The Master node(s) are used for various infrastructure components, and for starting the McAfee Behavioral Analytics Analytics process.

Search Node(s)
The Search node(s) are used for the Elasticsearch cluster and, in turn, are used by the McAfee Behavioral Analytics Reporting components.

Stream Node(s)
The Stream node(s) are used for ingesting data, moving data to the Compute node(s) for the Analytics, and later to the Search node(s) for McAfee Behavioral Analytics Reporting.

Compute Node(s)
The Compute node(s) are used during the McAfee Behavioral Analytics process to both store and analyze the ingested data.

Reporting Node
The Reporting node provides a Web interface for McAfee Behavioral Analytics Reporting, and for further exploring and investigating anomalies identified by McAfee Behavioral Analytics.

McAfee Behavioral Analytics Configuration

Your McAfee Behavioral Analytics configuration will depend primarily on the amount of data to be analyzed. McAfee Behavioral Analytics recommends two basic configurations:
- Single-instance Node Configuration: in this configuration, there is only one instance of each node type.
- Multi-instance Node Configuration: in this configuration, there are multiple instances of various node types, depending on your data volumes.

The following diagram illustrates a simple McAfee Behavioral Analytics configuration in which there is one single instance of each node type. This configuration delivers the McAfee Behavioral Analytics cluster in a non-high availability (HA) environment.

Figure 1: McAfee Behavioral Analytics Deployment - Single Instance Node

In this Single-instance Node configuration, the McAfee Behavioral Analytics and third-party components are distributed as follows:

Ambari node
- Ambari Server
- Metrics Monitor
- Metrics Collector

Master Node
- ZooKeeper
- Yarn App Timeline Server
- Yarn Resource Manager
- Yarn History Server
- HBase Master
- HDFS (S)NameNode
- Spark History Server
- Hadoop Client Components
- Storm DRPC Server
- Storm Nimbus
- Storm UI Server
- McAfee Behavioral Analytics (Workflow, Flume Ingest Configs)

Stream Node
- Metrics Monitor
- Apache Flume
- Kafka Broker
- Hadoop Client Components
- Ingest Jars for Streaming

Compute Node
- Metrics Monitor
- Yarn Node Manager
- HBase RegionServer
- HDFS DataNode
- Storm Supervisor

Search Node
- Elasticsearch

Reporting Node
- Nginx
- McAfee Behavioral Analytics Reporting (Kibana, Nginx, Reporting Config, Phantomjs)

To maximize redundancy in the infrastructure and performance of the overall cluster, McAfee Behavioral Analytics recommends the Multi-instance Node configuration illustrated below. This configuration can also be set up as a high availability (HA) system.

Figure 2: McAfee Behavioral Analytics Deployment - Multi-instance Node

In this multi-node configuration, the McAfee Behavioral Analytics and third-party components are distributed as follows:

Ambari node
- Ambari Server

Master Node 1
- ZooKeeper
- Metrics Monitor
- Metrics Collector
- Hadoop Client Components
- HBase Master
- HDFS NameNode
- HDFS JournalNode
- ZooKeeperFC
- Storm DRPC Server
- Storm Active Nimbus
- Storm UI Server
- McAfee Behavioral Analytics (Workflow, Flume Ingest Configs)

Master Node 2
- ZooKeeper
- Metrics Monitor
- Hadoop Client Components
- Yarn App Timeline Server
- Yarn Resource Manager
- Yarn MapReduce2 History Server
- HDFS JournalNode
- HDFS NameNode
- ZooKeeperFC
- Spark History Server

Master Node 3
- ZooKeeper
- Metrics Monitor
- Hadoop Client Components
- Yarn Resource Manager
- HBase Master
- HDFS JournalNode
- Storm Passive Nimbus

Stream Node
- Metrics Monitor
- Apache Flume
- Kafka Broker
- Hadoop Client Components
- McAfee Behavioral Analytics Ingest Jars for Streaming

Compute Node
- Metrics Monitor
- Yarn Node Manager
- HBase RegionServer
- HDFS DataNode
- Storm Supervisor

Search Node
- Elasticsearch

Reporting Node
- Nginx
- McAfee Behavioral Analytics Reporting (Kibana, Nginx, Reporting Config, Phantomjs)

Table 1: Component Distribution - Multi-node

For information and assistance calculating the optimal McAfee Behavioral Analytics topology for your organization, please contact your McAfee Behavioral Analytics support professional.

Appendix B: Explore McAfee Behavioral Analytics Using Sample Data

This appendix provides an end-to-end introduction to McAfee Behavioral Analytics, using sample datasets. These tasks should only be performed after McAfee Behavioral Analytics has been installed and configured in your environment. For information about installing and configuring McAfee Behavioral Analytics, please see the McAfee Behavioral Analytics Installation and Configuration Guide.

When you configure the sample data, you will:
- create a dedicated tenant for the sample data;
- configure Flume to ingest sample data from universal Active Directory logs, universal repository logs, and Web Proxy logs, all in .csv format;
- run McAfee Behavioral Analytics; and
- review the top risky users and their associated most significant anomalies and underlying events.

The sample dataset includes three different data types (authentication, repository, and Web proxy) to demonstrate that McAfee Behavioral Analytics provides an integrated view of risk across multiple datasets. Because McAfee Behavioral Analytics is designed to highlight the top risky entities, IT security team members can prioritize their efforts and investigations. The sample datasets are small, to reduce any impact on the performance or storage requirements of your McAfee Behavioral Analytics production installation.

Create the Samples Tenant

By creating a separate Samples tenant, you reduce any impact to your deployment. This Guide uses int as the tenant ID (TID), but you may choose an alternate tenant ID.

