Administrator Guidance Instructions. Version rd March, 2018

Transcription

1 Administrator Guidance Instructions Version rd March, 2018

2 1. Document Introduction 1.1 Evaluated Products 1.2 Acronyms 2. Evaluated Capabilities 3. MATD Configuration 3.1 Accessing MATD 3.2 User Management 3.3 Date and Time Management 3.4 DNS Settings 4. Security Settings 4.1 Uploading CA certificate to trusted CA bundle 4.2 Uploading Web server certificate 4.3 Configuring Syslog server 4.4 Enabling Common Criteria Mode 4.5 Cryptographic Module Identification 4.6 Certificate Signing Request 4.7 Reference Identifier 4.8 Supported Ciphers 4.9 Audit Logs 4.10 Audit Server Configuration 4.11 Login Banner 4.12 Password Recommendations 4.13 User Account Lockout 4.14 Self-Test 4.15 Recover TLS Session 4.16 Secure Software Update 5. Appendix A : MATD Audit Event Logs Page 2 of 94

3 1. Document Introduction This guide includes procedures for configuring Common Criteria on McAfee Advanced Thread Defense (MATD) version Evaluated Products The evaluated product is McAfee Advanced Threat Defense (MATD) MATD is an on premise appliance that facilitates detection and prevention of malware. MATD provides protection from known, near-zero day, and zero-day malware without compromising on the quality of service to your network users. MATD has the added advantage of being an integrated solution. In addition to its own multi-level threat detection capabilities, its ability to seamlessly integrate with other McAfee security products protects your network against malware and other Advanced Persistent Threats (APTs). Any software capable of being involved in hostile activities with respect to a computer, application, or network can be termed as malware. MATD is designed for detecting file-based malware. The software identification for the evaluated product is as follows: McAfee Advanced Threat Defense Acronyms Advanced Persistent Threats - APTs McAfee Advanced Threat Defense - MATD Advance Malware Analysis System - AMAS Page 3 of 94

4 2. Evaluated Capabilities The Common Criteria configuration adds support for many security capabilities. capabilities include the following: Protected Audit Data Remote Administration Session Management Some of those Page 4 of 94

5 3. MATD Configuration This section will guide/enable admin user to configure different features and functionalities of MATD. 3.1 Accessing MATD Before accessing MATD CLI or UI, admin need to configure IP address, network mask and default gateway. Use below set of commands to assign or modify IP network parameters: 1. set appliance ip <IP address> <netmask> 2. set appliance gateway <gateway> 3. set appliance name <hostname> To access MATD UI, type address of MATD> in the browser. To access MATD CLI: 1. connect serial console to MATD appliance and configure the HyperTerminal with below settings: Baud rate 9600 Number of Bits 8 Parity None Stop Bits 1 Control Flow None 2. User can do SSH to MATD on port 2222 using SSH client. In Common Criteria mode of operation SSH to port 2222 will be disabled. Use below default credentials for login with administrative privilege: 1. For UI console access use default credentials as username: admin and password: admin Page 5 of 94

6 2. For CLI console access use default credentials as username: cliadmin and password: atdadmin To log out current session: 1. For UI console click the Log Out button on the upper left corner to terminate or logoff current UI session 2. For CLI console use exit command to terminate or logoff current CLI session. 3.2 User Management MATD allows admin user to create new users or modify existing ones. For creating new users follow below steps: 1. Log on to the Advanced Threat Defense web interface. 2. Click Manage >>ATD Configuration>> ATD Users, then click New. 3. Configure all mandatory fields (marked with *) at the minimum to create a user successfully. 4. Configure the user options, then click Save. Page 6 of 94

7 For changing user password or other user properties follow below steps: 1. Log on to the Advanced Threat Defense web interface. 2. Click Manage >>ATD Configuration>> ATD Users, then select user and click Edit button. 3. Change the user properties or password, then click Save. 3.3 Date and Time Management Configure the date and time MATD uses the date and time that you configure for all its functional and display purposes. The date and time displays on the MATD web interface, reports, log files, and CLI. You can either manually specify the date and time or configure Network Time Protocol (NTP) servers as the time source for MATD. If you specify NTP servers, you can configure up to 3 Network Time Protocol (NTP) servers. MATD acts as an NTP client and synchronizes with the highest priority NTP server that is available. Page 7 of 94

8 By default, synchronization with NTP servers is enabled in MATD and set to pool.ntp.org as the default NTP server. The default time zone is Pacific Standard Time (UTC-8). Follow below steps to configure or change date and time settings: Using NTP: 1. Log on to the Advanced Threat Defense web interface. 2. Click Manage >> ATD Configuration >> Date & Time. 3. Configure/Modify the Date and Time Settings, then click Submit. Using manual setting: 1. Log on to the Advanced Threat Defense web interface. 2. Click Manage >> ATD Configuration >> Date & Time. 3. Disable NTP by deselecting Enable Network Time Protocol. 4. Set date and time under Date and Time Setting section. 5. Sumit the changes. Time zone can be set to desired one under section Time Zone Settings and applicable for both methods. Page 8 of 94

9 3.4 DNS Settings To configure DNS server, follow below steps: 1. Log on to the McAfee Advanced Threat Defense web interface. 2. Click Manage >> ATD Configuration >>DNS. 3. In DNS Setting, complete these settings, then click Apply. Domain Type your domain name Preferred DNS Server Type IP address of the primary DNS server Alternate DNS Server Type IP address of the secondary DNS server. 4. In Malware DNS Setting, type IP address of the DNS server to use for malware analysis in the sandbox environment, then click Apply. Page 9 of 94

