Symantec Information Centric Analytics Symantec ICT Integration Guide Version 6.5
Symantec ICA Symantec ICT Integration Guide, powered by Bay Dynamics
Product version 6.5
Documentation version: 1
This document was last updated on: July 3, 2018.

Copyright 2018 Symantec Corporation. All rights reserved.

BAY DYNAMICS is a registered trademark of Bay Dynamics, Inc. Other names may be trademarks of their respective owners. Symantec, the Symantec Logo, the Checkmark Logo, Enterprise Vault, Compliance Accelerator, and Discovery Accelerator are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party ("Third Party Programs"). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Software file accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation, 350 Ellis Street, Mountain View, CA 94043
http://www.symantec.com
Contents

Preface ... 6
    Related Documentation ... 6
    Style Conventions ... 6
Chapter 1: Overview of Symantec ICT Integration Pack ... 8
Chapter 2: Using the Integration Wizard ... 10
    Task 1: Configuring a Data Source ... 11
    Task 2: Creating a Query ... 12
    Task 3: Creating a Data Integration ... 16
    Task 4: Processing the Query Data ... 16
Appendix A: Integration Wizard Mappings for Symantec ICT Data ... 18
    Required Symantec ICT Fields ... 18
    Optional Symantec ICT Fields ... 18
    Create and Associate Symantec ICT Fields ... 19
Preface

This guide is for Symantec ICA administrators. It provides guidance about how to install and configure the Symantec ICT integration pack.

Related Documentation

The following books provide additional information about Symantec ICA:
    Symantec ICA User Guide
    Symantec ICA Administration Guide
    Symantec ICA Dashboard Designer Guide
    Symantec ICA Integration Guide
    Symantec ICA Cube Reference
    Symantec ICA Release Notes
    Symantec ICA integration guides

Style Conventions

This guide uses the following style conventions:

    Element            Meaning
    Bold               Signifies user interface elements.
    Italic             Indicates the titles of books and other substantial publications, or a placeholder variable.
    Monospace Italic   Indicates placeholder sets that represent variables in code examples.
    Monospace          Defines code and script samples, and characters typed exactly as shown, including commands, switches, and file names.
    NOTE               Alerts the reader to supplementary information.
Chapter 1: Overview of Symantec ICT Integration Pack

The Symantec ICA Symantec ICT integration pack pulls the Symantec ICT data directly from the relational database. Symantec ICA uses the data to update the relevant data-in-motion incident data in the core logical data warehouse (LDW).

NOTE: In this document, the relational database is a Microsoft SQL Server database.

The following process describes how the Symantec ICT data stored in the relational database server is transferred to the Symantec ICA database:

1. The Symantec ICT data is collected in the Microsoft SQL Server database.
2. The Symantec ICA integration wizard queries data from the Microsoft SQL Server server using a client connection.
3. The integration wizard parses the data, and inserts it into the appropriate tables in the Symantec ICA relational database.
4. Symantec ICA uses the data as its source for data-in-motion incident analysis.
Chapter 2: Using the Integration Wizard

Symantec ICA pulls Symantec ICT data by connecting directly to the Microsoft SQL Server instance in order to extract, incorporate, and federate the data within Symantec ICA. This one-way pull allows the Symantec ICT data to be used together with the data already collected by the Symantec ICA platform, providing additional context for advanced reporting and behavior analytics. This integration is a critical component for realizing the benefit of Symantec ICA for management and bulk remediation of user incidents, as well as for highlighting prioritized events and top offenders in your environment.

Administrators use the Symantec ICA integration wizard to define integration packs for their environment. The wizard has one section for data sources, and one section for data integration mappings. The data source section defines how data is brought to Symantec ICA and loaded in a staging table. The data integrations section defines how the data is mapped from the staging table to a Symantec ICA logical data warehouse (LDW) table. There are tasks associated with each section, and all tasks must be completed to define an integration pack.

The following tasks describe how to use the integration wizard:
    Task 1: Configuring a Data Source
    Task 2: Creating a Query
    Task 3: Creating a Data Integration
    Task 4: Processing the Query Data

The following information should be collected before using the integration wizard:
    Microsoft SQL Server name: Name of the server.
    Microsoft SQL Server database name: Name of the database that has the data.
    Server port: HTTP port for Microsoft SQL Server. The default port is 1433 for Microsoft SQL Server.
    User name: User name to connect to Microsoft SQL Server.
    Password: Password associated with the user connecting to Microsoft SQL Server.
    API Server: Name of the SQL Server API server.
    API Port: API port for SQL Server.
    Proxy: HTTP connection proxy, if one is used in the environment.
    API Login: Login name for the SQL Server API connection.
    API Password: Password associated with the user connecting to Microsoft SQL Server.

Task 1: Configuring a Data Source

A data source is a database or API source that can connect to the Symantec ICA database. Configuring a data source involves first identifying the source, and then writing a query to pull data. A data source can be associated with more than one query; however, a query can only be related to one data source.

When designing the query for the data source, do the following:
    Ensure the query compiles and runs against the data source.
    Cast the data types as follows:
        Integer data types to the int data type, for example:
            SELECT CAST (EP.EPEventID as int) as SourceEventID
        NVARCHAR data types to the NVARCHAR data type, for example:
            SELECT CAST (DIP.Name as nvarchar(100)) as DestinationIPAddress
        DATETIME data types to a date type, for example:
            SELECT CAST (EP.EventDate as datetime) as EventDate
    Include a date and an event identifier in the query.

To configure the data source for an integration pack, do the following:
1. Ensure that the server name, database name, port, login name, and password for the data source are available.
2. Ensure that the query that will run on the data source is available, and returns the correct results.
3. In the Symantec ICA administration console, select Integration, and then select Data Sources.
4. Click Create Data Source.
5. Select SQL Server IW.
6. Enter the data source label. The data source label is displayed in the integration wizard. It does not affect the data integration.
7. Enter the following information based on the SQL Server source:
    Server Name: Name of the Microsoft SQL Server.
    SQL Database Name: Name of the Microsoft SQL Server database that has the source data.
    Server Port: HTTP port, if different from the default port of 1433.
    Authentication mode: Options are Windows/Active Directory and User/Pass. If User/Pass is selected, then enter the following:
        Username: User name for the Microsoft SQL Server connection.
        Password: Password for the Microsoft SQL Server user.
8. Click Save to save the data source.

Task 2: Creating a Query

To create a query to pull data from a Microsoft SQL Server table, do the following:
1. Right-click the data source, and select Create Query.
2. Enter the query name and description.
3. Enter the query statement. The following is an example of a Symantec ICT query:

    WITH EmailAtt AS (
        SELECT EmailAttachments.emailatt_fileName,
               EmailAttachments.emailatt_id,
               EmailAttachments.emailatt_guid,
               EmailAttachments.classification_id,
               EmailLogs_EmailAttachments.emaillog_id
        FROM EmailLogs_EmailAttachments
        INNER JOIN EmailAttachments
            ON EmailAttachments.emailatt_id = EmailLogs_EmailAttachments.emailatt_id
        LEFT JOIN Classifications
            ON EmailAttachments.classification_id = Classifications.classification_id
    ),
    EmailRecipientList AS (
        -- TO, CC and BCC recipients, one row per recipient address
        SELECT EmailLogs.emaillog_id, EmailAddresses_TO.emailaddr_address as RecipientIdentifier
        FROM EmailToAddresses
        INNER JOIN EmailLogs
            ON EmailToAddresses.emaillog_id = EmailLogs.emaillog_id
        INNER JOIN EmailAddresses EmailAddresses_TO
            ON EmailAddresses_TO.emailaddr_id = EmailToAddresses.emailaddr_id
        UNION ALL
        SELECT EmailLogs.emaillog_id, EmailAddresses.emailaddr_address as RecipientIdentifier
        FROM EmailLogs
        INNER JOIN EmailCcAddresses
            ON EmailCcAddresses.emaillog_id = EmailLogs.emaillog_id
        INNER JOIN EmailAddresses EmailAddresses
            ON EmailAddresses.emailaddr_id = EmailCcAddresses.emailaddr_id
        UNION ALL
        SELECT EmailLogs.emaillog_id, EmailAddresses.emailaddr_address as RecipientIdentifier
        FROM EmailLogs
        INNER JOIN EmailBCcAddresses
            ON EmailBCcAddresses.emaillog_id = EmailLogs.emaillog_id
        INNER JOIN EmailAddresses EmailAddresses
            ON EmailAddresses.emailaddr_id = EmailBCcAddresses.emailaddr_id
    )
    SELECT DISTINCT
        LogEntries.logentry_id as SourceIncidentID,
        LogEntries.logentry_clientDate as OccurredDate,
        LogEntries.logentry_serverDate as IncidentDate,
        EmailLogs.logentry_id as SourceAuditLogID,
        EmailLogs.emaillog_subject as MessageSubject,
        EmailLogs.emaillog_fromAddress as SenderEmailAddress,
        EmailLogs.emaillog_fromAddress as SenderAccountName,
        EmailRecipientList.RecipientIdentifier as RecipientEmailList,
        EmailLogs.classification_id as SourcePolicyID,
        EmailLogs.classification_id as SourceRuleID,
        EmailLogs.prev_classification_id as PreviousSourcePolicyID,
        Plugins.plugin_id as SourceAgentTypeID,
        Plugins.plugin_name as AgentType,
        (convert(nvarchar(20), PluginVersions.pluginversion_major) + '.'
         + convert(nvarchar(20), PluginVersions.pluginversion_minor) + '.'
         + convert(nvarchar(20), PluginVersions.pluginversion_subminor)) as AgentVersion,
        Classifications.classification_fullName as SourcePolicyName,
        Classifications.classification_fullName as SourceRuleName,
        Classifications.classification_configID as SourcePolicyVersionID,
        Classifications.classification_confOrder as SourceSeverityID,
        Classifications.classification_levelName as SeverityName,
        AppliedRules.ruletype_id as SourceActionID,
        AppliedRuleTypes.ruletype_description as SourceActionName,
        EmailAtt.emailatt_fileName as [FileName],
        EmailAtt.emailatt_id as FileID,
        EmailAtt.emailatt_guid as SourceFileGuid,
        'SMTP' as ProtocolName,
        'Tagging' as ChannelName,
        1 as MatchCount,
        'New' as StatusName
    FROM EmailLogs
    INNER JOIN EmailRecipientList
        ON EmailRecipientList.emaillog_id = EmailLogs.emaillog_id
    INNER JOIN LogEntries
        ON LogEntries.logentry_id = EmailLogs.logentry_id
    INNER JOIN Plugins
        ON Plugins.plugin_id = LogEntries.plugin_id
    INNER JOIN PluginVersions
        ON PluginVersions.pluginversion_id = LogEntries.pluginversion_id
    LEFT JOIN EmailCcAddresses
        ON EmailCcAddresses.emaillog_id = EmailLogs.emaillog_id
    LEFT JOIN EmailAddresses EmailAddresses_CC
        ON EmailAddresses_CC.emailaddr_id = EmailCcAddresses.emailaddr_id
    LEFT JOIN Classifications
        ON Classifications.classification_id = EmailLogs.classification_id
    LEFT JOIN AppliedRules
        ON AppliedRules.rule_id = EmailLogs.rule_id
    LEFT JOIN AppliedRuleTypes
        ON AppliedRuleTypes.ruletype_id = AppliedRules.ruletype_id
    LEFT JOIN EmailAtt
        ON EmailAtt.emaillog_id = EmailLogs.emaillog_id
    WHERE EmailLogs.classification_id IS NOT NULL

4. Enter a name for the staging table. The name should include the stg_ prefix, and identify the client and entity, such as Stg_<ClientName><EntityName>. If the table name field is left blank, then a number is generated for the table name, such as stg_11.
5. (Optional) Test the query, and review the results, as follows:
    a. Click Test Query.
    b. Enter the sample size and timeout value.
    c. Click Run. The query runs or returns an error. If the query runs, then the results are shown in the Query Results field.
    d. Adjust the query and run it again, if needed.
    e. When the query meets your requirements, click Use Query. Any changes to the original query are transferred to the Data Source Query Editor. The updated query is not saved until Save is clicked.
6. Enter the timeout interval in seconds.
7. Click Save. Clicking Save runs the query and creates the table. The Watermarking/Scheduling page opens.
8. Enter the watermark column and value. The integration wizard uses the watermark to pull only records whose value in the given field is greater than the value provided. The watermark should be a unique, incremental value. Not specifying the watermark field causes all data to be queried and uploaded each time the query is run.
9. Set the initial run for a date and time.
10. Set the frequency of the query. Data source processing is separate from the nightly job processing. Bay Dynamics recommends setting the processing interval to Daily.
11. Click Save.
Task 3: Creating a Data Integration

A data integration pulls specific data from a data source, and maps the data to Symantec ICA fields. First, an integration pack is created, then an import rule is defined, and then the rule is mapped to fields in a Symantec ICA LDW table.

To create a data integration using the integration wizard, do the following:
1. In the Symantec ICA administration console, select Integration.
2. Select the Data Integrations tab.
3. Click Create Integration Pack.
4. Enter a name and description for the pack, and click Save.
5. Right-click the integration pack, and select Create Import Rule.
6. Enter a name and description for the rule.
7. (Optional) Create additional import rules, as needed.
8. Right-click the import rule, and select Create Import Rule Mapping.
9. Enter or set the following items:
    Mapping Name: Name of the mapping.
    Description: Description of the mapping.
    Data Source: Data source. Available data sources are listed in the field.
    Query: Query associated with the data source. Available queries are listed in the field.
    Symantec ICA Processing Watermark: Leave this field blank.
    Run Intra-day: Select Yes or No. This field refers to the nightly processing job.
    Run Order: Order of the import process compared to other processes.
    Entity Type: Select DIM Incidents.
    Create Entities: Select Yes to create new entities. If set to No, then select the entity key.
10. Map the source fields to the listed Symantec ICA fields. The listed fields are specific to the entity type. The required fields must be mapped. Additional fields can be set in the Source to Symantec ICA Entity Mappings section.
    See Also: Refer to the mapping tables in the appendix for mapping information.
11. Click Save.

Task 4: Processing the Query Data

After creating the data integration, the query data must be processed using the nightly job. Until the nightly processing job is run, the data is not imported to Symantec ICA.

To run the nightly processing job, do the following:
1. Log in to Microsoft SQL Server, and connect to Database Engine.
2. Expand SQL Server Agent, and then expand Jobs.
3. Process the Symantec ICA processing job as follows:
    a. Right-click the Symantec ICA Processing job, and select Start Job at Step.
    b. Select Step 1 of the Symantec ICA Processing Job, and click Start. This process takes some time to complete. Wait until the process finishes before continuing this procedure. This job performs daily processing on several cubes.
4. Close the job processing window.
5. Double-click Job Activity Monitor.
6. Use the refresh option to view the progress of the job.
Appendix A: Integration Wizard Mappings for Symantec ICT Data

The following tables list the required and optional fields for mapping data from the Symantec ICT source table to the Symantec ICA staging table.

Required Symantec ICT Fields

The following fields are required when mapping from Symantec ICT:

    Entity Column        | Format          | Type          | Value
    IncidentDate         | DATETIME        | Source Column | IncidentDate
    MatchCount           | BIGINT (19,0)   | Source Column | matchcount
    RecipientIdentifier  | NVARCHAR (4000) | Source Column | recipientidentifier
    SenderIdentifier     | NVARCHAR (4000) | Source Column | senderidentifier
    SourceIncidentID     | NVARCHAR (36)   | Source Column | SourceIncidentID
    SourcePolicy         | NVARCHAR (100)  | Source Column | sourcepolicyid
    SourcePolicyName     | NVARCHAR (100)  | Source Column | SourcePolicyName
    SourceRuleID         | NVARCHAR (100)  | Source Column | sourceruleid
    SourceRuleName       | NVARCHAR (100)  | Source Column | sourcerulename

Optional Symantec ICT Fields

The following fields are optional when mapping from Symantec ICT:

    Entity Column           | Format          | Type          | Value
    AgentName               | NVARCHAR (50)   | Source Column |
    AgentType               | NVARCHAR (50)   | Source Column |
    AgentVersion            | NVARCHAR (50)   | Source Column |
    DocumentType            | NVARCHAR (20)   | Source Column |
    FileName                | NVARCHAR (4000) | Source Column | filename
    FileSize                | BIGINT (19,0)   | Source Column |
    IsArchived              | BIT             | Source Column |
    OccurredDate            | DATETIME        | Source Column |
    SourceAgentID           | NVARCHAR (36)   | Source Column |
    SourceComputerKey       | NVARCHAR (36)   | Source Column |
    SourceMessageID         | BIGINT (19,0)   | Source Column |
    SourcePolicyDescription | NVARCHAR (200)  | Source Column |
    SourceRuleDescription   | NVARCHAR (2000) | Source Column |

Create and Associate Symantec ICT Fields

The following fields are optional when mapping from Symantec ICT:

    Object                                | Entity Column                          | Format         | Type          | Value
    IP Addresses                          | DestinationIPAddress                   | NVARCHAR (100) | Source Column |
    IP Addresses                          | SourceIPAddress                        | NVARCHAR (100) | Source Column |
    Users                                 | SourceAccountName                      | NVARCHAR (256) | Source Column | SourceAccountName
    Users                                 | SourceNetBIOSDomain                    | NVARCHAR (256) | Source Column | SourceNetBIOSDomain
    Computer Endpoints                    | SourceHostName                         | NVARCHAR (256) | Source Column |
    DIM Incident Channels                 | ChannelName                            | NVARCHAR (50)  | Source Column | channelname
    DIM Incident Protocols                | ProtocolName                           | NVARCHAR (256) | Source Column | protocolname
    DIM Incident Severities               | SeverityName                           | NVARCHAR (50)  | Source Column | severityname
    DIM Incident Statuses                 | StatusName                             | NVARCHAR (50)  | Source Column | statusname
    Associate Message Subjects            | MessageSubject                         | NVARCHAR (1024)| Source Column |
    Computer Endpoint Connection Statuses | SourceComputerEndpointConnectionStatus | NVARCHAR (15)  | Source Column |
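The mapping check below is an added example and is not part of the Symantec guide or the product. It takes rows from a Test Query run (as Python dicts) together with the required-field formats from the table above, and reports required fields that are not mapped and values that do not fit the declared staging format, which is exactly what the Task 1 casting guidance and Task 3 step 10 ask you to get right before saving the mapping. The sample row and mapping are constructed and modelled on the query in Task 2.

```python
"""Sanity-check Test Query output against the Appendix A field formats."""
import re
from datetime import datetime
# Required-field formats copied from Appendix A; optional fields can be added the same way.
REQUIRED_FIELDS = {
    "IncidentDate": "DATETIME", "MatchCount": "BIGINT (19,0)", "SourceIncidentID": "NVARCHAR (36)",
    "RecipientIdentifier": "NVARCHAR (4000)", "SenderIdentifier": "NVARCHAR (4000)",
    "SourcePolicy": "NVARCHAR (100)", "SourcePolicyName": "NVARCHAR (100)",
    "SourceRuleID": "NVARCHAR (100)", "SourceRuleName": "NVARCHAR (100)",
}
_FORMAT_RE = re.compile(r"^([A-Z]+)\s*(?:\(\s*(\d+)(?:\s*,\s*\d+)?\s*\))?$")

def parse_format(fmt):
    """'NVARCHAR (4000)' -> ('NVARCHAR', 4000); 'BIGINT (19,0)' -> ('BIGINT', 19); 'BIT' -> ('BIT', None)."""
    if not (match := _FORMAT_RE.match(fmt.strip())):
        raise ValueError(f"unrecognised format string: {fmt!r}")
    return match.group(1), (int(match.group(2)) if match.group(2) else None)

def value_fits(value, fmt):
    """Return None when value fits the staging format, otherwise a short reason."""
    base, size = parse_format(fmt)
    if value is None:
        return None  # NULL is staged as-is; the mapping step decides how it is handled
    if base == "NVARCHAR":
        if not isinstance(value, str):
            return f"expected text, got {type(value).__name__} (CAST it in the query)"
        return f"length {len(value)} exceeds NVARCHAR({size})" if len(value) > size else None
    if base == "BIGINT":
        ok = isinstance(value, int) and not isinstance(value, bool) and -2**63 <= value < 2**63
        return None if ok else "expected a whole number in BIGINT range"
    if base == "DATETIME":
        return None if isinstance(value, datetime) else "expected a datetime (CAST it in the query)"
    if base == "BIT":
        return None if value in (0, 1) else "expected 0 or 1"
    return f"unsupported format {base}"

def check_mapping(mapping, rows, fields=REQUIRED_FIELDS):
    """mapping: {ICA field: query output column}; rows: Test Query rows as dicts.
    Returns a list of problems; an empty list means the mapping is ready for Task 3 step 10."""
    problems = [f"required field {f} is not mapped" for f in fields if f not in mapping]
    for field, column in mapping.items():
        if field not in fields:
            problems.append(f"{field} is not a field in the Appendix A table")
            continue
        for i, row in enumerate(rows):
            if column not in row:
                problems.append(f"row {i}: query returns no column {column} for {field}")
            elif (reason := value_fits(row[column], fields[field])):
                problems.append(f"row {i}: {field} <- {column}: {reason}")
    return problems

# Constructed sample row shaped like the guide's query output (not real ICT data).
SAMPLE_ROWS = [
    {"SourceIncidentID": 1001, "IncidentDate": datetime(2018, 7, 3, 9, 15), "MatchCount": 1,
     "RecipientEmailList": "bob@example.test", "SenderEmailAddress": "alice@example.test",
     "SourcePolicyID": "17", "SourceRuleID": "17", "SourcePolicyName": "PCI", "SourceRuleName": "PCI"},
]
# SenderIdentifier is deliberately unmapped and SourceIncidentID is left as an integer, so
# the report shows both a missing required field and a value that needs a CAST in the query.
SAMPLE_MAPPING = {
    "SourceIncidentID": "SourceIncidentID", "IncidentDate": "IncidentDate", "MatchCount": "MatchCount",
    "RecipientIdentifier": "RecipientEmailList", "SourcePolicy": "SourcePolicyID",
    "SourcePolicyName": "SourcePolicyName", "SourceRuleID": "SourceRuleID", "SourceRuleName": "SourceRuleName",
}
```

Running check_mapping(SAMPLE_MAPPING, SAMPLE_ROWS) reports the unmapped SenderIdentifier and the integer SourceIncidentID; mapping SenderEmailAddress and casting logentry_id to nvarchar in the query clears both.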