1. Log in to McAfee Behavioral Analytics as an Administrator.
2. Click Settings to open the Settings page.
   Note: If there is no data in your system, you will automatically be taken to the Settings page.
3. In the Settings page, click Access the API to open the API in Swagger.
4. Ensure that you are authenticated as the root user. The default password is root.
   Note: If you have configured LDAP for McAfee Behavioral Analytics authentication, you must log in to Swagger as the user you configured as the LDAP "rootuser". For more information, please see "Configure LDAP Authentication" on page

    a. In the Swagger header, click Authorize.
Figure 1: Swagger Authorization
    b. In the Available authorizations, Select OAuth2.0 Scopes dialog box, click Authorize.
Figure 2: Available Authorizations
    If you are already authenticated as root, this button will display Logout. If the Authorize button displays Logout, you can cancel out of this step.

    c. In the log in dialog box, enter your user credentials and then click Sign in.
Figure 3: Log in Page
5. Click tenants to expand the section. The list of all Tenants commands appears.
Figure 4: Tenant Commands

6. Click PUT /tenants/{tenantid} to expand the section.
Figure 5: Expanding PUT /tenants/{tenantid}

7. Click the JSON code in the Example Value box in the lower right-hand corner to copy the schema into the body box that appears in the lower left.
   Important: The Response Class JSON code includes example values to assist you as you use the API to configure McAfee Behavioral Analytics. When saving new JSON code, ensure that you replace the example values with the appropriate information for your McAfee Behavioral Analytics cluster.
Figure 6: PUT /tenants/{tenantid} section
8. In the tenantid box, type the ID of the new tenant you want to create. For the purpose of this example, set the ID as int.
   Note: In McAfee Behavioral Analytics 5.5.2, we recommend that all tenant names contain lowercase characters.
9. In the body box, change the JSON values as shown below:
       "step": "paid"
10. Click Try It Out! to add the tenant. The new tenant parameters appear in the Response Body box. When the tenant has been successfully added, 200 appears in the Response Code box.

Create an Administrator User for the Samples Tenant

For users to log in to McAfee Behavioral Analytics, they must have a username and password.

Steps
1. In the Swagger user interface, expand the tenants section. The list of all tenants commands appears.
Figure 7: Tenant Commands
2. Expand the PUT /tenants/{tenantid}/users/{userid} section.
3. Click the JSON code in the Example Value box in the lower right-hand corner to copy the schema into the body box that appears in the lower left.
4. In the tenantid box, type the ID of the tenant to which you will add the new user.
5. In the userid box, type the username for the new user. The userid field is the username that you will use to sign in to McAfee Behavioral Analytics.
6. Fill in the remaining parameters:
   - userid: the username used to view results
     Note: The userid is required both in the userid field and in the Response Body box.
   - name: the user's full name
   - role: either admin or user. For the purposes of this exercise, type admin. The admin role can perform tasks such as configuring data sources, creating Workflows, and accessing the REST API, while the user role cannot.
   - isactive: this should be true
   - password: set a password

7. After filling in the JSON document, click Try It Out! to add the user. The new user parameters appear in the Response Body box. When the new user has been successfully added to the tenant, 200 appears in the Response Code box.

Copy the McAfee Behavioral Analytics Sample Datasets

The sample dataset includes three data types, each of which requires a separate data source configuration. In the McAfee Behavioral Analytics repository, locate the three sample datasets and copy them to a location that is accessible to the Stream node(s). This location should have three directories, one for each dataset:

    /opt/interset/sampledata/authentication
    /opt/interset/sampledata/repository
    /opt/interset/sampledata/webproxy

The sample datasets are in the sampledata directory of the McAfee Behavioral Analytics repository.

On the Stream node, ensure that the top-level sampledata directory and all sub-directories and files are owned by flume:hadoop. If you have not done this, run the following command to change the ownership:

    sudo chown -R flume:hadoop /opt/interset/sampledata

If you cannot access the repository, please contact your McAfee Behavioral Analytics support professional.

Configure the Samples Data Sources

In McAfee Behavioral Analytics 5.5.2, you create the Data Ingest configuration information for use in Ambari using the Data Configuration wizard. The Data Configuration wizard provides a user interface in which you select your data type and provide the information required for Data Ingest. To configure the sample data sources using the Data Configuration wizard, please reference the following table:

Data Type: Authentication (Active Directory, AuditD, Universal)
Data Source: Universal Active Directory (CSV)
Dataset: sample_auth_data.csv
CSV Header -> Mapping:
    user -> User
    action -> Action
    signature_id -> Signature ID
    dest -> Destination
    object_type -> Object Type
    object_name -> Object Name
    calling_station_iden... -> Calling Station Identifier
    country -> Country
    time -> Timestamp

Data Type: Repository (Perforce, GitHub, Universal)
Data Source: Universal Repository (CSV)
Dataset: sample_repo_data.csv
CSV Header -> Mapping:
    timestamp -> Timestamp
    user -> User
    action -> Action
    project -> Project

Data Type: Web Proxy (Universal)
Data Source: Universal Web Proxy (CSV)
Dataset: sample_webproxy_data.csv
CSV Header -> Mapping:
    clientname -> Client Name
    timestamp -> Timestamp
    agentstring -> Agent String
    clientip -> Client IP
    desthostname -> Destination Host Name
    destip -> Destination IP
    payloadsizeresponse -> Payload Size Response
    payloadsizerequest -> Payload Size Request
    httpresponsestatus -> HTTP Response Status
    httpmethod -> HTTP Method

Table 1: Data Sources

With the new Samples tenant and user created, you can now sign in to McAfee Behavioral Analytics as the new Samples tenant administrator.