10 4.0 Security settings Admin can configure multiple security settings and enforce Common Criteria mode on MATD. Below sections will guide how to configure these important settings. 4.1 Uploading CA certificate to trusted CA bundle MATD validates web server and syslog server certificate chain and validation will pass only if root CA is trusted by MATD. MATD maintains a trusted CA bundle for this purpose and admin can add a new root CA before using end server certificate. To upload certificates in Trusted CA bundle: 1. Login to MATD UI. 2. Go to Manage tab. 3. Click on the Security drop down to the left of this page. 4. Click on Manage Certificates. 5. In this page, admin can upload trusted CA certificates in the Trusted CA Certificate field. Make sure to upload root CA certificate before uploading any sub CA certificate. Upload CA certificates individually instead of chain certificates. All certificate will be validated for below checks: a. Expiry date and time. b. CA flag if not end certificate. c. Certificate key size should be greater or equal to 2048 d. Certificate signature methods: sha256, sha384, sha512 e. Certificate presented identifier (hostname/ip) should match an entry in SAN or CN (if match not found in SAN) (Refer section: 3.4 Reference identifier for further details) f. Wildcard validation of SAN or CN filed for presented identifier, it should be in the left-most domain level and there shouldn t be more than one wildcard in any of the entries g. Certificate chain validation. Root CA must be trusted by MATD. h. Certificate revocation check using OCSP. Authority information access (AIA) URL is must for checking revocation status, MATD accepts only HTTP URL in AIA. i. X509v3 Extended Key Usage for purpose like server authentication, client authentication, certificate signing and OSCP signing. Page 10 of 94

11 4.2 Uploading Web server certificate MATD runs secure web server for interaction with user and other integrated McAfee products. Admin can upload custom certificates to be used by MATD web server. Follow below steps to upload web server certificate in MATD: 1. Upload root CA and sub CA (if any) of web server certificate to Trusted CA bundle as mentioned in Section 4.1 Uploading CA certificate to trusted CA bundle 2. Navigate to MATD UI, Manage>>Security>>Manage Certificates>>Web Certificate Upload. 3. Click Browse button and select the web server certificate to be uploaded. Make sure certificate must be in PEM format and appended with private key also. Uploaded web server certificate will be validated/checked for all criteria as mentioned in Section 4.1 with title All certificate will be validated for below checks:. 4. On successful validation of web server certificate, web service of MATD will restart to make use of new certificate. In case of any certificate validation failure a pop-up message will be displayed showing failure reason. Admin will get the opportunity to accept the risk and continue uploading web server certificate like below. There are some mandatory checks for which certificates will be rejected without giving any option to admin user. Page 11 of 94

12 4.3 Configuring Syslog server MATD can be configured for sending syslog events/audits/logs to remote Syslog server for monitoring purpose. MATD supports syslog messages over UDP, TCP and TCP with TLS protocols. For CC mode of operation Syslog must use TCP/TLS Encryption protocol only. Steps to configure remote syslog server settings: a. Navigate to Manage>> ATD Configuration>>Syslog tab. b. Select Enable Logging and configure valid IP address/hostname, protocol as TCP/TLS Encryption and port number (default is 6514) as shown below. c. Validate Syslog Server Certificate should be checked for CC mode of operation. This will enable MATD to validate syslog server certificate presented at the time of connection establishment. Make sure the root CA of syslog server certificate is uploaded to Trusted CA bundle of MATD else trust establishment will fail. Refer to section 4.2 Uploading CA certificate to trusted CA bundle for more details. d. Using Test Connection button, admin can check reachability to syslog server. If connection test is successful, a Success pop-up message will be shown as below: Page 12 of 94

13 e. Check Audit Log checkbox, it is a mandatory step for enabling Audit function for Common Criteria of operation. By default, this setting will be enabled. f. Click Submit button. g. In case of syslog server certificate validation failure, MATD will display a pop-up message providing the details of the validation failures/errors. Below is one such example. There are some mandatory checks for which certificates will be rejected without giving any option to admin user. 4.4 Enabling Common Criteria Mode MATD supports Common Criteria mode of operation. Admin can enable or disable Common Criteria mode by changing configuration. Please note that on enabling Common Criteria mode port 2222 will get disabled automatically which is used for SSH to MATD. Steps to Enable Common Criteria mode: 1. Enable remote logging with syslog server configured to use TCP/TLS Encryption protocol, enable Validate Syslog Server Certificate and enable Audit Log. For more details check section 4.3 Configuring Syslog Server 2. Upload a valid web server certificate to MATD. Check section 4.2 Uploading web server certificate for more details. 3. Navigate to Manage>>Security>>Advanced Security Settings. Page 13 of 94

14 4. Check Common Criteria Mode checkbox, and the MATD system will check the Common Criteria eligibility. 5. If not eligible, a failure pop-up message box will show the failure reason(s). Admin user can either accept the risk and continue with the certificates having not met the requirements or can click on cancel button to stop the process. Below is one such example of pop-up message: Page 14 of 94

