Difference between revisions of "KHIKA App for Symantec Antivirus"

From khika
Jump to navigation Jump to search
(Adding the device in the Adaptor)
(How to check the output of KHIKA Symantec Antivirus App ?)
Line 84: Line 84:
  
 
== How to check the output of KHIKA Symantec Antivirus App ? ==
 
== How to check the output of KHIKA Symantec Antivirus App ? ==
 +
 +
===Discovering the logs of Syamntec Antrivirus===
 +
 +
After doing all the steps given above, we should start receiving live data into KHIKA. Go to "Discover" section in KHIKA GUI and select the index with name "*raw-symantec_antivirus*". Note that the index has a prefix of the customer name and workspace name. After selecting this index, you should see the live data coming in. Spend some time understanding this data and the fields of the data.
  
 
=== Symantec Antivirus Downloaded Content Update Failed Dashboard===
 
=== Symantec Antivirus Downloaded Content Update Failed Dashboard===

Revision as of 05:34, 27 June 2019

Contents

Introduction

Antivirus form an important part of organisations’ networks and hence by monitoring your Antivirus is imperative. Symantec Antivirus send the malware related information in the form of logs over syslog protocol. Syslog is very efficient and simple to integrate with. KHIKA Data Aggregator is pre-configured with syslog services on port 514. The key parts to get here are :

  1. Enabling Syslog forwarding on the device
  2. Install the KHIKA App for Symantec Antivirus
  3. Get data from your Symantec Antivirus into KHIKA Aggregator

Enabling Syslog forwarding on the device

Please refer below steps for enabling syslogs on your Symantec Antivirus Server.

The procedure to enable for external logging is as mentioned below:
1. In the Symantec Endpoint Protection Management console, click Admin.
2. Click Servers.
3. Click the local site or remote site that you want to export log data from.
4. Click Configure External Logging.
5. On the General tab, in the Update Frequency list box, select how often to send the log data to the file. (You can say 30 seconds here) 6. In the Master Logging Server list box, select the management server to send the logs to.
7. you use SQL Server and connect multiple management servers to the database, specify only one server as the Master Logging Server.
8. Check Enable Transmission of Logs to a SYSLOG Server.
9. Provide the following information: (NOTE: Firewall port 514 must be opened for syslog server to receive the messages) SYSLOG Server – Specify the IP address or domain name of the KHIKA Virtual Appliance that embeds SYSLOG server that will receive the log data. Destination Port & Protocol - Specify the protocol as ‘UDP’ and port as ‘514’ Log Facility – Specify the log facility as 4
10. On the Log Filter tab, check which logs to export. (Select ALL the possible logs here)
11. Click OK.
Admin-> Servers-> Local Site -> Configure External Logging


Symantecsyslog1.jpg


Symantecsyslog2.jpg


Symantecsyslog3.jpg

Verifying SYSLOG data collection

After you enable the syslog forwarding on the end device, you must verify if the logs are being really received by KHIKA Data Aggregator. Please refer here to understand how to verify syslogs on KHIKA Data Aggregator.

How to Install the KHIKA App for Symantec Antivirus ?

It is assumed, that you have already configured KHIKA Data Aggregator in your environment. If not, please read how to configure KHIKA Data Aggregator and perform the pre-requisite steps.

This section explains how to pick and install the KHIKA application for Symantec Antivirus - Symantec Antivirus. Installing the application shall put together and activate the adapter (parser) that can handle Symantec Antivirus data format, the dashboards and the alert rules preconfigured.

Go to “Applications” tab in the “Configure” menu.

Syamntec application tab.JPG

Check whether the appropriate Workspace is selected. Note: Application is always loaded in a Workspace. Read the section on Workspaces to know more about KHIKA Workspaces. Also select your KHIKA aggregator name in the Node dropdown. This is to ensure that we are collecting data from the desired source and into the correct workspace which is ready with the configured application and components.

Syamntec application tab2.JPG

Click on the “+” button. A pop up appears.

Symantec install application.JPG

User can now select the contents of the application required. For example, on the dropdown for “Reports”, click to expand it. List of all reports can be seen. User can individually select the reports required by checking on the checkbox next to each. Alternatively, check on “Select All” option to get all of them. Similarly you can select contents from Alerts and Dashboards.