Steps
1. Open a Web browser, and go to
2. In the McAfee Behavioral Analytics login dialog box, enter the username and password for the user created in "Create an Administrator User for the Samples Tenant" on page

3. On the Overall Risk page, click the Settings icon in the upper-right corner to open the Settings page.
   Note: If there is no data in your system, you will automatically be taken to the Settings page.
4. In the Settings page, click Configure a Data Source to launch the Data Configuration wizard.
5. On the Select Your Data Source page, click the Choose Your Data Type dropdown arrow, and then scroll through the list to select the data type you need to configure. For example, Authentication (Active Directory, AuditD, Universal).
6. Under Source, click the Choose Your Source dropdown arrow, and then scroll through the list to select the source of the data type to configure. For example, Universal Active Directory (CSV).
7. Enter the path to the sample directory created when you copied the sample datasets (for example, sampledata/authentication/).
8. Click the Next arrow to continue.
9. On the Column Mapping page, you can either manually map columns to the underlying column order of the CSVs, or click Browse to upload one of the files to the server to provide a wizard for column mapping. For example, with the sample_auth_data.csv file uploaded, the mappings would be:
Figure 8: Column Mapping Page

If you want to manually map the columns without uploading the files, the correct mappings are provided in the following tables:

Data Type | Mapping                    | Header Order
Auth      | Action                     | 2
Auth      | Timestamp                  | 9
Auth      | Destination                | 4
Auth      | User                       | 1
Auth      | Signature ID               | 3
Auth      | Object Type                | 5
Auth      | Object Name                | 6
Auth      | Calling Station Identifier | 7
Auth      | Country                    | 8
Table 2: Auth Mapping
Note: Subcode for Authentication is not provided in the sample data. This field should be left blank.

Data Type | Mapping   | Header Order
Repo      | Timestamp | 1
Repo      | User      | 2
Repo      | Action    | 3
Repo      | Project   | 4
Table 3: Repo Mapping
Note: IP Address and Size are not provided in the sample data. Their fields should be left blank.

Data Type | Mapping               | Header Order
Proxy     | Client Name           | 1
Proxy     | Timestamp             | 2
Proxy     | Agent String          | 3
Proxy     | Client IP             | 4
Proxy     | Destination Host Name | 5
Proxy     | Destination IP        | 6
Proxy     | Payload Size Response | 7
Proxy     | Payload Size Request  | 8
Proxy     | HTTP Response Status  | 9
Proxy     | HTTP Method           | 10
Table 4: Proxy Mapping
Note: Content Type, Destination Protocol, Destination Resource, HTTP Version, Referral URL, and Time Spent are not provided in the sample data. Their fields should be left blank.

10. On the Action Mapping page, click the Next arrow to continue.

11. On the Configure Destination page, enter the following information:
        Tenant ID (TID)             int
        Data Type                   Mapping
        Data Instance ID (DID)      0
        Kafka Brokers               <stream_node_fqdn>:6667
        ElasticSearch Cluster Name  interset
        ElasticSearch Hosts         <search_node_fqdn>:9300
        ZooKeeper Hosts             <master_node_fqdn>:
12. If this is the first data source for this tenant, choose whether to configure violations by clicking the Violations checkbox. Do not choose this option if this has already been done. Click the Next arrow to continue.
13. On the Review Configuration page, verify the data source details. To modify the current information, click the Back arrow. You are returned to the previous page, where you can modify your entries.
14. When you are satisfied with the configuration information entered, click Copy to copy the information in the new Data Configuration file you've just created. The Data Configuration file contains all of the configuration information required to ingest your data: completing the ETL process first for Kafka, and then from Kafka to Elasticsearch and to HBase.
15. In a Web browser, navigate to and log in to Ambari using your login credentials.

16. Select the Flume service, and then click the Configs tab.
17. Click the Group dropdown arrow, and then select your Flume Configuration Group.
Figure 9: Flume Configuration Group

18. At the bottom of the Flume agent Configs text box, paste the data ingest configuration information.
    Note: You may need to click the + icon if there is no config present.
Figure 10: Flume Agent Data Ingest Configuration
19. Return to the Data Configuration wizard, and click Create a New Configuration to create the next data source configuration.
20. Repeat Steps 3 to 19 until you have copied a configuration for each sample data source.
21. When you have copied the configuration for each sample data source from the Data Configuration wizard to Ambari, do the following:
    a. click Save and, if desired, enter a description of the change to the Config Group;
    b. click Save again, and then click OK;

    c. click the Restart button;
    d. in the top right corner of the page, click Restart all affected services.

Verify the Data Ingest

To verify that the data ingest is complete, do the following:
1. On the Stream node, as the interset user, navigate to the directory path of the datasets (for example, /opt/interset/sampledata/authentication).
2. In each of the three sample dataset directories, list the directory contents and verify that ".COMPLETED" has been appended to the .csv filename (for example, sample_auth_data.csv.COMPLETED).

Configure and Run McAfee Behavioral Analytics

To explore the Analytics results for the sample datasets in McAfee Behavioral Analytics, you must configure and run Analytics on the Samples tenant.
1. On the Master node, as the interset user, navigate to the /opt/interset/analytics/conf directory.
2. Duplicate the interset.conf file using the following command:
       cp interset.conf interset-int.conf
3. Edit the interset-int.conf file and change the TID value from 0 to int.
4. Switch to the spark user, and start Analytics using the custom conf file:
       sudo su spark
       /opt/interset/analytics/bin/analytics.sh /opt/interset/analytics/conf/interset-int.conf
5. After the Analytics run is complete, "Analytics finished" will appear in the console. This process may take a while to complete.

Configure Search

After the Analytics run is complete, set up the Kibana indices in Search to view the raw data. This must be done once for each tenant.

Steps
1. Open a Web browser and go to You will see a page like this:
Figure 11: Configure Index Pattern Page
2. In the Index name or pattern box, enter the index name from the table below, replacing <tid> with your tenant ID ("int", which was created in previous steps).
       Data Type | Index Name               | Timestamp Field
       All       | interset_*_rawdata_<tid> | timestamp
Figure 12: Enter Index Name or Pattern

3. In the Time-field name box, select "timestamp".
Figure 13: Select Time-Field Name Value
4. Click Create.
5. After configuring the index name, click Discover in the top menu to begin searching.
Figure 14: Discover
Tip: If you do not see any results, adjust the time range to April 1, 2016 to May 31,

Review Results

After analytics has successfully completed, the results can be explored in the McAfee Behavioral Analytics user interface.
1. Open a Web browser, and navigate to
2. In the McAfee Behavioral Analytics login page, type your Administrator username and password for the int tenant, and then click Sign in.

For a walkthrough of McAfee Behavioral Analytics, please see Use McAfee Behavioral Analytics.