15 6. Click on Save button. 4.5 Cryptographic Module Identification McAfee OpenSSL FIPS Object Module (#2969) 4.6 Certificate Signing Request Generating a Certificate Signing Request: Advanced Threat Defense allows you to generate a certificate signing request (CSR) from the web interface. To generate a CSR, you need to enter your organization details, and the key size. You can then generate your CSR, export it, and submit it to a certificate signing authority to get it signed. Steps for CSR generation: 1. Log on to the Advanced Threat Defense web interface. 2. Click Manage >> Security >> CSR Generation. 3. Fill the CSR Generation fields with your organization details. Common Name [CN] Enter the domain name of your organization. Organization Name [O] Enter your organization name. Organization Unit [OU] Enter the organization unit that is ordering the certificate City/Town [L], State/Province [ST], Country [C] Enter the address of your organization. Id [ea] Enter the address to contact your organization. Hash Function Select a hash function for your certificate. Key Size (in bits) Select a key size for your certificate in bits. Page 15 of 94

16 4. Click Generate to generate your CSR. Your CSR is now listed in the Certificate Singing Request Message section. You can use the icon in the Action column to Export or Remove your CSR. Once the certificate is singed, you can upload it as Web Certificate from the Manage Certificate page. 4.7 Reference Identifier MATD validates the presented hostname, IP Address and FQDN as referenced identifier for Syslog and Web server certificates. In the case of Syslog, MATD takes the IP Address or FQDN configured in IP Address/Hostname field available in Manage >> ATD Configuration >> Syslog page. In the case of Web certificate, MATD uses the IP address or the hostname/fqdn set for the device as referenced identifier. First configured IP address is tried for match in SAN/CN field of certificate and then hostname/fqdn. The comparison of the hostname happens against the entries in Subject Alternative Name field of the respective server certificate and if no match is found, we look for a match with CN field of the certificate. 4.8 Supported Ciphers MATD support below list of Ciphers when Common Criteria mode is enabled. TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA Page 16 of 94

17 TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_ SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_ SHA Audit Logs See complete list of Audit logs/events in the Appendix A. The audit logs corresponding to the events are simultaneously sent to the external syslog server and local store. MATD rotates local audit log file regularly on basis of threshold size which is 20MB and keeps maximum of 5 rotated logs Audit Server Configuration Please refer to section 4.3 Configuring Syslog Server for configuring the audit syslog server. Note: Check HTTPS Session Log only if it is mandatory because this will flood syslog server with lot of HTTPS session related audits. By default, this will be disabled Login Banner MATD allows admin user to set login banner (welcome message) for both web UI and CLI interfaces. Step to configure Login Banner: a. Go to Manage>> Security>>Advance Security Settings tab. b. Check Display Login Banner checkbox. c. Put Banner Message. d. Save the changes by clicking the Save bottom. Page 17 of 94

18 4.12 Password Recommendations Password should meet requirement of minimum password length as per setting available at Manage>> Security>>Advance Security Settings tab When setting a password, you should select a password that: Minimum 5 characters long. At least 1 uppercase character. At least 1 number. At least 1 supported special character: ' # $ % ^ & *. Cannot be as same as username Note: Password policy remains same for both UI and Console 4.13 User Account Lockout If a user provides wrong credentials for more than the configured threshold allowed during login, the user would be prevented from accessing MATD (through UI and through CLI) for the duration configured for account lockout. This is applicable to all local user accounts. To configure user account lock out settings, go to Manage>> Security>>Advance Security Settings tab a. Duration of lock out can be set between 3 to 15 mins. b. Maximum invalid login attempts can be set between 3 to 5. The default account lockout duration is 180 seconds (3 min) and the default value for maximum login retries is 3. Also, if the user is inactive for the duration configured for UI timeout, the user s UI session would be terminated and the user would have to later log in to ATD again. The default UI timeout duration is 600 seconds (10 min). It can be updated using CLI command set uitimeout < >. Use show ui-timeout command to list out the current UI timeout value. Page 18 of 94

19 4.14 Self-Test All MATD processing (sample acceptance, analysis and reporting) is coordinated by Advance Malware Analysis System (AMAS). When this core component starts up, it checks the sanity of the openssl library, using the fipscheck binary on /lib64/libcrypto.so.10. In case of failure AMAS would refuse to start. If someone has changed the library of openssl from what has been provided with MATD then Amas would not start and a message Fips check fails shutting down Amas would appear in the UI Syslog page and send to remote syslog server if configured. If the check passes, the Fips Check Passed message is displayed in the UI Syslog page as well. If the remote syslog server is configured, then the above message would appear in remote syslog server as well. To fix this issue the administrator or technician needs to revert the changes and then can either start Amas from CLI or reboot the box. At the time of booting process and when the Amas service starts up, FIPS library checks are done. In case of failure, Amas service will not be available making whole system un-usable Recover TLS Session To recover a TLS session if the session is unintentionally broken: For the admin connection if the administrative connection is inadvertently lost, re-establish a session. For the syslog connection if the connection is lost to the syslog server, the connection will be automatically re-established. Audit logs are kept on the local server and sent to the syslog server when the connection is re-established Secure Software Update MATD allow admin user to upgrade/update MATD system software. Steps to update MATD system software: 1. Download MATD software from McAfee download portal. 2. Using SFTP (use atdadmin user account for this purpose), upload these files to the Advanced Threat Defense: Installation file, system x.xx.xxxx.msu Default password for atdadmin account is atdadmin 3. Use the below steps to upgrade the McAfee Advanced Threat Defense software a. Log on to the McAfee Advanced Threat Defense web interface as the admin. Page 19 of 94