Visit the sections on KHIKA Reports, KHIKA Dashboards, KHIKA Alerts & Correlations to know more about these topics.

Click “OK” to proceed with the installation of the selected Application. After successful installation, following status should be displayed :

Symantec app installation.JPG

This simple procedure to install a KHIKA App, automatically configures the Adapter (required for parsing the data from raw syslogs), calculated KHIKA reports on raw data, Visualizations, Dashboards and Alerts – all in one click.

Adding the device in the Adaptor

After syslogs are enabled on the device and the App is installed into KHIKA, it is the time to add the device to the this App (in Adapter section of KHIKA Web GUI). Please refer here to know how to add the device to an App.

After making these configuration in KHIKA, you must apply these changes to the Workspace. Go to Configure, select the Workspace and in Workspace tab of configure menu press the Apply button as shown in the screenshot below.

Symantec apply configuration.JPG


Wait for a few minutes for changes to apply and data to arrive in kHIKA. With all these steps, we should now expect the data to arrive in KHIKA. Lets discover some live data in KHIKA.

How to check the output of KHIKA Symantec Antivirus App ?

Discovering the logs of Syamntec Antrivirus

After doing all the steps given above, we should start receiving live data into KHIKA. Go to "Discover" section in KHIKA GUI and select the index with name "*raw-symantec_antivirus*". Note that the index has a prefix of the customer name and workspace name. After selecting this index, you should see the live data coming in. Spend some time understanding this data and the fields of the data.

Symantec Antivirus Downloaded Content Update Failed Dashboard

Go to "Dashboards" from the left menu. From the list of in-built dashboards, select this one. It shall open the Dashboard. This dashboard gives information about on which computer content downloaded successfully but update failed. Details like Server Name,Computer Name,from where downloaded is shown in an analytical fashion. You can filter and search information and create new ones too. For help with Dashboards, click here

Elements in the Dashboard are explained below :

Elements in "Symantec Antivirus Downloaded Content Update Failed" Dashboard
Visualization Description
Contribution Of Servers Contribution of Server for Downloaded content update failed event.
Contribution of Computer Contribution of Computer for Downloaded content update failed event.
Count Of Server wise downloaded from X axis : All the Server which contain downloaded content update failed events

Y axis : Stacked within each bar (ie. for each download from(download source)) the Server and count of events

Count Of Computer wise downloaded from X axis : All the Computer which contain downloaded content update failed events

Y axis : Stacked within each bar (ie. for each download from(download source)) Computer and count of events

Time trend Trend of downloaded content update failed events over time. Useful to identify unusual spikes at a glance.

X axis : date & time
Y axis : count of events
Summary Table Detailed data with timestamp and count

Suggestion for useful interaction with this dashboard could be :

Click on and select a particular Computer from Contribution of Computer pie chart. The rest of the visualization reflects for all servers,downloaded from,server etc with respect to selected Computer.

Symantec Antivirus Virus Found Dashboard

Go to "Dashboards" from the left menu. From the list of in-built dashboards, select this one. It shall open the Dashboard. Critical files in your system are monitored for any change / edit and real time alerts are fired if any such incident, as well as displayed, on this monitoring dashboard. You can filter and search information and create new ones too. For help with Dashboards, click here

Elements in the Dashboard are explained below :

Elements in "Symantec Antivirus Virus Found" Dashboard
Visualization Description
Contribution of Action Which are the actions when Virus found
Contribution of Computer Name Computer Names on which virus Found
Contribution of Server Symantec Servers Name on which virus found
Contribution of User Users Name when virus were found
IP Address wise Risk Name count X axis : All IP Address for which virus were found

Y axis : IP Address wise Risk name and its count.

Server wise Risk Name count X axis :All the Symantec Antivirus Servers for which virus were found

Y axis : Server Name wise Risk and its count

Time trend Trend of virus found events over time. Useful to identify unusual spikes at a glance.