Appendix C: Security Best Practices

This appendix provides security information regarding:
- Changing Default Account Passwords
- Firewall Configuration for McAfee Behavioral Analytics Servers
- Network Topology Recommendations
- Enabling SSL for McAfee Behavioral Analytics Reporting
- OS User Permissions & Patch Levels
- MD5 / SHA1 / SHA256 Checksums

Changing Default Account Passwords

The McAfee Behavioral Analytics system contains default accounts on Ambari and on Investigator/Workflow. The following section outlines the accounts, where they are configured, their use, and the impact of changing their credentials.

Ambari

By default, the Ambari management admin account username and password are both set to admin. To change the password for the admin account, you can use either of the following sets of steps.

To change the password using Ambari:
1. Log in to Ambari as admin (or as another administrator user, if one is configured).
2. Click admin to reveal the dropdown menu, and then select Manage Ambari.
Figure 1: Manage Ambari

3. On the Welcome page, click Users.
Figure 2: Welcome Page
4. On the Users page, click the admin user.
Figure 3: Users Page

5. On the Users/admin page, click Change Password.
Figure 4: Change Password
6. In the Your Password box, enter the current password. The default password is admin.
7. In the New User Password box, enter your new password, and then confirm the password.
8. Click OK to save the new password.

To change the password using a shell script:
1. On the Ambari node, run the following command:
       /opt/interset/bin/sysprep/scripts/update_passwords.sh
2. Choose option
3. Enter the Ambari Server URI, including the port (for example,
4. Enter the existing admin password.
5. Enter the new password desired for the admin user.

If the password change is successful, the following response will appear:
    Password successfully changed!

Changing the Ambari password has no impact on other parts of the product.

Note: Ambari can also integrate with your existing LDAP. For more information about integrating Ambari with LDAP, please go to and then use the Search box to locate the relevant topic.

Investigator/Workflow

Multiple Investigator/Workflow accounts are configured by default during the McAfee Behavioral Analytics installation. These accounts are:
- root
- admin
- user
- Workflow_0

Any of these accounts can be managed through the update_passwords.sh tool, or through Swagger as outlined in this guide.

To update these accounts via update_passwords.sh, do the following:
1. On the Ambari node, run the following command:
       /opt/interset/bin/sysprep/scripts/update_passwords.sh
2. Choose option
3. Enter the Reporting Server URI, including protocol (e.g.
4. Enter the existing root password.
5. Enter the Tenant ID of the user you wish to update.
   Note: root exists in the adm tenant.
6. Enter the name of the user whose password you wish to change.
7. Enter the new password for the user noted in Step 6.

If the password change is successful, the following response will appear:
    Password successfully changed!

Note: If you have configured a multi-tenant environment, ensure that the user IDs and updated passwords are the same for each tenant. Please refer to the "Configure Multi-tenant Authentication" section on page 22 for instructions on multi-tenant environment configuration.

If you modify the Workflow_0 account, a new authorization token must be generated and used in the /opt/interset/rules/conf/rules.conf file on the Master node where Analytics is installed. To get a new authorization token:
1. In an incognito window, log in to McAfee Behavioral Analytics as an Administrator.
2. Click Settings to open the Settings page.
   Note: If there is no data in your system, you will automatically be taken to the Settings page.
3. In the Settings page, click Access the API to open the API in Swagger.

4. In the Swagger header, click Authorize.
Figure 5: Swagger Authorization
5. In the Available authorizations, Select OAuth2.0 Scopes dialog box, click Authorize.
Figure 6: Available Authorizations
6. In the log in dialog box, enter the Workflow user credentials with the updated Workflow user password from the previous set of steps.

Figure 7: Log in Page
7. Click info to expand the section.
Figure 8: Swagger info
8. Click GET /info/session to expand the section.
Figure 9: Expand GET /info/session


More information

Ansible Tower Quick Setup Guide

Ansible Tower Quick Setup Guide Ansible Tower Quick Setup Guide Release Ansible Tower 2.4.5 Red Hat, Inc. Jun 06, 2017 CONTENTS 1 Quick Start 2 2 Login as a Superuser 3 3 Import a License 4 4 Examine the Tower Dashboard 6 5 The Setup

More information

Setting Up Resources in VMware Identity Manager (SaaS) Modified 15 SEP 2017 VMware Identity Manager

Setting Up Resources in VMware Identity Manager (SaaS) Modified 15 SEP 2017 VMware Identity Manager Setting Up Resources in VMware Identity Manager (SaaS) Modified 15 SEP 2017 VMware Identity Manager Setting Up Resources in VMware Identity Manager (SaaS) You can find the most up-to-date technical documentation

More information

Integrating VMware Workspace ONE with Okta. VMware Workspace ONE

Integrating VMware Workspace ONE with Okta. VMware Workspace ONE Integrating VMware Workspace ONE with Okta VMware Workspace ONE You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this

More information

Setting Up Resources in VMware Identity Manager. VMware Identity Manager 2.8

Setting Up Resources in VMware Identity Manager. VMware Identity Manager 2.8 Setting Up Resources in VMware Identity Manager VMware Identity Manager 2.8 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments

More information

Configuring Alfresco Cloud with ADFS 3.0

Configuring Alfresco Cloud with ADFS 3.0 Configuring Alfresco Cloud with ADFS 3.0 Prerequisites: You have a working domain on your Windows Server 2012 and successfully installed ADFS. For these instructions, I created: alfresco.me as a domain

More information

VMware Identity Manager Administration

VMware Identity Manager Administration VMware Identity Manager Administration VMware AirWatch 9.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition.

More information

McAfee Cloud Identity Manager

McAfee Cloud Identity Manager Google Cloud Connector Guide McAfee Cloud Identity Manager version 1.1 or later COPYRIGHT Copyright 2013 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed,

More information

Integration Service. Admin Console User Guide. On-Premises

Integration Service. Admin Console User Guide. On-Premises Kony Fabric Integration Service Admin Console User Guide On-Premises Release V8 SP1 Document Relevance and Accuracy This document is considered relevant to the Release stated on this title page and the

More information

Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing Oracle HTTP Server...

Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing Oracle HTTP Server... Oracle Access Manager Configuration Guide for On-Premises Version 17 October 2017 Contents Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing

More information

SOA Software API Gateway Appliance 6.3 Administration Guide

SOA Software API Gateway Appliance 6.3 Administration Guide SOA Software API Gateway Appliance 6.3 Administration Guide Trademarks SOA Software and the SOA Software logo are either trademarks or registered trademarks of SOA Software, Inc. Other product names, logos,

More information

271 Waverley Oaks Rd. Telephone: Suite 206 Waltham, MA USA

271 Waverley Oaks Rd. Telephone: Suite 206 Waltham, MA USA Contacting Leostream Leostream Corporation http://www.leostream.com 271 Waverley Oaks Rd. Telephone: +1 781 890 2019 Suite 206 Waltham, MA 02452 USA To submit an enhancement request, email features@leostream.com.

More information

Forescout. eyeextend for IBM BigFix. Configuration Guide. Version 1.2

Forescout. eyeextend for IBM BigFix. Configuration Guide. Version 1.2 Forescout Version 1.2 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

Nimsoft Service Desk. Single Sign-On Configuration Guide. [assign the version number for your book]

Nimsoft Service Desk. Single Sign-On Configuration Guide. [assign the version number for your book] Nimsoft Service Desk Single Sign-On Configuration Guide [assign the version number for your book] Legal Notices Copyright 2012, CA. All rights reserved. Warranty The material contained in this document

More information

Configuring SAML-based Single Sign-on for Informatica Web Applications

Configuring SAML-based Single Sign-on for Informatica Web Applications Configuring SAML-based Single Sign-on for Informatica Web Applications Copyright Informatica LLC 2017. Informatica LLC. Informatica, the Informatica logo, Informatica Big Data Management, and Informatica

More information

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1 Guide to Deploying VMware Workspace ONE DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

CONFIGURING AD FS AS A THIRD-PARTY IDP IN VMWARE IDENTITY MANAGER: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

CONFIGURING AD FS AS A THIRD-PARTY IDP IN VMWARE IDENTITY MANAGER: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE GUIDE MARCH 2019 PRINTED 28 MARCH 2019 CONFIGURING AD FS AS A THIRD-PARTY IDP IN VMWARE IDENTITY MANAGER: VMWARE WORKSPACE ONE VMware Workspace ONE Table of Contents Overview Introduction Audience AD FS

More information

McAfee Cloud Identity Manager

McAfee Cloud Identity Manager Coupa Cloud Connector Guide McAfee Cloud Identity Manager version 2.5 or later COPYRIGHT Copyright 2013 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed,

More information

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1 Guide to Deploying VMware Workspace ONE VMware Identity Manager 2.9.1 VMware AirWatch 9.1 Guide to Deploying VMware Workspace ONE You can find the most up-to-date technical documentation on the VMware

More information

Setting Up Resources in VMware Identity Manager 3.1 (On Premises) Modified JUL 2018 VMware Identity Manager 3.1

Setting Up Resources in VMware Identity Manager 3.1 (On Premises) Modified JUL 2018 VMware Identity Manager 3.1 Setting Up Resources in VMware Identity Manager 3.1 (On Premises) Modified JUL 2018 VMware Identity Manager 3.1 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

VMware Workspace ONE Quick Configuration Guide. VMware AirWatch 9.1

VMware Workspace ONE Quick Configuration Guide. VMware AirWatch 9.1 VMware Workspace ONE Quick Configuration Guide VMware AirWatch 9.1 A P R I L 2 0 1 7 V 2 Revision Table The following table lists revisions to this guide since the April 2017 release Date April 2017 June

More information

SAML-Based SSO Configuration

SAML-Based SSO Configuration Prerequisites, page 1 SAML SSO Configuration Task Flow, page 5 Reconfigure OpenAM SSO to SAML SSO Following an Upgrade, page 9 SAML SSO Deployment Interactions and Restrictions, page 9 Prerequisites NTP

More information

Configuration Guide - Single-Sign On for OneDesk

Configuration Guide - Single-Sign On for OneDesk Configuration Guide - Single-Sign On for OneDesk Introduction Single Sign On (SSO) is a user authentication process that allows a user to access different services and applications across IT systems and

More information

Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE

Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE Guide to Deploying VMware Workspace ONE with VMware Identity Manager SEP 2018 VMware Workspace ONE You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

McAfee Cloud Identity Manager

McAfee Cloud Identity Manager WebExConnect Cloud Connector Guide McAfee Cloud Identity Manager version 3.5 or later COPYRIGHT Copyright 2013 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted,

More information

Administering vrealize Log Insight. September 20, 2018 vrealize Log Insight 4.7

Administering vrealize Log Insight. September 20, 2018 vrealize Log Insight 4.7 Administering vrealize Log Insight September 20, 2018 4.7 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation,

More information

McAfee Cloud Identity Manager

McAfee Cloud Identity Manager Marketo Cloud Connector Guide McAfee Cloud Identity Manager version 3.5 or later COPYRIGHT Copyright 2013 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed,

More information

SAML-Based SSO Solution

SAML-Based SSO Solution About SAML SSO Solution, page 1 SAML-Based SSO Features, page 2 Basic Elements of a SAML SSO Solution, page 2 SAML SSO Web Browsers, page 3 Cisco Unified Communications Applications that Support SAML SSO,

More information

Storage Manager 2018 R1. Installation Guide

Storage Manager 2018 R1. Installation Guide Storage Manager 2018 R1 Installation Guide Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your product. CAUTION: A CAUTION indicates either

More information

BlackBerry Workspaces Server Administration Guide

BlackBerry Workspaces Server Administration Guide BlackBerry Workspaces Server Administration Guide 6.0 2018-10-06Z 2 Contents Introducing BlackBerry Workspaces administration console... 7 Configuring and managing BlackBerry Workspaces... 7 BlackBerry

More information

Okta Integration Guide for Web Access Management with F5 BIG-IP

Okta Integration Guide for Web Access Management with F5 BIG-IP Okta Integration Guide for Web Access Management with F5 BIG-IP Contents Introduction... 3 Publishing SAMPLE Web Application VIA F5 BIG-IP... 5 Configuring Okta as SAML 2.0 Identity Provider for F5 BIG-IP...

