McAfee Enterprise Security Manager. Authentication Content Pack Documentation


McAfee Enterprise Security Manager
Authentication Content Pack Documentation
Content Pack Version: 1.2.0
ESM Version: 9.5.0
August 9, 2016
Authentication Content Pack Page 1 of 16

Contents
1 Introduction ..... 3
2 Included Components ..... 4
2.1 Alarms ..... 4
2.2 Correlation Rules ..... 4
2.3 Reports ..... 4
2.4 Variables ..... 4
2.5 Views ..... 4
2.6 Watchlists ..... 4
3 Prerequisites ..... 5
3.1 Add data sources and forward events ..... 5
4 Post-Installation Information and Configuration ..... 6
5 Use Case(s) ..... 7
5.1 Successful Host Logons ..... 7
5.2 Failed Windows Logons ..... 8
6 Appendix A View Details ..... 11

1 Introduction
Some of the most common events on a network are device and user authentication events. The difficulty lies in determining which logon events are legitimate and which are unwelcome. In large environments, sifting through these events to separate welcome authentication events from unwelcome ones can become very challenging. There is a lot of value in keeping track of them. A common misconception is that authentication events are only useful for identifying failed attempts; keeping track of successful authentication events holds value as well. The Authentication Content Pack was created to monitor successful authentication events in addition to failed ones. It covers any kind of device that has monitored authentication services, as well as specific services and protocols.

2 Included Components
2.1 Alarms
This content pack does not contain any alarms.
2.2 Correlation Rules
This content pack does not contain any correlation rules.
2.3 Reports
This content pack does not contain any reports.
2.4 Variables
This content pack does not contain any variables.
2.5 Views
The views included in the content pack were designed to assist in monitoring successful and failed authentication events from devices that have monitored authentication services. All views are located in the folder titled Authentication Content Pack Views. Upon installation, this folder appears at the root of the view dropdown list.
Administrator Logon Overview
Detailed Administrator Logons
Failed Host Logons
Failed Services Logons
Successful Host Logons
Successful Services Logons
2.6 Watchlists
This content pack does not contain any watchlists.

3 Prerequisites
Since this content pack uses normalization to populate its views, very little pre-configuration is needed.
3.1 Add data sources and forward events
To display authentication events in the included components, make sure that every device or host to be monitored is configured to forward its events to the McAfee ESM. For Microsoft Windows devices, configure the Windows Audit Policy to audit the desired logon events in addition to adding the applicable Windows data sources.

4 Post-Installation Information and Configuration
There are no additional steps necessary to perform before using this content pack.

5 Use Case(s)
The following use cases walk through examples of how the components provided in this content pack may be used. One use case for successful and one for failed authentication events are shown in the sections that follow.
5.1 Successful Host Logons
The first use case shows how to view abnormal or interesting successful logon activity. Several views can be useful depending on the type of events being analyzed; in this example, the Successful Host Logons view is examined. In image 5.1.1, the first window displays a list of rule messages. The different event categories are shown, with the ability to filter down to the individual corresponding events. In this case, the message A logon was attempted using explicit credentials is examined. This message typically indicates that a user has connected to another device using alternate credentials. The view displays more details about this event: selecting the rule message shows that it has appeared on several different devices/hosts. In this example, ubuntu-server has been selected, revealing a source user frank. This particular event was within the mcafee-intel domain, and the events are shown at the bottom of the view.
Image 5.1.1
From here, the details option has been selected within the Events From Devices pane. This is shown below in image 5.1.2.

Image 5.1.2
The Details tab provides a little more insight into these events. In image 5.1.2, it can be seen that while the source user is frank, the destination user is root. This appears to be an event where a Windows user, logged in as frank, successfully logged into an Ubuntu server as root. A bit more information can be obtained by looking at the Custom Types tab next.
Image 5.1.3
Image 5.1.3 shows the Source_Logon_ID assigned by the Windows operating system, which can be helpful for correlating other events if needed.
5.2 Failed Windows Logons
The second use case focuses on failed logon events. The Failed Host Logons view presents a window that displays a list of rule messages relating to failed host logons. Here, the different event categories can be looked through, with the ability to drill down to the individual corresponding events. In this case, the message Bad Username or Password is examined.

Image 5.2.1
Looking at image 5.2.1, several failed logon events appear in the first pane. After selecting Bad Username or Password, the devices and source users relating to that message are filtered below. In this case, these events have all occurred on a host named xp-box, and the users on that host are listed in the next pane to the right. When a user is selected, the domain(s) are listed to the side and the events below. Once the events have been filtered, more information can be viewed by selecting the details option within the events window. In image 5.2.2, below, the event details can be viewed.
Image 5.2.2
The first and last time, the Signature ID, and the Normalized ID of the event are shown. More information can be seen in the other tabs, such as the Custom Types tab shown in image 5.2.3.

Image 5.2.3
The image above shows a Logon_Type of 2, indicating that this was a failed logon attempt at the console of a host. With this information, you are now able to investigate the events further.
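The triage the two use cases perform by hand (the frank-to-root credential switch, the Bad Username or Password counts on xp-box, and pivoting on Source_Logon_ID) written as an added Python example; this is not McAfee's code, and the event field names, the sample events and the "Interactive logon" message are constructed assumptions, not ESM's schema or output.

```python
from collections import defaultdict

EXPLICIT = "A logon was attempted using explicit credentials"
BAD_CREDS = "Bad Username or Password"
# 2 = console logon (as on the page); 3 and 10 are Microsoft's documented network and remote-interactive types.
LOGON_TYPES = {2: "console", 3: "network", 10: "remote interactive"}

# Constructed sample events (not real ESM output; field names are assumptions).
EVENTS = [
    {"device": "ubuntu-server", "domain": "mcafee-intel", "src_user": "frank",
     "dst_user": "root", "message": EXPLICIT, "subtype": "Success",
     "source_logon_id": "0x3e7a1"},
    {"device": "ubuntu-server", "domain": "mcafee-intel", "src_user": "alice",
     "dst_user": "alice", "message": EXPLICIT, "subtype": "Success",
     "source_logon_id": "0x4b220"},
    # frank's own console logon carries the same Source_Logon_ID as his switch
    {"device": "frank-pc", "domain": "mcafee-intel", "src_user": "frank",
     "dst_user": "frank", "message": "Interactive logon", "subtype": "Success",
     "logon_type": 2, "source_logon_id": "0x3e7a1"},
    {"device": "xp-box", "domain": "mcafee-intel", "src_user": "bob",
     "dst_user": "bob", "message": BAD_CREDS, "subtype": "Failure", "logon_type": 2},
    {"device": "xp-box", "domain": "mcafee-intel", "src_user": "bob",
     "dst_user": "bob", "message": BAD_CREDS, "subtype": "Failure", "logon_type": 2},
    {"device": "xp-box", "domain": "mcafee-intel", "src_user": "carol",
     "dst_user": "carol", "message": BAD_CREDS, "subtype": "Failure", "logon_type": 3},
]

def explicit_credential_switches(events):
    """Use case 5.1: explicit-credential logons whose destination user differs from the source user."""
    return [(e["device"], e["src_user"], e["dst_user"]) for e in events
            if e["message"] == EXPLICIT and e["subtype"] == "Success"
            and e["src_user"] != e["dst_user"]]

def failed_logons_by_host(events):
    """Use case 5.2: Bad Username or Password counts per host, user and logon type."""
    counts = defaultdict(int)
    for e in events:
        if e["message"] == BAD_CREDS:
            kind = LOGON_TYPES.get(e.get("logon_type"), "other")
            counts[(e["device"], e["src_user"], kind)] += 1
    return dict(counts)

def by_source_logon_id(events):
    """Group events sharing a Source_Logon_ID (image 5.1.3) to pull related session events together."""
    groups = defaultdict(list)
    for e in events:
        if e.get("source_logon_id"):
            groups[e["source_logon_id"]].append((e["device"], e["message"]))
    return dict(groups)
```

Events without a Logon_Type fall into the "other" bucket rather than being dropped, so a missing custom type is visible in the counts instead of silently hiding a host.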

6 Appendix A View Details
6.1 Administrator Logon Overview
This view filters on any event that is normalized as Admin Login or Database Admin Login with an event subtype of Success, Trusted, or Pass. The top half of the view starts with any devices that show an administrator logon. Once a device is selected, the source users are filtered on the right. A distribution graph is provided to indicate spikes and drops in activity. The bottom half of this view filters on domains to help narrow down devices within a domain.
Image 6.1.1

6.2 Detailed Administrator Logons
This view filters on any event that is normalized as Admin Login or Database Admin Login with an event subtype of Success, Trusted, or Pass. It has the same filters as the Administrator Logon Overview but focuses on the source user. As familiarity with the network is gained, names and patterns that indicate abnormal behavior should become noticeable. A graph has been included to help indicate spikes and drops in activity.
Image 6.2.1

6.3 Failed Host Logons
This view is filtered for any event that is normalized as Host Login, Domain Login, Remote Access Login, or Network Login that has an event subtype of Failure, Reject, Denied, or Untrusted. The first section displays events related to logon failures. When a message is selected, the devices will be filtered, followed by the source user. Domains, if applicable, will be displayed beneath the distribution graph.
Image 6.3.1

6.4 Failed Services Logons
This view is filtered for any event that is normalized as Mail Login, Misc Login, Samba Login, Telnet Login, SSH Login, Identity Management Login, FTP Login, Web Login, Share Login, Database Login, or VoIP Login that has an event subtype of Failure, Reject, Denied, or Untrusted. The first section displays events related to logon failures. When a message is selected, the devices will be filtered, followed by the source user. If applicable, domains will be displayed beneath the distribution graph.
Image 6.4.1

6.5 Successful Host Logons
This view is filtered for any event that is normalized as Host Login, Domain Login, Remote Access Login, or Network Login that has an event subtype of Success, Pass, or Trusted. The first section displays events related to successful logons. When a message is selected, the devices will be filtered, followed by the source user. Domains, if applicable, will be displayed beneath the distribution graph.
Image 6.5.1

6.6 Successful Services Logons
This view is filtered for any event that is normalized as Mail Login, Misc Login, Samba Login, Telnet Login, SSH Login, Identity Management Login, FTP Login, Web Login, Share Login, Database Login, or VoIP Login that has an event subtype of Success, Pass, or Trusted. The first section displays events related to successful service logons. When a message is selected, the devices will be filtered, followed by the source user. Domains, if applicable, will be displayed beneath the distribution graph.
Image 6.6.1
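The six view filters of sections 6.1 through 6.6 expressed as data, with the device, source user and domain drill-down the views perform, as an added Python example; this is not McAfee's code, and the event field names and sample events are constructed assumptions rather than ESM's schema.

```python
from collections import defaultdict

HOST = {"Host Login", "Domain Login", "Remote Access Login", "Network Login"}
SERVICE = {"Mail Login", "Misc Login", "Samba Login", "Telnet Login", "SSH Login",
           "Identity Management Login", "FTP Login", "Web Login", "Share Login",
           "Database Login", "VoIP Login"}
ADMIN = {"Admin Login", "Database Admin Login"}
OK = {"Success", "Pass", "Trusted"}
FAIL = {"Failure", "Reject", "Denied", "Untrusted"}

# (view name, normalization categories, event subtypes) exactly as listed in 6.1-6.6
VIEWS = [
    ("Administrator Logon Overview", ADMIN, OK),
    ("Detailed Administrator Logons", ADMIN, OK),
    ("Failed Host Logons", HOST, FAIL),
    ("Failed Services Logons", SERVICE, FAIL),
    ("Successful Host Logons", HOST, OK),
    ("Successful Services Logons", SERVICE, OK),
]

def views_for(event):
    """Return the names of every view whose filter the event satisfies."""
    return [name for name, cats, subs in VIEWS
            if event["normalized"] in cats and event["subtype"] in subs]

def drill_down(events, view):
    """Reproduce the view's panes: device -> source user -> domain -> event count."""
    tree = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for e in events:
        if view in views_for(e):
            tree[e["device"]][e["src_user"]][e["domain"]] += 1
    return {d: {u: dict(doms) for u, doms in users.items()} for d, users in tree.items()}

# Constructed sample events (field names are assumptions, not the ESM schema).
SAMPLE = [
    {"normalized": "SSH Login", "subtype": "Failure", "device": "ubuntu-server", "src_user": "frank", "domain": "mcafee-intel"},
    {"normalized": "Host Login", "subtype": "Failure", "device": "xp-box", "src_user": "bob", "domain": "mcafee-intel"},
    {"normalized": "Host Login", "subtype": "Failure", "device": "xp-box", "src_user": "bob", "domain": "mcafee-intel"},
    {"normalized": "Admin Login", "subtype": "Trusted", "device": "dc01", "src_user": "admin", "domain": "mcafee-intel"},
    {"normalized": "Web Login", "subtype": "Success", "device": "intranet", "src_user": "carol", "domain": "mcafee-intel"},
    {"normalized": "Host Login", "subtype": "Unknown", "device": "xp-box", "src_user": "bob", "domain": "mcafee-intel"},
]
```

The last sample event lands in no view at all: an event whose data source normalizes to a subtype outside the listed sets is silently absent from every pane, which is worth checking for each data source before relying on these views.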