HP User Behavior Analytics
HP UBA Version 1.1
Powered by Securonix
Administration Guide
August 31, 2015
Confidential


Table of Contents

Chapter 1: Introduction
Chapter 2: Deployment Steps
Chapter 3: Post Installation Activities
    Starting, Stopping and Restarting the Application
    Access the Application
    Post Installation Tasks
        Set Up System Time Zone and SMTP Server
        Configure Logging
        Setting up Single Sign-On (SSO)
        Setting up LDAP Authentication
Chapter 4: Importing Data
    Types of Data – Overview
    Types of Connectors/Collectors
    Importing Resource Metadata
        Steps to Import Resource Metadata
    Importing Resources
    Importing User Data
        Importing User Data from Files
        Importing User Data from Active Directory
        Importing User Data from Oracle Identity Manager (OIM)
        Importing User Data from Oracle Identity Analytics (OIA)
        Importing User Data from Waveset IDM
        Importing User Data from SailPoint
        Importing User Data from Aveksa
        Importing User Data from Database
        Job Chaining
    Importing Access Data
        Creating Correlation Rules for Access Data Import
        Importing Access Data from Files
        Importing Access Data from Active Directory
        Importing Access Data from SailPoint
        Importing Access Data from Aveksa
        Importing Access Data from Database
        Importing Access Data from Oracle Identity Manager (OIM)
        Importing Access Data from Oracle Identity Analytics (OIA)
    Importing Activity Data (Events)
        Creating Correlation Rules for Activity Import
        Importing Events from HP ArcSight
        Importing Events from Log Files
        Importing Events using Syslog
        Importing Events from Other SIEM Solutions
        Importing Events from a Database
        Importing Events from Splunk
Chapter 5: Exporting Data
    Exporting User Identity Data
        Extract to Flat File from Imported Jobs
    Exporting Violations
        CEF Output via Syslog
        Configure HP UBA CEF Output to ArcSight
    Exporting Consolidated Threat Intel Feed
Chapter 6: Peer Groups
    Why use Peer Groups?
    Defining Peer Groups Manually
    Adding Peer Groups using Peer Creation Rules
    Adding Peer Groups Manually
Chapter 7: Organizations
    Creating Organizations
        Creating Organization Manually
        Creating Organizational Units Based on a User Attribute Rule
        Creating Organizational Units Based on a Resource Attribute Rule
        Granular Access Control Using Organizations
Chapter 8: Policies
    Creating New Policies
        Action>Create Rule Based Policy
        Action>Create Rule Based Policy with Direct HQL
        Action>Create Behavior Based Policy
        Action>Create Composite Policy
        Action>Create TIER2 Policy
        Action>Create TIER2 Policy with Direct HQL
        Directives
    Executing Policy
    Viewing Policy Violations
Chapter 9: Reports
    Creating a Report
    Running a Report
    Ad hoc Reporting
Chapter 10: Administration
    Using the Configure Menu
        Jobs
        Access Control
        Connection Types
        Email Templates
        Metadata
        Auditing
        Clustering
        Universal Forwarder
        Workflows
        Threat Modeler
        Settings
    Tweaking Event Import Performance
        The Event Import Job
    Backup and Restore
        Folder Backup
        Restoring the Application (Folder Restore)
    Archiving
        Introduction to Archiving
        Setting up Activity Data Archiving
    Supervising Jobs
        System Health Monitoring
Chapter 11: Webservices
    Available web services
    Using the HP UBA REST API
    Securing RESTful Web Services
    Getting Started with Web Services
    How to Use Web Services
        Web services sample application
Appendix A: Files in securonix_home
Appendix B: Policy Templates


Chapter 1: Introduction

Use the Administration Guide to learn how to perform administrative tasks on the application. In this guide, you can find:

• Deployment steps

• How to start and stop the application

• Post-installation tasks

• Importing data (identity, access and activity)

• Using peer groups, organizations and policies

• Reporting

• Using the Configure menu

• Logging

• Backup and restore

• Web services


Chapter 2: Deployment Steps

The key to implementing a successful enterprise project is a detailed project plan. The high-level tasks in such a plan are listed below. They are based on best-practice deployment methodologies that our team has gathered over several medium and large scale deployments; the size and complexity of your project should dictate which of these tasks you need.

Step 1: Requirements, Analysis, Architecture and Design. Review the HP User Behavior Analytics architecture and the Requirements sections to understand the system architecture, capacity planning, minimum hardware, OS and browser requirements, and the communication ports for your deployment.

Step 2: Installation and Configuration. The HP UBA Installation Guide provides complete information on how to install HP UBA in your environment.

Step 3: Import User Identity Data. Refer to Chapter 4, Importing User Data, for instructions on how to import user identity data into HP UBA in your environment.

Step 4: Import User Access Privileges. Refer to Chapter 4, Importing Access Data, for instructions on how to import access privileges into HP UBA in your environment. That section also explains how to correlate access privileges to user identities in order to get a single view of who has access to what in the enterprise.

Step 5: Import Activity/Event Data. Refer to Chapter 4, Importing Activity Data (Events), for instructions on how to import activities from resources into HP UBA in your environment.

Step 7: Detect Anomalies. Refer to HP UBA User Guide / Run Behavior Profiles for instructions on how to generate behavior profiles, and to HP UBA User Guide / Run Activity Outliers to detect activities conducted by suspicious users.

Step 8: Run Security Policy Scans. Refer to Chapter 8, Policies, for instructions on how to create your own security policies for continuous controls. See HP UBA User Guide / Run / Policy Violations for details on running policy scans.

Step 9: Set Up Access Control. Refer to Chapter 10, Administration, for instructions on controlling access for users within the application.


Step 10: Set Up Dashboards and Reports The HP UBA User Guide has information about configuring and modifying application dashboards and how to configure and run reports.


Chapter 3: Post Installation Activities

Starting, Stopping and Restarting the Application

Use the command-line interface (CLI):

To start the application: $ HPUBA11/bin/securonix.sh start

To stop the application: $ HPUBA11/bin/securonix.sh stop

To stop and start the application: $ HPUBA11/bin/securonix.sh restart

Access the Application

Open http://hostname:port/Profiler or https://hostname:port/Profiler, using the host and port you chose during installation (http or https depending on your installation choice). Log in with the username "admin" and the password entered during the installation of the application.

Post Installation Tasks

You can use the "Task Assistant" to go through all the initial configuration tasks to set up your new HP UBA application:

• System Configuration

• Import Users

• Run Policy Scans

• Create Peer Groups

• Import Access Entitlements

• Import Activities

• Run Behavior Profiles

• View Dashboard

Set Up System Time Zone and SMTP Server

Time Zone

Navigate to Configure>Settings. In the General Settings area, change the following settings:

• Application time zone: The time zone for the application server

• Database time zone: The time zone for the database server

• Date format: Select from multiple date/time formats from the drop-down box

• Session timeout: Enter a timeout period for sessions in seconds

SMTP Server


The mail server is used by the application for the following:

• Send email notification on a violation

• Send job success/failure notifications

• Send emails on user lifecycle changes (new, updated and terminated users)

• Send emails for case-related notifications

• Receive emails to add as comments to existing cases

Adding an SMTP Server

To set up a new SMTP server:

1 Navigate to Configure>Settings.

2 Click SMTP Server Settings in the left panel.

3 Click the down arrow next to "default" to see the default settings, then fill in the fields:

Mail box name: leave as "default" or provide a name of your choice

Host: Host name for the mail server

Port: Outgoing port

From email: Email account used for sending emails

SSL enabled?: Toggle switch to enable or disable SSL for the connection to the mail server

Authentication required: Toggle switch to Yes if the mail server requires authentication

User name & password: If authentication is set to Yes, enter the username and password. If authentication is enabled, also enable SSL; otherwise the mailbox credentials are sent to the mail server in the clear.


More Settings: click the arrow next to More Settings to adjust the following defaults:

Font name: Default is Arial

Font size: Default is 2

Batch size: Number of mails sent in a batch; default is 25

Interval: Number of seconds between retries; default is 10

Process in batch: Send emails in batches; default is Yes

Stop when done: Stop sending when all mails in the queue have been processed; default is Yes

When done, use the buttons at the bottom of the Mail Server Settings screen to save the settings, to save the settings and send a test email, or only to test the SMTP server connection.

Configure Logging

Setting up Logging to the securonix.log File

The HP User Behavior Analytics application logs errors and debug statements to a log file named securonix.log, located in the <TOMCAT_HOME>/logs directory. You can change the location of securonix.log to any folder you choose.

To specify the location of the log file:

1 Navigate to <TOMCAT_HOME>/WEB-INF/classes.


2 Locate the file log4j.properties.

3 Open the file with a text editor.

4 Under the # File Appender heading, find the following line and set its value to the new path of the log file: log4j.appender.file.file=.../securonix.log

Note: Logging to the new location begins only after you restart the HP User Behavior Analytics application.

Changing the log format

By default, securonix.log does not include the date on which each entry was written, because log4j.properties contains the following directive:

log4j.appender.file.layout.ConversionPattern=%d{ABSOLUTE} %-5p [%c{1}] %m%n

Example line from securonix.log: 09:37:26,744 DEBUG [LoginController] auth Getting license information...

To include the date, replace the directive with the pattern below (note the single "=" after ConversionPattern). Besides the date, this pattern adds the milliseconds since the application started (%r), the thread name (%t) and the nested diagnostic context (%x), which is usually empty:

log4j.appender.file.layout.ConversionPattern=%d{dd MMM yyyy HH:mm:ss,SSS} %-4r [%t] %-5p %c{1} %x - %m%n
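As an added example (not part of the original guide), the following Python parser handles both ConversionPatterns above, so a script that tails securonix.log keeps working whichever format an administrator has chosen. The first sample line is the one quoted above; the remaining sample lines are constructed here, and the logger and thread names in them are illustrative.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Iterable, Optional

# Pattern 1 (default):   %d{ABSOLUTE} %-5p [%c{1}] %m%n
#   e.g. 09:37:26,744 DEBUG [LoginController] auth Getting license information...
DEFAULT_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+)\s+"          # %-5p is right-padded, so INFO/WARN carry extra spaces
    r"\[(?P<logger>[^\]]+)\] "
    r"(?P<msg>.*)$"
)

# Pattern 2 (with date): %d{dd MMM yyyy HH:mm:ss,SSS} %-4r [%t] %-5p %c{1} %x - %m%n
#   %r = milliseconds since the application started, %t = thread, %x = nested diagnostic context
DATED_RE = re.compile(
    r"^(?P<date>\d{2} [A-Za-z]{3} \d{4} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<uptime_ms>\d+)\s+"
    r"\[(?P<thread>[^\]]+)\] "
    r"(?P<level>[A-Z]+)\s+"
    r"(?P<logger>\S+) "
    r"(?P<ndc>.*?) - "               # %x is usually empty, which leaves two spaces before "- "
    r"(?P<msg>.*)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Return a structured record for one securonix.log line, or None if it
    matches neither pattern (e.g. a stack-trace continuation line)."""
    m = DATED_RE.match(line)
    if m:
        d = m.groupdict()
        return {
            "timestamp": datetime.strptime(d["date"], "%d %b %Y %H:%M:%S,%f"),
            "dated": True,
            "uptime_ms": int(d["uptime_ms"]),
            "thread": d["thread"],
            "level": d["level"],
            "logger": d["logger"],
            "ndc": d["ndc"],
            "message": d["msg"],
        }
    m = DEFAULT_RE.match(line)
    if m:
        d = m.groupdict()
        return {
            # only a time of day is available: the default pattern drops the date
            "timestamp": datetime.strptime(d["time"], "%H:%M:%S,%f").time(),
            "dated": False,
            "uptime_ms": None,
            "thread": None,
            "level": d["level"],
            "logger": d["logger"],
            "ndc": "",
            "message": d["msg"],
        }
    return None


def count_by_level(lines: Iterable[str]) -> Counter:
    """Tally parsed lines by log level; unparsable lines are ignored."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[rec["level"]] += 1
    return counts


# Constructed sample input. The first line is the example quoted in the guide;
# the others are made up to exercise the level padding and the dated pattern.
SAMPLE_LINES = [
    "09:37:26,744 DEBUG [LoginController] auth Getting license information...",
    "09:37:27,002 WARN  [ImportJob] user import: 3 records skipped",
    "31 Aug 2015 09:37:26,744 1234 [main] DEBUG LoginController  - auth Getting license information...",
    "31 Aug 2015 09:41:03,118 217982 [http-bio-8080-exec-3] ERROR SsoFilter  - SM_USER header missing - rejecting request",
    "    at com.example.Foo.bar(Foo.java:42)",   # stack-trace continuation, not a log line
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_line(line))
    print(count_by_level(SAMPLE_LINES))
```

The dated pattern is tried first because its prefix can never match the time-only pattern; the non-greedy NDC group stops at the first " - ", so messages that themselves contain " - " are kept intact.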

Log Levels

• OFF: Turns off logging.

• FATAL: Designates very severe error events that will presumably lead the application to abort.

• ERROR: Designates error events that might still allow the application to continue running.

• WARN: Designates potentially harmful situations.

• INFO: Designates informational messages that highlight the progress of the application at a coarse-grained level.

• DEBUG: Designates fine-grained informational events that are most useful to debug an application.

• TRACE: Designates finer-grained informational events than DEBUG.

• ALL: The lowest possible rank; turns on all logging.

Changing Logging Levels

Logging can be changed for each module within the HP User Behavior Analytics application. To change the logging levels, perform the following steps:

1 Navigate to Configure>Settings.

2 Click Logging on the left sidebar menu.

3 Change the log level for the desired module.

4 Click Update.


Change Log Levels for Modules

The modules available for logging are:

• Imports – logging for User Import and Glossary Import actions.

• Manage – Users, Resources, Peers, Organizations, Application.

• Detect – Detect Behavioral Analytics, Anomaly Detection.

• Reports – Running and rendering reports.

• Configure – All actions available under the configure menu.

• Respond – Incidents, Activity Review.

• UI Utilities – Analytical Activities, Applications, Dashboard, Incidents, Organizations, Peer, Resource, Detect, Transaction, User, Utility Impl, Token, Common UI Utilities, Workbench Util.

Log Level Choices

All modules have the same log level choices. The default setting for each, however, is different. Choices are:

• All: All has the lowest possible rank and is intended to turn on all logging.

• Debug: Designates fine-grained informational events that are most useful to debug an application.

• Error: Designates error events that might still allow the application to continue running.

• Fatal: Designates very severe error events that will presumably lead the application to abort.

• Info: Designates informational messages that highlight the progress of the application at a coarse-grained level.

• Off: Off has the highest possible rank and is intended to turn off logging.

• Trace: Designates finer-grained informational events than debug.

• Warn: Designates potentially harmful situations.

Setting up Single Sign-On (SSO) End users have several credentials that they need to remember to access the hundreds of applications they need to do their work effectively. This often leads to high help desk costs and security weaknesses as users may write passwords in unsafe locations or use weaker passwords that are easy to remember.

In order to help enterprises get over these challenges, HP UBA provides multiple options for simplified single sign-on.


• Use of Enterprise Single Sign-on products

• Use of SAML IdP Providers

• LDAP authentication

Pre-requisites

A Single Sign-on application (for example, SiteMinder).

Configuration

The application stores all configuration settings for SSO authentication in application-context.xml. Change the following in application-context.xml:

• SSO Authentication = true

• Hostname = domain for which SSO is enabled

• Logout URL

For example:

<sso_application_name enabled="true" hostname="application_name.com" logouturl="http://www.sso_application_name.com">

SSO Setup Instructions

Log in to the application at http://hostname:portnumber/Profiler/ and navigate to http://hostname:portnumber/Profiler/metadata. The metadata must be generated again after every restart of Tomcat.


Click Generate Metadata.

Copy the Identity Provider's metadata into the idp-local file in the \webapps\Profiler\WEB-INF\classes\security folder.

Forward the metadata generated by HP UBA to the Identity Provider administrator. Test SSO login with a URL of the following form, where the idp parameter is the Identity Provider's entity ID (the value shown is the example used in the original):

http://HostName:PortNumber/Profiler/saml/login?idp=https://authqa.corelogic.com/CoreLogic_SAML_20_EntityID

SAML authentication URL (HTTP-POST binding): http://hostname:portnumber/Profiler/saml/SSO/alias/hostname. In production this endpoint should be reachable over https only, since the browser posts the SAML assertion to it and receives the HP UBA session cookie in the response.
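As an added example (not from the guide or the product), the following Python check summarizes the SP metadata you are about to hand to the Identity Provider administrator and flags the settings a reviewer would query. The metadata document embedded below is constructed for the example: the entityID value and the HTTP-Artifact entry are assumptions, while the HTTP-POST location is the SSO URL given above.

```python
import xml.etree.ElementTree as ET
from typing import List

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata in the shape a Generate Metadata page produces.
# The entityID and the HTTP-Artifact endpoint are assumptions for this example;
# the HTTP-POST Location is the SAML SSO URL from the guide.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://hostname:portnumber/Profiler/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://hostname:portnumber/Profiler/saml/SSO/alias/hostname"
        index="0" isDefault="true"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://hostname:portnumber/Profiler/saml/SSO/alias/hostname"
        index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def summarize_sp_metadata(xml_text: str) -> dict:
    """Extract what the IdP administrator needs: entityID, whether the SP asks
    for signed assertions, and every assertion consumer endpoint."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")
    acs = [
        {"binding": e.get("Binding"), "location": e.get("Location"), "index": e.get("index")}
        for e in sp.findall("md:AssertionConsumerService", NS)
    ]
    return {
        "entity_id": root.get("entityID"),
        "want_assertions_signed": sp.get("WantAssertionsSigned", "false").lower() == "true",
        "acs": acs,
    }


def check_sp_metadata(xml_text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    info = summarize_sp_metadata(xml_text)
    findings: List[str] = []
    if not any(a["binding"] == HTTP_POST for a in info["acs"]):
        findings.append("no HTTP-POST AssertionConsumerService: most IdPs need one")
    for a in info["acs"]:
        if not str(a["location"]).startswith("https://"):
            # the browser posts the assertion here and gets the HP UBA session
            # cookie in the reply, so this endpoint must not be plain http
            findings.append(
                f"AssertionConsumerService {a['index']} is served over plain http: {a['location']}"
            )
    if not info["want_assertions_signed"]:
        findings.append("WantAssertionsSigned is false: the IdP is not asked to sign assertions")
    return findings


if __name__ == "__main__":
    print(summarize_sp_metadata(SAMPLE_SP_METADATA))
    for finding in check_sp_metadata(SAMPLE_SP_METADATA):
        print("FINDING:", finding)
```

Run against the file downloaded from the metadata page after each Tomcat restart; the plain-http finding is the one the sample above triggers, and it disappears once the application is published behind https.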

SiteMinder Authentication CA SiteMinder provides Single-on capability by intercepting requests being sent to the web server and forwarding those requests to the SiteMinder policy server for authentication. Once the end user logs in to the SiteMinder portal, the sign in token is sent to the HP UBA application as part of the header. The HP UBA application can be set up to accept this authentication token and perform automated login to the HP UBA application.

The SM Web Agent installed on the Web Server is designed to intercept all traffic and checks whether:

1. The requested resource is protected by SiteMinder.

2. The user has a valid SMSESSION (i.e. is authenticated).

If 1 and 2 are true, the Web Agent checks the SiteMinder Policy Server to see if the user is authorized to access the requested resource.

To ensure that you don't have HTTP Header injections of user info, the SiteMinder WebAgent will rewrite all the SiteMinder specific HTTP Header information. Essentially, this means the HP UBA application can "trust" the SM_ info the WebAgent is presenting about the user since it is created by the Web Agent on the server and not part of the incoming request.

Prerequisite for Setting up SiteMinder Authentication

The SiteMinder web agent is installed on the server running the HP UBA application.


Verify that SM_USER is the header variable supplied by SiteMinder. Configure the logout URL so that when a user logs out of the HP UBA application, the SiteMinder session is also terminated.

Steps to Configure SSO

Navigate to Configure>Settings. Under Application Settings, navigate to Single Sign-on. Toggle the Enable Single Sign-on switch to Yes. Provide the name of the host registered on the SiteMinder Policy Server. Enter the logout URL that will end the user's session.

(Example: https://www.abc.com/logoff.jsp?referrer=http://myapp.com).

SAML Authentication

SAML, or Security Assertion Markup Language, is the leading SSO protocol today and is a valuable standard to understand in order to fully comprehend how single sign-on works. SAML is an attribute exchange built on trust relationships between IdPs (Identity Providers) and SPs (Service Providers).

Here is a basic example of a SAML assertion:

A user opens their web browser and goes to http://securonixapp.com. HP UBA doesn't handle authentication itself. To authenticate the user, HP UBA constructs a SAML AuthnRequest, signs it, optionally encrypts it and encodes it. It then redirects the user's web browser to the Identity Provider (IdP) in order to authenticate. The IdP receives the request, decodes it, decrypts it if necessary and verifies the signature.

With a valid AuthnRequest, the IdP presents the user with a login form to enter their username and password.

Once the user has logged in, the IdP generates a SAML token that includes identity information about the user (such as their username, email, etc.). The IdP takes the SAML token and redirects the user back to the service provider (http://securonixapp.com).

HP UBA verifies the SAML token, decrypts it if necessary and extracts identity information about the user, such as who they are and what their permissions might be. HP UBA now logs the user into its system.

At the end of the process the user can interact with http://securonixapp.com as a logged in user. The user's credentials never passed through HP UBA, only through the Identity Provider.

HP UBA is a Service Provider and relies on the customer having an Identity Provider to perform the authentication.

Identity Provider (Authorization Server) – this server owns the user identities and credentials. The IdP is WHO the user actually authenticates with.

For steps to configure SAML Authentication, see Chapter 10: Administration (SAML Settings).
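The exchange described above, as an added Python illustration that is not part of the HP UBA product or of this guide: the Service Provider builds and encodes an AuthnRequest for the HTTP-Redirect binding, and then, before logging the user in, checks the IdP's Response for Destination, InResponseTo, status, validity window, audience restriction and replay. The entity ID, ACS URL and IdP URL are assumed placeholders, the Response is constructed inline and unsigned, and XML signature verification is assumed to be done by the SAML library rather than reproduced here.

```python
"""Service Provider side of SAML 2.0 Web Browser SSO: build and encode the
AuthnRequest, then vet the IdP's Response. Illustration only; endpoints assumed."""
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote, urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "http://securonixapp.com/Profiler/saml/metadata"       # assumed
ACS_URL = "http://securonixapp.com/Profiler/saml/SSO/alias/hostname"  # assumed
IDP_SSO_URL = "https://idp.example.test/saml/sso"                     # assumed

def saml_time(t: datetime) -> str:
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_authn_request(request_id: str, now: datetime) -> str:
    """The SP names itself (Issuer) and the ACS URL the IdP must post back to."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="{request_id}" Version="2.0" IssueInstant="{saml_time(now)}" '
            f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}" '
            f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')

def redirect_url(authn_request: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, base64, URL-encode (signature omitted)."""
    comp = zlib.compressobj(wbits=-15)
    data = comp.compress(authn_request.encode()) + comp.flush()
    return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(data).decode()})

def decode_saml_request(url: str) -> str:
    """What the IdP does on receipt: reverse the encoding and inflate."""
    param = url.split("SAMLRequest=", 1)[1]
    return zlib.decompress(base64.b64decode(unquote(param)), wbits=-15).decode()

def validate_response(xml_text: str, outstanding: set, seen: set, now: datetime) -> dict:
    """Checks the SP must still make AFTER its SAML library has verified the
    XML signature; signature verification itself is not reproduced here."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != ACS_URL:
        problems.append("Destination is not our ACS URL")
    if root.get("InResponseTo") not in outstanding:
        problems.append("InResponseTo matches no outstanding AuthnRequest")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("IdP did not report Success")
    a = root.find("saml:Assertion", NS)
    if a is None:
        return {"ok": False, "problems": problems + ["no Assertion element"]}
    if a.get("ID") in seen:
        problems.append("assertion already consumed (replay)")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (parse_time(cond.get("NotBefore")) <= now
                            < parse_time(cond.get("NotOnOrAfter"))):
        problems.append("assertion outside its validity window")
    audiences = [x.text for x in a.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        problems.append("AudienceRestriction does not name this SP")
    if problems:
        return {"ok": False, "problems": problems}
    outstanding.discard(root.get("InResponseTo"))  # one Response per request
    seen.add(a.get("ID"))                            # never accept an assertion twice
    attrs = {att.get("Name"): [v.text for v in att.findall("saml:AttributeValue", NS)]
             for att in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"ok": True, "name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "attributes": attrs}

def sample_response(in_response_to: str, now: datetime, assertion_id: str = "_a1") -> str:
    """Constructed, unsigned IdP Response for the demo (a real one carries ds:Signature)."""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" '
            f'Version="2.0" IssueInstant="{saml_time(now)}" Destination="{ACS_URL}" '
            f'InResponseTo="{in_response_to}"><samlp:Status><samlp:StatusCode '
            f'Value="{SUCCESS}"/></samlp:Status><saml:Assertion ID="{assertion_id}" '
            f'Version="2.0" IssueInstant="{saml_time(now)}"><saml:Issuer>https://idp.example.test'
            f'</saml:Issuer><saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotBefore="{saml_time(now - timedelta(minutes=1))}" '
            f'NotOnOrAfter="{saml_time(now + timedelta(minutes=5))}"><saml:AudienceRestriction>'
            f'<saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>'
            f'</saml:Conditions><saml:AttributeStatement><saml:Attribute Name="mail">'
            f'<saml:AttributeValue>jdoe@example.test</saml:AttributeValue></saml:Attribute>'
            f'</saml:AttributeStatement></saml:Assertion></samlp:Response>')

def demo() -> dict:
    now = datetime(2015, 8, 31, 12, 0, tzinfo=timezone.utc)
    outstanding, seen = {"_req1"}, set()
    url = redirect_url(build_authn_request("_req1", now))
    first = validate_response(sample_response("_req1", now), outstanding, seen, now)
    replay = validate_response(sample_response("_req1", now), outstanding, seen, now)
    stale = validate_response(sample_response("_req2", now, "_a2"), {"_req2"}, set(),
                              now + timedelta(hours=1))
    return {"roundtrip": "AssertionConsumerServiceURL" in decode_saml_request(url),
            "first": first, "replay": replay, "stale": stale}
```

The second call in demo() reuses the same Response and is rejected twice over (its AuthnRequest has been consumed and its assertion ID has been seen), which is the replay protection an SP needs on top of signature checking; the third call shows a fresh assertion rejected purely on the NotBefore/NotOnOrAfter window.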


Setting up LDAP Authentication

Prerequisites

• The LDAP account should have read permissions for the organizational unit against which the application authenticates.

• Identify the DN (Distinguished Name) for the account. Example:

cn=svc_[DN],OU=ServiceAccounts,DC=[DN],DC=com

Identify the following additional parameters, which are required for AD authentication:

• The IP address/hostname of the domain controller.

• The OU (organizational units) containing the different users that should be authenticated.

Understanding the Configuration

By default the application authenticates against the local MySQL data store. However, this can be changed to authenticate users against Active Directory.

Note: The authorization for the users is still done based on roles assigned locally.

• managerDn = <the username used for authenticating against AD>

• managerPassword = <the password used for authenticating against AD>

• grails.plugins.springsecurity.ldap.context.server = <ldap url> (example: ldap://xx.xx.xx.xx:389 or ldaps://xx.xx.xx.xx:636)

• grails.plugins.springsecurity.ldap.authorities.groupSearchBase = <group search base>

• grails.plugins.springsecurity.ldap.search.base = <user search base>

Add the following line to the ldap-config.properties file:

grails.plugins.springsecurity.ldap.authorities.groupSearchFilter=member={0}

Add the userid (same as AD login) in the application, and provide the appropriate access controls.

By default, the system uses the sAMAccountName for authentication. This can be changed by changing the value for:

grails.plugins.springsecurity.ldap.search.filter=sAMAccountName={0}

Change sAMAccountName to cn, dn or another distinguishing attribute as required.

To allow local user authentication as well, comment out the following line; otherwise authentication is performed only against AD. Uncomment it to authenticate only against AD.

grails.plugins.springsecurity.providerNames = ldapAuthProvider

To debug authentication errors, add the following line to the log4j.properties file:

log4j.logger.org.springframework.security=DEBUG

Note: If there are multiple domains to be configured, create a virtual directory which has the entire list of users. Use the credentials of the virtual directory in the ldap-config.properties files.


Configure LDAP

Go to $HPUBA11/securonix_home/conf/. Open the file ldap-config.properties and make the following changes:

grails.plugins.springsecurity.providerNames = ldapAuthProvider

grails.plugins.springsecurity.ldap.context.managerDn = <DN of the LDAP bind account>

grails.plugins.springsecurity.ldap.context.managerPassword = <password>

grails.plugins.springsecurity.ldap.context.server = ldap://<master server IP>

grails.plugins.springsecurity.ldap.authorities.ignorePartialResultException = true

grails.plugins.springsecurity.ldap.search.searchSubtree = true

grails.plugins.springsecurity.ldap.search.base = dc=oracledemo,dc=com

grails.plugins.springsecurity.ldap.authorities.groupSearchFilter=member={0}
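A pre-flight check over ldap-config.properties, added here as an example and not part of HP UBA: it parses the properties listed above, flags a plain ldap:// server URL (the manager bind password and every search would cross the network unencrypted), a filter whose {0} placeholder has been mistyped (for example as member(0), which substitutes nothing and matches nobody) and a placeholder manager password, and shows the RFC 4515 escaping that any login name substituted into {0} needs. The sample properties, host and DNs are constructed.

```python
"""Pre-flight checks for ldap-config.properties before switching logins to AD,
plus RFC 4515 escaping for whatever is substituted into the {0} placeholder.
Added example, not part of HP UBA; the property names are the ones the guide lists."""
from typing import Dict, List

PREFIX = "grails.plugins.springsecurity."

# Constructed sample that reproduces three mistakes worth catching before go-live.
SAMPLE = """\
grails.plugins.springsecurity.providerNames = ldapAuthProvider
grails.plugins.springsecurity.ldap.context.managerDn = cn=svc_uba,OU=ServiceAccounts,DC=example,DC=com
grails.plugins.springsecurity.ldap.context.managerPassword = Password
grails.plugins.springsecurity.ldap.context.server = ldap://10.0.0.5:389
grails.plugins.springsecurity.ldap.search.searchSubtree = true
grails.plugins.springsecurity.ldap.search.base = dc=example,dc=com
grails.plugins.springsecurity.ldap.search.filter = sAMAccountName={0}
grails.plugins.springsecurity.ldap.authorities.groupSearchBase = ou=Groups,dc=example,dc=com
grails.plugins.springsecurity.ldap.authorities.groupSearchFilter = member(0)
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key = value, '#' or '!' comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def lint(props: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing obvious is wrong."""
    findings = []
    server = props.get(PREFIX + "ldap.context.server", "")
    if not server.startswith(("ldap://", "ldaps://")):
        findings.append("ldap.context.server must be an ldap:// or ldaps:// URL")
    elif server.startswith("ldap://"):
        findings.append("ldap.context.server uses plain ldap://: the manager bind password "
                        "and every search cross the network unencrypted; prefer ldaps://")
    for key in ("ldap.search.filter", "ldap.authorities.groupSearchFilter"):
        value = props.get(PREFIX + key, "")
        if "{0}" not in value:   # e.g. the misprint member(0): nothing gets substituted
            findings.append(f"{key}={value!r} has no {{0}} placeholder")
    if "ldapAuthProvider" not in props.get(PREFIX + "providerNames", ""):
        findings.append("providerNames lacks ldapAuthProvider; logins stay local")
    if props.get(PREFIX + "ldap.context.managerPassword", "") in ("", "Password"):
        findings.append("managerPassword is empty or still the placeholder")
    return findings


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a login name cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def render_filter(template: str, value: str) -> str:
    """What {0} substitution should do with an untrusted login name."""
    return template.replace("{0}", escape_filter_value(value))
```

Running lint(parse_properties(SAMPLE)) yields three findings (plain ldap://, the broken groupSearchFilter, the placeholder password); the search filter with its correct {0} passes. render_filter shows why the framework's placeholder substitution must escape its input: parentheses and asterisks in a login name become \28, \29 and \2a instead of becoming filter syntax.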

In the application, navigate to Configure>Settings, then select LDAP Authentication

Set the switch for Enable LDAP authentication to Yes. Fill in the details:


Server: Enter the IP address of Active Directory (ldap://[ip]:[port]/).

Base: Enter the base directory to start the search, usually something like dc=mycompany,dc=com.

Manager DN.

Manager Password.

Retrieve Database Roles: Checkbox, whether to retrieve additional roles from the database using the User/Role many-to-many.

Retrieve Group Roles: Checkbox, whether to infer roles based on group membership.

Group Search Base: The base DN from which the search for group membership should be performed.

Group Search Filter: The pattern to be used for the user search. {0} is the user’s DN.

Group Role Attribute: The ID of the attribute which contains the role name for a group.

Click Save.


Chapter 4: Importing Data

Types of Data – Overview

HP User Behavior Analytics consumes different types of data, correlates it and detects abnormalities indicative of different types of threats. Data consumed by the application is normalized and correlated to enable context-aware monitoring and analyzed using advanced algorithms to identify threats.

In particular the following broad categories of data are normally consumed by the application:

• User identity data

• Resource (or system) metadata

• User access privileges

• Resource (or system) activity data

• Application transactions

• Security events

• Threat intelligence feeds

• Geolocation data

HP User Behavior Analytics not only consumes the data but also normalizes and correlates the data so that all user related activities, access and risk are attributed to the right user and all resource-(system) related activities, security events and accounts are attributed to the appropriate resource (or system). This attribution is a fundamental building block provided by the application and allows it to perform deeper analytics on the collected data.

HP User Behavior Analytics is able to import live streaming or historical data sets (security events, activity logs, transactions, network flows, etc.) and batched or static data (user identity data, vulnerability scan results, DLP data at rest results, access privileges, risk scores, etc.) HP User Behavior Analytics provides out of the box parsers and content.

Types of Connectors/Collectors

The HP User Behavior Analytics application provides several types of collectors/connectors for rapid integration in organizations. It is able to integrate with data sources that themselves may be data aggregators (SIEM, Loggers, etc.) or directly to systems which provide identity and access data (Active Directory, LDAP, etc.).

Broadly speaking, the data collectors fall into the following categories:

• File based collector (log files, Syslog, CEF)

• Database based collector (some DLP applications, application audit logs)

• API-based collector (McAfee ESM, etc.)

• LDAP-based collector (active directory access privileges)


Importing Resource Metadata

Organizations may have a detailed list of their existing assets that they want to import into HP UBA and utilize for additional context on the resources and even use the metadata in the policy engine.

HP UBA provides the capability to import these assets as resources. Additionally, any asset information can be imported against the resource as metadata:

Resource, Resource Type, owner, decommissioned, targetip, criticality, disabled, customfield1, customfield2, customfield3, customfield4, customfield5, customfield6, customfield7, customfield8, hierarchy, hostname, colorcode, Name=Value, Name=Value, Name=Value

When resources are imported and a resource type is mapped as one of the fields, the HP UBA application will attempt to map it to an existing Resource Type in the configresourceparsers table. If the resource type matches, it will use the configurations defined there to generate the attributes, parsers, reports etc. automatically.

If there is no existing Resource Type, the HP UBA application will create a new resource type in the resourcetypeid table and the configresourceparsers table and make sure that the resource is matched to that new resource type.

The HP UBA application validates the imported values as follows:

• criticality must be one of Critical, High, Medium or Low.

• decommissioned must be either 1 or 0.

• owner must exist in the sec_user table; ownerid is then set to the id from the sec_user table.

• target IP must fit the 45-character alphanumeric field.

• colorcode must be a valid hexadecimal color code; otherwise one is set up automatically.
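The validation rules just listed, implemented as an added Python example (not HP UBA's importer): a delimited line in the column order given above is parsed, trailing Name=Value columns become metadata, the criticality, decommissioned, owner, targetip and colorcode checks are applied, and ownerid is filled from a constructed stand-in for the sec_user table. The exact character rule for targetip and the colour assigned when colorcode is invalid are assumptions; both sample rows are constructed.

```python
"""Field validation for one imported resource row, following the checks the guide
lists (criticality set, decommissioned flag, owner lookup against sec_user,
targetip length, colorcode). Added example, not HP UBA's importer."""
import csv
import re
from typing import Dict, List, Tuple

# Column order as listed in the guide; anything after colorcode is Name=Value metadata.
COLUMNS = (["resource", "resourcetype", "owner", "decommissioned", "targetip", "criticality",
            "disabled"] + [f"customfield{i}" for i in range(1, 9)]
           + ["hierarchy", "hostname", "colorcode"])
CRITICALITY = {"Critical", "High", "Medium", "Low"}
HEX_COLOR = re.compile(r"#?[0-9A-Fa-f]{6}")
SEC_USER = {"alice": 101, "bob": 102}   # constructed stand-in for the sec_user table
DEFAULT_COLOR = "#808080"               # assumed value for "set one up automatically"


def parse_row(line: str, delimiter: str = ",") -> dict:
    """Split one delimited line into a row dict plus a metadata dict."""
    fields = next(csv.reader([line], delimiter=delimiter))
    row = dict(zip(COLUMNS, fields))
    row["metadata"] = {}
    for extra in fields[len(COLUMNS):]:
        name, _, value = extra.partition("=")
        if name.strip():
            row["metadata"][name.strip()] = value.strip()
    return row


def validate_resource(row: dict) -> Tuple[dict, List[str]]:
    """Return the cleaned row and the list of validation errors (empty = accepted)."""
    errors, clean = [], dict(row)
    if row.get("criticality") not in CRITICALITY:
        errors.append(f"criticality {row.get('criticality')!r} not in {sorted(CRITICALITY)}")
    if row.get("decommissioned", "0") not in ("0", "1"):
        errors.append("decommissioned must be 0 or 1")
    owner = row.get("owner", "")
    if owner in SEC_USER:
        clean["ownerid"] = SEC_USER[owner]          # ownerid is the id from sec_user
    else:
        errors.append(f"owner {owner!r} not found in sec_user")
    ip = row.get("targetip", "")
    # Assumed reading of "45 alphanumeric": IPv4/IPv6 text in a 45-character field.
    if len(ip) > 45 or not re.fullmatch(r"[0-9A-Za-z.:]*", ip):
        errors.append("targetip must be at most 45 address characters")
    if not HEX_COLOR.fullmatch(row.get("colorcode", "")):
        clean["colorcode"] = DEFAULT_COLOR             # invalid or missing: assign one
    return clean, errors


def import_rows(lines: List[str]) -> Dict[str, list]:
    """Partition rows into accepted and rejected, as an import job's summary would."""
    result = {"accepted": [], "rejected": []}
    for line in lines:
        clean, errors = validate_resource(parse_row(line))
        (result["rejected"] if errors else result["accepted"]).append((clean["resource"], errors))
    return result


# Constructed rows: one that should be accepted and one that trips four checks.
GOOD = ",".join(["web01", "Web Server", "alice", "0", "10.1.2.3", "High", "0"] + [""] * 8
                + ["prod/web", "web01.example.test", "#1F77B4", "rack=A7", "site=dc1"])
BAD = ",".join(["db02", "Database", "mallory", "2", "x" * 50, "Urgent", "0"] + [""] * 8
               + ["prod/db", "db02.example.test", "blue"])
```

import_rows([GOOD, BAD]) accepts web01 with ownerid 101 and two metadata pairs, and rejects db02 with four errors (criticality, decommissioned, owner, targetip) while silently replacing its colorcode, which is the one check the guide says is repaired rather than rejected.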

Steps to Import Resource Metadata

Navigate to Configure>Jobs, then Actions>Import>Activities. Click Add New Datasource. Enter the Datasource name and the IP address of the device. Example: for Device Type, choose sumologic (if it exists); otherwise click Create a new type. Add a new connection for Sumologic Import. Enter a name for the connection.

Select Connection Type (SumoLogic in this case).

Enter the URL, Username and Password.

Click Save and Close.

Configure the Import

Click the radio button next to the name of the Datasource you created. Click Preview to preview the data. Click Save and Next. On the Select Events to Import screen, click Add Filter.

Specify a name for the filter.


Select JSON/XML fields as the value for How do you want to split columns for each line?

Use comma (,) as delimiter (the default.)

Use equals sign (=) for Key Value Separator (the default).

On the Specify Regular Expression tab, specify the regular expression in the box. (This is used to filter the events from the input source). In order to consider all the events, use the regular expression dot-asterisk (.*).

Click Save and Next, then Save and Close.

Click Save and Next. Set correlation rule if needed. Click Save and Next. Click Save and Next on the Create Threat Group(s) tab. Run the job.

Importing Resources First, create a connection type for importing resources.

Navigate to Configure>Connection Types, then Action>Add New Connection. Give your new connection a name. Select Resources for the Connection Type for field. Select the Connection type from the dropdown. Save when satisfied with your settings.

Now configure the import:

Navigate to Configure>Jobs then Action>Import>Resources. Select the connection type you just created and click Next.

Fill in the Selection Criteria on the next screen. If your data has a column delimiter, be sure to enter the delimiter character (examples: comma [,], semi-colon [;], pipe [|]). Click Next when done.


Provide the Run Job details: job name, description, notification selections, schedule (if wanted), and click to save the job or run it immediately.

Importing User Data

User identity data is information about the user such as first name, last name, department, division, title, manager, etc. HP User Behavior Analytics uses the user identity data to add context to events and activities. Additionally, this information is used during analytics to identify suspicious activities. The user details from one or more identity data sources can be fed to the application. HP User Behavior Analytics provides connections to several different identity stores including directories, databases, delimited files, identity management systems and identity governance technologies.

In this section, you will see how to configure identity data import from the following:

• File

• Active Directory

• Oracle Identity Manager (OIM)

• Oracle Identity Analytics (OIA)

• Waveset IDM

• SailPoint

Importing User Data from Files

In this section we will see how to import data into the HP User Behavior Analytics application from a delimited (comma or pipe separated) file.

To begin the process of importing users navigate to Configure>Jobs, then Actions>Import>Users.


Step 1: Select or Create New Connection

Select Create New in the Connection drop-down. Select a Connection Type: Select File as the source of the user data from the drop-down. Connection Name: Specify a unique name for this connection. Upload File: If your import file is not already located in the import folder (securonix_home/import/in), use the Upload File option to place your import data file in the import folder.


File Name: Specify the name of the file. Column Delimiter: Provide the delimiter used to separate user attributes in the file. For example, enter a comma (,) for a csv file. Column Identifier: If each user field in the file is enclosed by a symbol, provide this value in the Column Identifier text box or leave it blank. (Example: If a feed appears like "E10001","first name","last name","department", then provide " as the column identifier.)

To preview user data click the Preview button. Click Save and Next.

Location of the File

Click the down arrow to drop down the More Settings section. By default, HP User Behavior Analytics expects the file to be in the $securonix_home/import/in folder. If the input file is located in another location, provide the location of the folder by editing the Source Folder text box.

After the import is completed, HP User Behavior Analytics compresses the file and moves it to the $securonix_home/import/success folder.

If the file fails to import, the HP User Behavior Analytics compresses the file and moves it to the $securonix_home/import/failed folder.


Excluding Headers in File

Exclude Header: To exclude header lines from being imported, set switch to Yes and enter a value (example: 1) in Number of Lines to Ignore.

Click Save and Next.

Step 2: Configure User Import

In this step, map the fields in the file to the attributes available in the application. Based on the Preview window shown at the bottom of the page, map the column numbers to the available attributes in the application. Note: Skip a field by not including the corresponding column number and the column name.


Map the field column positions appearing in the file to the appropriate user attributes available in the application. You can map fields like employeeid, firstname, department, division, manageremployeeid, hiredate and so on. Note: Date formatted fields (hiredate, sunrise, sunset, terminationdate) expect a date format. Select the date format from the drop-down. (Example: MM/dd/YY = 10/25/13, MM/dd/yyyy = 10/25/2013, MMM dd, yyyy for Oct 25, 2013), or type the date format you want to use.

Maintain Change History: The application can maintain old values for user identity attributes when they change. Set the switch in the Maintain Change History column to Yes on fields that you want to track.

Additional Settings

Additional Settings has a series of pull-out configuration areas; click the down arrow by each area to access and change its settings. Configuration areas under Additional Settings:

User Lifecycle Changes.

White List.

Pre and Post Actions.

User Timezone.

Merge Imported Data?

Notifications/Alerts.


User Lifecycle Changes

Select conditions to indicate user termination

When a user is terminated from the organization, the user record may be deleted from the source identity system or it may be flagged. HP User Behavior Analytics identifies user identities that have been terminated, based on the value provided under Select conditions to indicate user Termination. The choices are:

Do nothing.

User not present in input source: Choose this option if the user record is deleted from the input file.

User status flag set to terminate.

User-status description rule: Different HR systems use different nomenclature for capturing the status of employees within the organization. By mapping the status field from the user identity file to the status description field within HP User Behavior Analytics, you can specify rules to ensure that HP User Behavior Analytics marks these users as Active or Inactive. Example: the HR file has a field with values Term, Furlough, Departed, Fulltime. Map the column position where these values appear to the statusdescription field and set up User Status values as Term=0, Furlough=0, Departed=0, Fulltime=1.

Select conditions to indicate user transfer

When a user is transferred, their HR record changes. In most cases there is a change to the user’s department, division, manageremployeeid, jobcode, costcentercode, etc.

Select the fields that will indicate User Transfer. Example: Choose title, department and division fields to indicate user transfer. Use the Condition switch (“and” or “or”) to set whether any or all of the selected fields must change to indicate a transfer.
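The termination and transfer rules described above, as an added Python example that is not HP UBA's code: two constructed identity snapshots (the last import and the feed being imported now) are compared under the status-description rule (Term=0, Furlough=0, Departed=0, Fulltime=1) and under the user-not-present rule, with the transfer condition set to "or" in one run and to "and" in the other. Values the status rule does not cover are reported separately rather than silently treated as active or inactive; that handling is an assumption.

```python
"""User lifecycle detection as the import's Additional Settings describe it:
terminations by absence from the feed, by status flag, or by a status-description
rule, and transfers when selected HR fields change under an 'and'/'or' condition.
Added example, not HP UBA code; the records are constructed."""
from typing import Dict, List

# The guide's example rule: 0 = Inactive, 1 = Active.
STATUS_RULE = {"Term": 0, "Furlough": 0, "Departed": 0, "Fulltime": 1}


def detect_lifecycle(previous: Dict[str, dict], current: Dict[str, dict], *,
                     termination: str, transfer_fields: List[str],
                     condition: str = "or", status_rule: Dict[str, int] = STATUS_RULE) -> dict:
    """termination: 'nothing', 'not_present', 'status_flag' or 'status_description'."""
    events = {"new": [], "terminated": [], "transferred": [], "unmapped_status": []}
    for emp_id, new in current.items():
        old = previous.get(emp_id)
        if old is None:
            events["new"].append(emp_id)
            continue
        terminated = False
        if termination == "status_flag":
            terminated = str(new.get("status")) == "0"
        elif termination == "status_description":
            mapped = status_rule.get(new.get("statusdescription", ""))
            if mapped is None:               # surface values the rule does not cover
                events["unmapped_status"].append(emp_id)
            terminated = mapped == 0
        if terminated:
            events["terminated"].append(emp_id)
            continue
        changed = [f for f in transfer_fields if old.get(f) != new.get(f)]
        # 'or': any selected field changed; 'and': every selected field changed.
        if changed and (condition == "or" or len(changed) == len(transfer_fields)):
            events["transferred"].append((emp_id, changed))
    if termination == "not_present":         # record deleted from the source feed
        events["terminated"].extend(sorted(set(previous) - set(current)))
    return events


# Constructed snapshots: last import vs. the feed being imported now.
PREVIOUS = {
    "E1": {"title": "Engineer", "department": "Platform", "division": "Product", "statusdescription": "Fulltime"},
    "E2": {"title": "Analyst", "department": "Finance", "division": "Corporate", "statusdescription": "Fulltime"},
    "E3": {"title": "Manager", "department": "Sales", "division": "Field", "statusdescription": "Fulltime"},
    "E4": {"title": "Clerk", "department": "Finance", "division": "Corporate", "statusdescription": "Fulltime"},
}
CURRENT = {
    "E1": {"title": "Engineer", "department": "Security", "division": "Product", "statusdescription": "Fulltime"},
    "E2": {"title": "Analyst", "department": "Finance", "division": "Corporate", "statusdescription": "Term"},
    "E3": {"title": "Manager", "department": "Sales", "division": "Field", "statusdescription": "Sabbatical"},
    "E5": {"title": "Intern", "department": "Security", "division": "Product", "statusdescription": "Fulltime"},
}


def demo() -> dict:
    fields = ["title", "department", "division"]
    by_rule = detect_lifecycle(PREVIOUS, CURRENT, termination="status_description",
                               transfer_fields=fields, condition="or")
    by_absence = detect_lifecycle(PREVIOUS, CURRENT, termination="not_present",
                                  transfer_fields=fields, condition="and")
    return {"by_rule": by_rule, "by_absence": by_absence}
```

In the first run E2 is terminated by the rule, E1 is a transfer because one selected field (department) changed under "or", and E3's unmapped value is reported; in the second run only the absent E4 is terminated, and E1 is no longer a transfer because "and" requires all three fields to change.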


White List

Set the switch to Yes to add imported users to a White List automatically.

Pre and Post Actions

Create actions, such as an SQL query, to run before or after the user import.

User Timezone

Defaults to No. If enabled, you can configure rules to set a user’s timezone based on their location, using the location field, for example.

Merge Imported Data?

There might be scenarios where the user data is coming in from two different sources (e.g., PeopleSoft and LDAP). In this case, you might want to merge the data from the two sources in order to avoid duplicate users. To accomplish this, use Merge Imported Data.

For example, you have user data from PeopleSoft but some fields, like employee manager and last logon date, are not present. These fields are available from Active Directory, so simply merge the import from Active Directory with the PeopleSoft import. You can merge the user data on any attribute (e.g., employeeid).

Merge Imported Data defaults to No. If enabled, set which file to merge imported data with, whether to import new users, and the data fields used to decide whether to merge data (i.e., merge if employeeid matches).

Notifications/Alerts

Add email notifications for selected lifecycle changes, using an existing email template or by creating a new one (select Create New Email Template from the Email Template Select drop-down menu.)


When you have finished setting all import configuration options, click Save and Next.

Step 3: Run the Job

Enter a job name and description. By default, these are already filled in the text box based on date-time. You may enable notifications, if wanted, and set a scheduled time for the job to run, or accept the default of Now. Click Save and Run.

Step 4: Review Imported User Data

This screen shows the status of the job while it is running. Click Refresh at the top of the job status-indicator column to see the job update on the screen.

Actions you can take from the Job screen:


Edit: Edit all the settings for the job and rerun it or save for a future run.

Show Job Details: Check whether any errors occurred while importing user data from the file and view statistics about imported users.

Rerun job: rerun the job without changes.

Delete job.


Importing User Data from Active Directory

This section covers how to import data to the HP User Behavior Analytics application from Active Directory. HP User Behavior Analytics can connect to Active Directory using an LDAP or LDAP over SSL connection. HP User Behavior Analytics uses an LDAP search to query the directory for the appropriate data. It requires an account with read permissions to perform the search on the Active Directory. Follow the steps below to establish a connection, query Active Directory and import user identity data.

To begin the process of importing users navigate to Configure>Jobs then Actions>Import>Users.

Step 1: Configure New Connection


Select Create New in the Connection drop-down. Connection Type: Select Active Directory as the source of the user data. For Connection Details supply the following: SSL? Toggle to Yes if the LDAP connection requires SSL.

To enable SSL connections, add the appropriate CA cert to the existing Java keystore. For instructions on implementing this, please refer to the end of this section.

Hostname: Enter the IP address of the machine that holds the LDAP accounts.

LDAP Username: Enter LDAP username with privileges to search the OU structure where the user records are present. The default format is the domain\username.

LDAP Password: Specify the password for the Active Directory account.

Base Context: Enter the Base Context for Active Directory. This is usually the location in the AD tree structure where the search will start. The search always proceeds down the tree structure, never upward.

Example: Base context can be DC=hp,DC=com

Filter: Active Directory contains service accounts, user accounts, computer accounts and other accounts. Not all accounts are required by HP User Behavior Analytics. HP User Behavior Analytics restricts the search by specifying filters to extract user identity details.

Example: (&(objectCategory=person)(objectClass=User)). This could vary depending on the client configuration of the Active Directory.

Click Test Connection to check the credentials provided are correct and you are able to connect to Active Directory without any issues.

Click Save and Next. Before moving to the next screen, the solution provides an option to use Active Directory as the source for Access Entitlements. If you want to evaluate Active Directory group memberships, click Yes. If you don’t want to import group memberships, click No.


Adding Certificates to Java Keystore for Enabling SSL Connections:

From the terminal, get the location of JAVA_HOME using the command echo $JAVA_HOME. Invoke the keytool utility (found in the $JAVA_HOME/bin/ folder) to import the new certificate to the existing keystore.

To import the new CA certificate, run the following command:

sudo $JAVA_HOME/bin/keytool -import -alias [alias] -file [file location of the new certificate] -keystore $JAVA_HOME/jre/lib/security/cacerts

The default password for the keystore is changeit. Type Yes to the question Trust this certificate? The Certificate was added to keystore message indicates the successful import of the new certificate.

Restart Tomcat to reflect the changes.

Step 2: Configure user input

The attributes will be mapped for you by default. Maintain Change History: The application can maintain old values for user identity attributes when they change. Set the switch in the Maintain Change History column to Yes on fields that you want to track.


For details on the Additional Settings section, see Additional Settings under Importing User Data from Files.

Click Save and Next.

Step 3: Run the Job

Enter a job name and description. By default, these are already filled in the text box based on date-time. You may enable notifications, if wanted, and set a scheduled time for the job to run, or accept the default of Now. Click Save and Run.

Check the progress of the job by clicking the refresh button at the top of the job status column.

Step 4: Review Imported User Data Follow the steps listed under Importing User Data from Files: Step 4: Review Imported User Data.


Importing User Data from Oracle Identity Manager (OIM)

This section describes how to import from OIM. To begin the process of importing users, navigate to Configure>Jobs then Actions>Import>Users.

Step 1: Select or Create New Connection

Select Create New in the Connection drop-down. Select a Connection Type: Select Oracle IDM as the source of user data from the drop-down. Connection Name: Specify a unique name for this connection. Enter the IDM details such as Host Name, Port, Username and Password.

Details such as Naming Context Factory and Provider are preloaded with the connector. If different from default values, please update the configuration as required.

Click Save and Next.

Step 2: Configure User Import In this step, map the fields returned by the OIM connection to the attributes available in the application. The fields are populated automatically from the connection. For details on the Additional Settings section, see Additional Settings under Importing User Data from Files.

Click Save and Next.

Step 3: Run the Job Follow the steps listed under Importing User Data from Files: Step 3: Run the Job.

Step 4: Review Imported User Data Follow the steps listed under Importing User Data from Files: Step 4: Review Imported User Data.


Importing User Data from Oracle Identity Analytics (OIA) This section describes how to import users from OIA. To begin, navigate to Configure>Jobs, then Actions>Import>Users.

Step 1: Select or Create New Connection

Select Create New in the Connection drop-down. Connection Type: select Oracle Identity Analytics as the source of user data. Connection Name: specify a unique name for this connection. Select the database type that hosts OIA (MySQL, Oracle or another supported type). Enter the connection details: JDBC URL, Driver Class, database username and password. Enter the SQL query that extracts the user data from the database.

Note: Specify the SQL query without a trailing semicolon. Click Save and Next.

Step 2: Configure User Import In this step, map the fields returned by the query to the attributes available in the application. The fields are populated automatically from the query. For details on the Additional Settings section, see Additional Settings under Importing User Data from Files.


Click Save and Next.

Step 3: Run the Job Follow the steps listed under Importing User Data from Files: Step 3: Run the Job.

Step 4: Review Imported User Data Follow the steps listed under Importing User Data from Files: Step 4: Review Imported User Data.


Importing User Data from Waveset IDM This section describes how to import from Waveset IDM. To begin the process of importing users:

Navigate to Configure>Jobs then Actions>Import>Users.

Step 1: Select or Create New Connection

Select Create New in the Connection drop-down. Connection Type: select Waveset IDM as the source of user data. Connection Name: specify a unique name for this connection. Enter the IDM details: URL, Username and Password. User Request Filter, User Object Class and Request Batch Size are preloaded with the connector; update them only if your deployment differs from the default values. Click Save and Next.

Step 2: Configure User Import In this step, map the fields returned by the Waveset connection to the attributes available in the application. The fields are populated automatically from the connector. For details on the Additional Settings section, see Additional Settings under Importing User Data from Files.

Click Save and Next.

Step 3: Run the Job Follow the steps listed under Importing User Data from Files: Step 3: Run the Job.

Step 4: Review Imported User Data Follow the steps listed under Importing User Data from Files: Step 4: Review Imported User Data.


Importing User Data from SailPoint SailPoint provides streamlined access reviews, improves audit performance and reduces the cost of compliance. It also provides access certification, centralized IAM certification across all systems and acts as an access provisioning engine.

HP User Behavior Analytics has the ability to detect and score rogue access privileges using advanced peer-group analysis techniques. It also reduces the burden and rubber stamping during access certifications by providing only high risk access privileges for review. HP User Behavior Analytics improves the access request process by ensuring appropriate approvals for high risk access.

To begin the process of importing users navigate to Configure>Jobs then Actions>Import>Users.

Step 1: Select or Create New Connection

Select Create New in the Connection drop-down. Connection Type: select SailPoint as the source of user data. Connection Name: specify a unique name for this connection. Select MySQL as the database type and enter the MySQL connection details. Click Save and Next.

Step 2: Configure User Import In this step, map the fields returned by the SailPoint query to the attributes available in the application. The fields are populated automatically from the query.


For details on the Additional Settings section, see Additional Settings under Importing User Data from Files.

Click Save and Next.

Step 3: Run the Job Follow the steps listed under Importing User Data from Files: Step 3: Run the Job.

Step 4: Review Imported User Data Follow the steps listed under Importing User Data from Files: Step 4: Review Imported User Data.


Importing User Data from Aveksa Aveksa is an access governance product from RSA used for tasks such as access certification, role management and access auditing. Customers deploy it to aggregate identity data and correlate access entitlements so they get a single view of who has access to what across their environment.

HP UBA integrates directly with Aveksa to collect identities and access privileges, and analyzes those privileges to detect abnormal privileges assigned to users. Customers can then use Aveksa to run access certifications only on the suspicious access detected by HP UBA.

Prerequisites for importing users from Aveksa Prior to importing data from Aveksa, make sure to have the following information:

JDBC URL to connect to the Aveksa application (IP Address or host name, port number, Database name and type)

Credentials to establish the connection

Step 1: Select or Create New Connection Navigate to Configure>Jobs then Actions>Import>Users. Select Create New from the Connection drop-down and provide a name (example: Aveksa). Select the Connection Type Aveksa. Select the Database Type (Oracle). Enter the JDBC URL and provide the user name and password. Enter this query to get all users from the Aveksa database:

select FIRST_NAME, USER_ID, DEPARTMENT, LAST_NAME, LOCATION, TITLE, CASE WHEN (is_terminated=1) THEN 'Yes' ELSE 'No' END AS Terminated from AVUSER.T_MASTER_ENTERPRISE_USERS tmeu

Note: Choose the columns that you have populated in Aveksa by viewing all available columns in the T_MASTER_ENTERPRISE_USERS table. Enter the query without a trailing semicolon.

Click Save and Next.

Step 2: Configure User Import Map the database columns to the HP UBA fields. Choose additional settings like User Lifecycle Changes, Whitelist, Merge and Notification options. Click Save and Next.

Step 3: Run the Job Follow the steps listed under Importing User Data from Files: Step 3: Run the Job.

Step 4: Review Imported User Data Follow the steps listed under Importing User Data from Files: Step 4: Review Imported User Data.


Importing User Data from Database This section shows how to import data from a database (MySQL, MSSQL Server, Oracle, etc.)

To begin the process of importing users:

Navigate to Configure>Jobs then Actions>Import>Users

Step 1: Select or Create New Connection

Select Create New in the Connection drop-down. Connection Type: select Database as the source of user data. Connection Name: specify a unique name for this connection. Database type: select from the drop-down. Provide the database details (HP UBA prepopulates these fields with suggested formats):

JDBC URL

Driver Class

Database username and password


Enter the SQL query to be executed to extract the user data. Note: Specify the SQL query without a trailing semicolon. The query runs with the credentials entered above, so use a database account that has only SELECT privileges on the tables it reads.

Click Preview to see the data. Click Save and Next.

Step 2: Configure User Import In this step, map the fields returned by the query to the attributes available in the application. The fields are populated automatically from the query. For details on the Additional Settings section, see Additional Settings under Importing User Data from Files.

Click Save and Next.

Step 3: Run the Job Follow the steps listed under Importing User Data from Files: Step 3: Run the Job.

Step 4: Review Imported User Data Follow the steps listed under Importing User Data from Files: Step 4: Review Imported User Data.


Job Chaining Configuring job chaining lets peers and organizations be created automatically as part of a user import. To configure job chaining on any user import job:

Navigate to Configure>Jobs then Actions>Import>Users.

Select a connection and configure the user import following the directions for the import type, as outlined above.

On the Run Job tab, select the peer and organization creation rules to be chained to the user import.

Run the job, then check its status and review the completion details as with the other import jobs described in earlier sections.


Importing Access Data Access-related data for employees can be imported from different log files generated by different vendor tools. The Access Scanner can pull in these access files and import the data. Before we perform an access data import we need to understand the meaning of terms such as resource type, resource group and resource:

• Resource Type refers to applications, operating systems, server hosts, desktops, proxy servers, etc. The resource type may also represent the vendor name/product/version whose device is being monitored (example: Bluecoat Proxy Server, Microsoft Windows 2008, IBM AIX5.1 etc.)

• Resource Group refers to the source of the event data; and Resource Groups can be used to group resources together.

• Resource refers to the actual device itself.

In this section, you learn how to configure access data import from the following:

• Files

• Active Directory

• SailPoint

Creating Correlation Rules for Access Data Import One of the steps in creating every access import job is to select or add a correlation rule. The HP UBA correlation engine provides the following features:

Multiple correlation rules: many organizations use different conventions for creating account IDs on different applications, so the engine accepts several rules. The rules are evaluated in the order in which they are specified; as soon as an account ID is matched to a user identity, the engine stops processing the remaining rules for that account.

Multiple operations on identity data: the following operations can be applied to any identity attribute, and the result can be concatenated with other identity attributes:

Trim Left

Trim Right

Prefix

Postfix

Substring

Prefix and Postfix

Example: an application uses the convention first initial of the first name + first two letters of the last name + employee ID. In the HP UBA correlation engine this rule is constructed by:

Performing a substring operation on first name with 1,1 (start at the first character and extract one character)

Performing a substring operation on last name with 1,2 (start at the first character and extract two characters)

Concatenating with Employee ID
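The rule semantics above (ordered rules, one transformation per attribute, concatenation, first match wins) as an added example in Python. This is illustration code, not HP UBA's engine: the operation names, the 1-based substring parameters, the Rule/Condition structures and the sample users, rules and account IDs are all assumptions chosen to mirror the text.

```python
# Added example, not HP UBA code: an ordered correlation-rule engine.
# Each rule concatenates transformed user (HR) attributes into a candidate
# account ID; rules are evaluated in the order given and evaluation stops at
# the first rule that matches. Records, rules and account IDs are constructed.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Condition:
    """One transformation of a single user attribute."""
    attribute: str              # user attribute, e.g. "firstname"
    operation: str = "none"     # none|trimleft|trimright|prefix|postfix|substring|prepost
    params: tuple = ()          # meaning depends on operation, see apply_operation


def apply_operation(operation: str, value: str, params: tuple) -> str:
    """Apply one operator; the parameters mirror the rule's Parameter field."""
    if operation == "none":
        return value
    if operation == "trimleft":                 # drop N leading characters
        return value[params[0]:]
    if operation == "trimright":                # drop N trailing characters
        return value[:len(value) - params[0]]
    if operation == "prefix":
        return params[0] + value
    if operation == "postfix":
        return value + params[0]
    if operation == "substring":                # 1-based start position, length
        start, length = params
        return value[start - 1:start - 1 + length]
    if operation == "prepost":
        return params[0] + value + params[1]
    raise ValueError(f"unknown operation: {operation}")


@dataclass
class Rule:
    name: str
    conditions: list = field(default_factory=list)   # ANDed; concatenated in order
    separator: str = ""                              # inserted between the parts
    relation: str = "EXACT MATCH"                    # or "CONTAINS"
    weight: int = 0                                  # only used when rules are prioritised

    def candidate(self, user: dict) -> Optional[str]:
        """Account ID this rule predicts for a user; None if an attribute is missing."""
        parts = []
        for cond in self.conditions:
            value = user.get(cond.attribute)
            if value in (None, ""):
                return None
            parts.append(apply_operation(cond.operation, str(value), cond.params))
        return self.separator.join(parts)

    def matches(self, user: dict, account: str) -> bool:
        cand = self.candidate(user)
        if cand is None:
            return False
        if self.relation == "EXACT MATCH":
            return cand.lower() == account.lower()
        return cand.lower() in account.lower()       # CONTAINS


def correlate(account: str, users: list, rules: list) -> Optional[tuple]:
    """Evaluate rules in order; return (rule name, user) for the first hit, else None."""
    for rule in rules:
        for user in users:
            if rule.matches(user, account):
                return rule.name, user
    return None


# Constructed sample identity records, as an HR import would deliver them.
USERS = [
    {"employeeid": "10234", "firstname": "Sean", "lastname": "Murphy"},
    {"employeeid": "10567", "firstname": "Priya", "lastname": "Natarajan"},
]

# Rule 1 is the convention from the text (first initial + first two letters of
# the last name + employee ID); rule 2 is a lower-priority firstname.lastname
# convention assumed for a second application.
RULES = [
    Rule("initials+employeeid", [
        Condition("firstname", "substring", (1, 1)),
        Condition("lastname", "substring", (1, 2)),
        Condition("employeeid"),
    ], weight=10),
    Rule("firstname.lastname", [
        Condition("firstname"),
        Condition("lastname"),
    ], separator=".", weight=5),
]

if __name__ == "__main__":
    for acct in ("SMu10234", "priya.natarajan", "jdoe"):
        print(acct, "->", correlate(acct, USERS, RULES))
```

Because evaluation stops at the first matching rule, the order of RULES matters: a loose CONTAINS rule placed first will claim accounts that a stricter rule later in the list would have correlated more precisely, so put the most specific conventions first.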

Suggested matches: the HP UBA application uses special comparators that perform the following types of match:

Phonetics: returns words that sound like each other.

Character Swapping: returns matches by swapping characters (Sean misspelled as Saen will match).

Closest Match: jsmith01 and jsmith02 will match to jsmith.

To create correlation rules, follow these steps from the 2: Configuration screen.

Click Add Correlation Rule.


1: General Information

Provide a name for the rule. If you want to prioritize the rules (see More Settings on the Configuration screen), give this one a weight. Click Next.

2: Select Attribute

Select the attribute to use in correlating accounts. Click Next.

3: Specify conditions for User attributes

For Relation, choose EXACT MATCH or CONTAINS from the drop-down. Specify conditions for user attributes (the HR attribute that will be correlated to the activity attribute; for example, employeeid). Note: More than one correlation rule can be specified if required. All user attributes are available to select from.


This is where you set up such operations as trimming left or right, utilizing substrings, pre- or post-fixes

The Parameter field changes depending on what operation is selected:

o None – Parameter is blank

o Trim Left/Right – Parameter is used for number of characters to trim

o Pre-/Post-fix – Parameter is used for the pre/post fix string.

o Substring – Parameters for the start position and length of the substring.

o Pre and Postfix – Parameters to set the pre and postfix strings.

Condition AND applies if additional user attribute conditions are configured.

Separator – if checked, enter a value for a separator character.

Add/Delete user attribute conditions using the +/- buttons.

Click Next.

4: Provide Suggested Matches

Enable Comparators: configure for suggesting correlation matches. Set thresholds (Min/Max) and Weight

Enable individual comparators and set a “discredit value”:

Alphanumeric Comparator: Looks at the similarity in a range of characters at the beginning of the strings. Use: Ideal for alphanumeric account IDs, identities derived from SSN, birth dates.

CondensedString Comparator: Handles special diacritical characters. (A diacritical is a glyph added to a letter or basic glyph. Some diacritical marks, such as the acute ( ´ ) and grave ( ` ), are often called accents. Diacritical marks may appear above or below a letter, or in some other position such as within the letter or between two letters.)

o Takes into account misspelled characters as well as visual memory errors.

o Effective for both alphabetical and alphanumeric strings. Use: Effective for datasets containing special characters.

Transpose Comparator: Transposes the given pair of strings and computes the distance between them. Handles transposed characters and accounts for misspelled strings. Use: Effective for user identities derived from first name, last name and account ID.

Bigram: A Bigram algorithm compares two strings using all combinations of two consecutive characters within each string. For example, the word “bigram” contains the following bigrams: “bi”, “ig”, “gr”, “ra”, and “am”. Bigrams handle minor typographical or 'fat fingering'. Use: More efficient in alphabetical comparison
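The Bigram comparator described above, as an added example that is not HP UBA's implementation: it folds diacritics and case the way the CondensedString comparator is described as doing, scores two strings by the Dice coefficient over their bigram multisets, and keeps only users whose score reaches a Min threshold so that an analyst can confirm them. The single min_threshold in place of the product's Min/Max and discredit settings, the scoring formula and the sample users are assumptions.

```python
# Added example, not HP UBA code: bigram-based suggested matches.
# condense() mirrors the CondensedString idea (fold accents, case and
# punctuation); bigram_similarity() is the Bigram comparator scored with the
# Dice coefficient. Users, threshold and account IDs are constructed.
import unicodedata
from collections import Counter


def condense(s: str) -> str:
    """Fold diacritics (é -> e), lowercase, and drop non-alphanumerics."""
    decomposed = unicodedata.normalize("NFKD", s)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(ch for ch in stripped.lower() if ch.isalnum())


def bigrams(s: str) -> Counter:
    """Multiset of consecutive character pairs: 'bigram' -> bi, ig, gr, ra, am."""
    return Counter(s[i:i + 2] for i in range(len(s) - 1))


def bigram_similarity(a: str, b: str) -> float:
    """Dice coefficient over bigram multisets, in [0, 1]."""
    ba, bb = bigrams(a), bigrams(b)
    total = sum(ba.values()) + sum(bb.values())
    if total == 0:                      # both strings shorter than two chars
        return 1.0 if a == b else 0.0
    common = sum((ba & bb).values())    # multiset intersection
    return 2.0 * common / total


def suggest_matches(account: str, users: list, attribute: str,
                    min_threshold: float = 0.5, limit: int = 3) -> list:
    """Rank users whose `attribute` is bigram-similar to the account ID.

    Returns [(score, user)] best first, keeping only scores at or above
    min_threshold (the rule's Min threshold). Nothing is auto-correlated:
    the analyst still reviews and confirms each suggestion.
    """
    acct = condense(account)
    scored = []
    for user in users:
        score = bigram_similarity(acct, condense(str(user.get(attribute, ""))))
        if score >= min_threshold:
            scored.append((round(score, 3), user))
    scored.sort(key=lambda t: t[0], reverse=True)
    return scored[:limit]


# Constructed sample users; the accented first name exercises condense().
USERS = [
    {"userid": "10234", "fullname": "Seán Murphy"},
    {"userid": "10567", "fullname": "Priya Natarajan"},
]

if __name__ == "__main__":
    # "saenmurphy" is the character-swap misspelling from the text.
    print(suggest_matches("saenmurphy", USERS, "fullname"))
```

A swapped pair of characters destroys only the bigrams touching those positions, so "saenmurphy" still shares six of nine bigrams with "seanmurphy" and scores about 0.67, while an unrelated name scores 0 and is filtered out by the threshold.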

Click Save to complete the rule.

Importing Access Data from Files For this example we import IBM AIX account files.

Navigate to Configure>Jobs, then Action>Import>Access Entitlements.


1: Select Datasource Click Add New Datasource.

Under Step 1: Provide Data Source Details, provide the following: Data Source Name: IBM-AIX.

Select Device Type: Choose Create a new type from the drop-down.

Enter IBM for Add Data Source Vendor.

Leave Data Source Functionality blank.

Enter AIX for Data Source Type.

Click Save. In the Connection Details area, select Create a new connection from the drop-down and give it a unique name.


Select File Import from the Connection type drop-down.

File Prefix: Specify file name prefix. All files matching this prefix will be imported. Example: AIX_

Specify the Column Delimiter, such as a comma (,) or pipe (|).

The More Settings area (expand it by clicking the arrow) contains the default file locations ($HPUBA/securonix_home/import/). Unless you have changed these, there is nothing to do in this section.

Click Save and Next to move to Step 2: Define Access/Activity Attributes.

Click the Add Attributes button under the Access Attributes section. Based on the column headers present in the AIX_accounts file, create four attributes:

AccountName

PrimaryGroups

SecondaryGroups

home

Enable Use in Outliers Detection for the attribute PrimaryGroups. When an access outlier analysis is run for this resource, the analysis is performed on this field.

Ignore the Activity Attributes section for now and click Save and Next. At Step 3: Default Configuration, just click Finish. Back at the Step 1: Configure Data Source screen, click the radio button by your new IBM-AIX data source and you will see a preview of the data:


Click Save and Next.

2: Configuration In the Attribute Mapping section, map input file columns to data source attributes. Specify numerical values for column positions, starting from 1. In this example:

First position is AccountName (and IS the Account Name, so slide the switch to Yes).

Second position is PrimaryGroups; it is multi-valued and uses a comma delimiter.

Third position is SecondaryGroups, also multi-valued as above.

Fourth position is home.
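The mapping above expressed as code, as an added example that is not HP UBA's importer: it parses a pipe-delimited AIX_ account file by 1-based column position, splits the two multi-valued group columns on their comma delimiter, flags the Account Name column, and then inverts the records by group, which is the shape a peer-group access-outlier check on PrimaryGroups consumes. The file contents, the delimiters, the AttributeMapping structure and the group_membership helper are constructed assumptions.

```python
# Added example, not HP UBA code: position-based parsing of an access file
# with multi-valued columns, followed by a group -> accounts inversion.
import csv
import io
from dataclasses import dataclass

# Constructed AIX_accounts sample: pipe-delimited columns, comma-separated
# values inside the two group columns, header row present.
SAMPLE_AIX_FILE = (
    "AccountName|PrimaryGroups|SecondaryGroups|home\n"
    "root|system|bin,sys,security,cron,audit|/\n"
    "jdoe|staff|staff,dba|/home/jdoe\n"
    "svc_backup|staff|backup,sys|/home/svc_backup\n"
)


@dataclass
class AttributeMapping:
    name: str                     # data source attribute name
    position: int                 # 1-based column position in the file
    is_account_name: bool = False # the "IS the Account Name" switch
    multi_valued: bool = False
    value_delimiter: str = ","    # delimiter inside a multi-valued column


MAPPINGS = [
    AttributeMapping("AccountName", 1, is_account_name=True),
    AttributeMapping("PrimaryGroups", 2, multi_valued=True),
    AttributeMapping("SecondaryGroups", 3, multi_valued=True),
    AttributeMapping("home", 4),
]


def parse_access_file(text: str, mappings: list, column_delimiter: str = "|",
                      has_header: bool = True) -> list:
    """Return one dict per data line: {attribute: str-or-list, "account": str}.

    Raises ValueError if the mapping is inconsistent or a line is too short,
    rather than silently importing a partial record.
    """
    account_attrs = [m for m in mappings if m.is_account_name]
    if len(account_attrs) != 1:
        raise ValueError("exactly one attribute must be flagged as the Account Name")
    rows = list(csv.reader(io.StringIO(text), delimiter=column_delimiter))
    first_data_line = 2 if has_header else 1
    if has_header:
        rows = rows[1:]
    records = []
    for lineno, row in enumerate(rows, start=first_data_line):
        if not row or all(c.strip() == "" for c in row):
            continue                                    # skip blank lines
        rec = {}
        for m in mappings:
            if m.position > len(row):
                raise ValueError(f"line {lineno}: column {m.position} ({m.name}) missing")
            raw = row[m.position - 1].strip()
            if m.multi_valued:
                rec[m.name] = [v.strip() for v in raw.split(m.value_delimiter) if v.strip()]
            else:
                rec[m.name] = raw
        rec["account"] = rec[account_attrs[0].name]
        records.append(rec)
    return records


def group_membership(records: list, attribute: str = "PrimaryGroups") -> dict:
    """Invert records into {group: sorted account names} for the chosen attribute."""
    out = {}
    for rec in records:
        values = rec[attribute] if isinstance(rec[attribute], list) else [rec[attribute]]
        for group in values:
            out.setdefault(group, set()).add(rec["account"])
    return {g: sorted(accounts) for g, accounts in out.items()}


if __name__ == "__main__":
    recs = parse_access_file(SAMPLE_AIX_FILE, MAPPINGS)
    print(group_membership(recs))
    print(group_membership(recs, "SecondaryGroups"))
```

Keeping the column delimiter and the in-column value delimiter distinct is what makes the multi-valued columns unambiguous; if the file used commas for both, the group lists would have to be quoted or the import would mis-split them.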

See Creating Correlation Rules for Access Data Import, at the beginning of this section. Under More Settings on the Configuration screen, set the slide switches to modify how correlations will be handled. If you make changes, click Save.


Click Save and Next when done with configuration options.

3: Run Job The configuration summary on the Run Job screen shows the Access Attributes and Correlation Rules that you configured. Provide a unique job name and description.

You can schedule the job to run at a later time, or

Click Save and Run to run the import job immediately.

Check the progress of the job by clicking the refresh button at the top of the job status column.

Back on the Jobs screen, review the correlated users by clicking Show Correlation Results and then the Correlated Users tab.


To view users who have similar access, click the User ID and select the Monitor Access tab. Next, click Account Name and then the View Access Details icon to view users who have similar access.

For Uncorrelated Accounts, review the suggestions one by one and click Confirm where the confidence percentage is high enough to accept that the account belongs to that user. It is also possible to correlate accounts manually.


Importing Access Data from Active Directory Navigate to Configure>Jobs, then to Actions>Import>Access Entitlements.

1: Select Datasource Click Add New Datasource.

In Step 1: Provide Datasource Details, under General Details:

In Datasource Name provide a name that uniquely identifies this data source.

Optional: enter an IP address.

In Select Device Type select from the list of drop-down or create a new device type.

Under Archive Activity Data you can leave the fields blank or set up archiving periods.


Under Access Connection Details, provide the following details: Connection Name: the connection used to pull in access entitlements for the data source.

To create a new connection click Create New Connection from the drop-down and then provide a unique name to identify the connection.

Connection Type: Active Directory. SSL?: Set to Yes to connect over LDAPS. With SSL off, the simple bind sends the LDAP password to the domain controller in clear text.

Host Name: Enter host name and port for AD.

LDAP User Name: User name used to connect to AD. A dedicated, read-only account is sufficient for pulling entitlements.

LDAP Password: Credentials to connect to AD.

Base Context: Provide the base context for this AD connection to pull in access entitlements.

Filter: The query used to fetch results from AD.

Click Test Connection to confirm the entries are correct.

Click Save and Next. In the Access Attributes section, a pre-populated list of attributes to be pulled in from AD is displayed.


Add new attributes by clicking Add Attributes, or delete existing attributes by selecting them (check box) and clicking Remove Attributes. In the Activity Attributes section, keep the default selections. Set Include in Peer Group Based Activity Outliers? to Yes for the attributes to be used in outlier detection analysis. Click Save and Next to go to Step 3: Default Configuration. Select the reports (if any) associated with this data source and click Finish.

Back at the 1: Select Datasource screen, select the datasource you just created. You will see a preview of the data to be imported; click Save and Next.

2: Configuration Follow the steps in Importing Access Data from Files/2: Configuration.

3: Run Job Follow the steps in Importing Access Data from Files/3: Run Job.


Importing Access Data from SailPoint This section describes how to import access entitlements from SailPoint:

Navigate to Configure>Jobs then Actions>Import>Access Entitlements.

1: Select Datasource Select the SailPoint datasource, created in Importing User Data from SailPoint.

2: Configuration Follow the steps in Importing Access Data from Files/2: Configuration.

3: Run Job Follow the steps in Importing Access Data from Files/3: Run Job.

Importing Access Data from Aveksa Aveksa’s products are built to manage the user access lifecycle, including initial access request, approval, fulfillment, review, certification and remediation. Aveksa Compliance Manager provides visibility of entitlements across applications, platforms and data sources in the enterprise, and manages the overall process for compliance reviews.

HP UBA integrates with Aveksa Compliance Manager to import users and access entitlements. HP UBA analyzes the access entitlements assigned to each user and detects rogue access privileges. These rogue privileges can be sent for certification through Aveksa Compliance Manager, reducing the workload for certifiers since they only need to certify the access privileges that are outliers and suspicious.

Prerequisites Create a service account with read-only privileges on the Aveksa database; the import only runs SELECT statements, so the account needs nothing more. Collect the JDBC connection details for the Aveksa database (IP address or hostname, database name, port number, SID):

Database Type: Oracle11g

Driver: oracle.jdbc.driver.OracleDriver

URL: jdbc:oracle:thin:@servername:1521:aveksadb

Username (example: aveksadbuser) and password

1: Select Datasource Navigate to Configure>Jobs then Action>Import>Access Entitlements. Select a Resource Type or Create a new Device Type for Aveksa.

Provide a datasource name (example:AveksaDB).

Device Type: Database.

Connection name will be filled in for you (example: Aveksa_ACCESS).

Connection type: Database.

Enter the SQL query below. Its first branch returns app-role entitlements and its second branch resource/action entitlements; in both, the left outer join on model with model.entitlement_id is null drops entitlements that are also granted indirectly (through a role or by inheritance), so only explicit direct assignments are returned. 'APPNAME' in the two classification filters is a placeholder: replace it with the classification value of the Aveksa applications whose entitlements you want to collect, and enter the query without a trailing semicolon.

Select Application_Name, User_ID, Full_Name, Entitlement_Type, Entitlement_Name from (
select nvl( app.ALT_NAME, app.NAME ) AS Application_Name,
       tmeu.USER_ID as User_ID,
       tmeu.LAST_NAME ||','|| tmeu.FIRST_NAME As Full_Name,
       xue.ENTITLEMENT_TYPE as Entitlement_Type,
       ar.NAME as Entitlement_Name
from AVUSER.T_AV_EXPLODEDUSERENTITLEMENTS xue
join AVUSER.T_MASTER_ENTERPRISE_USERS tmeu on tmeu.id=xue.entitled_id
join AVUSER.T_ENTITLEMENT_GROUPS ar on ar.id=xue.entitlement_id
join AVUSER.T_APPLICATIONS app on app.id=xue.APPLICATION_ID
join AVUSER.T_DATA_COLLECTORS dc on dc.ID = xue.DC_ID
left outer join AVUSER.T_AV_BUSINESS_UNITS BU ON BU.ID = app.BUSINESS_UNIT_ID
left outer join AVUSER.T_AV_ACCOUNTS acc on acc.id=xue.ENTITLED_DERIVED_FROM_ID and xue.ENTITLED_DERIVED_FROM_TYPE='account'
left outer join (select distinct entitlement_id from
  ( select entitlement_id from AVUSER.t_av_explodeduserentitlements x
    where entitlement_type='app-role' and entitled_type='user'
      and (entitlement_derived_from_type not in ('explicit') or entitled_derived_from_type not in ('explicit','account'))
      and x.deletion_date is null
    union all
    select entitlement_id from AVUSER.V_AV_INROLEENTITLEMENTS where entitlement_type='app-role' )) model on model.entitlement_id = xue.entitlement_id
where xue.ENTITLED_DERIVED_FROM_TYPE in ('explicit','account')
  and xue.ENTITLEMENT_DERIVED_FROM_TYPE in ('explicit')
  and xue.entitlement_type='app-role' and xue.entitled_type='user'
  and xue.deletion_date is null and model.entitlement_id is null
  and app.classification = 'APPNAME'
Union all
select nvl( app.ALT_NAME, app.NAME ) AS Application_Name,
       tmeu.USER_ID as User_ID,
       tmeu.LAST_NAME ||','|| tmeu.FIRST_NAME As Full_Name,
       xue.ENTITLEMENT_TYPE as Entitlement_Type,
       (RESOURCE_NAME || ' : ' || ACTION_NAME) as Entitlement_Name
from AVUSER.T_AV_EXPLODEDUSERENTITLEMENTS xue
join AVUSER.T_ENTITLEMENTS ent on ent.id=xue.entitlement_id
join AVUSER.T_RESOURCES res on res.id=ent.RESOURCE_ID
join AVUSER.T_APPLICATIONS app on app.id=xue.APPLICATION_ID
join AVUSER.T_DATA_COLLECTORS dc on dc.ID = xue.DC_ID
join AVUSER.T_MASTER_ENTERPRISE_USERS tmeu on tmeu.id=xue.entitled_id
left outer join AVUSER.T_AV_BUSINESS_UNITS BU ON BU.ID = app.BUSINESS_UNIT_ID
left outer join AVUSER.T_AV_ACCOUNTS acc on acc.id=xue.ENTITLED_DERIVED_FROM_ID and xue.ENTITLED_DERIVED_FROM_TYPE='account'
left outer join (select distinct entitlement_id from
  ( select entitlement_id from AVUSER.t_av_explodeduserentitlements x
    where entitlement_type='ent' and entitled_type='user'
      and (entitlement_derived_from_type not in ('explicit') or entitled_derived_from_type not in ('explicit','account'))
      and x.deletion_date is null
    union all
    select entitlement_id from AVUSER.V_AV_INROLEENTITLEMENTS where entitlement_type='ent' )) model on model.entitlement_id = xue.entitlement_id
where xue.ENTITLED_DERIVED_FROM_TYPE in ('explicit','account')
  and xue.ENTITLEMENT_DERIVED_FROM_TYPE in ('explicit')
  and xue.entitlement_type='ent' and xue.entitled_type='user'
  and xue.deletion_date is null and model.entitlement_id is null
  and app.classification = 'APPNAME')

Database Type: Oracle Thin

JDBC URL: jdbc:oracle:thin:@servername:1521:aveksadb

Driver Class: oracle.jdbc.OracleDriver

Database user name (Example: aveksadbuser) and Password

Click Save and Next. In 2: Define Access/Activity Attributes map fields to HP UBA. Click Save and Next. In 3: Default Configuration add reports as needed. Click Finish.

Back at the Select Datasource screen, select your new Aveksa datasource using the radio button. Click Save and Next.

2: Configuration Follow the steps in Importing Access Data from Files/2: Configuration.

3: Run Job Follow the steps in Importing Access Data from Files/3: Run Job.

Importing Access Data from Database

1: Select Datasource Navigate to Configure>Jobs, then Action>Import>Access Entitlements. Select the Database datasource if it is already created, or click Add New Datasource. In 1: Provide Datasource Details, specify:

Data Source Name: AccessDBImport (a unique name to identify the datasource)

IP Address: can be blank

Click the magnifying glass next to the drop-down by the Select Device Type field and select:

Data Source Vendor: Select the vendor from the list available

You can leave the Functionality field blank.

For Device Type select Create New Device and name it AccessDB.

In the Access Connection Details area, enter a Connection Name to identify this data source (or accept the default).

Enter Database for Connection type.

SQL Query: Enter the SQL query to be executed to extract the access data from the database.

Enter other database connection details such as database type, JDBC URL, DB username and password.

Click Save and Next to move to Step 2: Define Access/Activity Attributes. Click on the Add Attributes button under Access Attributes. For example, add three columns from a sample database:

accessvalue1

accessvalue2

AccountName

Enable Use in Outliers Detection for the attributes accessvalue1 and accessvalue2. When an access outlier analysis is run for this resource, the analysis is performed based on these fields.

Click Save and Next to move to Step 3: Default Configuration. If needed, configure and add Dashboard, Resource and User Reports. Click Finish. Back at the datasource selection screen, select the DB Import you just set up. (The data preview box will confirm that your connection works.) Click Save and Next.

2: Configuration Follow the steps in Importing Access Data from Files/2: Configuration.

3: Run Job Follow the steps in Importing Access Data from Files/3: Run Job.

Importing Access Data from Oracle Identity Manager (OIM) Oracle Identity Manager is an identity management product provided by Oracle that provides the capability of performing automated provisioning, de-provisioning, password management and access governance. Organizations import user identity and access privileges into Oracle Identity Manager. HP UBA integrates with Oracle Identity Manager to provide the comprehensive identity and access intelligence capabilities needed to detect rogue access privileges.

Perform the following steps to import the access data from OIM.

Step 1: Create a connection Navigate to Configure>Connection Types then Action>Add New Connection. Provide the following information:

Connection name: Provide a name to identify the connection (Example: Oracle_IDManager_RG2)

Connection Type for: Resources

Connection Type: Oracle IDM

Enter Connection Details:

Host Name: Provide the host name or IP Address

Port: Provide the port (Example: 7001)

User Name: Enter the user name to connect (Example: xelsysadm)

Password: Enter the password (Example: Welcome1)

Login Config

OIM Home: Set this to the Xellerate installation in your environment (Example: c:\oracle\OIM\xellerate)

Step 2: Create a New Datasource Navigate to Configure>Jobs, then Action>Import>Access Entitlements. Click Add New Datasource. Provide Datasource Details:

Data Source Name: AccessDBImport (This needs to be a unique name to identify the datasource)

IP Address: Enter the IP Address of the device

Select Device Type: You can select from an existing Device Type or create your own device by selecting the Create New Device option.

Enter a Connection Name that identifies this data source. Provide Connection type as “Database”.

SQL Query: Enter the SQL query that needs to be executed to extract the access data from the database. Enter other database connection details such as JDBC URL, DB username and password.

Click Save and Next. Click the Add Attributes button under Access Attributes and add appropriate fields. For example, three columns from a sample database:

AccountName

accessvalue1

accessvalue2

Enable Use In Outliers Detection for the attributes accessvalue1 and accessvalue2. When an access outlier analysis is run for this resource, the analysis is performed based on these fields.

Click Save and Next, then Finish.

Step 3: Configuration Back on the 1: Select Datasource screen, select the datasource you just created. Click Save and Next. In 2: Configuration, in the Attribute Mapping section, map input file columns to Datasource attributes. Specify numerical values for column positions starting from 1. In this demo, AccountName is in the first position, accessvalue1 in the second position and accessvalue2 in the third position. accessvalue1 and accessvalue2 can be multivalued if the values are separated by a comma (,).

Correlation Rules: See Creating Correlation Rules for Access Data Import.

Step 4: Run Job Submit the Access Import Job by providing a Job name and Job Description. Click on Save and Run. Review the correlated users by clicking on Show Correlation Results.

Importing Access Data from Oracle Identity Analytics (OIA) Oracle Identity Analytics is an identity and access governance product provided by Oracle that provides the capability of performing access certifications, access auditing and role management. Organizations typically import user identity and access privileges into Oracle Identity Analytics for automating the access certification process. HP UBA integrates with Oracle Identity Analytics to provide comprehensive identity and access intelligence capabilities needed to detect rogue access privileges. By automating the process of scanning the millions of user to entitlement combinations, the HP UBA product reduces the access governance workload by over 90%. These rogue access privileges can then be sent for certification using the HP UBA product or the Oracle Identity Analytics product.

HP UBA can import all available applications, users and access entitlements from the Oracle Identity Analytics product.

Perform the following steps to import the access data from OIA.

Step 1: Create a Connection To establish a connection to the Oracle Identity Analytics (OIA) solution, you must provide HP UBA with the details of the database server housing the OIA data. You need valid credentials for the OIA database with read-only permissions.

Navigate to Configure>Connection Types then Action>Add New Connection. Provide the following information:

Connection name: Provide a name to identify the connection (Example: Oracle_Identity_Analytics – no spaces.)

Connection Type for: Resources

Connection Type: Oracle Identity Analytics

Enter Connection Details:

Database Type: Oracle or MySQL or MSSQLServer

JDBC URL: jdbc:mysql://localhost:3306/srm5

User Name: Enter the user name to connect (Example: rbacxservice)

Password: Enter the password (Example: rbacxservice)

Click Save.

Step 2: Import Available Applications Navigate to Configure>Jobs, then Action>Import>Resources. Select Oracle_Identity_Analytics for Connection Type and click Next. A list of all available applications is extracted from Oracle Identity Analytics and shown. Choose the ones that you want to import into HP UBA and click Next. Provide a name for the Job and click Run.

Step 3: Import Access Entitlements Navigate to Configure>Jobs, then Action>Import>Access Entitlements. You will see the list of applications that were imported in Step 2 above. Select from the list and click Save and Next. View the attributes that were automatically created in Step 2. Correlation Rules: See Creating Correlation Rules for Access Data Import. Run the job.

Importing Activity Data (Events) This section describes how to import activity data (events) into HP User Behavior Analytics to perform various analytical techniques and detect abnormal user activities and behaviors.

HP User Behavior Analytics supports a bi-directional integration with ArcSight components, such as ArcSight ESM, ArcSight Logger and ArcSight SmartConnectors. The bi-directional integration includes:

• Forwarding activity data (events) from ArcSight SmartConnectors and ArcSight Loggers to HP User Behavior Analytics

• Forwarding policy violation events from HP User Behavior Analytics to ArcSight ESM

• Performing drill-downs from the ArcSight Console to HP User Behavior Analytics using integration commands

This section shows how to configure HP User Behavior Analytics to import activity data from:

• HP ArcSight

• File

• Syslog

• Other SIEM vendors

Creating Correlation Rules for Activity Import One of the steps in creating every Activity/Event import job is to select or add a correlation rule. The HP UBA application provides a comprehensive and feature-rich correlation engine with the following features:

Ability to specify multiple correlation rules: Many organizations have different conventions for creating account IDs for users on different applications. The HP UBA correlation engine allows the specification of multiple correlation rules. The correlation rules are evaluated in the order in which they are specified. When the account ID is matched to a user identity within the organization, the correlation rule engine stops processing the remaining rules.

Ability to specify multiple operations on the identity data: The correlation engine allows the following operations to be performed on any identity attribute. The identity attribute generated after the operator is applied can be concatenated with other identity attributes.

Trim Left

Trim Right

Prefix

Postfix

Substring

Prefix and Postfix

Example: An application uses the convention of first initial of first name + first two characters of last name + employee ID.

In the HP UBA Correlation engine this rule can be constructed by:

Perform substring operation on first name with 1,1 (start from first character and extract the first character)

Perform substring operation on last name with 1,2 (start from first character and extract the first two characters)

Concatenate with Employee ID

Ability to request suggested matches: The HP UBA application utilizes special comparators that perform the following types of matches:

Phonetics: The comparator provides results for words that sound like each other.

Character Swapping: The comparator provides results by swapping characters (Sean misspelled as Saen will match).

Closest Match: jsmith01 and jsmith02 will match to jsmith.

To create correlation rules, follow these steps (from the 3: Define Identity Correlation Rule(s) screen.)

Click Add Correlation Rule.

Specify the values for the correlation rule fields. Select Event Field (the Activity Attribute which will be used, such as UserID).

For Relation choose EXACT MATCH or CONTAINS from the drop-down.

Specify conditions for User attributes (the HR attribute which is correlated to the Activity attribute, for example employeeid). Note: More than one correlation rule can be specified if required. All user attributes are available to select from.

This is where you set up operations such as trimming left or right, substrings, and prefixes or postfixes.

The Parameter field changes depending on what operation is selected:

o None – Parameter is blank

o Trim Left/Right – Parameter is used for number of characters to trim

o Pre-/Post-fix – Parameter is used for the pre/post fix string.

o Substring – Parameters for the start position and length of the substring.

o Pre and Postfix – Parameters to set the pre and postfix strings.

Condition AND applies if additional user attribute conditions are configured.

Separator – if checked, enter a value for a separator character.

Add/Delete user attribute conditions using the +/- buttons.

Enable Comparators: configure for suggesting correlation matches. Set thresholds (Min/Max) and Weight.

Enable individual comparators and set a “discredit value”:

Alphanumeric

CondensedString

Transpose

Bigram: A Bigram algorithm compares two strings using all combinations of two consecutive characters within each string. For example, the word “bigram” contains the following bigrams: “bi”, “ig”, “gr”, “ra”, and “am”. Bigram comparison tolerates minor typographical errors ('fat fingering').

Click Save and Close to complete the rule.
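The ordered rule evaluation, the identity-attribute operations and the Bigram comparator described above, as an added Python example that is not part of this guide or of the HP UBA product. The HR identities, account IDs, rule definitions and the Dice-style bigram score are constructed for illustration.

```python
"""Added example (not HP UBA product code): a small model of the correlation
rule evaluation and the Bigram comparator described in this section. The HR
identities, account IDs and rule definitions below are constructed sample
data; the operation and relation names follow the fields listed above."""
from typing import Dict, List, Optional, Tuple

# Constructed HR identity records, as an identity import would load them.
USERS: List[Dict[str, str]] = [
    {"firstname": "Sean", "lastname": "Smith", "employeeid": "10023", "network_id": "ssmith"},
    {"firstname": "Jane", "lastname": "Doe", "employeeid": "10044", "network_id": "jdoe"},
    {"firstname": "John", "lastname": "Smith", "employeeid": "10077", "network_id": "jsmith"},
]

# Rule 1 is the convention from the text: first initial + first two characters
# of the last name + employee ID. Rule 2 is a looser fallback on employee ID.
# Rules are evaluated in this order and evaluation stops at the first match.
RULES: List[dict] = [
    {"relation": "EXACT MATCH", "separator": "",
     "conditions": [("firstname", "Substring", (1, 1)),
                    ("lastname", "Substring", (1, 2)),
                    ("employeeid", "None", None)]},
    {"relation": "CONTAINS", "separator": "",
     "conditions": [("employeeid", "None", None)]},
]


def apply_operation(value: str, operation: str, parameter) -> str:
    """One operation from the Parameter field list; Substring positions start at 1."""
    if operation == "None":
        return value
    if operation == "Trim Left":                  # parameter: number of characters to trim
        return value[int(parameter):]
    if operation == "Trim Right":
        return value[:len(value) - int(parameter)]
    if operation == "Prefix":                     # parameter: the prefix string
        return f"{parameter}{value}"
    if operation == "Postfix":
        return f"{value}{parameter}"
    if operation == "Substring":                  # parameter: (start position, length)
        start, length = parameter
        return value[start - 1:start - 1 + length]
    if operation == "Prefix and Postfix":         # parameter: (prefix, postfix)
        pre, post = parameter
        return f"{pre}{value}{post}"
    raise ValueError(f"unknown operation {operation!r}")


def expected_account_id(user: Dict[str, str], rule: dict) -> str:
    """Apply each condition's operation and concatenate with the rule separator."""
    parts = [apply_operation(user[attr], op, param) for attr, op, param in rule["conditions"]]
    return rule["separator"].join(parts)


def relation_holds(account_id: str, expected: str, relation: str) -> bool:
    if relation == "EXACT MATCH":
        return account_id.lower() == expected.lower()
    if relation == "CONTAINS":
        return expected.lower() in account_id.lower()
    raise ValueError(f"unknown relation {relation!r}")


def correlate(account_id: str, users=USERS, rules=RULES) -> Optional[str]:
    """Return the employee ID of the first identity any rule matches, else None."""
    for rule in rules:
        for user in users:
            if relation_holds(account_id, expected_account_id(user, rule), rule["relation"]):
                return user["employeeid"]
    return None


def bigrams(word: str) -> List[str]:
    """Consecutive character pairs: 'bigram' -> bi, ig, gr, ra, am."""
    w = word.lower()
    return [w[i:i + 2] for i in range(len(w) - 1)]


def bigram_similarity(a: str, b: str) -> float:
    """Dice coefficient over shared bigrams: 1.0 identical, 0.0 nothing in common."""
    ga, gb = bigrams(a), bigrams(b)
    if not ga or not gb:
        return 0.0
    pool, shared = list(gb), 0
    for g in ga:
        if g in pool:
            pool.remove(g)
            shared += 1
    return 2 * shared / (len(ga) + len(gb))


def suggest_matches(account_id: str, attribute: str, threshold: float,
                    users=USERS) -> List[Tuple[float, str]]:
    """Suggested (unconfirmed) identities whose attribute scores >= threshold, best first."""
    scored = [(round(bigram_similarity(account_id, u[attribute]), 3), u["employeeid"])
              for u in users]
    return sorted([(s, e) for s, e in scored if s >= threshold], reverse=True)


if __name__ == "__main__":
    for acct in ("ssm10023", "svc-10044-batch", "jsmith01"):
        print(acct, "->", correlate(acct) or "no rule match",
              "; suggestions:", suggest_matches(acct, "network_id", 0.6))
```

Note that a pure transposition such as Sean/Saen shares no bigrams at all, which is why the guide lists Character Swapping (Transpose) as a separate comparator.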

Importing Events from HP ArcSight HP User Behavior Analytics can import events directly from ArcSight SmartConnectors, or from an aggregated source (such as ArcSight Logger). Refer to the ArcSight documentation to set up SmartConnectors and/or Loggers to send events to HP User Behavior Analytics using a CEF syslog destination.

Configure HP User Behavior Analytics to Import ArcSight Events

Part 1: Creating the Datasource

Navigate to Configure>Jobs, then to Action>Import>Activities. Click Add New Datasource. In General Details:

Specify a Datasource Name (usually the hostname of the agent which sends the syslog messages).

Select Arcsight-[device type]-CEF from the Device Type drop-down.

Specify the time zone as GMT, unless the default time zone in the ArcSight configuration has been modified.

In Connection Details: Specify the file name as (example) messages-20150805

Specify the file prefix as messages-.

Under More Settings: Keep the default values for the Source, Success and Failed folders.

In Specify staging folder, enter the path to the syslog location where the CEF files are written.

Click Save and Close.

Part 2: Configuring and Running the Job

The data source is now created and ready to be fetched. The line filters and attribute mappings are loaded by default with the connector. Update the mappings, if any custom fields should be used in analysis.

Step 1: Select a Datasource Select the ArcSight data source that was created earlier and click Save and Next.

Step 2: Select Events to Import. Expand More Settings and toggle Use CEF Parser? to Yes. Specify the CEF Properties File Name as arcsight.properties.

Click Save and Next.

Step 3: Define Identity Correlation Rules

Click Add Correlation Rule (see the details above). Click Save and Next.

Step 4: Create Threat Group(s) Set Would you like to run real time policies? to Yes if you want to run checks in real time.

Setting the switch to Yes brings up the policy selection screen. Enable selected policies using the slide switch(es) and reorder them by dragging and dropping into the desired sequence.

Click Save and Next.

Step 5: Run the Job Click Save and Run to run the job immediately or set up a schedule.

Understanding ArcSight Properties The majority of ArcSight critical fields are mapped to the application by default in arcsight.properties.

Note: If ArcSight custom fields are mapped with critical fields that are required for analysis, update the application mapping to map the custom fields to analyzable fields. By default, they are mapped to custom strings in the application, which cannot be used for analysis.

Use the following three properties to send messages to ArcSight:

• protocol=udp

• host=

• port=

HP User Behavior Analytics parses the CEF-formatted ArcSight file using this properties file. Use the rawFileNameRegEx property to provide the name of the input file generated by ArcSight. You can use regular expressions here.

rawFileNameRegEx=2013-06-20-03-10-03.cef

The first five values extracted by HP User Behavior Analytics are mapped to Resource Name, Resource Type, Account name, IP Address and DateTime. The <attributenamePreference> signifies the order in which HP UBA attempts to map fields. If the first value is missing from Arcsight, HP UBA attempts to map the next value in the comma separated list. If none of the values attempted are detected, HP UBA directly uses the value assigned to the <attribute>.

Example: HP User Behavior Analytics attempts to create a Resource with the name provided in the dhost value from Arcsight. If this is missing, it uses the dvchost value and so on.

ResourceNamePreference=dvchost,deviceVendor
ResourceGroupName=ArcSight
DeviceTypePreference=deviceProduct
DeviceType=ArcSightDevice
DeviceTypeExclude=ForeFront,ArcSight,ArcSightDevice,CiscoRouter,Device Monitor,DHCP Server,DNS Capture,ESX,ePolicy Orchestrator,IAS,Informer,IronPort,NIOS,NT syslog,Profiler,Proxy SG,Script Logging,Security,SystemMonitor,System Monitor,YARA
AccountNamePreference=suser,duser,suid,duid
AccountName=ArcSightAccount
# custom
# note if there is a space in resource type, please remove the space
# resource type is case insensitive
NetscreenVPN_AccountNamePreference=suser
MicrosoftWindows_AccountNamePreference=suser,duser
Unix_AccountNamePreference=duser,suser
DNSServer_AccountNamePreference=src
PIX_AccountNamePreference=dst
#SecurOSFACE_AccountNamePreference=cn1
WAC_AccountNamePreference=suid
IPAddressPreference=src,dst,dvc
IPAddress=Unknown
# custom
# note if there is a space in resource type, please remove the space
# resource type is case insensitive
NetscreenVPN_IPAddressPreference=src,dvc,dvchost
MicrosoftWindows_IPAddressPreference=src,dst,dvc,dvchost
Unix_IPAddressPreference=src,deviceInboundInterface,dst
WebGateway_IPAddressPreference=dhost,dst
DNSServer_IPAddressPreference=dhost,dst
PIX_IPAddressPreference=src
SourcefireManagementConsoleeStreamer_IPAddressPreference=src
TimePreference=rt,art
MessagePreference=message,categoryBehavior+categoryOutcome,categoryBehavior,categoryOutcome
WebGateway_MessagePreference=message,categoryBehavior+categoryOutcome
DNSServer_MessagePreference=categoryOutcome
PIX_MessagePreference=categoryBehavior
Unix_MessagePreference=categoryOutcome
Unix_Message2Preference=categoryBehavior
## Flexibility to specify IF/OR/AND conditions for account,message,ipaddress preferences
#MicrosoftWindows_Message4Preference=cn1 ONLYIF MicrosoftWindows_MessageValue EQUALS "An account was successfully logged on." OR cn2 ONLYIF MicrosoftWindows_MessageValue EQUALS "An account was Deleted."
#MicrosoftWindows_AccountNamePreference=cn1 ONLYIF MicrosoftWindows_AccountNamePreference EQUALS "An account was successfully logged on." OR cn2 ONLYIF MicrosoftWindows_MessageValue EQUALS "An account was Deleted."
#MicrosoftWindows_IPAddressPreference=cn1 ONLYIF MicrosoftWindows_IPAddressPreference EQUALS "An account was successfully logged on." OR cn2 ONLYIF MicrosoftWindows_MessageValue EQUALS "An account was Deleted."

Microsoft Windows Message Settings

MicrosoftWindows_MessagePreference=message
MicrosoftWindows_Message2Preference=categoryBehavior
MicrosoftWindows_Message3Preference=categoryOutcome
MicrosoftWindows_Message4Preference1=cn1 ONLYIF MicrosoftWindows_MessageValue EQUALS "An account was successfully logged on."
MicrosoftWindows_Message5Preference=dproc
MicrosoftWindows_Message6Preference=filePath ONLYIF MicrosoftWindows_MessageValue EQUALS "A network share object was accessed."
MicrosoftWindows_Message6Preference=fname ONLYIF MicrosoftWindows_MessageValue EQUALS "An attempt was made to access an object."
#MicrosoftWindows_Message6Preference1=cn1 ONLYIF MicrosoftWindows_MessageValue EQUALS "An account was successfully logged on."
#MicrosoftWindows_Number1Preference=art
#MicrosoftWindows_Number2Preference=art
#MicrosoftWindows_Number3Preference=art
#MicrosoftWindows_Number4Preference=art
#MicrosoftWindows_Number5Preference=art

Change Auditor For Exchange Message Settings

ChangeAuditorforExchange_MessagePreference=message
ChangeAuditorforExchange_Message2Preference=categoryBehavior
ChangeAuditorforExchange_Message3Preference=categoryOutcome

Exclusion By device Type

Unix_ExcludeFields=message
DNSServer_ExcludeFields=request
PIX_ExcludeFields=shost

Exclude message value

RealSecureServerSensor_ExcludeMessageValue=User_logout,User_login
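The preference-chain lookup described above (device-type override, then the comma-separated fallback list, then the plain attribute default), as an added Python example that is not the product's parser. The two CEF lines and the property subset are constructed; the case-insensitive override lookup, joining '+' parts with a space, and requiring every '+' part to be present are assumptions about the product's exact behaviour.

```python
"""Added example (not the HP UBA parser): how the <attribute>Preference
fallback chains in arcsight.properties pick Resource Name, Device Type,
Account Name, IP Address, DateTime and Message out of one CEF event.
The two CEF lines and the property subset are constructed; the device-type
override lookup, joining '+' parts with a space, and requiring every '+' part
to be present are assumptions about the product's exact behaviour."""
import re
from typing import Dict, Optional

# Constructed subset of arcsight.properties (values as listed in this section).
PROPS: Dict[str, str] = {
    "ResourceNamePreference": "dvchost,deviceVendor",
    "DeviceTypePreference": "deviceProduct",
    "DeviceType": "ArcSightDevice",
    "AccountNamePreference": "suser,duser,suid,duid",
    "AccountName": "ArcSightAccount",
    "MicrosoftWindows_AccountNamePreference": "suser,duser",
    "IPAddressPreference": "src,dst,dvc",
    "IPAddress": "Unknown",
    "MicrosoftWindows_IPAddressPreference": "src,dst,dvc,dvchost",
    "TimePreference": "rt,art",
    "MessagePreference": "message,categoryBehavior+categoryOutcome,"
                         "categoryBehavior,categoryOutcome",
}
ATTRIBUTES = ("ResourceName", "DeviceType", "AccountName", "IPAddress", "Time", "Message")
HEADER_KEYS = ("deviceVendor", "deviceProduct", "deviceVersion",
               "deviceEventClassId", "name", "severity")

# Constructed sample events: a Windows logon and a firewall drop with no user fields.
WIN_EVENT = ("CEF:0|Microsoft|Microsoft Windows|6.0|Security:4624|"
             "An account was successfully logged on.|Low|"
             "rt=1438771200000 suser=jdoe duser=Administrator src=10.1.2.3 "
             "dvc=10.1.2.50 dvchost=dc01 categoryBehavior=/Authentication/Verify "
             "categoryOutcome=/Success")
FW_EVENT = ("CEF:0|Acme|Net Filter|2.1|100|Connection dropped|Medium|"
            "art=1438771260000 dvc=192.0.2.9 categoryOutcome=/Failure")


def parse_cef(line: str) -> Dict[str, str]:
    """Split a CEF:0 line into its seven header fields plus key=value extensions."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF:0 line")
    fields = dict(zip(HEADER_KEYS, parts[1:7]))
    # An extension value runs until the next ' key=' token or the end of the line.
    for key, value in re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", parts[7]):
        fields[key] = value.strip()
    return fields


def device_type_key(fields: Dict[str, str]) -> str:
    """Resource type used as the property prefix: spaces removed, per the file's comment."""
    return fields.get("deviceProduct", PROPS["DeviceType"]).replace(" ", "")


def resolve(fields: Dict[str, str], attribute: str) -> Optional[str]:
    """Try <DeviceType>_<attr>Preference, then <attr>Preference, then the <attr> default."""
    wanted = f"{device_type_key(fields)}_{attribute}Preference".lower()
    override = next((v for k, v in PROPS.items() if k.lower() == wanted), None)  # case-insensitive
    chain = override if override is not None else PROPS.get(f"{attribute}Preference", "")
    for candidate in filter(None, chain.split(",")):
        values = [fields.get(name) for name in candidate.split("+")]
        if all(values):                       # '+' concatenates; all parts must exist (assumption)
            return " ".join(values)
    return PROPS.get(attribute)               # e.g. AccountName=ArcSightAccount, or None


def normalize(line: str) -> Dict[str, Optional[str]]:
    """Resolve every normalized attribute for one CEF line."""
    fields = parse_cef(line)
    return {attr: resolve(fields, attr) for attr in ATTRIBUTES}


if __name__ == "__main__":
    for event in (WIN_EVENT, FW_EVENT):
        print(normalize(event))
```

For the firewall line the account falls through to the ArcSightAccount default and the time comes from art, which is exactly the behaviour the text describes for a missing first preference.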

The attributes defined below are parsed from the CEF input file. These values are present as name=value pairs in the CEF-formatted file. If additional attributes are needed from the ArcSight CEF file, add additional cefxx attributes below. The HP User Behavior Analytics parser generates a pipe-separated file; the CEF attributes occupy column position 17 onwards, as listed below.

#Column 17,CEF 1
cef1=act
#Column 18,CEF 2
cef2=app
#Column 19,CEF 3
cef3=cnt
#Column 20,CEF 4
cef4=dvc
#Column 21,CEF 5
cef5=dvchost
#Column 22,CEF 6
cef6=dst
#Column 23,CEF 7
cef7=dhost
#Column 24,CEF 8
cef8=dmac
#Column 25,CEF 9
cef9=dntdom
#Column 26,CEF 10
cef10=dpt
#Column 27,CEF 11
cef11=dproc
#Column 28,CEF 12
cef12=duid
#Column 29,CEF 13
cef13=dpriv
#Column 30,CEF 14
cef14=duser
#Column 31,CEF 15
cef15=fname
#Column 32,CEF 16
cef16=fsize
#Column 33,CEF 17
cef17=in
#Column 34,CEF 18
cef18=msg
#Column 36,CEF 20
cef20=proto
#Column 37,CEF 21
cef21=request
#Column 38,CEF 22
cef22=src
#Column 39,CEF 23
cef23=shost
#Column 40,CEF 24
cef24=smac
#Column 41,CEF 25
cef25=spt
#Column 42,CEF 26
cef26=spriv
#Column 43,CEF 27
cef27=suid
#Column 44,CEF 28
cef28=suser
#Column 45,CEF 29
cef29=cat
#Column 46,CEF 30
cef30=deviceDnsDomain
#Column 47,CEF 31
cef31=deviceTranslatedAddress
#Column 48,CEF 32
cef32=deviceMacAddress
#Column 49,CEF 33
cef33=destinationDnsDomain
#Column 50,CEF 34
cef34=dntdom
#Column 51,CEF 35
cef35=dhost
#Column 52,CEF 36
cef36=dpt
#Column 53,CEF 37
cef37=dproc
#Column 54,CEF 38
cef38=duid
#Column 55,CEF 39
cef39=dpriv
#Column 56,CEF 40
cef40=duser
#Column 57,CEF 41
cef41=deviceDirection
#Column 58,CEF 42
cef42=deviceInboundInterface
#Column 59,CEF 43
cef43=deviceOutboundInterface
#Column 60,CEF 44
cef44=deviceProcessName
#Column 61,CEF 45
cef45=externalId
#Column 62,CEF 46
cef46=filePath
#Column 63,CEF 47
cef47=oldFilename
#Column 64,CEF 48
cef48=oldfilePath
#Column 65,CEF 49
cef49=fileType
#Column 66,CEF 50
cef50=oldfileType
#Column 67,CEF 51
cef51=oldfsize
#Column 68,CEF 52
cef52=requestClientApplication
#Column 69,CEF 53
cef53=requestMethod
#Column 70,CEF 54
cef54=categoryOutcome
#Column 71,CEF 55
cef55=categoryBehavior
#Column 72,CEF 56
cef56=art
#Column 73,CEF 57
cef57=rt
#Column 74,CEF 58
cef58=categorySignificance
#Column 75,CEF 59
cef59=categoryDeviceGroup
#Column 76,CEF 60
cef60=categoryObject
#Column 77,CEF 61
cef61=deviceSeverity
#Column 78,CEF 62
cef62=sntdom
#Column 79,CEF 63
cef63=cn1
#Column 80,CEF 64
cef64=categoryTupleDescription
#Column 81,CEF 65
cef65=catdt
#Column 82,CEF 66
cef66=dpid
#Column 83,CEF 67
cef67=dvcpid
#Column 84,CEF 68
cef68=eventId
#Column 85,CEF 69
cef69=spid
#Column 86,CEF 70
cef70=sproc
#Column 87,CEF 71
cef71=fileCreateTime
#Column 88,CEF 72
cef72=fileModificationTime
#Column 89,CEF 73
cef73=deviceCustomDate1
#Column 90,CEF 74
cef74=deviceCustomDate2
#Column 91,CEF 75
cef75=cn2
#Column 92,CEF 76
cef76=cn3
#Column 93,CEF 77
cef77=cs1
#Column 94,CEF 78
cef78=cs2
#Column 95,CEF 79
cef79=cs3
#Column 96,CEF 80
cef80=cs4
#Column 97,CEF 81
cef81=cs5
#Column 98,CEF 82
cef82=cs6
#Column 99,CEF 83
cef83=deviceEventClassId
#Column 100,CEF 84
cef84=deviceVendor
#Column 101,CEF 85
cef85=deviceVersion
#Column 102,CEF 86
cef86=flexDate1
#Column 103,CEF 87
cef87=fn1
#Column 104,CEF 88
cef88=fn2
#Column 105,CEF 89
cef89=fs1
#Column 106,CEF 90
cef90=fs2
#Column 107,CEF 91
cef91=start
#Column 108,CEF 92
cef92=end
#Column 109,CEF 93
cef93=deviceProduct
#Column 110,CEF 94
cef94=message
#Column 111,CEF 95
cef95=file.name
#Column 112,CEF 96
cef96=file.size
#Column 113,CEF 97
cef97=file.md5.hash
#Column 114,CEF 98
cef98=alias.ip
#Column 115,CEF 99
cef99=client
#Column 116,CEF 100
cef100=payload
#Column 117,CEF 101
cef101=packets
#Column 118,CEF 102
cef102=tcp.srcport
#Column 119,CEF 103
cef103=action
#Column 120,CEF 104
cef104=ip.src
#Column 121,CEF 105
cef105=tcp.dstport
#Column 122,CEF 106
cef106=threat.category
#Column 123,CEF 107
cef107=sessionid
#Column 124,CEF 108
cef108=directory
#Column 125,CEF 109
cef109=ip.dst

In the above arcsight.properties, if any ArcSight field name is missing from the map (cefxx=fieldname), add the new field at the end of the file in the following format (the column number and CEF number are each incremented from the previous value):

#Column <column-number>,CEF <cef-number>
cef<cef-number>=ip.dst


Importing Events from Log Files

Part 1: Creating the Datasource Navigate to Configure>Jobs then Action>Import>Activities. In Step 1: Select Datasource click Add New Datasource.

Enter a name for this datasource. Select or create a new device type. (Selecting an existing resource type automatically creates the fields needed to store the event attributes and the parsers to normalize the events. You may also create a custom resource type by selecting the Create New Type option.)

In Connection Details, provide a unique Connection Name or use Default. For the Connection Type, choose File Import.


The source file can be uploaded using the tool itself, placed manually in the source folder (default is $HPUBA11/securonix_home/import/in), or the source folder can be pointed to the location of the files (for example, the incoming syslog folder).

Specify the name of the file from which data will be imported (Example: AD-DC-001.csv). If there are multiple files, specify the File Prefix and the File Postfix to let the application identify the files to be imported. Use the slide switch to indicate whether the files are in JSON format.

Click Save and Close.

Part 2: Configuring and Running the Job

Step 1: Select Datasource Back at the Select Datasource screen, choose the datasource just created. Click Save and Next.

Step 2: Select Events to Import.

On this tab, choose what events you are interested in importing. New filters can be added or the existing ones can be used in order to filter the events. In order to create a new filter, click on Add Filter.

On the first tab – Step 1: Filter Events specify a name for the filter.

Select the filtering method; there are four available:

o Capturing groups (regular expressions).

o Delimited fields (used when the fields are separated by a delimiter).

o Fixed length fields.

o JSON/XML fields.


On the second tab (Step 2: Extract Fields), you will see the list of event fields, their mappings and formats, the selections for including each field in analysis and in “Peer Group Based Activity Outliers”, the selection for displaying the field in the UI, the field position and the display order.

When done configuring and selecting filters, click Save and Close to close the filter creation/editing screen.

Back on the main Select Events to Import screen, expand More Settings to enable storing data for correlation with another data source.


If you set the store IP Address switch to Yes, you’ll get the following edit screen:

If Yes was already selected, the switch will have an Edit button to click to make changes:

Click Save and Next.

Step 3: Define Identity Correlation Rules

Click Add Correlation Rule (see detail above). Click Save and Next.

Step 4: Create Threat Group(s)

Set the slide switch to Yes to enable Suspect Checks (run real-time policies), then create new policies or enable existing ones.

Click Save and Next.


Step 5: Run Job

Enter a Job Name and Job Description. By default, a job name based on the date/time is already filled in. Click Save and Run to run the job now, or set up a schedule to run it later.

Review Job Status

Actions you can take from the Job screen:

• Edit: Edit all the settings for the job and rerun it or save for a future run.

• Show Job Details: Check whether any errors occurred while importing user data from the file and view statistics about the imported users.

• Show Correlation Results: Only on jobs that have a correlation component.

• Rerun job: rerun the job without changes.

• Delete job.

Click Show Job Details to check for errors present while importing user data from the file and review the number of users imported.


Importing Events using Syslog

The HP User Behavior Analytics application can receive events through Syslog. By default, a Syslog-ng server is set up with HP User Behavior Analytics with the appropriate configuration. The Syslog-ng server listens for incoming events on UDP port 514. If you want to use a syslog listener other than Syslog-ng, that service must be configured to write the incoming events to separate folders per source.

Verify that the Syslog-ng service is installed on your server. Go to the shell prompt on the server and enter the following command to get the service status. If Syslog-ng is not installed, the system returns an “unrecognized service” error.

    service syslog-ng status

The default Syslog-ng configuration file shipped with HP User Behavior Analytics is shown below.

    @version:3.2
    # syslog-ng configuration file.

    options {
        flush_lines (0);
        time_reopen (10);
        log_fifo_size (1000);
        long_hostnames (off);
        use_dns (no);
        use_fqdn (no);
        create_dirs (yes);
        keep_hostname (yes);
        chain_hostnames(off);
        dir_perm(0775);
        perm(0775);
    };

    source s_sys {
        file ("/proc/kmsg" program_override("kernel: "));
        unix-stream ("/dev/log");
        internal();
    };

    # Capture incoming events on port 514
    source s_net { udp(port(514)); };

    # Specify the destinations
    destination d_cons { file("/dev/console"); };
    destination d_mesg { file("/var/log/$HOST/messages-$YEAR$MONTH$DAY"); };
    destination d_auth { file("/var/log/$HOST/secure"); };
    destination d_mail { file("/var/log/$HOST/maillog" flush_lines(10)); };
    destination d_spol { file("/var/log/$HOST/spooler"); };
    destination d_boot { file("/var/log/$HOST/boot.log"); };
    destination d_cron { file("/var/log/$HOST/cron"); };
    destination d_kern { file("/var/log/$HOST/kern"); };
    #destination d_mlal { usertty("*"); };
    #destination d_all { file("/var/log/$HOST/"); };


    # Specify the filters
    filter f_kernel { facility(kern); };
    filter f_default { level(info..emerg) and not (facility(mail) or facility(authpriv) or facility(cron)); };
    filter f_auth { facility(authpriv); };
    filter f_mail { facility(mail); };
    filter f_emergency { level(emerg); };
    filter f_news { facility(uucp) or (facility(news) and level(crit..emerg)); };
    filter f_boot { facility(local7); };
    filter f_cron { facility(cron); };
    filter all { not (facility(kern) or facility(mail) or facility(authpriv) or facility(uucp) or facility(news) or facility(local7) or facility(cron)); };

    # Specify the logging
    #log { source(s_sys); filter(f_kernel); destination(d_cons); };
    log { source(s_sys); filter(f_kernel); destination(d_kern); };
    log { source(s_sys); source(s_net); filter(f_default); destination(d_mesg); };
    log { source(s_sys); filter(f_auth); destination(d_auth); };
    log { source(s_sys); filter(f_mail); destination(d_mail); };
    #log { source(s_sys); filter(f_emergency); destination(d_mlal); };
    log { source(s_sys); filter(f_news); destination(d_spol); };
    log { source(s_sys); filter(f_boot); destination(d_boot); };
    log { source(s_sys); filter(f_cron); destination(d_cron); };

    # vim:ft=syslog-ng:ai:si:ts=4:sw=4:et

Note: The configuration filters out all debug-level messages and the mail, authpriv and cron facilities (see filter f_default).

The Syslog server is configured to listen on port 514. By default, the application is configured to receive the event logs into the /var/log folder. A folder named after the hostname or IP address of the sender is created when data starts coming in. File rotation is daily by default. If the log volume is very high, set the rotation to hourly by changing messages-$YEAR$MONTH$DAY to messages-$YEAR$MONTH$DAY$HOUR in the d_mesg destination.

Once the appliance starts receiving events, the configuration is similar to file import. The source location in the connection details has to point to /var/log/<host> (the syslog location of the device being configured).
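As an added example (not from the guide and not syslog-ng code), the following Python models the routing the configuration above applies to events arriving on UDP port 514: it decodes the PRI of an RFC 3164 line, applies f_default and the d_mesg file template with daily or hourly rotation, and returns the per-host file the event is written to. Because s_net appears only in the f_default log path, it also shows which remote events (mail, authpriv, cron and all debug) are dropped. The sample messages and sender address are constructed; hostname extraction is a simplified stand-in for syslog-ng's own header parsing.

```python
import re
from datetime import datetime, timezone

# RFC 3164 facility and severity codes; PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# Simplified RFC 3164 header "Mmm dd hh:mm:ss HOSTNAME ..." (syslog-ng's own detection is richer).
HEADER_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) ")


def parse_pri(line):
    """Return (facility, severity, rest). A line without a valid PRI is treated as
    user.notice (PRI 13), the RFC 3164 default for messages lacking a PRI."""
    m = PRI_RE.match(line)
    if m and int(m.group(1)) <= 191:
        pri = int(m.group(1))
        return FACILITIES[pri >> 3], SEVERITIES[pri & 7], m.group(2)
    return "user", "notice", line


def host_of(rest, sender_ip):
    """$HOST with keep_hostname(yes) and use_dns(no): the hostname carried in the
    message header if present, otherwise the sender's IP address."""
    m = HEADER_RE.match(rest)
    return m.group(1) if m else sender_ip


def f_default(facility, severity):
    """filter f_default { level(info..emerg) and not (facility(mail) or
    facility(authpriv) or facility(cron)); }"""
    return severity != "debug" and facility not in ("mail", "authpriv", "cron")


def d_mesg_path(host, received_at, hourly=False):
    """destination d_mesg: /var/log/$HOST/messages-$YEAR$MONTH$DAY, or with $HOUR
    appended when rotation has been switched to hourly as the guide suggests."""
    stamp = received_at.strftime("%Y%m%d%H" if hourly else "%Y%m%d")
    return f"/var/log/{host}/messages-{stamp}"


def route(line, sender_ip, received_at, hourly=False):
    """File an event received on s_net (udp 514) is written to, or None if dropped.
    s_net is referenced only by the f_default -> d_mesg log statement, so remote
    mail/authpriv/cron and debug-level events are not stored anywhere."""
    facility, severity, rest = parse_pri(line)
    if not f_default(facility, severity):
        return None
    return d_mesg_path(host_of(rest, sender_ip), received_at, hourly)


# Constructed sample traffic from two devices, as it would arrive on UDP 514.
SENDER = "10.0.0.9"
RECEIVED_AT = datetime(2015, 8, 19, 16, 0, tzinfo=timezone.utc)
SAMPLE_LINES = [
    # auth.info (PRI 38): kept, lands in web01's daily messages file
    "<38>Aug 19 16:00:00 web01 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    # authpriv.info (PRI 86): PAM session logs on most Linux distributions, silently dropped
    "<86>Aug 19 16:00:01 web01 sshd[1234]: pam_unix(sshd:session): session opened for user alice",
    # user.debug (PRI 15): dropped by level(info..emerg)
    "<15>Aug 19 16:00:02 web01 myapp: verbose trace output",
    # local0.info (PRI 134): typical firewall syslog, kept under the device's hostname
    "<134>Aug 19 16:00:03 fw01 %ASA-6-302013: Built outbound TCP connection 42 for outside:203.0.113.7/443",
    # no PRI and no header: user.notice, filed under the sender's IP address
    "plain text line with no syslog header",
]


def routing_table(lines=SAMPLE_LINES, hourly=False):
    """Map each sample line to its destination file (None when dropped)."""
    return {line: route(line, SENDER, RECEIVED_AT, hourly) for line in lines}


if __name__ == "__main__":
    for line, dest in routing_table().items():
        print(f"{dest or 'DROPPED':45s} <- {line[:60]}")
```

If a device logs authentication to the authpriv facility, point its source folder at a destination that s_net actually feeds, or add a log statement for it, before expecting those events in HP UBA.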


Importing Events from Other SIEM Solutions

HP User Behavior Analytics can also import events from other SIEM solutions, such as Splunk, McAfee and IBM. You can use the steps for Splunk, below, as a guide for other SIEMs.

Importing Events from Splunk

The application supports out-of-box integration with Splunk. Configuring integration between HP User Behavior Analytics and Splunk involves the following basic components:

• Set up saved searches in Splunk.

• Configure the application to connect to Splunk using a service account that has the authority to execute saved searches.

Part 1: Creating the Datasource

Navigate to Configure>Jobs then Action>Import>Activities. Click Add New Datasource. In General Details, specify the following:

A unique data source name.

Splunk for Device Type.

The time zone for the logs.

In Activity Connection Details:

Select Create New Connection and specify a unique name for the connection.


In the Connection Type drop-down, select Splunk.

Specify the URL, Username, Password, Host, Port and App.

Select the saved search that will be used to pull in activities from the Available Splunk Searches drop-down menu.

Click Save and Close to create the data source.

Part 2: Configuring and Running the Job

Step 1: Select Datasource

Select the data source that was created earlier and click on Save and Next.

Step 2: Select Events to Import

Select events to import by adding or creating event filters. Click Save and Next.

Step 3: Define Identity Correlation Rules

Define correlation rules (see detail above). Click Save and Next.

Step 4: Create Threat Group(s)

Set Would you like to run real time policies? to Yes if you want to run checks in real time. Click Save and Next.


Step 5: Run the Job

Click Save and Run on the last screen to run the job, or configure options to run the job later or on a schedule.

Importing Events from a Database

Part 1: Creating the Datasource

Navigate to Configure>Jobs then Action>Import>Activities. Click Add New Datasource.

In General Details

Specify a unique datasource name to identify the source.

Choose Create a new type for Device Type.

Specify the time zone for the logs.

Skip the Archive weeks and months entries.

Connection Details

Select Create New Connection and specify a unique name for the connection.

In the drop down for Connection Type, select Database.

Specify the query that is required to fetch the events from the target database server.

By default, the buffer type is set to Memory. If you want to change the buffer type, select it from the drop-down menu (choices are Memory, System and File).

Toggle Incremental to Yes to do continuous import.

Select the incremental field name from the drop down list.

Select the type of the incremental field from the drop down.

Specify the format of the field, if the type is Time.

Specify the incremental condition in the following format (replace fieldname with the actual incremental field name): where fieldname > "${fieldname}"

Batch size and Error count to terminate job are loaded by default.

Select the Database Type from the drop down.

Specify the JDBC URL to connect to the database server.

The Driver Class is preloaded based on the database type selected.

Specify the Username and Password for the database account that has privileges to fetch the events.

Click Save and Close.

Part 2: Configuring and Running the Job

Step 1: Select Datasource


Select the data source that was created earlier and click Save and Next.

Step 2: Select Events to Import

Click Add Filter. In Step 1: Filter Events, specify the Event Filter Name.

Select Delimited Fields as the split columns.

Specify “,” as the delimiter.

Click the Regular Expression Builder tab.

Drag and drop appropriate filters to import specific lines.

o To select all lines, drag and drop Special Characters.

o Leave the first drop-down choice as Not Applicable.

o For Value, the second drop-down, select Non Whitespace.

o Select May or May not Occur in the Occurrence drop-down.

Click Save and Next.

In Step 2: Extract Fields, click Add Event Field to create attributes for each of the fields in the select statement.

Specify the attribute name of each field in the select statement.

From the Mapped Attribute drop down, map the appropriate HP UBA field.

Toggle switches for Do you want to include this attribute in analysis, Tpi Enabled?, Display on UI? and Include in Peer Group Based Activity Outliers? as required.

Specify the column position of the field.

Click Create Attribute.

Repeat for each attribute.

When finished, click Save and Close.

Click Save and Next.

Step 3: Define Identity Correlation Rules

Click Add Correlation Rule. (See detail above). Click Save and Next.

Step 4: Create Threat Group(s)

Set Would you like to run real time policies? to Yes if you want to run checks in real time. Click Save and Next.


Step 5: Run Job

Click Save and Run to run immediately, or set up a schedule.


Importing Events from Splunk

Note: Firewall rules must allow connections from the Master node and the Child nodes that will collect from Splunk, not just the Child node collecting from Splunk.

HP UBA supports out-of-box integration with Splunk. Configuring integration between HP UBA and Splunk involves the following basic components:

• Set up saved searches in Splunk.

• Configure HP UBA to connect to Splunk using a service account that has the authority to execute saved searches.

Part 1: Creating the Datasource

Navigate to Configure>Jobs, then Actions>Import>Activities. Click Add New Datasource.

In General Details:

Give the datasource a unique name.

Choose Splunk for Device Type.

Specify the timezone for the logs.

In Connection Details:

Select Create New Connection and specify a unique name for the connection.

In the drop down of Connection Type, select Splunk.

Specify the URL, Username, Password, Host, Port and App.

Select the saved search that will be used to pull in activities from the Available Splunk Searches drop-down menu.

Click Save and Close.

Part 2: Configuring and Running the Job

Step 1: Select Datasource

Click the radio button next to the name of the datasource you just created (this also pulls up preview data).

Click Save and Next.

Step 2: Select Events to Import

Click Add Filter. In Step 1: Filter Events, specify a name for the filter.

Click Save and Next to move to Step 2: Extract Fields. Add event fields (e.g. date, time, IP address, userID, transaction) by clicking Add Event Field. Make sure the field mappings and formats for Date and Time are correct.

Since the data is in key-value pairs, enter the key to which each data field is mapped.

Click Save and Close to exit filter set up.


Click Save and Next.

Step 3: Define Identity Correlation Rules

Click Add Correlation Rule. (See detail above). Click Save and Close.

Step 4: Create Threat Groups

Set Would you like to run real time policies? to Yes if you want to run checks in real time. Click Save and Next.

Step 5: Run Job

Click Save and Run to run the job immediately or schedule it as preferred.

Sample Splunk Queries

Windows Events

index=server host=*domc* sourcetype="WinEventLog:*" sourcetype="WinEventLog:Security" EventCode NOT (512 OR 513 OR 516 OR 518 OR 519 OR 551 OR 593 OR 594 OR 596 OR 600 OR 601 OR 602 OR 613 OR 614 OR 615 OR 616 OR 617 OR 618 OR 619 OR 623 OR 669 OR 670 OR 672 OR 673 OR 674 OR 675 OR 676 OR 677 OR 678 OR 679 OR 680 OR 681 OR 682 OR 683 OR 684 OR 694 OR 695 OR 696 OR 697 OR 806 OR 807 OR 808 OR 809 OR 848 OR 849 OR 850 OR 853 OR 854 OR 855 OR 856 OR 857 OR 858 OR 859 OR 860 OR 861 OR 1100 OR 1101 OR 1104 OR 1105 OR 1108 OR 4608 OR 4609 OR 4610 OR 4611 OR 4612 OR 4614 OR 4615 OR 4618 OR 4621 OR 4622 OR 4626 OR 4646 OR 4647 OR 4650 OR 4651 OR 4652 OR 4653 OR 4654 OR 4655 OR 4665 OR 4675 OR 4689 OR 4691 OR 4692 OR 4693 OR 4694 OR 4695 OR 4696 OR 4698 OR 4699 OR 4700 OR 4701 OR 4702 OR 4706 OR 4707 OR 4709 OR 4710 OR 4711 OR 4714 OR 4715 OR 4716 OR 4717 OR 4718 OR 4765 OR 4766 OR 4768 OR 4769 OR 4770 OR 4771 OR 4772 OR 4773 OR 4774 OR 4775 OR 4776 OR 4778 OR 4779 OR 4780 OR 4790 OR 4792 OR 4793 OR 4802 OR 4803 OR 4816 OR 4818 OR 4819 OR 4820 OR 4821 OR 4822 OR 4823 OR 4824 OR 4864 OR 4868 OR 4869 OR 4870 OR 4871 OR 4872 OR 4873 OR 4874 OR 4875 OR 4876 OR 4877 OR 4878 OR 4879 OR 4880 OR 4881 OR 4882 OR 4883 OR 4884 OR 4885 OR 4886 OR 4887 OR 4888 OR 4889 OR 4890 OR 4891 OR 4892 OR 4893 OR 4894 OR 4895 OR 4896 OR 4897 OR 4898 OR 4899 OR 4900 OR 4902 OR 4904 OR 4905 OR 4906 OR 4661 OR 4907 OR 4908 OR 4909 OR 4910 OR 4911 OR 4912 OR 4913 OR 4928 OR 4929 OR 4930 OR 4931 OR 4932 OR 4933 OR 4934 OR 4935 OR 4936 OR 4937 OR 4944 OR 4945 OR 4946 OR 4947 OR 4948 OR 4949 OR 4951 OR 4952 OR 4953 OR 4954 OR 4956 OR 4957 OR 4958 OR 4960 OR 4961 OR 4962 OR 4963 OR 4964 OR 4965 OR 4976 OR 4977 OR 4978 OR 4979 OR 4980 OR 4981 OR 4982 OR 4983 OR 4984 OR 4985 OR 5024 OR 5025 OR 5027 OR 5028 OR 5029 OR 5030 OR 5031 OR 5032 OR 5033 OR 5034 OR 5035 OR 5037 OR 5038 OR 5039 OR 5040 OR 5041 OR 5042 OR 5043 OR 5044 OR 5045 OR 5046 OR 5047 OR 5048 OR 5049 OR 5050 OR 5051 OR 5056 OR 5057 OR 5062 OR
5063 OR 5064 OR 5065 OR 5066 OR 5067 OR 5068 OR 5069 OR 5070 OR 5071 OR 5120 OR 5121 OR 5122 OR 5123 OR 5124 OR 5125 OR 5126 OR 5127 OR 5145 OR 5146 OR 5147 OR 5154 OR 5155 OR 5156 OR 5158 OR 5159 OR 5168 OR 5378 OR 5440 OR 5441 OR 5442 OR 5443 OR 5444 OR 5446 OR 5447 OR 5448 OR 5449 OR 5450 OR 5451 OR 5452 OR 5453 OR 5456 OR 5457 OR 5458 OR 5459 OR 5460 OR 5461 OR 5462 OR 5463 OR 5464 OR 5465 OR 5466 OR 5467 OR 5468 OR 5471 OR 5472 OR 5473 OR 5474 OR 5477 OR 5478 OR 5479 OR 5480 OR 5483 OR 5484 OR 5485 OR 5632 OR 5633 OR 5712 OR 5888 OR 5889 OR 5890 OR 6144 OR 6145 OR 6272 OR 6273 OR 6274 OR 6275 OR 6276 OR 6277 OR 6278 OR 6279 OR 6280 OR 6281 OR 4658 OR 6400 OR 6401 OR 4634 OR 6402 OR 6403 OR 6404 OR 6405
OR 6406 OR 6407 OR 6408 OR 6409 OR 514 OR 515 OR 4662 OR 4672)
| convert timeformat="%H:%M:%S %Y-%d-%m" ctime(_time) AS C_time
| eval Account_Domain=mvindex(Account_Domain,0)
| eval Account_Name=mvindex(Account_Name,0)
| eval AccountDomain=replace(Account_Domain,"[\n\r]","")
| eval AccountName=replace(Account_Name,"[\n\r]","")
| eval AccountDomain_Target=replace(dest_nt_domain,"[\n\r]","")
| eval AccountName_Target=replace(user,"[\n\r]","")
| eval AccountName=if(isnull(AccountName),AccountName_Target,AccountName)
| eval AccountDomain=if(isnull(AccountDomain),AccountDomain_Target,AccountDomain)
| eval AccountName=if(AccountName="-",AccountName_Target,AccountName)
| eval AccountDomain=if(AccountDomain="-",AccountDomain_Target,AccountDomain)
| eval login_match=case(Logon_Process=="Kerberos" AND match(AccountName,".*\$"),"1")
| where isnull(login_match)
| eval nw_match=case(EventCode=="5140" AND match(AccountName,".*\$"),"1")
| where isnull(nw_match)
| eval AccountName=if(EventCode=="4624" AND match(AccountName,".*\$"),AccountName_Target,AccountName)
| table C_time ComputerName AccountDomain AccountName RecordNumber Source_Address Source_Port EventCode CategoryString EventCodeDescription Logon_Process Logon_Type Destination_Address Destination_Port Source_Name Group_Domain Group_Name Caller_Process_Name Object_Name Object_Server Object_Type Operation_Type Process_Name Protocol Failure_Reason Share_Path AccountName_Target AccountDomain_Target Authentication_Package Accesses Access_Reasons

Resource Type: Windows 2008 (Splunk)

Simply map the field positions corresponding to the following order: C_time ComputerName AccountDomain AccountName RecordNumber Source_Address Source_Port EventCode CategoryString EventCodeDescription Logon_Process Logon_Type Destination_Address Destination_Port Source_Name Group_Domain Group_Name Caller_Process_Name Object_Name Object_Server Object_Type Operation_Type Process_Name Protocol Failure_Reason Share_Path AccountName_Target AccountDomain_Target Authentication_Package Accesses Access_Reasons
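As an added example (not the guide's or Securonix's code), the following Python re-implements the eval/where chain of the Windows 2008 (Splunk) saved search above and emits rows in the order of its table clause, so you can check what arrives at each field position before entering positions in Step 2: Extract Fields. The sample events are constructed; mvindex, replace and match are modelled only as far as the query uses them.

```python
import re
from datetime import datetime, timezone

# Column order of the query's `table` clause; HP UBA field positions follow it (1-based).
TABLE_FIELDS = (
    "C_time ComputerName AccountDomain AccountName RecordNumber Source_Address "
    "Source_Port EventCode CategoryString EventCodeDescription Logon_Process "
    "Logon_Type Destination_Address Destination_Port Source_Name Group_Domain "
    "Group_Name Caller_Process_Name Object_Name Object_Server Object_Type "
    "Operation_Type Process_Name Protocol Failure_Reason Share_Path "
    "AccountName_Target AccountDomain_Target Authentication_Package Accesses "
    "Access_Reasons"
).split()
# The query's ctime() format is year-DAY-month, not ISO; the Date/Time mapping must match it.
TIMEFORMAT = "%H:%M:%S %Y-%d-%m"


def field_positions():
    """1-based column position of every field, as entered in Step 2: Extract Fields."""
    return {name: i for i, name in enumerate(TABLE_FIELDS, start=1)}


def _mvindex0(value):
    """Splunk mvindex(x, 0): first value of a multivalue field; scalars pass through."""
    if isinstance(value, (list, tuple)):
        return value[0] if value else None
    return value


def _strip_crlf(value):
    """Splunk replace(x, "[\\n\\r]", ""): null in, null out."""
    return None if value is None else re.sub(r"[\n\r]", "", value)


def _is_machine_account(name):
    """Splunk match(name, ".*\\$"); a null name never matches."""
    return name is not None and name.endswith("$")


def normalize(event):
    """Apply the query's eval/where chain to one event dict. Returns a copy with
    AccountName/AccountDomain resolved, or None when a `where isnull(...)` drops it."""
    ev = dict(event)
    name = _strip_crlf(_mvindex0(ev.get("Account_Name")))
    domain = _strip_crlf(_mvindex0(ev.get("Account_Domain")))
    target_name = _strip_crlf(ev.get("user"))
    target_domain = _strip_crlf(ev.get("dest_nt_domain"))
    # Subject account null or "-": fall back to the target account, field by field.
    if name is None or name == "-":
        name = target_name
    if domain is None or domain == "-":
        domain = target_domain
    # login_match: Kerberos activity by a machine account is dropped. This runs before the
    # 4624 re-attribution below, so a Kerberos 4624 by WKS01$ never reaches HP UBA.
    if ev.get("Logon_Process") == "Kerberos" and _is_machine_account(name):
        return None
    # nw_match: share access (5140) by a machine account is dropped.
    if ev.get("EventCode") == "5140" and _is_machine_account(name):
        return None
    # Remaining 4624 logons by a machine account are attributed to the target user.
    if ev.get("EventCode") == "4624" and _is_machine_account(name):
        name = target_name
    ev.update(AccountName=name, AccountDomain=domain,
              AccountName_Target=target_name, AccountDomain_Target=target_domain)
    return ev


def to_row(event):
    """The `table` row HP UBA ingests ("" for absent fields), or None if dropped. _time is
    rendered in UTC here; Splunk's ctime() uses the search head's zone, hence the datasource
    time zone setting in Part 1."""
    ev = normalize(event)
    if ev is None:
        return None
    ev["C_time"] = datetime.fromtimestamp(float(ev["_time"]), tz=timezone.utc).strftime(TIMEFORMAT)
    return ["" if ev.get(f) is None else str(ev[f]) for f in TABLE_FIELDS]


# Constructed sample events (not real log data), keyed like Splunk's WinEventLog:Security fields.
SAMPLE_EVENTS = [
    {"_time": 1440000000, "EventCode": "4624", "ComputerName": "DC01.corp.example",  # subject "-"
     "Account_Domain": ["-", "CORP"], "Account_Name": ["-", "alice"], "dest_nt_domain": "CORP",
     "user": "alice", "Logon_Process": "NtLmSsp", "Logon_Type": "3", "Source_Address": "10.0.0.5"},
    {"_time": 1440000060, "EventCode": "4624", "ComputerName": "DC01.corp.example",  # Kerberos, machine
     "Account_Domain": "CORP", "Account_Name": "WKS01$\r\n", "Logon_Process": "Kerberos",
     "dest_nt_domain": "CORP", "user": "WKS01$"},
    {"_time": 1440000120, "EventCode": "4624", "ComputerName": "DC01.corp.example",  # NTLM, machine
     "Account_Domain": "CORP", "Account_Name": "WKS02$", "dest_nt_domain": "CORP",
     "user": "bob", "Logon_Process": "NtLmSsp", "Logon_Type": "3"},
    {"_time": 1440000180, "EventCode": "5140", "ComputerName": "FS01.corp.example",  # 5140, machine
     "Account_Domain": "CORP", "Account_Name": "WKS03$", "Share_Path": r"\\*\SYSVOL"},
]


def ingest_rows(events=SAMPLE_EVENTS):
    """Rows HP UBA would receive from the saved search for the given events."""
    return [row for row in map(to_row, events) if row is not None]
```

Running ingest_rows() on the sample yields two rows: alice at positions 3/4 (CORP, alice) and the WKS02$ logon re-attributed to bob; the Kerberos and 5140 machine-account events are dropped exactly as the saved search drops them.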

Windows

index=idx_winevents sourcetype="WinEventLog:Security" (EventCode="4624" Logon_Type="2" OR Logon_Type="10" OR Logon_Type="11") OR EventCode="4720" OR EventCode="4625" OR EventCode="4722" OR EventCode="4723" OR EventCode="4724" OR EventCode="4725" OR EventCode="4726" OR EventCode="4740" OR EventCode="4767" OR EventCode="4781" OR EventCode="4794" OR EventCode="4741" OR EventCode="4727" OR EventCode="4728" OR EventCode="4729" OR EventCode="4730" OR EventCode="4731" OR EventCode="4732" OR EventCode="4733" OR EventCode="4734" OR EventCode="4735" OR EventCode="4754" OR EventCode="4756" OR EventCode="4757" OR EventCode="4758" OR EventCode="4764" OR EventCode="4739" OR EventCode="4657" OR EventCode="4907" OR EventCode="4715" OR EventCode="4719" OR EventCode="4673" OR EventCode="4674" OR EventCode="1102"
| convert timeformat="%H:%M:%S %Y-%d-%m" ctime(_time) AS C_time
| eval Account_Domain=mvindex(Account_Domain,0)
| eval Account_Name=mvindex(Account_Name,0)
| eval AccountDomain=replace(Account_Domain,"[\n\r]","")
| eval AccountName=replace(Account_Name,"[\n\r]","")
| eval AccountDomain_Target=replace(dest_nt_domain,"[\n\r]","")
| eval AccountName_Target=replace(user,"[\n\r]","")
| eval AccountName=if(isnull(AccountName),AccountName_Target,AccountName)
| eval AccountDomain=if(isnull(AccountDomain),AccountDomain_Target,AccountDomain)
| eval AccountName=if(AccountName=="-",AccountName_Target,AccountName)
| eval AccountDomain=if(AccountDomain="-",AccountDomain_Target,AccountDomain)
| eval NetworkAddress=if(isnull(Network_Address),Source_Network_Address,Network_Address)
| eval SourcePort=if(isnull(src_port),Source_Port,src_port)
| table C_time AccountDomain AccountName AccountName_Target AccountDomain_Target Authentication_Package ComputerName dest dest_nt_host EventCode EventCodeDescription EventType Logon_Type NetworkAddress Object_Name Object_Server Object_Type Process_Name RecordNumber source SourcePort sourcetype Target_Server_Name Workstation_Name Group_Name Logon_Process Process_Name

Windows

index=windows EventCode != 102 EventCode != 103 EventCode != 210 EventCode != 213 EventCode != 220 EventCode != 221 EventCode != 223 EventCode != 224 EventCode != 225 EventCode != 300 EventCode != 301 EventCode != 482 EventCode != 515 EventCode != 538 EventCode != 552 EventCode != 576 EventCode != 615 EventCode != 672 EventCode != 673 EventCode != 674 EventCode != 675 EventCode != 676 EventCode != 677 EventCode != 680 EventCode != 700 EventCode != 701 EventCode != 702 EventCode != 703 EventCode != 704 EventCode != 705 EventCode != 835 EventCode != 836 EventCode != 837 EventCode != 1000 EventCode != 1002 EventCode != 1004 EventCode != 1006 EventCode != 1008 EventCode != 1083 EventCode != 1126 EventCode != 1173 EventCode != 1206 EventCode != 1226 EventCode != 1311 EventCode != 1314 EventCode != 1481 EventCode != 1566 EventCode != 1643 EventCode != 1644 EventCode != 1646 EventCode != 1865 EventCode != 1869 EventCode != 1925 EventCode != 1955 EventCode != 2041 EventCode != 4634 EventCode != 4648 EventCode != 4656 EventCode != 4661 EventCode != 4662 EventCode != 4672 EventCode != 4674 EventCode != 4675 EventCode != 4689 EventCode != 4709 EventCode != 4710 EventCode != 4768 EventCode != 4769 EventCode != 4770 EventCode != 4771 EventCode != 4773 EventCode != 4776 EventCode != 4821 EventCode != 4928 EventCode != 4929 EventCode != 4931 EventCode != 4932 EventCode != 4933 EventCode != 5014 EventCode != 5136 EventCode != 5137 EventCode != 5139 EventCode != 6002 EventCode != 6102 EventCode != 4723 EventCode != 551 EventCode != 5446 EventCode != 5447 EventCode != 5448 EventCode != 5444 EventCode != 5442 EventCode != 5033 EventCode != 4945 EventCode != 4956 EventCode != 5441 EventCode != 5440 EventCode != 1128 EventCode != 5004 EventCode != 1079 EventCode != 4647 EventCode != 4902 EventCode != 4610 EventCode != 4622 EventCode != 4793 EventCode != 4698 EventCode != 593 EventCode != 697
| table EventCode, LogName, RecordNumber, Type, Username, _raw, _time, hostname, login_failure, message_reason, message_type, severity_id, src, src_ip, user

Websense Query

sourcetype="websense_ss" AND (category_name="Security" OR category_name="Job Search" OR category_name="Non-HTTP" OR category_name="Entertainment" OR category_name="Productivity" OR category_child_name="Web Hosting" OR category_child_name="Uncategorized" OR category_child_name="MP3 & Audio Download Services" OR category_child_name="File Download Servers" OR category_child_name="Freeware & Software Download")
| convert timeformat="%H:%M:%S %Y-%d-%m" ctime(_time) AS C_time
| table C_time action bytes_in bytes_out category_child_name category_name dst_host dst_ip dst_port disposition_description Domain host http_content_type http_method http_proxy_status_code http_response httpstatus_description http_status_type http_user_agent OU policy product product_version proxy_status_description proxy_status_type severity SID source src_host src_port sourcetype Status url user

Resource Type: Websense Proxy (Splunk)


BRO IDS FTP Connections

index=idx_bro sourcetype=bro_ftp | convert timeformat="%Y-%d-%m %H:%M:%S" ctime(_time) AS C_time | eval event=C_time." "._raw | table event

Ironport

index=idx_ironport MID
| convert timeformat="%Y-%d-%m %H:%M:%S" ctime(_time) AS C_time
| stats values(C_time) values(SCX_SENDER) as Email_Sender values(SCX_RECIPIENT) as RICIPNTS first(SCX_SUBJECT) values(SCX_SRCIP) values(SCX_CATEGORY) by SCX_MID
| makemv delim="," RICIPNTS
| where isnotnull(Email_Sender)

Lieberman

index=idx_lieberman SCX_MSG!="*JOB*" | eval AccountName=if(isnull(AccountName),AccountName_Source,AccountName) | eval AccountName=if(isnull(AccountName),duser,AccountName) | eval AccountName=if(isnull(AccountName),suser,AccountName) | table SCX_TIME SCX_MSG AccountName duser cs1 cs2 cs3 cs4 cs6 dhost dntdom

Perforce

index=idx_perforce| convert timeformat="%Y-%d-%m %H:%M:%S" ctime(_time) AS C_time |eval message=_raw.",".C_time | table message

Unix

index=idx_unix process="ftpd" OR process="groupadd" OR process="login" OR process="mount" OR process="passwd" OR process="psuedo" OR process="sshd" OR process="su" OR process="sudo" OR process="user*" |table _raw

Cisco ASA (VPN)

index=idx_firewalls eventtype="cisco_vpn*"|table _raw


Chapter 5: Exporting Data

Exporting User Identity Data

HP UBA provides three methods for exporting user identity data:

Web services API (preferred method)

Direct database connection

Extract to flat file from imported jobs

Extract to Flat File from Imported Jobs

Navigate to Configure>Jobs. Select a successful user data import job.

Click the job details icon.

The Job Details screen shows details such as: Total Records Imported, Total Records Available, Total New Users, etc. Click on any of the fields highlighted in blue such as Total Records Imported or Total New Users.


The screen expands to show a listing of records imported of the type selected.

Click on the Export button and select a file format from the list.

Save the file and use it as required.


Exporting Violations

Policy violations can be exported from HP UBA. The following options are available in the last step while creating policies:

Send output to SIEM

CEF Output (ArcSight)

Database Output

Syslog Output

File Output

CEF Output via Syslog

The first step is to create a connection type to forward logs in CEF format via syslog. Navigate to Configure>Connection Types and then to Actions>Add New Connection.

If you set the Generate Token? switch to Yes, the following pop up appears for confirmation:


Enter the following details:

Connection Name: Provide a name to identify the connection uniquely.

Connection Type for: Choose ‘Export Policy Violations’ from the drop-down list.

Connection Type: Choose ‘CEF Format’ from the drop-down.

Protocol: Choose the protocol (UDP/TCP) used to transfer data via syslog.

Host: Specify the host to which the violators need to be forwarded.

Port: Specify the port number on which the data has to be sent.

In the final step of creating or running a policy, set the Output to Arcsight ESM option to Yes and select the CEF_Export Connection from the drop down.

Click Output Field Mapping to select and map the fields to be sent out in CEF format via syslog and click Save.


Configure HP UBA CEF Output to ArcSight

Edit the CEFExport Connection Type (navigate to Configure>Connection Types, then CEFExport) and provide the IP address of the system where the Syslog Connector that will send policy violations back to ESM is installed.

Exporting Consolidated Threat Intel Feed

HP UBA consolidates the threat intelligence feeds collected from different sources and aggregates the context information when an IP address, hostname or other malicious entity is present across multiple sources. In these cases, the criticality of that malicious entity becomes the highest criticality of that entity across all the data sources.

The threat intelligence data can be exported in CEF or CSV formats. The CEF output format can be configured using the ‘TpiExportCefFormat.properties’ file in the ‘$SECURONIX_HOME/conf/’ folder.

The default configuration provided in this file can be seen in the screenshot below. The attribute mapping can be configured as necessary.

To enable the consolidated feed export perform the following steps:

Navigate to Configure>Jobs, then Actions>Run>Export Third Party Intelligence Data.


Click Add New Connection to create a syslog connection to the destination host (ESM) for this data

Enter the following connection details:

Connection Name: ThreatIntelExport

Connection Type For: Resources

Connection Type: Syslog

Protocol: UDP

Host: xstm1541vdap.stm.swissbank.com (for the example above)

Port: 515

Facility: User-level messages

Click Save. Select the connection you just created. Select CEF as the export type. Click Next.

On the 2: Run Job screen, you can set a schedule to run the job later, or just click Run to run immediately.
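As an added example (not code from the guide or from HP UBA), the consolidation rule described above and the CEF export that follows it: records from several feeds are merged per entity with the highest criticality kept, formatted as CEF lines with the header and extension escaping the format requires, and shipped over UDP syslog the way the ThreatIntelExport connection is configured (UDP, port 515, user-level facility). The criticality-to-severity mapping, the extension keys and the sample feed records are assumptions.

```python
"""Added example (not HP UBA's own code): consolidate threat intel records
from several feeds and emit them as CEF lines ready for a syslog forward.

Assumptions (not from the guide): the low/medium/high criticality scale and
its CEF severity mapping, the extension keys, and the sample feed records
are all constructed for this example.
"""
import socket

CRITICALITY_RANK = {"low": 1, "medium": 2, "high": 3}
CEF_SEVERITY = {"low": 3, "medium": 6, "high": 9}  # assumed mapping onto 0-10

# Constructed feed records; 198.51.100.7 is reported by two sources.
FEEDS = [
    {"source": "feedA", "entity": "198.51.100.7", "type": "ip",
     "criticality": "medium", "tag": "c2"},
    {"source": "feedB", "entity": "198.51.100.7", "type": "ip",
     "criticality": "high", "tag": "scanner"},
    {"source": "feedC", "entity": "bad.example", "type": "host",
     "criticality": "low", "tag": "phish|kit"},
]


def consolidate(records):
    """One entry per malicious entity. Criticality becomes the highest seen
    across all sources; the per-source context is kept for the analyst."""
    merged = {}
    for rec in records:
        entry = merged.setdefault(rec["entity"], {
            "entity": rec["entity"], "type": rec["type"],
            "criticality": rec["criticality"], "sources": [], "tags": []})
        if CRITICALITY_RANK[rec["criticality"]] > CRITICALITY_RANK[entry["criticality"]]:
            entry["criticality"] = rec["criticality"]
        entry["sources"].append(rec["source"])
        entry["tags"].append(rec["tag"])
    return merged


def _esc_header(value):
    # CEF header fields: backslash and pipe must be escaped.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value):
    # CEF extension values: backslash, equals sign and line breaks.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(entry, vendor="HP", product="UBA", version="1.1"):
    """Format one consolidated entry as a CEF:0 line."""
    header = "|".join(_esc_header(v) for v in (
        vendor, product, version, "TPI", "Threat intel indicator",
        CEF_SEVERITY[entry["criticality"]]))
    ext = {
        "cs1Label": "criticality", "cs1": entry["criticality"],
        "cs2Label": "sources", "cs2": ",".join(entry["sources"]),
        "cs3Label": "tags", "cs3": ",".join(entry["tags"]),
    }
    # Assumed key choice: dst for IP indicators, dhost for hostnames.
    ext["dst" if entry["type"] == "ip" else "dhost"] = entry["entity"]
    return "CEF:0|" + header + "|" + " ".join(
        f"{k}={_esc_ext(v)}" for k, v in ext.items())


def send_syslog_udp(lines, host, port=515, facility=1, severity=6):
    """Ship CEF lines over UDP syslog (facility 1 = user-level messages, as
    in the ThreatIntelExport connection). Not exercised by the tests."""
    pri = facility * 8 + severity
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in lines:
            sock.sendto(f"<{pri}>{line}".encode(), (host, port))


if __name__ == "__main__":
    for entry in consolidate(FEEDS).values():
        print(to_cef(entry))
```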


Chapter 6: Peer Groups

A Peer Group in HP User Behavior Analytics is defined as a grouping of users that perform similar job functions. For example, you can group users based on department, job code, location and reporting manager. HR user attributes are typically used for this purpose. You can also derive peer groups based on resources to which users have access. Any number of peer groups can be defined based on business requirements. There is no limit on the number of peer groups or number of users assigned to peer groups.

Why use Peer Groups?

Peer Groups are created to manage Access Outliers and the access and activity logs of the users that belong to a particular Peer Group. Users are assigned to one or multiple Peer Groups based on their identity attributes. Each Peer Group that the user belongs to has its own set of users with access privileges assigned to them. Each access privilege held by a user is compared across the members of each Peer Group to determine the number of users that hold the same access privilege. The greater the number of users that hold the same entitlement, the lower the probability of the access privilege being an outlier. The entitlement is determined to be an outlier if it crosses a threshold. Each user within the Peer Group may have one or multiple access privileges that are outliers. The more access privileges that are outliers, the higher the overall Access Risk for the user.

Defining Peer Groups Manually

Create a new Peer Group by navigating to Configure>Jobs and then choosing Action>Run>Peer Creation Rules.

There are three options for creating Peers and assigning Users to Peer Groups:

Create Peers Manually: create a new Peer Group and assign users to the group individually.

Peer Creation Rule: create Peer Groups using HR attributes and assign users based on selection criteria.

Peer Assignment Rule: assigns users to the appropriate Peer Groups based on the criteria specified.


Use the Peer Creation Rule feature if you want to use any of the existing user identity attributes for forming the Peer and assigning the users to these Peers automatically.

The only time when you would create peer groups manually is if your user identity attributes do not match the attributes on which you want to generate peer groups. The Peer Assignment Rule feature can be used in conjunction with Create Peers Manually to assign users to the right peer group depending on the assignment criteria specified. The Peer Assignment Rule feature can help maintain user to peer group assignments periodically and when new users are on-boarded into the organization.

Example: Create a peer group called “Financial Analyst” and assign all users with title "Associate Financial Accountant" to the Financial Analyst Peer Group.

Solution: This can be achieved by creating a Peer Group called Financial Analyst manually and using the Peer Assignment Rule feature to assign all users with the title “Associate Financial Accountant” to this Peer Group.

Example: Create Peer Groups based on JobCode, Department and the combination of JobCode and Department. Assign users to these Peer groups depending on their jobcode and department.

Solution: Use the Peer Assignment Rule feature to create and assign users to the appropriate Peer Groups.

Adding Peer Groups using Peer Creation Rules

Peer groups can be created automatically using any user identity attribute. All unique values of the user identity attribute may be used to generate the peer groups. The users will be assigned automatically to these peer groups if they match the criteria.
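As an added example (not code from the guide or from HP UBA) covering both the outlier logic in Why use Peer Groups? and the attribute-based grouping a Peer Creation Rule performs: peer groups are formed from the distinct values of an identity attribute, each entitlement is compared across the members of its group, and entitlements held by too few peers are flagged as outliers that raise the user's access risk. The outlier threshold, the risk calculation and the sample users are assumptions.

```python
"""Added example (not HP UBA's own code): build peer groups from a user
identity attribute, then flag access outliers within each peer group.

Assumptions (not from the guide): an entitlement is an outlier when the
share of peers holding it is below OUTLIER_THRESHOLD; the user's access
risk is the count of outlier entitlements. Sample data is constructed.
"""
from collections import defaultdict

# Constructed identity records (HR attributes) and access entitlements.
USERS = {
    "u001": {"department": "Finance", "title": "Financial Analyst"},
    "u002": {"department": "Finance", "title": "Financial Analyst"},
    "u003": {"department": "Finance", "title": "Financial Analyst"},
    "u004": {"department": "Finance", "title": "Financial Analyst"},
    "u005": {"department": "IT", "title": "Sysadmin"},
    "u006": {"department": "IT", "title": "Sysadmin"},
}
ENTITLEMENTS = {
    "u001": {"ERP_VIEW", "ERP_POST"},
    "u002": {"ERP_VIEW", "ERP_POST"},
    "u003": {"ERP_VIEW", "ERP_POST"},
    "u004": {"ERP_VIEW", "ERP_POST", "DOMAIN_ADMIN"},  # unusual for Finance
    "u005": {"DOMAIN_ADMIN", "ERP_VIEW"},
    "u006": {"DOMAIN_ADMIN"},
}
OUTLIER_THRESHOLD = 0.5  # assumed: held by fewer than half of the peers


def create_peer_groups(users, attribute):
    """Peer Creation Rule: one peer group per distinct attribute value."""
    groups = defaultdict(set)
    for user_id, attrs in users.items():
        value = attrs.get(attribute)
        if value is not None:
            groups[value].add(user_id)
    return dict(groups)


def entitlement_share(group_members, entitlements):
    """For one peer group: fraction of members holding each entitlement."""
    counts = defaultdict(int)
    for member in group_members:
        for ent in entitlements.get(member, ()):
            counts[ent] += 1
    size = len(group_members)
    return {ent: n / size for ent, n in counts.items()}


def access_outliers(users, entitlements, attribute, threshold=OUTLIER_THRESHOLD):
    """Return {user_id: set of outlier entitlements} across all peer groups
    formed on `attribute`. A user in several groups accumulates outliers
    from each of them."""
    result = defaultdict(set)
    for members in create_peer_groups(users, attribute).values():
        share = entitlement_share(members, entitlements)
        for member in members:
            for ent in entitlements.get(member, ()):
                if share[ent] < threshold:
                    result[member].add(ent)
    return dict(result)


def access_risk(outliers):
    """More outlier entitlements -> higher overall access risk for the user."""
    return {user: len(ents) for user, ents in outliers.items()}


if __name__ == "__main__":
    groups = create_peer_groups(USERS, "department")
    print("peer groups:", {g: sorted(m) for g, m in groups.items()})
    out = access_outliers(USERS, ENTITLEMENTS, "department")
    print("outliers:", out)
    print("access risk:", access_risk(out))
```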

To add peer groups using Peer Creation Rules, perform the following steps:

Navigate to Configure>Jobs then Action>Run>Peer Creation Rules.

Step 1: Select Rule Type defaults to Peer Creation Rules, so just click Next.

In Step 2: Rules, select User attributes from the Create Peers using attributes for drop-down. Under Rules, select an existing peer group type from the drop-down, or select Create New Peer Type and give it a name. Select the attribute for this group type from the drop-down, for example ‘Department’ in the screenshot below.

Click Add Rule if you would like to create additional Peer groups at the same time. Each rule corresponds to one peer group type.

Example: To create peer groups based on the user's title attribute, create a new Peer Group Type called Title and select title from the Attribute drop-down.


Click Next. In Step 3: Run Job enter a rule name and description, use the default of Now to run the job right away, or run the job at a later time by configuring the scheduling options (Minutes, Hourly, Daily, Weekly, Monthly, Specify Date).

Click Save and Run. Once the job completes, the Peer Groups are created and users are automatically assigned to them. You can view the results of the job by clicking the link on the job status pop up:

Alternatively, navigate to Manage>Peers and select a peer group type from the left side menu.

Manage existing peer groups or add and populate peer groups manually from the Manage>Peers screen.


Adding Peer Groups Manually

You can create peer groups manually and add members using search criteria. To add peer groups manually, perform the following steps:

Navigate to Manage>Peers. Under Actions select Create Peer Manually.

Give the group a name, add an owner if wanted, set the criticality and select the type from the drop-down. If you want to create a group with sub-groups, make each group the same type.

Example: If you have three geographic regions, East, West and Midwest and want to see them all organized under Region, create each group and create or select Region for the type for each. After creating the group or groups add users by following these steps:

Click the peer group type from the left side of the Manage Peers screen.

Click the Peer Name.

Click the Members tab and then the Add Members button.


Enter the criteria for membership in the group and click Search. Example: employees who are located in Los Angeles will be placed in the “West” regional group, so search the location field for Los Angeles.

Select users from the list that match your criteria and click Add User(s). Note: if you want to add all of the users that match the criteria at once, select All from the drop-down to show x records per page, click the check box at the top of the left column to select all, scroll to the bottom of the page and click Add User(s).


Chapter 7: Organizations

Organizations are used by the HP User Behavior Analytics application for three primary purposes:

• Reporting risk scores for each organization.

• Viewing activities by organization (Investigation Workbench and Manage Organization views).

• Granular Access Control: Restrict access to certain users and resources assigned to organizations.

Creating Organizations

You can choose to create new organizations manually or create them automatically based on a rule.

Example: The application has user identity data with the department, division, company code and other HR related attributes populated. The distinct values available as departments can be used to generate organizational units.

Creating Organizations Manually

Navigate to Manage>Organizations then Action>Create New Organization.

Required fields are marked with a red asterisk (*).

Name* – unique identifier for the new organization.

Owner – user that will own the organization.

Criticality – affects the risk score of the organization – low, medium or high.

Type* – select from drop-down or create a new type.

Parent organization.

When done, click Save to create the new organization.


Creating Organizational Units Based on a User Attribute Rule

Navigate to Configure>Jobs then Actions>Run>Organization creation rules.

In Step 1: Select Rule Type choose Organization creation rules (creates organizations and assigns users to organizations) or Organization assignment rules (only assigns users to existing organizations; does not create new organizations).

Click Next. In Step 2: Rules, choose the user attribute to use to generate new organizations.

Under Selection criteria, choose Users (choices are Users or Resources).


Parent Organization: Choose a parent organization under which all the new organizations will be created.

Choose attributes for the User object. Click Next. In Step 3: Run Job enter a rule name and description, use the default of Now to run the job right away, or run the job at a later time by configuring the scheduling options (Minutes, Hourly, Daily, Weekly, Monthly, Specify Date).

View and manage your organizations by navigating to Manage>Organizations.

Creating Organizational Units Based on a Resource Attribute Rule

If you have imported access data for resources, the access entitlement values can be used to generate organizations.

Example: If OrganizationRole is an attribute of access privileges being imported, we can use the distinct values of OrganizationRole to generate new organizations.

Navigate to Configure>Jobs then Actions>Run>Organization creation rules.

In Step 1: Select Rule Type choose Organization creation rules (creates organizations and assigns users to organizations) or Organization assignment rules (only assigns users to existing organizations; does not create new organizations).

Click Next.

In Step 2: Rules choose the resource attribute on which to generate new organizations. Under Selection criteria, choose Resources. Choose a parent organization under which all the new organizations will be created.

Click Next. In Step 3: Run Job enter a rule name and description, use the default of Now to run the job right away, or run the job at a later time by configuring the scheduling options (Minutes, Hourly, Daily, Weekly, Monthly, Specify Date).

Click Save and Run.

Granular Access Control Using Organizations

If you need to restrict HP UBA application users to viewing only a subset of users and resources, enable granular access control. With granular access control, the application uses the organizational role assigned to the user to determine the screens and modules the user is able to view.

For more detail see Chapter 10/Settings/Granular Access Control.


Chapter 8: Policies

Policies are predefined sets of rules; they act as risk boosters. HP User Behavior Analytics provides a very flexible policy engine that can be used to run checks against Identity, Access, Activity, Events, Resources and Organization data. Uses for policies:

• Checking for known bad signatures (rules).

• Separation of duty checks.

• Business-specific rules.

• Compliance and regulatory requirements.

When a user performs an action that is in contradiction to a policy, it is considered a violation.

Creating New Policies

To create a new policy, navigate to Run>Policy Violations then Actions>Create Policy.

The following options are available:

Create Rule Based Policy: This option is selected to create policies using a built-in template. Templates store the underlying joins to facilitate the execution of policy.

Create Rule Based Policy with Direct HQL: This option is selected if the HQL to be executed is directly provided to run the policy.

Create Behavior Based Policy: This option is selected to flag a specific set of suspect checks (such as first time usage or a higher than usual frequency of activity). The list of available suspect checks is presented as a drop-down list.

Create Composite Policy: This option is selected, if a child policy has to be executed before the main policy.


Create TIER2 Policy.

Create TIER2 Policy with Direct HQL.

Action>Create Rule Based Policy

Step 1: Enter Policy Details: Fill in the following details:

Policy Name: Name of the policy to be executed.

Description: Explanation for the policy.

Criticality: Move the slider to choose low/medium/high, indicating the importance of the rule. Depending on the criticality, the risk score assigned to the violator varies – the higher the criticality, the higher the risk score. In addition, high risk policies will be displayed at the top of the User Defined Policies section on the Security Dashboard.

Select Violation Entity: Define the entity to which the policy applies. Options:

Users – Returns the list of users violating the policy; Orphan accounts (Uncorrelated accounts) will be ignored.

Access Accounts – Returns the list of access accounts (both correlated and uncorrelated) violating the policy.

Activity Accounts – Returns the list of activity accounts (both correlated and uncorrelated) violating the policy.

Resources – Returns the list of resources violating the policy.


Data source: choose from a list of data sources.

Note: If Users or Activity Account is chosen under Violation Entity, the following two options are displayed.

Would you like to use this policy in real time on events being imported? (Y/N – default No).

Would you like to Aggregate Risk Score on Each Run? (Y/N – default Yes).

Owner (if configured, only the owner can run policy).

Remediator (who will remediate).

Stop when violations are greater than (default 10000) Specify a number to put a limit on the number of violations flagged by the policy.

Under Define Risk and Threat:

Category: for the dashboard widget; choose from drop-down or create new.

Threat Indicator: Select from drop-down or create new to show what threat the detected violations are indicative of.

Click Next at the bottom of the screen.

Step 2: Select Policy Template: Select the template to use for this policy from the list; you can filter the longer list based on available objects by checking boxes in the top selection area. For a complete list of Policy Templates, the filtering options and objects contained within each, see Appendix B: Policy Templates.


Click Next at the bottom of the screen.

Step 3: Provide Conditions: drag attributes from the available objects panel and drop them on the canvas area. Next select the attribute of that object followed by the condition and the value for that attribute.

Use Post Process Functions?: Enable this option if additional checks (like Third Party Intelligence) are to be performed while executing the policy. Post Process options are listed with check boxes. You can select as few or as many as you like. Each one has specific options to set based on the check being performed:

Click Preview HQL to see the query that will run based on your selections.

See Directives (below) for details on configuring this post-processing option.

Click Next after configuring all conditions.

Step 4: Choose Action for Violation Results: provide the following to describe the action to be taken on the violations flagged by the policy:


Do you want to generate cases for policy violators? Set to Yes to generate a case for each policy violator. Cases can also be created manually from the Security Dashboard.

Select workflow to trigger when generating cases: If the above option is selected, specify the name of the workflow used to generate the case.

Send Notification: (Y/N).

Use as default Policy for selected Data source Type? (Y/N).

Add Policy Violators to the Watch List? Select from the list of available watch lists, or create a new watch list by clicking Create New Watch List.

Send output to SIEM: (Y/N) Forward violators of the policy to a SIEM.

CEF Output: (Y/N) Forward violators of the policy in CEF format.

Database Output: (Y/N) Send violators to a database.

Syslog Output: (Y/N) Send out violators using syslog.

File Output: (Y/N) Write violators to an output file.

Click Save.

Action>Create Rule Based Policy with Direct HQL

Step 1: Enter Policy Details: Fill in the following details:

Note: Screen is the same as shown for Create Rule Based Policy with one addition: Return Entity (which may generate additional parameters to be set, depending on selection.)

Policy Name: Name of the policy to be executed.

Description: Explanation for the policy.

Is it a child policy? The default is No. Select Yes if the policy is to be executed as a composite policy. Child policies cannot be executed separately.

Criticality: Move the slider to choose low/medium/high, indicating the importance of the rule. Depending on the criticality, the risk score assigned to the violator varies – the higher the criticality, the higher the risk score. In addition, high risk policies will be displayed at the top of the User Defined Policies section on the Security Dashboard.


Select Violation Entity: Define the entity to which the policy applies. Options:

Users – Returns the list of users violating the policy; Orphan accounts (Uncorrelated accounts) will be ignored.

Access Accounts – Returns the list of access accounts (both correlated and uncorrelated) violating the policy.

Activity Accounts - Returns the list of activity accounts (both correlated and uncorrelated) violating the policy.

Resources – Returns the list of resources violating the policy.

Data source: choose from a list of data sources. Note: If Users or Activity Account is chosen under Violation Entity, the following two options are displayed.

Would you like to use this policy in real time on events being imported? (Y/N – default No).

Would you like to Aggregate Risk Score on Each Run? (Y/N – default Yes).

Return Entity: Used to specify the details associated with the violation.

Owner (of the policy). Remediator (who will remediate).

Stop when violations are greater than (default 10000) Specify a number to put a limit on the number of violations flagged by the policy.

Is this a watch list based policy? (Y/N – default No).

Under Define Risk and Threat:

Category: for the dashboard widget; choose from drop-down or create new.

Risk Threat Indicator: Select from drop-down or create new; indicates what threat a violation indicates.

Click Next at the bottom of the screen.

Step 2: Provide HQL: Specify the direct HQL used to execute the policy.

Use Post Process Functions?: Enable this option if additional checks (like Third Party Intelligence) are to be performed while executing the policy. Post Process options are listed with check boxes. You can select as few or as many as you like. Each one has specific options to set based on the check being performed:


See Directives (below) for details on configuring this post-processing option.

Click Next.

Step 3: Choose Action for Violation Results: provide the following to describe the action to be taken on the violations flagged by the policy:

Do you want to generate cases for policy violators? Set to Yes to generate a case for each policy violator. Cases can also be created manually from the Security Dashboard.

Select workflow to trigger when generating cases: If the above option is selected, specify the name of the workflow used to generate the case.

Send Notification: (Y/N).

Use as default Policy for selected Data source Type? (Y/N).

Add Policy Violators to the Watch List? Select from the list of available watch lists, or create a new watch list by clicking Create New Watch List.

Export to McAfee SIEM: (Y/N) Forward violators of the policy to McAfee SIEM. (You’ll be able to select or create a connection.)

Output to Arcsight ESM: (Y/N) Forward violators of the policy in Arcsight ESM format.

Database Output: (Y/N) Send violators to a database.

Syslog Output: (Y/N) Send out violators using syslog.

File Output: (Y/N) Write violators to an output file.

Click Save.


Action>Create Behavior Based Policy

Step 1: Enter Policy Details: Fill in the following details:

Policy Name: Name of the policy to be executed.

Description: Explanation for the policy.

Select suspect check you want to configure: Select from drop-down.

Criticality: (Defaults to High) Move the slider to choose low/medium/high, indicating the importance of the rule. Depending on the criticality, the risk score assigned to the violator varies – the higher the criticality, the higher the risk score. In addition, high risk policies will be displayed at the top of the User Defined Policies section on the Security Dashboard.

Category: for the dashboard widget; choose from drop-down or create new.

Threat Indicator: Select from drop-down or create new; indicates what threat a violation indicates.

Data source: choose from a list of data sources.

Sigma Value (defaults to 0.85): set the slider from 0 to 1. (The Sigma value defines the deviation of the activity performed by the user from its baseline.)

Click Save.


Action>Create Composite Policy

In 1: General Information provide the following:

Policy Name: Name of the policy to be executed.

Description: Explanation for the policy.

Select Violation Entity: Defaults to Activity Account.

Return Entity – Used to specify the details associated with the violation; select from drop-down.

Define Risk and Threat section

Category: for the dashboard widget; choose from drop-down or create new.

Threat Indicator: Select from drop-down or create new; indicates what threat a violation indicates.

Create or add Child Policies. Select from existing child policies or create new ones by clicking Add child policies.


To add, in 1: Enter Policy Details, provide a unique policy name, select a violation entity from the drop-down and select a datasource.

Click Next.

In 2: Select Policy Template filter the list or select from the entire template list, then click Next. For a complete list of Policy Templates, the filtering options and objects contained within each, see Appendix B: Policy Templates.


In 3: Provide Conditions, drag and drop available objects to configure criteria, click Preview HQL to view the query created by your selections, and click Save.

Click Next. In 2: Add rules, set conditions based on the selected child policies, then click Next.

In 3: Choose Actions for Violation Results provide the following:


Generate cases for violations – Yes/No.

Select workflow to trigger.

Send notifications – Yes/No.

Use as default policy – Yes/No.

Add violations to a watchlist.

Export to McAfee ESM – Yes/No.

Export to Arcsight ESM – Yes/No.

Database Output – Yes/No.

Syslog Output – Yes/No.

Click Save when done.

Action>Create TIER2 Policy

The steps and screens are the same as for Create Rule Based Policy.

Action>Create TIER2 Policy with Direct HQL

The steps and screens are the same as for Create Rule Based Policy with Direct HQL.

Directives

Directives are post process functions available for Rule Based Policies and Rule Based Policies with Direct HQL. Directives are policies that run on network time data. They let you specify the count and duration of the events that are to be flagged as violations.

For example – 4 logon failures in 2 minutes and a logon successful event immediately after that within next 1 minute.

Configure directives when creating these two policy types in Step 3: Provide Conditions.

Below the Objects section and before the HQL preview box, click the slide switch for Use Post Process Functions?

Click the white icon with the green arrow, enter the Directive details, and click Save.
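As an added example (not code from the guide or from HP UBA), the directive quoted above evaluated over constructed logon events: four logon failures within two minutes followed by a successful logon within the next minute flags the account. The event layout and the generalisation to any failure count and window lengths are assumptions.

```python
"""Added example (not HP UBA's own code): evaluate a count-and-duration
directive such as "4 logon failures in 2 minutes and a logon success
within the next 1 minute" over per-account event streams.

Assumptions (not from the guide): the event record shape
(ISO timestamp, account, outcome) and the sample events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events. alice matches the directive; bob's failures are too
# spread out; carol's success comes too long after her failures.
EVENTS = """\
2015-08-31T09:00:05 alice FAILURE
2015-08-31T09:00:20 alice FAILURE
2015-08-31T09:00:48 alice FAILURE
2015-08-31T09:01:30 alice FAILURE
2015-08-31T09:02:10 alice SUCCESS
2015-08-31T09:00:00 bob FAILURE
2015-08-31T09:05:00 bob FAILURE
2015-08-31T09:10:00 bob FAILURE
2015-08-31T09:15:00 bob FAILURE
2015-08-31T09:15:30 bob SUCCESS
2015-08-31T10:00:00 carol FAILURE
2015-08-31T10:00:10 carol FAILURE
2015-08-31T10:00:20 carol FAILURE
2015-08-31T10:00:30 carol FAILURE
2015-08-31T10:05:00 carol SUCCESS
"""


def parse_events(text):
    """Group events by account as time-sorted (timestamp, outcome) pairs."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, account, outcome = line.split()
        events[account].append((datetime.fromisoformat(ts), outcome))
    for account in events:
        events[account].sort()
    return dict(events)


def evaluate_directive(events, failures=4, fail_window_min=2, success_window_min=1):
    """Return {account: ISO time of the qualifying success} for each account
    with `failures` failed logons inside `fail_window_min` minutes followed
    by a success within `success_window_min` minutes of the last failure."""
    fail_window = timedelta(minutes=fail_window_min)
    success_window = timedelta(minutes=success_window_min)
    violators = {}
    for account, evs in events.items():
        fails = [t for t, o in evs if o == "FAILURE"]
        # Slide a window of `failures` consecutive failures over the stream.
        for i in range(len(fails) - failures + 1):
            first, last = fails[i], fails[i + failures - 1]
            if last - first > fail_window:
                continue
            success = next((t for t, o in evs
                            if o == "SUCCESS" and last < t <= last + success_window),
                           None)
            if success is not None:
                violators[account] = success.isoformat()
                break
    return violators


if __name__ == "__main__":
    print(evaluate_directive(parse_events(EVENTS)))
```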


Executing Policy

Navigate to Run>Policy Violations to view all existing policies, filter the lists and run selected policies. The default view is All Policies, with the By Datasource master filter expanded to show all datasources.

You can further filter the listing of policies within the main categories by using the Add Filter dropdown.

In the example above, you can add filters to the selected datasource to filter for Criticality, Policy Type, Return Entity and Category.

If you are viewing policies through a master filter (on the left sidebar menu), such as Type, the Add Filter list will offer all other filter types.


In the screen above, the Policy Type sub-filter is not offered because you are viewing the list already filtered by type.

To search for a keyword in a policy name, use the Search Box at the top right side of the screen:

The search defaults to All (*).

Start typing a search term into the box and the application will pop up a list of policies that include the term:

Or, to have the list of policies shown include all policies with a keyword (in this case “recent”), use the all indicator (asterisk, *) before and after the term, i.e. *recent*.

Once you have selected the policy you want, click Play to run it.


Other actions available from the buttons for each listed policy are:

Create new policy using this policy.

Delete policy.

Delete policy violations.

Viewing Policy Violations

To view the policy violations, navigate to Dashboard>Security Dashboard.

Select the user defined policies from the left side panel; if any policy has been violated, the violators will be displayed on the right side panel.


Chapter 9: Reports

Creating a Report

Navigate to Reports>By Categories.

Select Add Category.

Enter a name for the new category and click Save.

You’ll see a success confirmation pop up.


Click Create New Report and fill in the report details. Note fields with a red asterisk (*) are required.

Report Name*

Description

Category

Module: Security Dashboard area for this report to appear

File Name*: Name of the JRXML file along with the extension (Add the file to the securonix_home/reports)

Owner

(optional) Resource type

Fill in the Parameters section if needed

Click Save.


Running a Report

The options available on the report screen (as icons on the right) are as follows:

Edit – Make changes to an existing report. You’ll see the same screen as for setting up a new report. Change options as needed and click Save at the bottom.

Save – A variant of Run Now; choose the report format and parameters for immediate run.

Run Now – Run (or re-run) a report that has already been created. (Not available for all reports.)

Schedule – Access the scheduling screen to save the report to run at a selected date/time.

Delete – Delete the selected report (a confirmation screen will pop up.)


Ad hoc Reporting

To create and save custom reports, navigate to Reports>Ad-hoc Reports. Previously created reports will be listed, available to run and configure or delete.

Select Actions>Create New Ad-hoc Report.

In 1 General Details

Provide a report name and description, and select an owner for the report from groups or users:


You can scroll through the entire list of available templates, or filter the list by clicking on available objects.

For a complete list of Policy Templates, the filtering options and objects contained within each, see Appendix B: Policy Templates.

Select the template to use for this report, then click Next. In 2 Select Objects:

Drag and drop objects (based on the selected template) into the criteria area, then configure selection criteria for the object(s).

When done, click Next. In 3 Export Settings:

The Query field will be populated, based on the objects and criteria configured in the previous step.


Select report detail columns to show and define column headers.

Select the report format from the drop-down – choices are: csv, xml, pdf and rtf.

Click Save and Generate.


Chapter 10: Administration

Using the Configure Menu

Much of the “behind the scenes” work of the HP UBA application is handled from the Configure menu. Some of these tasks are performed in the post-installation jobs (see Installation Guide/Chapter 4: Post installation activities). Here is a reference of all actions that can be performed through the Configure menu.

All Configuration tasks are accessed from the Configure Menu. The following submenu items are available under the Configuration menu:

Jobs: The Jobs screen shows a list of the jobs which have been completed or which are still running, and lets you set up and run new jobs.

Access Control: The Access Control screen can be used to control the users and the roles performed by them on the application. The sidebar contains items for Manage Users, Manage Roles, Manage Groups and Password Control. The Actions button provides access to Create User, Create Role and Create Group.

Connection Types: The Connection Types screen provides access to create and manage connection types for various imports (User, Resource, Glossary, Certification). The sidebar displays a list of existing connectors, while the Actions button lets you Add New Connection, Upload File or Download Files.

Email Templates: This screen lets you create templates that the system or a user can use to send out emails. A full listing of existing email templates is shown; you can create a new template based on an existing one, or use the Actions>Create New Email Template option to design a completely new template.

Metadata: Set criticality values for users, peer groups, resources, activity accounts and transactions, access accounts and access attribute values by setting conditions for selection criteria.

Criticality: The Criticality screen lets you set the criticality of users, peer groups, resources and activities to high, medium or low.

Auditing: The Auditing screen displays all the activities performed on the application. These actions include users logging in or logging out, running jobs and others. Audit logs may be exported from this screen, and you can check for tampered logs with the Actions>Check Log Tampering option.

Clustering: Clustering can be used for load balancing. Slide switches on the screen configure Auto Update and Enabling Clustering. You can register new nodes on the clustering screen by clicking Actions>Register New Node.

Universal Forwarder: Lists existing Hosts, Application URLs and Actions. Use Actions>Register Universal Forwarder to configure new forwarders.

Threat Modeler: This screen lets you decide when a user, resource or organization is marked as High Risk. Values can be set to calculate the cumulative risk score.

Settings: Settings can be used for setting up SMTP server properties, privacy settings and setting up holiday profiles across the platform. Options on the Settings screen:

Application Settings

UI Preferences

DNS Servers


Holidays

Housekeeping Jobs

Manage License

Logging

Safe Domains

SMTP Server Settings

LDAP Authentication

Syslog Settings

SAML Settings

Application Logs

Jobs

The new job options accessed by clicking the Actions button are:

Import: Users, Activities, Access Entitlements, Glossary, Resources, Third Party Intelligence, Geolocation/Network Map, Account Metadata, Watch List, Lookup Data.

Run: Activity Geolocation, Archive Activity Data, Peer Creation Rules, Organization Creation Rules, Index Activity Transactions, Event Summarization Job.

Configure: Glossary Import, Resource Import. Importing users, activities, and access entitlements is discussed in the Importing Data section of this guide.

Jobs/Actions/Import

Import: Glossary

Navigate to Action>Import>Glossary to set up a job to import glossary files for datasources in your system. Configuration works like any other import job. You can start from the Import function, or use Action>Configure>Glossary Import. Specify a glossary file for the datasource, map the attributes and run the job.

Import: Resources

Navigate to Action>Import>Resources to configure the import resources jobs. In Step 1 select the connection type for the resources you’re importing. In Step 2, provide file information and attribute mappings. In Step 3, give the job a name and run immediately or at a scheduled date/time.

Import: Third Party Intelligence

Download the latest reported malicious IP addresses and domains from selected intelligence vendors. To add a new third party intelligence source, use the Configure>Connections options. Select the source, edit attribute mapping if necessary, select a connection type, give the job a name and run or schedule the job. To import a new threat intel feed into HP UBA, follow these steps:

Navigate to Configure>Jobs then Actions>Import>Third Party Intelligence.


On screen 1: Select TPI Source, select an existing connection or click Add New Connection.

Enter the connection details (example: importing Scoutvision Domains). The sample below is a Scoutvision file at UBS.

Connection name: Scoutvision_Domains

Connection Type for: Third Party Intelligence

Connection Type: File (choices are File, Hadoop, Maxmind and Web.)


Depending on the connection type, a Connection Details area will be displayed with additional fields to configure:

Filename or Pattern: domains (should match the input filename/pattern.)

Third Party Intelligence Parser: TPI File Tokenized Parser

Separator: , (in this example, the input file is a comma separated file.)

Token positions: 1 (enter the position of the IP address/domain name in the input file.)

Core: Click Add New TPI Source. For this example provide ‘ScoutvisionDomains’ as the core name and set criticality to ‘Medium’ (choices are High/Medium/Low.)


Under more settings, provide the location of the input file. For this example, the file is in /securonix/scoutvision/data.

Click Save when done configuring the connection. Select the new connection. Click More Settings to add additional context attributes to be imported. In the case of the Scoutvision domains, column 2 from the input file provides a short description of why the domain was malicious.

A threat intelligence feed might provide criticality for each malicious entity. If so, the normalization of criticality can be configured as shown below. HP UBA sets criticality ratings at:

0.01=Low

0.2=Medium

1=High

Example 1: Criticality is provided as a string

In this case, the application would set the appropriate criticality for each of the criticality string conditions provided.


Example 2: Criticality is provided as a numerical value.

In this case, the input file has criticality ratings from 0-10. The configuration below would normalize the criticality rating to ‘Low’ if the score is 0-3, ‘Medium’ if the score is 4-6 and ‘High’ if the score is 7-10.
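As an added example (not HP UBA code and not from this guide), the following Python reproduces what the TPI File Tokenized Parser settings and the two normalization examples above describe: a separator, a 1-based token position, an optional description column, and criticality normalization from either a string condition table or a 0-10 score onto the 0.01/0.2/1 ratings. The feed lines and the string condition table are constructed, and all function names are hypothetical.

```python
import csv
import io

# Criticality ratings as stated in the guide: 0.01=Low, 0.2=Medium, 1=High
CRITICALITY_RATING = {"Low": 0.01, "Medium": 0.2, "High": 1.0}


def normalize_string_criticality(value, conditions):
    """Example 1: the feed supplies criticality as a string.
    `conditions` stands in for the string-condition table an admin configures,
    modelled here as {label: [matching strings]} (hypothetical structure).
    Returns the label, or None when no condition matches."""
    needle = value.strip().lower()
    for label, strings in conditions.items():
        if needle in (s.lower() for s in strings):
            return label
    return None


def normalize_numeric_criticality(value, low_max=3, medium_max=6, high_max=10):
    """Example 2: the feed supplies a 0-10 score; Low for 0-3, Medium for 4-6,
    High for 7-10. Out-of-range or non-integer scores raise ValueError."""
    score = int(value)
    if score < 0 or score > high_max:
        raise ValueError(f"criticality score out of range: {score}")
    if score <= low_max:
        return "Low"
    if score <= medium_max:
        return "Medium"
    return "High"


def parse_tpi_feed(text, separator=",", token_position=1, description_position=None,
                   criticality_position=None, string_conditions=None,
                   core_criticality="Medium"):
    """Tokenized parser for a delimited threat-intel file.

    Positions are 1-based, as on the Connection Details screen. When the feed
    carries no criticality column every entry inherits the core's criticality.
    Returns (entries, skipped); skipped lists (line number, reason) for lines
    that were dropped rather than silently producing a bad indicator."""
    needed = [p for p in (token_position, description_position, criticality_position) if p]
    entries, skipped = [], []
    rows = csv.reader(io.StringIO(text), delimiter=separator)
    for lineno, row in enumerate(rows, start=1):
        if not row or not any(cell.strip() for cell in row):
            continue  # blank line
        if len(row) < max(needed):
            skipped.append((lineno, "too few columns"))
            continue
        indicator = row[token_position - 1].strip()
        if not indicator:
            skipped.append((lineno, "empty indicator"))
            continue
        label = core_criticality
        if criticality_position:
            raw = row[criticality_position - 1]
            try:
                if string_conditions is not None:
                    label = normalize_string_criticality(raw, string_conditions)
                else:
                    label = normalize_numeric_criticality(raw)
            except ValueError:
                label = None
            if label is None:
                skipped.append((lineno, f"unrecognised criticality {raw!r}"))
                continue
        description = row[description_position - 1].strip() if description_position else ""
        entries.append({"indicator": indicator, "description": description,
                        "criticality": label, "rating": CRITICALITY_RATING[label]})
    return entries, skipped


# Constructed sample feed in the layout the guide describes (domain in column 1,
# reason in column 2); column 3 holds a 0-10 score. Not a real Scoutvision file.
SAMPLE_NUMERIC_FEED = """\
phish-sample.invalid,credential phishing page,8
adware-sample.invalid,adware download host,2
spam-sample.invalid,spam mailer,5

broken line without score
"""

# Constructed sample where column 3 is a string, plus a condition table for it.
SAMPLE_STRING_FEED = """\
c2-sample.invalid,botnet controller,critical
tracker-sample.invalid,tracking pixel host,info
"""
STRING_CONDITIONS = {"High": ["critical", "severe"],
                     "Medium": ["moderate", "warning"],
                     "Low": ["info", "low"]}

if __name__ == "__main__":
    entries, skipped = parse_tpi_feed(SAMPLE_NUMERIC_FEED, description_position=2,
                                      criticality_position=3)
    for entry in entries:
        print(entry)
    print("skipped:", skipped)
```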

Click Next when finished in the More Settings area. On the 2: Run Job screen, you can set a time to run the job later, or just click Run to run immediately.


Import: Geolocation/Network Map Data

Geolocation data represents the location information for IP addresses (city, state, country, etc.) The Network map represents the zone for the IP addresses (example: LAN, DMZ, VPN, WIFI – contiguous IP addresses). The application indexes the geolocation/network map data and uses it to enrich event data. By inserting the geolocation/network map information in every event, the application is able to use this data for threat detection, reporting and alerting. Geolocation data is typically imported from Maxmind (GeoIPCityLite DB), normalized and indexed into the ipmapping core.

This import can be run as a scheduled job to get the latest available geolocation data from Maxmind.

The Network Map is imported from a comma delimited flat file. The application supports CIDR (Classless Inter-Domain Routing) formatted IP addresses and even IP ranges (from—to).

Importing Geolocation Data from MaxMind

In order to import geolocation data from MaxMind, follow the steps below:

Navigate to Configure>Jobs then Action>Import>Geolocation/Network Map.


In 1 Select source type: Available configurations: select MaxMind from the drop-down.

If MaxMind is not present, select Create new configuration to create a new connection.

Configuration name: MaxMind.

Select source type: MaxMind.

Attribute Mapping: set Country Code (Position 3), IP From (Position 1), IP To (Position 2).

Connection: MaxMind.

Set slide switch for Convert IP to Yes.

Click Save and Next. In 2 Run Job: enter a job name, description if wanted, enable or disable notifications for this job and select a schedule for the job.

How the Import Works

The application connects to the MaxMind geolocation site (http://geolite.maxmind.com/download/geoip/database/GeoLiteCity_CSV/GeoLiteCity-latest.zip) and downloads the latest geolocation mapping. That zip file contains the following two files:

GeoLiteCity-Blocks
startIpNum,endIpNum,locId
"16777216","16777471","17"
"16777472","16778239","49"

GeoLiteCity-Location
127083,"US","CA","Etna","96027",41.4158,-123.0274,813,530
127084,"US","WA","Ritzville","99169",47.0796,-118.4705,881,509

The application merges these two files to get the location information in the following format: startIpNum,endIpNum,location

Importing Network Map Data from a Delimited File

A network zone represents a contiguous block of IP addresses that is given a name. Generally, the network zones are provided in CIDR notation. Example: The block 192.168.100.0/22 represents the 1024 IPv4 addresses from 192.168.100.0 to 192.168.103.255. The same information may be provided in the form of IP From, IP To, location. This format is supported as well.
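As an added example (not HP UBA code and not from this guide), the following Python carries out both imports described above: the locId join of GeoLiteCity-Blocks with GeoLiteCity-Location into startIpNum,endIpNum,location rows, and a network map reader that accepts either cidr,zone or ipFrom,ipTo,zone rows, followed by a range lookup over the result. The Blocks and Location rows shown in the guide are reused; the Location rows for locId 17 and 49, the extra Blocks row and the network map are constructed, the Location column order is an assumption, and the function names are hypothetical.

```python
import bisect
import csv
import io
import ipaddress


def int_to_ip(n):
    """Integer IPv4 as stored in GeoLiteCity-Blocks -> dotted form (the Convert IP switch)."""
    return str(ipaddress.ip_address(n))


def merge_geolite(blocks_text, location_text):
    """Join GeoLiteCity-Blocks to GeoLiteCity-Location on locId and return
    (startIpNum, endIpNum, location) tuples sorted by start address.
    Assumes Location columns are locId,country,region,city,... (assumption).
    locIds with no Location entry are reported separately instead of dropped."""
    locations = {}
    for row in csv.reader(io.StringIO(location_text)):
        if not row or not row[0].strip().isdigit():
            continue  # blank line, header or copyright line
        loc_id, country, region, city = row[0], row[1], row[2], row[3]
        locations[loc_id] = ", ".join(p for p in (city, region, country) if p)
    merged, unresolved = [], []
    for row in csv.reader(io.StringIO(blocks_text)):
        if not row or not row[0].strip().isdigit():
            continue  # skips the startIpNum,endIpNum,locId header
        start, end, loc_id = int(row[0]), int(row[1]), row[2]
        if end < start:
            raise ValueError(f"inverted block {row}")
        if loc_id not in locations:
            unresolved.append(loc_id)
            continue
        merged.append((start, end, locations[loc_id]))
    merged.sort()
    return merged, unresolved


def parse_network_map(text):
    """Network map rows are either `cidr,zone` or `ipFrom,ipTo,zone`.
    Returns (start, end, zone) tuples sorted by start address."""
    zones = []
    for row in csv.reader(io.StringIO(text)):
        cells = [c.strip() for c in row]
        if not cells or not cells[0] or cells[0].startswith("#"):
            continue
        if len(cells) == 2:
            net = ipaddress.ip_network(cells[0], strict=True)  # rejects host bits set
            start, end, zone = int(net.network_address), int(net.broadcast_address), cells[1]
        elif len(cells) == 3:
            start, end = int(ipaddress.ip_address(cells[0])), int(ipaddress.ip_address(cells[1]))
            zone = cells[2]
            if end < start:
                raise ValueError(f"inverted range {cells}")
        else:
            raise ValueError(f"unrecognised network map row {cells}")
        zones.append((start, end, zone))
    zones.sort()
    return zones


def lookup(ranges, ip):
    """Return the value (location or zone) of the range covering `ip`, else None."""
    n = int(ipaddress.ip_address(ip))
    i = bisect.bisect_right([r[0] for r in ranges], n) - 1
    if i >= 0 and ranges[i][0] <= n <= ranges[i][1]:
        return ranges[i][2]
    return None


# First two Blocks rows and first two Location rows are the ones shown in the
# guide; the rest are constructed so the join has matches and one unresolved id.
GEOLITECITY_BLOCKS = """\
startIpNum,endIpNum,locId
"16777216","16777471","17"
"16777472","16778239","49"
"16778240","16779263","999"
"""
GEOLITECITY_LOCATION = """\
127083,"US","CA","Etna","96027",41.4158,-123.0274,813,530
127084,"US","WA","Ritzville","99169",47.0796,-118.4705,881,509
17,"XX","","SampleCity17","",0.0,0.0,,
49,"XX","R1","","",0.0,0.0,,
"""
# Constructed network map mixing CIDR rows with one from/to row
NETWORK_MAP = """\
192.168.100.0/22,LAN
10.10.0.1,10.10.0.50,VPN
172.16.5.0/24,DMZ
"""

if __name__ == "__main__":
    geo, unresolved = merge_geolite(GEOLITECITY_BLOCKS, GEOLITECITY_LOCATION)
    for start, end, location in geo:
        print(int_to_ip(start), int_to_ip(end), location)
    print("unresolved locIds:", unresolved)
    zones = parse_network_map(NETWORK_MAP)
    print("192.168.103.255 ->", lookup(zones, "192.168.103.255"))
```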

In order to import data from a delimited file, follow the steps below:

Navigate to Configure>Jobs then Action>Import>Geolocation/Network Map.


In 1 Select source type: Available configurations: select Create new configuration from the drop-down.

Configuration name: Provide a name for the configuration.

Select source type: Network Classification.

Source Folder: Provide the path where the file is located (example: $HPUBA11/securonix_home/import/in).

Source file: Provide the name of the delimited file to import (example: cidr.csv).

Attribute mapping: CIDR field (Position 1), Location (Position 2).

Set slide switch to keep or delete old network classification. (Default: No)

Click Next. In 2 Run Job, enter a job name, description if wanted, enable or disable notifications for this job and select a schedule for the job. Click Save and run.

Import: Account Metadata

Select a connection to use for importing metadata, select Access or Activity and select properties to be included. Provide a job name and run or schedule. See Metadata, below, for more information.

Import: Watchlist

1 Configuration: Select or create a new configuration, select a connection, provide a file name and file info (delimiter, batch size and number of header lines.)

2 Mapping: Select the type of members for this watchlist; choices are Users, Access Account or Activity Account. Set the switch for “Import Watch List Members Only?” (Default: No) and configure field mappings.

3 Run Job: Give the job a name and run or schedule to run later.


Import: Lookup Data

1 Select Connection: Select or create a connection, select connection type, provide connection information based on type selected.

2 Configure Attribute Mapping: map attributes based on position in the file.

3 Run Job: Give the job a name and run or schedule for a later date/time.

Jobs/Actions/Run

Run: Activity Geolocation

Update the geolocation information from selected sources (configured in Import>Geolocation/Network map above).

Run: Archive Activity Data

See Archiving for details.

Run: Peer Creation Rules

See Chapter 6: Peer Groups.

Run: Organization Creation Rules

See Chapter 7: Organizations.

Run: Index Activity Transactions

1 Select Resource Group(s): select one or more datasources to index.

2 Run Job:

Name the job

Provide job description

Check Indexing For options

Accounts

Network Address

Transaction

Optional Settings:

Clear previous data? (Default No)

Database read batch size (default 100000).

Start and end dates.

Set notifications as needed and run job now or schedule for later.

Run: Event Summarization Job

1 Event summarization settings: Select datasources to be summarized: Choose All datasources or Selected datasources

Select job mode: Choose all data, incremental or manual date range selection.

2 Run Job: give the job a name, enable notifications as needed, run job or schedule for later.


Run: Export Third Party Intelligence Data

See Chapter 5: Exporting Data/Exporting Consolidated Threat Intel Feed.

Access Control

Configure role-based access control from the Configure>Access Control screen. Administrators can restrict access to authorized users based on roles. Roles are created based on job functions, with access to data restricted based on the roles assigned to analysts.

Some of the roles:

• Administrator: Can perform all functions in HP UBA.

• Operator: Can perform account/group management and view all configuration and reports. Should not be able to schedule or run any jobs or modify any resource groups, connections, etc. Should be able to view all audit logs and view all screens/configuration.

• Security Analyst: Can view all data for his/her business, from all screens.

• Access Reviewer: Only this role can launch certifications.

• Privacy master: Only this role can unmask the data to which he/she has access.

• Investigator: Takes action on cases generated.

Based on the roles assigned to analysts, administrators can restrict access to selected screens in the UI.

Set Up Access Control over Capabilities Accessible to Users

To begin setting up access control, determine the roles and the capabilities to be assigned to each role. Additionally, decide which users to assign to each role.

Setting up access control is a two-step process.

Create roles and assign capabilities to roles.

Create users and assign them to roles.

[Optional] Create groups and assign users to groups.

Note: Security groups make it easier to manage users by allowing for bulk actions. Permissions assigned to groups are inherited by all members within the group.

Create Users

Analysts can be granted access to the application and assigned certain privileges. To create a new analyst and grant privileges:

Navigate to Configure>Access Control and click Actions>Create User.

Step 1: Enter User Information

Provide the following details:

User Name.

Password: To authenticate the login.

First Name, Last Name and Email Address.

Set the Enabled? switch to Yes.


Click Next.

Step 2: Assign roles to the user.

Select the roles to assign to this analyst. Access will be restricted to certain screens in the UI based on role.

Click Next.

Step 3: Assign groups to the user

Based on groups selected, analysts will only be able to view/take actions on cases assigned to this group. Admin users can view all cases, regardless of the group to which the case is assigned.

Click Next. Note: Assigning organization access is optional.

Step 4: Assign organization access


In the final step, configure granular access control.

Select the organization(s) to which the analyst has access. Only users belonging to the selected organization can be viewed by the analyst.

In the same screen, click on the organization name. All users belonging to the selected organization (users that the analyst has access to) will be displayed.

Click Next to continue past Step 1, or click the Step 2 button at the top.

Step 2: Assign Resources – click Add Resources, select the resources to which the analyst has access, click the Add Resource(s) button at the bottom of the screen.


Back at the Step 2: Assign Resources screen, select which resources will be granted Administrative Access using the slide switches. Access can also be restricted at the resource group level. Click Restrict Resource Groups, choose the resource group to restrict access to (use the Add Resource Group(s) button as needed), click Finish.

Back at Create User/Step 4: Assign Organization Access screen, click Save.


Create Roles

Roles with meaningful names (example: Auditors, security operations, forensics, investigators) make it easier to perform access control. You can assign multiple capabilities to roles. These capabilities allow users to access certain modules of the application.

To create a new role, follow these steps:

Navigate to Configure>Access Control then Actions>Create Role.

Provide the following details and click Save:

Role Name: Enter the name for the role.

Description: Brief description about the privileges granted to the role.

Privileges: Grant privileges to the role (areas include: Dashboard, Manage, Detect, Respond, Reports, Configure and Access Request).

For this example we will grant this role all Dashboard privileges:


Scroll to the bottom of the Create Role screen and click Save. Privileges are grouped based on the module. Example: dashboard, manage, detect, respond, reports and configure. Select the required privileges under each group and add them to the role by clicking the > button. Once all the required privileges are assigned, save the role by clicking Save.

Typical Roles included in the application:

ROLE_ACCESSCERTIFIER: certify the access

ROLE_AUDITOR: IT Auditor

ROLE_ADMIN: Admin of the application

ROLE_LICENCEMANAGER: Performs license management

ROLE_PRIVACYMASTER: Gives permissions to decrypt the data.

Create Groups

By creating groups and assigning users to them, you have more control over user permissions. You can directly assign roles to groups and even organizations to groups. All users belonging to the group will inherit the roles and organizations assigned to the group.

To create a new group, follow these steps:

Navigate to Configure>Access Control then Actions>Create Group.

Provide the group details like name, type, email, mailbox and parent group. Click Next. Add users to the group, or click Next to bypass.


Assign roles to the groups, or click Next to bypass. Assign organizations to the groups (optional). Click Save.

Manage Users, Groups and Roles

From the Configure>Access Control screen, the options on the left sidebar menu allow you to edit settings for users, roles and groups as well as set password control options.


Manage Users

Available actions from icons on the right side of each user listing are:

• Change password

• Edit user

• Delete user

Manage Roles

Available actions are edit role (click the edit icon or click the role name) and delete role.

Manage Groups

Available actions are edit group (click on the group name) and delete.

Password Control

In the left sidebar menu in the Access Control area, set the switch to Yes to manage password settings.


Configuration options are:

Minimum Length – The minimum number of characters used in a password.

Maximum Length – The maximum number of characters used in a password.

Minimum Upper Case Letters – The minimum number of upper case letters required in a password.

Minimum Lower Case Letters – The minimum number of lower case letters required in a password.

Numbers Allowed? – By default, numbers are allowed in passwords. Toggle to No to disallow numbers in passwords.

Minimum Numbers – The minimum count of numbers required in a password.

Special Characters Allowed – This option only appears if Numbers Allowed? is set to Yes. By default, special characters are allowed in a password. Toggle to No to disallow special characters in a password.

Lock after ‘n’ login failures – The number of login attempts that will result in account lockout.

Password expiration period – The number of days before a password change is required.

Granular Access Control

Access can be further restricted at the following levels:

• Organization

• Resource

• Resource group

Analysts have access only to users belonging to assigned organizations and can only view accounts (access/activity) on those resources for which access has been provisioned.

At the resource level, access can be restricted to:

• Admin level access: Complete access to accounts (access/activity) on the resource, even for accounts owned by users not belonging to organizations for which the analyst has been granted access.

• Non-admin level access: Access only to those accounts (access/activity) on resources that are owned by users belonging to the organizations for which the analyst has been granted access.

• Resource-group level access: Access can be controlled at the data source level. If a resource is part of multiple resource groups, access can be restricted to accounts (access/activity) belonging to specific resource groups. For instance, if a resource is part of Windows Events and DLP: access can be restricted only to the DLP stream.

How Granular Access Control Works

The application looks at the roles and organizations associated with a user to make only the associated users and resources visible to that user.

>User logs into the application.

>Check for roles associated with the logged-in user.

>Check for organizations associated with the logged-in user.


>check for users associated with the organization.

>check for resources associated with the organization.

• The capabilities of the logged in user is based on the role assigned to the user.

• The list of users the logged in user ca see is limited based on organization users.

• The list of resources the logged in user can access is limited based on organization resources.

Set Up Granular Access Control

Follow the steps below to enable granular access control:

Navigate to Configure>Settings. Click Application Settings. Under Granular Access Control Settings, set Enable Data & Resource level Access Control to Yes.

Prerequisite: The steps below require organizations to be set up. You can create organizations by following the steps in Chapter 7: Organizations.

Restrict Access to View a Subset of Users

To restrict the users that are visible to a logged in user, assign the logged in user to an organization to which those users belong.

Follow the steps below to restrict access to certain users:

Navigate to Configure>Access Control. Click Manage Users (to apply to a single user) or Manage Groups (to apply to a group of users). Select the user or group whose access you want to restrict. Skip to Step 4: Assign organization access.

From the list of available organizations, select the organization to which you want to restrict the view and set the slide switch to Yes.

If you want to see details about the organization, click the name. You can view the users that belong to the organization or add users to the organization.


Before setting access control (note Department list)


After setting access control (Department only Data Services)

Restrict Access to View a Subset of Resources

To restrict the resources that are visible to a logged in user, assign the logged in user to an organization with ownership over those resources. Follow the steps below to restrict access to certain resources:

Navigate to Configure>Access Control. Click Manage Users (to apply to a single user) or Manage Groups (to apply to a group of users). Select the user or group whose access you want to restrict. Skip to Step 4: Assign organization access. From the list of available organizations, select the organization to which you want to restrict the view. Click the organization to view the resources that belong to it, or click Add Resources to add resources to the organization.


Restrict Access to View All Events on a Resource

Some organizations have “Resource Owners” who need to view all events on a particular resource regardless of which users are assigned to their organization.

Example: James Owen is the technical owner of DLP. He needs to view all DLP violations, even for users who are not part of James’s organization. For other resources, we need to limit James’s view to only the users that belong to James’s organization.

Follow the steps below to set up Resource Administrators:

Navigate to Configure>Access Control. Click Manage Users (to apply to a single user) or Manage Groups (to apply to a group of users). Select the user or group whose access you want to restrict. Skip to Step 4: Assign organization access. From the list of available organizations, select the organization to which you want to restrict the view. Click the organization to view the resources that belong to it, or click Add Resources to add resources to the organization. Make sure that Administrative Access is toggled to Yes.

(See screenshot above)
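The visibility rules from How Granular Access Control Works and the Resource Administrator example above, as an added model (not product code) that shows which accounts an analyst like James Owen can see; the analyst, organizations, resources and accounts are constructed:

```python
"""Model of HP UBA granular access control (organization, resource and
resource-group level) as the guide describes it. Added example, not product
code: the analyst, organizations, resources and accounts below are constructed
to follow the guide's James Owen scenario."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Account:
    """One account record (access or activity) observed on a resource."""
    account_id: str
    resource: str        # resource the account lives on, e.g. "DLP"
    owner_org: str       # organization of the user who owns the account
    resource_group: str  # data source / stream the record arrived through


@dataclass(frozen=True)
class ResourceGrant:
    """Access provisioned for an analyst on one resource."""
    admin: bool = False                        # Administrative Access toggled to Yes
    resource_groups: frozenset = frozenset()   # empty: every stream on the resource


@dataclass
class Analyst:
    name: str
    organizations: frozenset                    # organizations assigned under Access Control
    grants: dict = field(default_factory=dict)  # resource name -> ResourceGrant


def can_view(analyst, account, granular_enabled=True):
    """Decide visibility of one account following the guide's three levels."""
    if not granular_enabled:
        # Enable Data & Resource level Access Control = No: only the role limits capabilities
        return True
    grant = analyst.grants.get(account.resource)
    if grant is None:
        return False  # no access provisioned on this resource
    if grant.resource_groups and account.resource_group not in grant.resource_groups:
        return False  # resource-group level restriction (e.g. DLP stream only)
    if grant.admin:
        return True   # admin level: every account on the resource, any organization
    # non-admin level: only accounts owned by users in the analyst's organizations
    return account.owner_org in analyst.organizations


def visible_accounts(analyst, accounts, granular_enabled=True):
    """Return the ids of the accounts the analyst may see, in input order."""
    return [a.account_id for a in accounts if can_view(analyst, a, granular_enabled)]


# Constructed sample data. "Endpoint" is a resource that is part of both the
# Windows Events and DLP resource groups, as in the guide's resource-group example.
ACCOUNTS = [
    Account("dlp-finance-01", "DLP", "Finance", "DLP"),
    Account("dlp-ds-01", "DLP", "Data Services", "DLP"),
    Account("win-finance-01", "Windows Events", "Finance", "Windows Events"),
    Account("win-ds-01", "Windows Events", "Data Services", "Windows Events"),
    Account("ep-ds-win", "Endpoint", "Data Services", "Windows Events"),
    Account("ep-ds-dlp", "Endpoint", "Data Services", "DLP"),
    Account("proxy-ds-01", "Web Proxy", "Data Services", "Web Proxy"),
]

# James Owen: member of Data Services, technical owner (admin) of DLP, ordinary
# access to Windows Events, only the DLP stream of Endpoint, no grant on Web Proxy.
JAMES = Analyst(
    "James Owen",
    frozenset({"Data Services"}),
    {
        "DLP": ResourceGrant(admin=True),
        "Windows Events": ResourceGrant(),
        "Endpoint": ResourceGrant(resource_groups=frozenset({"DLP"})),
    },
)

if __name__ == "__main__":
    print(visible_accounts(JAMES, ACCOUNTS))
    # ['dlp-finance-01', 'dlp-ds-01', 'win-ds-01', 'ep-ds-dlp']
```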

Connection Types

Configure and manage connection types. You can usually configure a new connection type as part of an import job, but if you need to edit an existing connection, or create a new one outside of another job, use the Configure>Connection Types screen.

The Actions drop-down gives you four options:

• Add new connection

• Upload file

• Download files

• Register connectors

You can view and edit details on any existing connector by clicking the connector name on the left side of the screen.


Email Templates

These templates are used when notifications are configured for specific job types. You can create your own email templates by clicking Actions>Create New Email Template and filling in the fields. There is a GUI editor for previewing and changing how your message will appear, including the ability to edit the HTML used behind the scenes for the templates. You can also create new templates from existing ones by clicking the icon at the far right on the template entries.

Email templates that are in the application “out of the box:”

Template Name | Used For | Functionality/Screen
Access Outlier | Alert on the detection of rogue access privileges | Detect Access Outliers
Access Certification Email | Alert on the detection of rogue access privileges | Detect Access Outliers
Policy Violations – Access | Alert sent when an access related policy violation is detected | Detect – Policy Violations
Policy Violations – User | Alert sent when a user related policy violation is detected | Detect – Policy Violations
Policy Violations | Alert sent when a policy violation is detected | Detect – Policy Violations
Real Time Check notification | Alert sent when any check fails during the real time import of events | Suspect Checks on Import Activity Screen
Activity Outlier | Alert on the detection of abnormal events | Detect Activity Outliers
Review Template | Alert sent when an activity review job is triggered | Respond Activity Reviews
Case Assignment | Alert sent when the case is assigned | Create Case
Case Management | Alert sent when an action is taken on a case | On taking an action on a case
User Notification Template | Template used when the violator is sent an email from the case management screen | Notify violator on case management screen
Job Status – Failed | Alert sent when a job fails to execute | Job Runs (User/Access, Activity Import and others)
Job Status – Successful | Alert sent when a job executes successfully | Job Runs (User/Access, Activity Import and others)
User Import – new users notification | Notification sent when new users are detected during a user import job | Import users Job Runs
User Import – new hired users notification | Notification sent when new hires are detected during a user import job | Import users Job Runs
User Import – terminated users notification | Notification sent when terminated users are detected during a user import job | Import users Job Runs
User Import – transferred users notification | Notification sent when transferred users are detected during a user import job | Import users Job Runs
User Import – updated users notification | Notification sent when updated users are detected during a user import job | Import users Job Runs

Metadata

Available data management tasks

The following options are available for setting up metadata on different objects:

• User

• Peer Groups

• Resources

• Activity Accounts

• Activity Transaction

• Access Accounts

• Access Attribute Values

Setting Criticality, Activity and Access Account Types for Users, Peer Groups and Resources

You can set the criticality level and the type of activity or access account that users, peer groups or resources will be assigned, based on selection criteria.

Navigate to Configure>Metadata. Choose Users, Peer Groups or Resources in the left panel (see above). Provide selection conditions for this object; the system defaults to the object type selected in the left menu. Example: set criticality=High for all users that have a title containing “Administrator”.

You can click any of the other 3 buttons to set other user account metadata:

• Activity Account type (choices are regular, service, system, shared, firecall and high privileged).

• Access Account type (same choices).

• Access and Activity type (same choices, but use this to set both at once to the same value).


Click Next when done. Enter a name for the job, select to run now or at a later date/time. Click Save and Run.

The same options are shown for the three objects (users, peer groups or resources).

Setting Criticality and Activity Account Types for Activity Accounts and Activity Transactions

You can set the criticality level and the type of activity account to be assigned, based on selection criteria.

Navigate to Configure>Metadata. Choose Activity Accounts or Activity Transaction in the left panel (see above). Provide selection conditions for this object; the system defaults to the object type selected in the left menu. You can click the other button to set account metadata: Activity Account type (choices are regular, service, system, shared, firecall and high privileged).

Click Next when done. Enter a name for the job, select to run now or at a later date/time. Click Save and Run.

Setting Criticality and Access Account Types for Access Accounts and Access Attribute Values

You can set the criticality level and the type of access account to be assigned, based on selection criteria.

Navigate to Configure>Metadata. Choose Access Accounts or Access Attribute Values in the left panel (see above). Provide selection conditions for this object; the system defaults to the object type selected in the left menu. You can click the other button to set account metadata: Access Account type (choices are regular, service, system, shared, firecall and high privileged).

Click Next when done. Enter a name for the job, select to run now or at a later date/time. Click Save and Run.


Auditing

The application provides an Auditing option under the Configure menu. It stores every activity performed by a logged in user, from logging into the application to logging out. Click the Actions drop-down to get a view of suspected log tampering events.

Clustering

See Installation Guide: Deploy HP UBA in a Master/Child Architecture.

Universal Forwarder

Workflows

HP UBA installs several default workflows to handle incident/case management. It is possible to create custom workflows for specific needs, or to make changes to the existing workflows.

On the Workflows screen you can see both “User Defined” and “System” workflows, and create a new workflow from the Actions drop-down.

Workflows can be configured to generate cases against high risk users once they are identified by the HP UBA platform. HP UBA provides out-of-the-box capabilities to configure highly customizable workflows.


To configure workflows perform the following steps:

Navigate to Configure>Workflows, then Actions>Create New Workflow.

On the General Details screen, enter a name for the workflow. You can select one or all of the Assign to options (Group, User and Other). The order in which the options are selected will be the order in which the application will try to assign the case. For instance, if the order is Group followed by User, HP UBA will try to assign the case to the group. If the group isn't available, then the case gets assigned to the individual selected.

In the Default Assign to area, you can reorder the three options by dragging and dropping.

With each assignment option, there will be choices: For selected Group:

For selected User:


For assigning to Other:

Select from existing email notification templates, or create a new one:

Click Save and Next. In 2: Configure Workflow Case Step(s), the Open step is already in place. Add actions to the step by clicking + Add Action.


The Add Action screen has configuration options for assigning the case, executing pre-defined functions, changing the case status, sending notifications, popping up a user input form and updating SLAs.

If you set Show User Input Form? to Yes, you are given options for setting up an input screen that will be displayed to the user on taking this action. Fields that can be added to an input screen include text, dropdown menu choices, rich text and assignment option, date and file upload. You can add fields all in one section or create new screen sections. Input can be made required by setting the slide switch as needed.


Add Workflow steps by clicking + Add Workflow Step. Note in the screen below, we created a step for closing the workflow and changing the status to Completed, which in turn, created the Completed step.

When you’re done configuring steps and actions, your new workflow will be available in the left sidebar menu:

Add JIRA Ticketing Integration to Workflows

Select a workflow to which you want to add JIRA ticketing. In 2: Configure Workflow Case Step(s), under whichever workflow step you want the JIRA ticketing to happen, click Add Action. Enter the action name and select the function called Create JIRA Issue. Toggle Show User Input Form. Now click Design New Screen. Enter field labels for Description and Summary. (Note: these two labels are required.) Set the Description field to rich text, set dimensions for the field and toggle Required to Yes. Set the Summary field to text; Required will already be toggled to Yes. Click Save. Click the radio button for your JIRA screen. Click Save to save changes to the Action.


Navigate to Respond>Incidents to see cases with JIRA tickets. Click the ticket number to be redirected to the actual ticket.

The following configuration is needed to poll JIRA for status updates. Enable the job by adding the following entry to application-context.xml under the <StartupJobs> tag (the frequency and interval values are described under Startup Jobs in the Settings section):

<job name="JiraPollJob" enabled="true" forceReschedule="false" frequency="<as desired>" interval="<as desired>" />

Note: The assignee must be present in both sec_user and JIRA.

Threat Modeler

Single events seldom detect threats on their own, but they are indicators of compromise. A combination of multiple indicators of compromise will highlight true threats. Risky behavior can be found by watching for new or unusual events:

• Never before seen transactions (interactive login on a domain controller, payment authorization, accessing files never before used).

• Never before used host (new IP).

• High volume of transactions (high number of failed logons, high number of TCP firewall denies, transfers of $0.01 a billion times, accessing 1,000 patient/client/customer records).

• High total amounts (10GB firewall transfer, $50,000 payment).

The threat modeling capability lets users decide what combination of violations constitute a bigger threat than a single violation being repeatedly performed. Some example scenarios:

• Consider a user who has had a bad performance review. Suddenly that user starts visiting career-related websites over an extended period. Visiting such websites alone does not indicate an insider threat.

• A user with a bad performance review starts going to career-related websites (again, not a threat by itself). In addition, he also starts downloading documents to his local machine and going to external upload sites. Emails sent from his inbox have attachments and are being sent to his personal account.

Which of the above scenarios would be considered a serious threat? It would be the second one.

We see that an employee who is not happy in the company has started downloading and sending out documents, which is a case of Data Exfiltration. HP UBA has the capability to create combinations of rules and provide weights (scores) to each individual rule in order to flag high risk threats.

Configuring Threat Models

Threat modeling combines policies into threat models. To start threat modeling, we need to create the individual policies to combine into threat models. See Chapter 8: Policies for the details on creating individual policies. A typical policy screen looks like the one below:


Follow these steps to configure a threat model:

Navigate to Configure>Threat Modeler, then Actions>Create Threat Model. Specify the parameters shown on the screen:

• Threat Model Name.

• Policy Category (select from the drop-down menu).

• Weight Type:

o Static Risk Scoring will set a static score for all users based on the weight selected. Example: if the weight selected is 10, all users will have a score of 10.

o Weight Multiplier calculates the risk score as a multiplier of the weight and the criticality of the selected policies.

• Weight: use the slide bar to set a value from 0 to 10.

Add rules and select policies that are violated.

Once all the desired rules are set, click Save.
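The two scenarios above scored by a threat model configured as described in these steps, as an added example that is not product code. The guide does not spell out how rules match or how the multiplier is applied, so two assumptions are made and labelled in the code: a rule matches when the user has violated every policy in it, and the Weight Multiplier score is the weight times the summed criticality of the policies in the best-matching rule; policy names, criticalities and the two users are constructed.

```python
"""Score users against an HP UBA-style threat model. Added example, not
product code. Assumptions (the guide leaves both open): a rule matches when
the user violated every policy listed in it, and Weight Multiplier scoring is
weight * sum(criticality of the policies in the highest-scoring matched rule).
Policy names, criticalities and the users are constructed."""
from dataclasses import dataclass

# Constructed criticality per policy, as it would be set in Chapter 8: Policies
POLICY_CRITICALITY = {
    "bad_performance_review": 1,
    "career_site_browsing": 1,
    "bulk_document_download": 3,
    "external_upload_site": 4,
    "email_attachment_to_personal": 4,
}


@dataclass
class ThreatModel:
    name: str
    weight_type: str  # "static" (Static Risk Scoring) or "multiplier" (Weight Multiplier)
    weight: int       # slide bar value, 0 to 10
    rules: list       # each rule is a set of policy names that must all be violated

    def __post_init__(self):
        if self.weight_type not in ("static", "multiplier"):
            raise ValueError("weight_type must be 'static' or 'multiplier'")
        if not 0 <= self.weight <= 10:
            raise ValueError("weight must be between 0 and 10")
        unknown = set().union(*self.rules) - POLICY_CRITICALITY.keys()
        if unknown:
            raise ValueError(f"rules reference undefined policies: {sorted(unknown)}")


def matched_rules(model, violated):
    """Rules whose policies are all present in the user's violated set (assumption)."""
    return [rule for rule in model.rules if rule <= violated]


def risk_score(model, violated):
    """Risk score for one user's set of violated policy names."""
    matches = matched_rules(model, violated)
    if not matches:
        return 0
    if model.weight_type == "static":
        return model.weight  # every matching user gets exactly the weight
    # Weight Multiplier (assumed form): weight times the criticality of the
    # policies in the matched rule with the highest total criticality
    return model.weight * max(sum(POLICY_CRITICALITY[p] for p in rule) for rule in matches)


def score_all(model, users):
    """Map each user name to its risk score under the model."""
    return {user: risk_score(model, violated) for user, violated in users.items()}


# Constructed model for the guide's data exfiltration scenario: two rules, each a
# combination of policies that together outweigh any single repeated violation.
EXFIL_RULES = [
    {"bad_performance_review", "career_site_browsing",
     "bulk_document_download", "external_upload_site"},
    {"bad_performance_review", "career_site_browsing", "email_attachment_to_personal"},
]
MULTIPLIER_MODEL = ThreatModel("Disgruntled employee data exfiltration", "multiplier", 8, EXFIL_RULES)
STATIC_MODEL = ThreatModel("Disgruntled employee data exfiltration (static)", "static", 10, EXFIL_RULES)

# Constructed violations mirroring the two scenarios in the guide
USERS = {
    "alice": {"bad_performance_review", "career_site_browsing"},
    "bob": {"bad_performance_review", "career_site_browsing", "bulk_document_download",
            "external_upload_site", "email_attachment_to_personal"},
}

if __name__ == "__main__":
    print(score_all(MULTIPLIER_MODEL, USERS))  # {'alice': 0, 'bob': 72}
    print(score_all(STATIC_MODEL, USERS))      # {'alice': 0, 'bob': 10}
```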


To run the Threat Modeler, click Play.

Once the job completes, the results can be reviewed by clicking on the highlighted icon on the right side.

Threat model results screen


Settings

Navigate to Configure>Settings for access to application customization options.

Application Settings

General Settings

• Application time zone: The time zone for the application server.

• Database time zone: The time zone for the database server.

• Date format: Select from multiple date/time formats from the drop-down box.

• Session timeout: Enter a timeout period for sessions in seconds.

• Web services

The application provides a RESTful web services API. For more information about the RESTful API, refer to Chapter 11: Web Services.

Web services: Enable or disable the RESTful Webservices API.

Token authentication required for web services? The RESTful Webservices API can be secured by using a token. If enabled, each web services call must be made using the assigned token.

Data Import Settings

The application is multithreaded. Each event file is processed by spawning multiple threads. Each thread simultaneously parses the event log file, performs correlation and inserts the processed log into the database. Configure settings for various activities in this section.

• Multithreading: Use the Yes/No switch to enable or disable parallel processing in the application. If Yes is selected, configure the following areas, as well:

For Activity Import:

Maximum Threads: The number of threads spawned during the import of activities/events (default: 20).

Maximum Lines per Thread: The number of lines processed by each thread (default: 10000).

Each user file is processed by spawning multiple threads. Each thread simultaneously parses the user file, checks for identity lifecycle changes and inserts the processed data into the database.

For User Import:

Maximum Threads: The number of threads spawned during the import of users (default: 20).

Maximum Lines per Thread: The number of lines processed by each thread (default: 10000).

• Preview data refresh interval: Specify the number of minutes for which the preview data is cached. During this period, if the Preview button is clicked again, the application retrieves preview data from cache, otherwise refreshes from the data source.


• Save events after each file imported (Yes/No): Enable this setting if you wish to save the events after each file is processed. If set to No, all the files matching the file pattern will be processed prior to saving to the database.

• Split input event file into smaller files (Yes/No): Use this setting to split the input file to smaller chunks for processing. If an extremely large file is encountered (> 1 GB), you can split the file to increase the processing speed.

• Clear correlation (Yes/No): Makes the disabled access account (disabled during access import) an orphan and removes the past correlation.

• Clear attributes (Yes/No): Removes all access attributes from the disabled access account (disabled during access import).

• Ignore Account Name Case (Yes/No): Imports all accounts as all upper case. If the same account name is encountered with lower case and upper case, this setting prevents duplicate account names.

• Archiving Settings (Yes/No): Enable archiving older logs, jobs and error logs cleanup. If yes, configure the following archiving parameters:

Archive logs older than (Weekly): Enter a number of weeks. Logs older than the entered number of weeks will be archived.

Enable job cleanup (Yes/No): Enable or disable clean-up of archiving jobs.

Enable Error Log Cleanup (Yes/No): Enable or disable clean-up of error logs.

• Enable SiteMinder (Yes/No): Enables the application for user authentication and Single Sign-on using SiteMinder.

<siteminder enabled="false" hostname="company.com" logouturl="http://www.google.com"/>

Encryption/Masking Settings

Encryption encrypts data in the database. Masking encrypts it only in the UI. You can choose to encrypt or mask user and account details. When you configure encryption or masking, you can set a switch to allow anyone with the ROLE_PRIVACYMASTER to see that data unencrypted or unmasked without requiring a key or passphrase. If you do not set that switch for ROLE_PRIVACYMASTER, then users with that role will have to use a key/passphrase the same as a regular user to view encrypted or masked data.

With encryption or masking enabled, you will see switches in the User Import/Configure User Import screen to set for each user attribute.

User Import – masking

User Import – encrypt


When configuring encryption or masking you will be given the option to encrypt/mask existing user data and shown the attribute mapping screen from the User Import. If you haven’t imported any user identity data yet, this will not be an option.

Settings for Enabling Encryption

Select Enable encryption from the drop-down menu. Encrypt user details? is a Yes/No switch. When set to Yes, you will see buttons to check the user import configuration and be asked if you want to encrypt existing users and associated accounts.

After selecting Yes, there are two buttons:

Encrypt existing users or activity data?

o Clicking on this button brings up a Check configuration screen, which lets you configure which fields to encrypt in the user import.

o Click Edit user configuration to configure the fields. This will take you back to the Configure User Import screen and give you the option for setting encryption on or off for individual fields.


o Also in the Edit user configuration screen, you can set conditions under which to encrypt data, such as only for specific countries:

View encryption/decryption job details.

o This button will bring up a jobs screen showing all encryption/decryption/masking/unmasking jobs that have been configured.

Encrypt all associated accounts. Yes/No switch. If yes, encrypts selected data during access and activity import jobs as well as user-identity import jobs.

Settings for Enabling Masking

Mask user data is a Yes/No switch. When set to Yes, you will see a pop up to check the user import configuration (see above; these are the same configuration options as for encrypting user data).

After the configuration is set, you will be asked if you want to mask existing users and associated accounts. Here you can also mask associated accounts.


Check the appropriate boxes and click Continue. You will get a screen showing a preview count of the accounts that will be affected. Click Continue. Confirm that you want to mask data by clicking Yes. The job status screen will display; click Refresh until the status shows as complete.

At the end of the Encryption/Masking Settings screen is the PrivacyMaster switch: Do you want to show decrypted/unmasked data to users with ROLE_PRIVACYMASTER? Set as needed. Users with ROLE_PRIVACYMASTER will see encrypted or masked data in clear text. Those without that role will need to enter a key or password to decrypt or unmask data on the fly.

Unencrypting/Unmasking Data

Once data has been encrypted or masked, in order to go back to unencrypted or unmasked, follow these steps:

With Enable masking or Enable encryption selected from the dropdown, set the slide switch (Encrypt User Details or Mask User Details) to No.

A popup will ask for selections to unencrypt/unmask existing users and associated accounts. Make your selections and click Continue.

The next screen will show the number of accounts that will be unencrypted/unmasked; click Continue if it looks correct. Then click Yes in the confirmation screen.

Click Refresh on the job status screen until the job shows as complete.

Granular Access Control Settings

Enable data and resource-level access control (yes/no): If yes, allows access control based on organizations assigned to users. (Assign organizations to user in Configure>Access Control).

Quick Links

Add items to the “Quick Links” items on the top right of the application screen.

Startup Jobs

Add and control jobs to be run when the application starts. Options on this screen include:

Name: Name of the job.

Enable (yes/no): If yes, the job will be initialized if it does not exist. If no, the job will be deleted if it exists.

Force re-schedule (yes/no): Set to yes when config is changed. On next startup the existing job will be deleted, a new job will be created with a new config, and the flag is set back to no.


Frequency: Frequency of the job to be scheduled. Valid values are once, seconds, minutes, hourly, daily, weekly, monthly, yearly.

Time: Time at which job should be rerun, format is HH:MM:SS.

Interval: Interval after which the job should be re-run, expressed in the unit set in Frequency. For example, if you want a job to be automatically re-run every minute, you could set Frequency to minutes and Interval to 1, or Frequency to seconds and Interval to 60.
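A check over the Startup Jobs attributes described above and used by the JiraPollJob entry in the JIRA section, as an added example that is not part of HP UBA: the job element, its attributes and the allowed frequency values follow the guide, while the wrapper element of application-context.xml and the sample jobs are constructed.

```python
"""Validate <job> entries under <StartupJobs> in application-context.xml before
restarting the application. Added example, not part of HP UBA: element name,
attributes and allowed frequency values follow the guide; the <beans> wrapper
and the sample jobs are constructed."""
import re
import xml.etree.ElementTree as ET

FREQUENCIES = {"once", "seconds", "minutes", "hourly", "daily", "weekly", "monthly", "yearly"}
# Fixed-length units only: monthly/yearly depend on the calendar, once never repeats
SECONDS_PER_UNIT = {"seconds": 1, "minutes": 60, "hourly": 3600, "daily": 86400, "weekly": 604800}
TIME_RE = re.compile(r"^(?:[01]\d|2[0-3]):[0-5]\d:[0-5]\d$")  # HH:MM:SS


def validate_job(job):
    """Return the list of problems found in one <job> element (empty list = valid)."""
    problems = []
    if not job.get("name"):
        problems.append("missing name")
    for flag in ("enabled", "forceReschedule"):
        if job.get(flag) not in ("true", "false"):
            problems.append(f"{flag} must be true or false")
    freq = job.get("frequency")
    if freq not in FREQUENCIES:
        problems.append(f"frequency {freq!r} is not one of {sorted(FREQUENCIES)}")
    interval = job.get("interval")
    if freq != "once" and not (interval and interval.isdigit() and int(interval) > 0):
        problems.append("interval must be a positive integer")
    when = job.get("time")
    if when is not None and not TIME_RE.match(when):
        problems.append("time must be HH:MM:SS")
    return problems


def period_seconds(job):
    """Effective re-run period in seconds, or None when it is not a fixed length."""
    unit = SECONDS_PER_UNIT.get(job.get("frequency"))
    if unit is None or validate_job(job):
        return None
    return unit * int(job.get("interval"))


def check_startup_jobs(xml_text):
    """Map each job name under <StartupJobs> to its list of problems."""
    root = ET.fromstring(xml_text)
    report = {}
    for jobs in root.iter("StartupJobs"):
        for job in jobs.findall("job"):
            report[job.get("name") or "<unnamed>"] = validate_job(job)
    return report


def find_job(xml_text, name):
    """Return the <job> element with the given name, or None."""
    for job in ET.fromstring(xml_text).iter("job"):
        if job.get("name") == name:
            return job
    return None


# Constructed fragment; the real file's wrapper element may differ from <beans>.
# EveryMinuteA and EveryMinuteB are the guide's two equivalent ways of running
# a job once a minute; BrokenJob carries one error per attribute.
SAMPLE_XML = """<beans>
  <StartupJobs>
    <job name="JiraPollJob" enabled="true" forceReschedule="false" frequency="minutes" interval="5" />
    <job name="EveryMinuteA" enabled="true" forceReschedule="false" frequency="minutes" interval="1" />
    <job name="EveryMinuteB" enabled="true" forceReschedule="true" frequency="seconds" interval="60" />
    <job name="NightlyJob" enabled="true" forceReschedule="false" frequency="daily" interval="1" time="02:30:00" />
    <job name="BrokenJob" enabled="yes" forceReschedule="false" frequency="fortnightly" interval="0" time="25:00:00" />
  </StartupJobs>
</beans>"""

if __name__ == "__main__":
    for name, problems in check_startup_jobs(SAMPLE_XML).items():
        print(name, "OK" if not problems else problems)
```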

When you have made all desired changes to the General Settings options, click Save at the bottom of the page.

UI Preferences

Users can customize the order of the menu bar and drop-down menus, the order of the widgets in the sidebars for the Security and Administrative Dashboards, and can add a custom product description or other message to the log in screen.

From the Configure>Settings menu, click UI Preferences on the sidebar. From this screen, you can create a custom message to be displayed on the log in screen and re-arrange the order of menu entries and the sub menu entries that appear in the drop-downs.

To create a custom log in screen message, use the text entry screen under Login Page Product Description to create and format your message and click Save.


To rearrange menu and submenu items:

Click the arrow next to Re-order application menu, drag and drop main menu headings to change the order, drag and drop submenu headings to change the order in which they appear. Click Save when finished.

Application Menu

Drag and drop to reorder app menu items

DNS Server Add and change IP entries for your DNS servers.

Holidays Adding holidays can affect how the application will identify anomalous behaviors; for example, a user accessing data on a weekend or holiday when they normally would not be using the system.

Housekeeping Jobs Some records maintained by the application lose their value as the data gets stale and should be deleted after a period. The application provides housekeeping jobs to delete these stale records. Decide how long to maintain these records and configure the housekeeping jobs to remove old data.


Types of Housekeeping Jobs

Job Name: User Import History
Description: Every time a user import fires, the HP UBA application stores the history of the number of new users, deleted users, updated users, etc. This job clears this table based on the input days. Example query fired: DELETE FROM Userimporthistory WHERE importdate<Thu Sep 05 15:24:35 IST 2013

Job Name: Access/Activity/User Import Errors
Description: Clears the errors recorded while running Access/Activity/User imports. Example query fired: DELETE FROM Resourceimporterrors WHERE lastupdated<Sat Dec 14 15:30:30 IST 2013
Recommended Schedule: 30 days

Job Name: Risk Score Card History
Description: Clears the risk score card history data. Example query fired: DELETE FROM Riskscorecardhistory WHERE generatedtime<Thu Nov 14 15:36:51 IST 2013
Recommended Schedule: 180 days

Job Name: Policy Violations
Recommended Schedule: 90 days

Job Name: Auditing
Description: Clears the audit history. Example query fired: DELETE FROM Sysaudit WHERE logtime<Sat Dec 14 15:57:46 IST 2013
Recommended Schedule: 180 days

Job Name: Activity User IP Mapping
Description: Clears the activity user IP mapping that is maintained for IP address attribution. Example query fired: DELETE FROM Activityuseripmapping WHERE lastupdate<Sat May 03 16:03:11 IST 2014
Recommended Schedule: 90 days

Job Name: Completed Jobs
Description: Clears the completed jobs. Example query fired: DELETE FROM QuartzCustomFiredTriggers qcft WHERE qcft.startTime <= Sat May 03 16:38:43 IST 2014 and qcft.status in ('Completed','Completed with errors')
Recommended Schedule: 90 days

Job Name: Failed Jobs
Description: Clears the failed jobs. Example query fired: DELETE FROM QuartzCustomFiredTriggers qcft WHERE qcft.startTime < Sat May 03 16:41:10 IST 2014 and qcft.status in ('Failed')
Recommended Schedule: 90 days

Job Name: Clean Files
Description: Clears the files in the success folder and failed folder on the system. Inputs:
• Folder path(s): list of comma-separated folder paths (updated to support securonix_home).
• File name: file name or regex pattern of the files to be deleted from the above paths.
• No. of days: files modified before this many days ago are deleted.
• Include sub folders: also check inside the sub folders of the above paths.
• Remove non-empty files: delete files that contain data (this should be set to true by default).
Recommended Schedule: Varies with file volume per day (30 days)

Running Housekeeping Jobs

Navigate to Configure>Settings. Click Housekeeping Jobs in the left panel, then the button marked + Schedule Housekeeping Job. Choose the job that you want to run.


Provide a value for Remove all data from X days prior to today’s date. Click Next.

Give the job a name or accept the default. Use the slide switch to enable or disable notifications regarding job status. Provide the schedule for running this job. (Choices are Now, Seconds, Minutes, Hourly, Daily, Weekly, Monthly, Specify Date.) Note: The options vary depending on the type of schedule; enter a start time.

Click Save and Run.

Manage License Review your licenses for the application (installed when you logged on for the first time after installation; see Installation Guide/Install the license). View details about the current license, including the number of users and resources licensed, the license issue and expiration dates, and issuer details.

Uninstall the current license, if needed, and with the Install/Upgrade License options you can upload a new license and enter a new activation key.


Logging Set logging levels for modules, organized into “Parent” groups:

Safe Domains Create and maintain a list of safe domains.

SMTP Server Settings See Chapter 3: Post-Installation Activities for detail.

LDAP Authentication See Chapter 3: Post-Installation Activities for detail.

Syslog Settings Syslog, if used, is configured as part of the HP UBA installation. Use this option to make changes to those settings, as needed.


SAML Settings Security Assertion Markup Language (SAML) is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML settings are related to configuration of single-sign on (SSO).

Navigate to Configure>Settings, then SAML Settings in the left navigation bar.

There are three hyperlinks on the SAML Settings page:

Click here to generate new service provider metadata – click this link to generate the metadata.

This opens the SAML current Settings screen, with options to select and change:


Entity Id: Entity ID is a unique identifier for an identity or service provider. Value is included in the generated metadata.

Entity Base URL: Base to generate URLs for this server. For example: https://myServer:443/saml-app. The public address your server will be accessed from should be used here.

Entity Alias: Alias is an internal mechanism allowing collocating multiple service providers on one server. Alias must be unique.

Include IDP Discovery

SSO Bindings: post, PAOS, Artifact

Sign metadata: If true, the generated metadata will be digitally signed using the specified signature key.

Sign sent AuthNRequests

Require signed authentication Assertion: If true the generated metadata will be digitally signed using the specified signature key.

Require signed LogoutRequest

Require signed LogoutResponse

Require signed ArtifactResolve

Click Generate Metadata when done with the settings.

List of service providers – Shows a list of hyperlinked providers, which you can click for detail and an option to download the metadata.

List of registered identity providers – Also shows a list of hyperlinked providers to click for detail and an option to download metadata.


Application Logs Display application logs and set application logs to auto update (if yes, an option to disable the auto update after a specified period is offered).

Encrypt/Decrypt Text Provides the ability to encrypt/decrypt plain text on the fly. Type text in the box and click Encrypt.


Tweaking Event Import Performance

The Event Import Job The event import job is a scheduled job that reads the input log, applies line filters, normalizes the events into individual fields, performs identity correlation, processes the operators attached to the import, aggregates the events and finally saves the data to the database. The volume of data to be processed may be extremely large and may be provided in a single large file or individual smaller files. In order to optimize the import process, the HP User Behavior Analytics application provides parameters that can be adjusted to meet the demands of the import process.

Parameters Available for Event Import The application is multithreaded and spawns multiple threads to handle the import of large volumes of data. Each thread spawned during the import can handle a certain number of lines in the source log file.

This flow is followed when events are imported:

1. Import job triggered.
2. Spawn the specified number of threads.
3. If Split input file is set to Yes, split the file into smaller chunks of X lines each.
4. Each thread reads the specified number of lines from the source log file.
5. Each thread performs operations on the lines read (normalization, identity correlation, operators).
6. If Save events after each file imported is set to Yes, the data is saved to the database prior to reading the next file. If No, the next file is read without saving to the database.

The following parameters are available during import and are managed under Configure>Settings>Application Settings>Data Import Settings:

Multithreading: Slide switch Yes/No

For activity import

Maximum Threads: 20

Maximum Lines Per Thread: 10000

For User import

Maximum Threads: 20

Maximum Lines Per Thread: 10000

Preview data refresh interval. (Time in minutes after which data will be refreshed from the data source.)

Save events after each file imported: Slide switch Yes/No.

Split input event file into smaller files: Slide switch Yes/No. If Yes:

Lines per file: 1000000

Notes: When selecting the number of threads to spawn, be aware of the number of cores available on the server where the application is running.


Choose to split the input file into smaller files when the input file is larger than 1 GB.

Always choose to save events after each file is imported, unless you have several smaller files that must be processed in a batch.

Clear Correlation: Slide switch Yes/No.

Clear Attributes: Slide switch Yes/No.

Ignore account name case: Slide switch Yes/No.

Archiving Settings: Slide switch Yes/No. If Yes:

Archive logs older than (Weekly)

Archive logs older than (Monthly)

Enable job cleanup: Slide switch Yes/No.

Enable error log cleanup: Slide switch Yes/No.

Enable Site Minder: Slide switch Yes/No.

Backup and Restore

Folder Backup There are two folders to back up regularly:

• securonix_home

• Tomcat

The recommended backup interval is weekly, retaining the last two backups in the event a restoration is necessary. Run the script below to back up the two folders.

securonix_home and Tomcat Folders Back Up

#!/bin/bash
# Destination folders for the archives
output=/securonix/archive/securonix_home/
output1=/securonix/archive/tomcat/
datum=`date +%Y%m%d`
echo "$datum"
# The z flag gzip-compresses the archive, as the .tar.gz name implies
tar czvf "$output"securonix_home_"$datum".tar.gz /securonix/securonix_home
tar czvf "$output1"Tomcat_"$datum".tar.gz /securonix/Tomcat

Backing up the Database

On Demand Backup

mysqldump -h localhost -u username -ppassword securonix > securonix_$datum.sql

Automated Backup

To automate the backups, set up Cron jobs to run the backup scripts regularly. Back up the database daily. The following database backup script will back up the database, compress the file and delete the .sql file:


#!/bin/bash
datum=`date +%Y%m%d`
dest1=/securonix/backup/database
echo $dest1
# Dump the database, compress the dump, then remove the uncompressed .sql file
mysqldump -h localhost -u username -ppassword securonix > "$dest1"/securonix_$datum.sql
tar czvf $dest1/securonix_$datum.tar.gz $dest1/securonix_$datum.sql
rm -f $dest1/securonix_$datum.sql

Incremental Database Script

If you are using Active/Passive node architecture, you can back up the active node database on the passive node. Use the following script for active/passive backups:

#!/bin/bash
echo "Changing permission for output folder"
chmod -R 755 /securonix/archive/database
echo "Permission for output folder changed"
dbuser=root
dbpass=password
dbname=securonix
output=/securonix/archive/database
datum=`date +%Y%m%d`
# At 18:00 take a full dump and start a new binary log; at any other hour only rotate the binary log
if [ `date +%H` == "18" ]
then
    echo "all existing full backup and binary log files will be removed"
    rm -f /securonix/database/data/mysql/mysql-bin*.zip
    rm -f "$output"/*.sql
    echo "Daily full backup started at `date`"
    mysqldump -u"$dbuser" -p"$dbpass" $dbname > "$output"/"$dbname"_"$datum".sql
    zip "$output"/"$dbname"_"$datum".zip "$output"/"$dbname"_"$datum".sql
    echo "HP User Behavior Analytics database backup completed"
    echo "starting new binary log"
    mysqladmin -u"$dbuser" -p"$dbpass" flush-logs
    echo "new binary log generated"
else
    echo "starting new binary log"
    mysqladmin -u"$dbuser" -p"$dbpass" flush-logs
    echo "new binary log generated"
fi
# Replay every closed binary log (all but the newest one) on the passive node, then delete it
latestlog=`ls -Alrt /securonix/database/data/mysql/mysql-bin.??????|tail -1|awk '{print $9}'`
echo "$latestlog"
for file in `ls -Alrt /securonix/database/data/mysql/mysql-bin.??????|awk '{print $9}'`
do
    if [ "$file" != "$latestlog" ]
    then
        echo " begin writing to remote db server "
        echo "$file"
        mysqlbinlog $file | mysql -h PASSIVENODE -u"$dbuser" -p"$dbpass"
        echo " written to remote db server "
        rm "$file"
    fi
done

Set up cron Jobs


To automate the backup process, set up cron jobs to run the scripts.

Command> crontab -e
# Cron job for daily backup
0 14 * * * /securonix/scripts/databasebackup.sh > /securonix/scripts/flushlogs 2>&1

This will run the databasebackup.sh script every day at 2:00 pm.
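The backup scripts above pass the MySQL password on the command line (-ppassword) and keep every dump they produce. The following is an added example, not a script from the HP UBA guide: a variant of the database backup job that reads the password from a 0600 option file via mysqldump's --defaults-extra-file, streams the dump through gzip and verifies it, and keeps only the newest two backups, as the folder backup section recommends. The paths, file names and the "run" argument are assumptions for this example.

```shell
#!/bin/bash
# Added example, not from the HP UBA guide. Assumed paths; override via environment.
set -eu

DEST=${DEST:-/securonix/backup/database}
CRED_FILE=${CRED_FILE:-/securonix/scripts/.my_backup.cnf}
DBNAME=${DBNAME:-securonix}
KEEP=${KEEP:-2}

# Write a MySQL option file readable only by the backup user, so the password
# never appears in the process list or shell history.
# Usage: write_credentials_file <path> <user> <password>
write_credentials_file() {
    local path=$1 user=$2 password=$3
    ( umask 077; printf '[client]\nuser=%s\npassword=%s\nhost=localhost\n' "$user" "$password" > "$path" )
    chmod 600 "$path"
}

# Dump the database straight into gzip and drop the file if it fails verification.
# Usage: backup_database <dest_dir> <cred_file> <dbname>   (prints the archive path)
backup_database() {
    local dest=$1 cred=$2 db=$3 datum out
    datum=$(date +%Y%m%d_%H%M%S)
    out="$dest/${db}_${datum}.sql.gz"
    mkdir -p "$dest"
    # --defaults-extra-file must be the first option given to mysqldump.
    mysqldump --defaults-extra-file="$cred" --single-transaction "$db" | gzip -c > "$out"
    if ! gzip -t "$out"; then
        rm -f "$out"
        echo "backup of $db failed verification" >&2
        return 1
    fi
    echo "$out"
}

# Keep only the newest <keep> *.sql.gz files in <dest_dir>, newest by mtime.
# Usage: rotate_backups <dest_dir> <keep>
rotate_backups() {
    local dest=$1 keep=$2
    find "$dest" -maxdepth 1 -name '*.sql.gz' -printf '%T@ %p\n' \
        | sort -rn | cut -d' ' -f2- | tail -n +"$((keep + 1))" \
        | while IFS= read -r old; do
            rm -f -- "$old"
        done
}

# Number of backup archives currently in <dest_dir>.
count_backups() {
    find "$1" -maxdepth 1 -name '*.sql.gz' | wc -l | tr -d ' '
}

# Run end to end only when invoked as "<script> run", so the functions can be sourced.
if [ "${1:-}" = "run" ]; then
    backup_database "$DEST" "$CRED_FILE" "$DBNAME"
    rotate_backups "$DEST" "$KEEP"
fi
```

Create the option file once with write_credentials_file, then point the cron entry from the guide at this script with the run argument.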

Restoring the Application (Folder Restore) If you need to restore the application, transfer the folder archives to the desired location and uncompress the tar.gz files for:

• securonix_home

• Tomcat

How to Restore the Database Restore the database file securonix_[mmddyyyy].sql under /securonix/backup/database/. Go to the /securonix/backup/database folder:

cd /securonix/backup/database

Log in to mysql:

# mysql -uusername -ppassword

mysql> create database securonix;
mysql> use securonix;
mysql> source securonix_[mmddyyyy].sql;

Wait for the database restore to complete. Once the restore completes successfully, exit mysql. Next, revert the changes made to the /etc/my.cnf file earlier as shown above.

# /etc/init.d/mysql stop # vi /etc/my.cnf

Update the value of the key_buffer_size parameter to what it was before the restore process. Save this file and start MySQL:

# /etc/init.d/mysql start

Start the HP User Behavior Analytics application:

# cd <TOMCAT_HOME>/bin
# sudo ./startup.sh

Archiving

Introduction to Archiving The database may regularly cross 1 TB in size. The majority of the data stored in the database is normalized event data. The Activityfreqnwtime tables and the Activityfreqnwdaily tables store this normalized event data. The events identified as being part of a violation are housed in a separate table called policyviolationevents.

Depending on your need to store normalized events, you can archive the events that are older than a particular date. Archived events, however, will not be available for investigation.

The application provides for archiving of normalized event data into a separate database called securonixwarm. This database may be created locally or on a remote server; a separate server to house the securonixwarm database is recommended. Archiving is important to ensure that the database does not become extremely large, which would affect application performance.

Ultimately, data can be purged or moved to disk from the securonixwarm database.

Note: The typical recommendation for an archiving strategy is to retain 30 days of data and archive activity data older than 30 days.

Setting up Activity Data Archiving

1. Create the database securonixwarm, then copy the table structure of the securonix database into it:

mysqldump -u<sqlusername> -p<pass> -d securonix | mysql -u <sqlusername> -p<password> -Dsecuronixwarm

2. Edit securonix_home/conf/hibernate/hibernate.cfg.archive.xml and make changes to the MySQL settings: provide the JDBC URL, username and password. Do not use a datasource.

Archiving can be set per datasource or set globally. The setting provided per datasource supersedes the setting provided globally.

When creating any new datasource, you can specify the number of days prior to which data will be archived.

In order to set archiving globally, follow these steps:

a. Edit securonix_home/conf/application-context.xml.

b. Make sure you have the following tag:

<archiving enabled="true" archiveNumDays="30" enableJobCleanup="true" enableErrorLogCleanup="true" />

where archiveNumDays indicates the number of days prior to today. In this case, all data older than 30 days before today will be archived.

If you changed application-context.xml, restart the application. Run the archive job.

Navigate to Configure>Jobs then Action>Run Archive Activity Data.

Supervising Jobs The application provides a centralized console called the “Administrative Dashboard” to monitor the status of all jobs and review the amount of data being imported and maintained in the application.


Additionally, you can view completed jobs under Configure>Jobs (filter by Job Status or Job Type) and view the details of each job by clicking the Show Job Details icon.

The following values show up on an Activity Import Job:

• Data Source/File Name: Name of the datasource.

• Lines Processed: Lines available in the input file.

• Lines Imported: Lines after applying the line filter.

• Lines Failed: Lines that failed validation.

• Lines correlated (Net new values).

• Lines uncorrelated to any user.

• Lines Eligible: Lines eligible after line filter and validation.

• Last Updated: Completion time.

The HP User Behavior Analytics application also provides the capability to receive email notifications when a job completes successfully or fails. Out-of-the-box email templates are available for these jobs (Job Status -Successful and Job Status - Failed).


System Health Monitoring HP UBA recommends enabling the script to monitor CPU and memory utilization; emails should be sent out if CPU and memory utilization remain high over a certain period. In addition, monitor the root file system so that the disk space does not get full.

Storage Alert Levels configured on appliance:

• Medium: 50%

• High: 75%

• Critical: 90%

Monitoring Disk Usage

#!/bin/bash
# User modifiable variables:
RECIPIENT="<email_addr>,<email_addr>"
SENDER="<email_addr>"
# Change file systems to monitor below (NR>1 skips the df header line)...
IFS=$'\n'
FILESYSTEMS=($(df -k | /usr/bin/awk 'NR>1 {print $1}'))
# Thresholds as plain numbers so they can be compared numerically
THRESHOLD50=50
THRESHOLD75=75
THRESHOLD90=90
for FS in "${FILESYSTEMS[@]}"
do
    # Use% column with the trailing % removed
    UTILIZED=$(df -k "$FS" 2>/dev/null | /usr/bin/tail -1 | /usr/bin/awk '{print $5}' | tr -d '%')
    # Skip entries df could not report a numeric percentage for
    case "$UTILIZED" in ''|*[!0-9]*) continue ;; esac
    # Compare the utilized value against the thresholds, highest first:
    if [ "$UTILIZED" -ge "$THRESHOLD90" ]
    then
        LEVEL="Critical"
        THRESHOLD="$THRESHOLD90%"
    elif [ "$UTILIZED" -ge "$THRESHOLD75" ]
    then
        LEVEL="High"
        THRESHOLD="$THRESHOLD75%"
    elif [ "$UTILIZED" -ge "$THRESHOLD50" ]
    then
        LEVEL="Medium"
        THRESHOLD="$THRESHOLD50%"
    else
        continue
    fi
    SUBJECT="$LEVEL alert: Filesystem $FS on 192.168.1.10 is $UTILIZED% full!"
    MESSAGE="$SUBJECT Threshold is $THRESHOLD. Please review the storage requirements and plan accordingly."
    echo "$MESSAGE" | mailx -r "$SENDER" -s "$SUBJECT" "$RECIPIENT"
done
exit 0

Monitoring CPU Utilization

#!/bin/bash
# Sum the %CPU column for all processes listed by top (the first 7 lines are the header)
totalusage=$(top -bn 1 | awk '{print $9}' | tail -n +8 | awk '{s+=$1} END {print s}')
#echo "totalUsage: $totalusage"
roundvalue=${totalusage%.*}
# Divide by the number of cores (24 on the appliance) to get overall utilization in percent
UTILIZED=$((roundvalue/24))
#echo "percentUtilization: $UTILIZED"
# User modifiable variables:
RECIPIENT="<email_addr>,<email_addr>"
SENDER="<email_addr>"
THRESHOLD=80
SUBJECT="Alert: CPU utilization on 192.168.1.10 is $UTILIZED% !"
MESSAGE="$SUBJECT Threshold is $THRESHOLD%."
# Compare the utilized value against the threshold (numeric comparison):
if [ "$UTILIZED" -ge "$THRESHOLD" ]; then
    echo "$MESSAGE" | mailx -r "$SENDER" -s "$SUBJECT" "$RECIPIENT"
fi
exit 0

MySQL Service Script

#!/bin/sh
SERVICE='mysqld'
# Look for the service in the process list, excluding the grep itself
if ps ax | grep -v grep | grep $SERVICE > /dev/null
then
    echo "$SERVICE service running"
else
    echo "$SERVICE is not running"
    echo "$SERVICE is not running!" | mailx -r "<email_addr>" -s "$SERVICE down" "<email_addr>,<email_addr>"
fi

Tomcat Service Script

#!/bin/sh
SERVICE='tomcat'
# Look for the service in the process list, excluding the grep itself
if ps ax | grep -v grep | grep $SERVICE > /dev/null
then
    echo "$SERVICE service running"
else
    echo "$SERVICE is not running"
    echo "$SERVICE is not running!" | mailx -r "<email_addr>" -s "$SERVICE down" "<email_addr>,<email_addr>"
fi

Universal Forwarder Service Script

#!/bin/sh
SERVICE='UniversalForwarder'
# Look for the service in the process list, excluding the grep itself
if ps ax | grep -v grep | grep $SERVICE > /dev/null
then
    echo "$SERVICE service running"
else
    echo "$SERVICE is not running"
    echo "$SERVICE is not running!" | mailx -r "<email_addr>" -s "$SERVICE down" "<email_addr>,<email_addr>"
fi


Archiving Data from Success Folder to NAS Device Script

#!/bin/bash
today=`date +%Y%m%d`
dest="/mnt/storage/success"
# Process every completed import file that was not produced today
for old in `find /storage/securonix_home/import/success/*.csv.completed_01_02_* -type f | grep -v "$today"`
do
    # Folder name is the part of the file name before .csv; file keeps the full name
    fold=`echo $old | sed -r 's#/storage/securonix_home/import/success/(.*).csv.*#\1#'`
    file=`echo $old | sed -r 's#/storage/securonix_home/import/success/(.*.csv.*)#\1#'`
    if [ ! -d "$dest/$fold" ]
    then
        mkdir "$dest/$fold"
    fi
    # Archive all files belonging to this import and move the archive to the NAS
    tar -cvzf /storage/securonix_home/import/success/$fold-$today.tar.gz /storage/securonix_home/import/success/$fold.*
    mv -f /storage/securonix_home/import/success/$fold-$today.tar.gz $dest/$fold/$file
done


Chapter 11: Webservices The term “web services” describes a standardized way of integrating web-based applications using the XML, SOAP, WSDL and UDDI open standards over an Internet protocol.

Unlike traditional client/server models or models that provide applications through a web browser/web server / application server, web services do not provide the user with a Graphical User Interface (GUI). Web services instead share business logic, data and processes through a programmatic interface across a network.

Web services allow different applications from different sources to communicate. Web services are not tied to any one operating system or programming language.

Available web services Representational State Transfer (REST) defines a set of architectural principles for web services that focus on a system’s resources, including how resource states are addressed and transferred over HTTP by a wide range of clients written in different languages.

HP UBA provides a RESTful web services interface. The resources provided by the RESTful application programming interface (API) can be broadly classified as:

• Healthcheck (/healthcheck): Checks whether the application nodes are up or down.

• Token (/token): Used to get a new token or renew a token.

• Clustering (/clustering): Used to enable clustering and configure synchronization jobs.

• Functional (/function): Used for triggering the event import job.

• Listing (/list): Used to retrieve different types of data from the application.

• Policy (/policy): Used to retrieve security policy results.

• Scheduler (/scheduler): Used to trigger and rerun jobs.

• Access Outlier (/accessoutlier): Used to get results of Access Outlier jobs.

• Activity Outlier (/activityoutlier): Used to get results of Activity Outlier jobs.

• Case Management (/casemgmt): Used to get lists of open/closed cases.

• Event Import (/eventimport): Used to get previews of event import jobs.

Using the HP UBA REST API The uniform resource identifiers (URIs) for HP UBA endpoints are served off <protocol>://<host>:<port>/Profiler/ws/. Use the installation's protocol (http or https), host name and port. Note that the application's API can be secured with SSL by enabling SSL on the application server.

The HP UBA RESTful web services interface provides access to raw data and computed intelligence stored within the HP User Behavior Analytics data store, as well as the ability to trigger actions within the HP User Behavior Analytics application.

For a list of available web services, navigate to the following URL: http(s)://localhost:8080/Profiler/ws/application.wadl

Note: Replace localhost and port 8080 in the URL above with the IP address and port number of your application.


Securing RESTful Web Services The RESTful API can be secured using tokens, which are generated using a token service. The token service requires that valid credentials are provided. By default, the token generated is valid for one day and is stored in the database along with the IP address of the requestor. The validity period needed may also be passed in as part of the request.

During a call to any of the web services, the token is required in the request header and is validated by the application. The application also confirms the IP address of the client, to ensure that token generation and subsequent calls to the web service come from the same IP address.
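To make the token rules above concrete (default one-day validity, optional validity passed at generation, token bound to the requesting IP), here is an added example that is not HP UBA's code: a model of token issue and validation as two shell functions over a flat-file store. It assumes a store path in $TOKEN_STORE, 256-bit hex tokens, and a TOKEN_NOW variable that lets a test pin the clock; the real product keeps its tokens in the database.

```shell
#!/bin/bash
# Added example modelling the guide's token rules; not the product's implementation.
set -eu

TOKEN_STORE=${TOKEN_STORE:-/tmp/uba_token_store.txt}   # assumed location
DEFAULT_VALIDITY=86400                                  # one day, as the guide states

# Current time in epoch seconds; TOKEN_NOW overrides it for tests.
_now() { echo "${TOKEN_NOW:-$(date +%s)}"; }

# Issue a token to a caller whose credentials were accepted.
# Usage: generate_token <credentials_ok: yes|no> <client_ip> [validity_seconds]
# Prints the token; returns 1 if the credentials were not accepted.
generate_token() {
    local creds_ok=$1 client_ip=$2 validity=${3:-$DEFAULT_VALIDITY} token expiry
    if [ "$creds_ok" != "yes" ]; then
        echo "token generation refused: invalid credentials" >&2
        return 1
    fi
    token=$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')   # 256-bit random token
    expiry=$(( $(_now) + validity ))
    # Record the token with the IP it was issued to and its expiry: "token ip expiry".
    printf '%s %s %s\n' "$token" "$client_ip" "$expiry" >> "$TOKEN_STORE"
    echo "$token"
}

# Check a token presented on a later API call.
# Usage: validate_token <token> <client_ip>
# Returns 0 only if the token is known, unexpired, and presented from the IP it was issued to.
validate_token() {
    local token=$1 client_ip=$2 line stored_ip expiry
    line=$(grep -m1 "^$token " "$TOKEN_STORE" 2>/dev/null || true)
    if [ -z "$line" ]; then
        echo "rejected: unknown token" >&2
        return 1
    fi
    stored_ip=$(echo "$line" | cut -d' ' -f2)
    expiry=$(echo "$line" | cut -d' ' -f3)
    if [ "$(_now)" -ge "$expiry" ]; then
        echo "rejected: token expired" >&2
        return 1
    fi
    if [ "$stored_ip" != "$client_ip" ]; then
        # The guide's rule: a token copied to another host is useless, because
        # generation and use must come from the same IP address.
        echo "rejected: token issued to $stored_ip, presented from $client_ip" >&2
        return 1
    fi
    return 0
}
```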

Getting Started with Web Services In the HP UBA web interface, the web services API can be enabled by following these steps:

Navigate to Configure>Settings. Click on Application Settings in the left navigation bar. Under General Settings, set Web Services switch to Yes. To secure the web services, set Token Required For Web Services? to Yes.

This setting is maintained in the configuration file: application-context.xml. This file is located in the securonix_home/conf folder. The configured state of the web services is present in this file. Example:

<webservices enabled="true" tokenRequired="false"></webservices>

enabled – controls the activation of web service in the application.

tokenRequired – indicates whether token validation is required for accessing any web service. To deactivate the requirement for a token, set this value to false.

Debugging web services Enable detailed logging for web services by making the following changes in the log4j.properties file present in the Profiler/WEB-INF/classes folder of the web-application deployment folder. For tomcat this is TOMCAT_HOME/webapps.

How to Use Web Services Viewing Available Web Services For a complete listing of the available web services, navigate to http(s)://<host>:<port>/Profiler/ws/application.wadl

Note: Replace the protocol (http or https), the host and port in the URL above with the correct values for the installation of the HP User Behavior Analytics application.

The image below shows a summary of the wadl output. Each resource can be reviewed by the xml components.


Understanding GET and POST Functions The RESTful API provides GET and POST methods depending on the functionality that you are requesting. Examples of the use of GET and POST when accessing the API are:

GET: Used to retrieve information from the HP User Behavior Analytics application. In the image below the example shows a GET method and the required parameters for accessing the method.

Example: Entering the URL http://localhost:8080/Profiler/ws/list/allUsers lists all users within the system.


POST: Used to perform an action within the application, for example updateAccessAccountStatus. The input parameters allowed by the API for each resource and method are listed in the request param tags.

Return Data Format The web services provided by HP User Behavior Analytics can return data in either JSON or XML format. The application integrating with HP UBA must support making HTTP requests and parsing XML and/or JSON responses.

Web Service Details

Clustering WS: (/clustering)

Resource                   Description
/configureHibernate        Configuration of the database integration
/enableClustering          Enables clustering
/configureSyncNodesJob     Forces synchronization of data between nodes
/getHibernateProperties    Get properties for the database connection

Functional WS: (/function)

Resource               Description
/triggerEventImport    Trigger Event import job

HealthCheck WS: (/healthcheck)

Resource    Description
/node       Check for health status of child node (available in Master-Child architecture)
/nodeDb     Check for connectivity to node database from master database

Scheduler WS: (/scheduler)

Resource            Description
/getNextFireTime    Get next fire time for job
/rerunJobById       Rerun an existing job
/rerunJob           Rerun a job
/resumeTrigger      Resume a job
/interruptJob       Interrupt a job
/cancelJob          Cancel a running job
/deleteJob          Delete a job
/pauseTrigger       Pause a scheduled job

Token WS: (/token)

Resource     Description
/generate    Generate a new token
/validate    Request validation for a token
/renew       Renew an existing token

Tokens are generated from an application login and are valid for the number of days given in the validity parameter (see Web services sample application). Treat a token as a credential: keep the validity short and store it as carefully as the password used to generate it.

Access Outlier WS: (/accessoutlier)

Resource                                          Description
/getHighRiskAccessUsers                           Get a list of users with high risk access
/getHighRiskAccessUsersByResource                 Get a list of users with high risk access on a particular resource
/getHighRiskAccessUsersByPeerGroup                Get a list of users with high risk access by peer group
/getHighRiskAccessUsersbyPeerGroupAndResource     Get a list of users with high risk access by resource and peer group
/getHighRiskAccessUsersByGroupOwner               Get a list of users with high risk access by group owner
/getEntitlementRiskScoreDetails                   Get risk score details for a particular entitlement

Activity Outlier WS: (/activityoutlier)

Resource                                           Description
/getHighRiskActivityUsers                          Get a list of users with high risk activities
/getHighRiskActivityUsersByResource                Get a list of users with high risk activity on a particular resource
/getHighRiskActivityUsersByPeerGroup               Get a list of users with high risk activity by peer group
/getHighRiskActivityUsersByPeerGroupAndResource    Get a list of users with high risk activity by resource and peer group
/getHighRiskActivityUsersByResourceOwner           Get a list of users with high risk activity by resource owner
/getHighRiskActivityUsersByGroupOwner              Get a list of users with high risk activity by group owner
/getEntitlementRiskScoreDetails                    Get risk score details for a particular entitlement

Case Management WS: (/casemgmt)

Resource            Description
/allCases           All cases
/caseById           Cases by ID
/casesByState       Cases by state
/casesByUser        Cases by user
/unassignedCases    Unassigned cases

Event Import WS: (/eventimport)

Resource               Description
/preview               Preview event import
/previewLineFilter     Preview event import using line filter
/previewFieldFilter    Preview event import using field filter

Listing WS: (/list)

Resource                                Description
/allUsers                               List all users
/usersByCondition                       List users by condition
/usersByPeerGroup                       List users by peer group
/usersByManager                         List users by manager
/managerByUser                          List managers by user (the users they manage)
/resources                              List all resources
/resourcesByResourceGroup               List resources by group
/resourceByType                         List resources by type
/resourceGroups                         List resource groups
/resourceGroupsByType                   List resource groups by type
/peerGroups                             List peer groups
/peerGroupsByType                       List peer groups by type
/peerGroupsByUser                       List peer groups by user
/accessAccountsByType                   List access accounts by type
/accessAccountsByUser                   List access accounts by user
/accessAccountsByResource               List access accounts by resource
/activities                             List activities
/allActivityAccounts                    List all activity accounts
/activityAccountsOnResourceByPeer       List activity accounts on resources by peer
/activityAccountsByType                 List activity accounts by type
/criticalActivityAccountsOnResource     List critical activity accounts on a resource
/activityAccountsByUser                 List activity accounts by user
/activityAccountsByResource             List activity accounts by resource
/suggestedMatchesForAccount             Show suggested matches for an account
/accessValues                           List access values

Policy WS: (/policy)

Resource                             Description
/getAllPolicies                      Get all policies
/getPolicyViolations                 Get all policy violations
/getPolicyViolationsByPolicyId       Get all policy violations by policy ID
/getPolicyViolationsByPolicyName     Get policy violations by policy name
/getViolationDetailsByViolationId    Get violation details by violation ID

Web services sample application

A sample web services test suite is provided with HP UBA to demonstrate the use of the RESTful API. Use this web service client test suite for implementing and testing the web service connections. The procedure below walks through an application consuming the HP UBA RESTful API.

Steps to be followed:

1. Enable web services in the application. Ensure the web service is enabled in the securonix_home/conf/application-context.xml file.

2. From the HP UBA web interface, navigate to Configure > Settings and click Application Settings in the left sidebar menu. Under General Settings, set the Web Services switch to Yes and set the Token Required for Web Services? switch to Yes. Leave Token Required set to Yes on any instance reachable from other systems: with it set to No, the web services, including the POST methods that change account data, accept calls without a token.

3. Open the web services test suite in an IDE (NetBeans). The NetBeans project is opened with File > Open Project.

4. Open AbstractTestClient.java. In the IDE go to the package com.securonix.ws.clients and open the file AbstractTestClient.java. Edit the file to provide the correct hostname and port number of the application. The token is generated in the next step and placed in this file.

5. Generate a token using the TokenWSClient.java file: enter the application login username and password, and supply the number of days the token should remain valid in the validity parameter. Make sure the main method calls the generateToken method before running the file. The output contains a token; place it in AbstractTestClient.java. Keep the validity period short and protect the token as you would the password used to generate it.

6. Run the CrudWSClient.java file in the com.securonix.ws.client package. This executes updateAccessAccountStatus, which should be called from the main method in CrudWSClient.java. The input parameters passed to the method are:

   Resource Name: the resource must already exist in the application.
   Account Name: name of an account within the resource.
   Account Status: Active, Inactive, etc.
   Account Type: User, System, Service, etc.

7. After executing the sample, review the HTTP status code. An HTTP 200 status code indicates that the web service call was successful, and the new account values should be reflected in the UI. To verify, navigate to Manage > Resources, click the appropriate resource, go to Monitor Accounts and search for the account name used in the web service call. The UI should reflect the new values.
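The procedure above, as an added Python example that is not the guide's NetBeans test suite and not Securonix code: it generates a token from an application login, calls updateAccessAccountStatus with the four parameters, checks for HTTP 200 and decodes the JSON or XML response body. The form field names other than validity, the token header name and the /crud/updateAccessAccountStatus path are assumptions to be checked against application.wadl. FakeUbaOpener is a constructed stand-in for the server so the flow runs offline and shows what happens when Token Required is Yes and a call omits the token.

```python
"""Token-authenticated client for the HP UBA RESTful web services.

Added example, not the guide's NetBeans suite (TokenWSClient.java, CrudWSClient.java)
or Securonix code. Assumptions to verify against application.wadl: /token/generate
takes form fields username, password and validity (only validity is named in the
guide); the token is sent in a request header named token; updateAccessAccountStatus
is at /crud/updateAccessAccountStatus with fields resourcename, accountname,
accountstatus and accounttype. FakeUbaOpener is a constructed stand-in server.
"""
import json
import xml.etree.ElementTree as ET
from types import SimpleNamespace
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, build_opener


class UbaWsError(RuntimeError):
    """A web service call returned something other than HTTP 200."""


def parse_body(content_type, raw):
    """The API answers in JSON or XML; decode according to Content-Type."""
    text = raw.decode("utf-8")
    if "json" in content_type:
        return json.loads(text)
    return ET.fromstring(text) if "xml" in content_type else text


class UbaClient:
    def __init__(self, base_url, opener=None, timeout=15):
        self.base_url = base_url.rstrip("/")      # e.g. https://uba.example.com:8443
        self.opener = opener or build_opener()   # real HTTP(S) unless a stand-in is given
        self.timeout = timeout
        self.token = None

    def _call(self, method, path, params):
        url = f"{self.base_url}/Profiler/ws{path}"
        headers = {"Accept": "application/json"}
        if self.token:
            headers["token"] = self.token         # assumed header name
        data = None
        if method == "GET":
            url = f"{url}?{urlencode(params)}"
        else:
            data = urlencode(params).encode()
            headers["Content-Type"] = "application/x-www-form-urlencoded"
        try:
            resp = self.opener.open(Request(url, data=data, headers=headers, method=method),
                                    timeout=self.timeout)
        except HTTPError as err:                  # urllib raises on 4xx/5xx
            raise UbaWsError(f"{method} {path}: HTTP {err.code}") from err
        if resp.status != 200:                    # the guide's success check
            raise UbaWsError(f"{method} {path}: HTTP {resp.status}")
        return parse_body(resp.headers.get("Content-Type", ""), resp.read())

    def generate_token(self, username, password, validity_days=1):
        """Log in once and keep the token; a short validity limits the damage if it leaks."""
        body = self._call("POST", "/token/generate",
                          {"username": username, "password": password, "validity": validity_days})
        self.token = body["token"] if isinstance(body, dict) else str(body).strip()
        return self.token

    def validate_token(self):
        return self._call("GET", "/token/validate", {"token": self.token})

    def update_access_account_status(self, resource, account, status, account_type):
        """The POST from the sample procedure; the resource must already exist."""
        return self._call("POST", "/crud/updateAccessAccountStatus",
                          {"resourcename": resource, "accountname": account,
                           "accountstatus": status, "accounttype": account_type})


def _response(status, body, content_type="application/json"):
    return SimpleNamespace(status=status, headers={"Content-Type": content_type},
                           read=lambda: body.encode())


class FakeUbaOpener:
    """Constructed stand-in with Token Required set to Yes: every call except
    /token/generate must carry the token header or is answered with 401."""
    TOKEN = "c0ffee-example-token"

    def open(self, req, timeout=None):
        path = req.full_url.split("/Profiler/ws", 1)[1].split("?", 1)[0]
        if path == "/token/generate":
            return _response(200, json.dumps({"token": self.TOKEN}))
        if req.get_header("Token") != self.TOKEN:   # urllib capitalises header names
            return _response(401, "unauthorized", "text/plain")
        if path == "/token/validate":
            return _response(200, "<response><valid>true</valid></response>", "application/xml")
        if path == "/crud/updateAccessAccountStatus":
            return _response(200, json.dumps({"result": "SUCCESS"}))
        return _response(404, "not found", "text/plain")


def demo(opener=None):
    """Generate, validate, update: returns (token, validity flag, update result)."""
    client = UbaClient("https://uba.example.com:8443", opener=opener or FakeUbaOpener())
    token = client.generate_token("wsadmin", "example-password", validity_days=1)
    valid = client.validate_token().findtext("valid")          # XML response
    result = client.update_access_account_status("ActiveDirectory", "svc_backup",
                                                 "Inactive", "Service")
    return token, valid, result["result"]                      # JSON response


def token_is_enforced():
    """A call without a token must fail; with Token Required set to No it would succeed."""
    client = UbaClient("https://uba.example.com:8443", opener=FakeUbaOpener())
    try:
        client.update_access_account_status("ActiveDirectory", "svc_backup", "Inactive", "Service")
    except UbaWsError:
        return True
    return False
```

Against a live instance, construct UbaClient with the real base URL and no opener (urllib's default handles https), and pass the smallest validity the integration needs; the status check in _call is the same HTTP 200 test the guide tells you to make after running CrudWSClient.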


Appendix A: Files in securonix_home

All configuration files for the IRTM suite are placed in the securonix_home folder. When the application is launched, a number of files are read into cache memory and used throughout the application. Most of the customer-specific data is also stored in configuration files to allow porting between environments. Note: If you make changes directly to configuration files, you may need to restart the application server for the application to load the data into cache. Several of these files hold authentication secrets (for example ldap-config.properties and license.properties), so restrict read access on securonix_home to the account the application server runs as.

Structure of the securonix_home folder:

\securonix_home\
    \conf
    \lic
    \templates
    \import
        \in
        \success
        \failed
    \workflow
    \docs (optional)
    \legal (optional)
    \reports (optional)
    \scripts (optional)

Here is a listing of files and folders under securonix_home:

File Name                                    Purpose
AccessImportConfig.xml                       Stores the configuration required to import access from flat files, databases and LDAP sources
AccessOutlierConfig.xml                      Stores configurations required to detect Access Outliers during Peer Group Outlier Analysis
AccessUniqueIdRules.xml                      Stores configurations required for correlating Account IDs to User Identities during Access Import Jobs
CommonNames.properties                       Stores the Common Names given to Constants used within the application
ConfigurationFilesLocations.properties       Stores the list of configuration files read by the application to perform various functions
CriticalityConfig.xml                        Stores the ranges for running algorithms
Error_Messages.properties                    Stores the Error Messages displayed in the log files
Error_Messages_Matcher.properties            Stores the error messages related to the Identity Matching process shown in the log files
Error_Messages_Scheduler.properties          Stores the error messages related to the Scheduling process shown in the log files
Error_Messages_SuspectWorkflow.properties    Stores the error messages related to the running of the Suspect workflow shown in the log files
Error_Messages_Workflow.properties           Stores the error messages related to the running of the workflow shown in the log files
SuspectAttributeIdMapping.properties         Stores the mapping of the different checks conducted
SuspectWorkflow.jpdl.xml                     Stores the configuration for the workflow (Deprecated in version 2.8)
SuspectWorkflowConfig.xml                    Stores the Remediators/Approvers for the workflow
UniqueIdRules.xml                            Stores configurations required for correlating Account IDs to User Identities during Activity Import Jobs
UserImportConfigTemplate.xml                 Stores the configurations required for importing User Identities into the system
UserProfileData.xml                          Stores the configuration required for the machine learning algorithm to learn from actions done by security administrators
UserProfileData_gen.xml                      Stores the configuration required for the machine learning algorithm to learn from actions done by security administrators
application-context.xml                      Stores the configuration required by the application for date formatting
bulkimport.xml                               Stores the configuration for bulk importing user activity (log/audit) files into the system
comparator-list.xml                          Stores the class names for the comparators used during activity imports into the system
comparator-meta.xml                          Deprecated; its content is included in UniqueIdRules.xml
holiday-meta.xml                             Stores the list of holidays in the calendar year
ldap-config.properties                       Stores the properties required for authenticating against LDAP
lic                                          Folder to hold the license key
license.properties                           Stores the public key password for the licensing
mail.properties                              Stores the properties for sending out emails when jobs and workflow tasks are completed
nitrofields.properties                       Used only for NitroSecurity integration. Provides the readable names for the attributes stored in the NitroSecurity database
privateKeys.store                            Used for licensing. DO NOT DELETE
profile-config.xml                           Stores the configuration for running Behavioral Suspect Analysis
publicCerts.store                            Used for licensing. DO NOT DELETE
schedulernotification.xml                    Stores configuration for sending emails when jobs are completed
suspect-config.xml                           Stores the configurations for threshold values for checking during Activity Suspect
templates                                    Stores the workflow design template that is used when access, activity or policy checks fail
workflow                                     Stores the configuration parameters required by the workflow design template to conduct tasks
RiskConfig.xml


Appendix B: Policy Templates

Policy Templates are organized into filter groups. By selecting a filter group, you get a smaller selection of policy templates from which to select. The following tables are organized by filter group. Each entry gives the template name, its description (where the template has one) and the objects available to policies built from it.

Filter Group: Access

Accounts that don't have Users
    Description: Orphaned Accounts
    Objects: RESOURCE, ACCESS ACCOUNT, ACCESS ACCOUNT USER

Accounts with defined Access Privileges on Resource
    Description: Enables policies that include Access account attributes and Resource attributes
    Objects: RESOURCE, ACCESS ACCOUNT, RESOURCEACCESSMETADATA, ACCESS VALUES, ACCESS ACCOUNT USER

Separation of Duties Checks (Access Based)
    Description: Enables policies that include User attributes, Resource attributes, Access account attributes and access values
    Objects: USER, RESOURCE, ACCESS ACCOUNT, RESOURCEACCESSMETADATA, ACCESS VALUES

SOD-User - Accessaccount -Resource - Access Values
    Description: Enables policies that include User attributes, Resource attributes, Access account attributes and access values
    Objects: USER, RESOURCE, ACCESS ACCOUNT, ACCESS VALUES

Users with defined Access Privileges on Resource
    Description: Enables policies that include User attributes, Access account attributes and Resource attributes
    Objects: USER, RESOURCE, ACCESS ACCOUNT, RESOURCEACCESSMETADATA, ACCESS VALUES

Users with defined account types on Resource
    Description: Enables policies that include User attributes, Access account attributes and Resource attributes
    Objects: USER, RESOURCE, ACCESS ACCOUNT


Filter Group: Activity

Activity From Multiple Geo-Locations
    Objects: HOURLY ACTIVITY, ACTIVITY IPADDRESS

Activity From Multiple Hosts
    Objects: ACTIVITY ACCOUNT, HOURLY ACTIVITY

Activityaccount - Resource - Activity
    Description: Enables policies that include Activity account attributes, Activity attributes and Resource attributes
    Objects: ACTIVITY ACCOUNT, RESOURCE, ACTIVITY

Activityaccount - Resource - Activity - Hourly Activity Aggregation
    Description: Enables policies that include User attributes, Resource attributes, Activity attributes and Hourly activity attributes
    Objects: ACTIVITY ACCOUNT, RESOURCE, ACTIVITY, HOURLY ACTIVITY

Activityaccount - Resource - Hourly Activity Aggregation
    Description: Enables policies that include User attributes, Resource attributes and Hourly activity attributes
    Objects: ACTIVITY ACCOUNT, RESOURCE, HOURLY ACTIVITY

Activityaccount- Resource- IP Address
    Description: Enables policies that include Activityaccount attributes, Network Sources and Resource attributes
    Objects: ACTIVITY ACCOUNT, RESOURCE, ACTIVITY IPADDRESS

Activityaccount-Resource-Activity-Hourly Activity Aggregation by Network Source - IP Address - Geolocation
    Description: Enables policies that include Hourly activity attributes, Activity, Resource attributes, IP Address, Geolocation and Activityaccount attributes
    Objects: ACTIVITY ACCOUNT, RESOURCE, ACTIVITY, HOURLY ACTIVITY PER IPADDRESS, ACTIVITY IPADDRESS

Checks based on activity summary
    Description: Checks with activity summary, activity account, resources and activity
    Objects: ACTIVITY ACCOUNT, RESOURCE, ACTIVITY, ACTIVITY SUMMARY, HOURLY ACTIVITY

Checks based on activity summary and users
    Description: Checks based on activity summary and users
    Objects: ACTIVITY ACCOUNT, RESOURCE, ACTIVITY, ACTIVITY SUMMARY, HOURLY ACTIVITY, USER

Checks Based on Event Table
    Objects: HOURLY ACTIVITY

Detect Users that have Activity Outliers and have specific Policy Violations
    Description: Enables the detection of Users that have Activity Outliers and Policy Violations
    Objects: USER, PEER BASED ENTITLEMENT RISK, POLICY VIOLATION, ACTIVITY ACCOUNT

Detect Users/Accounts that have violated multiple Policies
    Description: Enables the detection of Accounts/Users that have violated multiple Policies
    Objects: ACTIVITY ACCOUNT, RESOURCE, POLICY VIOLATION

Email Attachment Size Exceeding Threshold
    Description: Email Attachment Size Exceeding Threshold
    Objects: ACTIVITY ACCOUNT, RESOURCE, ACTIVITY, HOURLY ACTIVITY

Email Attachments Exceeding Hourly Threshold
    Description: Email Attachments Exceeding Hourly Threshold
    Objects: ACTIVITY ACCOUNT, RESOURCE, ACTIVITY, HOURLY ACTIVITY


Existing Violations with Activity Transactions
    Description: PVE and activities
    Objects: POLICY VIOLATION EVENTS, ACTIVITY

Existing Violations with Activity Transactions and User Details
    Description: PVE and activities and users
    Objects: POLICY VIOLATION EVENTS, USER, ACTIVITY

Existing Violations with User Details
    Description: PVE and users
    Objects: POLICY VIOLATION EVENTS, USER

Multiple Events From Same Source
    Objects: ACTIVITY ACCOUNT, HOURLY ACTIVITY

Peer - User - Activityaccount - Resouce
    Description: Enables policies that include Peer attributes, User attributes, Activity account attributes and Resource attributes
    Objects: ACTIVITY ACCOUNT, USER, RESOURCE, PEER

Peer - User - Activityaccount - Resource
    Description: Enables policies that include User attributes, Activityaccount attributes, Peer attributes and Resource attributes
    Objects: USER, ACTIVITY ACCOUNT, PEER, RESOURCE

Peer - User - Activityaccount - Resource - Hourly Activity Aggregation
    Description: Enables policies that include Peer attributes, User attributes, Resource attributes, Activityaccount attributes and Hourly activity attributes
    Objects: USER, PEER, RESOURCE, ACTIVITY ACCOUNT, HOURLY ACTIVITY

Peer - User - Activityaccount-Resource- IP Address
    Description: Enables policies that include User attributes, Peer attributes, Activityaccount attributes, Network Sources and Resource attributes
    Objects: USER, ACTIVITY ACCOUNT, RESOURCE, ACTIVITY IPADDRESS, PEER

Peer - User - Activityaccout- Resource- Activity-Hourly Activity Aggregation by Network Source - IP Address - Geolocation
    Description: Enables policies that include User attributes, Peer attributes, Hourly activity attributes, Activity, Resource attributes, IP Address, Geolocation and Activityaccount attributes
    Objects: USER, ACTIVITY ACCOUNT, RESOURCE, ACTIVITY, HOURLY ACTIVITY PER IPADDRESS, PEER, ACTIVITY IPADDRESS

Peer - User - Hourly Activity Aggregation
    Description: Enables policies that include User attributes, Hourly activity attributes and Peer attributes
    Objects: USER, HOURLY ACTIVITY, PEER

Peer - User -Activity - Hourly Activity Aggregation
    Description: Enables policies that include User attributes, Hourly activity attributes, Activity attributes and Peer attributes
    Objects: USER, HOURLY ACTIVITY, ACTIVITY, PEER

Policy Violators performing activities
    Description: Policy Violation Details and Activities
    Objects: USER, HOURLY ACTIVITY, POLICY

Resource Event Last Received
    Description: Resource Event Last Received Time
    Objects: RESOURCE, RESOURCEACTIVITYDATES

SOD - Activityaccount - Resource - Hourly Activity Aggregation
    Description: Enables Activity Based Separation of Duties on an Hourly Basis
    Objects: USER, RESOURCE, HOURLY ACTIVITY, ACTIVITY


SOD - Hourly Activity Aggregation
    Description: Enables Activity Based Separation of Duties on an Hourly Basis
    Objects: USER, HOURLY ACTIVITY

User - Activity - Hourly Activity Aggregation
    Description: Enables policies that include User attributes, Hourly activity attributes and Activity attributes
    Objects: USER, HOURLY ACTIVITY, ACTIVITY

User - Activityaccount - Resouce
    Description: Enables policies that include User attributes, Resource attributes and Activity account attributes
    Objects: ACTIVITY ACCOUNT, USER, RESOURCE

User - Activityaccount - Resource - Activity
    Description: Enables policies that include User attributes, Activity account attributes, Activity attributes and Resource attributes
    Objects: ACTIVITY ACCOUNT, USER, RESOURCE, ACTIVITY

User - Activityaccount - Resource - Hourly Activity Aggregation
    Description: Enables policies that include User attributes, Resource attributes, Hourly activity attributes and Activityaccount attributes
    Objects: USER, RESOURCE, HOURLY ACTIVITY, ACTIVITY ACCOUNT

User - Activityaccount- Resource- IP Address
    Description: Enables policies that include User attributes, Activityaccount attributes, Network Sources and Resource attributes
    Objects: USER, ACTIVITY ACCOUNT, RESOURCE, ACTIVITY IPADDRESS

User - Hourly Activity Aggregation
    Description: Enables policies that include User attributes and Hourly activity attributes
    Objects: USER, HOURLY ACTIVITY

User - Peer - Activityaccount - Activity
    Description: Enables policies that include User attributes, Peer attributes, Activityaccount attributes and Activity attributes
    Objects: USER, PEER, ACTIVITY ACCOUNT, ACTIVITY

User - Resource - Hourly Activity Aggregation
    Description: Enables policies that include User attributes, Resource attributes and Hourly activity attributes
    Objects: USER, RESOURCE, HOURLY ACTIVITY

User -Activityaccount-Resource-Activity-Hourly Activity Aggregation
    Description: Enables policies that include User attributes, Hourly activity attributes, Activity, Resource attributes and Activityaccount attributes
    Objects: USER, ACTIVITY ACCOUNT, RESOURCE, ACTIVITY, HOURLY ACTIVITY

User -Activityaccount-Resource-Activity-Hourly Activity Aggregation by Network Source - IP Address
    Description: Enables policies that include User attributes, Hourly activity attributes, Activity, Resource attributes, IP Address and Activityaccount attributes
    Objects: USER, ACTIVITY ACCOUNT, RESOURCE, ACTIVITY, HOURLY ACTIVITY PER IPADDRESS, ACTIVITY IPADDRESS


User -Activityaccount-Resource-Activity-Hourly Activity Aggregation by Network Source - IP Address - Geolocation
    Description: Enables policies that include User attributes, Hourly activity attributes, Activity, Resource attributes, IP Address, Geolocation and Activityaccount attributes
    Objects: USER, ACTIVITY ACCOUNT, RESOURCE, ACTIVITY, HOURLY ACTIVITY PER IPADDRESS, ACTIVITY IPADDRESS

User Logon From Multiple Geo-Locations in an Hour
    Objects: ACTIVITY ACCOUNT, RESOURCE, ACTIVITY, HOURLY ACTIVITY, ACTIVITY IPADDRESS

User Logon from Multiple Hosts in Hour
    Description: User logged in from multiple hosts within one hour
    Objects: ACTIVITY ACCOUNT, RESOURCE, ACTIVITY, HOURLY ACTIVITY

Violators of specific policy now performing certain activities
    Description: Enables policies for violators performing certain activities
    Objects: POLICY VIOLATION EVENTS, HOURLY ACTIVITY, POLICY

Watchlist Users with Policy Violations
    Description: Checks for users who are on a watchlist and violating policies
    Objects: ACTIVITY ACCOUNT, POLICY VIOLATION, WATCHLIST

Watchlisted Activity Account with Activity
    Description: Enables policies for detecting events done by watchlisted accounts
    Objects: WATCHLIST, ACTIVITY ACCOUNT, RESOURCE, ACTIVITY, HOURLY ACTIVITY


Filter Group: Entities

Accounts that dont have Users
    Description: Orphaned Accounts
    Objects: RESOURCE, ACCESS ACCOUNT, ACCESS ACCOUNT USER

Accounts with defined Access Privileges on Resource
    Description: Enables policies that include Access account attributes and Resource attributes
    Objects: RESOURCE, ACCESS ACCOUNT, RESOURCEACCESSMETADATA, ACCESS VALUES, ACCESS ACCOUNT USER

Activityaccount - Resource - Activity
    Description: Enables policies that include Activity account attributes, Activity attributes and Resource attributes
    Objects: ACTIVITY ACCOUNT, RESOURCE, ACTIVITY

Activityaccount - Resource - Activity - Hourly Activity Aggregation
    Description: Enables policies that include User attributes, Resource attributes, Activity attributes and Hourly activity attributes
    Objects: ACTIVITY ACCOUNT, RESOURCE, ACTIVITY, HOURLY ACTIVITY

Activityaccount - Resource - Hourly Activity Aggregation
    Description: Enables policies that include User attributes, Resource attributes and Hourly activity attributes
    Objects: ACTIVITY ACCOUNT, RESOURCE, HOURLY ACTIVITY

Activityaccount- Resource- IP Address
    Description: Enables policies that include Activityaccount attributes, Network Sources and Resource attributes
    Objects: ACTIVITY ACCOUNT, RESOURCE, ACTIVITY IPADDRESS

Activityaccount-Resource-Activity-Hourly Activity Aggregation by Network Source - IP Address - Geolocation
    Description: Enables policies that include Hourly activity attributes, Activity, Resource attributes, IP Address, Geolocation and Activityaccount attributes
    Objects: ACTIVITY ACCOUNT, RESOURCE, ACTIVITY, HOURLY ACTIVITY PER IPADDRESS, ACTIVITY IPADDRESS

Checks based on activity summary
    Description: Checks with activity summary, activity account, resources and activity
    Objects: ACTIVITY ACCOUNT, RESOURCE, ACTIVITY, ACTIVITY SUMMARY, HOURLY ACTIVITY

Checks based on activity summary and users
    Description: Checks based on activity summary and users
    Objects: ACTIVITY ACCOUNT, RESOURCE, ACTIVITY, ACTIVITY SUMMARY, HOURLY ACTIVITY, USER

Detect Users that have Activity Outliers and have specific Policy Violations
    Description: Enables the detection of Users that have Activity Outliers and Policy Violations
    Objects: USER, PEER BASED ENTITLEMENT RISK, POLICY VIOLATION, ACTIVITY ACCOUNT

Email Attachment Size Exceeding Threshold
    Description: Email Attachment Size Exceeding Threshold
    Objects: ACTIVITY ACCOUNT, RESOURCE, ACTIVITY, HOURLY ACTIVITY

Email Attachments Exceeding Hourly Threshold
    Description: Email Attachments Exceeding Hourly Threshold
    Objects: ACTIVITY ACCOUNT, RESOURCE, ACTIVITY, HOURLY ACTIVITY


Existing Violations with Activity Transactions and User Details
    Description: PVE and activities and users
    Objects: POLICY VIOLATION EVENTS, USER, ACTIVITY

Existing Violations with User Details
    Description: PVE and users
    Objects: POLICY VIOLATION EVENTS, USER

Peer - User - Activityaccount - Resouce
    Description: Enables policies that include Peer attributes, User attributes, Activity account attributes and Resource attributes
    Objects: ACTIVITY ACCOUNT, USER, RESOURCE, PEER

Peer - User - Activityaccount - Resource
    Description: Enables policies that include User attributes, Activityaccount attributes, Peer attributes and Resource attributes
    Objects: USER, ACTIVITY ACCOUNT, PEER, RESOURCE

Peer - User - Activityaccount - Resource - Hourly Activity Aggregation
    Description: Enables policies that include Peer attributes, User attributes, Resource attributes, Activityaccount attributes and Hourly activity attributes
    Objects: USER, PEER, RESOURCE, ACTIVITY ACCOUNT, HOURLY ACTIVITY

Peer - User - Activityaccount-Resource- IP Address
    Description: Enables policies that include User attributes, Peer attributes, Activityaccount attributes, Network Sources and Resource attributes
    Objects: USER, ACTIVITY ACCOUNT, RESOURCE, ACTIVITY IPADDRESS, PEER

Peer - User - Activityaccout- Resource- Activity-Hourly Activity Aggregation by Network Source - IP Address - Geolocation
    Description: Enables policies that include User attributes, Peer attributes, Hourly activity attributes, Activity, Resource attributes, IP Address, Geolocation and Activityaccount attributes
    Objects: USER, ACTIVITY ACCOUNT, RESOURCE, ACTIVITY, HOURLY ACTIVITY PER IPADDRESS, PEER, ACTIVITY IPADDRESS

Peer - User - Hourly Activity Aggregation
    Description: Enables policies that include User attributes, Hourly activity attributes and Peer attributes
    Objects: USER, HOURLY ACTIVITY, PEER

Peer - User -Activity - Hourly Activity Aggregation
    Description: Enables policies that include User attributes, Hourly activity attributes, Activity attributes and Peer attributes
    Objects: USER, HOURLY ACTIVITY, ACTIVITY, PEER

Policy Violators performing activities
    Description: Policy Violation Details and Activities
    Objects: USER, HOURLY ACTIVITY, POLICY

Resource Event Last Received
    Description: Resource Event Last Received Time
    Objects: RESOURCE, RESOURCEACTIVITYDATES

Separation of Duties Checks (Access Based)
    Description: Enables policies that include User attributes, Resource attributes, Access account attributes and access values
    Objects: USER, RESOURCE, ACCESS ACCOUNT, RESOURCEACCESSMETADATA, ACCESS VALUES


SOD - Activityaccount - Resource - Hourly Activity Aggregation
    Description: Enables Activity Based Separation of Duties on an Hourly Basis
    Objects: USER, RESOURCE, HOURLY ACTIVITY, ACTIVITY

SOD - Hourly Activity Aggregation
    Description: Enables Activity Based Separation of Duties on an Hourly Basis
    Objects: USER, HOURLY ACTIVITY

SOD-User - Accessaccount -Resource - Access Values
    Description: Enables policies that include User attributes, Resource attributes, Access account attributes and access values
    Objects: USER, RESOURCE, ACCESS ACCOUNT, ACCESS VALUES

User - Activity - Hourly Activity Aggregation
    Description: Enables policies that include User attributes, Hourly activity attributes and Activity attributes
    Objects: USER, HOURLY ACTIVITY, ACTIVITY

User - Activityaccount - Resouce
    Description: Enables policies that include User attributes, Resource attributes and Activity account attributes
    Objects: ACTIVITY ACCOUNT, USER, RESOURCE

User - Activityaccount - Resource - Activity
    Description: Enables policies that include User attributes, Activity account attributes, Activity attributes and Resource attributes
    Objects: ACTIVITY ACCOUNT, USER, RESOURCE, ACTIVITY

User - Activityaccount - Resource - Hourly Activity Aggregation
    Description: Enables policies that include User attributes, Resource attributes, Hourly activity attributes and Activityaccount attributes
    Objects: USER, RESOURCE, HOURLY ACTIVITY, ACTIVITY ACCOUNT

User - Activityaccount -Resource
    Description: Enables policies that include User attributes, Activity account attributes and Resource attributes
    Objects: USER, ACTIVITY, RESOURCE

User - Activityaccount- Resource- IP Address
    Description: Enables policies that include User attributes, Activityaccount attributes, Network Sources and Resource attributes
    Objects: USER, ACTIVITY ACCOUNT, RESOURCE, ACTIVITY IPADDRESS

User - Hourly Activity Aggregation
    Description: Enables policies that include User attributes and Hourly activity attributes
    Objects: USER, HOURLY ACTIVITY

User - Peer - Activityaccount - Activity
    Description: Enables policies that include User attributes, Peer attributes, Activityaccount attributes and Activity attributes
    Objects: USER, PEER, ACTIVITY ACCOUNT, ACTIVITY

User - Resource - Hourly Activity Aggregation
    Description: Enables policies that include User attributes, Resource attributes and Hourly activity attributes
    Objects: USER, RESOURCE, HOURLY ACTIVITY



User - Activityaccount - Resource - Activity - Hourly Activity Aggregation | Enables policies that include User attributes, Hourly activity attributes, Activity, Resource attributes and Activityaccount attributes | USER, ACTIVITY ACCOUNT, RESOURCE, ACTIVITY, HOURLY ACTIVITY

User - Activityaccount - Resource - Activity - Hourly Activity Aggregation by Network Source - IP Address | Enables policies that include User attributes, Hourly activity attributes, Activity, Resource attributes, IP Address and Activityaccount attributes | USER, ACTIVITY ACCOUNT, RESOURCE, ACTIVITY, HOURLY ACTIVITY PER IPADDRESS, ACTIVITY IPADDRESS

User - Activityaccount - Resource - Activity - Hourly Activity Aggregation by Network Source - IP Address - Geolocation | Enables policies that include User attributes, Hourly activity attributes, Activity, Resource attributes, IP Address, Geolocation and Activityaccount attributes | USER, ACTIVITY ACCOUNT, RESOURCE, ACTIVITY, HOURLY ACTIVITY PER IPADDRESS, ACTIVITY IPADDRESS

User Change History | Enables Policies for tracking User attribute changes | USERCHANGEHISTORY, USER

User Logon From Multiple Geo-Locations in an Hour | | ACTIVITY ACCOUNT, RESOURCE, ACTIVITY, HOURLY ACTIVITY, ACTIVITY IPADDRESS

User Logon from Multiple Hosts in Hour | User logged in from multiple hosts within one hour | ACTIVITY ACCOUNT, RESOURCE, ACTIVITY, HOURLY ACTIVITY

Users with defined Access Privileges on Resource | Enables policies that include User attributes, Access account attributes and Resource attributes | USER, RESOURCE, ACCESS ACCOUNT, RESOURCEACCESSMETADATA, ACCESS VALUES

Users with defined account types on Resource | Enables policies that include User attributes, Access account attributes and Resource attributes | USER, RESOURCE, ACCESS ACCOUNT

Users with defined HR attributes | Enables Monitoring based on User HR details | USER

Violators of specific policy now performing certain activities | Enables Policies for violators performing certain activities | POLICY VIOLATION EVENTS, HOURLY ACTIVITY, POLICY

Watchlist Users with Policy Violations | Checks for users who are on watchlist and violating policies | ACTIVITY ACCOUNT, POLICY VIOLATION, WATCHLIST

Watchlisted Activity Account with Activity | Enables policies for detecting events done by watchlisted accounts | WATCHLIST, ACTIVITY ACCOUNT, RESOURCE, ACTIVITY, HOURLY ACTIVITY


Filter Group: Miscellaneous

Entities: Policy Violation, Policy, Policy Violation Events

Template Name | Template Description | Objects Available

Detect Users that have Activity Outliers and have specific Policy Violations | Enables the detection of Users that have Activity Outliers and Policy Violation | USER, PEER BASED ENTITLEMENT RISK, POLICY VIOLATION, ACTIVITY ACCOUNT

Detect Users/Accounts that have violated multiple Policies | Enables the detection of Accounts/Users that have violated multiple Policies | ACTIVITY ACCOUNT, RESOURCE, POLICY VIOLATION

Existing Violations with Activity Transactions | PVE and activities | POLICY VIOLATION EVENTS, ACTIVITY

Existing Violations with Activity Transactions and User Details | PVE and activities and users | POLICY VIOLATION EVENTS, USER, ACTIVITY

Existing Violations with User Details | PVE and users | POLICY VIOLATION EVENTS, USER

Policy Violators performing activities | Policy Violation Details and Activities | USER, HOURLY ACTIVITY, POLICY

Violators of specific policy now performing certain activities | Enables Policies for violators performing certain activities | POLICY VIOLATION EVENTS, HOURLY ACTIVITY, POLICY

Watchlist Users with Policy Violations | Checks for users who are on watchlist and violating policies | ACTIVITY ACCOUNT, POLICY VIOLATION, WATCHLIST