X axis : date & time
Y axis : count of events
Summary Table Detailed data with timestamp and count

A suggestion for useful interaction with this dashboard could be :

  1. Click on and select a particular computer from contribution of Computer Name pie. The rest of the visualization reflects for all user,action ,risk etc with respect to the selected computer.
  2. For further granular detection click on and select particular action in Contribution of Actual Action pie chart ,now rest of the visualization will reflect accordingly. In Summary table will see all events for this particular computer name and action which is the Risk Name,Server,IP Address etc.

Symantec Antivirus Malware Information Dashboard

Go to "Dashboards" from the left menu. From the list of in-built dashboards, select this one. It shall open the Dashboard. This dashboard gives summary of which malware's found and its daily count.Details like which is the Risk Name, Risk Count ,Category Type etc is shown in the analytical fashion.

You can filter and search information and create new ones too. For help with Dashboards, click here

Elements in the Dashboard are explained below :

Elements in "Symantec Antivirus Malware Information" Dashboard
Visualization Description
Contribution of Risk Name Contribution of All Risk Name
Contribution of Category Type Contribution of All Category type for Malware events
Category Type wise Risk Name count X axis : All category Type in Malware events

Y Axis : Category Type wise Risk Name and ts event count

Risk Name wise Count X axis : All the Risk Name

Y axis : Each Risk Count

Daily trend Trend of daily malware event count. Useful to identify unusual spikes at a glance.

X axis : date & time
Y axis : count of events
Summary Table Detailed data with timestamp and count


Some suggestions for useful interaction with this dashboard could be :

Click on and select a particular Risk from contribution of Risk Name Name pie chart. The rest of the visualizations will reflect accordingly.

Symantec Antivirus Scan Complete with Risk Dashboard

Go to "Dashboards" from the left menu. From the list of in-built dashboards, select this one. It shall open the Dashboard. This report gives On which computer when scan was started and ends,Number of risks in scan and how many risks are omitted.

You can filter and search information and create new ones too. For help with Dashboards, click here

Elements in the Dashboard are explained below :

Elements in "Symantec Antivirus Scan Complete with Risk" Dashboard
Visualization Description
Contribution of Computers Computers on which scan completed
Contribution of Groups Group Name which are in Scan
Contribution of Servers Symantec Serves on which scan is done
IP Address Wise Count X axis : All the IP Address in Scan

Y axis : IP Address wise risk count

Begin Time Daily trend Trend of when scan begin over time. Useful to identify unusual spikes at a glance.

X axis : date & time
Y axis : count of events
End Time Daily trend Trend of when scan ends over time. Useful to identify unusual spikes at a glance.

X axis : date & time
Y axis : count of events
Summary Table Detailed data with timestamp and count

Some suggestions for useful interaction with this dashboard could be :

  1. Click on and select a particular computer from contribution of Computer pie chart. The rest of the visualization reflects all Server,Group, IP address etc with respect to the selected Computer.
  2. For further granular detection click on and select particular Group in Contribution of Group pie char, now rest of the visualization will reflect accordingly.In Summary table will see all events for this particular Computer and Group when scan is started and end ,found risk count,omitted risk count etc.

Symantec Antivirus Live Update Error Dashboard

Go to "Dashboards" from the left menu. From the list of in-built dashboards, select this one. It shall open the Dashboard. This Dashboard gives on which computer when error occurred during live update activity.

You can filter and search information and create new ones too. For help with Dashboards, click here

Elements in the Dashboard are explained below :

Elements in "Symantec Antivirus Live Update Error" Dashboard
Visualization Description
Contribution of Server Contribution of Servers(which added in KHIKA)
Contribution of Computer Name Contribution of Computer on which error occurred during live update
Contribution of Error Contribution of Error which occurred in live update activity.
Computer Wise Error count X axis : All computer name in live update activity

Y axis : Computer wise each error and its count

Daily Trend Trend of login events over time. Useful to identify unusual spikes at a glance.

X axis : date & time
Y axis : count of events
Summary Table Detailed data with timestamp and count

A suggestion for useful interaction with this dashboard could be :

  1. Click on and select a particular Computer from Contribution of Computer name pie chart. The rest of the visualization reflects for all Error,Update Type etc with respect to the selected Computer
  2. For further granular detection on and select particular Error in Contribution of Error Pie chart ,now rest of the visualizations will reflect accordingly.