20 b. Click Manage >> Image & Software >> Software. c. From the System Software, drop-down list, select the installation file. d. Make sure that Reset Database is deselected, then click Install. e. On the installation Status message, click OK. The installation takes a minimum of 20 minutes. Once installation completes, the MATD restarts automatically. 4. Once the McAfee Advanced Threat Defense Appliance is restarted, log on to the CLI and verify the software version using show command. 5. Log on to the McAfee Advanced Threat Defense web interface and verify the following. Software version All data and configuration settings are retained. The upgrade logs, path and version history can be seen/verified using below: a. Log on to the McAfee Advanced Threat Defense web interface. b. Click Manage >> Logs >> Upgrade. Validation of System update packages are in place and it verifies package signing details. If validation fails it throws below error like below: Page 20 of 94

21 Appendix A: MATD Audit Event Logs User login and logout from UI 1. Audit log when user logs in through UI. This may vary for all audit logs depending on the hostname configured for the device T23:56: :00 localhost ATD2ESM[3728]: {"Type":"Audit","MsgId":"L-LG-04-0","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"Session Login","Description":"Successful user login - admin"} 2. Audit log when user logs out through UI T23:56: :00 localhost ATD2ESM[3730]: {"Type":"Audit","MsgId":"L-LG-05-0","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"Session Logout","Description":"Successful user logout: admin"} 3. Audit log when user is logged out due to session timeout T22:05: :00 localhost ATD2ESM[1674]: {"Type":"Audit","MsgId":"L-LG-05-0","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"Sessio n Logout","Description":"Logout: admin due to timeout"} 4. Audit log when the username provided is not in the list of users T09:40: :00 localhost ATD2ESM[3662]: {"Type":"Audit","MsgId":"L-LG-04-1","Result":"Failure","User":"test","Category":"User","Client":" ","Action":"Session Login","Description":"Login failed (User - test): User doesn't exist. Please contact your ATD Administrator"} 5. Audit log when user provides invalid credentials T08:52: :00 localhost ATD2ESM[3670]: {"Type":"Audit","MsgId":"L-LG-04-1","Result":"Failure","User":"admin","Category":"Admin","Client":" ","Action":"Session Login","Description":"Invalid user name - admin, Invalid Credentials"} 6. Audit log when user fails to login within the number of allowed attempts to login and gets locked out. Here the name of the user is admin T09:42: :00 localhost ATD2ESM[3668]: {"Type":"Audit","MsgId":"L-LG-04-1","Result":"Failure","User":"admin","Category":"Admin","Client":" ","Action":"Session Login","Description":"Unsuccessful login attempt reached for admin, Origin of attempt is IP User - admin is blocked for 4 minutes "} Page 21 of 94

22 Dashboard page 7. Audit log when modifications are made (add/delete monitors) and saved on Dashboard frommatdui T23:59: :00 localhost ATD2ESM[3715]: {"Type":"Audit","MsgId":"D-DA-01-0","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"Dashbo ard Setting Modification","Description":"Dashboard display settings modified successfully."} Analysis page Analysis Status 8. Audit log when a Search configuration is modified and saved on Analysis Status frommatdui T01:19: :00 localhost ATD2ESM[3727]: {"Type":"Audit","MsgId":"A-AS-01-0","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"Analysi s status Modification","Description":"Search criteria on analysis status page modified successfully."} 9. Audit log when a single sample/multiple samples is(/are) cancelled on Analysis status page frommatdui T22:53: :00 localhost ATD2ESM[3815]: {"Type":"Audit","MsgId":"A-AS-02-0","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"Analysi s status Delete","Description":"Selected pending sample(s) has(ve) been successfully cancelled."} 10. Audit log when single sample/multiple samples is(/are) cannot be cancelled T22:53: :00 localhost ATD2ESM[3815]: {"Type":"Audit","MsgId":"A-AS-02-0","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"Analysi s status Delete","Description":" Selected pending sample(s) has(ve) could not be cancelled."} Analysis Reports 11. Audit log when a Search configuration is modified and saved on Analysis Reports from MATD UI T01:19: :00 localhost ATD2ESM[3715]: {"Type":"Audit","MsgId":"A-AR-01-0","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"Analysi s reports Modification","Description":"Search criteria on analysis reports page modified successfully."} 12. Audit log when a sample is downloaded on Analysis Reports page from MATD UI T01:21: :00 localhost ATD2ESM[3740]: {"Type":"Audit","MsgId":"A-AR-09-0","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"Analysi s reports Download","Description":"Sample has been successfully downloaded."} 13. Audit log when a sample is added to "File/URL whitelist" on Analysis Reports page from MATD UI T01:21: :00 localhost ATD2ESM[3717]: {"Type":"Audit","MsgId":"M-WL- 08-0","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"Whiteli sting Samples Upload","Description":"Chemistry_moles_problem.docx whitelisted successfully."} Page 22 of 94