More information

Oracle Access Manager Configuration Guide

Oracle Access Manager Configuration Guide Oracle Access Manager Configuration Guide 16 R2 September 2016 Contents Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing Oracle HTTP Server...

More information

Administration Guide. BlackBerry Workspaces. Version 5.6

Administration Guide. BlackBerry Workspaces. Version 5.6 Administration Guide BlackBerry Workspaces Version 5.6 Published: 2017-06-21 SWD-20170621110833084 Contents Introducing the BlackBerry Workspaces administration console... 8 Configuring and managing BlackBerry

More information

Pulse Workspace Appliance. Administration Guide

Pulse Workspace Appliance. Administration Guide Pulse Workspace Appliance Administration Guide Product Release 2.0, 1743.1 Document Revisions 1.0 Published Date January 2018 Pulse Secure, LLC 2700 Zanker Road, Suite 200 San Jose, CA 95134 The Pulse

More information

Installation Guide. Mobile Print for Business version 1.0. July 2014 Issue 1.0

Installation Guide. Mobile Print for Business version 1.0. July 2014 Issue 1.0 Installation Guide Mobile Print for Business version 1.0 July 2014 Issue 1.0 Fuji Xerox Australia 101 Waterloo Road North Ryde NSW 2113 For technical queries please contact the Fuji Xerox Australia Customer

More information

Contents Introduction... 5 Configuring Single Sign-On... 7 Configuring Identity Federation Using SAML 2.0 Authentication... 29

Contents Introduction... 5 Configuring Single Sign-On... 7 Configuring Identity Federation Using SAML 2.0 Authentication... 29 Oracle Access Manager Configuration Guide 16 R1 March 2016 Contents Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 8 Installing Oracle HTTP Server...

More information

Product overview. McAfee Web Protection Hybrid Integration Guide. Overview

Product overview. McAfee Web Protection Hybrid Integration Guide. Overview McAfee Web Protection Hybrid Integration Guide Product overview Overview The McAfee Web Protection hybrid solution is the integration of McAfee Web Gateway and McAfee Web Gateway Cloud Service (McAfee

More information

Oracle Oracle Identity Manager 11g

Oracle Oracle Identity Manager 11g RSA SecurID Ready Implementation Guide Partner Information Last Modified: August 24, 2014 Product Information Partner Name Web Site Product Name Version & Platform Product Description Oracle www.oracle.com

More information

Using vrealize Operations Tenant App as a Service Provider

Using vrealize Operations Tenant App as a Service Provider Using vrealize Operations Tenant App as a Service Provider Using vrealize Operations Tenant App as a Service Provider You can find the most up-to-date technical documentation on the VMware Web site at:

More information

McAfee Network Security Platform 8.3

McAfee Network Security Platform 8.3 8.3.7.28-8.3.7.6 Manager-Virtual IPS Release Notes McAfee Network Security Platform 8.3 Revision B Contents About this release New features Enhancements Resolved issues Installation instructions Known

More information

Sophos Mobile as a Service

Sophos Mobile as a Service startup guide Product Version: 8 Contents About this guide... 1 What are the key steps?... 2 Change your password... 3 Change your login name... 4 Activate Mobile Advanced licenses...5 Check your licenses...6

More information

VMware AirWatch - Workspace ONE, Single Sign-on and VMware Identity Manager

VMware AirWatch - Workspace ONE, Single Sign-on and VMware Identity Manager VMware AirWatch - Workspace ONE, Single Sign-on and VMware Identity Table of Contents Lab Overview - HOL-1857-03-UEM - Workspace ONE UEM with App & Access Management... 2 Lab Guidance... 3 Module 1 - Workspace

More information

VMware AirWatch Content Gateway Guide for Linux For Linux

VMware AirWatch Content Gateway Guide for Linux For Linux VMware AirWatch Content Gateway Guide for Linux For Linux Workspace ONE UEM v9.7 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

McAfee epolicy Orchestrator Release Notes

McAfee epolicy Orchestrator Release Notes Revision B McAfee epolicy Orchestrator 5.3.3 Release Notes Contents About this release Enhancements Resolved issues Known issues Installation instructions Getting product information by email Find product

More information

User Guide. Version R94. English

User Guide. Version R94. English AuthAnvil User Guide Version R94 English March 8, 2017 Copyright Agreement The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya s Click-Accept EULATOS as updated

More information

VMware AirWatch Content Gateway for Linux. VMware Workspace ONE UEM 1811 Unified Access Gateway

VMware AirWatch Content Gateway for Linux. VMware Workspace ONE UEM 1811 Unified Access Gateway VMware AirWatch Content Gateway for Linux VMware Workspace ONE UEM 1811 Unified Access Gateway You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

McAfee Cloud Identity Manager

McAfee Cloud Identity Manager Syncplicity Cloud Connector Guide McAfee Cloud Identity Manager version 3.1 or later COPYRIGHT Copyright 2013 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted,

More information

ForeScout Extended Module for IBM BigFix

ForeScout Extended Module for IBM BigFix Version 1.1 Table of Contents About BigFix Integration... 4 Use Cases... 4 Additional BigFix Documentation... 4 About this Module... 4 About Support for Dual Stack Environments... 5 Concepts, Components,

More information

akkadian Global Directory 3.0 System Administration Guide

akkadian Global Directory 3.0 System Administration Guide akkadian Global Directory 3.0 System Administration Guide Updated July 19 th, 2016 Copyright and Trademarks: I. Copyright: This website and its content is copyright 2014 Akkadian Labs. All rights reserved.