Symantec Antivirus Multiple Virus Found Dashboard

Go to "Dashboards" from the left menu. From the list of in-built dashboards, select this one. It shall open the Dashboard. This dashboard gives information about multiple virus found on same machine.

You can filter and search information and create new ones too. For help with Dashboards, click here

Elements in the Dashboard are explained below :

Elements in "Symantec Antivirus Multiple Virus Found" Dashboard
Visualization Description
Contribution of computer Names and contribution of the permissions given
Computer wise Risks X axis : computer Name on which multiple virus found

Y axis : Virus found on each Computer.

Time trend Trend of multiple virus found on same machine over time. Useful to identify unusual spikes at a glance.

X axis : date & time
Y axis : count of events
Summary Table Detailed data with timestamp and count

A suggestion for useful interaction with this dashboard could be :

Click on and select a particular Computer from Contribution of Computers. The rest of the visualization reflects all Error, Update Type etc info with respect to the selected Computer.

Symantec Antivirus System In Risk Dashboard

Go to "Dashboards" from the left menu. From the list of in-built dashboards, select this one. It shall open the Dashboard. This Dashboard gives summary information about on particular computer which risk found and each risk count on daily basis

You can filter and search information and create new ones too. For help with Dashboards, click here

Elements in the Dashboard are explained below :

Elements in "Symantec Antivirus System In Risk" Dashboard
Visualization Description
Contribution of Computer Name and Contribution of Computer on which Risk Found
Contribution of Risk Name Name and Contribution of Risks
IP Address wise RiskName X axis : IP address

Y axis : Computer wise each Risk and its count

Computer wise RiskName X axis : Computer Name

Y axis : Computer wise each Risk and its count

Daily Trend Trend of daily risk found over time. Useful to identify unusual spikes at a glance.

X axis : date & time
Y axis : count of events
Summary Table Detailed data with timestamp and count

Some suggestions for useful interaction with this dashboard could be :

  1. Click on and select a particular Risk from Contribution of Risk Name. The rest of the visualization reflects Computer,IP Address etc info for this Risk.
  2. For further drill down click on and select particular computer in Contribution of Computer Name Pie. Now rest of the visualization reflects for this Error also.

Summary table shows info for this particular risk and computer like IP Address,total count of Risk etc.

Symantec Antivirus SEP Cant Take Action Dashboard

Go to "Dashboards" from the left menu. From the list of in-built dashboards, select this one. It shall open the Dashboard. This dashboard gives information about virus for which Symantec Endpoint Protection can not take nay action.Detail like Risk name,computer,IP Address etc. is shown in Analytical Fashion.

You can filter and search information and create new ones too. For help with Dashboards, click here

Elements in the Dashboard are explained below :

Elements in "Symantec Antivirus SEP Cant Take Action" Dashboard
Visualization Description
Contribution of Computer Names Name of the computer on which virus found and SEP can not action
Contribution of Servers Contribution of Symantec AV Servers
Contribution of Risk Name Names and contribution of Risk on which SEP can not action
IP Address wise Risks X axis : IP Address

Y axis : IP Address wise Risk found on which SEP can not take action and each risk count .

Time trend Trend of SEP can not take action events over time. Useful to identify unusual spikes at a glance.

X axis : date & time
Y axis : count of events
Summary Table Detailed data with timestamp and count

A suggestion for useful interaction with this dashboard could be :

Click on and select a particular Risk Name from contribution of Risk Name pie chart. The rest of the visualizations reflects for all Computer,IP Address etc with respect to the selected Risk Name.

Symantec Antivirus Update Failed Dashboard

Go to "Dashboards" from the left menu. From the list of in-built dashboards, select this one. It shall open the Dashboard. This dashboard gives information about update failed for to load or install.

You can filter and search information and create new ones too. For help with Dashboards, click here

Elements in the Dashboard are explained below :

Elements in "Symantec Antivirus Update Failed" Dashboard
Visualization Description
Contribution of Computer Names Name Computer and Contribution for which update failed
Contribution of Servers Contribution of Symantec AV Servers
Contribution of Errors Contribution of Error : Failed to Load and Failed to Install
Computer Wise Update Count X axis : Computer Name

Y axis : Computer wise update type which is failed and its event count.