23 14. Audit log when a sample is added to "Digital Signature" on Analysis Reports page from MATD UI T01:26: :00 localhost ATD2ESM[3719]: {"Type":"Audit","MsgId":"M-WL- 08-0","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"Whiteli sting Samples Upload","Description":"vcredist_x86.exe whitelisted successfully."} Policy page VM Profile 15. Audit log when a new VM profile creation is initiated T02:17: :00 localhost ATD2ESM[3732]: {"Type":"Audit","MsgId":"P-VP-00-0","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"VM Profile Creation","Description":"VM is saved successfully in database and VM creation is started. VM Name: win7sp1x64"} 16. Audit log when VM profile creation is complete T02:24: :00 localhost ATD2ESM[981]: {"Type":"Audit","MsgId":"P-VP ","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"VM Profile Creation","Description":"vmcreator completed."} 17. Audit log when VM profile is modified T02:39: :00 localhost ATD2ESM[3740]: {"Type":"Audit","MsgId":"P-VP-01-0","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"VM Profile Modification","Description":"Successfully modified VM profile - win7sp1x64 in database"} 18. Audit log when VM profile is deleted T22:27: :00 ATD_2U_17 ATD2ESM[4988]: {"Type":"Audit","MsgId":"P-VP- 02-0","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"VM Profile Delete","Description":"Successfully deleted VM profile - win10p0x64_ from database."} 19. Audit log when an image is activated. Here name of the image is win10p0x64 net_4_6_2.img T23:54: :00 localhost ATD2ESM[3845]: {"Type":"Audit","MsgId":"P-VP-18-0","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"VM Profile Activate-Image","Description":"Successfully activated VM - win10p0x64 net_4_6_2"} 20. Audit log when an invalid OS name is specified for VM profile creation T20:31: :00 localhost ATD2ESM[3836]: {"Type":"Audit","MsgId":"P-VP-00-1","Result":"Failure","User":"admin","Category":"Admin","Client":" ","Action":"VM Profile Creation","Description":"Invalid OS Name - win7"} 21. Audit log when license count limit is exceeded for a VM profile. Page 23 of 94

24 T20:32: :00 localhost ATD2ESM[3840]: {"Type":"Audit","MsgId":"P-VP-00-1","Result":"Failure","User":"admin","Category":"Admin","Client":" ","Action":"VM Profile Creation","Description":"License count limit exceeded, VM Name: win7sp1x64"} 22. Audit log when an invalid license number is specified in VM profile page T20:32: :00 localhost ATD2ESM[3126]: {"Type":"Audit","MsgId":"P-VP-00-1","Result":"Failure","User":"admin","Category":"Admin","Client":" ","Action":"VM Profile Creation","Description":"Invalid Number of License, VM Name: win7sp1x64"} 23. Audit log when a specified VM profile already exists T20:36: :00 localhost ATD2ESM[3838]: {"Type":"Audit","MsgId":"P-VP-00-1","Result":"Failure","User":"admin","Category":"Admin","Client":" ","Action":"VM Profile Creation","Description":"VM profile already exists. VM Name: win7sp1x64"} 24. Audit log when VM profile creation fails T20:37: :00 localhost ATD2ESM[3854]: {"Type":"Audit","MsgId":"P-VP-00-1","Result":"Failure","User":"admin","Category":"Admin","Client":" ","Action":"VM Profile Creation","Description":"VM creation failed. VM Name: win7sp1x64"} 25. Audit log when we delete a VM profile successfully T20:51: :00 localhost ATD2ESM[3823]: {"Type":"Audit","MsgId":"P-VP-02-0","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"VM Profile Delete","Description":"Successfully deleted VM profile - win7sp1x64 from database."} 26. Audit log when we try to delete a VM profile that is being used by an analyzer profile T20:46: :00 localhost ATD2ESM[3826]: {"Type":"Audit","MsgId":"P-VP-02-1","Result":"Failure","User":"admin","Category":"Admin","Client":" ","Action":"VM Profile Delete","Description":"VM profile(win7sp1x64) is being used by analyzer profile"} 27. Audit log when we fail to delete a VM profile T20:51: :00 localhost ATD2ESM[3564]: {"Type":"Audit","MsgId":"P-VP-02-1","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"VM Profile Delete","Description":"Failed to delete VM profile - $osname from database."} 28. Audit log when we try to modify a VM profile with invalid license count T20:43: :00 localhost ATD2ESM[3546]: {"Type":"Audit","MsgId":"P-VP-01-1","Result":"Failure","User":"admin","Category":"Admin","Client":" ","Action":"VM Profile Modification","Description":"Failed to modify VM profile - win7sp1x64. Invalid Number of License."} 29. Audit log when we try to modify a VM profile with a license count that exceeds limits T20:44: :00 localhost ATD2ESM[3841]: {"Type":"Audit","MsgId":"P-VP-01-1","Result":"Failure","User":"admin","Category":"Admin","Client":" ","Action":"VM Profile Modification","Description":"Failed to modify VM profile - win7sp1x64. License count limit exceeded."} Page 24 of 94

25 30. Audit log when we try to modify a VM profile with a license count that exceeds limits T20:51: :00 localhost ATD2ESM[3823]: {"Type":"Audit","MsgId":"P-VP-02-0","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"VM Profile Delete","Description":"Successfully deleted VM profile - win7sp1x64 from database."} 31. Audit log when we try to modify a VM profile with a license count that exceeds limits T20:51: :00 localhost ATD2ESM[3843]: {"Type":"Audit","MsgId":"P-VP-02-0","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"VM Profile Delete","Description":"Successfully modified VM profile - win7sp1x64 in database."} 32. Audit logs when we fail to validate an image T02:09: :00 localhost ATD2ESM[3709]: {"Type":"Audit","MsgId":"P-VP-17-0","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"VM Profile Validate","Description":"Validating - win7sp1x64 "} T02:10: :00 localhost ATD2ESM[869]: {"Type":"Audit","MsgId":"P-VP ","Result":"Failure","User":"admin","Category":"Admin","Client":" ","Action":"VM Profile Validate","Description":"win7sp1x64 administrator: The image validation failed"} 33. Audit log when you click on the Check status hyperlink which appears when image validation is in progress T03:20: :00 localhost ATD2ESM[3731]: {"Type":"Audit","MsgId":"P-VP-19-0","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"VM Profile View-Log","Description":"Retrieving - /vedata/temp/validatewin10p0x64_redstone2_11on11.log "} 34. Audit log when image validation is successful T03:21: :00 localhost ATD2ESM[1257]: {"Type":"Audit","MsgId":"P-VP ","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"VM Profile Validate","Description":"win10p0x64_Redstone2_11on11 administrator: The image has been validated successfully"} Analyzer Profile 35. Audit log when a new analyzer profile is created. In the description, test is the name of the analyzer profile T01:37: :00 localhost ATD2ESM[3739]: {"Type":"Audit","MsgId":"P-AP-00-0","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"Analyz er Profile Creation","Description":"Analyzer Profile - test is created successfully"} 36. Audit log when an existing analyzer profile is modified. In the description, Analyzer Profile 1 is the name of the analyzer profile T01:37: :00 localhost ATD2ESM[3715]: {"Type":"Audit","MsgId":"P-AP-01-0","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"Analyz er Profile Modification","Description":"Analyzer Profile - Analyzer Profile 1 updated successfully."} 37. Audit log when an existing analyzer profile is deleted. Page 25 of 94

