McAfee Enterprise Security Manager
Authentication Content Pack Documentation
Content Pack Version: 1.2.0
ESM Version: 9.5.0
August 9, 2016
Authentication Content Pack Page 1 of 16
Contents
1 Introduction 3
2 Included Components 4
2.1 Alarms 4
2.2 Correlation Rules 4
2.3 Reports 4
2.4 Variables 4
2.5 Views 4
2.6 Watchlists 4
3 Prerequisites 5
3.1 Add data sources and forward events 5
4 Post-Installation Information and Configuration 6
5 Use Case(s) 7
5.1 Successful Host Logons 7
5.2 Failed Windows Logons 8
6 Appendix A View Details 11
1 Introduction
Device and user authentication events are among the most common events on any network. The difficulty lies in determining which logon events are legitimate and which are not. In large environments, sifting through these events to separate expected authentication activity from unexpected activity can be very challenging, yet there is considerable value in tracking them. A common misconception is that authentication events are only useful for identifying failed attempts; successful authentication events are valuable as well, since an attacker who has obtained valid credentials produces successes, not failures. The Authentication Content Pack was created to monitor successful authentication events in addition to failed ones. It covers any kind of device with a monitored authentication service, with additional views focused on specific services and protocols.
2 Included Components

2.1 Alarms
This content pack does not contain any alarms.

2.2 Correlation Rules
This content pack does not contain any correlation rules.

2.3 Reports
This content pack does not contain any reports.

2.4 Variables
This content pack does not contain any variables.

2.5 Views
The views included within the content pack were designed to assist in monitoring successful and failed authentication events from devices that have monitored authentication services. All views are located within the folder titled Authentication Content Pack Views. Upon installation, this folder appears at the root of the view dropdown list.
Administrator Logon Overview
Detailed Administrator Logons
Failed Host Logons
Failed Services Logons
Successful Host Logons
Successful Services Logons

2.6 Watchlists
This content pack does not contain any watchlists.
3 Prerequisites
Since this content pack uses normalization to populate its views, very little pre-configuration is needed.

3.1 Add data sources and forward events
In order to display authentication events within the included components, make sure that every device or host to be monitored is configured to forward its events to the McAfee ESM. For Microsoft Windows devices, configure the Windows audit policy to audit the desired logon events (both success and failure, since the content pack has views for each) in addition to adding the applicable Windows data sources; without an audit policy the host generates no logon events to forward.
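The Windows side of this prerequisite, as an added example that is not from McAfee or the content pack: enabling the advanced audit subcategories with auditpol on a monitored host. The subcategory list and the Security log size are assumptions for a typical member server; where a domain Group Policy configures Advanced Audit Policy, it takes precedence over these local settings.

```powershell
# Added example (not from the McAfee content pack or its documentation): enable
# the advanced audit subcategories that produce the Windows logon events the
# views rely on. Run in an elevated PowerShell session on the monitored host; in
# a domain, the equivalent settings live in Group Policy under Advanced Audit
# Policy Configuration and override what is set here on the next policy refresh.

# Subcategory -> the event IDs it emits (Windows Vista/Server 2008 and later):
#   Logon                              4624 success, 4625 failure, 4648 explicit credentials
#   Logoff                             4634, 4647
#   Credential Validation              4776 (NTLM), on the host or DC that validates
#   Kerberos Authentication Service    4768, 4771 (domain controllers only)
#   Kerberos Service Ticket Operations 4769 (domain controllers only)
$Subcategories = @(
    'Logon',
    'Logoff',
    'Credential Validation',
    'Kerberos Authentication Service',
    'Kerberos Service Ticket Operations'
)

foreach ($sub in $Subcategories) {
    # Both outcomes are enabled because the content pack has views for
    # successful as well as failed logons.
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol failed for subcategory '$sub'" }
}

# Confirm the effective policy for the two categories these subcategories belong to.
foreach ($cat in 'Logon/Logoff', 'Account Logon') {
    auditpol.exe /get /category:"$cat"
}

# Make the Security log large enough that events reach the ESM before the log
# wraps (assumed size: 256 MB; tune to the host's event rate).
wevtutil.exe sl Security /ms:268435456
```

After the policy is in place, a deliberate bad password at the console of the host should appear in the Failed Host Logons view within the data source's collection interval; if it does not, check the data source configuration before suspecting the audit policy.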
4 Post-Installation Information and Configuration
There are no additional steps necessary to perform to begin using this content pack.
5 Use Case(s)
The following use cases show how the components provided in this content pack may be used. One use case each for successful and for failed authentication events is shown in the sections that follow.

5.1 Successful Host Logons
The first use case looks at abnormal or otherwise interesting successful logon activity. Several views can be useful depending on the type of event being analyzed; in this example, the Successful Host Logons view is examined. In image 5.1.1, the first pane lists rule messages, one per event category, with the ability to filter down to the individual corresponding events. In this case, the message A logon was attempted using explicit credentials is examined. This message typically indicates that a user connected to another device using alternate credentials (on Windows, for example, credentials supplied to runas or when mapping a share as a different user). Selecting the rule message shows that it has appeared on several different devices/hosts. In this example, ubuntu-server has been selected, revealing the source user frank. This particular event occurred within the mcafee-intel domain, and the matching events are listed at the bottom of the view.

Image 5.1.1

From here, the details option has been selected within the Events From Devices pane. This is shown below in image 5.1.2.
Image 5.1.2

The Details tab provides more insight into these events. In image 5.1.2, while the source user is frank, the destination user is root. This appears to show a Windows user, logged in as frank, authenticating to an Ubuntu server as root. Note that the Windows-side event records that alternate credentials were supplied from that host; the server's own authentication log is the record of whether the logon was accepted there, so both should be checked before treating the access as confirmed. A bit more information is available on the Custom Types tab.

Image 5.1.3

Image 5.1.3 shows the Source_Logon_ID assigned by the Windows operating system, which can be used to correlate this event with other events from the same logon session if needed.

5.2 Failed Windows Logons
The second use case focuses on failed logon events. The Failed Host Logons view presents a pane that lists rule messages relating to failed host logons. Different event categories can be looked through, with the ability to drill down to the individual corresponding events. In this case, the message Bad Username or Password is examined.
Image 5.2.1

In image 5.2.1, several failed logon messages appear in the first pane. After selecting Bad Username or Password, the devices and source users relating to that message are filtered in the panes below. In this case, the events have all occurred on a host named xp-box, and the users on that host are listed in the next pane to the right. When a user is selected, the domain(s) are listed to the side and the events below. Once the events have been filtered, more information can be viewed by selecting the details option within the events window, shown in image 5.2.2.

Image 5.2.2

The first and last time, the Signature ID, and the Normalized ID of the event are shown. More information can be seen within the other tabs, such as the Custom Types tab, shown in image 5.2.3.
Image 5.2.3

The image above shows a Logon_Type of 2, the value Windows assigns to an interactive logon, indicating that this was a failed logon attempt at the console of the host rather than over the network (type 3) or via Remote Desktop (type 10). With this information, the events can be investigated further, for example by checking whether the same source user fails against several hosts, or whether a run of failures is followed by a success for the same account.
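The Windows events behind both use cases, as an added example that is not part of the content pack or its documentation: a decoder for the raw Security events 4648 (a logon attempted using explicit credentials) and 4625 (a failed logon), which the two rule messages above correspond to on Vista-and-later hosts. The two sample events are constructed for this example; the user names frank and root and the host names ubuntu-server, mcafee-intel and xp-box follow the document, while the client name win-client, the logon IDs and the timestamps are made up.

```powershell
# Added example, not part of the McAfee ESM content pack or its documentation.
# Decodes the raw Windows Security events behind the two use cases, 4648 (logon
# attempted with explicit credentials) and 4625 (failed logon), including the
# Logon Type and failure sub-status that ESM surfaces on the Custom Types tab.
# Both sample events are constructed; frank, root, ubuntu-server, mcafee-intel
# and xp-box follow the document, the client name, IDs and timestamps are made up.

$LogonTypeNames = @{
    '2' = 'Interactive (console)'; '3' = 'Network'; '4' = 'Batch'; '5' = 'Service'
    '7' = 'Unlock'; '8' = 'NetworkCleartext'; '9' = 'NewCredentials'
    '10' = 'RemoteInteractive (RDP)'; '11' = 'CachedInteractive'
}
# NTSTATUS sub-status of a 4625: separates a bad user name from a bad password
# behind a single "bad username or password" message.
$SubStatusNames = @{
    '0xc0000064' = 'user name does not exist'; '0xc000006a' = 'wrong password'
    '0xc0000072' = 'account disabled';         '0xc0000234' = 'account locked out'
    '0xc000006f' = 'outside permitted hours';  '0xc0000070' = 'unauthorized workstation'
    '0xc0000071' = 'password expired';         '0xc0000193' = 'account expired'
}

function ConvertFrom-SecurityEventXml {
    # Flattens the XML of one Security event (Get-WinEvent's .ToXml() output)
    # into the fields the use cases pivot on.
    param([Parameter(Mandatory)][string]$Xml)

    $ev = ([xml]$Xml).Event
    $id = $ev.System.EventID
    if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }   # EventID may carry attributes
    $data = @{}
    foreach ($d in $ev.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $out = [ordered]@{
        EventId       = [int]$id
        Time          = $ev.System.TimeCreated.SystemTime
        Computer      = $ev.System.Computer
        Kind          = $null
        SourceUser    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        SourceLogonId = $data['SubjectLogonId']          # ESM: Source_Logon_ID
        TargetUser    = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        TargetHost    = $null
        LogonType     = $null
        Outcome       = $null
    }
    switch ([int]$id) {
        4648 {
            $out['Kind']       = 'Explicit credentials'
            $out['TargetHost'] = $data['TargetServerName']
            # 4648 records that alternate credentials were supplied on this host;
            # whether the remote system accepted them is in that system's log.
            $out['Outcome']    = 'Credentials supplied'
        }
        4625 {
            $out['Kind']       = 'Failed logon'
            $out['TargetHost'] = $data['WorkstationName']
            $out['LogonType']  = $LogonTypeNames[$data['LogonType']]
            $sub  = ([string]$data['SubStatus']).ToLower()
            $name = $SubStatusNames[$sub]
            if (-not $name) { $name = 'unknown sub-status' }
            $out['Outcome']    = "Failure: $name ($sub)"
        }
        default { $out['Kind'] = "Event $id (not decoded)" }
    }
    [pscustomobject]$out
}

# Constructed sample: frank, on a Windows client, supplies root's credentials for ubuntu-server.
$Sample4648 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4648</EventID>
    <TimeCreated SystemTime="2016-08-01T13:02:11.000Z"/><Computer>win-client.mcafee-intel</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">frank</Data><Data Name="SubjectDomainName">MCAFEE-INTEL</Data>
    <Data Name="SubjectLogonId">0x3e7a1</Data>
    <Data Name="TargetUserName">root</Data><Data Name="TargetDomainName">ubuntu-server</Data>
    <Data Name="TargetServerName">ubuntu-server</Data><Data Name="ProcessName">C:\Windows\System32\cmd.exe</Data>
  </EventData>
</Event>
'@
# Constructed sample: a wrong password typed at the console of xp-box.
$Sample4625 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4625</EventID>
    <TimeCreated SystemTime="2016-08-01T13:05:40.000Z"/><Computer>xp-box.mcafee-intel</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">XP-BOX$</Data><Data Name="SubjectDomainName">MCAFEE-INTEL</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserName">administrator</Data><Data Name="TargetDomainName">XP-BOX</Data>
    <Data Name="Status">0xc000006d</Data><Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">2</Data><Data Name="WorkstationName">XP-BOX</Data>
  </EventData>
</Event>
'@

function Get-LogonActivity {
    # Decodes a batch of event XML strings, oldest first.
    param([Parameter(Mandatory)][string[]]$EventXml)
    $EventXml | ForEach-Object { ConvertFrom-SecurityEventXml -Xml $_ } | Sort-Object Time
}

# Against the live log instead of the samples (needs rights to read the Security log):
# $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4648 } -MaxEvents 500 |
#        ForEach-Object { $_.ToXml() }
Get-LogonActivity -EventXml @($Sample4648, $Sample4625) |
    Format-Table EventId, Kind, Computer, SourceUser, SourceLogonId, TargetUser, TargetHost, LogonType, Outcome -AutoSize
```

Two points the decoded output makes visible. For the console failure (Logon Type 2) the Subject is the host's own SYSTEM session (Logon ID 0x3e7, because Winlogon requests the logon), so Source_Logon_ID does not identify the person at the keyboard; the pivot is the target user together with the workstation name. For the explicit-credentials event the Subject logon ID is frank's interactive session, so the 4624 that created that session and, where process auditing is enabled, the 4688 process-creation events share it and can be pulled together by that one value.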
6 Appendix A View Details

6.1 Administrator Logon Overview
This view filters on any event that is normalized as Admin Login or Database Admin Login with an event subtype of Success, Trusted, or Pass. The top half of the view starts with the devices that are reporting an administrator logon; once a device is selected, the source users filter on the right. A distribution graph indicates spikes and drops in activity. The bottom half of the view filters on domains, to help narrow down devices within a domain.

Image 6.1.1
6.2 Detailed Administrator Logons
This view filters on any event that is normalized as Admin Login or Database Admin Login with an event subtype of Success, Trusted, or Pass. It uses the same filters as the Administrator Logon Overview but focuses on the source user. As familiarity with the network grows, names and patterns that indicate abnormal behavior (an administrator account used from an unfamiliar device or outside its usual hours, for example) should become noticeable. A graph is included to help indicate spikes and drops in activity.

Image 6.2.1
6.3 Failed Host Logons
This view is filtered for any event that is normalized as Host Login, Domain Login, Remote Access Login, or Network Login and has an event subtype of Failure, Reject, Denied, or Untrusted. The first section displays the messages related to logon failures. When a message is selected, the devices are filtered, followed by the source user. Domains, if applicable, are displayed beneath the distribution graph.

Image 6.3.1

6.4 Failed Services Logons
This view is filtered for any event that is normalized as Mail Login, Misc Login, Samba Login, Telnet Login, SSH Login, Identity Management Login, FTP Login, Web Login, Share Login, Database Login, or VoIP Login and has an event subtype of Failure, Reject, Denied, or Untrusted. The first section displays the messages related to logon failures. When a message is selected, the devices are filtered, followed by the source user. Domains, if applicable, are displayed beneath the distribution graph.

Image 6.4.1

6.5 Successful Host Logons
This view is filtered for any event that is normalized as Host Login, Domain Login, Remote Access Login, or Network Login and has an event subtype of Success, Pass, or Trusted. The first section displays the messages related to successful logons. When a message is selected, the devices are filtered, followed by the source user. Domains, if applicable, are displayed beneath the distribution graph.

Image 6.5.1

6.6 Successful Services Logons
This view is filtered for any event that is normalized as Mail Login, Misc Login, Samba Login, Telnet Login, SSH Login, Identity Management Login, FTP Login, Web Login, Share Login, Database Login, or VoIP Login and has an event subtype of Success, Pass, or Trusted. The first section displays the messages related to successful service logons. When a message is selected, the devices are filtered, followed by the source user. Domains, if applicable, are displayed beneath the distribution graph.

Image 6.6.1