Time trend Trend of SEP can not take action events over time. Useful to identify unusual spikes at a glance.

X axis : date & time
Y axis : count of events
Summary Table Detailed data with timestamp and count

A suggestion for useful interaction with this dashboard could be :

  1. Click on and select a particular Computer from Contribution of Computer name pie chart. The rest of the visualizations reflects for all Error, Update Type etc with respect to the selected Computer.
  2. For further granular detection click on and select particular Error in Contribution of Error Pie chart ,Now rest of the visualizations will reflect accordingly.

Symantec Antivirus Alerts

Alerts are generated when certain critical behavior is observed in the system – real time and notified on the Alerts Dashboard in KHIKA as well as can be received in email to relevant stakeholders. The details of KHIKA Alerts are mentioned here Click on “Alert Dashboard” on left menu.

Certain alerts for Symantec Antivirus are pre-scanned and shipped with KHIKA, keeping in mind the requirements of the users. They are mentioned in the table below :

Alerts Description

Alert Details Table
Alert Name Description Suggested Resolution
Host with multiple infections This alert is triggered when host is infected with multiple(two or more) viruses within a 5 minutes of interval. A host infected with multiple viruses is a good indication of a compromised host and this becomes a weak link in the network and can be used by the attacker to launch sophisticated attacks.

Quarantine the host. Understand the behavior of the host by checking recent history (such as websites visits from proxy or firewall logs, email download, USB events if any). Check hosts showing similar threats. Try to correlate the behavior.

Antivirus audit policy changed This alert is triggered when someone modifies the system audit policy. Someone modified system audit policy.

Check with admin. Check if CR was in place.

Virus Infection Detected This alert is triggered when system Symantec detects virus on the system. System is affected with virus. It is normal as long as the Symantec AV is cleaning the virus.

No immediate action is needed. However, if the same system is getting affected with virus/viruses multiple times, the system should be deeply inspected for
1) Network traffic to websites (firewall)
2) Emails
3) USB events if any

Single virus outbreak on few hosts This is alert is triggered when malware is found on multiple hosts but not cleaned. This is a typical case of a virus spreading laterally.

Quarantine the affected hosts. Clean the virus. Check threat intelligence (VirusTotal etc.) for virus source. Check with your AV experts

Malware detected but not cleaned This alert is triggered when malware is detected on a host but not cleaned within 24 hours of time window. An uncleaned malware is dangerous. The machine remains in compromised state and it could be a potential danger to the entire network.

Clean the malware manually. Check the reason why was it not cleaned.

Antivirus audit policy added Alert triggered when someone modifies the system audit policy,typically added new policy. Someone modified system audit policy.

Check with admin. Check if CR was in place.

variety of viruses on multiple hosts This alert is triggered when multiple viruses are detected on multiple hosts but not cleaned. Multiple host have been infected with different viruses within a short time span. This is a typical case of virus outbreak showing multiple varieties.

To treat the symptom, quarantine the affected hosts. Clean the virus. Check threat intel (VirusTotal etc.). It may happen that the hosts are infected with similar type viruses, with different names. This could be lateral spread of the virus. Consult virus experts to now more about the type of the virus

single virus outbreak on multiple hosts This alert is triggered when typical case of virus outbreak is detected that shows multiple hosts are detected with multiple of same virus within short time span. Multiple host have been infected with same or different viruses within a short time span. This is a typical case of virus outbreak.

To treat the symptom, quarantine the affected hosts Clean the virus. Check threat intel (VirusTotal etc.). It may happen that the hosts are infected with similar viruses, with different names. This could be lateral spread of the virus. Consult virus experts to know more about the type of the virus

Multiple malware detected but not cleaned This alert is triggered when uncleaned malware is detected on a host. An uncleaned malware is dangerous. The machine remains in compromised state and it could be a potential danger to the entire network.

Clean the malware manually. Check the reason why was it not cleaned. It is also important to investigate why multiple infections were seen on a single host