6.4 Security Analyst Guide For Multi-Tenant
Security Analyst Guide for Multi-Tenant
This material constitutes proprietary and trade secret information of Securonix, and shall not be disclosed to any third
party, nor used by the recipient except under the terms and conditions prescribed by Securonix.
The trademarks, service marks, and logos of Securonix and others used herein are the property of Securonix or their
respective owners.
This material is also protected by Federal Copyright Law and is not to be copied or reproduced in any form, using any
medium, without the prior written authorization of Securonix.
However, Securonix allows the printing of the Adobe Acrobat PDF files for the purposes of client training and reference.
Information in this document is subject to change without notice. The software described in this document is furnished
under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with
the terms of those agreements. Nothing herein should be construed as constituting an additional warranty. Securonix
shall not be liable for technical or editorial errors or omissions contained herein. No part of this publication may be
reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including
photocopying and recording for any purpose other than the purchaser's internal use without the written permission of
Securonix.
Contact Information
Securonix
5080 Spectrum Drive, Suite 950W
Addison, TX 75001
(855) 732-6649
Introduction
The Security Analyst guide is designed to help you understand how SNYPR can be used to assess, monitor, and analyze suspicious activities on your network. It provides step-by-step instructions on how to navigate the user interface (UI) so you know where to go to properly support your team, users, and company needs.
SNYPR Overview
SNYPR is a big data security analytics platform built on Hadoop that utilizes Securonix machine-learning-based anomaly detection techniques and threat models to detect sophisticated cyber and insider attacks. SNYPR uses Hadoop both as its distributed security analytics engine and long-term data retention engine. Hadoop nodes can be added as needed, allowing the solution to scale horizontally to support hundreds of thousands of events per second (EPS).
SNYPR features:
- Supports a rich variety of security data, including security event logs, user identity data, access privileges, threat intelligence asset metadata, and netflow data.
- Normalizes, indexes, and correlates security event logs, network flows, and application transactions.
- Utilizes machine learning-based anomaly detection techniques, including behavior profiling, peer group analytics, pattern analysis, and event rarity to detect advanced threats.
- Provides out-of-the-box threat and risk models for detection and prioritization of insider threat, cyber threat, and fraud.
- Provides Spotter, a blazing-fast search feature with normalized search syntax that enables investigators to investigate today’s threats and track advanced persistent threats over long periods of time, with all data available at all times.
Documentation Conventions
There are different font styles used throughout the SNYPR documentation to indicate specific information. The table below describes the common formatting conventions used in the documentation:
Convention: Folders and folder paths
Description: Quotation marks are used around a folder name or folder path. For example, “C:\Documents\UserGuide”.
Additional Resources
If you require additional information, the following guides are available:
Data Integration Guide: Data integrators who need to import activity and enrichment datasources to support existing and custom use cases.
Analytics Guide: Content developers who need to use the existing content and custom analytics available in the SNYPR platform to develop use cases to detect the threats to your organization.
- Create cases
SCC Components
The SCC screen has the following main sections:
b. Available Tenants
c. Dashboard widgets
By default, the widgets display records for all available tenants. You can filter records by tenant using Available Tenants.
The logo directs you to the SCC from any screen in the UI.
b. Navigation Menu
- Security Center
- Views
- Analytics
- Add Data
- Operations Center
- Reports
- Administration
The previous image is for reference purposes only. The categories and subsections within each category are dependent on your role-based and granular access control, meaning the items you see in your navigation menu may vary from the previous image.
c. SNYPR Location
Lists the section and subsection that you have selected from the main navigation menu. For this example, the Security Command Center subsection is selected from the Security Center section.
d. Search
- Users
- Activity Account
- Resources
- Network Address
- Events
You can enter your search criteria after you select the type.
e. On-Demand Incident
The On-Demand Incidents icon allows analysts to create new incidents and add
new events to existing incidents from any screen in the UI. For more information
about the On-Demand Incidents feature, click here.
Note: When you create an On-Demand Incident, risk scores are not associated with
the incident.
f. Connection Status
The connection status of your Hadoop components and Remote Ingestion Nodes
(RIN).
g. Notifications
The notification icon displays system notifications and allows you to download reports. The notification components include:
1. Search bar: Allows you to quickly locate your notifications. You can type search criteria in the search bar and press Enter to view notifications that match your search criteria.
2. Time range filter: Allows you to filter notifications by time range. You can click the drop-down and select hours, days, years, or create a custom time range.
3. Module filter: Allows you to select modules based on your access permissions. You can only receive notifications for the modules that you have selected.
5. Status icon: Allows you to set the status as read. Unread notifications are indicated with a blue icon; read notifications are indicated with a gray icon.
h. Available Tenants
i. More Options
This icon provides access to additional global tools within SNYPR, such as:
- Geolocation: A new tab will open and display a global map with GEO-correlated logs.
- Ops Logs: A new tab will open and display a view of the ops logs.
- Debug: Launches a screen where you can view data with specific tables.
- Outbox: Launches a screen where you can see a list of emails that are going to be sent.
j. User Details
This displays your username and allows you to change your password, ask for
help, or log out. The following image includes the following screen elements:
- Date Range
- Text Filter
- Refresh Icon
- Expand/Collapse
Available Tenants
The Available Tenants section displays the tenants that you can monitor from SNYPR.
1. Date Range: Specify the date range for which the widget details are displayed. The date range pop-up lets you specify the date by hours, days, or years.
2. Type text to filter: Type the tenant name to search for a tenant.
4. Expand/Collapse: Click the icon to collapse the tenant names in the list.
5. Tenant Filter: Select a tenant to view that tenant's records in the SCC widgets. You can select one or any number of tenants. In this screen, Tenant2 is selected.
6. Display/Hide: Click the button to hide and display the Available Tenant pane.
7. Expand/Collapse Available Tenants: Click the icon to collapse the Available Tenants section.
Dashboard Widgets
Widgets are the basic components that make up the Security Command Center (SCC)
dashboard. Widgets enable you to quickly view top violators, violations, and threats, and
allow you to filter dashboard results and visualize your data using charts. This section
covers the following topics:
- Widget Actions
Widget Actions
All the widgets on the SCC follow the same widget framework and offer similar action
options.
Use the following table to see what actions you can take from the SCC widgets:
a: Choose a date range: Towards the top of the widget, you can specify a date range for which the widget details are displayed. Date range lets you specify the date by hours, days, or years. You can also create your own date range by clicking Custom Range at the bottom of the pop-up. To select a date range, click the From or To text, select a date from the pop-up calendar, then click Apply. Your widget will then display results for the date range you selected.
b: Search for widget results: Type a string of text to search for specific results.
c: Move a widget: Click and hold the button while moving the dashboard.
d: Filter widget results: Click to filter your widget results. The filters that display are dependent on the widget you select; you may or may not see the filters listed below:
  - High
  - Medium
  - Low
  - None
  - Custom
e: Sort widget results
f: View a graphical analysis: On the graphical analysis screen, you can click any data point on a graph to filter results. Click X to remove the filter and view all results.
g: Refresh widget results: Click the refresh icon to refresh the list in the widget.
- Threats
- Observables
- Sandbox
- Violation Timeline
- Watchlisted Entities
Top Violators
The Top Violators widget displays the top attackers by risk score for the selected time
range. Violators can include entities such as users or device types (activity accounts,
resources, network addresses, and resource group accounts).
Note: To accommodate performance and scalability, the Total Violations value is not always
exact when processing large amounts of data. It can vary by up to 5% of the actual value for high
valuations.
The custom date range filter in the Top Violators widget allows users to view violator details for a custom date range outside of the available preset values. When you select a custom date range:
- All entities that display are sorted by risk score.
- There are multiple records for each entity to show risk score progression over the course of the date range selected.
- The risk score that displays in the top left will reflect the latest risk score for that entity within the defined custom date range.
- A list of violations will show all the policies for the selected custom time range from the previous screen.
- The violations present a distinct list of policies in the first 1,000 instances from the risk history.
Note: It is not recommended to have a custom date range that spans multiple months or years.
- The incident ID will display the most recent incident for that policy. This incident can be outside of the selected time range.
Note:
- Risk scores are a cumulative risk score, which is the sum of individual policy and threat model risk scores. When a custom date range is selected, there are no on-demand risk score calculations that occur and the Security Command Center gathers the risk scores from the risk score history collection.
- The risk scores reflect the progression of the entity’s total risk score over the defined range of time. They do not reflect the current risk score, as investigations happened over time and risk scores may be reduced as part of incident closure.
Threats
The Top Threats widget displays the top threat model violations for the selected time range. For more information about configuring Threat Models, see the Threat Modeler section in the SNYPR Analytics Guide.
Note: To accommodate performance and scalability, the Threats value is not always exact when
processing large amounts of data. It can vary by up to 5% of the actual value for high valuations.
Observables
The Observables widget displays the policy violations with the highest risk ranking.
Sandbox
The Sandbox widget contains policy violations used in your testing environment. The
policy violations in the Sandbox widget are completely isolated from the policy violations
in your Observables widget (live environment). Any action performed to policy violations
in your Sandbox widget does not affect your live policy violations or contribute to risk
scores.
When your testing is complete and you're satisfied with the policy violation, move the
policy violation to the Observables widget.
Note: To accommodate performance and scalability, the Policies value is not always exact when
processing large amounts of data. It can vary by up to 5% of the actual value for high valuations.
Note: Sandbox violations and threats will not show up under the Threats and Observables widget.
- Recon Stage: Attackers gather information before an attack in an attempt to find a vulnerable point in the network. Example: Phishing emails.
- Delivery Stage: Attackers deliver a malicious package to gain access to a network. Example: A user clicks a link in a phishing email and downloads malware from a malicious site.
- Exploit Stage: Attackers find a vulnerable point of entry into the network and gain access. Example: Zero-day attack.
- Execute Stage: Attackers escalate access to execute the attack. Example: Escalating privileges or stealing admin credentials, lateral movement.
- Exfiltration Stage: Attackers move freely around the network and access or remove any sensitive data at will. Example: An insider uploading customer information to a personal file sharing/storage site.
Violation Timeline
The Violation Timeline widget displays a bubble chart that describes the name and count of violations along the specified timeline. Use your mouse to hover over a data point to view a quick summary of the time, policy violated, and number of violations.
Note: To accommodate performance and scalability, the Violation Timeline value reported is not
always exact when processing large amounts of data. It can vary by up to 5% of the actual value
for high valuations.
Watchlisted Entities
The Watchlisted Entities widget displays a list of all entity types. On the Watchlisted Entities widget, you can perform the following actions:
You can also create custom widgets for watch lists. See Watchlists to learn more.
Violation Summary
The SCC screen displays the name of top violations, threats, or entities. You can click any violation, threat, or entity to view the summary of the violation. The Violation Summary screen provides various options to analyze the violation or threat, investigate, take action, create an incident, or run a playbook. The actions you can take depend on the type of violations you are viewing. You can perform the following actions on all of the Violation Summary screens:
Manage Violators
Violators can be users, activity accounts, resources, network addresses, and resource
group accounts.
From the Top Violators widget in the SCC, you can click a violator to view the summary
list of the entity's violations, which displays details about an entity including lists of policy
violations and threats. From this screen, you can drill down into the violations and take
actions such as launching an investigation, creating a case, searching Spotter, managing
the threat, and collaborating with other members of the team who are viewing the entity.
The Violation Summary screen for a violator:
If you have SecuronixSOAR, the screen displays the Playbook Output button. When you
click the Playbook Output button, the Playbook Output section is displayed.
The top section of the screen displays the playbook details and the playbook status. The left section of the screen displays completed tasks for the playbook. The green check sign signifies that the task completed successfully. The right section of the screen displays the details of each task, such as input, output, and status.
UI Element: Description
b: Risk Score: Display the risk score of the violator.
c: Tenant Name: Display the tenant name where the violator is located.
d: Take Action
e: Incident and Entity Details: Include the entity details, entity profile, and risk score trends of a violator.
f: Violations: Display a summary of all violations connected to the entity.
g: Violation Events: Run the Spotter query for the entity.
h: Select All: Select all violations or none. When you select all violations, the Take Action button appears on the screen.
i: View Session Timeline: Displays the violation timeline for the violator.
j: Filter Threats: Type to filter threats.
k: Filter:
  a. Show Only (Threat or Violations): You can filter the records either by threat or violations.
  c. Criticality (None, High, Medium, Low, Custom): You can filter incidents based on the criticality.
  d. Action Status (In progress, New Violations, Reviewed): You can filter
m: Expand: Click to expand or collapse the violations. When you expand, the following information displays for each violation:
n: Violations: Display a summary of all violations connected to the entity.
On the violator summary screen, you can perform the following actions:
Take Action
This option is available when you view the Violation Summary screen for a user.
To take action on an entity, complete the following steps:
c. Add to White List: Add the entity/user to the white list to approve activity that would otherwise result in a violation.
e. Mark in progress (still investigating): Retain the entity/user's existing risk score.
f. Mark as concern and create incident: Retain the entity/user's existing risk score and create an incident on the entity that will include all the violations performed by the entity.
2. Do one of the following, depending on the action you selected in the previous step:
Search Spotter
This action will launch Spotter in a new tab. From here, you can search events for the entity.
To add the entity to a selected Watch List, follow the steps below:
a. Complete the following information in the Add Entity To Watch List pop-up:
1. Choose the Watchlist you want the entity to be added to: Click
- NO: Select this option if you don't want to create a custom widget on the SCC dashboard.
3. Expiry Date: Enter a date for when the entity will automatically
Note: If there is no expiry date, the entity will remain on the watchlist for 12 months.
b. Click Add.
Non-Concern
You can also take action on individual violations for the entity/user. Hover over a
violation in the Violations list, then click Take Action.
Click the ellipsis icon to view the Entity Details, Entity Profile, and Risk Score
Trends:
The information available here will vary depending on the properties of the user,
actions taken against the user, and the type of violation(s) associated with the
user.
Entity Details
Click the Entity Details tab to view information such as User Details,
Workflow Details, Employment History, and Custom Properties.
Note: This section will be labeled differently and include different information for the different entity types: Users, Activity Accounts, Resources, Network Addresses, and Resource Group Accounts. If Data Masking is enabled in your environment, some attributes may appear masked.
Click a value in the User Details section to launch Spotter for that attribute.
Entity Profile
Click the Entity Profile tab to view information such as the Peer Groups
to which the entity belongs, the Access Accounts they hold, and the
Watchlists on which they appear.
Click the Risk Score Trends tab to view the entity's Risk Score Trend for
violations over time. Hover over any data point to view details.
Filter Threats
Type text in the Filter threats box to filter the violations displayed.
On the entities Violations tab, you can also take actions on individual violations.
When you hover over the violation, the Take Action menu appears.
The action you select will apply only to this violation. You can add the policy to a targeted white list for the entity, mark the violation as a non-concern, mark the violation in progress, or mark it as a concern and create an incident. If you add the violation to a white list or mark it as a non-concern, the risk score will decrease to zero only for this violation. When you mark a violation as in progress or a concern, the risk score will remain the same. After you take an action on a violation, the status will appear.
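The risk-score rules stated in this section and in the Top Violators notes (cumulative score as the sum of policy and threat model scores; white list and non-concern zeroing one violation's score while in-progress and concern retain it; a custom date range reading the latest snapshot from the risk score history rather than recalculating) modelled in a small added example. This is illustrative code, not SNYPR's own; the policy names, scores, dates and the incident id are constructed.

```python
from dataclasses import dataclass, field
from datetime import date


# Constructed sample data (not from the guide): policy names, scores and dates
# are illustrative. "kind" distinguishes policy from threat model violations.
@dataclass
class Violation:
    policy: str
    kind: str                    # "policy" or "threat_model"
    risk_score: float
    status: str = "New Violations"
    whitelisted: bool = False


@dataclass
class Entity:
    name: str
    violations: list = field(default_factory=list)
    incidents: list = field(default_factory=list)
    risk_history: list = field(default_factory=list)   # (date, cumulative score)

    def cumulative_risk(self) -> float:
        # The entity's risk score is cumulative: the sum of its individual
        # policy and threat model risk scores.
        return sum(v.risk_score for v in self.violations)

    def take_action(self, policy: str, action: str) -> Violation:
        """Apply one Take Action choice to a single violation of this entity."""
        v = next(x for x in self.violations if x.policy == policy)
        if action in ("whitelist", "non_concern"):
            # Targeted white list or non-concern: this violation's score drops
            # to zero; the entity's other violations are untouched.
            v.whitelisted = action == "whitelist"
            v.risk_score = 0.0
            v.status = "Reviewed"
        elif action in ("in_progress", "concern"):
            # Still investigating or a concern: the risk score is retained.
            v.status = "In progress"
            if action == "concern":
                # Marking as a concern also opens an incident (id scheme assumed).
                self.incidents.append({"violation": policy, "id": len(self.incidents) + 1})
        else:
            raise ValueError(f"unknown action: {action}")
        return v

    def snapshot(self, day: date) -> None:
        # Periodic write to the risk score history collection.
        self.risk_history.append((day, self.cumulative_risk()))


def latest_score_in_range(entity: Entity, start: date, end: date):
    """With a custom date range the SCC does not recalculate on demand; it
    reads the latest snapshot of the entity that falls inside the range."""
    in_range = [(d, s) for d, s in entity.risk_history if start <= d <= end]
    return max(in_range)[1] if in_range else None


def top_violators(entities, start: date, end: date):
    """Entities with a score in the range, sorted by that score, highest first."""
    scored = [(e.name, latest_score_in_range(e, start, end)) for e in entities]
    return sorted([t for t in scored if t[1] is not None], key=lambda t: -t[1])


def demo():
    alice = Entity("alice", [
        Violation("Abnormal Data Upload", "policy", 40.0),
        Violation("Login From Rare Geolocation", "policy", 25.0),
        Violation("Data Exfiltration Threat Model", "threat_model", 60.0),
    ])
    bob = Entity("bob", [Violation("Abnormal Data Upload", "policy", 50.0)])
    jan1, jan2, jan3 = date(2024, 1, 1), date(2024, 1, 2), date(2024, 1, 3)
    for e in (alice, bob):
        e.snapshot(jan1)
    before = alice.cumulative_risk()                               # 125.0
    alice.take_action("Login From Rare Geolocation", "non_concern")  # 25 -> 0
    alice.take_action("Data Exfiltration Threat Model", "concern")   # 60 retained
    alice.snapshot(jan2)
    bob.snapshot(jan2)
    return {
        "before": before,
        "after": alice.cumulative_risk(),                          # 100.0
        "incidents": len(alice.incidents),                         # 1
        "latest_day1": latest_score_in_range(alice, jan1, jan1),   # 125.0
        "latest_range": latest_score_in_range(alice, jan1, jan3),  # 100.0
        "top": top_violators([alice, bob], jan1, jan3),  # [("alice", 100.0), ("bob", 50.0)]
    }


if __name__ == "__main__":
    print(demo())
```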
On the entity summary screen, you can click any violation to drill down into more
details. The violation details screen displays the reason for the violation and the
risk score trend.
If no custom attribute names were defined, you will see the original attributes for the datasource that were mapped to the Securonix attributes during activity import.
Click a date on the timeline to view only events for that date.
The analytics summary view displays the clear deviation from the established behavior baseline. You can also view a summary of the frequency of the behavior and the number of data points used to establish the behavior baseline.
If you click Deviation from Baseline, you can see the Sigma value and the Variance.
You can click Violation Events to view the individual events associated
with the violation as a Spotter search. You can drill down or edit the
query.
On the violation details screen, click the Violation Events tab to view individual
events associated with the violation as a Spotter search. You can drill down or
edit the query. For more information, see Spotter.
Click the ellipsis icon to view more details about the threat model.
Most of the actions are the same as what you see on the entity screen, but the
type of white list is targeted. This is different than a global white list. If you add
the user to a targeted white list here, it will exempt the violator from the policies in
only this threat model, not all of the policies in SNYPR.
Click an entity name to view details about the entity associated with the violation.
- Resources
- Activity Account
- Network Address
- Incidents (Incident Created or Comments Available): You can select Incident Created to view if any incident is created for the threat, or you can select Comments Available to view only the incidents that have comments added by analysts.
- Action Status (In progress, New Violations, Reviewed): You can filter records
On the Violation Summary tab, you can view a summary of the stages of the
threat model.
4. An option to View Non Violated Policies to see policies for the threat model not violated by this entity
Click the Other Policies tab to view other policies violated by this entity that are
not part of the threat model.
Click the Violation Events tab to view the events associated with this threat
model.
For information about the actions you can take from this section, see Spotter.
violators and threats. From this screen, you can drill down into the violators and take
actions such as launching an investigation, creating a case, searching Spotter, managing
the threat, and collaborating with other members of the team who are viewing the entity.
On the policy violation summary screen, you can perform the following additional actions:
View policy details
1. Click the ellipsis icon to view more details about the policy.
Filter violators
Type text in the Filter violators box to filter the violators displayed.
On the Policy Violation Overview screen, you can also take actions on individual
violators.
To do this, hover over the violator, and the Take Action menu appears.
The action you select will apply only to this violator. You can add the violator to a targeted white list, add the violator to a watch list, mark the violation as a non-concern, mark the violation in progress, or mark it as a concern and create an incident. If you add the violator to a white list or mark as a non-concern, the risk score will decrease to zero only for this violation. When you mark a violation as in progress or a concern, the risk score will remain the same. After you take an action on a violator, the status will appear.
Click the Violation Events tab to view individual events associated with the
policy violation.
For information about the actions you can take from this section, see Spotter.
Click a violator name to view a summary of the policy violation for the entity and
take action on the policy.
Note: The violation summary will display different information based on the Action Filters enabled in Activity Data and the analytical technique configured in the Policy Violations. For more information, see the SNYPR Integration Guide.
5. Click Run Playbook. The screen displays the message Playbook execution in progress.
Once the playbook is executed, the screen displays the playbook status.
3. Complete the Enter Policy Details, Provide Conditions, and Choose Risk Scoring Technique steps as described in the Policy Violations section of the SNYPR Analytics Guide.
4. Scroll down to the Response Bot Recommendations section and complete the following information:
b. Choose one or more features for Response Bot: Select one or more features for Response Bot.
c. Choose one or more user attributes for Response Bot: Select one or more user attributes for Response Bot.
learn actions taken on specific attributes in aggregated events for the features
selected above.
- DISTCOUNT: Returns only distinct (or different) values for the specified field.
Note: This option appears for behavior and directive-based Aggregated Event Evaluator
(AEE) policies.
2. On the Violation Summary screen, the suggestion indicates the type of action taken and the percentage of probability that a tier 2 analyst would take the action based on the number of times they have done so in the past for this type of event and user attributes that appear in this event.
For more information about taking actions, see Take Action on a Violator.
To view the Response Bot suggestions from the Incident Management dashboard, complete the following steps:
The Response Bot shows the learned action and the probability percentage.
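An added illustration of the Response Bot logic as the guide describes it (action suggested from how often tier 2 analysts took each action for the same feature and user attributes); this is not Securonix code, and the feature name, attribute names and the action history are constructed.

```python
from collections import Counter, defaultdict

# Constructed history (not from the guide) of actions tier 2 analysts took on
# past violations. The feature and user attribute names are assumptions.
HISTORY = [
    {"feature": "Abnormal Upload Volume", "department": "Finance",
     "employmenttype": "Contractor", "action": "Mark as concern and create incident"},
    {"feature": "Abnormal Upload Volume", "department": "Finance",
     "employmenttype": "Contractor", "action": "Mark as concern and create incident"},
    {"feature": "Abnormal Upload Volume", "department": "Finance",
     "employmenttype": "Contractor", "action": "Mark as concern and create incident"},
    {"feature": "Abnormal Upload Volume", "department": "Finance",
     "employmenttype": "Contractor", "action": "Non-Concern"},
    {"feature": "Abnormal Upload Volume", "department": "Engineering",
     "employmenttype": "Full Time", "action": "Non-Concern"},
]

# The user attributes selected for Response Bot when the policy was created.
ATTRIBUTES = ("department", "employmenttype")


def learn(history, attributes=ATTRIBUTES):
    """Count past actions per (feature, selected user attributes) combination."""
    model = defaultdict(Counter)
    for row in history:
        key = (row["feature"],) + tuple(row[a] for a in attributes)
        model[key][row["action"]] += 1
    return model


def suggest(model, event, attributes=ATTRIBUTES):
    """Return (action, probability percent) for a new event, or None when no
    analyst has acted on this feature/attribute combination before."""
    key = (event["feature"],) + tuple(event.get(a) for a in attributes)
    counts = model.get(key)
    if not counts:
        return None
    total = sum(counts.values())
    action, n = counts.most_common(1)[0]
    return action, round(100 * n / total)


if __name__ == "__main__":
    bot = learn(HISTORY)
    print(suggest(bot, {"feature": "Abnormal Upload Volume",
                        "department": "Finance", "employmenttype": "Contractor"}))
```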
To start a conversation with another analyst, click the green chat icon. A text box will appear, allowing you to type and send your message:
Note: Only users viewing the case at the same time will appear as available for chat.
To send your message, click the green arrows. To close the chat conversation, click the green chat icon.
On-Demand Incident
The On-Demand Incident feature enables analysts and threat hunters to create a case on
non-entity attributes and attach events to a new or existing incident directly from Spotter,
even when there isn't a policy in place to detect the threat. This on-demand functionality
gives analysts and threat hunters more control over their investigations, as they are
provided with greater flexibility during the incident creation. Analysts and threat hunters
can also manage activity from the Incident Management dashboard to better manage
emerging threats that may have previously gone unnoticed.
This section covers the following topics:
- The Incidents Panel
a. Incident ID: Each incident is assigned a unique number that is used to track the incident. Click
the Incident ID to view the incident management details for the selected incident.
b. Incident Name: Each incident includes a specific name that helps to quickly identify the incident
and focus the investigation on the most important threats in their environment.
c. Attachment icon: You can click this icon to attach important files to the incident.
d. Comments icon: This icon is used to provide additional information about the incident to help
communicate analysis.
Note: Any incident created from the Incidents panel will not have a risk score associated with the incident.
a. Incident Name: Provide a unique name for this incident. This name appears on the incidents
panel.
b. Select Criticality: Use the slider to select the criticality for the incident.
d. Incident Description: Provide a description to help you identify the incident. This description
appears on the incidents panel.
You can also add events to a new or existing incident from the Spotter Search Results
view. See the Spotter section for more details.
Unmasking
Data Masking in SNYPR allows you to mask users, activity, and access accounts, resource names, network addresses, and any data source attribute. To enable investigation and response, analysts can request to unmask entities when violations occur.
The entity unmasking workflow is described in the following illustration:
The following roles interact with the Data Masking functionalities in SNYPR:
- Admin: The role in SNYPR that enables and disables masking, configures the unmasking approval workflow and the Approver role, and selects the user responsible for approving unmasking requests. The Admin may not view masked data.
- Security Analyst: The role in SNYPR that has permission to view and investigate violations, hunt for threats in Spotter, launch playbooks, and remediate threats. The Analyst does not have permission to view masked data, but can launch the unmasking request workflow from the Security Command Center.
- Approver: The role in SNYPR that receives, reviews, and approves or rejects unmasking requests from the Analyst.
- Privacy Master: The only role that has permission to view ALL data in SNYPR as unmasked. The Privacy Master does not have permission to enable or disable masking or approve unmasking requests. Assign this role with caution.
Users in SNYPR may be assigned more than one role. For more information about roles, see Access Control in the SNYPR Administration Guide.
Security analysts can request to unmask entities for a limited time period from Security Command Center by clicking Take Action > Request to unmask entity.
The request status changes to pending and Take Action displays Request to unmask is pending until the request is approved or denied. When the request is approved, SNYPR sends an email, a notification appears in the security analyst's Notifications, and the violation record is unmasked.
If the request is denied, the security analyst receives a request-denied notification.
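The role separation and request states of the unmasking workflow above, as an added example that is not SNYPR code: the four role names follow the guide, while the request object, the length of the "limited time period" (an assumed ttl), the notification strings and the behaviour when masking is disabled are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class User:
    name: str
    roles: set          # a user may hold more than one role


@dataclass
class UnmaskRequest:
    request_id: int
    violation_id: str
    requester: str
    status: str = "pending"               # pending -> approved | denied
    expires_at: Optional[datetime] = None  # set on approval (ttl is an assumption)


@dataclass
class MaskingService:
    masking_enabled: bool = True
    approver: Optional[str] = None        # user selected by the Admin
    requests: dict = field(default_factory=dict)
    notifications: list = field(default_factory=list)   # (recipient, message)
    next_id: int = 1

    def configure(self, admin: User, enabled: bool, approver: User) -> None:
        # Only the Admin enables/disables masking and selects the approving user.
        if "Admin" not in admin.roles:
            raise PermissionError("only an Admin may configure masking")
        if "Approver" not in approver.roles:
            raise PermissionError("selected user does not hold the Approver role")
        self.masking_enabled = enabled
        self.approver = approver.name

    def request_unmask(self, analyst: User, violation_id: str) -> UnmaskRequest:
        # Take Action > Request to unmask entity, available to Security Analysts.
        if "Security Analyst" not in analyst.roles:
            raise PermissionError("only a Security Analyst may request unmasking")
        req = UnmaskRequest(self.next_id, violation_id, analyst.name)
        self.next_id += 1
        self.requests[req.request_id] = req
        return req

    def take_action_label(self, request_id: int) -> str:
        # What Take Action shows while a request is outstanding.
        if self.requests[request_id].status == "pending":
            return "Request to unmask is pending"
        return "Request to unmask entity"

    def decide(self, approver: User, request_id: int, approve: bool,
               now: datetime, ttl: timedelta = timedelta(hours=8)) -> UnmaskRequest:
        # Only the configured Approver decides; ttl (assumed) bounds the unmasked window.
        if approver.name != self.approver or "Approver" not in approver.roles:
            raise PermissionError("only the configured Approver may decide requests")
        req = self.requests[request_id]
        if req.status != "pending":
            raise ValueError("request already decided")
        req.status = "approved" if approve else "denied"
        if approve:
            req.expires_at = now + ttl
        # Stands in for the email plus Notifications entry the analyst receives.
        self.notifications.append(
            (req.requester, f"Request to unmask {req.violation_id} {req.status}"))
        return req

    def can_view_unmasked(self, user: User, violation_id: str, now: datetime) -> bool:
        # Privacy Master always sees unmasked data; with masking disabled (assumed)
        # nothing is masked. Admin and Approver never see masked data; an Analyst
        # sees one violation record only after approval and before expiry.
        if not self.masking_enabled or "Privacy Master" in user.roles:
            return True
        if "Security Analyst" not in user.roles:
            return False
        return any(r.violation_id == violation_id and r.requester == user.name
                   and r.status == "approved" and now < r.expires_at
                   for r in self.requests.values())
```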
Data Insights
Data Insights allows you to create, modify, save, and share custom dashboards to gain data insights for your organization. You can export dashboards in a variety of formats such as PDF, PowerPoint, and Excel. This allows you to reuse the Data Insights reports within your organization and easily share the reports with management. These widely usable formats enable analysts to create, modify, save, and share custom dashboards to gain compliance for the organization.
The Data Insights dashboard is composed of widgets that provide visualizations of your
data, allowing you to quickly view and compare data at a glance.
Dashboards Overview
From Data Insights, you can create your own unique dashboard to access the information
that is most relevant to you and your organization. Once you have created a dashboard,
as discussed in Manage Dashboards, you will select from a variety of widgets to build out
its display.
Widgets Overview
A widget in Data Insights is a mini-report that displays your data in a number of presentation styles, including:
- Line Chart
- Area Chart
- Bar Chart
- Geolocation Map
- Tabular Data
- Number Chart
- Heat Map
- Donut Chart
- Top N Results
- Bubble Chart
- Text/Note
- Geolink
For information on configuring settings that are specific to a particular widget type, see
Configure a Widget.
The following table provides a description for each of the icons referenced in the figure
above:
Icon Description
a: All Dashboards
This icon also allows you to filter the dashboard results. For example, if you select the
Email dashboard from the All Dashboards drop-down list, the left pane will only display the
Email dashboard as seen in the image below. To remove a dashboard filter, click the All
Dashboards icon and select Showing All dashboards from the drop-down list.
b: Reorder
Click the dashboard title and drag it to your desired location on the left pane. To save
your dashboard arrangement, click the check mark icon.
c: Share
The share icon allows you to share the dashboard, enabling every member of your team to
access the same information. Check the box for each permission you want the user to have.
d: Edit
The Edit icon enables you to edit the contents of a dashboard or widget.
f: Time Range
The Time Range icon displays for each widget, enabling you to change the time frame of
results for a specific widget.
g: Select Duration
The Select Duration icon is similar to the Time Range icon, except it controls the time
frame of the results for all the widgets on the dashboard.
h: Filter
The Filter icon allows you to filter the widget results by Field and Value.
k: Play/Stop
The Play/Stop icons play and stop the dashboard results.
Manage Dashboards
The Data Insights dashboards enable you to create a customized and strategic view of
your system, ensuring that the data you need is available at a glance. The steps outlined
in this section describe how to create and edit a dashboard.
Create A Dashboard
To create a dashboard, complete the following steps:
1. Navigate to Menu > Security Center > Data Insights.
c. (Optional) Select a category for your dashboard: Select a category from the drop-down or
Create New Category.
d. Tenant Information: Select a tenant for which you want to create the dashboard. You can
select all tenants or any combination of tenants to create the dashboard.
e. Select Any One Template: Choose a template layout to specify the grid structure
of the widgets on your dashboard. A preview of the template displays when you
click a template.
Edit Dashboards
Once a dashboard has been created, it can be edited. To edit a dashboard, complete the
following steps:
1. Navigate to Menu > Security Center > Data Insights.
2. Click a dashboard name from the left pane, then select the edit icon.
A section displays at the top of the screen, enabling you to edit the dashboard details.
The following dashboard details are available:
From here, you can add a new widget by clicking Add Widget. For more information
on customizing widgets, see the Manage Dashboard Widgets section.
Customize a Widget
Upon selecting a widget type, you are presented with the various configuration settings
for that widget. This section provides instructions on how to configure settings for each
widget type.
Line Chart
Note: Based on the configuration, facet levels can cause the y-axis to spike upwards.
To work around this, an aggregation must occur on the y-axis attribute.
a. Chart Label: The label entered here displays at the top of the widget.
b. (Optional) Chart Orientation: Specifies whether the orientation of the widget is
vertical or horizontal.
a. (Optional) Datasource: The datasource you want to create the chart for.
b. What type of data you want to use: The type of data you want to run the query on.
c. Time Range: The date range you want to run the query for.
b. Field: An attribute. Available attributes are based on the datasource, if it has been
selected for this chart.
c. (Optional) Label Rotation: The rotation style for the x-axis label. You can choose to
display the label horizontally, vertically, or at a slant.
b. Field: An attribute. Available attributes are based on the datasource, if it has been
selected for this chart.
c. (Optional) Label Rotation: The rotation style for the y-axis label. You can choose to
display the label horizontally, vertically, or at a slant.
Area Chart
An Area Chart is similar to a Line Chart, except the area under each line is filled
in with color.
The following image is an example of the Area Chart widget:
b. (Optional) Chart Orientation: Specifies whether the orientation of the widget is
vertical or horizontal.
b. What type of data you want to use: The type of data you want to run the query on.
c. Time Range: The date range you want to run the query for.
b. Field: An attribute. Available attributes are based on the datasource, if it has been
selected for this chart.
c. (Optional) Label Rotation: The rotation style for the x-axis label. You can choose to
display the label horizontally, vertically, or at a slant.
b. Field: An attribute. Available attributes are based on the datasource, if it has been
selected for this chart.
c. (Optional) Label Rotation: The rotation style for the y-axis label. You can choose to
Bar Chart
b. (Optional) Chart Orientation: Specifies whether the orientation of the widget is
vertical or horizontal.
b. What type of data you want to use: The type of data you want to run the query on.
c. Time Range: The date range you want to run the query for.
b. Field: An attribute. Available attributes are based on the datasource, if it has been
selected for this chart.
c. (Optional) Label Rotation: The rotation style for the x-axis label. You can choose to
display the label horizontally, vertically, or at a slant.
b. Field: An attribute. Available attributes are based on the datasource, if it has been
selected for this chart.
c. (Optional) Label Rotation: The rotation style for the y-axis label. You can choose to
display the label horizontally, vertically, or at a slant.
Geolocation Map
The Geolocation Map displays a map showing where your active users are
coming from.
The following image is an example of the Geolocation Map widget:
a. (Optional) Datasource: The datasource you want to create the chart for.
b. What type of data you want to use: The type of data you want to run the query on.
c. Time Range: The date range you want to run the query for.
Tabular Data
The Tabular Data widget organizes data into a table with rows and columns.
Each column in the table represents an x or y axis, and each row shows a
selected attribute of that axis.
The following image is an example of the Tabular Data widget:
b. (Optional) Chart Orientation: Specifies whether the orientation of the widget is
vertical or horizontal.
b. What type of data you want to use: The type of data you want to run the query on.
c. Time Range: The date range you want to run the query for.
a. (Optional) Column 1 Label: The text that displays on the first column.
b. Field: An attribute. Available attributes are based on the datasource, if it has been
selected for this chart.
c. (Optional) Label Rotation: The rotation style for the label of the first column. You
can choose to display the label horizontally, vertically, or at a slant.
Number Chart
b. What type of data you want to use: The type of data you want to run the query on.
c. Time Range: The date range you want to run the query for.
a. Operator: Select the AVG (average), MAX (maximum), MIN (minimum), or SUM
operator from the drop-down.
b. Field: An attribute. Available attributes are based on the datasource, if it has been
selected for this chart.
c. (Optional) View Based on: Select Daily, Weekly, Hourly, or Monthly from the
drop-down.
Heat Map
The Heat Map chart is a combination of nested, colored squares, each
representing an attribute element. The squares contain many shadings of colors,
which emphasize various activity levels.
The following image is an example of the Heat Map widget:
b. What type of data you want to use: The type of data you want to run the query on.
c. Time Range: The date range you want to run the query for.
5. Select the AVG (average), MAX (maximum), MIN (minimum), or SUM oper-
6. Click the drop-down to select the color of your heat map blocks.
Donut Chart
A Donut Chart is a circular chart that is divided into slices, each of which
represents a proportion of a whole. The size of a slice is determined by the
percentage of the total of all values.
The following image is an example of the Donut Chart widget:
b. (Optional) Chart Orientation: Specifies whether the orientation of the widget is
vertical or horizontal.
b. What type of data you want to use: The type of data you want to run the query on.
c. Time Range: The date range you want to run the query for.
4. Click the drop-down and select a label for the pie slice in the donut chart.
5. Click the drop-down and select the size for each pie slice in the donut chart.
The Stacked Bar Chart is a chart that stacks multiple data on a horizontal or
vertical bar.
The following image is an example of the Stacked Bar Chart widget:
b. What type of data you want to use: The type of data you want to run the query on.
c. Time Range: The date range you want to run the query for.
b. Field: An attribute. Available attributes are based on the datasource, if it has been
selected for this chart.
c. (Optional) View Based on: Select Daily, Weekly, Hourly, or Monthly from the
drop-down.
d. (Optional) Label Rotation: The rotation style for the x-axis label. You can choose to
display the label horizontally, vertically, or at a slant.
c. Label Rotation: The rotation style for the y-axis label. You can choose to display the
label horizontally, vertically, or at a slant.
Top N Results
The Top N Results widget displays the top number, based on the Count (number
of results) and field(s) from your datasource.
The following image is an example of the Top N Results widget:
b. What type of data you want to use: The type of data you want to run the query on.
c. Time Range: The date range you want to run the query for.
d. Field: An attribute. Available attributes are based on the datasource, if it has been
selected for this chart.
Bubble Chart
The Bubble Chart is a chart that plots an x-axis (horizontal) and a y-axis (vertical)
as a set of points scattered on a graph.
b. What type of data you want to use: The type of data you want to run the query on.
c. Time Range: The date range you want to run the query for.
b. Field: An attribute. Available attributes are based on the datasource, if it has been
selected for this chart.
c. (Optional) View Based on: Select Daily, Weekly, Hourly, or Monthly from the
drop-down.
d. (Optional) Label Rotation: The rotation style for the x-axis label. You can choose to
display the label horizontally, vertically, or at a slant.
b. Field: An attribute. Available attributes are based on the datasource, if it has been
selected for this chart.
c. (Optional) Label Rotation: The rotation style for the y-axis label. You can choose to
display the label horizontally, vertically, or at a slant.
The Source Destination Chart displays the source and destination by field.
The following image is an example of the Source Destination Chart widget:
Complete the following steps to configure the Source Destination Chart widget:
1. Select one or multiple tenants from the Tenant Information section.
b. What type of data you want to use: The type of data you want to run the query on.
c. Time Range: The date range you want to run the query for.
Text/Note
The Text/Note widget allows you to create more descriptive explanations to your
dashboard by adding text or notes. There are various options for creating
different text styles, such as changing the font color, defining the text alignment, and
adding hyperlinks.
The following image is an example of the Text/Note widget:
Geolink
The Geolink widget provides a quick and efficient method of locating anomalies
based on the geographical connection between two IP addresses. This widget
displays an arrow to indicate direction.
The following image is an example of the Geolink widget:
b. What type of data you want to use: The type of data you want to run the query on.
c. Time Range: The date range you want to run the query for.
Edit a Widget
From the left pane, select the dashboard you want to edit, then click the edit icon.
a. Clone Widget: To clone a widget, click the Clone Widget icon and select Yes in the pop-up.
Selecting Yes will default the widget name to Copy of [Current Widget Name] - [Duration], and
will display the cloned widget at the bottom of the dashboard.
b. Edit Widget: To edit a widget, click the pencil icon. A dialog box displays on the right side of the
screen where you can edit the widget details. For more information on how to configure settings
for a specific widget, see the Configure a Widget section above.
c. Select Duration: To change the time range displayed on a widget, click the Select
Duration icon and select a time value to filter the widget. You can select from a variety of
hours, days, and years, or you can create a custom time range. The time range you
select will become the new time range the widget displays.
Note: When you change the Time Period or an operator-specific filter (such as Top 10 and daily) for
a dashboard or a widget, the chart displays the data based on the selection but the labels do
not change.
e. Resize the Widget: To resize a widget, hover over the widget. When a two sided arrow appears,
click and drag to resize. A gray dotted line appears to indicate the new widget size.
1. Refresh Dashboard: Click the icon to refresh the Data Insights dashboards.
2. Filter Notification: Click to provide a global filter to all the widgets on the dashboard.
l Click Add New Filter, and then select a filter from the Field drop-down or enter a query.
l To remove a filter, click the filter icon and then click the red X.
3. Select Duration—Dashboard: Set the time / date duration for the Data Insights dashboards.
4. Select Duration—Widget: Set the time / date duration for one widget on the dashboard.
Note: Available actions vary based on the chart type and data type.
l Add to Filter: Filters the chart results based on the data point.
l Launch Spotter: Launches a Spotter search based on the data point. For more information
about searching SNYPR, see Spotter.
The dashboards for PCI requirements are listed in the following table.
Requirement: 02 - System Password Management
Description: Do not use vendor-supplied defaults for system passwords and other security
parameters
Dashboards: PCI - Password Changes and Resets; PCI - Account Sharing; PCI - Account
Lockouts; PCI - All Authentication Events; PCI - Denied Authentication Events; PCI - All
System Auditing Events; PCI - VPN Access Summary
Datasources: OS, VPN, Access
Requirement: 09 - Physical Access
Description: Restrict physical access to cardholder data
Dashboards: PCI - System Admin/Root User Activity; PCI - DB Admin Activity; PCI -
Application Admin Activity; PCI - File and Document Management Activity
Datasources: Privilege, DB, Application and CMS
Requirement: 11 - Test Security Systems and Processes
Description: Regularly test security systems and processes
Dashboards: PCI - Critical Vulnerabilities; PCI - Top Vulnerable Assets; PCI - All
Vulnerabilities by Criticality; PCI - All Firewall Configuration Events; PCI - All Wireless
Configuration Events
Datasources: Scanner, Firewall, IDS, Wireless
HIPAA Dashboards
Category: HIPAA - Administrative Safeguards
Description: HIPAA Security Rule - Administrative Safeguards - 45 CFR 164.308 requires
appropriate administrative safeguards to ensure the confidentiality, integrity, and security of
electronic protected health information. For more information visit
https://www.hhs.gov/hipaa/for-professionals/security/
Dashboards: HIPAA - All Policy Changes; HIPAA - All Policy Violations; HIPAA - File and
Document Management Activity; HIPAA - Critical Vulnerabilities; HIPAA - Top Vulnerable
Assets; HIPAA - All Vulnerabilities by Criticality; HIPAA - All Firewall Configuration Events;
HIPAA - All Wireless Configuration Events; HIPAA - Anti-Malware Deployed; HIPAA - Hosts
without Anti-Malware Protection (Stopped, Disabled, Not installed); HIPAA - Hosts with
Malware Infection; HIPAA - Anti-Malware Protection Events; HIPAA - Anti-malware Scan
Summary; HIPAA - Anti-Malware Update Failure, Success; HIPAA - Password Changes and
Resets; HIPAA - Account Sharing; HIPAA - Account Lockouts; HIPAA - All Authentication
Events; HIPAA - Denied Authentication Events; HIPAA - VPN Access Summary; HIPAA -
System Admin/Root User Activity; HIPAA - DB Admin Activity; HIPAA - Application Admin
Activity
Datasources: CMS, Scanner, Firewall, IDS, Wireless, Malware, OS, VPN, Application, Privilege,
DB
Category: HIPAA - Technical Safeguards
Description: HIPAA Security Rule - Technical Safeguards - 45 CFR 164.312 requires that only
authorized persons have access to electronic protected health information (e-PHI). For more
information visit https://www.hhs.gov/hipaa/for-professionals/security/
Dashboards: HIPAA - User Account Creation, Deletion; HIPAA - User Account Privilege
Changes; HIPAA - User Group Creation, Deletion; HIPAA - User Group Privilege Changes;
HIPAA - DB User Account Creation, Deletion; HIPAA - DB User Privilege Changes; HIPAA -
Account Sharing Summary; HIPAA - Automated Logoff of User Account; HIPAA - Critical File
Changes; HIPAA - EMR Access by Admin Users; HIPAA - Encryption Events Summary; HIPAA -
File Integrity Events Summary; HIPAA - Logon Attempts (Win); HIPAA - Summary of Database
Accessed; HIPAA - Summary of File Access; HIPAA - User Account Access Summary; HIPAA -
ePHI Application Audit Events; HIPAA - Application Admin Activity; HIPAA - All System
Auditing Events; HIPAA - System Admin/Root User Activity; HIPAA - DB Admin Activity
Datasources: OS and DB
Spotter
Spotter is a lightning fast, natural language search engine that uses normalized search
syntax and visualization techniques to provide threat hunters the tools they need to
investigate current threats and trends, and track advanced persistent threats over long
periods of time. Spotter is built on Apache Lucene™, a Java-based, high-performance text
search engine that provides powerful, efficient, and accurate search capabilities.
From the Spotter start screen, you can search for and view threats using various search
filters. You can specify the report format to display information in tables, as bar charts,
bubble charts, and time charts, or view a geographical map.
Tip: Press F2 to launch the Spotter start screen from any section of the SNYPR UI.
The Spotter search bar filters your data based on the query you provide.
It also contains different components, such as clear, save, and other actions, that
let you manage your Spotter query, including:
1. Spotter search bar: Enter a query in the Spotter search bar, then click the magnifying
glass/search results icon or press Enter. This will filter and return only the results that
match your query.
2. Help: Opens a new tab with help information regarding the Spotter search
language. To learn more about the Spotter search language, click here.
5. Settings: Expands a list of Cached Queries and Saved Queries. The fol-
b. Refresh Config: If the Spotter search application has changed, this button will
refresh the configuration.
6. Time frame filter: Limits the search results based on the time frame you
specify. You can select from a list of predefined time frames or create a custom
time frame:
7. Search results: Searches and returns results based on the query you entered. You can
also press Enter to return your results.
C: Navigation Tabs
Within Spotter, you will be presented with various navigation tabs. These tabs
are structured to present you with key information about your search results,
queries, and jobs.
By default, you are directed to this tab. This tab displays a list of
Available Violations and Available Datasources.
Search Results
a. Column chart: The column chart provides a way to visualize and compare
your data. The horizontal axis shows the date an event was queried, and
the vertical axis shows the number of events that match your query. Each
blue column represents a day.
format. The tabular view allows you to create a custom table layout by
specifying what data should be displayed, in what order, and how the
data should be sorted.
In addition to the items listed above, you have the option to lock the
first three columns in place by enabling the Freeze column setting.
When you freeze a column(s), it remains in place as you reorder or
scroll through other columns in the Tabular View.
d. Reports: This button gives you the ability to export your Spotter query
e. Add All Events to Incident: Allows you to add all the events or
selected events from the Spotter query to an incident. To learn more about
how to create an incident, see the Create an On-Demand Incident
section of the Security Analyst Guide.
f. Selected Fields: This button will expand and collapse the information in this
section.
g. Settings: When you click this icon, you can select how the attribute
names are displayed. The following two options are available:
Tip: To query data using Securonix attributes, use the "@" prefix, then
enter the Securonix attribute. The "@" prefix indicates you are using the
Securonix attribute to run a query.
Limitation:
l The search with resource type does not work when a resource type is
i. Events: Each event card represents a matched result/event for your query.
The attributes are in the Key-Value Pair format.
j. Pagination: The number of page results which relate to your Spotter query.
Recent Queries
Displays the recently executed queries with the option to save or clear.
b. Query: Displays a list of executed queries, with the most recent query at the
top.
d. Save: Saves a cached query and opens the following dialogue box
Saved Queries
Displays the saved queries with the option to share, edit, or delete.
2. Table of queries: Contains the query name, query string, and actions you can
perform on the query.
Console
Displays the console output for a search with the time stamp, query, and
number of results.
a. Time stamp: The time stamp of when the query was executed.
View Jobs
Displays query details including start and stop time stamps, records
returned, status, and provides the ability to delete the query.
a. Search: Allows you to search and narrow down queries in the table.
d. Job Start Time: Shows the time that the query was started.
e. Job End Time: Shows the time that the query ended.
c: Filter Toolbar
The filter toolbar allows you to limit the search results that display in the
Available Violations and Available Datasources panels. Each panel has an
independent filter toolbar that appears above it.
The filter toolbar gives you access to many filter actions, including:
a. Search bar: The search bar auto-suggests policies/datasources as you type. Enter the
policy or datasource to filter the panels that display below the search bar.
b. Drop-down filter: The drop-down will filter results by the following attributes:
l Name
l Count
l Criticality
Note: All the images in this section are for illustrative purposes only and may differ from the
actual product due to product enhancements.
Note: To query data using Securonix attributes, use the "@" prefix, then enter the Securonix
attribute. The "@" indicates that you are using a Securonix attribute to run a query.
2. Click the Search Results tab, then select Reports > Export Spotter Results.
The option to Export Spotter Results appears in the drop-down along with any
Spotter reports configured under Menu > Reports > Categorized Reports. For information
about how to configure Spotter reports, see Reports.
3. Click the Select Report Format drop-down and select a format for the report:
l PDF
l CSV
l XLS
l RTF
l TXT
l DOCX
Note: When the toggle below Select Report Format is disabled, only 1,000 events are
exported in the report.
4. Check the box next to each attribute you want to be included in the report, then click
the right arrow highlighted in blue. Attributes that appear in the User Attributes
column are included in the report.
Note: By default, when the STATS or TOP table queries are used, the attributes display in
the User Attributes (Securonix Attributes) box.
Tip: To select all attributes, check the Select All box in the column header.
5. Click Schedule to save the label and include the attribute in the report.
6. Click Run to run the report and download the report from the Notifications menu when
status is complete.
You are directed to the Live Channel screen. This screen aggregates and consolidates
logs on a single UI, and is used for log troubleshooting and exploration.
Pausing Logs
To pause the Live Channel, scroll up in the Live Channel or click Pause.
Click the help icon (?), located to the right of the Live Channel search bar to see regex
example searches.
Saving Searches
Once you create queries and begin to successfully search your data, you can use the
Save Search icon to save your Live Channel. The Save Search icon is great for saving
queries you want to continuously run, such as malware detection patterns.
Provide a name for the saved Live Channel, and optionally, share the saved Live
Channel with other users or groups.
Once the search is saved, it displays in the Saved Live Channels section. To access your
Saved Live Channels, click the expand/collapse icon.
Filtering to Search
You can filter the Live Channel log events based on the filters you select.
When the filters are applied, the Live Channel displays only the log events that match
your selected tenant or datasource. You can also click the filter tabs, just below the
applied filters, to browse between your selected tenant or datasource logs.
Search Terms are the simple search parameters used to form a query. This is
also called Simple Search.
l Field-Value pair is a single search term.
l OR: Indicates at least one of the linked search terms must be present in the data set.
Example
Syntax: <field> <comparator> <value>
l Field: The field, or attribute, within the data.
l Comparator: The comparison, or condition, against which to match the value to the
field.
Streaming Operators
Streaming Operators execute an action on the search results returned from the
Spotter query.
l All EVAL functions are streaming operators.
Transforming Operators
Transforming Operators display the search results into different visual formats.
l Typical transforming operators include Statistical and Chart functions.
Data Processing Operators perform an action on the whole set of search results,
whether or not the results have been transformed by a transforming operator.
l Typical data processing operators are those such as Order by and Where.
Query Syntax
Spotter queries use the following syntax:
l Strings that contain special characters and/or white space characters require quotes.
l Multiple values for operators such as “IN” and “NOT IN” require quotes as needed and must be
separated by commas. Example: accountname IN “jdoe”, “jsmith”.
l Quotes:
l Used around phrases and values that contain white spaces, commas, brackets, pipes, and
other punctuation.
l Should be used around phrases, keywords, and wildcards if you don't want to search for
their default meaning, such as "AND" (the Boolean operator) or * (the multi-character
wildcard).
l Wildcards ( ?, *):
l *: Used to represent 0 or more characters wildcard in a search.
Indexes
Spotter uses natural language to search within the data indexed in SNYPR Search. You
can search within any index into which you have imported data. SNYPR Search uses the
following indexes to store data:
l Activity: Used to search for security log events from Windows, Proxy devices, Firewalls,
IDS/IPS, etc.
Note: Queries are slower for this index than for the other (hot) indexes.
l Asset: Used to search metadata for assets such as servers, workstations, laptops, ATMs, POS
devices, etc.
l Lookup: Used to search for entries in lookup tables such as Competitor Domains, Non-Business
Domains, etc.
l TPI: Used to search for threat intelligence ingested from third party sources such as
ThreatSteam.
l Users: Used to search user information ingested through Identity Access Management devices,
HR systems, etc.
l Violation: Used to search for policy and threat violations that are associated with an entity and a
risk score.
l Watchlist: Used to search for entities that have been added to a watchlist.
l Whitelist: Used to search for entities that have been added to a whitelist.
Common Fields
The following fields are commonly used in Spotter search:
l eventtime: Time the event occurred on the resource (datasource).
l generationtime: Time a violation was detected by SNYPR. Appears only in the violation,
risk score, and risk score history indexes.
l policyname: Used to search a specific policy name for which violations have been observed.
l resourcegroupname: Used to search for a datasource by the specific name the datasource was
given when the connection was created to import data.
Search Operators
Search Operators tell the system how to locate, format, manipulate, and display the data
you want to see. These include the following types of commands:
Basic Commands
indexedat
The indexedat command finds events that are indexed within the specified
duration.
Supported Variables:
l MINUTES: [NOW-5MINUTES NOW]
Policy
The Policy command searches for a specific policy to find violations. The format
supported for the date attributes to query is MM/dd/yyyy HH:mm:ss.SSS.
Syntax: <policyname> <=> <value>
Data Sources
Queries the activity core for specific data sources. The format supported for the
date attributes to query is MM/dd/yyyy HH:mm:ss.SSS.
Syntax: <resourcegroupname> <=> <value>
Text
Returns all results that include the specified text.
Syntax: <value>
Example: smith
*
Multiple character wildcard searches look for 0 or more characters.
Syntax: <field1 | *> < field2 | *> <field n | *>
?
To perform a single character wildcard search, use the "?" symbol.
Syntax: <field1 | ?> <field2 | ?> <field n | ?>
Example: ??2497
Index Commands
The following operators are used to specify the index in which to search.
Lookup
Searches within lookup index for all items added in lookup tables.
Syntax: index= < lookup > <and | or> <field>| Report Commands | Field Commands
Activity
Searches within the activity index for events. This is the default index for Spotter
searches.
Syntax: index = < activity > <and | or> <field> = <field value>
Example: index = activity; index = activity and accountname = secure; index = activity
and deviceaction = 26952 and transactionstring1 = THREAT
Violation
Searches within the index for policy violations.
Syntax: index = < violation > <and | or> <field> = <field value>
Example: index = violation; index = violation and violator = Users; index = violation
and sessionid = 1102
Riskscore
Searches within the riskscore index, which stores all violators and provides
riskscore information based on doctype. Doctype can be further classified at the
policy level, identified by “entity_policy” and “entity_threatmodel”. Additionally,
doctype can be aggregated at an entity level, identified by “entity”,
“entity_policy_rtaccount”, “entity_policy_rgaccount”, and “entity_policy_account”.
Note: The doctypes “policy”, “threatmodel”, and “category” are used for RBAC and not used
for risk score calculations.
Syntax: Index = < riskscore > <and | or> <field>| Report Commands | Field Commands
Archive
Searches historical data on HDFS using Impala/Hive. You must specify
resourcegroupname, resourcetype, or rg_functionality, and tenantname in the query.
For Impala queries, resourcegroupname is the table name.
Syntax: index = < archive > <and> <resourcegroupname> <=> <value> <and | or>
<field> = <field value>
Whitelist
Searches within the whitelist core for entities in a global or targeted whitelist.
Syntax: index = < whitelist > <and | or> <field> = <field value>
TPI
Searches within the TPI index, which stores third party threat intelligence.
Syntax: Index = <tpi> <and | or> <field> | Report Commands | Field Commands
Example: index = tpi; index = tpi and tpi_addr = zztxdown.com; index = tpi and tpi_srckey = zzshw.net_MalwareDomains
Asset
Searches within the asset index, which stores device metadata.
Syntax: Index <asset> <and | or> <field> | Report Commands | Field Commands
Watchlist
Searches within watchlist index for all watchlisted entities.
Syntax: Index = <watchlist> <and | or> <field> | Report Commands | Field Commands
Users
Searches within the user index.
Syntax: index = < users > <and | or> <field> = <field value>
Riskscorehistory
Searches within the riskscore history index. This is primarily used for accumulating
and keeping track of historical risk score information based on doctype. Doctype can
be further classified at the policy level. This can be identified by “entity_policy”
and “entity_threatmodel”. Additionally, doctype can be aggregated at an entity level,
identified by “entity”, “entity_policy_rtaccount”, “entity_policy_rgaccount”, and
“entity_policy_account”.
Note: Doctypes “policy”, “threatmodel”, and “category” are used for RBAC and not used
for risk score calculations.
Geolocation
Searches within the geolocation index for IP address.
Syntax: index = < geolocation > <and | or> <field> = <field value>
Activelist
Searches within the activelist index for entries found on active lists in Redis.
Syntax: index = < activelist > <and | or> <field> = <field value>
Comparators
CONTAINS
Checks if a string field contains the specified value. CONTAINS does not support
date attributes such as hiredate, terminationdate, and expirydate. CONTAINS is not
case sensitive.
Syntax: <field> CONTAINS <value>
NOT CONTAINS
Checks if a string field does not contain the specified value. This comparator
does not support date attributes such as hiredate, terminationdate, and expirydate.
NOT CONTAINS is not case sensitive.
Syntax: <field> NOT CONTAINS <value>
AND
Shows the results that fulfill both conditions.
Syntax: <field> <AND> <value>
OR
Shows the results that fulfill either of the specified conditions.
Syntax: <field> <OR> <value>
BEFORE
Filters the events before the specified date. The format supported for date attributes
in a query is MM/dd/yyyy HH:mm:ss.SSS.
Syntax: <field> BEFORE <value>
AFTER
Filters the events after the specified date. The format supported for date attributes
in a query is MM/dd/yyyy HH:mm:ss.SSS.
Syntax: <field> AFTER <value>
BETWEEN
Filters the events between value1 and value2. The format supported for date
attributes in a query is MM/dd/yyyy HH:mm:ss.SSS.
Syntax: <field> BETWEEN <value1><,><value2>
NOT BETWEEN
Filters the events not between value1 and value2. The format supported for date
attributes in a query is MM/dd/yyyy HH:mm:ss.SSS.
Syntax: <field> NOT BETWEEN <value1><,><value2>
STARTS WITH
Checks if the string field value starts with the specified value.
Syntax: <field> STARTS WITH <value>
NULL
Returns the events if the field value is empty.
Syntax: <field> NULL
NOT NULL
Returns the events if the field value is not empty.
Syntax: <field> NOT NULL
IN
Checks if the string field value is present in the specified list of comma-separated values.
Syntax: <field> IN <value>
NOT IN
Checks if the string field value is not present in the specified list of comma-separated values.
Syntax: <field> NOT IN <value>
ENDS WITH
Checks if the string field value ends with the specified value.
Syntax: <field> ENDS WITH <value>
= (Equals)
Tests equality: finds events whose field value equals the specified value.
Syntax: <field> <=> <value>
!= (Not Equals)
Tests inequality: finds events whose field value does not equal the specified value.
Syntax: <field> <!=> <value>
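The comparator semantics above (case-insensitive CONTAINS, date-typed BETWEEN and BEFORE in the MM/dd/yyyy HH:mm:ss.SSS layout, comma-separated IN lists, NULL as an empty or absent field) modelled over a handful of constructed activity events. This is an added illustration written for this page in Python, not Securonix's Spotter implementation; the events, field names and the AND-of-predicates search() helper are assumptions made for the example.

```python
from datetime import datetime

# Spotter's documented date layout is MM/dd/yyyy HH:mm:ss.SSS; Python's %f accepts
# the three-digit fraction. The events below are constructed sample data.
DATE_FMT = "%m/%d/%Y %H:%M:%S.%f"

EVENTS = [
    {"accountname": "Secure", "deviceaction": "26952",
     "eventtime": "03/01/2024 10:15:00.000", "transactionstring1": "THREAT"},
    {"accountname": "svc_backup", "deviceaction": "1001",
     "eventtime": "03/03/2024 23:59:59.999", "transactionstring1": None},
    {"accountname": "jdoe", "deviceaction": "26952",
     "eventtime": "02/27/2024 08:00:00.000", "transactionstring1": "ALLOW"},
]


def parse_date(value):
    return datetime.strptime(value, DATE_FMT)


def _text(event, field):
    """Field value as a string, or None when the field is absent/empty (NULL semantics)."""
    value = event.get(field)
    return None if value in (None, "") else str(value)


# Each comparator returns a predicate over one event; search() ANDs predicates.
def contains(field, value):                       # not case sensitive, per the page
    return lambda e: _text(e, field) is not None and value.lower() in _text(e, field).lower()


def not_contains(field, value):
    return lambda e: _text(e, field) is not None and value.lower() not in _text(e, field).lower()


def starts_with(field, value):
    return lambda e: _text(e, field) is not None and _text(e, field).startswith(value)


def ends_with(field, value):
    return lambda e: _text(e, field) is not None and _text(e, field).endswith(value)


def in_list(field, csv_values):
    wanted = {v.strip() for v in csv_values.split(",")}
    return lambda e: _text(e, field) in wanted


def not_in_list(field, csv_values):
    wanted = {v.strip() for v in csv_values.split(",")}
    return lambda e: _text(e, field) is not None and _text(e, field) not in wanted


def between(field, low, high):                    # inclusive date range
    lo, hi = parse_date(low), parse_date(high)
    return lambda e: _text(e, field) is not None and lo <= parse_date(_text(e, field)) <= hi


def before(field, value):
    limit = parse_date(value)
    return lambda e: _text(e, field) is not None and parse_date(_text(e, field)) < limit


def is_null(field):
    return lambda e: _text(e, field) is None


def is_not_null(field):
    return lambda e: _text(e, field) is not None


def any_of(*predicates):
    """OR of the given predicates, for use inside search()."""
    return lambda e: any(p(e) for p in predicates)


def search(events, *predicates):
    """AND of all predicates; returns the accountname of each matching event."""
    return [e["accountname"] for e in events if all(p(e) for p in predicates)]
```

Note that BETWEEN and BEFORE parse the field as a date, so a malformed timestamp raises rather than silently failing to match; that is the behaviour a practitioner should want when validating a time-bounded query before saving it as a report.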
Time Modifiers
These operators are used to specify Relative Time or Snap Time using date time
fields.
+/-Time_Offset_IntegerTime_Unit_String
Relative Time. Specifies an amount of time to be added to or subtracted from the
current time.
Note:
• Can be used with any time field
Example: eventtime after -2d (All events that occurred after Today -2 days or within
the last 2 days)
@Time_Unit_String
Snap Time. Specifies the beginning of the selected time unit. For example, @w
is the start of the week.
Note:
• Can be used with any time field
Example: eventtime between "@m","@d" (All events from the start of the month to the
start of today)
+/-Time_Offset_IntegerTime_Unit_String@Time_Unit_String
Combines relative time and snap time.
Syntax: <field> <comparator> +/-Time_Offset_IntegerTime_Unit_String@Time_Unit_String
w, week, weeks
Week:
• w0 (week0) = Sunday
• w1 = Monday
• w2 = Tuesday
• w3 = Wednesday
• w4 = Thursday
• w5 = Friday
• w6 = Saturday
• w7 = Sunday (same as w0)
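A resolver for the relative-time, snap-time and combined tokens described above (-2d, @m, @w1, -1w@w), evaluated against a fixed "now" so the results are reproducible. This is an added example written for this page in Python, not Securonix's parser; it assumes the unit letters h, d and w mean hour, day and week, that m means month (following the page's "@m" example), that @w is the same as @w0 (Sunday, per the week table), and that the offset is applied before the snap.

```python
import calendar
import re
from datetime import datetime, timedelta

# Token grammar from the page: [+/-]<offset><unit>[@<snap-unit>], e.g. "-2d", "@w", "-1w@w".
# Assumed unit letters: h = hour, d = day, w = week, m = month (the page uses "@m" for
# start of month); snap units additionally accept w0..w7 for weekdays.
TOKEN = re.compile(r"^(?:([+-]\d+)([hdwm]))?(?:@(h|d|m|w[0-7]?))?$")

# Fixed reference instant (a Wednesday) so the examples are deterministic.
SAMPLE_NOW = datetime(2024, 3, 6, 14, 30, 45)


def add_months(moment, count):
    """Shift by whole months, clamping the day to the target month's length."""
    index = moment.month - 1 + count
    year, month = moment.year + index // 12, index % 12 + 1
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


def snap_to_weekday(moment, spotter_day):
    """Snap back to the most recent given weekday at 00:00 (w0 = Sunday ... w6 = Saturday)."""
    python_day = (spotter_day % 7 - 1) % 7          # Spotter w1 = Monday -> Python weekday() 0
    back = (moment.weekday() - python_day) % 7
    return (moment - timedelta(days=back)).replace(hour=0, minute=0, second=0, microsecond=0)


def resolve(token, now):
    """Turn a relative/snap token into an absolute datetime; offset applied first, then snap."""
    token = token.strip()
    match = TOKEN.match(token)
    if not match or token == "":
        raise ValueError(f"unsupported time modifier: {token!r}")
    offset, unit, snap = match.groups()
    moment = now
    if offset:
        count = int(offset)
        if unit == "h":
            moment += timedelta(hours=count)
        elif unit == "d":
            moment += timedelta(days=count)
        elif unit == "w":
            moment += timedelta(weeks=count)
        else:
            moment = add_months(moment, count)
    if snap == "h":
        moment = moment.replace(minute=0, second=0, microsecond=0)
    elif snap == "d":
        moment = moment.replace(hour=0, minute=0, second=0, microsecond=0)
    elif snap == "m":
        moment = moment.replace(day=1, hour=0, minute=0, second=0, microsecond=0)
    elif snap:                                        # "w" or "w0".."w7"; @w == @w0 == Sunday
        moment = snap_to_weekday(moment, int(snap[1:] or 0))
    return moment


def window(low_token, high_token, now):
    """Resolve a BETWEEN pair such as "@m","@d" into (start, end)."""
    return resolve(low_token, now), resolve(high_token, now)
```

The month arithmetic clamps the day (so -1m from 31 March lands on 29 February in a leap year), which is the edge case that most often makes a "last month" report window silently wrong.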
Filter Command
This command is used to run a query on multiple collections such as: activity,
violation, watchlist, riskscore , riskscorehistory, users, lookup, geolocation, etc.
FILTER
Performs an inner join on two indexes. This means that the results display the
specified value contained in both indexes based on the comparator.
Note:
• Negative comparators are not valid, as this only performs an inner join
• Start with the larger index and filter to the smaller index
• Any search terms before | (pipe) are applied to the first index only. The search
terms that follow the pipe are then used to further narrow and enrich the
returned events within the second index.
Streaming Operators
Warning: Capital letters, dashes (-), and spaces in the generated field name break
the query when it is piped into other operators.
DEC
Returns the decimal value.
Syntax: EVAL (store-field) = (DEC) ( field )
EQUALS
Returns true if the value matches. Returns false if the value does not match.
Syntax: EVAL <store-field> = <EQUALS> < field > < field-value >
ISDIGIT
Returns true if the value is a digit. Returns false if value is not a digit.
Syntax: EVAL <store-field> = <ISDIGIT> < field >
MATCH
Populates the new field with true if the field’s value matches the regular expression
pattern and false if it does not.
Syntax: EVAL (store-field) = MATCH (Field, REGEX)
ADD
Returns sum of two or more fields / numbers.
Syntax: EVAL <store-field> = ADD (Field1, Field2, #) or EVAL <store-field> = Field1 + Field2 + #
SUBTRACT (DIFFERENCE)
Returns the difference of two or more fields / numbers.
Syntax: EVAL <store-field> = DIFFERENCE (Field1, Field2, #) or EVAL <store-field> = Field1 - Field2 - #
MULTIPLY
Returns the product of two or more fields / numbers.
Syntax: EVAL <store-field> = MULTIPLY (Field1, Field2, #) or EVAL <store-field> = Field1 * Field2 * #
DIVIDE
Returns the quotient of two or more fields / numbers.
Syntax: EVAL <store-field> = DIVIDE (Field1, Field2, #) or EVAL <store-field> = Field1 / Field2 / #
FROM_UNIXTIME
Returns date String from an epoch time.
Note:
• Only converts 10 digit epoch (unix) time at this time.
• Supported date formats:
  ◦ yyyy-MM-dd'T'HH:mm:ssZ
  ◦ yyyy-MM-dd'T'HH:mm:ss
  ◦ yyyy-MM-dd'T'HH:mm:ss.SSS'Z'
  ◦ yyyy-MM-dd'T'HH:mm:ss.SSSZ
  ◦ yyyy-MM-dd HH:mm:ss
  ◦ yyyyMMdd
  ◦ MM/dd/yyyy
  ◦ MM/dd/yyyy HH:mm:ss
  ◦ MM/dd/yyyy'T'HH:mm:ss.SSS'Z'
  ◦ MM/dd/yyyy'T'HH:mm:ss.SSSZ
  ◦ MM/dd/yyyy'T'HH:mm:ss.SSS
  ◦ MM/dd/yyyy'T'HH:mm:ssZ
  ◦ MM/dd/yyyy'T'HH:mm:ss
Syntax: EVAL <store-field> = <from_unixtime> < field > < date format >
to_unixtime
Returns epoch time from a valid date string.
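The FROM_UNIXTIME and to_unixtime pair above, with the 10-digit-epoch restriction from the note and a round-trip check of the kind the Support Queries section later uses to validate time conversions (EVAL x = to_unixtime(...) | EVAL y = from_unixtime(x, ...)). This is an added example written for this page in Python, not Securonix's code: it renders the Java-style patterns listed above itself (yyyy, MM, dd, HH, mm, ss, SSS, Z and quoted literals), assumes UTC for output and for input strings that carry no zone, and returns None for a non-10-digit epoch rather than guessing at milliseconds.

```python
import re
from datetime import datetime, timezone

# Tokenizer for the Java-style patterns listed on the page: quoted literals ('T', 'Z'),
# the pattern letters yyyy MM dd HH mm ss SSS Z, and punctuation/space separators.
JAVA_TOKEN = re.compile(r"'([^']*)'|yyyy|MM|dd|HH|mm|ss|SSS|Z|[^A-Za-z']+")
STRPTIME = {"yyyy": "%Y", "MM": "%m", "dd": "%d", "HH": "%H",
            "mm": "%M", "ss": "%S", "SSS": "%f", "Z": "%z"}


def _tokens(pattern):
    """Yield (quoted_literal_or_None, raw_token); reject pattern letters not in the table."""
    pos = 0
    for match in JAVA_TOKEN.finditer(pattern):
        if match.start() != pos:
            raise ValueError(f"unsupported pattern letter in {pattern!r}")
        pos = match.end()
        yield match.group(1), match.group(0)
    if pos != len(pattern):
        raise ValueError(f"unsupported pattern letter in {pattern!r}")


def from_unixtime(epoch, pattern):
    """Epoch seconds -> date string; returns None unless the epoch is exactly 10 digits
    (the page notes only 10-digit epoch values are converted). Times are rendered in UTC."""
    text = str(epoch).strip()
    if not (text.isdigit() and len(text) == 10):
        return None
    moment = datetime.fromtimestamp(int(text), timezone.utc)
    parts = []
    for literal, token in _tokens(pattern):
        if literal is not None:
            parts.append(literal)
        elif token == "SSS":
            parts.append(f"{moment.microsecond // 1000:03d}")
        elif token in STRPTIME:
            parts.append(moment.strftime(STRPTIME[token]))
        else:
            parts.append(token)           # separator such as "-", "/", ":" or " "
    return "".join(parts)


def to_unixtime(date_string, pattern):
    """Date string -> epoch seconds. Strings without a zone are assumed to be UTC."""
    fmt = "".join(literal if literal is not None else STRPTIME.get(token, token)
                  for literal, token in _tokens(pattern))
    moment = datetime.strptime(date_string, fmt)
    if moment.tzinfo is None:
        moment = moment.replace(tzinfo=timezone.utc)
    return int(moment.timestamp())


def roundtrip_ok(epoch, pattern):
    """The check behind the page's 'Validate Unix Time Conversions' support query:
    to_unixtime(from_unixtime(x)) must give x back."""
    rendered = from_unixtime(epoch, pattern)
    return rendered is not None and to_unixtime(rendered, pattern) == int(epoch)
```

A 13-digit (millisecond) epoch is the usual cause of a conversion that "returns nothing"; the None return makes that visible instead of producing a date thousands of years out.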
BASE64
Returns the base64 encoding value.
Syntax: EVAL (store-field) = (BASE64) ( field )
UNBASE64
Returns the base64 decoding value.
Syntax: EVAL (store-field) = (UNBASE64) ( field )
CONCAT
Populates new field with results by concatenating (joining) the values specified.
Limited to 3 values.
Syntax: EVAL (store-field) = CONCAT (Field/”string”, field/”string”, field/”string”)
ISINT
Returns true if value is an integer. Returns false if value is not an integer.
Syntax: EVAL <store-field> = <ISINT> < field >
ISNOTNULL
Returns true if the value is not null. Returns false if the value is null.
Syntax: EVAL <store-field> = <ISNOTNULL> < field >
ISBOOLEAN
Returns true if the field value is Boolean. Returns false if it is not.
Syntax: EVAL <store-field> = <ISBOOLEAN> < field >
LEN
Finds the length of the field value.
Syntax: EVAL <store-field> = <LEN> < field >
ISNUM
Returns true if the value is a number. Returns false if the value is not a number.
Syntax: EVAL <store-field> = <ISNUM> < field >
UPPERCASE
Converts all characters to uppercase.
Syntax: EVAL <store-field> = <UPPERCASE> < field >
ISSTRING
Returns true if the value is a string. Returns false if the value is not a string.
Syntax: EVAL <store-field> = <ISSTRING> < field >
ISNULL
Returns true if the value is null. Returns false if the value is not null.
Syntax: EVAL <store-field> = <ISNULL> < field >
ISEMPTY
Returns true if the value is empty. Returns false if the value is not empty.
Syntax: EVAL <store-field> = <ISEMPTY> < field >
HEX
Returns the hexadecimal value.
Syntax: EVAL (store-field) = (HEX) ( field )
LOWERCASE
Converts all characters to lowercase.
Syntax: EVAL <store-field> = <LOWERCASE> < field >
REPLACE
Returns a string after replacing all occurrences.
Syntax: EVAL <store-field> = <REPLACE> < field > < fieldvalue > <replace-value>
SUBSTR
Returns substring of actual field value.
Syntax: EVAL <store-field> = <SUBSTR> < field > < start-position > <end-position>
SUBSTRBYINDEX
Returns sub-string of actual field value by index.
Syntax: EVAL <store-field> = <SUBSTRBYINDEX> < field > < delimiter > <An integer indicating the number of occurrences of delimiter>
VISUALCOMPARATOR
Provides the visual comparator value.
Syntax: EVAL (store-field) = VISUALCOMPARATOR( field , field value , (> | < | <= | >= | = )(threshold value))
Nested Queries
You can nest queries that use EVAL commands.
Field Commands
RENAME
Renames the source field to the destination field.
Syntax: RENAME < field1> <as> <field2>
FIELDS
Displays or removes the specified fields from the results. "+" displays only the
specified fields; "-" removes the specified fields from the results.
Syntax: FIELDS < + or - > <field1><,><field2><,>...<field N>
DELETE
Deletes specific events.
Syntax: DELETE <field1 = value> ...<field N = value>
GEOLOOKUP
Extracts location information such as city, country, latitude, and longitude, based
on the IP address.
Syntax: GEOLOOKUP <field>
REX
Extracts and creates fields based on regular expression groupings matched in
the specified key field.
Note:
• The field name is the same as the regex group name
• Multiple groupings (fields) can be formed from a single use as long as all the data is
in the specified field
Transforming Operators
These operators display search results in various visualization formats.
Reporting Commands
AVG DISTINCT
Gets the average of the distinct results for the field.
Syntax: AVG DISTINCT((field 1) <,> (field N)) (by) ( hourly | daily | weekly | monthly | field)
SUM DISTINCT
Gets the sum of the distinct results for the field.
Syntax: SUM DISTINCT((field 1) <,> (field N)) (by) ( hourly | daily | weekly | monthly | field)
GEOMAP
Displays the events in a GEOMAP.
Syntax: GEOMAP < field1> <field2> <field-n>
BUBBLECHART
Shows a type of chart that displays three dimensions of data (x, y, z).
Syntax: BUBBLECHART <field1> <count> <by> <field2> .... <field N>
BARCHART
Represents grouped data with rectangular bars with lengths proportionate to the
values they represent.
Syntax: BARCHART <field1> <count> <by> <field2> .... <field N>
TIMECHART
Displays the data for field(s) in a time series.
Syntax: TIMECHART <hourly | daily | weekly | monthly> <count by> <field1>
<by> <field2> ... <field N>
SPAN
Filters group information within a specified time span.
Note:
Duration: dur =
• Seconds - s, sec, second, seconds.
RARE
Displays the least common values of the field(s). Use limit to restrict the number
of displayed events.
Syntax: RARE <limit = constant> <field1> <by> <field 2> .... <field N>
TOP
Displays the most common values of the field(s). Use limit to restrict the number
of displayed events.
Syntax: TOP <limit = constant> <field1> <by> <field 2> .... <field N>
STATS
Displays the observed values, with the count of events for each value, based on
the specified attributes.
Note: Each field refers to faceting of the previous field. Field1 is L1, Field2 is L2, etc.
Syntax: STATS < field | count> <by> <field> or STATS LIMIT=# Field1 Field2 Field3
LINK
Provides graphical tools for organizing and representing events.
Syntax: LINK < field1> <field2> <field-n>
TABLE
Displays the specified fields in table format, with fields separated by "," (comma).
Syntax: TABLE <field1><,><field2><,>...<field N>
GEOLINK
Plots the geographical connection between two fields on a world map.
Note:
• Field1 sets the starting point
HEATMAP
Forms a matrix based on selected attributes where values are represented by
color.
Note:
• The chart does a count on field1 by default unless an aggregated operator is applied to
the attribute
• The count of field1 determines the color (and size of block if only one attribute is given)
INDEXEDVOLUME
Displays the number of events indexed based on a duration period in the form of
a table or bar chart.
Note:
• Duration periods:
  ◦ Seconds
  ◦ Minutes
  ◦ Hours
  ◦ Days
  ◦ Months
• Supported Types:
  ◦ Table
  ◦ Chart
Aggregation Operators
Command Syntax
Examples: STDDEV(bytesin)
Examples: VARIANCE(bytesin)
Examples: where count > 10; With TOP: resourcegroupname = OKTA | top accountname |
WHERE count > 35; With TOP & ORDERBY: resourcegroupname = OKTA | top accountname |
WHERE count > 35 | ORDERBY asc; With STATS: resourcegroupname = OKTA | stats
accountname | WHERE count > 35; With STATS & ORDERBY: resourcegroupname = OKTA |
STATS accountname transactionstring1 | WHERE count > 0 | ORDERBY desc; With
BARCHART: resourcegroupname = OKTA | BARCHART accountname ipaddress | WHERE count > 5
Examples: Index=riskscore and violator = Activityip | Filter; index = tpi and addr =
entityid and criticality = high
Best Practice
This section describes the recommended best practices and provides support for
frequently asked questions for searching in Spotter.
Optimizing Queries
• Limit a search to 3-5 operators if the operators convert to a Regex match in Solr, as
those are CPU intensive.
Refining Queries
• Use the following query to see all threat model violations when the name is
unknown: index= violation | FILTER index=riskscore and
employeeid=employeeid and doctype = entity_threatmodel
Note: You will be unable to see the violated policies that resulted in the threat
model violation.
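The inner-join semantics of the FILTER command (described under Filter Command above) and this refining query, index=violation | FILTER index=riskscore and employeeid=employeeid and doctype=entity_threatmodel, modelled over two constructed lists of index documents. This is an added example written for this page in Python, not Securonix's Spotter engine; the rows, the riskscore values and the spotter_filter() helper are assumptions made for the example. It follows the notes on the page: the larger (left) index is searched first, the terms after the pipe are applied only to the right index, the join is an inner one so unmatched rows drop out, and the kept rows are enriched with the matching right-hand fields.

```python
# Constructed sample rows for two indexes; field names follow the page's FILTER example.
VIOLATIONS = [   # index=violation (the larger index, searched first)
    {"employeeid": "E1", "policyname": "Rare process launch", "sessionid": "1102"},
    {"employeeid": "E2", "policyname": "Abnormal logon hour", "sessionid": "1103"},
    {"employeeid": "E3", "policyname": "Data egress spike", "sessionid": "1104"},
    {"employeeid": "E9", "policyname": "Orphan account", "sessionid": "1105"},
]
RISKSCORE = [    # index=riskscore, one document per entity and doctype
    {"employeeid": "E1", "doctype": "entity_threatmodel", "riskscore": 87},
    {"employeeid": "E2", "doctype": "entity_policy", "riskscore": 35},
    {"employeeid": "E3", "doctype": "entity_threatmodel", "riskscore": 42},
    {"employeeid": "E1", "doctype": "entity_policy", "riskscore": 60},
]


def spotter_filter(left, right, join_field, right_terms=None):
    """Inner join in the spirit of `... | FILTER index=<right> and <f>=<f> and <terms>`.

    right_terms holds plain field=value equalities only: the page notes that negative
    comparators are not valid here because the operation is an inner join.
    Keeps left rows whose join_field value exists in a right row satisfying right_terms,
    and enriches each kept row with that right row's other fields.
    """
    right_terms = right_terms or {}
    matches = {}
    for row in right:
        if all(row.get(field) == value for field, value in right_terms.items()):
            matches.setdefault(row[join_field], row)   # first matching right row wins
    joined = []
    for row in left:
        hit = matches.get(row.get(join_field))
        if hit is None:
            continue                                   # inner join: no match, row dropped
        enriched = dict(row)
        for field, value in hit.items():
            enriched.setdefault(field, value)          # left-hand fields take precedence
        joined.append(enriched)
    return joined


def threatmodel_violations(violations=VIOLATIONS, riskscore=RISKSCORE):
    """The page's refining query: index=violation | FILTER index=riskscore and
    employeeid=employeeid and doctype=entity_threatmodel."""
    return spotter_filter(violations, riskscore, "employeeid",
                          {"doctype": "entity_threatmodel"})
```

Running threatmodel_violations() keeps only E1 and E3, each carrying its threat-model riskscore; E2 has only an entity_policy document and E9 has no riskscore document at all, so both fall out of the join exactly as the note about the missing violated-policy detail implies.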
Support Queries
Question: Geomap / Geolink not displaying points on the map
Query: eventlatitude NOT NULL and eventlongitude NOT NULL
Validation:
• Substitute / add other fields from the GEOMAP table to validate if they are populated
• If no, validate enrichment in the Activity import screens and further validate the enrichment job.
• If no data in index: import geolocation data (Maxmind)
Escalation: If enrichment is functioning, open a ticket for further support.

Question: Geolookup is not populating Geolocation attributes
Query: index = geolocation (ipto and ipfrom must be populated)
Validation: If ipto and ipfrom are missing or have 0.0.0.0, the index is not valid. Re-import geolocation data.

Question: Validate Unix Time Conversions
Query: | EVAL x = to_unixtime(time_attribute) | eval y = from_unixtime(x,"MM/dd/yyyy HH:mm:ss") | FIELDS + x, time_attribute, y
Validation:
• Use an external unix to human time convertor to validate.
• All times should match in human readable format
• If the field is missing from the fields command, switch to table
Escalation: Open a ticket if they are not functioning

Question: Missing details on Violation Events Tab
Query: index=violation and accountname = ACCOUNT_N_ | Stats policyname
Validation:
• Validate that the policy name matches the one from SCC; trailing spaces are sometimes cut off.
• If a match is observed, check: does the name match when added to the Spotter search including all whitespace characters?
• If no match, check if any other violation details exist in riskscore and/or riskscorehistory
Escalation:
• If a match is observed, continue
• Need to know the data source name

Question: undefined field
Query: N/A
Validation:
• Validate the field is being parsed in the activity import configuration screens
• Validate the field & parsed field is stored in the collection, as it may not exist in older collections.
Escalation:
• If the field is being parsed, send a ticket to PM for further support
• If the field is not being parsed, work with Content to parse and revalidate going forward

Question: SOLR Error: Unknown Faceting Level > Refine
Query: Spotter Setting / Spotterconfig RefineMethod. Default Value: true. Acceptable values:
• simple
• TRUE
• none
Validation:
• If the Solr version is old, remove the keys refine and overrefine from spotterconfig in the DB
• SOLR 7 or newer: change the value to true
Limitations
Note: All of the following limitations are configurable in Configxml > spotter_config. If
you want to change beyond the default value, you must consider the Application
Resources and the Solr Cell configuration / resources to maintain application stability.
If changed while the application is running, use the Refresh Config button in the
expanded Spotter search bar to apply the change.
• Max Bucket Size: When you execute a Spotter search that threatens to take the
application out of memory by returning too many tuples (unique values), the
application cancels the query to maintain application stability.
  ◦ Tag & default value: <maxBucketSize>100000</maxBucketSize>
  ◦ UI message: Query matched too many unique values. Query has been stopped to
maintain application stability.
• Query timeout: All Spotter queries are canceled at the 3 minute mark regardless of
results returned, to prevent the underlying system, SOLR, from crashing, which would
impact the application itself.
  ◦ Tag & default value: <timeAllowed>3000</timeAllowed>
  ◦ UI Message
    ▪ 0 Results: Query Time out passed , current query is too resource intensive or
search servers are busy. Please narrow your search.
    ▪ Partial Results: Query time allowed exceeded. Partial results returned. Please
refine query.
• Allowed Faceting Fields for Commands: Any command that uses faceting / aggregation
has a set limit on the number of fields it may use, to maintain application stability.
  ◦ Tag & default value: <allowedFacetFieldsForCommands>3</allowedFacetFieldsForCommands>
• Leftside Maximum collections: This is the number of SOLR collections that the system
searches through for the attributes added to the Selected Fields panel on the left side
for simple searches.
  ◦ Tag & default value: <leftSideMaxCollections>5</leftSideMaxCollections>
• Facet Levels: All aggregation commands and the timeline that appears on Spotter use
faceting to obtain the counts of events as designed. These limits are used to maintain
application stability. No message is displayed for this.
  ◦ Use a report with index = archive to go beyond the Facet level limitations
• Others:
  ◦ Transforming and Aggregation Operators do not cross Archive. The operators are
performed in different systems and therefore cannot be combined. If you need to
perform these actions on data that includes archive, prefix the query with
index=archive
Incident Management
SNYPR includes comprehensive case management capabilities that allow multiple
teams to collaborate on investigation and incident response. You can manage and
collaborate on cases from the Incident Management dashboard.
You can run an Incident Management summary or detail report and send it to the security
operations center (SOC) manager or an analyst of your choice. The reports include:
l Incident Management Weekly Summary
Manage Cases
When a case is created, you can manage and track the case using the management
features on the Incident Management dashboard.
To get started, navigate to Menu > Security Center > Incident Management.
The following table provides a description for each element referenced in the previous
image:
Management Features / Description
d: Change Status
    Click the drop-down and select a status. The following status options are available:
    • Assign to Analyst
    • Close as Fixed
    • Claim
    • Change Criticality
e: Search
    • Entityid
    • Employeeid
    • department
    • firstname
    • lastname
    • Incident id
    • manageremployeeid
    • title
    • comments
    • policy name
    • group name
f: Refresh
    Refreshes the dashboard after you update it with edits, filters, or if you want to
    view more recent data.
g: Filter Incidents/Reports
    Filters the dashboard by incidents or reports.
• Risk Score
i: Graphical Analysis
Select any incident in the Incident Management panel to view the Case Details. The
Case Details screen includes the violator’s name and information, a summary of the
violation, the violation events, an activity stream, and the playbooks associated with
the event. From the Case Details screen, you can take action on:
• An entity based on their violated policies
• A single policy
To start a conversation with another analyst, click the green chat icon. A text box
will appear, allowing you to type and send your message:
Note: Only users viewing the case at the same time will appear as available for chat.
To send your message, click the green arrows. To close the chat conversation,
click the green chat icon.
justify the action. See Take Actions on Cases for more information about the actions you
can take from this screen.
To view case details, complete the following steps:
1. Navigate to Menu > Security Center > Incident Management.
The following table lists the user interface (UI) elements on the Case Management
screen:
UI Element / Description
b: Violator
    • Department
    • Title
    • Policy Name
c: Incident and Entity Details
    The Incident Details tab displays details about the entity associated with the
    violation.
    The Entity Details tab displays information such as user and workflow details,
    employment history, and custom properties.
e: Violation Summary
    Displays the reason for the violation and a graph of the risk score trend.
f: Activity Stream
g: Violation Summary
    A summary representation of the violation that is connected to the incident.
h: Other Policies
    A list of additional policies violated by an entity.
i: Violation Events
    The individual events that are associated with the violation as a Spotter search.
j: Attribute Names
    You can toggle between the Securonix attribute names and the user-defined
    attribute names the content developer selected during activity import. The
    following options are available:
    • Show Securonix Attribute Names: The standard naming format that Securonix
    uses for an attribute.
    • User Defined Attribute Name: A customized naming format for an attribute.
The information that displays in the images above is based on the violation
summary configured by the content developer during the policy or threat
model creation.
• Closed as Fixed
• Claim
• Change Criticality
• Claim an open case (a case not yet assigned), and begin the investigation process.
Note: These actions vary for all cases and may be labeled differently for custom
workflows.
This option is used to assign the case to an individual user or a user group.
To assign a case to an analyst, complete the following steps:
1. Complete the following information:
2. Click Submit.
3. Click the ellipses icon to view the analyst or group that the case is
Assigned To.
Use this option to change the criticality of the case. To change the criticality of
a case, complete the following steps:
1. Check the box next to the incident(s) you want to change the criticality for.
4. Click the Criticality drop-down and select from one of the following status
options:
• None
• Low
• Medium
• High
• Custom
5. Click Update.
Claim
Use this option to claim the case for the current user (you) and start working
the investigation. To claim a case, complete the following steps:
1. Enter comments to explain or justify the action.
2. Click Submit.
Note: Only the analyst who has claimed the case will have the authority to edit the
case. Other analysts in the group will be able to view the case and the case details.
Accept Risk
Use this option to close the case and mark the violation as fixed. To accept
risk for a case, complete the following steps:
1. Complete the following information:
2. Click Submit.
Note: You will not be able to take further action on a case when it has been closed
for Accept Risk. You must reopen the case.
Violation
Use this option to close the case and mark the case a confirmed violation. To
close a case, complete the following steps:
2. Click Submit.
Note: You will still be able to take actions such as Claim, Release and Assign to
Analyst when the case is closed as a violation.
• Entity/violator: For an entity, violations across all jobs are grouped in one case.
After you create a case for the security incident, you can use the Incident Management
dashboard to analyze the data. For more details about the features available on this
screen, see Violation Summary.
To create a case, complete the following steps:
1. Navigate to Menu > Security Center > Security Command Center.
2. Click an entity, violation, or threat from any of the dashboard widgets. For example, a
3. Click Take Action from the right side of the violator, then select Mark as concern and
create incident.
4. Complete the following information in the Mark as concern and create incident dialog box:
a. Available Workflow: Select a workflow from the drop-down. For more information about
configuring workflows, see Workflows in the SNYPR Administration Guide.
To search for a user or group, click the magnifying glass icon. The Select
Assignee pop-up displays. To select an assignee, select the radio button next to
the user or group you want to assign the case to, then click Assign.
5. Click Submit.
After you create the case, you can navigate to Menu > Security Center > Incident Man-
agement to manage the case from the Incident Management dashboard.
Reports
SNYPR has both out-of-the-box standard reports and extensive ad-hoc reporting
capabilities. From the Report menu, the following options are available:
• Categorized Reports: Schedule and run default reports or create custom reports.
• Scheduled Reports Job: View existing report jobs and schedule new report jobs for saved
reports.
Categorized Reports
This feature allows you to schedule and run default reports, or create custom reports to
run on Spotter, database, or archived data.
To access categorized reports, navigate to Menu > Reports > Categorized Reports.
On the left navigation pane, reports are filtered by category. You can add categories and
create new reports within an existing category.
Screen Elements / Description
a: Report Category Filter
    Type the report category name to filter records.
b: Total Category
    View the total number of report categories.
c: Add Category
    Click to create a new report category.
d: Category
    View the report categories. By default, the following report categories are included:
    • Auditing
    • Incident Management
    • Miscellaneous
    • Resources Reports
    • Spotter Reports
    • User Reports
    You can click a report category to view the existing default reports available
    for that category.
e: Add Report
    Click to add a new report.
f: Scheduled Reports
g: Merge Reports
    Click to merge two spotter reports into one.
h: Archived Reports
    Click to view the archived reports.
i: Filter
    Type the report name or tenant name to search for a report by name or tenant name.
j: Report Details
    Display the report details such as report name, tenant name, and available actions.
k: Tenant Name
    Displays the name of the tenant the report is assigned to.
m: Schedule
    Click to schedule the report job.
o: Download
    Click to download the report.
3. In the Add New Category dialog box, enter a unique name in the Category Name
field.
4. Click Save.
The new category will appear in the left navigation pane. To create new reports for this
category, see Create a New Report.
a. Report Category: Select an existing report category from the drop-down under which the
new report will appear.
b. Report Visibility (Owner): Select a specific user or group of users who will have
visibility to the report. If no owner is selected, the report is visible to all logged-in
users.
Tip: Click the magnifying glass to open a list of available groups and users. From here,
you can select a group or individual user.
6. Click Assign.
In the Connection Details section, you will set up the report file and connection type. You
can run reports on the following connection types:
Database
The Database option runs the report on data stored in a database. To create a
Database report, complete the following steps:
1. Complete the following information:
a. Choose the source of your report data: Select Database from the drop-down.
b. Tenant Name: Select the tenant name from the drop-down list.
c. Logo: Choose a jpg or png logo that is associated with the report.
Note: SNYPR integrates with Jasper Reports to use the contents and configurations of
JRXML files as a template for the report. The securonix_home/reports directory contains
over 50 JRXML default files you can use. For more information about Jasper Reports, see
http://community.jaspersoft.com/project/jasperreports-library. For a complete list of
the JRXML files available in Securonix/tenants/<tenant>/securonix_home/reports, see
Report Templates.
e. Character set encoding formats: Choose the character set encoding that will be
used for the CSV reports. By default, UTF-8 encoding is used.
Note: To add additional parameters, click the green plus + sign. To delete parameters,
click the red minus - sign.
Report file.
Example:
• The value of attribute NAME of the parameter tag from the report file
• REPORT_DATA_SOURCE
Example: Resource.
Example: $ID.
4. Click Save.
Archived Data
The Archived Data option runs the report on historical data stored in HDFS. To
create an Archived Data report, complete the following steps:
1. Provide the following information:
a. Choose the source of your report data: Select Archived Data from the drop-down
list.
b. Tenant Name: Select the tenant name from the drop-down list. In case of connection
type SPOTTER, the filtered global tenants are considered while running the report.
c. Logo: Choose a jpg or png logo that is associated with the report.
Note: SNYPR integrates with Jasper Reports to use the contents and configurations of
JRXML files as a template for the report. The securonix_home/reports directory contains
over 50 JRXML default files you can use. For more information about Jasper Reports, see
http://community.jaspersoft.com/project/jasperreports-library. For a complete list of
the JRXML files available in Securonix/tenants/<tenant>/securonix_home/reports, see
Report Templates.
e. Character set encoding formats: Choose the character set encoding that will be
used for the CSV reports. By default, UTF-8 encoding is used.
Note: To add additional parameters, click the green plus + sign. To delete parameters,
click the red minus - sign.
Report file.
4. Click Save.
Spotter
The Spotter option runs the report on data in Solr using Spotter search terms. To
create a Spotter report, complete the following steps:
a. Choose the source of your report data: From the drop-down list, select
b. Logo: Choose JPG or PNG logo to be associated with this report. The file size
should not exceed 100 kilobytes (kB).
d. Do You Want to Export All Records that matched the report query.: Toggle this
setting to one of the following options:
• NO: Specify a maximum number of records to export.
• YES: The report will export all records for the query.
e. Character set encoding formats: This is used for CSV reports. By default, UTF-8
encoding is used.
b. Do you want to export all records that match the report query?: When
enabled, the flag will fetch all entries (up to five million) for a given Spotter
query in reports.
Note: Only the CSV format is available for exporting these reports, and a zip file is
generated (which includes multiple CSV files).
The Snypr Datasource Report option runs the report on SNYPR data source. To
create a Snypr Datasource Report, complete the following steps:
a. Choose the source of your report data: Select SNYPR Datasource Report from
the drop-down.
b. Logo: Select the logo you want to print on the report. To navigate to the appropriate
file location, click Browse.
c. JRXML template: Select the JRXML file of the template associated with this report.
To navigate to the appropriate file location, click Browse.
d. Character Set Encoding Format: Select the character set encoding format
the drop-down.
c. Logo: Select the logo you want to print on the report. To navigate to the
d. JRXML template: Choose the JRXML file of the template associated with
e. Character Set Encoding Format: Select the character set encoding format
3. Select the reports from the Supported Reports Formats box and click the double
arrows (>>) to move them to the Included Reports Formats box.
Note: To add additional parameters, click the green plus + sign. To delete parameters,
click the red minus - sign.
Report file.
6. Click Save.
The Security Command Center option runs the report on SCC. To create a SCC
report, complete the following steps:
1. Provide the following information:
a. Choose the source of your report data: Select Security Command Center
c. Logo: Select the logo you want to print on the report. To navigate to the
d. JRXML template: Choose the JRXML file of the template associated with
e. Character Set Encoding Format: Select the character set encoding format
3. Select the reports from the Supported Reports Formats box and click the double
arrows (>>) to move them to the Included Reports Formats box.
Note: To add additional parameters, click the green plus + sign. To delete parameters,
click the red minus - sign.
Report file.
6. Click Save.
The new report appears under the category you selected when the Report Details were
configured.
3. Locate the report you want, then click the Schedule icon in the Actions column.
Note: Fields on the form may vary depending on the type of report and resource on which the
report is to run.
b. Tenant Information: Select the tenant for which you want to generate the report.
a. Do you want to run Job Once?: Select to run the job once now.
b. Do you want to schedule this job for future?: Select this option to select how often
8. Click Schedule.
The report opens in the format you selected in the Report Details section.
3. Locate the report you want to run, then click the Download icon to run the report.
4. Select the appropriate file format. The following formats are available:
a. PDF
b. XML
c. CSV
d. RTF
e. TXT
f. DOCX
4. Drag desired reports from the List of Available Spotter Reports section to the
Included Reports for Merge in Sequence section.
5. Complete the following information in the Schedule and Email Template Details section:
a. Select Report Format: Select an option from the drop-down. Example: pdf.
b. Choose Email Template: Select the email template you want to use to send the report via
email from the drop-down.
a. Do you want to run Job Once?: Select to run the job once now.
b. Do you want to schedule this job for future?: Select this option to select how often
7. Click Schedule.
8. Download the report from Scheduled Reports Jobs when status is complete.
1. Navigate to Menu > Security Command Center > Spotter to conduct a search.
2. Click the Search Results tab, then select Reports > Export Spotter Results.
The option to Export Spotter Results appears in the drop-down along with any Spotter
reports configured under Menu > Reports > Categorized Reports. For information
about how to configure Spotter reports, see Reports.
3. Click the Select Report Format drop-down and select a format for the report:
- PDF
- CSV
- XLS
- RTF
- TXT
- DOCX
Note: When disabled, the toggle below the Select Report Format only exports 1,000 events
in the report.
4. Check the box next to each attribute you want to be included in the report, then click
the right arrow highlighted in blue. Attributes that appear in the User Attributes
column are included in the report.
Note: By default, when the STATS or TOP table queries are used, the attributes display in
the User Attributes (Securonix Attributes) box.
Tip: To select all attributes, check the Select All box in the column header.
5. Click Schedule to save the label and include the attribute in the report.
6. Click Run to run the report and download the report from the Notifications menu when
status is complete.
Edit a Category
To edit a category, complete the following steps:
1. Navigate to Menu > Reports > Categorized Reports.
2. Click the edit icon in the left pane next to the report you want to edit.
4. Click Save.
To delete a report, locate the report you want to delete, then click the trash icon at the end
of the row.
Auditing
The Auditing feature allows you to audit activity performed in the SNYPR application and
check for log tampering. It maintains a historical record of users' actions to provide proof
of compliance and system integrity. The audit trail contains details about each action,
including the date, time, the before and after changes, the audit code, and information
about the user associated with the action.
To access the Auditing screen, navigate to Menu > Reports > Auditing. You can take the
following actions on this screen:
a. Configure auditing
Note: Following the SNYPR 6.3.1 upgrade, you can only generate an auditing report for the
current records from Auditing. To generate the auditing report for old records, refer to the
Generate Auditing Report for Old Data section.
3. Select an activity type from the left pane. The following activity types are available:
a. Security Center
b. Operations Center
c. Views
d. Reports
e. Analytics
f. Administration
g. Add Data
h. User Authentication
i. Web Services
j. Content_Dispenser
k. Data Dictionary
l. Configuration Migration
Module | Audit Code | Description
 | Change Password | Successful password change
Views - Users | Remove organization | Removed an organization
Analytics - Access Reviews Jobs | Configure Access Review Job | Configure an access review job
 | Delete Job | Delete a policy job
 | Run | Run
Reports - Schedule Reports | Schedule Report | Schedule a report
 | Change Password | Change a user's password
 | Activity Geolocation | Enable geolocation in activity data
 | Save Evidence | Evidence saved successfully
 | Delete Evidence | Evidence deleted successfully
Workbench - Evidence | Download evidence image | Evidence image downloaded successfully
Auditing Report
To download or schedule an auditing report, do the following:
1. Navigate to Menu > Reports > Auditing.
c. Select Report Format: Select an option from the drop-down. Example: PDF.
b. StartTime: Click the field to use the calendar control to select the start date and time for the
report.
c. EndTime: Click the field to use the calendar control to select the start date and
a. Do you want to run Job Once?: Select to run the job once now.
b. Do you want to schedule this job for future?: Select this option to select how often
7. Click Schedule.
b. Start Time: Click the field to use the calendar control to select the start date and time for the
report.
c. End Time: Click the field to use the calendar control to select the start date and time for the
report.
a. Do you want to run Job Once?: Select to run the job once now.
b. Do you want to schedule this job for future?: Select this option to select how often
6. Click Schedule.
- Click the schedule icon beside the search bar on the Categorized Reports screen:
You can take the following actions on report jobs from the Scheduled Report Jobs
screen:
Views
From the Views screen, you can view general details about users and resources, drill
down into users to view details such as peer groups, access, activity, and behavior
profiles, modify and delete user identities, view and manage Watch Lists, create and
manage White Lists, and view data in Lookup Tables.
The following Views are available in the SNYPR application:
- Users
- Peers
- Resources
- Watch List
- White List
- Lookup Tables
User Views
Users, in the context of the application, refers to all users interacting with the IT
infrastructure of the organization. Users can be employees, contractors, temporary
workers, partners, vendors, suppliers, and even customers.
The User Views feature allows security administrators to view user identity, access and
activity data, peer group memberships, and behavior profiles of individuals, and to modify
imported user identities within the SNYPR application.
Before you can view and manage users, you must import user data into SNYPR. For
more information about importing user data, refer to the User Data section in the SNYPR
Data Integration Guide.
Manage Users
To manage users, navigate to Menu > Views > Users to view and manage user
identities. By default, the list is sorted by Employee ID in ascending order.
Note: The column headings may vary depending on the attributes mapped when importing user
data.
Click the Advanced Options icon in the left navigation panel to view users by department
or division.
Click the filter icon to type text to filter the list of departments or divisions.
Click an ID under the Employee ID column to view user details. For more information, see
View User Details.
a. Search criteria: Enter the search criteria in the text box. For example, type "Clarke" to search
for users with the last name Clarke.
d. Attribute search: Use the drop-down list to choose the attribute on which to search. For
example, lastname.
e. Search icon: Click the search icon to search. The screen refreshes with the search results.
General Details
The General Details option displays the identity details for the selected user. The
information displayed on this screen represents the data collected for the user during
the import process.
In the lower right corner of the screen is a collapsible menu. When the menu is expanded,
you can select from the following options to jump to that section of the user details:
- General Details
- Contact Details
- Workflow Details
- Employment History
- Custom Properties
- Change History
Peer Groups
A user may belong to one or multiple Peer Groups. These Peer Groups are typically
based on user HR attributes such as job code, title, and manager. The application uses
peer groups to compare the user’s access and activities and determine outlier behavior or
anomalies.
Monitor Access
The Monitor Access option allows you to view the accounts, access privileges, and
profiles held by a user on each resource. To view details of an account, click Account Name.
a. General Details about the account including the type, risk score, criticality, and status.
b. Access Details about the account including the values for each attribute mapped to
the account. For example, the employeeID.
Monitor Activities
The Monitor Activities option allows you to view all activities performed by a user across
all resources for a selected period. Click on any data point or field to filter events, enter a
custom Spotter query, or export the search results as Reports. For information about how
to search events and what actions you can take on this screen, see Spotter.
Edit Users
Administrative users can make changes to individual users or groups of users.
Warning: To maintain integrity of user data, any changes to user information should be made in
the source application (HR data source), and then those changes imported into SNYPR from
the source using a data feed. If users are updated in SNYPR, and a new data feed is imported
from the source application, the latest information from the source will overwrite any manual
changes made in SNYPR.
3. Edit the details for the user and click Update to save the changes, or click Disable to
Peer Views
A peer group in SNYPR is defined as a group of users who perform similar job functions.
Users may be grouped based on department, job code, location, and reporting manager.
HR user attributes are typically used for this purpose. You can also derive peer groups
based on resources to which users have access. Any number of peer groups can be
defined based on business requirements. There is no limit to the number of peer groups
that can be created or the number of users assigned to peer groups.
Peer Groups are created to manage access outliers, access logs, and activity logs for the
users that belong to a particular peer group. Policies that search for behavior that is
abnormal compared to peers also use peer group attributes.
- Peer Assignment Rules: Manually create peer groups and assign users to the groups.
For additional information, see Peer Groups in the SNYPR Data Integration Guide.
a. Filter: Click the icon to expand or collapse the text filter box.
b. Advanced Options: Click the icon to choose whether to show peer groups by type or
peer name.
a. Peer Group Type: Lists all the peer groups of a selected Peer Group Type.
b. Peer Name: Lists all the peers within a selected peer group.
c. Text Filter: Type text to filter the list of peer groups shown in the left navigation pane.
d. All Tenants: Select one or more tenants from the drop-down to filter the peer names that
display in the table.
e. Peer Group Type: Click a peer group type to display all peer groups associated with a
Note: If Peer Name is selected, click a peer group name to view the details for the peer
group.
f. Collapse: Click the icon to collapse the left navigation pane. Click the expand icon: to
expand the left navigation pane.
g. Refresh: Click the icon to return to the default peer views screen.
h. Search Criteria: Type text to search for a peer group name that matches the search text.
l. Peer Name: Click a peer group name to view the General Details, Members, and Behavior
Profile associated with the peer group. For more information, see View Peer Group Details.
3. Click an option on the left navigation pane to view the following details:
Note: You can edit the Owner field on this screen. Click Update to save.
Resource Views
Resources are the applications, servers, databases, and so on that enable users to perform
various tasks. One resource may contain one or more datasources. For example, Google
is a resource, and the datasources for the resource may include Google Admin and
Google Login.
1. Filter: Click the icon to expand or collapse the text filter box.
2. Advanced Options: Click the icon to choose whether to show Resources by Type, Cat-
3. Text to Filter: Type text to filter the list of peer groups shown in the left navigation pane.
4. Resource Type: Click a resource name to view the datasources associated with the resource.
5. Exit: Click the icon to exit the left navigation pane. Click the expand icon to expand the left
navigation pane.
6. Search Criteria: Type text to search for a resource name that matches the search text.
9. Name: Click an option under the Name column to view the Resource Details screen. For more
information, see View Resource Details.
3. Click a name from the Name column to view the Resource Details screen.
On the left navigation pane, click this option to view the following information
for the datasource:
- Resource Details: Displays the connection details configured during data import.
Peer Groups
Monitor Activities
On the left navigation pane, click Monitor Activities > Events to supervise the
activity event data associated with different data sources.
Click any data point or field to filter events, enter a custom Spotter query, or
export the search results as Reports. For information about how to search
events and the actions you can take on this screen, see Spotter.
Behavior Profile
For more detailed information about how behavior profiles are generated,
refer to the Behavior Profiles section in the SNYPR Analytics Guide.
On the Behavior Profile screen for a Resource, you can perform the following
actions:
1. Select a policy that has been configured for the datasource for which to view the
behavior profile.
2. From the Type drop-down, select options to view the Resource Behavior,
Note: Menu options may vary based on the violation entity selected during
policy creation.
- Account Behavior shows account behavior across the time line for the
selected resource.
- Account Names shows the behavior profile for the account across a
time line for the selected resource.
  - Resource: Select a specific resource from the drop-down to view the behavior
profile for that resource.
  - Account: Select an account from the drop-down to view events for that
account.
3. Select a time range in which to view the behavior baseline: daily, weekly,
4. Click All Attributes to filter the data points on which to view the baseline.
5. View Valid Clusters on which the profiles are generated. Valid Clusters
6. View a Summary of the events associated with the behavior profile you are
viewing. Click any data point on the baseline to view specific events or
enter a custom Spotter query. For more information about what you can do
in this section, see Spotter.
a. Click a date on the timeline to see the events that took place on that date:
c. In the filter field, you can enter a custom Spotter query. For more information, see Spotter.
d. Click Reports to export the search results as a report. For more information, see Reports.
For more detailed information about how behavior profiles are generated, refer to
Behavior Profiles in the SNYPR Analytics Guide.
On the Behavior Profile screen for a Resource, you can perform the following actions:
1. Select a policy that has been configured for the datasource for which to view the
behavior profile.
2. From the Type drop-down, select options to view the Resource Behavior, the Account
a. Resource Behavior: Shows the baseline activities for the selected resource and any
deviations from the baseline across the time line.
- Resource: Select a specific resource from the drop-down to view the behavior profile for
that resource.
b. Account Behavior: Shows account behavior across the time line for the selected resource.
- Resource: Select a specific resource from the drop-down to view the behavior profile for
that resource.
c. Account Names: Shows the behavior profile for the account across the time line for the
selected resource.
- Resource: Select a specific resource from the drop-down to view the behavior profile for
that resource.
- Account: Select an account from the drop-down to view events for that account.
Note: These options may vary based on the violation entity selected during policy creation.
3. Select a time range in which to view the behavior baseline: daily, weekly, monthly,
day of week, or time of day.
4. Click All Attributes to filter the data points on which to view the baseline. Baseline is
defined as the maximum value for a valid cluster.
5. View Valid Clusters on which the profiles are generated. Valid Clusters are a
numerical measure applied to judge various aspects of cluster validity. Multiple groups
of similar data points between the minimum frequency and maximum frequency help to
create a valid cluster.
6. View a Summary of the events associated with the behavior profile you are viewing.
Click any data point on the baseline to view specific events or enter a custom Spotter
query. For more information about what you can do in this section, see Spotter.
a. Watchlist Name: Click the drop-down list to filter by the watch list name or tenant name.
b. Text to Filter: Type text to filter the list or click the Advanced Options menu to search for a
specific watch list.
c. Edit: To edit a watch list, click the edit icon. An edit dialog box will appear with the
following fields:
1. Do you want to create a new widget on the Security Command Center for this
Watchlist?:
- Toggle to YES and provide a new widget name to create a new widget on the Security
Command Center.
3. Click Save. The widget will appear on the Security Command Center.
When you select a watch list, the list of members appear on the right side of the screen.
From here, you can add, remove, or view members in a watch list. Members can be users,
activity accounts, network addresses, or resources.
2. Click the watch list you want to edit from the left pane.
(1) Lists of users, activity accounts, network addresses, and resources that are deemed
problematic and require special attention due to suspicious activity or inherent risk factors.
4. Click the drop-down and select the type of entity to be added to the watchlist. The
following options are available:
a. User
b. Activity Account
c. IP Addresses
d. Resources
watchlist
6. Click Next.
a. Watchlist
b. Expiry Date
c. Location
Note: If you have a paginated list of users, select and add users one screen at a time; changing
pages may clear any selections. You may change the number of records shown per page to add
multiple users.
2. Click the watch list you want to edit from the left pane.
A confirmation message will appear to confirm that the member is removed from the
watch list.
White List
SNYPR uses white lists to exempt entities and attributes from monitoring. You can create
the following types of white lists:
- Global White List
From the White List option, you can only create global white lists, but you can add entities
or attributes to all types of white lists.
- Activity Account
- Resources
- Network Address
- RG Activity Account
You can create a global white list and add entities from the following options:
- White List option of Views
You can create a targeted white list for a policy or threat model only from the Security
Command Center. However, you can add attributes to an existing white list from the
following options:
- White List option of Views
3. Provide a unique name for the white list in Whitelist Name. Example: VIP Users.
- User
- Activity Account
- Resources
- Network Address
- RGActivityaccount
5. Select a tenant from Select Tenant drop-down list to create the white list.
6. Click Save.
2. Select a white list from the left navigation pane and click Add Member(s).
a. Select Datasource: Select the datasource from which you want to whitelist
the attributes.
b. Input the resource name: Provide the resource name from which you need to add
entities.
- Select Attribute: Select the attribute. The list displays the attributes from the
selected datasource.
- Select Condition: Select any of the following conditions to apply on the selected
attribute:
  - Equals
  - Contain
  - Not equal to
- AND / OR: Select AND or OR condition if you want to set multiple filter criteria.
d. Comments:
e. Do you want to reduce the risk score for selected entity to zero?: Enable
to reduce the risk score of the user. Disable to retain user's risk score
when they violate a policy.
f. Add expiry date?: Enable to specify the duration the attributes will be white listed.
Disable if you don't want to set the expiration date for white listed attributes.
- Select Create New and enter the white list name in New Whitelist Name.
6. Enable Do you want to reduce the risk score for selected entity to zero? to reduce
the risk score of the user. Disable to retain the user's risk score when they violate a policy.
7. Enable Add expiry date? to specify the duration the white list attributes will be enabled.
Disable if you don’t want to set the expiration date.
8. Select the duration the attribute will be white listed in Select Duration. When
Add expiry date? is enabled, you have to specify the duration after which the
attribute will not be white listed.
4. Scroll down to the Additional Settings section, then click White List.
2. Perform either of the following for Do you want to white list this entity indefinitely?:
- Select NO and specify the date in Whitelist Until.
- Select YES.
3. Do you want to reduce the risk score for selected entity to zero?: Enable to reduce
the risk score of the user. The selected user will be skipped next time they violate a
policy. Disable to retain user's risk score when they violate a policy.
- Attribute: Select the attribute. The list displays the attributes from the selected
datasource.
- Condition: Select any of the following conditions to apply on the selected attribute:
  - Contain
  - Not equal to
  - Equal to
  - In
  - Greater Than
  - Less Than
- AND / OR: Select AND or OR condition if you have to set multiple filter criteria.
- Observables widget
These white lists are displayed in the White Lists option of Views. You can assign more
attributes from the White List option, if required.
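The white list settings described above (attribute/condition rows combined with AND or OR, an optional Whitelist Until expiry, and the "reduce the risk score to zero" toggle) can be modelled as a small rule evaluator. The following is an added example, not SNYPR's own code: the event field names, the sample white lists and the exact comparison each condition performs are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Any, Optional

# Condition operators as listed on the white list form. Mapping each one to a
# Python comparison is this example's assumption about its semantics.
CONDITIONS = {
    "Equals": lambda actual, expected: actual == expected,
    "Not equal to": lambda actual, expected: actual != expected,
    "Contain": lambda actual, expected: str(expected) in str(actual),
    "In": lambda actual, expected: actual in expected,
    "Greater Than": lambda actual, expected: float(actual) > float(expected),
    "Less Than": lambda actual, expected: float(actual) < float(expected),
}


@dataclass
class Criterion:
    """One attribute / condition / value row from the Add Member(s) dialog."""
    attribute: str
    condition: str
    value: Any


@dataclass
class WhiteList:
    name: str
    datasource: str
    criteria: list
    operator: str = "AND"                    # AND / OR across the criteria
    reduce_risk_to_zero: bool = True         # "reduce the risk score ... to zero?"
    whitelist_until: Optional[date] = None   # None = white listed indefinitely

    def is_active(self, today: date) -> bool:
        """An expired white list must stop exempting the entity."""
        return self.whitelist_until is None or today <= self.whitelist_until

    def matches(self, event: dict) -> bool:
        """Evaluate every criterion against the event and combine with AND / OR."""
        if event.get("datasource") != self.datasource or not self.criteria:
            return False
        results = []
        for c in self.criteria:
            if c.attribute not in event or c.condition not in CONDITIONS:
                results.append(False)   # a missing attribute never satisfies a rule
                continue
            try:
                results.append(bool(CONDITIONS[c.condition](event[c.attribute], c.value)))
            except (TypeError, ValueError):
                results.append(False)   # e.g. non-numeric value for Greater Than
        return all(results) if self.operator == "AND" else any(results)


@dataclass
class Decision:
    exempt: bool             # True: the entity is exempt from monitoring
    risk_score: float        # score after the white list is applied
    matched: Optional[str]   # name of the matching white list, if any


def evaluate(event: dict, risk_score: float, white_lists: list, today: date) -> Decision:
    """Return whether the event's entity is white listed and the resulting risk score."""
    for wl in white_lists:
        if wl.is_active(today) and wl.matches(event):
            score = 0.0 if wl.reduce_risk_to_zero else risk_score
            return Decision(True, score, wl.name)
    return Decision(False, risk_score, None)


# Constructed sample white lists (names and values are made up for this example).
SAMPLE_WHITE_LISTS = [
    WhiteList("VIP Users", "Google Login",
              [Criterion("accountname", "In", ["ceo", "cfo"])],
              reduce_risk_to_zero=False),                     # keep their risk score
    WhiteList("Backup service accounts", "Google Admin",
              [Criterion("accountname", "Contain", "svc_backup"),
               Criterion("eventcount", "Less Than", 500)],
              operator="AND",
              whitelist_until=date(2024, 6, 30)),              # expires after June
]

# Constructed sample events, one per datasource.
VIP_LOGIN = {"datasource": "Google Login", "accountname": "ceo", "eventcount": 3}
BACKUP_RUN = {"datasource": "Google Admin", "accountname": "svc_backup01", "eventcount": 120}
NOISY_BACKUP = {"datasource": "Google Admin", "accountname": "svc_backup01", "eventcount": 900}


def check(event: dict, risk_score: float, today_iso: str) -> Decision:
    """Convenience wrapper over evaluate() using the sample white lists."""
    return evaluate(event, risk_score, SAMPLE_WHITE_LISTS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for ev in (VIP_LOGIN, BACKUP_RUN, NOISY_BACKUP):
        print(ev["accountname"], check(ev, 40.0, "2024-05-01"))
```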
Add Attributes to Policy White List from SCC
6. Select a policy.
7. Enable Add expiry date? to specify the duration the white list attributes will be enabled.
Disable if you don’t want to set the expiration date.
8. Select the duration the attribute will be white listed in Select Duration. When
Add expiry date? is enabled, you have to specify the duration after which the
attribute will not be white listed.
This creates a new White List for the policy. You can add more attributes from the
White List option of View.
- Select Attribute: Select the attribute. The list displays the attributes from the
selected datasource.
- Select Condition: Select any of the following conditions to apply on the selected
attribute:
  - Equals
  - Contain
  - Not equal to
- AND / OR: Select AND or OR condition if you have to set multiple filter criteria.
c. Add expiry date?: Enable to specify the duration the white list attributes will be
enabled. Disable if you don’t want to set the expiration date.
d. Select Duration: Select the duration the white list attribute will be enabled.
When Add expiry date? is enabled, you have to specify the duration after
which the attribute will not be white listed.
1. Navigate to Menu > Security Center > Security Command Center, and then
2. Click Take Action next to the violator's name, then select Add to White List.
6. Select a policy.
7. Enable Add expiry date? to specify the duration the white list attributes will be enabled.
Disable if you don’t want to set the expiration date.
8. Select the duration the white list attribute will be enabled in Select Duration.
When Add expiry date? is enabled, you have to specify the duration after
which the attribute will not be white listed.
- Select Attribute: Select the attribute. The list displays the attributes from the
selected datasource.
- Select Condition: Select any of the following conditions to apply on the selected
attribute:
  - Equals
  - Contain
  - Not equal to
- AND / OR: Select AND or OR condition if you have to set multiple filter criteria.
c. Add expiry date?: Enable to specify the duration the white list attributes will be
enabled. Disable if you don't want to set the expiration date.
d. Select Duration: Select the duration the white list attribute will be enabled.
When Add expiry date? is enabled, you have to specify the duration after
which the attribute will not be white listed.
This creates a new white list for the functionality. You can add more attributes from
the White List option of Views.
UI Element Description
a: Filter
  - Policy
  - Functionality
  - Activity account
b: Add
  - User
  - Resource
  - Network address
  - RG activity account
  - Threat model
- Policy
- Functionality
- Activity account
- Resource
- Network address
- RG activity account
- Threat model
2. Type index=whitelist in the search bar, and then click the search icon.
The left navigation panel displays a list of imported Lookup Tables. From the left
navigation panel, you can perform the following actions:
b. Tenant: Displays which tenant the lookup table applies to. The lookup table can apply to all
tenants or a specific tenant.
c. Edit: Allows you to restrict access to the lookup table. When selected, choose one of
the following options for the Restrict Access to this lookup table to your user groups?
setting:
- NO: When disabled, the lookup table is accessible to all users.
- YES: When enabled, the User Group table displays, allowing you to select which
You can also add or delete lookup data. To add lookup data, click the Add Lookup
Records button, located below the search bar.
Tip: To select all your lookup tables at once, check the box in the header row.
The Add Lookup Data dialogue box displays. In a multi-tenant deployment, you can add
three types of lookup tables, including:
- Global: The lookup data you add is available across all tenants.
- Tenant: The lookup data you add is only available for a specific tenant.
- Meta: The lookup data you add can be available across all tenants or for a specific
tenant. This allows content developers to create a single policy for all tenants,
eliminating the need to duplicate and customize policies per tenant.
Limitations: You can only add one column (key) to the meta lookup table.
a. Enter Lookup(Key): Allows you to add multiple records to a lookup table using
comma separated values.
Example: -.zip,.tar,.7z
b. Select Tenant: Select the tenant that should have access to this lookup data.
c. Choose lookup key attribute: Select a lookup attribute from the drop-down list.
To delete a lookup table, check the box next to the lookup table(s) you want to delete,
then click the Delete Lookup Records button.