McAfee Network Threat Response (NTR) 4.0




Configuring Automated Reporting and Alerting

Automated reporting is supported with the introduction of NTR 4.0 and is designed to send automated reports via existing SMTP mail servers. Optionally, XML reports can be generated and saved locally for processing within other systems. The following tasks describe how to configure flexible reporting templates that instruct NTR on how to generate reports and where to send them. If you do not wish to enable emailing of reports, skip to Configure and Enable Reporting Templates.

Note: Completion of the following steps assumes basic familiarity with Linux operating systems and the ability to execute basic Unix command line operations.

Configure Email Server

Tasks:
1. Log on to the NTR Management Web Console with an administrative account.
2. To perform the follow-on steps, click the Admin Settings icon located at the top of the console.
3. Click Mail Settings from the Admin Settings tab.
4. Change your configuration according to your environment as follows:
   Server Address: IP or hostname of the outbound SMTP server
   Port: Port to be used when connecting to the SMTP server
   Domain: Your local fully qualified domain name
   BounceBack Address: Return address where delivery problems may be reported
   From Address: Email address that should be shown in the From field of mail
5. Click Save.

Configure and Enable Reporting Templates

YAML (http://en.wikipedia.org/wiki/yaml) reporting templates are included as part of the core NTR installation, but additional customer-driven templates are available for download from https://networkthreatresponse.com/reporting, and each template can be modified based on customer data requirements. Automated reports can be generated in XML and HTML formats and sent to various recipients or ingested by other reporting and analysis systems. Once the configuration templates are in place, activation of the reports and configuration of the SMTP server can be done within the NTR Manager. It is recommended that the recipient email address be an email Distribution List (DL), which is easier to maintain. Perform the following steps to enable automated report generation.

Note: For proper parsing of report templates, it is critical that correct syntax and the existing data structures are adhered to. A link to an online YAML syntax tool is provided below. Internet access is assumed for successful completion of those steps.

Tasks:
1. Log on to the NTR Manager system (CentOS) with root privileges and browse to the following directory, where reporting templates are saved (this is also where new report templates should be saved):
   /opt/endeavor/amp/amp_ruby/report_templates/
2. Each report template file that you want to activate must be modified to include the proper recipient email addresses and output format (XML or HTML). Optionally, the title and description can be updated, as well as the trigger that kicks off report generation. The report templates can be updated to reflect specific customer requirements as follows:

   a. Summary: The report Title and Description can be modified by editing the Title: and Description: fields as displayed below:

   b. Event Triggers: Report creation can be triggered on a pre-determined schedule or in response to detection of a new Event or Incident. In the example below, the - Event: field is set to send reports based upon a schedule in crontab format. Modify the existing - Schedule: field (the example below is daily at midnight) with the schedule of your choice. For those unfamiliar with crontab, the following online calculator can be used to create the correct format for your scheduling needs: http://www.csgnetwork.com/crongen.html.

   Note: The existing hyphens (-) preceding the Event Trigger fields are required.

   To configure the reporting engine to create reports in response to an Incident, set the - Event: field to New Incident as displayed in the following example:

   To configure the reporting engine to create reports in response to a new Event, set the - Event: field to Notification and set the - NotificationType field to the type of event you want to trigger on. NotificationType can be any of the following event types:
   DAT (AntiVirus)
   ART (File Reputation)
   MIP (IP Reputation)
   MHP (Host/URL Reputation)
   SC (Shellcode)
   XOR (Encoded File)
   FM (File Mismatch)
   CC (Command & Control)

   The following example is configured to trigger on all event types.

   While this example will trigger only in response to GTI File Reputation events:

   c. Output: To specify the report format, specify HTML or XML in the Format: field. If you've configured an SMTP server in the prior steps and you want to send the report via email, delete the # preceding the Destination: field and ensure a valid email address or DL for your environment is configured. Alternatively, if you choose to have reports saved locally or to a network drive instead of emailed, the Output: section can contain a field for specifying the destination folder (Directory:). By default, the file name will match the name of the yml report template file, but the FileNameOptions: field can be used to create unique file names with the following switches:
   :date  Insert the current date into the file name.
   :time  Insert the current time into the file name.
   :id_event_type  Depending on the report trigger, insert the name of the id type (notification_id or incident_id) into the file name.
   :event_id  Depending on the report trigger, insert the unique ID of the Event or Incident into the file name.

   In the following example, a file will be created in the local /tmp directory with a name consisting of the yml file name, current date and time, type and corresponding id for all new Incidents:

   A report template named ESM-Group-local-filesave would result in a report output file name of:
   ESM-Group-local-filesave_2013-08-05T11:05:47+0200_incident_id_1239.xml

   d. Sections: Basic report formatting and data querying are handled with the Header, Title and Query fields. A single reporting template can include multiple SQL queries, each of which will be displayed as a simple table of records (HTML) or in XML representation. The Header field supports a configurable header for the entire data section, just below the overall report Title and Description. The Title and Query fields are specific to each data query, allowing execution of an underlying database (MySQL) query as well as a configurable data label displayed above each table. The following configuration would result in execution of two database queries with the associated labeling created within the output report. This would result in HTML report formatting similar to this:

   It is beyond the scope of this document to cover MySQL database queries or the underlying NTR database schema. It is expected that reporting template creators have experience writing MySQL queries and can interpret the NTR database schema.
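The following is an added illustration, not code from the NTR product or this guide, of how the FileNameOptions switches above combine into an output file name, and of checking NotificationType values against the list in the Event Triggers step. It assumes (the guide does not say) that name parts are joined with underscores and that :date together with :time produce one ISO 8601 timestamp with UTC offset, which is what the sample file name shows; the trigger argument simply distinguishes New Incident from Notification triggers.

```python
from datetime import datetime, timedelta, timezone

# NotificationType values and FileNameOptions switches listed in the guide.
NOTIFICATION_TYPES = {"DAT", "ART", "MIP", "MHP", "SC", "XOR", "FM", "CC"}
FILENAME_SWITCHES = {":date", ":time", ":id_event_type", ":event_id"}

def unknown_notification_types(types):
    """Return NotificationType values that are not in the documented set."""
    return sorted(set(types) - NOTIFICATION_TYPES)

def unknown_filename_switches(options):
    """Return FileNameOptions switches the guide does not document."""
    return sorted(set(options) - FILENAME_SWITCHES)

def report_filename(template, fmt, options, trigger, event_id, when):
    """Assemble the output file name from the yml template name and switches.

    Assumption (not stated in the guide): parts are joined with '_', and
    :date plus :time together yield one ISO 8601 timestamp with UTC offset,
    which is what the guide's sample file name shows.
    """
    fmt = fmt.lower()
    if fmt not in ("html", "xml"):
        raise ValueError("Format: must be HTML or XML")
    bad = unknown_filename_switches(options)
    if bad:
        raise ValueError(f"unknown FileNameOptions switch(es): {bad}")
    parts = [template]
    if ":date" in options and ":time" in options:
        parts.append(when.strftime("%Y-%m-%dT%H:%M:%S%z"))
    elif ":date" in options:
        parts.append(when.strftime("%Y-%m-%d"))
    elif ":time" in options:
        parts.append(when.strftime("%H:%M:%S%z"))
    if ":id_event_type" in options:
        # New Incident triggers carry an incident_id; Notification triggers a notification_id.
        parts.append("incident_id" if trigger == "New Incident" else "notification_id")
    if ":event_id" in options:
        parts.append(str(event_id))
    return "_".join(parts) + "." + fmt

# Constructed from the guide's sample: incident 1239 at 2013-08-05 11:05:47 UTC+2.
SAMPLE_WHEN = datetime(2013, 8, 5, 11, 5, 47, tzinfo=timezone(timedelta(hours=2)))

def sample_filename():
    return report_filename("ESM-Group-local-filesave", "XML",
                           [":date", ":time", ":id_event_type", ":event_id"],
                           "New Incident", 1239, SAMPLE_WHEN)
```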

3. Validate your syntax and save any changes. The following online YAML syntax tool can be used to validate and optimize the formatting of the report template: http://yamllint.com/.
4. Log on to the NTR Management Web Console with an administrative account and click the Admin Settings icon located at the top to enable the Administration tab.
5. Select the Reports section and click Restart Reporting to load the new configuration templates. (Note: perform this step whenever the underlying reporting templates or mailer configuration files are modified.) If parsing errors were encountered during processing of the report templates, an error message will be displayed within the Description field of the Reports table as depicted below. (Additional logging information can be found in /var/log/delayed_worker.log on the NTR Manager system.)
6. For testing purposes, you can immediately trigger any scheduled report by first clicking the checkbox within the REPORT column and then clicking Trigger Reports. This will also initiate emailing of the report if the reporting template is configured to do so. Reports triggered by Events or new Incidents cannot be generated on demand, and no checkbox will appear within the REPORT column.