6.4 Analytics Guide For Cloud-136-335


Policy Violations

1. Select The Field Against Lookup Table Attribute: Select an attribute to
check against an attribute from the lookup table from the dropdown.
2. (Optional) Select Condition: Select from the dropdown.
3. (Optional) Select Lookup Table Attribute: Select an attribute within the
lookup table mapped during Lookup Data import from the dropdown.
4. (Optional) Click the drop-down and select AND or OR.
5. (Optional) Click + to add criteria, or click - to remove criteria.

NO

a. Skip to next step.

Check Against Third Party Intelligence

This function compares attributes in events against Third-Party Intelligence (TPI)
added during the TPI import.

Complete the following information:

(Optional) Click the + Add TPI Source to add an additional TPI source to check.

SNYPR Analytics Guide 136


1. Field to Check Against TPI: Click the drop-down and select an attribute.
2. TPI Source To Check: Click the drop-down and select a TPI source to check.

To remove a TPI Source to Check, click -.

Check Against Watchlist

This function compares attributes in events against watch lists that were added
during the Watchlist creation.

Complete the following information:

1. Select the Field To Check Against Watchlist: Click the drop-down and select a
field to check against the Watchlist.
2. Select Watchlist: Click the drop-down and select a Watchlist.
3. Do you want to flag as Violation if it is not found in Watchlist?: Select one of
the following options:
- YES: Flags as a violation if the account name is not found on a watchlist.
- NO: Does not flag as a violation if the account name is not found on a watchlist.

Check Domain Age

This function compares an attribute against an age (in days). Use this analytic to
check the age of a network domain. If the age of the domain is less than the
specified number of days, a violation is flagged.

Complete the following information:

1. Select Field: Click the drop-down and select a field against which to check the
age. Example: Destination Network Domain.
2. Age (In Days): Enter a numeric value for the age in days. Example: 750

Custom Function

You can create a custom Additional Event Analytic function using a software
development package. For information about how to create Custom Functions,
contact SNYPR.

Note: Enter a class name for the custom function.

When you have defined the Class Name, the class file must be placed in the
respective path. Example: ($$/apache-tomcat-8.0.33/webapps/snypr/WEB-INF/classes/com/securonix/snypr/).

Email to Self

This function checks events for email recipients against the email sender using a
match threshold.

Complete the following information:

1. Select Field for Email Recipient: Click the drop-down and select a field for
email recipient.
2. Match Threshold (0 to 1): Specify a match threshold. The default is 0.8.

Match String

This function matches attribute values in an event, using a match threshold.

Complete the following information:

1. Select First Field to compare: Click the drop-down and select the first field to
compare.
2. Select Second Field to compare: Click the drop-down and select the second
field to compare.
3. Match Threshold (0 to 1): Enter a threshold. The default is 0.8.

Risk Boosters
Risk Boosters increase risk scores for a policy based on specified criteria.

Do the following, depending on the risk booster you select. You can select multiple
risk boosters for a policy.

Match Criteria

Match criteria increases or decreases the risk score of the policy when source criteria
matches a destination criteria.

1. Complete the following information:

a. Source Column: Click the drop-down and select an attribute.
b. Condition: Click the drop-down and select a condition.

c. Destination Column/Value: You can specify the destination column/value in
two ways:
- Manually: Manually provide a value to match to the source criteria.
- Existing: Click to view a drop-down of the existing source criteria values.
d. Operator: Click the drop-down and select AND or OR.

To add (+) or delete (-) a condition, click + or - from the last column.

e. Increase Risk Score by Adjustment Factor: Provide a factor by which to
increase the risk score if the condition is present in the violation.

Watchlist Entities

Watchlist entities can increase or decrease the risk score if a specific attribute matches
a specified watchlist.

1. Complete the following information:

a. Check if Field: Click the drop-down and select a field to check against the
watchlist. Example: sourcename.
b. Selected above is: Select if the field to check should be Present or Not
Present.
c. In Watchlist: Click the drop-down and select the Watchlist. Example:
Flight_Risk_Users

Note: You must have added Watchlist data to use this risk booster function.
Click Get Entity Count to determine if any entities are found on the list.

d. Increase Risk Score by Adjustment Factor: Provide a factor by which to
increase the risk score if the condition is present in the violation.

After Hours Activity

After Hours Activity increases the risk score if events occur within a specified time
range.

1. Complete the following information:

a. After Hours Start Time: Enter the start time for after hours activity on a 24-hour
clock. Example: 2000 hours (8:00 PM).
b. After Hours End Time: Enter the end time for after hours activity on a 24-hour
clock. Example: 0700 hours (7:00 AM).
c. Increase Risk Score by Adjustment Factor: Provide a factor by which to
increase the risk score if the condition is present in the violation.
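As an added example (not part of the guide or of the SNYPR product), the check an After Hours Activity booster has to make for a window such as the 2000 to 0700 one above, which wraps past midnight; the HHMM parsing, the multiplicative use of the adjustment factor and the sample event times are assumptions of this example.

```python
"""
Added example (not SNYPR product code): the check behind the After Hours
Activity risk booster, written so that a window like the guide's 2000-0700
example, which wraps past midnight, is handled correctly. Times are the
guide's HHMM 24-hour form. How the adjustment factor is applied is not
stated in the guide; multiplying it into the policy score is an assumption.
"""


def parse_hhmm(value):
    """Convert an 'HHMM' string such as '2000' into minutes since midnight."""
    if len(value) != 4 or not value.isdigit():
        raise ValueError(f"expected HHMM, got {value!r}")
    hours, minutes = int(value[:2]), int(value[2:])
    if hours > 23 or minutes > 59:
        raise ValueError(f"time out of range: {value!r}")
    return hours * 60 + minutes


def in_after_hours(event_hhmm, start, end):
    """True when the event time lies inside [start, end).

    A naive `start <= t < end` comparison is never true for a window such as
    2000-0700 (start > end), so events at 23:30 or 02:00 would silently miss
    the booster. The wrapped window is the union of [start, 24:00) and
    [00:00, end).
    """
    t, s, e = parse_hhmm(event_hhmm), parse_hhmm(start), parse_hhmm(end)
    if s <= e:                      # window within one day, e.g. 0100-0500
        return s <= t < e
    return t >= s or t < e          # window wraps midnight, e.g. 2000-0700


def boosted_score(base_score, event_hhmm, start, end, factor):
    """Apply the adjustment factor only to after-hours events (assumed to be
    multiplicative; the guide does not define the arithmetic)."""
    if in_after_hours(event_hhmm, start, end):
        return round(base_score * factor, 4)
    return base_score


if __name__ == "__main__":
    # Constructed sample event times around the guide's 2000-0700 window.
    for hhmm in ("2330", "0200", "0659", "0700", "1300"):
        print(hhmm, in_after_hours(hhmm, "2000", "0700"),
              boosted_score(0.6, hhmm, "2000", "0700", 1.5))
```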

Lookup Table

Lookup Table increases the risk score if an event attribute matches a value in the
specified lookup table.

1. Complete the following information:

a. Lookup Table: Select an existing lookup table from the dropdown. Example:
CompetitorDomains.

b. Row Key: Specify the condition by which to specify the Row Key. Example: The
Destination Hostname must be equal to a value under the key in the lookup
table.
   a. Condition: Select the condition the event attribute must meet compared to
   the Row Key in the lookup table. Example: Equal To.
   b. Select the Event Attribute to Check Against Lookup Table Field: Example:
   Destination Hostname.

c. Value: Specify the condition that must be present to increase the risk.
Example: The Email Recipient must be Equal To a value found in the Row Key.
   a. Condition: Select the condition the event attribute must meet. Example:
   Equal To.
   b. Select the Event Attribute to Check Against Lookup Table Field: Example:
   Email Recipient.

d. Increase Risk Score by Adjustment Factor: Provide a factor by which to
increase the risk score if the condition is present in the violation.

Active List

1. Complete the following information:

a. Rule to check against Activelist: Provide the attributes to check. For example,
to check whether an entity and a filename involved in the event are found on the
File_downloaded active list, provide the following attributes: accountname+filename.

b. In Activelist: Click the drop-down and select the existing active list. Example:
File_downloaded.

c. Do you want to check if the rule provided above is: Select if the rule to check
should be Present or Not Present.
d. Increase Risk Score by Adjustment Factor: Provide a factor by which to
increase the risk score if the condition is present in the violation.

Next: Step 3: Risk Scoring Technique.

Step 3: Choose Risk Scoring Technique


SNYPR provides flexible risk scoring options so you can choose what threats you see
first on the Security Command Center (SCC). Behavior-based policies run on the
behavior of an entity. The policies detect behavior and peer-based outliers compared
to the entity’s past behavior or behavior of their peers.

In this step, choose the risk scoring technique and set the criticality of the policy to
determine the risk score of the violated policy.

1. Complete the following information to choose the risk score for the violation
entity:

a. Do you want to save violations and calculate risk scores for this policy?:
Select one of the following options:
- YES: Violations for this policy are searchable in Spotter and risk scores are
calculated for violators.
- NO: Violations are not searchable and risk scores are not calculated.

b. Risk Scoring Technique: Select one of the following risk scoring techniques.

Static Risk Score

Violator receives a constant score for the policy for the Check Window,
irrespective of the number of times they violate the policy.

Check Window

Analytics Type                              Check Window
Behavior Based (Hourly, Daily, Weekly)      Once per Hour, Day, Week** Based on the
                                            window selected for the behavior profile for
                                            the policy
AEE                                         Time Window in Policy Config
Beaconing                                   Day Window*
IEE, Rarity, Traffic Analyzer               Day Window*
(except Beaconing)

Example: If an entity violates a Daily Behavior-based policy with a Criticality
of High that carries a Risk Score of , the entity’s risk score will be for the
check window. If they violate the policy again within the check window, their
risk score will remain . If they violate the policy again after the check
window, a score of will be added to the entity’s risk score, resulting in a risk
score of .

Aggregated Risk Score

Risk score is calculated as the criticality of the policy x the number of times
the policy is violated within the Check Window, up to the (optional) Cap Risk
Score.

Check Window

Analytics Type                              Check Window
Behavior Based (Hourly, Daily, Weekly)      Once per Hour, Day, Week** Based on the
                                            window selected for the behavior profile for
                                            the policy
AEE                                         Time Window in Policy Config
Beaconing                                   Day Window*
IEE, Rarity, Traffic Analyzer               Day Window*
(except Beaconing)

Example: If an entity violates a policy with a Criticality of Low that carries a
risk score of 0.2, the first time the entity violates the policy, their risk score is
. The second time they violate the policy within the Check Window, their risk
score is 0.2 + 0.2 (or 0.2 x 2) = . The third time, their risk score is 0.2 x 3 = ,
etc.

Daily Cap Risk Score (Optional)

Cap Risk Score is used to cap the risk score of an entity for a policy to a
specified limit. When set, the entity’s risk score will continue to aggregate for
each violation of the policy up to the cap limit.

Example: If Daily Cap Risk Score is specified as 10, the entity’s risk score for
a policy with a Criticality of Low that carries a risk score of 0.2 will aggregate
for each violation within the Check Window until it reaches 10:
If the entity violates the policy 49 times, the risk score is .
If the entity violates the policy 50 times, the risk score is .
If the entity violates the policy 100 times, the risk score remains .

c. Criticality: Use the slider to select the criticality of the policy. The criticality
affects the risk score for the user.
- None: 0.0
- Low: 0.2
- Medium: 0.6
- High: 1.0
- Custom: A value greater than 1.

For custom risk scores, specify the Custom Risk Score.

d. Do you want to escalate this policy as a Threat?: Select one of the following
options:
- YES: Escalates the policy to a threat. Violations appear in the Top Threats
dashboard of the SCC.
- NO: Violations appear in the Top Violations dashboard in the SCC.

2. Click Save & Next.
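As an added example (not the guide's or SNYPR's own code), the Static and Aggregated techniques from this step applied to constructed violation timestamps, reproducing the Low (0.2) and Daily Cap 10 walk-through above; the check window length in hours, its anchoring on the first violation, and the cap applying per window are assumptions.

```python
"""
Added example (not SNYPR product code): the Static and Aggregated risk
scoring techniques from Step 3, including the optional Daily Cap Risk Score.
Assumptions, since the guide does not spell them out: the Check Window is
given in hours and opens at the first violation outside the previous window,
and the cap applies to each window separately.
"""
from datetime import datetime, timedelta

CRITICALITY = {"None": 0.0, "Low": 0.2, "Medium": 0.6, "High": 1.0}
TS = "%Y-%m-%d %H:%M:%S"


def policy_score(criticality):
    """Named criticality from the guide's slider, or a Custom numeric value."""
    if isinstance(criticality, str):
        return CRITICALITY[criticality]
    return float(criticality)          # Custom: a value greater than 1


def violations_per_window(timestamps, window_hours):
    """Count the violations that fall into each consecutive check window."""
    counts = []
    window_end = None
    for ts in sorted(datetime.strptime(t, TS) for t in timestamps):
        if window_end is None or ts >= window_end:
            window_end = ts + timedelta(hours=window_hours)
            counts.append(0)
        counts[-1] += 1
    return counts


def static_score(timestamps, criticality, window_hours=24):
    """Static: the constant policy score once per check window, however many
    times the entity violated within that window."""
    windows = violations_per_window(timestamps, window_hours)
    return round(policy_score(criticality) * len(windows), 4)


def aggregated_score(timestamps, criticality, window_hours=24, cap=None):
    """Aggregated: criticality x violations per window, each window capped at
    the Daily Cap Risk Score when one is set."""
    total = 0.0
    for n in violations_per_window(timestamps, window_hours):
        window_score = policy_score(criticality) * n
        if cap is not None:
            window_score = min(window_score, cap)
        total += window_score
    return round(total, 4)


def burst(count, start="2024-03-04 09:00:00", step_seconds=1):
    """Constructed sample data: `count` violations `step_seconds` apart."""
    first = datetime.strptime(start, TS)
    return [(first + timedelta(seconds=i * step_seconds)).strftime(TS)
            for i in range(count)]


if __name__ == "__main__":
    # Reproduces the guide's Low (0.2) / cap 10 walk-through.
    for n in (1, 2, 3, 49, 50, 100):
        print(n, aggregated_score(burst(n), "Low", cap=10))
    # Two violations 25 hours apart fall into two windows: static scores twice.
    print(static_score(burst(2, step_seconds=25 * 3600), "High"))
```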

Next: Step 4: Choose Actions for Violation Results.

Step 4: Choose Actions for Violation Results


In this last step, you will configure a violation summary to specify what attributes to
include on the Security Command Center and specify what actions the application will
take for violations of this policy. You can create actions to learn the actions taken by
level 2 analysts, add users to watchlists or active lists, generate cases, and export data
in CEF format.

1. Complete the following information in the Configure the Violation Information
Summary section:

a. (Optional) Provide the verbose template for violation summary: Enter a
verbose template to specify custom attributes to display in the violation
summary.

Example: Account ${accountname!"ACCOUNTNAME"} performed
${transactionstring1!"ACTIVITY"} from ipaddress ${ipaddress!"UNKNOWN"}.

Warning: You must include the ! in the attribute. For example,
${resourcename!"Unknown"} initiated a suspicious process will work, but
${resourcename} initiated a suspicious process will not.

Note: For a complete list of available attributes, see Appendix B: Verbose
Template Attributes.

b. Grouping Attribute: Click the drop-down and select an attribute under which
to group the information in the summary.
c. Metadata Attributes: Click the drop-down and select up to three metadata
attributes to view within the grouping attribute in the summary.

d. Level 2 Attribute: Click the drop-down and select a high-level attribute to view
independent of the Grouping Attribute.
e. Level 2 Metadata Attributes: Click the drop-down and select up to three
metadata attributes to view within the Level 2 attribute in the summary.
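As an added example (not the guide's or SNYPR's own code), a small renderer for the ${attribute!"default"} placeholders of the verbose template in step 1.a above, showing why the ! default is required when an event lacks an attribute; the placeholder grammar is taken from the guide's examples only, and the sample event is constructed.

```python
"""
Added example (not SNYPR product code): a renderer for the
${attribute!"default"} placeholders used in the verbose violation summary
template, written to show why the guide says the ! default is required.
The placeholder grammar is reproduced from the guide's examples only; any
other syntax the product may accept is outside this example.
"""
import re

# ${name!"default"} or ${name}; the default part is optional so that the
# bare form the guide warns about can be detected.
PLACEHOLDER = re.compile(
    r'\$\{(?P<name>[A-Za-z0-9_]+)(?:!"(?P<default>[^"]*)")?\}')


class MissingAttribute(KeyError):
    """Raised for ${name} without a default when the event lacks `name`."""


def render_summary(template, event):
    """Substitute event attributes into the template.

    - ${name!"default"}: uses event[name], or the default when the attribute
      is absent or empty, so the summary always renders.
    - ${name}: works only when the attribute is present; otherwise raises,
      mirroring the 'will not work' behaviour described in the guide.
    """
    def substitute(match):
        name, default = match.group("name"), match.group("default")
        value = event.get(name)
        if value not in (None, ""):
            return str(value)
        if default is None:
            raise MissingAttribute(name)
        return default
    return PLACEHOLDER.sub(substitute, template)


def validate_template(template):
    """Return the names of placeholders that lack a ! default, so a policy
    author can catch them before the first event without that attribute."""
    return [m.group("name") for m in PLACEHOLDER.finditer(template)
            if m.group("default") is None]


# The template from the guide's example.
GUIDE_TEMPLATE = ('Account ${accountname!"ACCOUNTNAME"} performed '
                  '${transactionstring1!"ACTIVITY"} from ipaddress '
                  '${ipaddress!"UNKNOWN"}.')

if __name__ == "__main__":
    # Constructed sample event with the ipaddress attribute missing.
    event = {"accountname": "jdoe", "transactionstring1": "Log Clear"}
    print(render_summary(GUIDE_TEMPLATE, event))
    print(validate_template('${resourcename} initiated a suspicious process'))
```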

2. (Optional) Set Enable Response Bot to YES to choose one or more features for the
Response Bot. See Response Bot in the SNYPR Security Analyst Guide for more
details about Smart Response.

When you enable this setting, there will be two additional sections that display:

a. Choose one or more features for Response Bot: Click the box next to the
event features from which to learn responses.
b. Choose one or more user attributes for Response Bot: Click the box next to
the user attributes from which to learn responses.

3. Complete the following information in the Violation Action section:

a. Do you want to enable this policy: Toggle to enable/disable this policy.

b. Daily Violation Threshold: Enter a value after which to stop flagging violations
for the policy. When a violation exceeds the threshold, it is skipped for
scoring and saving.
c. Do you want to generate incident for policy violators?: Enable to generate an
incident for policy violators.

d. Select workflow to be used while generating incidents: Click the drop-down
and select the option you want to use to generate a case for the policy violator.
e. Send Notification: Enables you to receive notifications of violations for this
policy. The following fields display when enabled:
- Select Notification Type: Select an email template from the drop-down list.
- Add Policy Violators to Watchlist?: Click to add policy violators to a
watchlist.

f. Add Policy Violators to Watchlist?: Click the drop-down and select which
policy violators to add to the watch list.
g. Add Policy Violators to Active list?: Click to add policy violators to an active
list. The following fields display when enabled:

1. Select Active list: Click the drop-down and select an active list.
- Rule in active list

2. Select attributes to be displayed in violation on SCC: This section consists
of two multi-selection lists:

- Left list: This list contains a fixed set of attributes.
- Right list: This is the list that is being built.

Available buttons:

- Right arrow (>): Moves the currently selected attribute to the list being
built.
- Double right arrow (>>): Moves all the fixed set of attributes to the list
being built.
- Left arrow (<): Takes the currently selected attribute from the list being
built, and moves it back to the list with the fixed set of attributes.
- Double left arrow (<<): Takes all of the attributes from the list being
built, and moves them back to the list as the fixed set of attributes.

Tip:
You can select multiple attributes by doing either of the following:
- Contiguous attributes: Click and drag to select a group of attributes
that are alongside each other in the list.
- Non-contiguous attributes: Hold down Ctrl, then click your
desired attributes to select attributes that aren't close to each
other in the list.

h. CEF Output/RSA Archer CEF Output/RSA Netwitness CEF Output: Select this
option if you want the output to be in CEF format. When enabled, the following
field displays:

1. Select Connection: Select CEFExport from the drop-down list.

2. (Optional) Click the Output Field Mapping button to configure the output.

Complete the following information in the pop-up:

a. CEF Field: Specify the CEF field.
b. Constant?: Set the constant to YES or NO.
c. Mapped With: Specify the mapped with value.

You must configure your connections for CEF output in Connection Types
before you can export from SNYPR. For information about integrating RSA
Archer, see Configure RSA® Archer GRC Platform. For information about
integrating RSA Netwitness, see Configure RSA Netwitness.

4. Click Save.

See Appendix B: Policy Configuration Examples to see examples of Individual Event
Analytics, Behavior-based, and Activity Outlier policies.

Create an Identity or Access Policy


The following sections describe the steps to create an identity- or access-based policy.

Step 1: Enter Policy Details


In this step, you will create a rule-based policy to flag users or access accounts that
violate a specific rule, based on a built-in template. This section includes how to create
this type of policy and provides specific examples of identity policies.

1. Navigate to Menu > Analytics > Policy Violations.
2. Click +, then select Create Identity/Access Policy.

a. Create Policy: Creates real time policies that flag single or multiple events that
result in a violation. It can also create behavior-based policies that perform
frequency and rarity checks to detect behavior-based or peer-based outliers.

b. Create Identity/Access Policy: Creates policies using a built-in template.
Templates store the underlying joins to facilitate the execution of a policy.

3. Complete the following information in the Define Policy section:

a. Policy Name: Provide a unique name to describe the type of violation the policy
detects.

b. (Optional) Description: Enter a brief description of the policy.

c. Risk Scoring Technique: Select one of the following risk scoring techniques.
- Static Risk Score: Violator receives a constant score for the policy for the
Check Window, irrespective of the number of times they violate the policy.
- Aggregated Risk Score: Violator risk score is calculated as the criticality of
the policy x the number of times the policy is violated within the Check Window,
up to the (optional) Cap Risk Score.

d. Criticality: Use the slider to select the criticality of the policy:
- None: 0.0
- Low: 0.2
- Medium: 0.6
- High: 1.0
- Custom: Specify a custom risk score.

The criticality affects the risk score for the violation entity.

e. Violation Entity: Click the drop-down and select one of the following options:
- Users: Returns list of users violating policy. Uncorrelated accounts will be
ignored. A new option will appear.
- Access Account: Returns list of access accounts (both correlated and
uncorrelated) violating policy.

f. Signature Id: Type the signature ID.

g. Datasource: Click the search icon and select the datasource that this
policy should run on.

Click Assign when you have selected the datasource.

Note: You can leave this blank for policies that do not run on any data
source.

4. Complete the following information in the Additional Details section:

a. Owner: Click the search icon to select an owner for the policy. After you
select an owner, click Add Selected Owner towards the bottom of the screen.
This can be used to send notifications and manage cases.

b. Remediator: Click the search icon to select a remediator for the policy. After
you select a remediator, click Add Selected Owner. This can be used to send
notifications and manage cases.
c. Stop when violations are greater than: Specify a number to put a limit on the
number of violations flagged by the policy. The default is 1,000,000.

5. Complete the following information in the Define Risk and Threat section:

a. Category: The category is displayed on the dashboard as a widget and risk will
be aggregated for policies with the same category. All violations of the same
category will be available in the widget. Do the following, depending on which
action you want to perform:

I want to create a new policy category

To create a new policy category, follow the steps below:

1. Click the Create New Policy Category button.
2. Add a name for the category.
3. (Optional) Enable to add the category to sandbox.

4. Click Save.

I want to use an existing policy category

To select an existing policy category, follow the steps below:

1. Click the drop-down and select a policy category.

b. Threat Indicator: Violations detected are an indication of a threat. Do the
following, depending on the action you want to perform:

Create a new threat indicator

1. Click Create New Threat Indicator.
2. Complete the following information in the pop-up that displays:

a. Threat Indicator Name: Enter a descriptive name for the threat indicator.
b. Category: Select a threat kill chain stage from the drop-down:
- Recon Stage: Attackers gather information before an attack in an
attempt to find a vulnerable point in the network.

Example: Phishing emails.

- Delivery Stage: Attackers deliver a malicious package to gain access
to a network.

Example: User clicks a link within a phishing email and downloads
malware from the malicious site.

- Exploit Stage: Attackers find a vulnerable point of entry into the
network and gain access.

Example: Zero-day attack.

- Execute Stage: Attackers escalate access to execute the attack using
admin privileges.

Example: Escalating privileges or stealing admin credentials, lateral
movement.

- Exfiltration Stage: Attackers can move freely around the network and
access or remove any sensitive data at will.

Example: An insider uploading customer information to a personal
file sharing/storage site.

Each stage represents a step in the threat kill chain. To view violations by
threat stage on the Kill Chain Analysis, navigate to Menu > Security
Center > Security Command Center. See Security Command Center for
more information.

c. What actions should be taken when this policy is violated?: Enter the
steps to take to remediate this threat. Use HTML to control the way the
steps are displayed on the Violation Summary screen.

Example:
<ol>
<li>Review the Account Name and Domain Name fields, that identify
the user who cleared the log</li><br>
<li>Additional fields of interest: Security ID, Logon ID,
Subject</li><br>
<li>Login ID allows you to correlate backwards to the logon events as
well as with other events logged during the same logon
session</li><br>
<li><a href="supportticketsite.com">Submit a ticket to
investigate</a></li>
</ol>

The Remediation Steps will appear on the Violation Summary screen:

d. Select to Associate Playbooks: Check the box next to each playbook you
want to associate with the threat indicator.

Setting Auto Play to YES will automatically launch playbook tasks upon
violation. If Auto Play is set to NO, you can launch playbook tasks
manually from the Violation summary screen when an incident occurs.

3. Click Save.

Edit a killchain stage and response actions

1. Click Edit Killchain Stage and Response Actions.
2. Edit your desired information in the pop-up that displays.

Note: For a description of each of these fields, refer to the Create a new
threat indicator section.

3. Click Save.

Select an existing threat indicator

1. Click the drop-down and select an existing threat indicator.

6. Click Save & Next.

Next: Step 2: Select Policy Templates.

Step 2: Select a Policy Template


In this step, you will select a template to determine the attributes against which to run
the policy. For example, user attributes, access account attributes, and resource
attributes.

1. (Optional) Click Filter templates, then filter your criteria by checking one or
multiple boxes.

2. Click the check-mark next to the policy template you want to use.

The check-mark will turn green when you select a policy template.

3. Click Save & Next.

Next: Step 3: Provide conditions.

Step 3: Provide Conditions


In this step, you will create groups of rules to determine what the policy will check for
and configure post-process functions to add additional data processing.

1. Complete the following information in the group:

a. Object: Objects are the database tables. Click the drop-down and select an
object from the policy template.
b. Attributes: Attributes are the respective columns for the database table. Click
the drop-down and select an attribute that is associated with the object.
c. (Optional) Function on Attribute: This column only displays if Enable attribute
functions is set to YES. Click the drop-down to select the functions to use on
the attribute.

d. Condition: Click the drop-down and select a condition.

e. Value: Enter a value in the text box.

(Optional) You can also select or search for an attribute value by doing the
following:

Select attribute value

1. Click the ellipsis icon to select an attribute value.
2. Complete the following information in the Attribute values pop-up:

a. Object: Click the drop-down and select an object.
b. Variables: Click the drop-down and select a variable.

3. Click Add.

Search attribute value

1. Click the search icon to search for existing attribute values.
2. Select the attribute you want.

3. Click Add.

f. (Optional) Function On Value: This column only displays when Enable value
functions is set to YES. Click the drop-down and select the functions to use on
the value.

For more information about using functions, see Appendix A: Functions in the
Data Integration Guide.

g. AND/OR: Click the drop-down and select AND or OR.
h. (Optional) Add (+) or delete (-) a new rule by clicking + or - in the last column.

Once steps 1.a.-1.h. are complete, the rule will translate into an HQL query with
the format: [Object.Attributes <condition> Value]. For example, for the
following settings: Object = "User", Attributes = "City",
Condition = "Equal To", Value = "dallas", the resulting query is:
"users.city = 'dallas'"

2. (Optional) Add a new group by clicking Add new group. This will create a second
group below your most recent group.

To remove a group, click Remove group.

3. Click Save & Next.
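As an added example (not the guide's or SNYPR's own code), building the HQL fragment from one rule group as described in step 1, with the Value emitted as an escaped string literal; the Object-to-table mapping and the condition-to-operator mapping are assumptions extended from the guide's single "users.city = 'dallas'" example.

```python
"""
Added example (not SNYPR product code): turning one rule group from Step 3
into the HQL fragment the guide shows, "users.city = 'dallas'".
The Object-to-table mapping and the condition-to-operator mapping are
assumptions extended from that single example. The point for a policy
author: the Value is a string literal, so a quote inside it must be escaped
or the literal ends early and the query no longer means what the rule says.
"""

# Condition labels of the rule builder mapped to HQL operators (assumed).
CONDITIONS = {
    "Equal To": "=",
    "Not Equal To": "<>",
    "Greater Than": ">",
    "Less Than": "<",
}

# Template objects mapped to table names (only User -> users is on the page).
OBJECTS = {"User": "users", "AccessAccount": "accessaccounts"}


def hql_literal(value):
    """Quote a value as an HQL string literal, doubling embedded quotes."""
    return "'" + str(value).replace("'", "''") + "'"


def rule_to_hql(obj, attribute, condition, value):
    """[Object.Attributes <condition> Value] -> "users.city = 'dallas'"."""
    if obj not in OBJECTS:
        raise ValueError(f"unknown object {obj!r}")
    if condition not in CONDITIONS:
        raise ValueError(f"unknown condition {condition!r}")
    # Attributes are column names, not event data: allow identifiers only.
    if not attribute.replace("_", "").isalnum():
        raise ValueError(f"attribute must be an identifier: {attribute!r}")
    column = f"{OBJECTS[obj]}.{attribute.lower()}"
    return f"{column} {CONDITIONS[condition]} {hql_literal(value)}"


def group_to_hql(rules):
    """Join the rows of one group using each row's AND/OR column.

    `rules` is a list of (object, attribute, condition, value, joiner); the
    joiner of the last row is ignored, as the builder has nothing to join.
    """
    parts = []
    for i, (obj, attr, cond, value, joiner) in enumerate(rules):
        parts.append(rule_to_hql(obj, attr, cond, value))
        if i < len(rules) - 1:
            if joiner not in ("AND", "OR"):
                raise ValueError(f"joiner must be AND or OR, got {joiner!r}")
            parts.append(joiner)
    return "(" + " ".join(parts) + ")"


if __name__ == "__main__":
    print(rule_to_hql("User", "City", "Equal To", "dallas"))
    print(group_to_hql([
        ("User", "City", "Equal To", "dallas", "AND"),
        ("User", "Department", "Not Equal To", "finance", None),
    ]))
    # A value containing a quote stays inside the literal instead of ending it.
    print(rule_to_hql("User", "LastName", "Equal To", "O'Brien"))
```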

Next: Step 4: Choose actions for violation results.

Step 4: Choose Actions for Violation Results


In this last step, you will determine what actions the application will take for
violations of this policy. Create actions to generate cases, send email notifications, or
add violators to a watch list.

1. Complete the following information in the Violation Action section:

a. Send Notification: Select one of the following options:
- YES: Sends you violation notifications.
- NO: Does not send you violation notifications.

b. (Optional) Select Email Template: You can create a new email template, or you
can select an existing one. This field only displays when Send Notification is set
to YES.

c. Add Policy Violators to Watchlist?: Here, you can create a new watch list or select
an existing watchlist. Do the following, depending on the option you select:

Create a new watch list

1. Complete the following information in the Create New Watch List pop-up:

a. Name: Enter a name for the watch list.
b. Watch List Criticality: Click the drop-down and select one of the
following options:
- Critical
- High
- Medium
- Low

c. Select Tenant: Choose the same tenant that you are using in your
import job to ensure the violators are sent to the correct Watchlist in the
correct tenant.

d. Restrict Access to this watchlist to your user groups?: The following
options are available:
- NO: The Watchlist is accessible to all the users.
- YES: The Watchlist is only accessible to the users you select.

2. Click Save.

Select an existing watch list

Complete the following information:

a. Rule to remove Violators from Watchlist: Enable or disable the setting.

b. Remove Violators from Watchlist: This field only displays when the Rule to
remove Violators from Watchlist field is enabled. The following options are
available:
- Never: Never remove violators from the Watchlist.
- Specific Number of Days: The number of days after which a violator is removed
from the Watchlist.

2. Click Save.

You will be directed to the Policy Violations screen.

Manage Policies
To manage policies, navigate to Menu > Analytics > Policy Violations. By default, you
will be directed to the Policy Violations screen for all policies.

What can I do on this Screen?

From here, you can view information for all policies, search for a specific policy,
enable/disable policies, take actions on policies, and edit policies.

View Policies

You can view a list of available policies from the left pane, as seen in the following
image:

- All Policies: View all available policies.
- All Policy Jobs: View and perform actions on policy jobs.
- Response Bot Policies: View policies with Response Bot enabled to provide smart
suggestions for violations.
- By Enabled/Disabled Status: Filter policies by their status.
- By Type: Select an option to view only policies of the selected policy type.
- By Analytical Type: Select an option to view only policies of the selected analytical
type configured during Step 2: Provide Conditions of creating a policy.
- By Violation Entity: Select an option to view only policies with the selected
violation entity.
- By Category: View policies by the policy category.

- By Datasource: Select an option to view only policies that run on the selected
datasource.
- By Datasource Type: Select an option to view only policies that run on the
selected datasource type.
- By Functionality: Select an option to view policies that run on the selected
functionality type.
- By Threat: Select an option to view only policies with the selected threat indicator
(configured during Step 1 of creating a policy).
- By Criticality: Select an option to view only policies configured with the selected
criticality.
- By Threat Category: Select an option to view policies by kill chain stage.
- By Sandbox Category: Select any sandbox policy type to view.
- By Label: Select a label for the policy.

Enable Policies
By default, policies are enabled to run against imported data. To disable a policy, set
the Enabled? column to NO.

Edit Policies
To edit a policy, do the following:


1. Click an existing policy name in the Name column.

You will be directed to the configurations screen for policy violations.


2. Edit the information in steps 1-4 of creating a policy.

Actions for Policies

You can take the following actions on policies on the Policy Violations screen:

• Run Job icon: Run job.
• View Job icon: View job details.
• Re-run Job icon: Re-run job.
• Delete Job icon: Delete job.

Run Job

To run the policy on data imported in your environment, complete the following steps:

1. Click the Run Job icon.

2. Complete the following information in the Job Details section:

a. Job Name: By default, the text box will auto-populate with a name. If you want
to change the name, delete the default and enter your own unique job name.
b. (Optional) Job Description: Enter a job description.
c. (Optional) Enable Job Related Notifications: Select one of the following
options:

YES

Specify the notification emails to be sent when a job has run successfully, has
failed, or has completed with errors:

• On Success
• On Failure
• On Completed with Errors

For this example, the On Success section is used. Click the drop-down and
select one of the following options:

• Create New Email Template
• Job Status

For instructions to create a new email template, see Email Templates.

NO

Proceed to the next step.

3. Complete the following information in the Run Job section:

a. Do you want to run job Once?: Runs the job right now.
b. Do you want to schedule this job for future?: Specify a time for the job
to run.

4. Click Run to run the job.

View Job Details

To view details about a previously run job, click the View Job icon. A window
appears with the job details.

Re-run Job

To re-run a previously run job, click the Re-run Job icon and click Yes to confirm
when the window appears.

Delete Job

To delete a previously run job, click the Delete Job icon and click Yes to confirm
when the window appears.


Search Policies using Spotter

Spotter provides high-performance, text-based search and visualization capability.

To get started with your search, navigate to Menu > Security Center > Spotter. From
here, you can:

• View available violations for a policy
• Search for a specific policy using the following syntax: policyname = [policy name].
Example: policyname = "Flight Risk User - Job Search".

For more details about searching Spotter, see the Spotter section in the Security
Analyst Guide.

Sandbox
The Sandbox feature is an isolated environment for content developers to create
and test policies and threat models without affecting the risk score of entities in the
production environment. Using the sandbox, the content team can test and
update policies without affecting production or the SOC team.

You can view violations associated with the policy from the Security Command
Center. These policies have a sandbox tag associated with them.

When the use case is tested and verified, the content developer can publish the policy
from sandbox to production. While publishing the policy to production, the content
team can choose to remove or push the risk score, violations, and incidents associated
with the policy in sandbox.

Creating a Policy in Sandbox

To create policies in sandbox, complete the following steps:

1. Navigate to Menu > Analytics > Policy Violations.

2. Select By Sandbox Category from the left pane.

From here, you can delete, copy, or publish the policy in production.

You can perform the following actions:

• Push to production: This icon pushes the policy violations to production.

Before you push the policy violation to production, a pop-up displays. From
here, decide whether to retain or publish the risk score, violations, and incidents
associated with the policy in sandbox to the production environment.

You can create policies in sandbox using the same steps as you use to create the
policy for production.


Creating a Threat Model in Sandbox

To create threat models in sandbox, complete the following steps:

1. Navigate to Menu > Analytics > Policy Violations.

2. Select By Sandbox Category from the left pane. From here, you can delete, copy, or
publish the threat model in production.

You can perform Push to production. This icon pushes the threat models to
production. Before you push a threat model to production, a pop-up displays.
From here, you can decide whether to retain or publish the risk score, violations, and
incidents associated with the threat model in sandbox to the production
environment.

You can create threat models in sandbox using the same steps as you use to create the
threat models for production.

Network Traffic Analyzer

The Securonix Network Traffic Analyzer (NTA) analyzes proxy traffic to detect any
abnormality that can affect network performance or security. It checks proxy logs
against safe domains (commonly visited domains, threat intelligence, and generated
domain rarity scores) based on the organization's baseline proxy traffic behavior,
compares domains to multi-language dictionary words to detect algorithmically
generated domains, and analyzes request URLs.

Securonix NTA can detect the following threats:

• Rare domains
• Rare user agents
• Domain generation algorithm (DGA) domains
• Patterns of malicious or robotic behavior that indicate a sophisticated cyber attack
• Beaconing behavior to possible malicious domains
• Beaconing behavior across all proxy traffic


Configure Threshold
The following table maps the number of days required for baselining to the threshold
value that should be specified in the Traffic Analyzer configuration:

Days   Threshold
0      0.0
1      0.06
2      0.12
3      0.17
4      0.22
5      0.27
6      0.31
7      0.35
8      0.39
9      0.43
10     0.46
11     0.5
12     0.53
13     0.56
14     0.58
15     0.61
16     0.63
17     0.65
18     0.67
19     0.69
20     0.71
21     0.73
22     0.75
25     0.79
26     0.8
27     0.81
28     0.83
29     0.84
30     0.85
31     0.86
32     0.86
33     0.87
34     0.88


Configure the Traffic Analyzer Check

This section describes how to configure the Traffic Analyzer checks.

Rare Domain Visited

This Traffic Analyzer check uses Traffic Analyzer Check: URL Visited by Visitors to
track proxy traffic to domains that are rare compared to the organization's typical
browsing behavior. The rarity of the domain is a direct measure of the number of users
visiting that pay level domain (PLD), and the rarity score is assigned on a scale of 0-1,
with 1 implying the domain is rare.

The following configuration is used for this check. The following table describes the
key configuration parameters:

Field: Parameter

• Select URL Attribute: Destination Hostname refers to the URL of the destination.
• Select Visitor Attribute: Account Name refers to the name of the account visiting
the Destination Hostname.
• Number of Visitors: 20 refers to the number of visitors per destination hostname
for the domain to be considered rare. If the number is exceeded, the domain is no
longer considered rare and is white listed.
• Threshold: 0.85 (30 days) refers to the number of days of baselining before a
violation is flagged. See Configure Threshold for threshold values.
• Filter Domain Visit Pattern and Common Domains: YES excludes white-listed and
common domains from the check.
• Select Domain Attribute: Destination Hostname refers to the URL of the
destination to check against the white list.

Rare User Agent

This Traffic Analyzer check uses Useragent Visited by Visitors to track proxy traffic to
user agents that are rare compared to the organization's typical browsing behavior.

The following configuration is used for this check. The following table describes the
key configuration parameters:

Field: Parameter

• Select User Agent: requestclientapplication refers to the user agent.
• Select Visitor Attribute: requestclientapplication refers to the user agent.
• Number of Visitors: 5 refers to the number of accounts per user agent for the user
agent to be considered rare. If the number is exceeded, the user agent is no longer
considered rare and is white listed.
• Threshold: 0.22 refers to the number of days (4) of baselining before a violation is
flagged. See Configure Threshold for threshold values.

Distinct Number of IP Addresses

This Traffic Analyzer check uses Traffic Analyzer Checks: Grouping by Destination
Host Name to count how many distinct IP addresses are present and mark a
violation if the number is greater than the configured count.

The following configuration is used for this check. The following table describes the
key configuration parameters:

Field: Parameter

• For each instance of: Destination HostName refers to the URL of the destination.
• Track distinct number of occurrences: IP address checks the number of
occurrences of the specified attribute after the specified distinct count.
• Flag when distinct count greater than: 2 refers to the count after which the
specified attribute is considered distinct.
• Flag only after system is trained on historical data: 0.85 (30 days) refers to the
number of days of baselining before a violation is flagged. See Configure Threshold
for threshold values.

Traffic to Algorithmically Generated Domains (DGA)

This Traffic Analyzer check uses Traffic Analyzer Check: Randomly Generated URL
to track traffic to domains that look algorithmically generated.

The following configuration is used for this check. The following table describes the
key configuration parameters:

Field: Parameter

• Select URL Attribute: Destination Hostname refers to the URL of the destination.
• Select Visitor Attribute: Account Name refers to the name of the account visiting
the Destination Hostname.
• Number of Visitors: 20 refers to the number of visitors per destination hostname
for the domain to be considered rare. If the number is exceeded, the domain is no
longer considered rare and is white listed.
• Threshold: 0.85 (30 days) refers to the number of days of baselining before a
violation is flagged. See Configure Threshold for threshold values.
• DGA Score: 3 (Low) refers to the DGA Score computed for the domain. A violation
is flagged when the computed value is greater than the DGA Score. The check is
performed only across the PLD.
• Filter Domain Visit Pattern and Common Domains: YES excludes white-listed and
common domains from the check.
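As an added example (not Securonix code), the following Python sketches the Rare Domain Visited and DGA checks described above: visitors per pay level domain with the 20-visitor white-list cut-off, the common-domain filter, the Threshold maturity gate taken from the Configure Threshold table, and a DGA score compared against the 3 (Low) setting. The PLD split, the 0-1 rarity formula, the DGA heuristic and the dictionary and common-domain lists are assumptions, not the product's implementation.

```python
"""Rare Domain Visited and DGA checks over proxy events (added example, not Securonix code)."""
import math
from collections import defaultdict

# Baseline maturity table from the Configure Threshold section (days -> threshold value).
DAYS_TO_THRESHOLD = {
    0: 0.0, 1: 0.06, 2: 0.12, 3: 0.17, 4: 0.22, 5: 0.27, 6: 0.31, 7: 0.35, 8: 0.39,
    9: 0.43, 10: 0.46, 11: 0.5, 12: 0.53, 13: 0.56, 14: 0.58, 15: 0.61, 16: 0.63,
    17: 0.65, 18: 0.67, 19: 0.69, 20: 0.71, 21: 0.73, 22: 0.75, 25: 0.79, 26: 0.8,
    27: 0.81, 28: 0.83, 29: 0.84, 30: 0.85, 31: 0.86, 32: 0.86, 33: 0.87, 34: 0.88,
}
# Constructed stand-ins (not from the guide) for the multi-language dictionary and
# the common-domain list the guide mentions.
DICTIONARY = {"mile", "daughter", "example", "intranet", "mail", "search", "cloud", "portal"}
COMMON_DOMAINS = {"search-engine.com"}


def pay_level_domain(hostname: str) -> str:
    """Simplified PLD: the last two labels. A production split needs the public suffix list."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def visitors_per_pld(events):
    """events: iterable of (account_name, destination_hostname) -> {pld: set(accounts)}."""
    visitors = defaultdict(set)
    for account, host in events:
        visitors[pay_level_domain(host)].add(account)
    return visitors


def rarity_score(visitor_count: int, number_of_visitors: int = 20) -> float:
    """Assumed 0-1 scale (the guide only says 1 means rare): one visitor scores 1.0 and
    the score falls linearly to 0.0 once the Number of Visitors cut-off is exceeded."""
    return max(0.0, round(1.0 - (visitor_count - 1) / number_of_visitors, 2))


def baseline_ready(days_baselined: int, threshold: float = 0.85) -> bool:
    """Threshold is a maturity gate: the table value for the days baselined so far must
    reach the configured threshold (0.85 corresponds to 30 days) before anything is flagged."""
    known_days = max(d for d in DAYS_TO_THRESHOLD if d <= days_baselined)
    return DAYS_TO_THRESHOLD[known_days] >= threshold


def rare_domains(events, number_of_visitors=20, days_baselined=30, threshold=0.85,
                 filter_common=True):
    """{pld: rarity_score} for the domains the Rare Domain Visited check would flag."""
    if not baseline_ready(days_baselined, threshold):
        return {}
    flagged = {}
    for pld, accounts in visitors_per_pld(events).items():
        if len(accounts) > number_of_visitors:      # cut-off exceeded: white listed
            continue
        if filter_common and pld in COMMON_DOMAINS:  # Filter ... Common Domains = YES
            continue
        flagged[pld] = rarity_score(len(accounts), number_of_visitors)
    return flagged


def shannon_entropy(text: str) -> float:
    probs = [text.count(c) / len(text) for c in set(text)]
    return -sum(p * math.log2(p) for p in probs)


def dga_score(hostname: str) -> int:
    """Assumed 0-5 heuristic over the PLD's left label; the guide only says domains are
    compared against multi-language dictionary words and given a DGA Score."""
    label = "".join(ch for ch in pay_level_domain(hostname).split(".")[0] if ch.isalnum())
    if not label:
        return 0
    digit_flips = sum(1 for a, b in zip(label, label[1:]) if a.isdigit() != b.isdigit())
    return (int(len(label) >= 12)
            + int(digit_flips >= 3)
            + int(shannon_entropy(label) >= 3.0)
            + 2 * int(not any(word in label for word in DICTIONARY)))


def dga_domains(events, dga_threshold=3, **rare_kwargs):
    """PLDs flagged when the DGA Score exceeds dga_threshold (3 = Low in the guide), after
    the same visitor cut-off, common-domain filter and baseline gate as rare_domains."""
    return {pld: dga_score(pld) for pld in rare_domains(events, **rare_kwargs)
            if dga_score(pld) > dga_threshold}


# Constructed sample proxy events: one account reaching three rare .ru domains, 25
# accounts on the intranet portal (white listed) and six on a common search domain.
SAMPLE_EVENTS = (
    [("ozkang01", h) for h in ("s0ibspyxtb7by8.ru", "n46gd0nenr1az.ru",
                               "miledaughter.ru", "www.search-engine.com")]
    + [(f"user{i:02d}", "portal.example-intranet.com") for i in range(25)]
    + [(f"user{i:02d}", "www.search-engine.com") for i in range(5)]
)

if __name__ == "__main__":
    print("rare:", rare_domains(SAMPLE_EVENTS))
    print("dga:", dga_domains(SAMPLE_EVENTS))
```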

Detection of beaconing behavior (to possible malicious domains)

This Traffic Analyzer check uses Traffic Analyzer Check: Beaconing to detect
beaconing traffic behavior between a source and a destination in proxy logs. This
check builds behavior profiles for every combination of source IP and destination
hostname seen in the proxy logs, and alerts if the cluster quality of the behavior is on
the high side, indicating a possible beaconing pattern.

The following configuration is used for this check. When configuring the check from
the UI, add a condition to filter for domains falling under the usual malware
categories.

The following table describes the key configuration parameters:

Field: Parameter

• Select Source Attribute: Account Name refers to the name of the account
requesting or visiting a destination URL.
• Select Destination Attribute: Destination Hostname refers to the URL of the
destination.
• Request URL Attribute: Request URL refers to the URL requested by the source.
• Number of Distinct Destination allowed: 5 refers to the limit on URL variations:
only the destination domains for which the URL variations are less than 5 will be
published as violations.
• Confidence Factor: 60 refers to the cluster quality (a direct measure of the
beaconing behavior) after which the account will be considered for analysis. For
the value 60, only accounts with a cluster confidence factor greater than 60 are
considered for analysis.

Detection of beaconing behavior (All proxy traffic)

This Traffic Analyzer check uses Traffic Analyzer Check: Beaconing to detect
beaconing traffic behavior between a source and a destination in proxy logs. This
check builds behavior profiles for every combination of source IP and destination
hostname seen in the proxy logs, and alerts if the cluster quality of the behavior is on
the higher side, indicating a possible beaconing pattern.

The following configuration is used for this check. The prerequisite for this check is
to run a domain rarity analysis. It also excludes white-listed domains present in Redis
from analysis.

The following table describes the key configuration parameters:

Field: Parameter

• Select Source Attribute: IPAddress refers to the IP Address requesting or visiting a
destination URL.
• Select Destination Attribute: Destination Hostname refers to the URL of the
destination.
• Request URL Attribute: Destination Hostname refers to the URL of the destination
requested by the source IP Address.
• Number of Distinct Destination allowed: 5 refers to the limit on URL variations:
only the destination domains for which the URL variations are less than 5 will be
published as violations.
• Confidence Factor: 0.85 (30 days) refers to the cluster quality (a direct measure of
the beaconing behavior) after which the account will be considered for analysis. For
the value 0.85, only accounts with a cluster confidence factor greater than 0.85 are
considered for analysis.


Example Beaconing Violation

Traffic Analyzer Threat Model: Persistent Malware Communication

Traffic Analyzer checks can be used in threat models to predict, detect, and contain the
sequence of events that could be part of an advanced attack. The Persistent Malware
Communication Threat Model uses Traffic Analyzer checks to analyze static indicators
(URL Anomalies, Domain Anomalies, and User Agent Anomalies) plus dynamic
indicators (Robotic Patterns, Domain Visit Scores, and Persistence Indicators) plus a
combination of Endpoint and Authentication Anomalies to boost the risk score for
these behaviors.


Violation Result

User details:
• EmployeeID: ozkang01
• NetworkID: 10.198.26.281

The following threats were observed (threat: violation behavior, with the domains
involved):

• Domain Presence/Rarity: Only IP in the network seen attempting to communicate
with all domains. Domains: miledaughter.ru, s0ibspyxtb7by8.ru, 3uorg03dxfy.ru,
n46gd0nenr1az.ru, dmud3vysja6me4.ru, cbbze5u2m65vg8.ru.
• DGA: Domains detected to be DGA with successful traffic. Domains:
s0ibspyxtb7by8.ru, 3uorg03dxfy.ru, n46gd0nenr1az.ru, dmud3vysja6me4.ru,
cbbze5u2m65vg8.ru.
• Robotic Communication: Observed about 300 events every 15 minutes (3 days,
steady stream of bytes, unusual time of day compared to past behavior). Domain:
miledaughter.ru.
• Robotic Communication Bytes Analysis: Bytes being transmitted were always
around 2001 bytes or 160 bytes. Domain: miledaughter.ru.
• Suspicious URL Communication: Domains seen to exhibit proxy avoidance by
changing the connection from HTTP to TCP to pass through proxy control.
Domains: n46gd0nenr1az.ru, s0ibspyxtb7by8.ru.
• Suspicious Packet Drop: Domains seen to have a successful TCP packet with a size
greater than the account's general baseline of 5 KB. Domains: dmud3vysja6me4.ru,
s0ibspyxtb7by8.ru.
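As an added example (not Securonix code), the following Python builds a behavior profile per source/destination pair from constructed proxy events and applies the two fields from the beaconing checks above: a cluster quality above the Confidence Factor (60 on a 0-100 scale; the all-proxy-traffic check expresses the same factor as 0.85 on a 0-1 scale) and fewer than 5 URL variations. The cluster quality formula (inter-arrival regularity plus repeated byte sizes, as in the example violation) is an assumption; the product's own formula is not published.

```python
"""Beaconing check over proxy events (added example, not Securonix code)."""
import statistics
from collections import Counter, defaultdict


def cluster_quality(timestamps, byte_counts) -> float:
    """Assumed 0-100 'cluster quality': 60% from how regular the inter-arrival gaps are
    (1 - coefficient of variation) and 40% from how many events fall into the two most
    common 100-byte size buckets. The product's own formula is not published."""
    if len(timestamps) < 4:
        return 0.0                        # too few events to call anything a pattern
    times = sorted(timestamps)
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean_gap = statistics.mean(gaps)
    timing = max(0.0, 1.0 - statistics.pstdev(gaps) / mean_gap) if mean_gap else 0.0
    buckets = Counter(size // 100 for size in byte_counts)
    size_regularity = sum(n for _, n in buckets.most_common(2)) / len(byte_counts)
    return round(100 * (0.6 * timing + 0.4 * size_regularity), 1)


def beaconing_candidates(events, confidence_factor=60, distinct_destination_allowed=5):
    """events: (timestamp_s, source, destination_hostname, request_url, bytes).
    Builds one profile per (source, destination) pair and returns {pair: quality} for
    pairs whose quality exceeds confidence_factor and whose URL variations stay below
    distinct_destination_allowed, mirroring the two fields in the guide's table."""
    profiles = defaultdict(lambda: {"ts": [], "bytes": [], "urls": set()})
    for ts, source, destination, url, size in events:
        profile = profiles[(source, destination)]
        profile["ts"].append(ts)
        profile["bytes"].append(size)
        profile["urls"].add(url)
    published = {}
    for pair, profile in profiles.items():
        if len(profile["urls"]) >= distinct_destination_allowed:
            continue                      # too many URL variations: ordinary browsing
        quality = cluster_quality(profile["ts"], profile["bytes"])
        if quality > confidence_factor:
            published[pair] = quality
    return published


# Constructed sample (timestamps in seconds from the first event, sizes in bytes):
# 10.0.0.5 polls miledaughter.ru every ~15 minutes with 2001/160-byte responses (as in
# the example violation above), 10.0.0.7 browses a news site irregularly, and 10.0.0.9
# checks for updates on a regular timer but hits six distinct URLs.
BEACON_TIMES = [0, 900, 1805, 2700, 3595, 4500, 5400, 6310, 7200, 8100, 9000, 9900]
BROWSE = [(0, 5230), (30, 120), (400, 88000), (410, 410), (1300, 2990), (1350, 15000),
          (3000, 760), (3010, 3300)]
SAMPLE_EVENTS = (
    [(t, "10.0.0.5", "miledaughter.ru", "/api/ping" if i % 2 == 0 else "/api/poll",
      2001 if i % 2 == 0 else 160) for i, t in enumerate(BEACON_TIMES)]
    + [(t, "10.0.0.7", "news.example.com", f"/story/{i}", size)
       for i, (t, size) in enumerate(BROWSE)]
    + [(600 * i, "10.0.0.9", "updates.example.com", f"/pkg/{i}.json", 500) for i in range(6)]
)

if __name__ == "__main__":
    for pair, quality in beaconing_candidates(SAMPLE_EVENTS).items():
        print(f"{pair[0]} -> {pair[1]}: cluster quality {quality}")
```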

Threat Modeler
Threat models are used to predict, detect, and prioritize investigation and response.
Threat models combine policies and threats to detect the related behavior across
multiple data sources that might otherwise go unnoticed. Threat models can also help
you predict what may happen next. For example, if two out of five things have
happened in a threat model (ransomware), it can predict the attack in progress as well
as help you anticipate future actions and suggest remediation steps.

SNYPR provides an isolated sandbox environment for the content team to create and
test policies and threat models without affecting the risk score of entities in the
production environment. You can create your threat models and test them in Sandbox
before pushing them to production. For more information on sandbox, see Sandbox.

Threat Modeling
Threat Models provide a security design that evaluates the possible goals of the
adversary and the vulnerabilities that exist as a result of those goals. Threat modeling
is a process by which potential threats can be identified and prioritized. It typically
involves visual diagramming to map out the various threats, motivations, and attack
paths.


The threat profile consists of the following main areas:

• Identify the threats
• Select the category, create the rule, and include the threats
• Investigate and analyze the threats
• Mitigate the vulnerabilities caused by the threats

6 Stages of an Advanced Cyber Attack

An advanced cyber attack occurs in six stages across email, proxy, and operating
system:

Stage: Definition

• Stage 1: Reconnaissance: The attacker gathers information to find vulnerable
points in the network. This includes threats such as spam email.
• Stage 2: Delivery: The attacker delivers a malicious package to gain access to a
network. This includes threats like communication to a malicious website over
proxy.
• Stage 3: Installation: The attacker finds a vulnerable point of entry into the
network and gains access. This includes threats like an unusual process on a host
in the operating system events.
• Stage 4: Command and Control: The malicious package is sending traffic to a
malicious web server to escalate access. This includes malware beaconing over
proxy.
• Stage 5: Lateral Movement: The attacker escalates access to execute the attack
using admin privileges.
• Stage 6: Data Exfiltration: The attacker moves freely around the network and can
access or remove any sensitive data at will. This is detected through an observed
spike in the number of bytes out over proxy.

Risk Scoring
Threat Models boost the risk score of policies using the following risk scoring
methods:

• Static Risk Scoring: Model Score = Weight. Sets a static score for all users based on
the weight selected. For example, if the weight specified is 10, all users will have a
risk score of 10.
• Exponential Scoring: Model Score = weight^(number of stages). Uses predictive
modeling to calculate a risk score based on the weight to the power of the number
of stages. For example, if the predictive scoring factor specified is 5 and the number
of stages in the threat model is 3, users will have a risk score of 5^3.

While creating stages in the Threat Model, the risk can be calculated for a user if the
user violates any one of the policies. Similarly, the risk can be calculated for the user if
the user violates all the policies.


Create a Threat Model for a Policy

You can create threat models from individual policies by category.

Note: Categories are applied to policies during Step 1: Enter Policy Details.

To create a Threat Model for Policies, complete the following steps:

1. Navigate to Menu > Analytics > Threat Modeler.

2. Click +, and then select Create Threat Model for Policy.

3. Complete the following information in the Threat Model Details section:


a. Threat Model Name: Provide a unique name for the threat model.
Example: Advanced Cyber Threat.
b. (Optional) Threat Model Description: Provide a brief description to indicate
the purpose of the threat model.
c. Threat Model Violator: Select a threat model violator from the dropdown.
Example: Activity Accounts.
d. Criticality: Use the slider to select the criticality. The criticality affects the risk
score for the violator (user). None=0.0, Low=0.2, Medium=0.6, and High=1.0.
e. What actions should be taken when this policy is violated?:


Using HTML, enter the steps to take to remediate this threat. HTML controls
the appearance of the steps that are displayed on the Violation Summary
screen.

Example:
<ol>
<li>Check the initial level privileges</li><br>
<li>Contact ITOps Administrator to get more insight into his
privileges</li><br>
<li><a href="supportticketsite.com">Submit a ticket to investigate
further</a></li>
</ol>

The Remediation Steps will appear on the Violation Summary screen.

f. Do you want to generate incident for threat model violators?: Enable to
generate an incident for threat model violators. When you enable this setting,
the following field displays:

• Select workflow to be used while generating incidents: Select a workflow
from the drop-down list to be used while generating incidents.

g. Risk Scoring: Threat Models boost the risk score of policies using Static Risk
Scoring or Exponential Scoring. Choose one of the following options for the Risk
Scoring section:

Static Risk Scoring

This option sets a static score for all entities. For example, if the Static Score
specified is 10, all entities who violate the threat model will have a risk score of
10.

1. Provide a Static Score for the policy. Threat Model Score = Weight.

Exponential Scoring

This option uses predictive modeling to calculate a risk score based on the
scoring factor to the power of the number of stages. For example, if the scoring
factor specified is 5 and the number of stages in the threat model is 3, users will
have a risk score of 5^3.

1. Use the slider or enter a weight exponent between 1 and 10. Threat Model
Score=(weight^(number of stages)).


h. Category: Select an existing category, or click Create New Policy Category and
complete the following:

a. Category: Enter a name for the new policy category.
b. Do you want to add this category to sandbox?: Enable to add the category
to sandbox.
c. Click Save.

4. Complete the following information in the Stage Details section:


In Stage Details, you add watchlists and define the stages of threats.

You can add Watch Lists in threat models to add flexibility in threat modeling and
eliminate noise from low-risk policy violations. When a watchlist is included in a
threat model, it applies to all stages of the threat model.

a. Add Watchlist Filters: Enable to add a watchlist filter to threat models.
b. Select Policy Categories: Choose an option from the drop-down to filter available
policies.
c. Define Stages: Choose from the following options:

• Add Stage: Click to add stages to group policies together that define a
threat.
• Enter Stage Name: Provide a unique name for the stage.
• Any One/All: Select to specify whether risk increases if the entity violates Any One
of the policies in the stage, or whether it must violate All policies in the stage to
increase the risk score.
For All: Specify if the policies in the stage must be violated in sequential
order.
• Is Mandatory: Select whether the stage must be violated to result in a
threat model violation.

Note: Stages are mandatory by default, but you can toggle this off if you
want the threat model to flag violations even if the policies in the stage
are not violated.

d. Drag and drop policies from Available Policies to add them to each stage.

After you create multiple stages, you can:

• Edit Sequence: Click to rearrange stages by dragging them into the preferred
order.
• Save Sequence: Click to save the new sequence.
• + Add Stage: Click to add stages to the threat model.
• Time Gap: Specify if a subsequent stage requires a time gap in seconds,
minutes, hours, or days.
• Delete Stage: Click to delete an entire stage.
• Delete a Policy: Click X to delete a policy from a stage.
• Collapse/Expand a Stage: Click to collapse or expand a stage.

5. Click Save.

To enable a threat model, navigate to the Enable column on the Threat Modeler
screen and set Enabled? to YES.

Click the trash icon to delete the threat model.


Create a Threat Model for a Threat

You can create a threat model from threat indicators to include all the policies for that
threat indicator in the threat model.

Note: The threat indicator is applied to policies during Step 1: Enter Policy Details.

To create a Threat Model for Threats, complete the following steps:

1. Navigate to Menu > Analytics > Threat Modeler.

2. Click +, and then select Create Threat Model for Threat.

3. Complete the following information:


a. Threat Model Name: Provide a unique name for the threat model.
Example: Advanced Cyber Threat.
b. (Optional) Threat Model Description: Provide a brief description to indicate
the purpose of the threat model.
c. Threat Model Violator: Select a threat model violator from the dropdown.
Example: Activity Accounts.
d. Criticality: Use the slider to select the criticality. The criticality affects the risk
score for the violator (user). None=0.0, Low=0.2, Medium=0.6, and High=1.0.
e. What actions should be taken when this policy is violated?:


Using HTML, enter the steps to take to remediate this threat. HTML controls
the appearance of the steps that are displayed on the Violation Summary
screen.

Example:
<ol>
<li>Check the initial level privileges</li><br>
<li>Contact ITOps Administrator to get more insight into his
privileges</li><br>
<li><a href="supportticketsite.com">Submit a ticket to investigate
further</a></li>
</ol>

The Remediation Steps appear on the Violation Summary screen.

f. Do you want to generate incident for threat model violators?: Enable to
generate incidents for threat model violators.


g. Risk Scoring: Threat Models boost the risk score of policies using Static Risk
Scoring or Exponential Scoring. Choose one of the following options for the Risk
Scoring section:

Static Risk Scoring

This option sets a static score for all entities. For example, if the Static Score
specified is 10, all entities who violate the threat model will have a risk score of
10.

1. Provide a Static Score for the policy. Threat Model Score = Weight.

Exponential Scoring

This option uses predictive modeling to calculate a risk score based on the
scoring factor to the power of the number of stages. For example, if the scoring
factor specified is 5 and the number of stages in the threat model is 3, users will
have a risk score of 5^3.

1. Use the slider or enter a weight exponent between 1 and 10. Threat Model
Score=(weight^(number of stages)).


h. Category: Select an existing category, or click Create New Policy Category and
complete the following:

a. Category: Enter a name for the new policy category.
b. Do you want to add this category to sandbox?: Enable to add the category
to sandbox.
c. Click Save.


4. Complete the following information in the Stage Details section:

In Stage Details, you add watchlists and define the stages of threats.

You can add Watch Lists in threat models to add flexibility in threat modeling and
eliminate noise from low-risk policy violations. When a watchlist is included in a
threat model, it applies to all stages of the threat model.

a. Add Watchlist Filters: Enable to add watchlist filters to the threat model.
b. Select Policy Category: Choose an option from the drop-down to filter available
policies.
c. Define Stages: In this section, you can choose from the following options:

• Add Stage: Click to add stages to group policies together that define a
threat.
• Enter Stage Name: Provide a unique name for the stage.
• Any One/All: Select to specify whether risk increases if the entity violates Any One
of the policies in the stage, or whether it must violate All policies in the stage to
increase the risk score.
For All: Specify if the policies in the stage must be violated in Sequential
Order.
• Is Mandatory: Select whether the stage must be violated to result in a
threat model violation.

Note: Stages are mandatory by default, but you can toggle this off if you
want the threat model to flag violations even if the policies in the stage
are not violated.

d. Drag and drop threats from the Available Threats section into each stage.

After you create multiple stages, you can:

• Edit Sequence: Click to rearrange stages by dragging them into the preferred
order.
• Save Sequence: Click to save the new sequence.
• + Add Stage: Click to add stages to the threat model.
• Time Gap: Specify whether a subsequent stage requires a time gap in
seconds, minutes, hours, or days.
• Delete a Stage: Click to delete an entire stage.
• Delete a Policy: Click X to delete a policy from a stage.
• Collapse/Expand a Stage: Click to collapse or expand a stage.

5. View the threat model from the Threat Modeler main screen.

a. Enabled?: Toggle to Yes to enable the threat model. The default setting is Yes.

6. Click Save.

Click the trash icon to delete the threat model.
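As an added example (not Securonix code), the following Python evaluates a threat model's stages for one entity the way the Stage Details options describe, for both the Create a Threat Model for a Policy and Create a Threat Model for a Threat procedures: Any One/All, Sequential Order, Is Mandatory, Time Gap, and Static or Exponential scoring from the Risk Scoring section. Treating Time Gap as the minimum interval after the previous stage, and the policy and account names, are assumptions.

```python
"""Threat model stage evaluation and risk scoring (added example, not Securonix code)."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Stage:
    name: str
    policies: list                # policy names dragged into the stage
    match: str = "any"            # "any" = Any One, "all" = All
    sequential: bool = False      # for All: policies must fire in the listed order
    mandatory: bool = True        # Is Mandatory (on by default, per the guide)
    time_gap: int = 0             # Time Gap in seconds; assumed here to be the minimum
                                  # interval after the previous stage fired


@dataclass
class ThreatModel:
    name: str
    stages: list
    scoring: str = "exponential"  # "static" or "exponential"
    weight: int = 5               # Static Score, or the weight exponent (1-10)


@dataclass
class Result:
    violated: bool
    stages_hit: list = field(default_factory=list)
    score: int = 0


def risk_score(model: ThreatModel) -> int:
    """Static: Threat Model Score = Weight. Exponential: weight ^ (number of stages)."""
    return model.weight if model.scoring == "static" else model.weight ** len(model.stages)


def stage_hit_time(stage: Stage, violations, not_before: int):
    """violations: [(timestamp_s, policy_name)] for one entity. Returns the time at which
    the stage is satisfied using violations at or after not_before, or None."""
    fired = defaultdict(list)
    for ts, policy in violations:
        if policy in stage.policies and ts >= not_before:
            fired[policy].append(ts)
    if stage.match == "any":
        first = [min(times) for times in fired.values()]
        return min(first) if first else None
    if any(policy not in fired for policy in stage.policies):
        return None                            # All: every policy must have fired
    if not stage.sequential:
        return max(min(times) for times in fired.values())
    last = not_before                          # Sequential Order: each policy after the previous
    for policy in stage.policies:
        later = [t for t in fired[policy] if t >= last]
        if not later:
            return None
        last = min(later)
    return last


def evaluate(model: ThreatModel, violations) -> Result:
    """Walks the stages in sequence; a missed mandatory stage ends the evaluation."""
    hit, previous = [], None
    for stage in model.stages:
        earliest = 0 if previous is None else previous + stage.time_gap
        when = stage_hit_time(stage, violations, earliest)
        if when is None:
            if stage.mandatory:
                return Result(False)
            continue
        hit.append(stage.name)
        previous = when
    return Result(True, hit, risk_score(model)) if hit else Result(False)


# Constructed model mirroring the guide's attack stages; the policy names are made up.
PERSISTENT_MALWARE = ThreatModel("Persistent Malware Communication", [
    Stage("Delivery", ["Communication to malicious website over proxy"]),
    Stage("Command and Control", ["Malware beaconing over proxy", "Traffic to DGA domain"],
          match="all", sequential=True, time_gap=1800),
    Stage("Data Exfiltration", ["Spike in bytes out over proxy"], mandatory=False),
])
# Constructed violations per account: (seconds since start, policy name).
VIOLATIONS = {
    "ozkang01": [(0, "Communication to malicious website over proxy"),
                 (3600, "Malware beaconing over proxy"), (7200, "Traffic to DGA domain")],
    "bob": [(0, "Communication to malicious website over proxy"),    # C2 policies out of order
            (3600, "Traffic to DGA domain"), (7200, "Malware beaconing over proxy")],
    "carol": [(0, "Communication to malicious website over proxy"),  # C2 inside the 1800 s gap
              (600, "Malware beaconing over proxy"), (900, "Traffic to DGA domain")],
}

if __name__ == "__main__":
    for account, events in VIOLATIONS.items():
        print(account, evaluate(PERSISTENT_MALWARE, events))
```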

Content Management
Content Management allows detection engineers to seamlessly deploy content
(policies and parsers) in their environment. The Securonix content team has a content
library where they upload new and modified content to share with customers.
Customers have their own local content repository in the file system located at
"$SECURONIX_HOME/content/data". Content administrators or detection engineers
can efficiently download new and updated content, and deploy it in their SNYPR
application. The following types of content can be deployed using Content
Management:

• Parsers
• Data Dictionary
• Lookup Tables
• Policy
• Third Party Intelligence
• Active List
• Workflow
• Threat Models

Content Management has the following features:

l Content Update: Allows you to download and deploy content from the Securonix
content library to the local repository. The Securonix content library stores new
content and updates to the existing content.
l Commit Content: Allows you to version control your content by committing it to
the Custom content library. The Custom content library is unique for each
customer, and stores content created and modified by a customer.

The following illustration depicts the content workflow:

Prerequisites
The following prerequisites are required to access Content Management:

Note: If these prerequisites are not configured, you cannot access Content
Management.


1. The Securonix content library access details must be configured at Menu > Admin
> Settings > Content Library.

Note: For more information, refer to the Content Library section of the
Administration guide.

2. A user account with the ROLE_CONTENT_ADMIN role. When ROLE_CONTENT_ADMIN is
not assigned to the user, the Content Management option is not available.

3. A user account with the ROLE_COMMIT_CONTENT role to commit content from
Content Management.

Deploy Content
When you download content using Content Management, the local content folder is
updated. If any new content is available, it is displayed in the content category. You
have to deploy the content before you can use it in SNYPR.

You can download and deploy the content from the Securonix content library using
Menu > Admin > Content Management. The Content Update screen is displayed.

The Content Update screen provides the following:

1. Existing Content: Displays the current content version deployed in SNYPR.
2. Check for Updates: Allows you to check for and download the updated content.
3. Category: Lists content categories that you can download and deploy from Content
Management. The number indicates the total number of updates (updated content and
new content).
4. Update Content: Lists if any updates are available for existing content.
5. New Content: Lists if any new content is available for deployment.
6. Available Content: Lists the content available for deployment. It also provides
information such as current version of the content and the available version of the
content.
7. Update Log: Displays the information of the last update.


Downloading Content
To download the content from the Securonix content library, perform the following:

1. Navigate to Menu > Admin > Content Management. The Content Management
screen is displayed.

2. Click Check for Updates. If any updated or new content is available, the Category
displays the total number of updates and new content.

Deploying Content
You can deploy content when it is downloaded. The Content Update screen displays a
list of updated and new content available at the Securonix content library.

Parser

The Content Update screen for Parsers displays a list of updated and new parsers
available at the Securonix content library. It lists the parser details such as name,
resource group for the parser, tenant name, resource type, vendor, functionality,
ownership, the current version of the parsers deployed at production, and the new
version available at the Securonix content library. You have an option to deploy all
updates or choose a specific parser and resource group for deployment.


When you add or edit parsers from the Activity Import screen, the SNYPR application
decides whether the parser is saved as an existing parser or as a new parser. The
scenarios are explained under Parser Management Best Practices below.

Note: For action filters with the same name, the system checks whether the filter is
enabled or disabled in the Custom content library and ensures that the status does not
change after the parser deployment. For example, if a customer has disabled an
enrichment, the enrichment remains disabled after the parser deployment.

To deploy parsers:
1. Navigate to Menu > Admin > Content Management. The Content Management
screen is displayed.

2. Click Check for Updates. If any updated or new content is available, the Category
displays the total number of updates and new content.

3. Select the updates that you want to deploy. You can select all updates or only
specific ones.

Click a version number to view its release notes.

4. Click Deploy Selected Content to deploy the selected parser.


5. Click New Content to deploy new content.


6. Select content and click Deploy Selected Content.

Parser Management Best Practices


When you add or edit parsers from the Activity Import screen, the SNYPR application
decides whether the parser is saved as an existing parser or as a new parser. The
following list explains a few scenarios:

l If a line filter is modified (i.e., enabled, disabled, updated, added, or removed), save
the parser as a new parser.
l If any action filter is enabled or disabled in the original parser provided by
Securonix, change the existing parser.
l If any action filter is updated or removed in the original parser provided by
Securonix, save the parser as a new parser.
l If a new action filter is added to the original parser provided by Securonix, save the
parser as a new parser if the action filter has any of the following:
l Event Severity
l Event Category
l New Derived Attribute

l If a new action filter is added to the original parser provided by Securonix, change
the existing parser if the action filter has any of the following:
l Enable Drop events toggle
l Enrich from TPI
l Persona Builder
l Populate Activelist
l Geolocate Attributes
l Enrich from Watchlist
l Enrich from Lookuptable
l Enrich from Assetmetadata

l Perform IP Address Attribution
l Drop Events
l Time Zone Converter

Data Dictionary

The Content Update screen for Data Dictionary displays a list of updated and new
data dictionary available at the Securonix content library. It lists data dictionary name,
the current version, and the new version.

When you update Data Dictionary content, only entries with ownership as
SecuronixCreated and SecuronixChanged are updated. Any entry with the
ownership as ClientChanged is client defined and will not be modified using the
Content Management feature.

1. Navigate to Menu > Admin > Content Management. The Content Management
screen is displayed.

2. Click Check for Updates. If any updated or new content is available, the Category
displays the total number of updates and new content.

3. Select the updates that you want to deploy. You can select all updates or only
specific ones.

4. Click Deploy Selected Content to deploy the selected data dictionary.


5. Click New Content to deploy new content.
6. Select content and click Deploy Selected Content.

Lookup

The Content Update screen for Lookup displays a list of lookup tables that are new or
updated. It lists the lookup table name, the current version of the lookup table
deployed at production, and the new version downloaded from the Securonix content
library.

1. Navigate to Menu > Admin > Content Management. The Content Management
screen is displayed.

2. Click Check for Updates. If any updated or new content is available, the Category
displays the total number of updates and new content.

3. Select the updates that you want to deploy. You can select all updates or only
specific ones.

4. Click Deploy to deploy the selected lookup table.


5. Click New Content to deploy new content.
6. Select a new lookup table and click Deploy.

TPI

The Content Update screen for TPI displays a list of TPIs that are new or updated. It
lists the TPI name, the current version of the TPI deployed at production, and the new
version downloaded from the Securonix content library.


1. Navigate to Menu > Admin > Content Management. The Content Management
screen is displayed.

2. Click Check for Updates. If any updated or new content is available, the Category
displays the total number of updates and new content.

3. Select the updates that you want to deploy. You can select all updates or only
specific ones.

4. Click Deploy to deploy the selected TPI.


5. Click New Content to deploy new TPI.
6. Select a new TPI and click Deploy.


Active List

The Content Update screen for Active List displays a list of active lists that are new or
updated. It lists the active list name, the current version of the active list deployed at
production, and the new version downloaded from the Securonix content library.

1. Navigate to Menu > Admin > Content Management. The Content Management
screen is displayed.

2. Click Check for Updates. If any updated or new content is available, the Category
displays the total number of updates and new content.

3. Select the updates that you want to deploy. You can select all updates or only
specific ones.

4. Click Deploy to deploy the selected Active List.


5. Click New Content to deploy new Active List.
6. Select a new Active List and click Deploy.

Workflow

The Content Update screen for Workflow displays a list of workflow names that are
new or updated. It lists the workflow name, the current version of the workflow
deployed at production, and the new version downloaded from the Securonix content
library.

1. Navigate to Menu > Admin > Content Management. The Content Management
screen is displayed.

2. Click Check for Updates. If any updated or new content is available, the Category
displays the total number of updates and new content.

3. Select the updates that you want to deploy. You can select all updates or only
specific ones.

4. Click Deploy to deploy the selected workflow.


5. Click New Content to deploy new workflow.
6. Select a new workflow and click Deploy.

Policy

The Content Update screen for Policies displays a list of functionalities whose policies
are updated or added. It lists the functionality, policy name, policy's signature, policy
status, ownership, current version of the policy deployed at production and the new
version downloaded from the Securonix content library.

There are three types of policies available in the production environment:


l Securonix Policies: Policies that are created by Securonix.
l Securonix Policies Modified by Customer: Policies that are created by Securonix
and customized by the customer.
l Customer Policies: Policies that are created by the customer.

When you deploy a policy, you are either adding a new policy, updating the existing
Securonix policy, or updating the existing Securonix policy modified by the customer.
When you update the Securonix policy that is modified by the customer, one of the
following can occur:
l The policy is updated if the customer has only made minor changes to the policy
such as updates to behavior feature attributes.

l The customer policy is not updated and a new policy is created with the same name
in the disabled state. This occurs when the customer has made major changes to
the policy, such as the following updates:

l Attribute: Adding a feature attribute for behavior based use cases or updating an
existing one.
l Check Type: Changing the type of check selected for a behavior based technique,
for example, changing the daily time period to the hourly time period.
l Name: Changing the behavior name.
l Minimum Threshold: Enabling or disabling the flag that considers an incident as a
violation only when the aggregate count exceeds the specified minimum threshold
value.
l Tier-2 Checks: Adding any tier-2 checks such as lookup, TPI, and watchlist.
l Filter Criteria: Adding or updating a filter criteria.
l Risk Boosters: Enabling risk boosters or modifying the configuration of an existing
risk booster.
l Risk Score:
l Changing the risk scoring technique.
l Enabling or disabling the flag that tracks whether to save violations and
calculate a risk score for the policy.
l Enabling or disabling the flag that tracks whether to escalate a use case as a
threat.

1. Navigate to Menu > Admin > Content Management. The Content Management
screen is displayed.

2. Click Check for Updates. If any updated or new content is available, the Category
displays the total number of updates and new content.

Click a version number to view its release notes.

3. Select the updates that you want to deploy. You can select all updates or only
specific ones.

4. Click Deploy to deploy selected policies. The Deploy Policies As Sandbox window
is displayed.


Note: When you deploy policies with multiple functionalities together, the policies
cannot be deployed in the Sandbox category. To deploy policies in Sandbox, you
have to deploy the policies for each functionality separately.

5. Click Deploy.
6. Click New Content to deploy new policy.
7. Select a new policy and click Deploy.

Threat Model

The Content Update screen for Threat Model displays a list of threat models that
are new or updated. It lists the threat model name, violator type, the current
version of the threat model deployed at production, and the new version downloaded
from the Securonix content library.

1. Navigate to Menu > Admin > Content Management. The Content Management
screen is displayed.

2. Click Check for Updates. If any updated or new content is available, the Category
displays the total number of updates and new content.

3. Select the updates that you want to deploy. You can select all updates or only
specific ones.

4. Click Deploy to deploy the selected threat model.


5. Click New Content to deploy new threat model.
6. Select a new threat model and click Deploy.


Commit Content
When you commit your content, all information required for the selected policies and
parsers is committed. However, you can decide whether to commit any supporting
information. The supporting information for policies is tier-2 checks and workflows;
for parsers it is the data dictionary.

Note: Only users with the ROLE_COMMIT_CONTENT role can commit content from
Content Management.


Committing Policy
To commit policies to the Securonix content library, perform the following:

1. Navigate to Menu > Admin > Content Management. The Content Management
screen is displayed.

2. Click Commit Content. The Commit Content section is displayed.


3. Select a functionality to commit policies in the Select Functionality drop-down list.
4. Select policies that you want to commit.

5. Select Export & Commit. The Commit Policy screen displays the list of files that
will be committed and an option to select supporting content.


6. Enter the commit message and select any supporting content that you want to
commit.

7. Click Commit. The policy is committed. Similarly, you can commit parsers.

Note: You can also commit policy updates from Menu > Analytics > Policy
Violations.


Appendix A: Conditions
Conditions contain a set of rules. The rules decide which data will be marked as a
violation. Conditions are configured for policies during Step 2: Provide Conditions.

To configure Conditions, complete the following steps:

1. Click Add Group for each condition group you would like to add.

2. Click +, then select an option from the drop-down list. The following options are
available:


Add Rule

Complete the following information in the pop-up window:

a. Select Event Attribute: Select an attribute from the drop-down. Event
Attributes are organized by object.

Example: Object: EVENT-EMAIL | Event Attribute: Email Recipient Domain.

There is an additional option labeled Use Operator Expression. This option
enables you to configure the operator. See "Operators" below for more
information.

b. Select Condition: Select from the dropdown. Example: Equal To.


c. Value: Provide a value to match to the source criteria.

There are three additional options to choose from, including:

l Select Event Attribute: Use to select an attribute from the drop-down.


l Use Operator Expression: Configures the operator.

l Check Against Named List: Select an option to check against the selected
event attribute.


Add Nested Group

Click + > Add Nested Group to add rules within each group.

Remove Group

This option deletes a Group, along with all the rules within the Group.

Operators
You can use operators in place of attributes or values.

To use an operator in place of an attribute or value, complete the following steps:

1. Click Use Operator Expression.

2. Click Show Available Operators to select an operator.

3. Select an operator from the Available Operators list. The following operators are
available:


l DAY_OF_MONTH: The day of the month.
l DAY_OF_WEEK: The day of the week.
l STRING_DAY_OF_WEEK: The day of the week as a string.
l MONTH_OF_YEAR: The month of the year.
l YEAR_OF_TIME: The year.
l SUM: Sum.
l MUL: Multiply.
l DIV: Divide.
l SUB: Subtract.
l BETWEEN: Range.
l DATEDIFF: Date difference.
l GREATEST: Greatest.
l SMALLEST: Smallest.
l DSUM: Dsum.
l LCASE: Lowercase.
l UCASE: Uppercase.
l SPLIT: Split.
l CONCAT: Concat.
l MOA: Member Of Array (MOA).
l SUBSTRING: Substring.
l REGEX: Regex.
l WEB_EXTRACTOR: Web extractor.
l WHITELIST_FILTER: Passes only the domains that are not present in the whitelisted
domains.
l SKIP_INVALID_URL: Skips invalid URLs.
l CIDR_RANGE: Checks if the IP address is within the CIDR ranges.
l IPADDRESS_RANGE: Checks if the IP address is within the start and end range.
l WHITELIST_IP_FILTER: Passes only the IP addresses that are not present in the
whitelisted IP address file.

4. Click Epoch Time Long 1 for the operator you selected in the previous step.

5. Do the following, depending on the tab you select:


a. Value: Provide a value for the operator.
b. Attribute: Select an attribute from the drop-down list.
c. Operator: Click to add a nested operator. The selection here specifies the
value of the nested operator.
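The IP and date operators above are the ones a detection engineer most often has to reason about exactly (is a range inclusive, does a whitelist pass or drop the match). The following added example, which is not SNYPR code, implements CIDR_RANGE, IPADDRESS_RANGE, WHITELIST_IP_FILTER, DATEDIFF and STRING_DAY_OF_WEEK in Python using only the guide's one-line descriptions; the exact semantics (inclusive range bounds, an allow list that may mix single addresses and CIDR blocks, DATEDIFF in whole days, UTC for the day of week) and all sample values are assumptions.

```python
"""Illustration of several Available Operators from the list above: CIDR_RANGE,
IPADDRESS_RANGE, WHITELIST_IP_FILTER, DATEDIFF and STRING_DAY_OF_WEEK.

Added example, not SNYPR code: the operator names come from the guide, the
semantics are one reading of its one-line descriptions (inclusive IP ranges,
an allow list that may mix single addresses and CIDR blocks, DATEDIFF in
whole days, UTC for the day of week), and the sample values are constructed.
"""
from __future__ import annotations

import ipaddress
from datetime import datetime, timezone
from typing import List


def cidr_range(ip: str, cidrs: List[str]) -> bool:
    """CIDR_RANGE: true when ip falls inside any of the CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def ipaddress_range(ip: str, start: str, end: str) -> bool:
    """IPADDRESS_RANGE: true when start <= ip <= end (inclusive, same IP version)."""
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_address(start) <= addr <= ipaddress.ip_address(end)


def whitelist_ip_filter(ips: List[str], allowed: List[str]) -> List[str]:
    """WHITELIST_IP_FILTER: pass through only addresses NOT on the allow list.

    Entries of `allowed` may be single addresses or CIDR blocks (assumption).
    """
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    return [ip for ip in ips
            if not any(ipaddress.ip_address(ip) in n for n in nets)]


def datediff_days(later: str, earlier: str) -> int:
    """DATEDIFF: whole days from `earlier` to `later` (ISO-8601 with Z suffix)."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    a = datetime.strptime(later, fmt).replace(tzinfo=timezone.utc)
    b = datetime.strptime(earlier, fmt).replace(tzinfo=timezone.utc)
    return (a - b).days


def string_day_of_week(epoch_seconds: int) -> str:
    """STRING_DAY_OF_WEEK on an epoch-seconds value, evaluated in UTC."""
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).strftime("%A")


if __name__ == "__main__":
    # Constructed sample values; 203.0.113.0/24 is documentation address space.
    print(cidr_range("10.1.2.3", ["10.0.0.0/8", "192.168.0.0/16"]))
    print(ipaddress_range("192.168.1.50", "192.168.1.1", "192.168.1.100"))
    print(whitelist_ip_filter(["10.0.0.5", "8.8.8.8", "203.0.113.9"],
                              ["10.0.0.0/8", "8.8.8.8"]))
    print(datediff_days("2024-03-10T00:00:00Z", "2024-03-01T12:00:00Z"))
    print(string_day_of_week(0))
```

The point to take from `whitelist_ip_filter` is the direction of the filter: addresses on the list are dropped and everything else passes, so a whitelist that is too narrow produces more output for the policy to evaluate, not less.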


Appendix B: Policy Examples


This page provides examples of policies that you can configure in SNYPR.

Behavior-Based and Rule-Based Policies


Select Create Policy to create real time policies that flag single or multiple events that
result in a violation, and behavior-based policies that perform frequency and rarity
checks to detect behavior-based or peer-based outliers.

Behavior-based Activity Outlier Policy

This behavior-based policy detects when a user uploads an abnormally high volume of
data compared to their normal behavior. Behavior-based policies build a baseline for
the volume of bytes out by transaction on web proxy for the account.

The following example configures the Abnormal amount of data uploads to external
storage sites policy.

1. Navigate to Menu > Analytics > Policy Violations.


2. Click +.
3. Select Create Policy.
4. Complete the following information:


a. Policy Name: Abnormal amount of data uploads to external storage sites.


b. Description: A spike in the amount of data uploaded to public sites may be
indicative of malicious insider/cyber exfiltration activity. Technique Used:
Behavior Anomaly for Data Upload Activity.
c. Select Violation Entity: Activity Account.
d. Functionality: Web Proxy.

5. Complete the following information:


a. Category: Data Exfiltration.

b. Threat Indicator: Data egress via network uploads


a. Category: Exfiltration Stage.

b. What actions should be taken when this policy is violated?:

Some possible further analysis/triage steps to consider:

1. Ensure the upload activity was not blocked by the perimeter devices.
2. Review the destinationhost/destination address to see if the domain is
an approved domain to which data can be uploaded to.
3. Leverage network DLP or network products to additionally review the
files that were uploaded to the site to detect if the user egressed con-
fidential data.

Some possible remediation steps after further analysis/triage:

1. If the destination is an unauthorized/unapproved destination, modify the
firewall/proxy configurations to block traffic to these destinations/categories
of websites.
2. Reach out to the user's manager to ensure the activity performed by the user
is justified by the user's roles and responsibilities.

6. Click Save & Next.

7. Select Spike in Volume/Amount.

8. Click bytesout [Bytes_Sent] and transactionstring1 [Transaction].


9. Provide Behavior Name: Total bytes transmitted to external site

10. Choose Time Window: Daily.

11. Select Number of occurrences of selected features is unusually higher than
behavior baseline for: Self.

12. Choose the Analytical Technique to run from the dropdown: Abnormally higher
Amount than User's Daily Behavior.
13. Set Flag as Violations when Rarity crosses Sigma Threshold Value to 0.85 (High
Deviation).

14. Complete the following steps to add filter conditions for volume of uploads:

15. Click + to select Add Rule under Filter Conditions.

16. Use drop-downs to create the following rules:


l Attribute: Device Action | Condition: Does Not Contain | Value: block

l Attribute: Device Action | Condition: Does Not Contain | Value: den

17. Click + Add Group to add a new rule group.

18. Use drop-downs to create the following rules:

l Attribute: requestmethod | Condition: Equal to | Value: POST

l Attribute: requestmethod | Condition: Equal to | Value: CONNECT

l Attribute: requestmethod | Condition: Equal to | Value: PUT

19. Click + Add Group to add a new rule group.

20. Use drop-downs to create the following rules:


l Attribute: Device Event Category | Condition: Contains | Value: web host

l Attribute: Device Event Category | Condition: Contains | Value: content

l Attribute: Device Event Category | Condition: Contains | Value: uncategorized

l Attribute: Device Event Category | Condition: Contains | Value: Free Hosting

l Attribute: Device Event Category | Condition: Contains | Value: Blogs/Wiki

l Attribute: Device Event Category | Condition: Contains | Value: Unknown

l Attribute: devicecustomstring3 | Condition: Contains | Value: web host

l Attribute: devicecustomstring3 | Condition: Contains | Value: content


l Attribute: devicecustomstring3 | Condition: Contains | Value: uncategorized

l Attribute: devicecustomstring3 | Condition: Contains | Value: Free Hosting

l Attribute: devicecustomstring3 | Condition: Contains | Value: Blogs/Wiki

l Attribute: devicecustomstring3 | Condition: Contains | Value: Unknown

l Attribute: CustomNumber 1 | Condition: Equal To | Value: 153.0

l Attribute: CustomNumber 1 | Condition: Equal To | Value: 204.0


l Attribute: Device Event Category | Condition: Contains | Value: pvpn

l Attribute: Device Event Category | Condition: Contains | Value: whst

l Attribute: Device Event Category | Condition: Contains | Value: -

l Attribute: devicecustomstring3 | Condition: Contains | Value: pvpn

l Attribute: devicecustomstring3 | Condition: Contains | Value: whst

l Attribute: devicecustomstring3 | Condition: Contains | Value: -

21. Click + Add Group to add a new rule group.

22. Use drop-downs to create the following rules:


l Attribute: bytesout | Condition: Greater Than| Value: 100000

23. Click Save & Next.

Note: The following values represent default values and are fully customizable
to suit the needs of your organization.

24. Toggle to YES for Do you want to save violations and calculate risk scores for
this policy?.


25. Select Risk Scoring Technique: Static Risk Score.


26. Select Criticality: Low.
27. Set Do you want to escalate this policy as a Threat? to NO.
28. Click Save & Next.

29. Complete the following information to appear on the Violation Summary screen:

User: ${accountname!"ACCOUNTNAME"} uploaded ${bytesout$SUM!"UNKNOWN"} to
${destinationhostname!"UNKNOWN"}


a. Grouping Attribute: EVENT CATEGORY


b. Metadata Attributes: METHOD
c. Level 2 Attribute: Destination Hostname
d. Level 2 Metadata Attributes: DEVICE ACTION
e. Level 2 Metadata Attributes: REQUESTURL
f. Level 2 Metadata Attributes: BYTESSENT

30. Click Save.


31. View or search for violations on Spotter:
a. Navigate to Menu > Security Center > Spotter or click F2.
b. (Optional) Click the policy name from Available Violations or the datasource
from Available Datasources to view events.
c. (Optional) Search Spotter using the following syntax: policyname="[poli-
cyname]".

32. View violations on the Security Command Center.


a. Navigate to Menu > Security Center > Security Command Center.


b. Find violation on Top Violations widget.
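The Violation Summary text entered in step 29 uses `${attribute!"default"}` placeholders, with a `$SUM` suffix on bytesout. The following added example, not SNYPR code, renders that template over constructed events; it assumes the syntax means "substitute the event attribute, or the quoted literal when the attribute is absent", and that `$SUM` is the sum of the attribute over the events grouped into one violation. The rule-based policy later in this appendix uses the same placeholder syntax in its summary, so the same renderer applies there.

```python
"""Render the Violation Summary template from step 29 with the
${attribute!"default"} fallback syntax the guide uses.

Added example, not SNYPR code. Assumptions: a placeholder resolves to the
event attribute, or to the quoted literal when the attribute is missing or
empty; a $SUM suffix names the sum of that attribute over all events behind
the violation; plain attributes are read from the first grouped event. The
events below are constructed.
"""
import re
from typing import Dict, List

# ${name!"default"} or ${name$AGG!"default"}
PLACEHOLDER = re.compile(r'\$\{([A-Za-z0-9_]+)(\$[A-Za-z]+)?!"([^"]*)"\}')

# Template exactly as entered in step 29 of the behavior-based policy.
SUMMARY = ('User: ${accountname!"ACCOUNTNAME"} uploaded '
           '${bytesout$SUM!"UNKNOWN"} to ${destinationhostname!"UNKNOWN"}')


def render_summary(template: str, events: List[Dict]) -> str:
    """Fill every placeholder in `template` from the grouped `events`."""
    first = events[0] if events else {}

    def substitute(match: "re.Match") -> str:
        attr, aggregate, default = match.group(1), match.group(2), match.group(3)
        if aggregate == "$SUM":
            values = [e[attr] for e in events if e.get(attr) is not None]
            return str(sum(values)) if values else default
        if aggregate:
            raise ValueError(f"unsupported aggregate {aggregate}")
        value = first.get(attr)
        return default if value in (None, "") else str(value)

    return PLACEHOLDER.sub(substitute, template)


# Constructed events for one violation: two uploads by the same account.
SAMPLE_VIOLATION = [
    {"accountname": "jdoe", "bytesout": 900000, "destinationhostname": "files.example"},
    {"accountname": "jdoe", "bytesout": 950000, "destinationhostname": "files.example"},
]

if __name__ == "__main__":
    print(render_summary(SUMMARY, SAMPLE_VIOLATION))
    print(render_summary(SUMMARY, [{"accountname": "jdoe"}]))   # defaults kick in
```

Keeping the defaults explicit matters for triage: a summary reading "uploaded UNKNOWN to UNKNOWN" tells the analyst the parser did not populate bytesout or destinationhostname for that datasource, which is a parsing gap to fix rather than a benign event.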

Rule-Based Policy

This rule-based policy checks proxy traffic to detect uploads to sites categorized as
personal sites that could indicate malicious insider or cyber data exfiltration.

Uploads to personal websites


1. Navigate to Menu > Analytics > Policy Violations.
2. Click +.
3. Select Create Policy.
4. Complete the following information:


a. Policy Name: Uploads to personal websites.


b. Description: Uploads to personal sites may be indicative of malicious
insider/cyber exfiltration activity. Technique Used: Entity attribution.
c. Select Violation Entity: Activity Account.
d. Functionality: Web Proxy.

5. Complete the following information:

a. Category: Data Exfiltration.

b. Threat Indicator: Data egress via network uploads


a. Category: Exfiltration Stage.

b. What actions should be taken when this policy is violated?:

Some possible further analysis/triage steps to consider:

1. Ensure the upload activity was not blocked by the perimeter devices.
2. Review the destinationhost/destination address to see if the domain is
an approved domain to which data can be uploaded to.
3. Leverage network DLP or network products to additionally review the
files that were uploaded to the site to detect if the user egressed con-
fidential data.

Some possible remediation steps after further analysis/triage:

1. If the destination is an unauthorized/unapproved destination, modify the
firewall/proxy configurations to block traffic to these destinations/categories
of websites.
2. Reach out to the user's manager to ensure the activity performed by the user
is justified by the user's roles and responsibilities.

6. Click Save & Next.

7. Select Individual Account Analytics.

8. Complete the following steps to add filter conditions for volume of uploads:

9. Click + to select Add Rule under Filter Conditions.

10. Use drop-downs to create the following rules:


l Attribute: Device Action | Condition: Does Not Contain | Value: block

l Attribute: Device Action | Condition: Does Not Contain | Value: den

11. Click + Add Group to add a new rule group.

12. Use drop-downs to create the following rules:

l Attribute: requestmethod | Condition: Equal to | Value: POST

l Attribute: requestmethod | Condition: Equal to | Value: CONNECT

l Attribute: requestmethod | Condition: Equal to | Value: PUT

13. Click + Add Group to add a new rule group.

14. Use drop-downs to create the following rules:


l Attribute: Device Event Category | Condition: Contains | Value: Private Websites

l Attribute: Device Event Category | Condition: Contains | Value: personal

l Attribute: Device Event Category | Condition: Contains | Value: unknown

l Attribute: devicecustomstring3 | Condition: Contains | Value: Private Websites

l Attribute: devicecustomstring3 | Condition: Contains | Value: personal

l Attribute: devicecustomstring3 | Condition: Contains | Value: unknown

l Attribute: CustomNumber1 | Condition: Equal To | Value: 153.0

l Attribute: CustomNumber1 | Condition: Equal To | Value: 113.0


l Attribute: CustomNumber1 | Condition: Equal To | Value: 204.0

l Attribute: Device Event Category | Condition: Contains | Value: pers

l Attribute: Device Event Category | Condition: Contains | Value: uncategorized

l Attribute: Device Event Category | Condition: Contains | Value: none

l Attribute: Device Event Category | Condition: Equal To: | Value: -

l Attribute: devicecustomstring3 | Condition: Contains | Value: pers


l Attribute: devicecustomstring3 | Condition: Contains | Value: uncategorized

l Attribute: devicecustomstring3 | Condition: Contains | Value: none

l Attribute: devicecustomstring3 | Condition: Equal To: | Value: -

l Attribute: Device Event Category | Condition: Contains | Value: IW_pers

15. Select the Additional Event Analytic: Email Sent to Self.

16. Provide the following information:


l Field for Email Recipient: Destination Hostname.


l Match Threshold: 0.6.

17. Click Save & Next.

Note: The following values represent default values and are fully customizable
to suit the needs of your organization.

18. Toggle to YES for Do you want to save violations and calculate risk scores for
this policy?.

19. Select Risk Scoring Technique: Aggregated Risk Score.


20. Select Criticality: None.
21. Set Do you want to escalate this policy as a Threat? to NO.


22. Click Save & Next.

23. Complete the following information to appear on the Violation Summary screen:

Account ${accountname!"ACCOUNTNAME"} uploaded data to:
${destinationhostname!"UNKNOWN"}

a. Grouping Attribute: EVENT CATEGORY


b. Metadata Attributes: METHOD
c. Level 2 Attribute: Destination Hostname
d. Level 2 Metadata Attributes: DEVICE ACTION
e. Level 2 Metadata Attributes: REQUESTURL
f. Level 2 Metadata Attributes: BYTESSENT

24. Click Save.


25. View or search for violations on Spotter:


a. Navigate to Menu > Security Center > Spotter or click F2.


b. (Optional) Click the policy name from Available Violations or the datasource
from Available Datasources to view events.
c. (Optional) Search Spotter using the following syntax: policyname="[poli-
cyname]".

26. View violations on the Security Command Center.


a. Navigate to Menu > Security Center > Security Command Center.
b. Find violation on Top Violations widget.
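Both proxy policies in this appendix select events with the same kind of filter-condition rule groups (allowed device action, upload request method, site category) and then differ in the analytic: the behavior-based policy compares the account's daily upload volume to its own baseline, the rule-based policy flags every matching event. The following added example, which is not SNYPR code, runs both over constructed proxy events. It copies only the rules needed by the sample data, and it assumes that rules inside a group combine with the group's own AND/OR combinator, that groups combine with AND, that "Contains" is a case-insensitive substring test, and that the baseline check is a plain z-score against the account's earlier daily totals; the guide's Sigma Threshold scale is product specific and is not reproduced.

```python
"""Filter-condition evaluation for the two proxy policies above, plus the
daily-volume baseline check of the behavior-based one.

Added example, not SNYPR code. Assumptions: per-group AND/OR combinator,
groups AND-ed together, case-insensitive "Contains", z-score baseline with
constructed threshold values. Events and attribute values are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Rule = Tuple[str, str, str]       # (attribute, condition, value)
Group = Tuple[str, List[Rule]]    # (combinator "AND" | "OR", rules)


def rule_matches(event: Dict, rule: Rule) -> bool:
    attr, cond, value = rule
    actual, value = str(event.get(attr, "")).lower(), value.lower()
    if cond == "Contains":
        return value in actual
    if cond == "Does Not Contain":
        return value not in actual
    if cond == "Equal To":
        return actual == value
    if cond == "Greater Than":
        return float(actual or 0) > float(value)
    raise ValueError(f"unsupported condition {cond!r}")


def event_matches(event: Dict, groups: List[Group]) -> bool:
    """Groups are AND-ed; inside a group the combinator decides (assumption)."""
    for combinator, rules in groups:
        hits = [rule_matches(event, r) for r in rules]
        if not (all(hits) if combinator == "AND" else any(hits)):
            return False
    return True


EXTERNAL_STORAGE_GROUPS: List[Group] = [   # behavior-based policy, abbreviated
    ("AND", [("deviceaction", "Does Not Contain", "block"),
             ("deviceaction", "Does Not Contain", "den")]),
    ("OR", [("requestmethod", "Equal To", "POST"),
            ("requestmethod", "Equal To", "CONNECT"),
            ("requestmethod", "Equal To", "PUT")]),
    ("OR", [("deviceeventcategory", "Contains", "web host"),
            ("deviceeventcategory", "Contains", "Free Hosting"),
            ("deviceeventcategory", "Contains", "uncategorized"),
            ("devicecustomstring3", "Contains", "web host"),
            ("customnumber1", "Equal To", "153.0")]),
    ("OR", [("bytesout", "Greater Than", "100000")]),
]

PERSONAL_SITE_GROUPS: List[Group] = [      # rule-based policy, abbreviated
    EXTERNAL_STORAGE_GROUPS[0],
    EXTERNAL_STORAGE_GROUPS[1],
    ("OR", [("deviceeventcategory", "Contains", "Private Websites"),
            ("deviceeventcategory", "Contains", "personal"),
            ("devicecustomstring3", "Contains", "pers"),
            ("customnumber1", "Equal To", "113.0")]),
]


def _event(day, account, method, category, bytesout, action="allowed"):
    """Constructed proxy event using the attribute names from the policies."""
    return {"eventtime": day, "accountname": account, "requestmethod": method,
            "deviceeventcategory": category, "devicecustomstring3": "",
            "customnumber1": 0.0, "bytesout": bytesout, "deviceaction": action}


SAMPLE_EVENTS = [
    # jdoe: five ordinary days of uploads to hosting sites, then a spike
    *[_event(f"2024-03-0{d}", "jdoe", "POST", "Web Hosting", 150_000)
      for d in range(1, 6)],
    _event("2024-03-06", "jdoe", "PUT", "Free Hosting", 900_000),
    _event("2024-03-06", "jdoe", "PUT", "Free Hosting", 950_000),
    _event("2024-03-06", "jdoe", "POST", "Web Hosting", 5_000_000, "blocked"),
    _event("2024-03-06", "jdoe", "GET", "Web Hosting", 2_000_000),
    # asmith: one small upload to a personal site
    _event("2024-03-06", "asmith", "POST", "Personal Sites", 4_000),
]


def rule_based_violations(events: List[Dict]) -> List[Dict]:
    """Rule-based policy: every event matching the filter is a violation."""
    return [e for e in events if event_matches(e, PERSONAL_SITE_GROUPS)]


def behavior_violations(events, z_threshold=3.0, min_history=3):
    """Behavior-based policy: sum bytesout per account per day and flag a day
    that exceeds mean + z_threshold * stdev of the account's earlier days.
    z_threshold, min_history and the 1-byte stdev floor are constructed."""
    totals = defaultdict(lambda: defaultdict(float))
    for e in events:
        if event_matches(e, EXTERNAL_STORAGE_GROUPS):
            totals[e["accountname"]][e["eventtime"]] += float(e["bytesout"])
    flagged = []
    for account, days in totals.items():
        ordered = sorted(days)
        for i, day in enumerate(ordered):
            history = [days[d] for d in ordered[:i]]
            if len(history) < min_history:
                continue
            limit = mean(history) + z_threshold * max(pstdev(history), 1.0)
            if days[day] > limit:
                flagged.append((account, day, days[day]))
    return flagged


if __name__ == "__main__":
    print(behavior_violations(SAMPLE_EVENTS))
    print([e["accountname"] for e in rule_based_violations(SAMPLE_EVENTS)])
```

Note how the blocked upload and the GET request are excluded by the first two groups before any volume is summed: a policy that omitted the device-action group would count uploads the proxy already stopped, inflating both the baseline and the spike.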

Directive-based Policy

This directive-based policy detects multiple unsuccessful login attempts followed by a
successful login on an Identity/Access Management datasource.

Brute Force Activity Detected


1. Navigate to Menu > Analytics > Policy Violations.
2. Click +.
3. Select Create Policy.
4. Complete the following information:


a. Policy Name: Brute Force Activity Detected


b. Description: This policy detects multiple failed login attempts followed by a
successful login. This activity indicates a successful brute force attack.
c. Select Violation Entity: Activity Account.
d. Functionality: Identity/Access Management. Example: Active Directory.

5. Complete the following information in the Additional Details section:


a. Owner: None selected.
b. Remediator: None selected.

6. Complete the following information in the Define Risk and Threat section:

a. Category: Account Misuse.


b. Threat Indicator: Possible Brute Force Attack.


c. Click Edit Killchain Stage and Response Actions to add Remediation Steps or
Playbooks for this policy.

7. Click Save & Next.

8. Select Aggregated Event Analytics.

9. Click + to select Add Rule under Filter Conditions.

10. Use drop-downs to create the following rules:

Attribute: message | Condition: Contains | Value: Sign-in Failed

OR

Attribute: message | Condition: Contains | Value: Sign-in Successful


11. Click + Add under Directive.

12. Configure the following parent directive for unsuccessful logins:

a. Name: Unsuccessful Logins


b. Filter for Events Matching Criteria?: YES.
c. Attribute: message | Condition: Contains | Value: Sign-in Failed


d. Filter for Amount matching criteria?: NO.


e. Having similar: Account Name.
f. Number of Occurrences: At least 25.
g. Within Duration: 01:00:00
h. Should events happen consecutively?: NO.
i. Distinct?: NO.

13. Click Save.

14. Click + Child.

15. Configure the child directive for successful login as follows:


a. Name: Sign-in Successful


b. Filter for Events Matching Criteria?: YES.
c. Attribute: message | Condition: Contains | Value: Sign-in Successful
d. Filter for Amount matching criteria?: NO.


e. Having similar: Account Name.


f. Number of Occurrences: At least 1.
g. Within Duration: 01:00:00
h. Should events happen consecutively?: NO.
i. Maximum duration between parent and child: 0
j. Distinct?: NO.

16. Click Save.

17. Click Save & Next.

Note: The following values represent default values and are fully customizable
to suit the needs of your organization.

18. Toggle to YES for Do you want to save violations and calculate risk scores for
this policy?.


19. Select Risk Scoring Technique: Static Risk Score.


20. Select Criticality: Low.
21. Set Do you want to escalate this policy as a Threat? to NO.
22. Click Save & Next.

23. Complete the following information to appear on the Violation Summary screen:

Account ${accountname!"ACCOUNTNAME"} performed ${transactionstring1$COUNT!"UNKNOWN"} failed logon attempts


a. Grouping Attribute: SOURCEIP


b. Metadata Attributes: USERNAME
c. Level 2 Attribute: DestinationIP
d. Level 2 Metadata Attributes: ACTION
e. Level 2 Metadata Attributes: DEVICEADDRESS

24. Click Save.


25. View or search for violations on Spotter:
a. Navigate to Menu > Security Center > Spotter or click F2.
b. (Optional) Click the policy name from Available Violations or the datasource
from Available Datasources to view events.
c. (Optional) Search Spotter using the following syntax: policyname="[policyname]".

26. View violations on the Security Command Center.


a. Navigate to Menu > Security Center > Security Command Center.
b. Find violation on Top Violations widget.
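
The parent/child directive configured in steps 11 through 16 reduces to a per-account count of failed sign-ins inside a sliding one-hour window, followed by a successful sign-in for the same account. The following Python script is an added example, not part of this guide or of SNYPR: it runs that logic over constructed sample events so the thresholds can be checked offline before the policy is saved. Assumptions: each event carries a timestamp, an account name and a message containing the policy's filter strings; "Maximum duration between parent and child: 0" is read as no limit (max_gap_seconds=None).

```python
# Added example (not SNYPR code): the Brute Force Activity Detected directive as
# plain Python, run over constructed sample events.
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED = "Sign-in Failed"        # parent directive filter value
SUCCESS = "Sign-in Successful"   # child directive filter value


def find_brute_force(events, min_failures=25, window_seconds=3600, max_gap_seconds=None):
    """Return [(accountname, failures_in_window, success_time), ...].

    Parent: at least `min_failures` FAILED events for the same account within
    `window_seconds` (events need not be consecutive or distinct).
    Child:  at least one SUCCESS for that account after the parent fired; if
    `max_gap_seconds` is set, the success must follow the last failure within
    that many seconds. Assumption: the guide's "Maximum duration between parent
    and child: 0" means no limit, i.e. max_gap_seconds=None.
    """
    window = timedelta(seconds=window_seconds)
    by_account = defaultdict(list)
    for ts, account, message in sorted(events):
        by_account[account].append((ts, message))

    hits = []
    for account, rows in by_account.items():
        recent = deque()        # failure timestamps inside the current window
        armed = False           # parent directive satisfied, waiting for child
        last_failure = None
        for ts, message in rows:
            if FAILED in message:
                recent.append(ts)
                while ts - recent[0] > window:   # drop failures older than the window
                    recent.popleft()
                last_failure = ts
                if len(recent) >= min_failures:
                    armed = True
            elif SUCCESS in message and armed:
                gap = (ts - last_failure).total_seconds()
                if max_gap_seconds is None or gap <= max_gap_seconds:
                    hits.append((account, len(recent), ts))
                armed = False       # one violation per burst
                recent.clear()
    return hits


def constructed_events():
    """Constructed sample events, not real logs: (timestamp, accountname, message)."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    rows = []
    # jdoe: 25 failures one minute apart, then a success -> violation
    rows += [(base + timedelta(minutes=i), "jdoe", FAILED) for i in range(25)]
    rows.append((base + timedelta(minutes=30), "jdoe", SUCCESS))
    # asmith: 10 failures then a success -> below the 25 threshold
    rows += [(base + timedelta(hours=2, minutes=i), "asmith", FAILED) for i in range(10)]
    rows.append((base + timedelta(hours=2, minutes=15), "asmith", SUCCESS))
    # bkim: 30 failures six minutes apart (3 h) -> never 25 inside one hour
    rows += [(base + timedelta(minutes=6 * i), "bkim", FAILED) for i in range(30)]
    rows.append((base + timedelta(hours=3, minutes=5), "bkim", SUCCESS))
    return rows


SAMPLE_EVENTS = constructed_events()

if __name__ == "__main__":
    for account, count, when in find_brute_force(SAMPLE_EVENTS):
        print(f"Account {account} performed {count} failed logon attempts, then signed in at {when}")
```

Only jdoe is reported: asmith never reaches 25 failures, and bkim's 30 failures are spread over three hours so no one-hour window ever holds 25 of them. Lowering min_failures, or raising the window, changes which accounts fire, which is the tuning trade-off the "Number of Occurrences" and "Within Duration" fields expose.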

Rule-based Policy

This rule-based policy uses geolocation data and advanced analytics to compute land
speed to flag an activity account that performs multiple successful login attempts from
different geographic locations within unusual or impossible periods of time. This
indicates account misuse.

Landspeed Violation

Prerequisites

Before enabling this policy, you must complete the following:

1. Import Geolocation data from MaxMind. For more information about importing
from MaxMind, see Import Geolocation.

2. Enable Geolocate_Attributes for the datasource during activity import Step
3: Provide Conditions. For more information about using action filters, see

To configure the policy, complete the following steps:

1. Navigate to Menu > Analytics > Policy Violations:

2. Click +.

3. Select Create Policy.

Enter Policy Details

Define Policy

1. Complete the following information:

a. Policy Name: Land Speed Violation.


b. Description: This policy flags accounts that violate land speed by logging in to
different IP addresses within an unusual period of time.
c. Select Violation Entity: Activity Account.
d. Do you want to run the policy on a: Select the Datasource or the Functionality
and use dropdown to select the datasource the policy should run on.
Example: Identity Access Management.
e. Owner: Click search icon to select an owner for the policy: None selected.
f. Remediator: Click search icon to select a remediator for the policy: None selected.

Define Risk and Threat

2. Complete the following information:


a. Category: Account Misuse.


b. Threat Indicator: Landspeed Violation - Use of account from multiple geolocations.
c. Click Edit Killchain Stage and Response Actions to add Remediation Steps or
Playbooks for this policy.

3. Click Save & Next.

Provide Conditions
What do you want to detect?

4. Select Land Speed Detection.

Filter Conditions

5. Click +.
6. Click Add Rule.

7. Use drop-downs to create the following rule:

a. Attribute: Transactionstring1 | Condition: Contains | Value: default SSLVPN LOGIN.

Land Speed Detection

8. Configure the following:

a. Flag as Violation if: Max_Speed.
b. Greater than Value (Miles): 60.0. This is the computed land speed between
consecutive logins, in miles per hour.
c. Having similar: Account Name.

9. Click Save & Next.

Note: The following values represent default values and are fully customizable
to suit the needs of your organization.

10. Toggle to YES for Do you want to save violations and calculate risk scores for
this policy?.


11. Select Risk Scoring Technique: Static Risk Score.


12. Select Criticality: Low.
13. Set Do you want to escalate this policy as a Threat? to NO.
14. Click Save & Next.

Choose Action for Violation Results


15. Complete the following information to appear on the Violation Summary screen:

Account ${accountname!"ACCOUNTNAME"} performed ${transactionstring1!"ACTIVITY"} from ipaddress ${ipaddress!"UNKNOWN"}


a. Grouping Attribute: Source.
b. Metadata Attributes: None.
c. Level 2 Attribute: Destination.
d. Level 2 Metadata Attributes: None.

16. Click Save.


17. View or search for violations on Spotter:
a. Navigate to Menu > Security Center > Spotter or click F2.
b. (Optional) Click the policy name from Available Violations or the datasource
from Available Datasources to view events.
c. (Optional) Search Spotter using the following syntax: policyname="[policyname]".

18. View violations on the Security Command Center.


a. Navigate to Menu > Security Center > Security Command Center.
b. Find violation on Top Violations widget.
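
The Land Speed Detection check above compares consecutive successful logins of one account and flags the account when the implied travel speed between their geolocations exceeds the configured value. The following Python script is an added example, not part of this guide or of SNYPR: it applies great-circle (haversine) distance to constructed login events that already carry the latitude and longitude the Geolocate_Attributes prerequisite would attach. Assumptions: events are (timestamp, accountname, ipaddress, latitude, longitude) for successful logins only, the threshold is in miles per hour, and hops shorter than min_distance_miles are ignored to absorb GeoIP placing a whole metro area at a single point.

```python
# Added example (not SNYPR code): the land-speed computation behind the
# Land Speed Violation policy, run over constructed login events.
import math
from collections import defaultdict
from datetime import datetime, timedelta

EARTH_RADIUS_MILES = 3958.8


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


def land_speed_violations(events, max_speed_mph=60.0, min_distance_miles=25.0):
    """events: (timestamp, accountname, ipaddress, latitude, longitude) for
    successful logins (the filter condition has already been applied).
    Groups by account name ("Having similar: Account Name"), walks consecutive
    logins in time order and returns [(account, max_speed_mph, from_ip, to_ip)]
    for accounts whose fastest hop exceeds max_speed_mph.

    Assumption (not from the guide): hops shorter than min_distance_miles are
    ignored, because GeoIP places a metro area at one point and two ISPs in
    the same city would otherwise look like instant travel.
    """
    by_account = defaultdict(list)
    for ts, account, ip, lat, lon in events:
        by_account[account].append((ts, ip, lat, lon))

    violations = []
    for account, logins in by_account.items():
        logins.sort()
        worst = (0.0, None, None)
        for (t1, ip1, la1, lo1), (t2, ip2, la2, lo2) in zip(logins, logins[1:]):
            if ip1 == ip2:
                continue                       # same source address, no travel implied
            miles = haversine_miles(la1, lo1, la2, lo2)
            if miles < min_distance_miles:
                continue
            hours = (t2 - t1).total_seconds() / 3600.0
            speed = math.inf if hours == 0 else miles / hours   # same-second logins far apart
            if speed > worst[0]:
                worst = (speed, ip1, ip2)
        if worst[0] > max_speed_mph:
            violations.append((account, worst[0], worst[1], worst[2]))
    return violations


def constructed_logins():
    """Constructed sample (not real data): successful SSL VPN logins with the
    geolocation the Geolocate_Attributes step would have attached."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    ny = (40.7128, -74.0060)
    london = (51.5074, -0.1278)
    philly = (39.9526, -75.1652)
    return [
        (base, "jdoe", "198.51.100.10", *ny),
        (base + timedelta(hours=2), "jdoe", "203.0.113.7", *london),       # ~3,460 mi in 2 h
        (base, "asmith", "198.51.100.20", *ny),
        (base + timedelta(hours=2), "asmith", "198.51.100.99", *philly),   # ~80 mi in 2 h
        (base, "bkim", "198.51.100.30", *ny),
        (base + timedelta(minutes=1), "bkim", "192.0.2.30", *ny),          # new IP, same city
    ]


SAMPLE_LOGINS = constructed_logins()

if __name__ == "__main__":
    for account, mph, src, dst in land_speed_violations(SAMPLE_LOGINS):
        print(f"Account {account} moved {src} -> {dst} at {mph:.0f} mph")
```

jdoe is flagged (roughly 1,700 mph), asmith is not (about 40 mph, under the 60 mph value), and bkim's change of source address inside the same city is ignored by the minimum-distance guard. Corporate VPN and cloud proxy egress points are the usual source of false positives for this policy, so the filter condition on the login transaction string matters as much as the speed threshold.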


Traffic Analyzer Rarity Policy

This traffic analyzer policy detects when an account visits a domain that has not been
visited by other members of the organization. This indicates a possible malicious
domain.

Rare domain visited by account


1. Navigate to Menu > Analytics > Policy Violations.
2. Click +.
3. Select Create Policy.
4. Complete the following information:


a. Policy Name: Rare domain visited by account.


b. Description: Web traffic to a rare domain identifies low ranked domains in
terms of the enterprise's traffic which would indicate a possible unseen
malicious domain being detected. Technique Used: Behavior anomaly for typical
domains visited.
c. Violation Entity: Activity Account.
d. Functionality: Web Proxy.

5. Complete the following information in the Define Risk and Threat section:

a. Category: Malware.
b. Threat Indicator: Suspicious web request.
c. Click Edit Killchain Stage and Response Actions and complete the following:

l Category (Killchain Stage): Execute Stage.
l What actions should be taken when this policy is violated?:

Some possible further analysis/triage steps to consider:

1. Look to see if there was a spike in web traffic to domains that are rare
across the organization.
2. If the domains are not authorized or allowed domains, leverage endpoint
IDS/IPS logs to see if there are any alerts reported at the user's endpoint.
3. Look for other anomalies on process/service execution on the user's endpoint
for any malicious presence.
4. Check for the data or the amount of data exchanged to these sites to
ensure the user did not leverage these domains to exfiltrate sensitive
data.

Some possible remediation steps after further analysis/triage:

1. If the destination is an unauthorized/unapproved destination, modify the
firewall/proxy configurations to block traffic to these
destinations/categories of websites.
2. If there are additional endpoint process anomalies or IDS/IPS alerts,
ensure that the endpoint has been re-imaged or that the IDS/IPS systems
have taken the necessary corrective actions.

l Playbooks: Select appropriate playbooks available in your environment.
Examples: VirusTotal ScanIP+VirusTotal ScanURL+VirusTotal ScanDomain.

6. Click Save & Next to proceed to Provide Conditions.


7. Select Traffic Analyzer.

8. Complete the following steps to add filter conditions:

9. Click + to select Add Rule under Filter Conditions.

10. Use drop-downs to create the following rules:

l Attribute: Destination HostName | Condition: Is Not Null
l Attribute: Destination HostName | Condition: Equal To | Value: WHITELIST_FILTER(EEO.destinationhostname

11. Select the Traffic Analyzer check: URL Visited by Visitors.

12. Provide the following details: 


l URL Attribute: DestinationHostName
l Visit Attribute: Account Name
l Number of Visitors: 10
l Threshold: High 0.85

13. Toggle to YES for Filter Domain Visit Pattern and Common Domains.
14. Select Domain Attribute: Destination Hostname.

15. Click Save & Next.

Note: The following values represent default values and are fully customizable
to suit the needs of your organization.

16. Toggle to YES for Do you want to save violations and calculate risk scores for
this policy?.

17. Select Risk Scoring Technique: Aggregated Risk Score.


18. Select Criticality: Low.
19. Set Do you want to escalate this policy as a Threat? to NO.


20. Click Save & Next.

21. Complete the following information to appear on the Violation Summary screen:

Account ${accountname!"ACCOUNTNAME"} visited rare domain ${destinationhostname!"UNKNOWN"}

a. Grouping Attribute: EVENT CATEGORY


b. Metadata Attributes: METHOD
c. Level 2 Attribute: Destination Hostname
d. Level 2 Metadata Attributes: DEVICE ACTION
e. Level 2 Metadata Attributes: REQUESTURL

22. View or search for violations on Spotter:


a. Navigate to Menu > Security Center > Spotter or click F2.

b. (Optional) Click the policy name from Available Violations or the datasource
from Available Datasources to view events.

c. (Optional) Search Spotter using the following syntax: policyname="[policyname]".

23. View violations on the Security Command Center.


a. Navigate to Menu > Security Center > Security Command Center.
b. Find violation on Top Violations widget.
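
The URL Visited by Visitors check in steps 10 through 14 counts, per destination hostname, how many distinct accounts visited it and treats hostnames below the Number of Visitors value as rare, after the null and allow-list filter conditions have removed known-good traffic. The following Python script is an added example, not part of this guide or of SNYPR, that reproduces that logic over constructed proxy events. Assumptions: events are (accountname, destinationhostname) pairs; a plain Python set stands in for WHITELIST_FILTER; the Threshold score (High 0.85) is not modelled because the page does not define how it is computed; and the optional collapse to a registrable domain uses the last two labels only, with no public-suffix list.

```python
# Added example (not SNYPR code): the distinct-visitor rarity check behind the
# "Rare domain visited by account" policy, over constructed proxy events.
from collections import defaultdict

ALLOWLIST = {"intranet.corp.example", "news.example.org"}   # stands in for WHITELIST_FILTER


def normalize_host(host):
    """Lower-case and strip a trailing dot so 'CDN.Example.COM.' and
    'cdn.example.com' count as the same domain."""
    return host.strip().lower().rstrip(".")


def registrable_domain(host):
    """Collapse to the last two labels. Naive by design: no public-suffix list,
    so names like corp.co.uk are handled wrongly (an assumption of this example)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def rare_domain_visits(events, allowlist=ALLOWLIST, min_visitors=10, collapse=False):
    """events: (accountname, destinationhostname). Returns sorted
    [(account, domain, distinct_visitors)] for every visit to a domain seen by
    fewer than `min_visitors` distinct accounts in the window.
    The Threshold 0.85 score from the guide is not modelled here."""
    visitors = defaultdict(set)   # domain -> set of accounts that visited it
    visits = set()                # (account, domain) pairs actually observed
    for account, host in events:
        if not host:
            continue                      # Destination HostName Is Not Null
        domain = normalize_host(host)
        if collapse:
            domain = registrable_domain(domain)
        if domain in allowlist:
            continue                      # allow-listed traffic is never rare
        visitors[domain].add(account)
        visits.add((account, domain))
    return sorted((a, d, len(visitors[d])) for a, d in visits if len(visitors[d]) < min_visitors)


# Constructed sample events, not real proxy logs.
SAMPLE_EVENTS = (
    [(f"user{i:02d}", "news.example.org") for i in range(11)]            # allow-listed
    + [(f"user{i:02d}", "Intranet.Corp.Example.") for i in range(12)]    # allow-listed after normalisation
    + [(f"user{i:02d}", "cdn.vendor.example") for i in range(15)]        # popular: 15 visitors
    + [("jdoe", "x7k2.badhost.example"), ("jdoe", "X7K2.badhost.example")]  # one visitor, two hits
    + [("asmith", "update.vendor.example"), ("bkim", "update.vendor.example")]  # two visitors
    + [("jdoe", None)]                                                    # dropped by Is Not Null
)

if __name__ == "__main__":
    for account, domain, count in rare_domain_visits(SAMPLE_EVENTS):
        print(f"Account {account} visited rare domain {domain} ({count} visitor(s) org-wide)")
```

With the page's value of 10 visitors, jdoe's hostname (one visitor) and the vendor update host (two visitors) are rare; the CDN host with fifteen visitors is not. Running with collapse=True folds update.vendor.example into the popular vendor.example and only jdoe's domain remains, which shows why the choice between full hostname and registrable domain changes the alert volume: per-user or per-session subdomains of a legitimate service look rare by hostname but common by domain.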

Identity/Access Policies
Select Create Identity Policy to create policies using a built-in template. Templates
store the underlying joins to facilitate the execution of a policy.

Access Policy

This Identity/Access Policy detects users belonging to privileged groups in Active
Directory. This policy is applied to access accounts.

Accounts with Privileged Access on Active Directory


Use the following steps to create this policy:

1. Navigate to Menu > Analytics > Policy Violations.


2. Click +.
3. Select Create Identity Policy.
4. Complete the following information:


a. Policy Name: Accounts with Privileged Access on Active Directory.


b. Description: Users belonging to privileged groups in Active Directory.
c. Risk Scoring Technique: Aggregated Risk Score.
d. Criticality: Low.
e. Daily Capped Risk Score (Optional): 2

Note: This value will differ based on your environment and can be fully
customized.

f. Select Violation Entity: Access Account.


g. Datasource: Active Directory.

5. Complete the following information:


a. Owner: None.
b. Remediator: None.
c. Stop when violations are greater than: 10,000.

6. Complete the following:


a. Category:

l Account Misuse
l Rogue Access Privileges

b. Threat Indicator: Possible escalation of privileges
c. Click Edit Killchain Stage and Response Actions and complete the following:

l Category (Killchain Stage): Recon Stage.
l What actions should be taken when this policy is violated?:

Further analysis/triage steps:

1. Determine if the account has other authentication anomalies
2. Determine if there are any process anomalies on the endpoint

Some possible remediation steps after further analysis/prioritization/triage:

1. List privileges for the account to check if privileges need to be revoked
2. Disable account if account is not created with the appropriate change
control or if account is a locally created account

l Playbooks: Select appropriate playbooks available in your environment.
Examples: AD BlockUser+AD UnBlockUser

7. Click Save & Next to proceed to Select Policy Template.


8. Select the following template: Accounts with defined Access Privileges on
Resource.

9. Click Save & Next to proceed to Provide Conditions.


10. Click + New Group.

11. Enable attribute functions: No.

12. Enable value functions: No.

13. Use dropdown to add the following rules:

a. Object: ResourceAccessMetadata | Attribute: Attribute | Condition: Equal To | Value: MemberOf

14. Click Add New Group to add a group with the following rules:

a. Object: Access Values | Attribute: Access Level 1 | Condition: Contains | Value: CN=Account Operators
b. Object: Access Values | Attribute: Access Level 1 | Condition: Contains | Value: CN=Administrators
c. Object: Access Values | Attribute: Access Level 1 | Condition: Contains | Value: CN=Domain Admins
d. Object: Access Values | Attribute: Access Level 1 | Condition: Contains | Value: CN=Backup Operators
e. Object: Access Values | Attribute: Access Level 1 | Condition: Contains | Value: CN=Distributed COM Users
f. Object: Access Values | Attribute: Access Level 1 | Condition: Contains | Value: CN=Cert Publishers
g. Object: Access Values | Attribute: Access Level 1 | Condition: Contains | Value: CN=DnsAdmins
h. Object: Access Values | Attribute: Access Level 1 | Condition: Contains | Value: CN=Group Policy Creator Owners
i. Object: Access Values | Attribute: Access Level 1 | Condition: Contains | Value: CN=DHCP Administrators
j. Object: Access Values | Attribute: Access Level 1 | Condition: Contains | Value: CN=Incoming Forest Trust Builders
k. Object: Access Values | Attribute: Access Level 1 | Condition: Contains | Value: CN=Network Configuration Operators
l. Object: Access Values | Attribute: Access Level 1 | Condition: Contains | Value: CN=Print Operators
m. Object: Access Values | Attribute: Access Level 1 | Condition: Contains | Value: CN=Schema Admins
n. Object: Access Values | Attribute: Access Level 1 | Condition: Contains | Value: CN=Server Operators
o. Object: Access Values | Attribute: Access Level 1 | Condition: Contains | Value: CN=WinRMRemoteWMIUsers

15. Click Preview to view the HQL query.

16. Click Save & Next to proceed to Choose Action for Violation Results.

17. Complete the following information:


a. Send notification: No.


b. Add Policy Violators to Watchlist?: Privileged Accounts.
c. Confidence Factor: 1.
d. Rule to remove Violators from Watchlist: YES.
l Remove Violators from Watchlist: Reduce Confidence Factor.
l Decay Factor: 1.0.

18. Click Save.


19. Find violations in the Security Command Center.


20. View and manage users in Watch list:


a. Navigate to Menu > Views > Users.
b. Click the Privileged Accounts watch list name in the left navigation panel.
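
The rules in step 14 match the memberOf values of each account with a substring condition, Contains "CN=<group>". That is quick to configure but "CN=Administrators" also matches a custom group such as "CN=Administrators Helpdesk", so the watch list can fill with accounts that hold no built-in privilege. The following Python script is an added example, not part of this guide or of SNYPR: it parses the first RDN of each memberOf distinguished name and compares the CN exactly against the same list of privileged groups, and shows the substring form beside it for contrast. Assumptions: the account data is a constructed dictionary of account name to memberOf values, the group list is the one in step 14, and memberOf is taken as reported by the directory (direct membership only).

```python
# Added example (not SNYPR code): matching memberOf values against the
# privileged-group list from the policy, with exact RDN comparison instead of
# substring "Contains", over constructed account data.
import re

PRIVILEGED_GROUPS = frozenset({
    "Account Operators", "Administrators", "Domain Admins", "Backup Operators",
    "Distributed COM Users", "Cert Publishers", "DnsAdmins",
    "Group Policy Creator Owners", "DHCP Administrators",
    "Incoming Forest Trust Builders", "Network Configuration Operators",
    "Print Operators", "Schema Admins", "Server Operators", "WinRMRemoteWMIUsers",
})

_UNESCAPED_COMMA = re.compile(r"(?<!\\),")   # RDN separator; ignores "\," inside a value


def first_rdn_value(dn):
    """Return the value of the first RDN of an LDAP DN, e.g.
    'CN=Domain Admins,CN=Users,DC=corp,DC=example' -> 'Domain Admins'.
    Returns None when the first RDN is not a CN. Unescapes backslash escapes."""
    first = _UNESCAPED_COMMA.split(dn, maxsplit=1)[0]
    attr, _, value = first.partition("=")
    if attr.strip().upper() != "CN":
        return None
    return re.sub(r"\\(.)", r"\1", value.strip())


def privileged_memberships(accounts, privileged=PRIVILEGED_GROUPS):
    """accounts: {accountname: [memberOf DN, ...]}.
    Returns {accountname: sorted privileged group names} for accounts holding
    at least one, comparing the CN exactly (case-insensitively, as AD does)."""
    wanted = {g.lower(): g for g in privileged}
    out = {}
    for account, dns in accounts.items():
        cns = [first_rdn_value(dn) for dn in dns]
        hits = {wanted[cn.lower()] for cn in cns if cn and cn.lower() in wanted}
        if hits:
            out[account] = sorted(hits)
    return out


def substring_memberships(accounts, privileged=PRIVILEGED_GROUPS):
    """The policy as written: Access Level 1 Contains 'CN=<group>'. Shown for
    comparison; 'CN=Administrators' also matches 'CN=Administrators Helpdesk'."""
    out = {}
    for account, dns in accounts.items():
        hits = {g for g in privileged for dn in dns if f"CN={g}" in dn}
        if hits:
            out[account] = sorted(hits)
    return out


SAMPLE_ACCOUNTS = {   # constructed, not exported from a real directory
    "jdoe": ["CN=Domain Admins,CN=Users,DC=corp,DC=example",
             "CN=Schema Admins,CN=Users,DC=corp,DC=example",
             "CN=VPN Users,OU=Groups,DC=corp,DC=example"],
    "svc_backup": ["CN=Backup Operators,CN=Builtin,DC=corp,DC=example"],
    "tsmith": ["CN=Administrators Helpdesk,OU=Groups,DC=corp,DC=example"],
    "rlee": ["CN=Sales\\, EMEA,OU=Groups,DC=corp,DC=example"],
}

if __name__ == "__main__":
    print("exact:    ", privileged_memberships(SAMPLE_ACCOUNTS))
    print("substring:", substring_memberships(SAMPLE_ACCOUNTS))
```

The exact comparison reports jdoe and svc_backup only; the substring form additionally puts tsmith on the watch list because of the "Administrators Helpdesk" group. Two caveats apply to either form: memberOf lists direct membership only, so an account that reaches Domain Admins through a nested group is missed unless the import expands membership recursively, and the primary group (normally Domain Users) is not present in memberOf at all.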

Identity Policy

This Identity Policy flags employees/users with upcoming terminations within the next
30 days. This policy is applied to user data.

Employees with Upcoming Terminations within 30 Days


Use the following steps to create this policy:

1. Navigate to Menu > Analytics > Policy Violations.


2. Click +.

3. Select Create Identity Policy.


a. Policy Name: Employees with upcoming termination within 30 days.


b. Description: Detect employees with termination date within the next 30 days.

c. Risk Scoring Technique: Aggregated Risk Score.

d. Criticality: Low.

e. Daily Capped Risk Score (Optional): 2

Note: This value will differ based on your environment and can be fully
customized.

f. Select Violation Entity: Users.


g. Datasource: None.

4. Complete the following information in the Additional Details section:


a. Would you like to Aggregate Risk Score on Each Run?: Yes.


b. Owner: None.
c. Remediator: None.
d. Stop when violations are greater than: 10,000.

5. Complete the following in the Define Risk and Threat section:

a. Category: Alert + Account Misuse
b. Threat Indicator: Identity-Upcoming Termination.
c. Click Edit Killchain Stage and Response Actions and set Category (Killchain Stage): Recon Stage.

6. Click Save & Next to proceed to Select Policy Template.

7. Select template for User: Enables policies based on USER attributes.


8. Click Save & Next to Provide Conditions.

9. Click + New Group.


10. Enable value functions: Yes.

11. Enable attribute functions: No.

12. Use dropdown to add the following rules:

a. Object: User | Attribute: Employee Type | Condition: Equal To | Value: FT


b. Object: User | Attribute: Termination Date | Condition: Greater Than | Value:
$CURRENT_DATE
c. Object: User | Attribute: Termination Date | Condition: Less Than | Value:
$CURRENT_DATE | Function on Value: Date_Add: Interval Period: 30 Day.

13. Click Preview to view the HQL query.

14. Click Save & Next to proceed to Choose Action for Violation Results.

15. Complete the following information:


a. Send notification: No.


b. Add Policy Violators to Watchlist?: Employees-Upcoming Terminations.
c. Rule to remove Violators from Watchlist: Yes.
l Remove Violators from Watchlist: Specify Number of Days.
l Number of Days: 30.

16. Click Save.


17. View or search for violations on Spotter:
a. Navigate to Menu > Security Center > Spotter.

b. (Optional) Click the policy name from Available Violations or the datasource
from Available Datasources to view events.

c. (Optional) Search Spotter using the following syntax: policyname="[policyname]".

18. Navigate to Menu > Security Center > Security Command Center to view policy
violations.

Note: Policies will only appear in the Security Command Center if violations
exist for those policies.