More information

Setting Up Resources in VMware Identity Manager

Setting Up Resources in VMware Identity Manager Setting Up Resources in VMware Identity Manager VMware Identity Manager 2.7 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information

Early Data Analyzer Web User Guide

Early Data Analyzer Web User Guide Early Data Analyzer Web User Guide Early Data Analyzer, Version 1.4 About Early Data Analyzer Web Getting Started Installing Early Data Analyzer Web Opening a Case About the Case Dashboard Filtering Tagging

More information

Cloud Secure Integration with ADFS. Deployment Guide

Cloud Secure Integration with ADFS. Deployment Guide Cloud Secure Integration with ADFS Deployment Guide Product Release 8.3R3 Document Revisions 1.0 Published Date October 2017 Pulse Secure, LLC 2700 Zanker Road, Suite 200 San Jose CA 95134 http://www.pulsesecure.net

More information

McAfee Cloud Identity Manager

McAfee Cloud Identity Manager BoxNet Cloud Connector Guide McAfee Cloud Identity Manager version 3.1 or later COPYRIGHT Copyright 2013 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed,

More information

Sophos Mobile. startup guide. Product Version: 8.1

Sophos Mobile. startup guide. Product Version: 8.1 Sophos Mobile startup guide Product Version: 8.1 Contents About this guide... 1 Sophos Mobile licenses... 2 Trial licenses...2 Upgrade trial licenses to full licenses... 2 Update licenses... 2 What are

More information

VMware AirWatch: Directory and Certificate Authority

VMware AirWatch: Directory and Certificate Authority Table of Contents Lab Overview - HOL-1857-06-UEM - VMware AirWatch: Directory and Certificate Authority Integration... 2 Lab Guidance... 3 Module 1 - Advanced AirWatch Configuration, AD Integration/Certificates

More information

COURSE OUTLINE MOC : PLANNING AND ADMINISTERING SHAREPOINT 2016

COURSE OUTLINE MOC : PLANNING AND ADMINISTERING SHAREPOINT 2016 COURSE OUTLINE MOC 20339-1: PLANNING AND ADMINISTERING SHAREPOINT 2016 Module 1: Introducing SharePoint 2016 This module describes the structure and capabilities of a SharePoint environment, and the major

More information

StreamSets Control Hub Installation Guide

StreamSets Control Hub Installation Guide StreamSets Control Hub Installation Guide Version 3.2.1 2018, StreamSets, Inc. All rights reserved. Table of Contents 2 Table of Contents Chapter 1: What's New...1 What's New in 3.2.1... 2 What's New in

More information

Cisco Unified Serviceability

Cisco Unified Serviceability Cisco Unified Serviceability Introduction, page 1 Installation, page 5 Introduction This document uses the following abbreviations to identify administration differences for these Cisco products: Unified

More information

vrealize Suite Lifecycle Manager 1.0 Installation and Management vrealize Suite 2017

vrealize Suite Lifecycle Manager 1.0 Installation and Management vrealize Suite 2017 vrealize Suite Lifecycle Manager 1.0 Installation and Management vrealize Suite 2017 vrealize Suite Lifecycle Manager 1.0 Installation and Management You can find the most up-to-date technical documentation

More information

User Guide. Version R92. English

User Guide. Version R92. English AuthAnvil User Guide Version R92 English October 9, 2015 Agreement The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya s Click-Accept EULATOS as updated from

More information

VII. Corente Services SSL Client

VII. Corente Services SSL Client VII. Corente Services SSL Client Corente Release 9.1 Manual 9.1.1 Copyright 2014, Oracle and/or its affiliates. All rights reserved. Table of Contents Preface... 5 I. Introduction... 6 Chapter 1. Requirements...

More information

Policy Manager for IBM WebSphere DataPower 7.2: Configuration Guide

Policy Manager for IBM WebSphere DataPower 7.2: Configuration Guide Policy Manager for IBM WebSphere DataPower 7.2: Configuration Guide Policy Manager for IBM WebSphere DataPower Configuration Guide SOAPMDP_Config_7.2.0 Copyright Copyright 2015 SOA Software, Inc. All rights

More information

Five9 Plus Adapter for NetSuite

Five9 Plus Adapter for NetSuite Cloud Contact Center Software Five9 Plus Adapter for NetSuite Administrator s Guide April 2018 This guide describes how to install and configure the Five9 Plus Adapter for NetSuite, which enhances the

More information

VMWARE HORIZON CLOUD WITH VMWARE IDENTITY MANAGER QUICK START GUIDE WHITE PAPER MARCH 2018

VMWARE HORIZON CLOUD WITH VMWARE IDENTITY MANAGER QUICK START GUIDE WHITE PAPER MARCH 2018 VMWARE HORIZON CLOUD WITH VMWARE IDENTITY MANAGER QUICK START GUIDE WHITE PAPER MARCH 2018 Table of Contents Introduction to Horizon Cloud with Manager.... 3 Benefits of Integration.... 3 Single Sign-On....3

More information

INTEGRATING OKTA: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

INTEGRATING OKTA: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE GUIDE AUGUST 2018 PRINTED 4 MARCH 2019 INTEGRATING OKTA: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE Table of Contents Overview Introduction Purpose Audience Integrating Okta with VMware

More information

Installing and Configuring vcloud Connector

Installing and Configuring vcloud Connector Installing and Configuring vcloud Connector vcloud Connector 2.6.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

McAfee Cloud Identity Manager

McAfee Cloud Identity Manager EchoSign Provisioning Connector Guide McAfee Cloud Identity Manager version 3.5 and later COPYRIGHT Copyright 2013 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted,

More information

Introduction to application management

Introduction to application management Introduction to application management To deploy web and mobile applications, add the application from the Centrify App Catalog, modify the application settings, and assign roles to the application to

More information

Technology Platform. Spectrum. Version 11.0 SP1. Administration Guide - AMI

Technology Platform. Spectrum. Version 11.0 SP1. Administration Guide - AMI Spectrum Version 11.0 SP1 Technology Platform Table of Contents 1 - Getting Started Configuring a New System 5 Configuring a New Spectrum Technology Platform AMI Instance 6 Accessing Management Console

More information

About This Document 3. Overview 3. System Requirements 3. Installation & Setup 4

About This Document 3. Overview 3. System Requirements 3. Installation & Setup 4 About This Document 3 Overview 3 System Requirements 3 Installation & Setup 4 Step By Step Instructions 5 1. Login to Admin Console 6 2. Show Node Structure 7 3. Create SSO Node 8 4. Create SAML IdP 10