26 T01:38: :00 localhost ATD2ESM[3735]: {"Type":"Audit","MsgId":"P-AP-02-0","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"Analyz er Profile Delete","Description":"Analizer Profile - test deleted successfully"} Logs like the ones below are also seen when you modify an existing analyzer profile. 38. Audit log when we specify a name for an analyzer profile which has one of these characters:, &, <, > which are not allowed T21:04: :00 localhost ATD2ESM[3831]: {"Type":"Audit","MsgId":"P-AP-01-1","Result":"Failure","User":"admin","Category":"User","Client":" ","Action":"Analyzer Profile Modification","Description":"Analyzer Profile must not contain any of the following characters ' & < >"} 39. Audit log when we specify a name that already belongs to an existing analyzer profile T21:06: :00 localhost ATD2ESM[2124]: {"Type":"Audit","MsgId":"P-AP-00-1","Result":"Failure","User":"admin","Category":"Admin","Client":" ","Action":"Analyzer Profile Creation","Description":"Analyzer Profile name exists. Please select different name!"} 40. Audit log when we specify an analyzer profile name that is longer than 64 characters T21:07: :00 localhost ATD2ESM[3838]: {"Type":"Audit","MsgId":"P-AP-00-1","Result":"Failure","User":"admin","Category":"Admin","Client":" ","Action":"Analyzer Profile Creation","Description":"Maximum length of Analyzer Profile name is 64 characters"} 41. Audit log when we create an analyzer profile with none of the Analyze options in Analyzer profile page selected T21:08: :00 localhost ATD2ESM[3824]: {"Type":"Audit","MsgId":"P-AP-00-1","Result":"Failure","User":"admin","Category":"Admin","Client":" ","Action":"Analyzer Profile Creation","Description":"At least one analyze option should be selected"} 42. Audit log when we enable Automatically select OS option but don t choose a default 32 bit and 64 bit VM profile T21:41: :00 localhost ATD2ESM[3839]: {"Type":"Audit","MsgId":"P-AP-00-1","Result":"Failure","User":"admin","Category":"Admin","Client":" ","Action":"Analyzer Profile Creation","Description":"Please select default windows 32-bits and 64-bits VM Profiles"} 43. Audit log when Archive password field is blank T21:47: :00 localhost ATD2ESM[3832]: {"Type":"Audit","MsgId":"P-AP-00-1","Result":"Failure","User":"admin","Category":"Admin","Client":" ","Action":"Analyzer Profile Creation","Description":"Archive Password is blank."} 44. Audit log when Confirm password field is blank T21:46: :00 localhost ATD2ESM[3820]: {"Type":"Audit","MsgId":"P-AP-00-1","Result":"Failure","User":"admin","Category":"Admin","Client":" ","Action":"Analyzer Profile Creation","Description":"Confirm Password is blank."} 45. Audit log when Archive password and Confirm password fields mismatch. Page 26 of 94

27 T21:48: :00 localhost ATD2ESM[3819]: {"Type":"Audit","MsgId":"P-AP-00-1","Result":"Failure","User":"admin","Category":"Admin","Client":" ","Action":"Analyzer Profile Creation","Description":"Archive Password and Confirm Password are not same."} 46. Audit log when we choose a VM profile that does not exist T21:48: :00 localhost ATD2ESM[3932]: {"Type":"Audit","MsgId":"P-AP- 00-1","Result":"Failure","User":"admin","Category":"Admin","Client":" ","Action":"Analyzer Profile Creation","Description":"VM profile doesn't exist: name=win7sp1x64"} 47. Audit log when we try to delete an analyzer profile that is being used by a user T22:04: :00 localhost ATD2ESM[3842]: {"Type":"Audit","MsgId":"P-AP-02-1","Result":"Failure","User":"admin","Category":"Admin","Client":" ","Action":"Analyzer Profile Delete","Description":"Cannot delete Analyzer Profile - Analyzer Profile 1 as it is being used by user"} Manage page MATD Users 48. Audit log when a new user is created T01:29: :00 localhost ATD2ESM[3732]: {"Type":"Audit","MsgId":"M-UR-00-0","Result":"Success","User":"admin","Category":"User","Client":" ","Action":"User Management Creation","Description":"Create a new user - test with Type - STAND_ALONE and Privilege - Non-Admin"} 49. Audit log when existing user is modified. Here the user name is admin, type is STAND_ALONE (other possible values: TIE, NSP, MEG, MWG) and user privilege is Admin (other possible value: Non-Admin) T23:45: :00 localhost ATD2ESM[3737]: {"Type":"Audit","MsgId":"M-UR-01-0","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"User Management Modification","Description":"Update a user - admin with Type - STAND_ALONE and Privilege - Admin"} 50. Audit log when an existing user is deleted T01:39: :00 localhost ATD2ESM[3731]: {"Type":"Audit","MsgId":"M-UR-02-0","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"User Management Delete","Description":"Deleted user - test"} 51. Audit log when a non-admin user tries adding/deleting/modifying user profiles T22:12: :00 localhost ATD2ESM[3819]: {"Type":"Audit","MsgId":"M-WC- 08-1","Result":"Failure","User":"nsp","Category":"User","Client":" ","Action":"Manage Certificate Upload","Description":"Admin privelege is requried to perform this operation"} Similar logs as below are also seen when we update an existing user profile. 52. Audit log when we specify a user name which has colon( : ). Page 27 of 94

28 T22:15: :00 localhost ATD2ESM[3831]: {"Type":"Audit","MsgId":"M-UR-00-1","Result":"Failure","User":"admin","Category":"Admin","Client":" ","Action":"User Management Creation","Description":"Colon (:) is not allowed in username"} 53. Audit log when password is not qualified T22:16: :00 localhost ATD2ESM[3827]: {"Type":"Audit","MsgId":"M-UR-00-1","Result":"Failure","User":"admin","Category":"Admin","Client":" ","Action":"User Management Creation","Description":"Password is not qualified"} 54. Audit log when value in confirm password field does not match password T22:17: :00 localhost ATD2ESM[3830]: {"Type":"Audit","MsgId":"M-UR-00-1","Result":"Failure","User":"admin","Category":"Admin","Client":" ","Action":"User Management Creation","Description":"password doesn't match"} 55. Audit log when specified username corresponds to a user who already exists T22:20: :00 localhost ATD2ESM[3821]: {"Type":"Audit","MsgId":"M-UR-00-1","Result":"Failure","User":"admin","Category":"Admin","Client":" ","Action":"User Management Creation","Description":"Username is not available"} Date & Time 56. Audit log when a new NTP server is added and submitted T21:02: :00 localhost ATD2ESM[1663]: {"Type":"Audit","MsgId":"M-NT-01-0","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"NTP Server Setting Modification","Description":"Network Time Protocol setting was modified successfully and NTP server settings is enabled.."} 57. Audit log when an NTP server is deleted and changes are submitted T21:04: :00 localhost ATD2ESM[1679]: {"Type":"Audit","MsgId":"M-NT-01-0","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"NTP Server Setting Modification","Description":"Network Time Protocol setting was modified successfully and NTP server settings is enabled.."} 58. Audit log when Enable Network Time Protocol checkbox is disabled T21:07: :00 localhost ATD2ESM[1652]: {"Type":"Audit","MsgId":"M-NT-01-0","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"NTP Server Setting Modification","Description":"Network Time Protocol setting was modified successfully and NTP server settings is disabled.."} 59. Audit log when we manually configure date and time that will be displayed in UI, reports, log files and CLI T21:07: :00 localhost ATD2ESM[1654]: {"Type":"Audit","MsgId":"M-DT-01-0","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"DateT ime Setting Modification","Description":"Date and Time are updated from '03/23/ :09:52' to '03/23/2017 9:07:12 PM' successfully"} Page 28 of 94

29 60. Audit logs when we change the timezone T22:31: :00 localhost ATD2ESM[3824]: {"Type":"Audit","MsgId":"M-TZ-01-0","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"Timezone Setting Modification","Description":"Time-zone is changed from 'America/Los_Angeles' to 'Asia/Kolkata' successfully."} Syslog service is restarted T22:31: :00 localhost ATD2ESM[2113]: {"Type": "Audit", "MsgId": "S-SL- 01-1", "Result": "Success", "User": "admin", "category": "Admin", "Client": "localhost","action": "Syslog TLS session", "Description": "Syslog service stop"} T11:01: :30 localhost ATD2ESM[2139]: {"Type": "Audit", "MsgId": "S-SL- 01-0", "Result": "Success", "User": "admin", "category": "Admin", "Client": "localhost","action": "Syslog TLS session", "Description": "Syslog service start"} 61. Audit logs when we fail to change the timezone T22:31: :00 localhost ATD2ESM[3654]: {"Type":"Audit","MsgId":"M-TZ-01-1","Result":"Failure","User":"admin","Category":"Admin","Client":" ","Action":"Timezone Setting Modification","Description":"Time-zone update Failed."} DNS 62. Audit log when we modify DNS settings, test the connection in UI and the test is successful T21:26: :00 localhost ATD2ESM[1662]: {"Type":"Audit","MsgId":"M-DN- 03-0","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"DNS Setting Test-Connection","Description":"Test connection is successful."} 63. Audit log when we modify DNS settings, test the connection in UI and the test fails T21:27: :00 localhost ATD2ESM[1534]: {"Type":"Audit","MsgId":"M-DN- 03-1","Result":"Failure","User":"admin","Category":"Admin","Client":" ","Action":"DNS Setting Test-Connection","Description":"DNS is not configured correctly."} 64. Audit log when we modify DNS settings and submit the changes in UI T21:28: :00 localhost ATD2ESM[1665]: {"Type":"Audit","MsgId":"M-DN- 01-0","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"DNS Setting Modification","Description":"Update DNS setting: Domain - nai.org"} 65. Audit log when testing the specified Malware DNS fails T21:29: :00 localhost ATD2ESM[1654]: {"Type":"Audit","MsgId":"M-DN- 03-1","Result":"Failure","User":"admin","Category":"Admin","Client":" ","Action":"DNS Setting Test-Connection","Description":"Malware DNS is not configured correctly."} 66. Audit log when the specified Malware DNS is tested successfully T21:30: :00 localhost ATD2ESM[1435]: {"Type":"Audit","MsgId":"M-DN- 03- Page 29 of 94