More information

Tenant Administration. vrealize Automation 6.2

Tenant Administration. vrealize Automation 6.2 vrealize Automation 6.2 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation, submit your feedback to

More information

Using the Horizon vrealize Orchestrator Plug-In

Using the Horizon vrealize Orchestrator Plug-In Using the Horizon vrealize Orchestrator Plug-In VMware Horizon 6 version 6.2.3, VMware Horizon 7 versions 7.0.3 and later Modified on 4 JAN 2018 VMware Horizon 7 7.4 You can find the most up-to-date technical

More information

Hortonworks Data Platform

Hortonworks Data Platform Hortonworks Data Platform Workflow Management (August 31, 2017) docs.hortonworks.com Hortonworks Data Platform: Workflow Management Copyright 2012-2017 Hortonworks, Inc. Some rights reserved. The Hortonworks

More information

Vodafone Secure Device Manager Administration User Guide

Vodafone Secure Device Manager Administration User Guide Vodafone Secure Device Manager Administration User Guide Vodafone New Zealand Limited. Correct as of June 2017. Vodafone Ready Business Contents Introduction 3 Help 4 How to find help in the Vodafone Secure

More information

Contents Using the Primavera Cloud Service Administrator's Guide... 9 Web Browser Setup Tasks... 10

Contents Using the Primavera Cloud Service Administrator's Guide... 9 Web Browser Setup Tasks... 10 Cloud Service Administrator's Guide 15 R2 March 2016 Contents Using the Primavera Cloud Service Administrator's Guide... 9 Web Browser Setup Tasks... 10 Configuring Settings for Microsoft Internet Explorer...

More information

Connection Broker Advanced Connections Management for Multi-Cloud Environments

Connection Broker Advanced Connections Management for Multi-Cloud Environments Connection Broker Advanced Connections Management for Multi-Cloud Environments Using Leostream with the VMware Horizon View Direct- Connection Plug-in Version 8.2 December 2017 Contacting Leostream Leostream

More information

SAS Viya 3.3 Administration: Identity Management

SAS Viya 3.3 Administration: Identity Management SAS Viya 3.3 Administration: Identity Management Identity Management Overview................................................................. 2 Getting Started with Identity Management......................................................

More information

Integrating AirWatch and VMware Identity Manager

Integrating AirWatch and VMware Identity Manager Integrating AirWatch and VMware Identity Manager VMware AirWatch 9.1.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a

More information

Course : Planning and Administering SharePoint 2016

Course : Planning and Administering SharePoint 2016 Course Outline Course 20339-1: Planning and Administering SharePoint 2016 Duration: 5 days About this course This five-day course will provide you with the knowledge and skills to plan and administer a

More information

Integration Service. Admin Console User Guide. On-Premises

Integration Service. Admin Console User Guide. On-Premises Kony MobileFabric TM Integration Service Admin Console User Guide On-Premises Release 7.3 Document Relevance and Accuracy This document is considered relevant to the Release stated on this title page and

More information

ForeScout Extended Module for Carbon Black

ForeScout Extended Module for Carbon Black ForeScout Extended Module for Carbon Black Version 1.0 Table of Contents About the Carbon Black Integration... 4 Advanced Threat Detection with the IOC Scanner Plugin... 4 Use Cases... 5 Carbon Black Agent

More information

ForeScout Extended Module for IBM BigFix

ForeScout Extended Module for IBM BigFix ForeScout Extended Module for IBM BigFix Version 1.0.0 Table of Contents About this Integration... 4 Use Cases... 4 Additional BigFix Documentation... 4 About this Module... 4 Concepts, Components, Considerations...

More information

Cisco Expressway Authenticating Accounts Using LDAP

Cisco Expressway Authenticating Accounts Using LDAP Cisco Expressway Authenticating Accounts Using LDAP Deployment Guide Cisco Expressway X8.5 December 2014 Contents Introduction 3 Process summary 3 LDAP accessible authentication server configuration 4

More information

TECHNICAL WHITE PAPER AUGUST 2017 REVIEWER S GUIDE FOR VIEW IN VMWARE HORIZON 7: INSTALLATION AND CONFIGURATION. VMware Horizon 7 version 7.

TECHNICAL WHITE PAPER AUGUST 2017 REVIEWER S GUIDE FOR VIEW IN VMWARE HORIZON 7: INSTALLATION AND CONFIGURATION. VMware Horizon 7 version 7. TECHNICAL WHITE PAPER AUGUST 2017 REVIEWER S GUIDE FOR VIEW IN VMWARE HORIZON 7: INSTALLATION AND CONFIGURATION VMware Horizon 7 version 7.x Table of Contents Introduction.... 3 JMP Next-Generation Desktop

More information

IBM BigFix Version 9.5. WebUI Administrators Guide IBM

IBM BigFix Version 9.5. WebUI Administrators Guide IBM IBM BigFix Version 9.5 WebUI Administrators Guide IBM IBM BigFix Version 9.5 WebUI Administrators Guide IBM Note Before using this information and the product it supports, read the information in Notices

More information

Sophos Mobile SaaS startup guide. Product version: 7.1

Sophos Mobile SaaS startup guide. Product version: 7.1 Sophos Mobile SaaS startup guide Product version: 7.1 Contents 1 About this guide...4 2 What are the key steps?...5 3 Change your password...6 4 Change your login name...7 5 Activate SMC Advanced licenses...8

More information

Sophos Mobile Control startup guide. Product version: 7

Sophos Mobile Control startup guide. Product version: 7 Sophos Mobile Control startup guide Product version: 7 Contents 1 About this guide...4 2 About Sophos Mobile Control...5 3 Sophos Mobile Control licenses...7 3.1 Trial licenses...7 3.2 Upgrade trial licenses

More information

Firewall Enterprise epolicy Orchestrator

Firewall Enterprise epolicy Orchestrator Integration Guide McAfee Firewall Enterprise epolicy Orchestrator Extension version 5.2.1 COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted,

More information

vcloud Director Administrator's Guide

vcloud Director Administrator's Guide vcloud Director 5.1.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of

More information