30 0","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"DNS Setting Test-Connection","Description":"Test connection is successful."} 67. Audit log when Malware DNS is configured successfully from UI T21:41: :00 localhost ATD2ESM[1664]: {"Type":"Audit","MsgId":"M-DN- 01-0","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"DNS Setting Modification","Description":"Update Malware DNS IP setting: "} 68. Audit log when you specify an invalid domain T11:42: :30 localhost ATD2ESM[3832]: {"Type":"Audit","MsgId":"M-DN- 01-1","Result":"Failure","User":"admin","Category":"Admin","Client":" ","Action":"DNS Setting Modification","Description":"Invalid domain"} 69. Audit log when specified Preferred DNS Server is invalid T11:43: :30 localhost ATD2ESM[3841]: {"Type":"Audit","MsgId":"M-DN- 01-1","Result":"Failure","User":"admin","Category":"Admin","Client":" ","Action":"DNS Setting Modification","Description":"Preferred DNS Server is invalid"} 70. Audit log when specified Alternate DNS Server is invalid T11:45: :30 localhost ATD2ESM[2126]: {"Type":"Audit","MsgId":"M-DN- 01-1","Result":"Failure","User":"admin","Category":"Admin","Client":" ","Action":"DNS Setting Modification","Description":"Alternate DNS Server is invalid"} 71. Audit log when you specify same DNS server as both preferred and alternate T11:46: :30 localhost ATD2ESM[3821]: {"Type":"Audit","MsgId":"M-DN- 01-1","Result":"Failure","User":"admin","Category":"Admin","Client":" ","Action":"DNS Setting Modification","Description":"DNS addresses must be different"} 72. Audit log when you fail to submit a DNS setting T21:29: :00 localhost ATD2ESM[1312]: {"Type":"Audit","MsgId":"M-DN- 01-1","Result":"Failure","User":"admin","Category":"Admin","Client":" ","Action":"DNS Setting Modification","Description":"Data Not set"} epo Login/DXL 73. Audit log when Enable Threat Event Publisher checkbox is enabled T03:02: :00 localhost ATD2ESM[3737]: {"Type":"Audit","MsgId":"M-EP-01-0","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"ePO Login Modification","Description":"ePO settings modified successfully: epo Login is enabled, DXL setting is disabled, Threat event publisher is enabled, All threat events are sent "} 74. Audit log when Enable Threat Event Publisher checkbox is disabled T02:56: :00 localhost ATD2ESM[3722]: {"Type":"Audit","MsgId":"M-EP-01-0","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"ePO Page 30 of 94

31 Login Modification","Description":"ePO settings modified successfully: epo Login is enabled, DXL setting is disabled, Threat event publisher is disabled, "} 75. Audit log when Threat Event Severity level is changed T03:03: :00 localhost ATD2ESM[3729]: {"Type":"Audit","MsgId":"M-EP-01-0","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"ePO Login Modification","Description":"ePO settings modified successfully: epo Login is enabled, DXL setting is disabled, Threat event publisher is enabled, Malicious (medium to very high) threat events are sent "} In this case, the severity of the samples has been changed to malicious from all samples. When we choose all samples where it is malicious earlier, in that case you ll see the appropriate description. 76. Audit log when test connection fails for DXL T21:14: :00 atd-6100 ATD2ESM[3929]: {"Type":"Audit","MsgId":"M-DX-03-1","Result":"Failure","User":"admin","Category":"Admin","Client":" ","Action":"DXL Setting Test-Connection","Description":"Test to DXL Broker failed"} 77. Audit log when test connection to DXL is successful T21:14: :00 atd-6100 ATD2ESM[4102]: {"Type":"Audit","MsgId":"M-DX-03-0","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"DXL Setting Test-Connection","Description":"Test DXL connection successful"} 78. Audit log when the checkbox Enable Active Response is enabled T22:09: :00 vatd ATD2ESM[3583]: {"Type":"Audit","MsgId":"M-EP-01-0","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"ePO Login Modification","Description":"ePO settings modified successfully: epo Login is enabled, DXL and MAR settings are enabled, Threat event publisher is disabled, "} Global Settings 79. Audit log when we modify and save Global settings successfully T03:22: :00 localhost ATD2ESM[3713]: {"Type":"Audit","MsgId":"M-CC-01-0","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"Global Settings Modification","Description":"Global Settings saved successfully"} 80. Audit log when Global settings can t be saved succesfully T03:23: :00 localhost ATD2ESM[3311]: {"Type":"Audit","MsgId":"M-CC-01-1","Result":"Failure","User":"admin","Category":"Admin","Client":" ","Action":"Global Settings Modification","Description":"Invalid parameter"} LDAP 81. Audit log when we click on Test Connection and the test is successful T02:19: :00 localhost ATD2ESM[3921]: {"Type":"Audit","MsgId":"M-LD-24-0","Result":"Success","User":"admin","Category":"Admin","Client":" ","Action":"LDAP Configuration - LDAP Test Connection","Description":"LDAP Test Connection successful"} 82. Audit log when we click on Test Connection and the test fails. Page 31 of 94