VMware NSX Network Detection and Response System Administration Operations

This document describes the system administration of VMware NSX Network Detection and Response appliances mostly focused on an On-Premises installation.

About Appliances

The VMware NSX Network Detection and Response deploys a three-tier architecture. It provides a monitoring tier with the Sensor, an analysis tier provided by the Engine and Data Node, and a management tier where the Manager coordinates activity and connections across the installation. In an On-Premises installation, you install all three tiers in your data center. For the Hosted environment, you only install the monitoring tier, with the VMware backend providing the analysis and management tiers, accessed through your account on the User Portal at https://user.lastline.com/ (for EMEA customers https://user.emea.lastline.com/).

Manager

The Manager collects information from Sensor appliances, processes the data, and finally presents it to the user. Artifacts (such as executables and documents) that are attached to email messages or provided in URLs are passed to the Engine for immediate analysis. Data is also shared with the Data Node.

The Manager provides a local instance of the User Portal, a comprehensive Web interface. You use its dashboards and other pages to view the activity detected within your environment and manage the VMware NSX Network Detection and Response appliances.

See the Manager Installation and Administration guide for installation and initial configuration details.

Sensor

The Sensor performs active or passive inspection of your network traffic to identify events that are of interest to the system. This ranges from file transfers (for example, executables, documents, or email messages) to metadata on network activities observed in the environment (for example, netflow, pdns, or webrequests). The information extracted by the Sensor is streamed to the VMware backend for processing.

See the Sensor Installation and Administration guide for installation and initial configuration details.

The Sensor can also be deployed to AWS and Azure cloud environments. See the Sensor on AWS Deployment and Administration and Sensor on Azure Deployment and Administration guides for details.

Engine

The Engine simulates an entire host (including the CPU, system memory, and all peripherals) and its operating environment to analyze unknown files, such as executables and documents, and URLs. These data are submitted from the Manager and other sources. The Engine then runs the artifacts and returns the results of its analysis to the Manager.

See the Engine Installation and Administration guide for installation and initial configuration details.

Data Node

The Data Node receives data records (such as netflow, passive DNS, and webrequest records) collected by the Sensor as well as from third party solutions, such as network switches and routers, security devices, and dedicated netflow probes. It stores these data and analyzes them. It then returns analysis results to the Manager.

See the Data Node Installation and Administration guide for installation and initial configuration details.

Before you begin

Before you can successfully deploy the VMware NSX Network Detection and Response in your data center, there are a number of requirements that must be met. Your network infrastructure must allow the default connections needed by the VMware appliances. You must determine the optimal placement of the Sensor appliances to gain the greatest visibility into the traffic entering and leaving your network. Finally, you must determine which system features you wish to enable and license your installation accordingly.

Connectivity requirements

In an On-Premises installation, the Manager must be able to access the VMware backend to obtain threat intelligence, software, and license updates. In addition, the VMware backend optionally (dependent on your license and system settings) returns cloud analysis results from suspicious samples you uploaded and supports on-demand queries to the Knowledge Base and other data sources. The VMware backend facilitates other essential services to ensure your installation is running correctly to provide maximum protection.

The Sensor in the Hosted environment must also be able to access the VMware backend.

Note:

In the event of disconnection, the Sensor, in either a Hosted or On-Premises environment, will continue to work autonomously using its current threat intelligence data. Detected events are stored locally. When connectivity is re-established, the data is uploaded with the correct timestamp.

Domain name services

The VMware NSX Network Detection and Response appliances require access to domain name servers (DNS) that can resolve both external names, including the VMware backend, and internal names.

External domain names

The Manager must be able to access:

  • user.lastline.com on TCP/443 (in Europe user.emea.lastline.com).

  • update.lastline.com on TCP/443 (in Europe update.emea.lastline.com).

  • ntp.lastline.com on UDP/123 for time synchronization (in Europe ntp.emea.lastline.com). It can be replaced with a local NTP server. Access to an NTP server is required for the correct operation of the system.

  • log.lastline.com on TCP/443 (in Europe log.emea.lastline.com).

  • anonvpn.lastline.com on UDP/1194.

External IP addresses

The domain names above currently resolve to IP addresses within the following CIDR blocks:

  • 38.95.226.0/24

  • 38.142.33.16/28

  • 199.91.71.80/28

  • 46.244.5.64/28

  • 66.170.109.0/24

Adjust your firewall rules to allow connections to these address ranges.

Internal domain names

The other system appliances (the Sensor, the Engine, and the Data Node) depend on the Manager to provide the VMware backend services. You should assign a local domain name to the Manager. Assuming your organization has the example.com domain and that lastline.example.com is the FQDN of the Manager, the following domain names should be additional aliases for the same IP address:

  • user.lastline.example.com

  • update.lastline.example.com

  • log.lastline.example.com
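As an added example (not part of the product or of this guide), the following Python script checks a prepared DNS and firewall setup against the requirements above: it verifies that the backend names resolve into the documented CIDR blocks, that the three Manager aliases resolve to the same address as the Manager FQDN, and, when run online, that the TCP/443 endpoints accept connections. The hostnames and blocks are taken from this guide; lastline.example.com is the guide's example FQDN, and the UDP services (NTP, AnonVPN) are only resolved, not probed.

```python
"""Pre-deployment connectivity check for an On-Premises Manager.

Added example, not part of the VMware NSX Network Detection and Response
product. The hostnames and CIDR blocks below are the ones documented in the
guide; lastline.example.com is the guide's example Manager FQDN.
"""
import ipaddress
import socket

# Backend endpoints from the guide: (hostname, protocol, port)
BACKEND_ENDPOINTS = [
    ("user.lastline.com", "tcp", 443),
    ("update.lastline.com", "tcp", 443),
    ("ntp.lastline.com", "udp", 123),
    ("log.lastline.com", "tcp", 443),
    ("anonvpn.lastline.com", "udp", 1194),
]

# CIDR blocks the guide says the backend names currently resolve into.
ALLOWED_BLOCKS = [ipaddress.ip_network(c) for c in (
    "38.95.226.0/24", "38.142.33.16/28", "199.91.71.80/28",
    "46.244.5.64/28", "66.170.109.0/24",
)]

# Manager FQDN (guide's example value) and the alias prefixes it needs.
MANAGER_FQDN = "lastline.example.com"
MANAGER_ALIASES = ["user.", "update.", "log."]


def ip_in_allowed_blocks(ip: str, blocks=ALLOWED_BLOCKS) -> bool:
    """True if ip falls inside one of the documented CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in block for block in blocks)


def unexpected_addresses(resolved: dict) -> dict:
    """Map hostname -> addresses outside the documented blocks.

    `resolved` maps hostname -> list of IPv4 strings. Hosts whose
    addresses are all inside the blocks are absent from the result;
    anything listed here needs a firewall rule the guide did not predict.
    """
    bad = {}
    for host, addrs in resolved.items():
        outside = [a for a in addrs if not ip_in_allowed_blocks(a)]
        if outside:
            bad[host] = outside
    return bad


def alias_mismatches(resolved: dict, fqdn: str = MANAGER_FQDN) -> list:
    """Aliases that do not resolve to the same address set as the Manager."""
    expected = set(resolved.get(fqdn, []))
    return [
        p + fqdn for p in MANAGER_ALIASES
        if not expected or set(resolved.get(p + fqdn, [])) != expected
    ]


def resolve(host: str) -> list:
    """Resolve host to its IPv4 addresses with the system resolver (online)."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Attempt a TCP connect; a refused or filtered port returns False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_checks() -> dict:
    """Online preflight: returns findings for the operator to act on."""
    resolved = {h: resolve(h) for h, _, _ in BACKEND_ENDPOINTS}
    for prefix in [""] + MANAGER_ALIASES:
        resolved[prefix + MANAGER_FQDN] = resolve(prefix + MANAGER_FQDN)
    backend_only = {h: resolved[h] for h, _, _ in BACKEND_ENDPOINTS}
    return {
        "unresolved": [h for h, a in resolved.items() if not a],
        "outside_blocks": unexpected_addresses(backend_only),
        "alias_mismatches": alias_mismatches(resolved),
        # UDP endpoints (NTP, AnonVPN) cannot be probed reliably; TCP only.
        "tcp_unreachable": [h for h, proto, port in BACKEND_ENDPOINTS
                            if proto == "tcp" and not tcp_reachable(h, port)],
    }


if __name__ == "__main__":
    for key, finding in run_checks().items():
        print(f"{key}: {finding or 'ok'}")
```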

CDN usage

To increase availability and reduce download times, the VMware NSX Network Detection and Response installation can be configured to download large files from content distribution network (CDN) servers. As such hosts are geographically distributed, the contacted hosts may vary from system to system. CDN servers outside the documented list of IP addresses may be contacted for downloads.

The use of CDNs is enabled by default during installation or upgrade. You can also explicitly enable or disable this feature with the lastline_register command.

If you explicitly enable the use of CDNs or choose to accept the default, ensure that you adjust your firewall rules to allow access to the CDN servers.

Internal connections

Data Node cluster communication

The Data Node needs to access TCP ports 9200 and 9300 on every other Data Node appliance in order to form an Elasticsearch cluster. TCP port 9200 is used for REST traffic and TCP port 9300 for communication between Data Nodes. The Manager must also be able to communicate with the Data Node on TCP port 9200.

To obtain data records from the RabbitMQ broker running on log.lastline.example.com, access to port 5671 (encrypted channel) and port 5672 (non-encrypted channel) is required.

Local communication network

The VMware NSX Network Detection and Response appliances employ a number of Docker containers to provide services. These containers require an internal network to use for communication. By default, this network is defined to use 169.254.64.0/20, a portion of the IPv4 link-local address space. This network does not need to be reachable from outside services or hosts.

Proxy server

The Manager in an On-Premises installation or the Sensor in the Hosted environment must be able to access the VMware backend.

If a network proxy is deployed in your environment, you need the IP address or FQDN of the proxy server and its port number before you install the VMware NSX Network Detection and Response appliances. Authentication must be disabled for the appliances that utilize the proxy server. If the proxy server limits the domains that can be accessed, *.lastline.com must be allowed or, at a bare minimum, access to the FQDNs listed above must be allowed.

Examples of valid proxy configurations: proxy.example.com:3128 or 192.168.0.1:8080

Note:

The VMware NSX Network Detection and Response appliances cannot communicate through Sophos Transparent or through Microsoft Forefront proxies.

Network Time (NTP)

To accurately report events, incidents, and intrusions, the VMware NSX Network Detection and Response appliances need to keep their clocks in close synchronization. By default, the installer selects ntp.lastline.com for time synchronization. During installation, or afterward with the lastline_setup command, you can replace this with another NTP server.

Important:

The selected NTP server, whether it is on your local network or an external device, must be reachable over UDP port 123. Without NTP access, the system cannot work correctly.

SSL/TLS certificate

The VMware NSX Network Detection and Response appliances provide most of their services through HTTPS. During installation, the Manager generates and then uses a self-signed SSL certificate. This requires all the managed appliances to store and trust this certificate during the registration phase.

When you access the User Portal hosted on the Manager, your browser also needs to trust the certificate.

Replace the certificate

You can optionally replace the SSL/TLS certificate on the Manager. This can be your own self-signed certificate or a certificate signed by the certificate authority (CA) for your organization. Assuming a FQDN of lastline.example.com, the certificate needs to be valid for:

  • user.lastline.example.com

  • update.lastline.example.com

  • log.lastline.example.com

Note:

If you deploy an active-standby configuration, the certificate should also be valid for user.standby.lastline.example.com

In this scenario, you should use user.lastline.example.com as the commonName for the certificate. Then specify the above domain names as Subject Alternative Names (SAN). This way, user.lastline.example.com will work even for clients that do not support SAN. The certificate needs to be in X.509 format, and intermediate CA certificates need to be appended to the server certificate file.

See the Deploy a New Certificate topic in the Manager Installation and Administration guide for instructions.
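As an added example (not the product's or this guide's own code), the following Python module builds an openssl req configuration with user.lastline.example.com as commonName and every required name as a SAN, and checks the subject and SAN list that openssl prints for an existing certificate file, flagging any required alias that is missing. lastline.example.com is the guide's example FQDN, and an openssl binary on the path is assumed for the file check.

```python
"""Check that a Manager certificate covers the names this guide requires.

Added example, not part of the product. lastline.example.com is the guide's
example FQDN; the openssl binary is assumed to be on the path.
"""
import re
import subprocess

DEFAULT_FQDN = "lastline.example.com"


def required_names(fqdn: str = DEFAULT_FQDN, active_standby: bool = False) -> list:
    """Names the certificate must be valid for; user.<fqdn> comes first."""
    names = [f"user.{fqdn}", f"update.{fqdn}", f"log.{fqdn}"]
    if active_standby:
        names.append(f"user.standby.{fqdn}")
    return names


def openssl_san_config(fqdn: str = DEFAULT_FQDN, active_standby: bool = False) -> str:
    """openssl req config: CN=user.<fqdn>, every required name in the SAN list."""
    names = required_names(fqdn, active_standby)
    alt = "\n".join(f"DNS.{i} = {n}" for i, n in enumerate(names, 1))
    return (
        "[req]\n"
        "distinguished_name = dn\n"
        "req_extensions = ext\n"
        "prompt = no\n"
        "[dn]\n"
        f"CN = {names[0]}\n"
        "[ext]\n"
        "subjectAltName = @alt\n"
        "[alt]\n"
        f"{alt}\n"
    )


def parse_openssl_text(text: str):
    """Extract (commonName, [SAN DNS names]) from openssl x509 text output.

    Handles both "subject=CN = name" and the older "subject= /CN=name" form.
    """
    cn_match = re.search(r"CN\s*=\s*([^,/\n]+)", text)
    cn = cn_match.group(1).strip() if cn_match else ""
    sans = [m.lower() for m in re.findall(r"DNS:([^,\s]+)", text)]
    return cn, sans


def certificate_findings(cn: str, sans: list, fqdn: str = DEFAULT_FQDN,
                         active_standby: bool = False) -> dict:
    """Report whether the CN is user.<fqdn> and which required SANs are absent.

    Clients that ignore SAN only see the CN, so it must be user.<fqdn>;
    SAN-aware clients (all current browsers) need every name in the SAN list.
    """
    required = required_names(fqdn, active_standby)
    return {
        "cn_ok": cn.lower() == required[0],
        "missing_sans": [n for n in required if n not in sans],
    }


def check_certificate_file(path: str, fqdn: str = DEFAULT_FQDN,
                           active_standby: bool = False,
                           openssl_bin: str = "openssl") -> dict:
    """Run openssl on a PEM certificate file (needs openssl 1.1.1+ for -ext)."""
    out = subprocess.run(
        [openssl_bin, "x509", "-in", path, "-noout", "-subject",
         "-ext", "subjectAltName"],
        capture_output=True, text=True, check=True,
    ).stdout
    cn, sans = parse_openssl_text(out)
    return certificate_findings(cn, sans, fqdn, active_standby)


# Constructed sample of openssl output for a certificate missing the log alias.
SAMPLE_OPENSSL_OUTPUT = """subject=CN = user.lastline.example.com
X509v3 Subject Alternative Name:
    DNS:user.lastline.example.com, DNS:update.lastline.example.com
"""

if __name__ == "__main__":
    print(openssl_san_config(active_standby=True))
    print(certificate_findings(*parse_openssl_text(SAMPLE_OPENSSL_OUTPUT)))
```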

Email monitoring options

The VMware NSX Network Detection and Response provides a number of methods for monitoring email in your network and preventing attacks with the Sensor:

Passive
  • Sniff SMTP traffic

  • POP3/IMAP

  • MTA (no delivery)

Active
  • MTA inline

Passive monitoring

Passive email monitoring allows you to see email traffic on your network and obtain reports that can be used for further action.

You can configure the Sensor to sniff all network traffic. In this mode, it processes any SMTP packets it sees on the wire. A major limitation with this method is that any email that is encrypted at transport level (SMTP/TLS) cannot be inspected. In addition, the Sensor can only see traffic that traverses its network segment and cannot compensate for errors seen by its SPAN or TAP interface. Sensor placement location is critical. One of the few advantages of using SMTP sniffing is that it can see both inbound and outbound traffic on the network segment.

Alternatively you can configure the Sensor as an IMAP or POP3 client. This mode requires that you also configure the email flow into your organization to blind-copy all inbound messages to the designated user account on the Sensor. All messages received by this account are deleted after analysis.

The recommended mode for passive monitoring is to configure the Sensor as an MTA (no delivery) endpoint. This mode provides visibility into all email messages that are accepted by the downstream MTA server, including those sent over TLS. The connection is also reliable, using TCP retries for any network errors. This mode requires that you configure the email flow into your organization to FORK all inbound messages to the Sensor. All messages received by this account are deleted after analysis.

Active monitoring

Active email monitoring is the most strongly recommended configuration. As above, it provides visibility into all email traffic on your network. In addition, it allows you to either quarantine messages with malicious content or to clean the malicious content from the messages before sending them onward to the next hop. Configure the Sensor as an MTA relay. This mode requires that the email flow into your organization is configured to add the Sensor as an MTA hop in your email processing.

Appliance placement

The VMware NSX Network Detection and Response provides the best protection when the Sensor appliances have complete visibility across your entire network. It is recommended that you deploy a Sensor on all the critical segments of your network:

  • Network borders for Internet, extranet, and VPN.

  • Core data center segments.

  • Cloud workloads (AWS VPCs or Azure Virtual Networks).

  • IOT/ICS/SCADA infrastructure.

  • End user segments.

Command line configuration tools

The VMware NSX Network Detection and Response provides a number of command line utilities to assist you with the configuration and management of the appliances.

During the installation and registration process, you use the lastline_register command. It defines the essential parameters of the appliance, including the critical network connections, then applies your licenses to the installation.

Once the appliance is registered and running, you can use the lastline_setup command to adjust certain settings. There are certain parameters that can only be changed from this command line application.

Note:

See Setup command options for a detailed breakdown of the options available with the lastline_setup command.

Enable SSH access

By default, the Manager is configured to allow key-based authentication. To use this feature, you must add your public SSH key to the lastline user account to enable future SSH access.

  1. Generate a key pair

    On your local system, use the ssh-keygen command to generate an RSA key pair.

    admin@host:~$ ssh-keygen -f ~/.ssh/llkey
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/admin/.ssh/llkey):
    Enter passphrase (empty for no passphrase):ENTER
    Enter same passphrase again:ENTER
    Your identification has been saved in /home/admin/.ssh/llkey.
    Your public key has been saved in /home/admin/.ssh/llkey.pub.
    The key fingerprint is:
    SHA256:pKhfuP8h9xlJKza7Z0R3Hq0LCrkYMGEv1A4JYOxFM admin@example.com
    The key's randomart image is:
    +---[RSA 2048]----+
    | . .E.           |
    |  + o .          |
    | . o *  .        |
    |  . +.=o   . .   |
    |   +...+S . o o  |
    |   ...= o. o = . |
    |  . ..o*+ + + +  |
    |   . o o+B.= =   |
    |    o...++B.o    |
    +----[SHA256]-----+

    The above example shows generating the key pair without a passphrase. For high security installations, a passphrase may be required.

    Note:

    On Windows systems, use PuTTYgen to generate the key pair.

  2. Import your public key

    Copy your public key onto a physical medium such as a USB device.

    admin@host:~$ cp .ssh/llkey.pub keycopy

    Then login to the console of the VMware NSX Network Detection and Response appliance using the username lastline.

  3. Append to the authorized keys list

    On the appliance, append the copy of your public key from the transfer device to the .ssh/authorized_keys file in the lastline user's home directory.

    lastline@lastline-manager:~$ cat keycopy >> ~/.ssh/authorized_keys

    Verify your public key was appended to the authorized keys list.

    lastline@lastline-manager:~$ cat ~/.ssh/authorized_keys
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNrBpwY54v4XDePpQlDOBNpQpyBuJnPY3ThAE3YPAtqlboKeiUNDDgHbYLVVdXV8CFpvShaJ1oFZj5CNjp4krD9Bx2aK3QpoRX3e3ZWSv2JxlbBs61J4fTiKnyDyeGcqx3Q2JjgRTww5AfE4c5GYZrpPTG5UkKfd6Jl8Pq1qyatHWXhCTpquOqPB1lTmS0f2gna8CMVyunV1CLVhmQVeNU2EgGQMh2wJpxO59ohNVD950HJM6lJiQVoAk7nAoJvvcHkCmrB7SSVN7xv2FIthYswVWnPU58BELwJazCu7qKcxKt0T6MdVhnZSiv64M56EBUJyXd7F3 admin@example.com

    Then log out of the appliance.

  4. SSH to the appliance

    From your local system, use the ssh command to access the VMware NSX Network Detection and Response appliance.

    admin@host:~$ ssh -i ~/.ssh/llkey lastline@manager.example.com
    Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-171-generic x86_64)
    
    Last login: Tue Apr 14 17:00:50 2020 on console
    lastline@lastline-manager:~$

An alternative remote access method to the VMware NSX Network Detection and Response appliance is to enable the monitoring user.

Configuration command

The lastline_setup command provides a number of configuration options that are used to administer and manage the VMware NSX Network Detection and Response appliances. Its basic usage is illustrated with the help option.

  1. Start the setup command

    From the command line of the VMware NSX Network Detection and Response appliance, execute the lastline_setup command.

    lastline@lastline-manager:~$ lastline_setup

    If you are prompted for the sudo password, use the password for the default lastline user account.

  2. Run the help option

    To view all the supported options, type help.

    -> help
    Documented commands (type help <topic>):
    ========================================
    EOF                                    email_relay_port
    analysis_max_upload_filesize_mb        email_relay_username
    analysis_queue_backlog                 email_sender_address
    anonvpn_dns_server_ip                  exit
    anonvpn_mode                           failover_multicast_address
    anonvpn_upstream_gateway_ip            failover_multicast_port
    anonvpn_upstream_ifname                failover_virtual_ip
    appliance_state                        fqdn
    appliance_uuid                         ha_active_priority
    cloud_analysis                         ha_password
    cloud_analysis_push_download_metadata  heartbeats
    cloud_analysis_push_download_source    help
    cloud_analysis_query_url_reputation    https_proxy
    data_retention_code                    image_brand_replacement
    data_retention_generated_files         license_api_token
    data_retention_memory_dumps            license_key
    data_retention_process_dumps           llama_images_server_override
    data_retention_screenshots             monitoring_user_password
    data_retention_traffic_captures        network
    data_retention_uploads                 new_monitoring_user_password
    data_retention_webpages                ntp_server
    disable_report_commenting              ntp_servers
    disable_support_channel                offline_mode
    edit                                   save
    email_relay_host                       show
    email_relay_password                   text_brand_replacement

    Tip:

    For any option, type the first few unique characters of its name then type Tab. The lastline_setup command will auto-complete the name for you.

  3. View help details

    To view a detailed description of individual options, type help topic, where topic is the name of a specific option.

    -> help network
     network <variable> [<new-value>]
            Get/set network settings.
                network interface <iface>: interface used for network access
                network method dhcp|static: use DHCP or static IP address
                    configuration for network access
            When static configuration is used, these values must also be set:
                network address <address>: IPv4 address of the interface
                network netmask <netmask>: dotted-quad netmask for the address
                network gateway <gateway>: default gateway for network access; if
                    specified value is -, set gateway to None
                network dns_nameservers <nameserver> ...: space-separated list of
                    DNS nameservers, if specified value is -, set dns_nameservers to
                    None

  4. Exit the configuration tool

    To quit from the configuration tool without saving your changes, type exit.

    -> exit
    lastline@lastline-manager:~$

Enable the monitoring user

As an alternative to the lastline user, the VMware NSX Network Detection and Response offers the monitoring user. This account can access the appliances via the console or via SSH (password authentication only, without an SSH key). Once enabled, the monitoring user has the same level of system privileges as the lastline user.

To enable the monitoring user, use the new_monitoring_user_password option of the lastline_setup command.

  1. Start the setup command

    From the command line of the VMware NSX Network Detection and Response appliance, execute the lastline_setup command.

    lastline@lastline-manager:~$ lastline_setup

    If you are prompted for the sudo password, use the password for the default lastline user account.

  2. Enable the monitoring user

    To enable the monitoring user, type new_monitoring_user_password password.

    -> new_monitoring_user_password s3cretP4ssw0rd

    Your password selection must meet the requirements specified on the passwd command man page.

    You can also enable the monitoring user with the monitoring_user_password option.

  3. Optional: View the status of the monitoring user

    If you type the new_monitoring_user_password option without an argument, the obfuscated password is displayed.

    -> new_monitoring_user_password
    new_monitoring_user_password: ***

    If you type the monitoring_user_password option without an argument, the status of the monitoring user is displayed.

    -> monitoring_user_password
    monitoring_user_password: enabled; pending password change

    The "pending password change" text indicates that your change has not yet been saved.

  4. Optional: Disable the monitoring user

    To disable the monitoring user account, use the dash (-) argument:

    -> monitoring_user_password -

    The dash (-) argument to the new_monitoring_user_password option clears the password:

    -> new_monitoring_user_password -

  5. Save the configuration

    After you provide all the required parameters, save your configuration.

    -> save

    The save option updates the configuration, applies any needed changes, then quits the lastline_setup command.

  6. Optional: Add your public key to the monitoring user

    You can optionally copy your public key from the lastline account (see Enable SSH access, step 3). Run the whole command under sudo, so that the append into the monitoring user's home directory also has the required privileges:

    lastline@lastline-manager:~$ sudo sh -c 'tail -n 1 ~lastline/.ssh/authorized_keys >> ~monitoring/.ssh/authorized_keys'
    [sudo] password for lastline:
    
    lastline@lastline-manager:~$ sudo cat ~monitoring/.ssh/authorized_keys
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNrBpwY54v4XDePpQlDOBNpQpyBuJnPY3ThAE3YPAtqlboKeiUNDDgHbYLVVdXV8CFpvShaJ1oFZj5CNjp4krD9Bx2aK3QpoRX3e3ZWSv2JxlbBs61J4fTiKnyDyeGcqx3Q2JjgRTww5AfE4c5GYZrpPTG5UkKfd6Jl8Pq1qyatHWXhCTpquOqPB1lTmS0f2gna8CMVyunV1CLVhmQVeNU2EgGQMh2wJpxO59ohNVD950HJM6lJiQVoAk7nAoJvvcHkCmrB7SSVN7xv2FIthYswVWnPU58BELwJazCu7qKcxKt0T6MdVhnZSiv64M56EBUJyXd7F3 admin@example.com

    Now you can log out of lastline user session and then use the ssh command from your local system to access the VMware NSX Network Detection and Response appliance.

    admin@host:~$ ssh monitoring@manager.example.com
    Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-171-generic x86_64)
    
    monitoring@lastline-manager:~$

Throughout the rest of this guide, you can substitute the monitoring user wherever the lastline user is required.

Network Configuration

The VMware NSX Network Detection and Response supports easily changing the network configuration of its appliances. This update may be required if assigned IP addresses change (for example, upon a reconfiguration of the network) or if you choose to switch from static addressing to DHCP or vice versa.

Reconfigure for DHCP

To reconfigure the network configuration of a VMware NSX Network Detection and Response appliance to DHCP, use the network option of the lastline_setup command.

  1. Start the setup command

    From the command line of the VMware NSX Network Detection and Response appliance, execute the lastline_setup command.

    lastline@lastline-manager:~$ lastline_setup

    If you are prompted for the sudo password, use the password for the default lastline user account.

  2. Check the network settings

    To check the current network settings, type network.

    -> network
    network dns_nameservers = 8.8.8.8 8.8.4.4
    network gateway = 10.0.2.2
    network netmask = 255.255.255.0
    network address = 10.0.2.15
    network interface = eth0
    network method = static

  3. Enable DHCP configuration for network access

    To enable DHCP addressing, type network method dhcp.

    -> network method dhcp
    network method = dhcp  # changed; original value: static

  4. Save the configuration

    After you provide all the required parameters, save your configuration.

    -> save

    The save option updates the configuration, applies any needed changes, then quits the lastline_setup command.

Reconfigure for Static Addressing

To reconfigure a VMware NSX Network Detection and Response appliance to use a static IP address, or to update it to a new IP address, you must provide or replace values for the address, netmask, gateway, and dns_nameservers parameters. Use the network option of the lastline_setup command to make these changes.

  1. Start the setup command

    From the command line of the VMware NSX Network Detection and Response appliance, execute the lastline_setup command.

    lastline@lastline-manager:~$ lastline_setup

    If you are prompted for the sudo password, use the password for the default lastline user account.

  2. Check the network settings

    To check the current network settings, type network. This example shows the VMware NSX Network Detection and Response appliance is currently using DHCP:

    -> network
    network interface = eth0
    network method = dhcp

  3. Enable static configuration for network access

    To enable a static IP address, type network method static.

    -> network method static
    network method = static  # changed; original value: dhcp

    This step is only needed if the appliance is currently using DHCP.

  4. Set the network address

    To set the IP address, type network address ip_address. Use an IPv4 address of four octets.

    -> network address 10.0.2.15
    network address = 10.0.2.15  # changed; original value:

  5. Set the netmask

    To set the netmask, type network netmask netmask. Use an IPv4 netmask of four octets.

    -> network netmask 255.255.255.0
    network netmask = 255.255.255.0  # changed; original value:

  6. Set the gateway address

    To set the gateway IP address, type network gateway ip_address. Use an IPv4 address of four octets.

    -> network gateway 10.0.2.2
    network gateway = 10.0.2.2  # changed; original value:

  7. Set the DNS server address(es)

    To set the DNS server IP address, type network dns_nameservers ip_address [ip_address]. Use an IPv4 address of four octets for each address.

    -> network dns_nameservers 10.2.1.1 10.2.2.1
    network dns_nameservers = 10.2.1.1 10.2.2.1  # changed; original value:

  8. Save the configuration

    After you provide all the required parameters, save your configuration.

    -> save

    The save option updates the configuration, applies any needed changes, then quits the lastline_setup command.

SMTP notifications

The Manager can be configured to send notifications or reset account passwords using email. To configure the way email messages are sent, use the email options of the lastline_setup command.

Note:

The Sensor can be configured to either passively or actively monitor and/or filter all email traffic into your network. See Configure email monitoring for further details and configuration options.

  1. Start the setup command

    From the command line of the VMware NSX Network Detection and Response appliance, execute the lastline_setup command.

    lastline@lastline-manager:~$ lastline_setup

    If you are prompted for the sudo password, use the password for the default lastline user account.

  2. Specify the SMTP relay host

    To specify an SMTP relay host for delivering email messages, type email_relay_host fqdn.

    -> email_relay_host smtprelay.example.com
    email_relay_host = smtprelay.example.com  # changed; original value:

  3. Specify the SMTP relay port

    To specify the port the SMTP relay host is listening on, type email_relay_port portnumber.

    -> email_relay_port 25025
    email_relay_port = 25025  # changed; original value:

  4. Specify the SMTP user

    To specify the username to use when authenticating to the SMTP relay host (if required), type email_relay_username username.

    -> email_relay_username admin
    email_relay_username = admin  # changed; original value:

  5. Specify the SMTP password

    To specify the password to use when authenticating to the SMTP relay host (if required), type email_relay_password password.

    -> email_relay_password adminpassword
    email_relay_password = adminpassword  # changed; original value:

  6. Specify the SMTP address

    To specify the address from which to send emails, type email_sender_address emailaddress.

    -> email_sender_address admin@example.com
    email_sender_address = admin@example.com  # changed; original value:

  7. Save the configuration

    After you provide all the required parameters, save your configuration.

    -> save

    The save option updates the configuration, applies any needed changes, then quits the lastline_setup command.

Configure Analysis Traffic Routing

The VMware NSX Network Detection and Response provides an analysis sandbox running on the Manager and Engine to examine suspicious files or URLs. The sandbox simulates various environments, including Windows 7, Windows 10, Microsoft Office, Chrome, a generic browser, and a PDF file viewer. Inside the simulated environment, the sandbox attempts to run the potentially malicious file or URL and analyzes the results of the execution.

In many cases, the runtime environment attempts to access resources on the Internet. To protect your environment and anonymize the public IP address of your client connections, the Manager is configured by default to route traffic generated inside its analysis sandbox to the Internet via a secure tunnel. This tunnel component is called AnonVPN (Anonymization VPN).

In addition to anonymizing the public IP address, AnonVPN periodically rotates the IP address with which connections to the Internet are made to avoid getting blocked when connecting to malware command-and-control infrastructure. The tunnel also prevents malware running inside the sandbox from accessing services in the local network. By routing traffic to outside the local network, only services reachable via public IP addresses are accessible to programs running inside the sandbox.

Note:

If your installation uses the Engine to perform suspicious content analysis, AnonVPN routes analysis traffic generated inside its sandbox through the Manager to the Internet. AnonVPN only needs to be configured on the Manager.

If you cannot make use of the AnonVPN feature, the lastline_setup command allows you to specify an alternate method for routing network connections. The following three modes are supported:

  • lastline: Analysis traffic is routed via a secure tunnel. This is the default configuration.

  • honeypot: Analysis traffic is not routed to the Internet. Instead any connections established inside the sandbox are redirected to a honeypot on the appliance.

  • custom: Analysis traffic is routed via a dedicated interface that you have configured.

Configure Default AnonVPN

Manager uses AnonVPN to route traffic originating in the analysis sandbox. The VPN routes only outgoing connections and response packets. It blocks any in-bound connections.

The lastline mode of AnonVPN is the system default. It only needs to be configured if you had previously implemented one of the other modes.

  1. Start the setup command

    From the command line of the VMware NSX Network Detection and Response appliance, execute the lastline_setup command.

    lastline@lastline-manager:~$ lastline_setup

    If you are prompted for the sudo password, use the password for the default lastline user account.

  2. Select the default VPN connection

    To re-enable the default mode of AnonVPN, set the lastline parameter of the anonvpn_mode option.

    -> anonvpn_mode lastline
    anonvpn_mode = lastline  # changed; original value:
  3. Save the configuration

    After you provide all the required parameters, save your configuration.

    -> save

    The save option updates the configuration, applies any needed changes, then quits the lastline_setup command.

Configure Honeypot AnonVPN

The VMware NSX Network Detection and Response provides a secure tunnel for traffic generated inside the analysis sandbox, AnonVPN (Anonymization VPN), anonymizing the public IP address of client connections. For installations that cannot use the VMware infrastructure due to security or privacy requirements, a honeypot mode is available.

In this mode, analysis traffic is not routed to the Internet. Instead any connections established inside the sandbox are redirected to the honeypot on the appliance. This supports the analysis of artifacts in a completely isolated network, without any outgoing connectivity. Because samples undergoing analysis may attempt to access resources on the Internet, the system emulates a set of services that use well-known protocols, such as (but not limited to) DNS, FTP, HTTP, HTTPS, and SMTP.

Any outgoing traffic using an unknown protocol is blocked to avoid accessing services in the local network.

Note:

In honeypot mode, the analysis of URLs in the sandbox will fail. Since no traffic is allowed out to the Internet, when a sample attempts to access a URL, the connection fails, and an error is reported. As a consequence, the URL analysis fails and no report is generated.

When running a honeypot without connectivity to the VMware backend, you should disable the cloud analysis component to avoid the timeout waiting for analysis metadata.

  1. Start the setup command

    From the command line of the VMware NSX Network Detection and Response appliance, execute the lastline_setup command.

    lastline@lastline-manager:~$ lastline_setup

    If you are prompted for the sudo password, use the password for the default lastline user account.

  2. Select the honeypot VPN connection

    To enable the honeypot mode of AnonVPN, set the honeypot parameter of the anonvpn_mode option.

    -> anonvpn_mode honeypot
    anonvpn_mode = honeypot  # changed; original value: lastline
  3. Save the configuration

    After you provide all the required parameters, save your configuration.

    -> save

    The save option updates the configuration, applies any needed changes, then quits the lastline_setup command.

Configure Custom AnonVPN

To customize routing of analysis traffic, you must configure a dedicated network interface on the system hosting the Manager using its /etc/network/interfaces configuration file (see the interfaces.5 man page).

The dedicated interface can be a physical interface (such as eth3) or a virtual interface (such as an OpenVPN tunnel interface tun0). This interface has the following requirements:

  • The interface must be configured in /etc/network/interfaces.

  • The interface must use IPv4.

  • The interface must either use a static IP address or be configured to invoke the /etc/anonvpn/routing_interface_up.sh command when it is assigned an IP address.

    The routing_interface_up.sh command is needed to trigger the setup of packet routing. For OpenVPN connections, the command can be invoked using the --up parameter.

  • The interface must not be called llanonvpn0 or llanonvpn1. These interface names are reserved for connecting the Engine to the Manager and for interfaces in AnonVPN lastline mode.

In addition to the interface configuration, you must provide the following information to enable custom routing:

DNS server IP address

The IPv4 address of the DNS server which will be used for resolving domains inside the analysis sandbox. The DNS server must be reachable over the provided interface. DNS requests from the analysis engine will be routed over the same link as other analysis traffic.

Gateway IP address

The IPv4 address of the gateway for routing packets on the custom interface. The gateway address must not be configured via /etc/network/interfaces to avoid routing non-analysis traffic via this interface.

To switch to a custom network interface for the analysis sandbox, ensure that the dedicated interface is up (use ifup interface-name, for example, ifup tun0) and then configure the AnonVPN options of the lastline_setup command.

Important:

It is possible to route analysis traffic via the primary network interface on Manager. This configuration is highly discouraged as it gives the sample under analysis full access to your local network. It is your responsibility to block any potentially malicious connections routed this way.

The routing of analysis traffic via a custom network interface does not use a proxy even if one is configured.

Configure the Manager to use a custom VPN connection to route traffic originating inside the analysis sandbox. This VPN only routes outgoing connections and response packets. Thus, the VPN blocks any in-bound connections.
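
The following is an added example, not an NSX NDR tool: a pre-flight check, run on the Manager before switching anonvpn_mode to custom, that reads an ifupdown-style /etc/network/interfaces and verifies the stanza of the interface you intend to pass to anonvpn_upstream_ifname against the requirements listed above (IPv4, a static address or a hook that runs /etc/anonvpn/routing_interface_up.sh, no reserved name, and no gateway line, because the gateway belongs in anonvpn_upstream_gateway_ip). The two sample stanzas and the OpenVPN configuration path /etc/openvpn/analysis.conf are constructed for the example.

```python
"""Pre-flight check of a dedicated AnonVPN upstream interface.

Added example for this guide, not an NSX NDR tool. It reads an ifupdown-style
/etc/network/interfaces (see interfaces(5)) and checks the stanza of the
interface you intend to pass to anonvpn_upstream_ifname against the
requirements listed above: IPv4, a static address or a hook that runs
/etc/anonvpn/routing_interface_up.sh, no reserved name, and no gateway line
(the gateway belongs in anonvpn_upstream_gateway_ip instead). Both sample
stanzas are constructed."""
from typing import Dict, List

RESERVED = {"llanonvpn0", "llanonvpn1"}
HOOK = "/etc/anonvpn/routing_interface_up.sh"
# Keywords that start a new top-level block and therefore end an iface stanza.
TOP_LEVEL = {"auto", "allow-hotplug", "mapping", "source", "source-directory"}

# Constructed: physical interface with a static address but a stray gateway line.
SAMPLE_ETH3 = """\
auto eth3
iface eth3 inet static
    address 10.0.0.42
    netmask 255.255.255.0
    gateway 10.0.0.1
"""

# Constructed: OpenVPN tunnel whose --up parameter runs the AnonVPN hook once
# the tunnel has an address; /etc/openvpn/analysis.conf is a placeholder path.
SAMPLE_TUN0 = """\
auto tun0
iface tun0 inet manual
    pre-up openvpn --daemon --config /etc/openvpn/analysis.conf --up /etc/anonvpn/routing_interface_up.sh
"""


def parse_interfaces(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {ifname: {"family": [...], "method": [...], option: [values]}}."""
    stanzas: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "iface" and len(words) >= 4:
            current = stanzas.setdefault(words[1], {})
            current.setdefault("family", []).append(words[2])
            current.setdefault("method", []).append(words[3])
        elif words[0] in TOP_LEVEL:
            current = None
        elif current is not None:
            current.setdefault(words[0], []).append(" ".join(words[1:]))
    return stanzas


def check_upstream_interface(ifname: str, interfaces_text: str) -> List[str]:
    """Return the list of problems; an empty list means the stanza is usable."""
    problems = []
    if ifname in RESERVED:
        problems.append(f"{ifname} is reserved for AnonVPN itself")
    stanza = parse_interfaces(interfaces_text).get(ifname)
    if stanza is None:
        return problems + [f"no 'iface {ifname}' stanza in /etc/network/interfaces"]
    if "inet" not in stanza.get("family", []):
        problems.append("interface must use IPv4 (address family 'inet')")
    is_static = "static" in stanza.get("method", []) and "address" in stanza
    # The hook may appear directly in an up/post-up line or as OpenVPN's --up argument.
    hook_lines = [v for k in ("pre-up", "up", "post-up") for v in stanza.get(k, [])]
    if not (is_static or any(HOOK in v for v in hook_lines)):
        problems.append(f"need a static address or an up hook that runs {HOOK}")
    if "gateway" in stanza:
        problems.append("remove 'gateway' from the stanza; set anonvpn_upstream_gateway_ip instead")
    return problems


if __name__ == "__main__":
    for name, text in (("eth3", SAMPLE_ETH3), ("tun0", SAMPLE_TUN0)):
        print(name, check_upstream_interface(name, text) or ["OK"])
```

Run it with the real file (open("/etc/network/interfaces").read()) and the interface name before the ifup step; the eth3 sample deliberately carries a gateway line to show the finding that matters most, since a gateway in the stanza would route non-analysis traffic over the interface.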

  1. Start the setup command

    From the command line of the VMware NSX Network Detection and Response appliance, execute the lastline_setup command.

    lastline@lastline-manager:~$ lastline_setup

    If you are prompted for the sudo password, use the password for the default lastline user account.

  2. Specify a custom VPN connection

    To enable the custom mode of AnonVPN, set the custom parameter of the anonvpn_mode option.

    -> anonvpn_mode custom
    anonvpn_mode = custom  # changed; original value: lastline
  3. Specify the interface for the VPN connection

    To select the interface to use for the custom VPN connection, type anonvpn_upstream_ifname interface-name.

    For example, using a virtual interface such as OpenVPN:

    -> anonvpn_upstream_ifname tun0
    anonvpn_upstream_ifname = tun0  # changed; original value:

    For example, using a physical interface:

    -> anonvpn_upstream_ifname eth3
    anonvpn_upstream_ifname = eth3  # changed; original value:
  4. Specify the DNS server for the VPN connection

    To select the DNS server to use for the custom VPN connection, type anonvpn_dns_server_ip ip_address. Use an IPv4 address of four octets, for example 8.8.4.4 (one of Google's public DNS servers). The server must be reachable over the dedicated interface, because DNS requests from the sandbox are routed over that link.

    -> anonvpn_dns_server_ip 8.8.4.4
    anonvpn_dns_server_ip = 8.8.4.4  # changed; original value:
  5. Specify the gateway for the VPN connection

    You must specify a gateway when you use a physical interface for the custom VPN connection. It is optional for virtual interfaces.

    To select the gateway, type anonvpn_upstream_gateway_ip ip_address. Use an IPv4 address of four octets.

    -> anonvpn_upstream_gateway_ip 10.0.0.1
    anonvpn_upstream_gateway_ip = 10.0.0.1  # changed; original value:
  6. Save the configuration

    After you provide all the required parameters, save your configuration.

    -> save

    The save option updates the configuration, applies any needed changes, then quits the lastline_setup command.

Configure the Analysis Upload-Size Limit

By default, the VMware NSX Network Detection and Response rejects uploads of files for analysis that are larger than 10 MB. This value provides a reasonable compromise between the ability to analyze the vast majority of malicious artifacts and having to store overly large files. If required, you can modify this limit up to 200 MB.

  1. Start the setup command

    From the command line of the VMware NSX Network Detection and Response appliance, execute the lastline_setup command.

    lastline@lastline-manager:~$ lastline_setup

    If you are prompted for the sudo password, use the password for the default lastline user account.

  2. Modify the size limit for uploads

    To modify the size limit for files that can be uploaded, type analysis_max_upload_filesize_mb size. Specify the size which can be from 10 through 200.

    -> analysis_max_upload_filesize_mb 200
    analysis_max_upload_filesize_mb = 200  # changed; original value:
  3. Save the configuration

    After you provide all the required parameters, save your configuration.

    -> save

    The save option updates the configuration, applies any needed changes, then quits the lastline_setup command.

Configure Data Retention

The VMware NSX Network Detection and Response tracks all of the stored files on the appliance and issues a notification through the User Portal interface when usage of the local file-system disk exceeds certain thresholds.

Periodically, large analysis artifacts (such as the metadata that an analysis generates) are deleted according to data-retention policies that can be updated using the lastline_setup command. The data-retention options are the data_retention_* options that the show option lists (code, generated_files, memory_dumps, process_dumps, screenshots, traffic_captures, uploads, and webpages); each takes a retention period in days.

To exempt a specific file type from the data-retention policies, set its option to unlimited (or 0).

The following steps show how to define your configuration to discard files generated during an analysis run after 90 days, but to keep files uploaded for analysis indefinitely:

  1. Start the setup command

    From the command line of the VMware NSX Network Detection and Response appliance, execute the lastline_setup command.

    lastline@lastline-manager:~$ lastline_setup

    If you are prompted for the sudo password, use the password for the default lastline user account.

  2. Modify the retention for generated files

    To retain generated files for 90 days, type data_retention_generated_files 90.

    -> data_retention_generated_files 90
    data_retention_generated_files = 90 days  # changed; original value:
  3. Modify the retention for uploaded files

    To retain uploaded files indefinitely, type data_retention_uploads unlimited.

    -> data_retention_uploads unlimited
    data_retention_uploads = unlimited  # changed; original value:
  4. Save the configuration

    After you provide all the required parameters, save your configuration.

    -> save

    The save option updates the configuration, applies any needed changes, then quits the lastline_setup command.

Configure Cloud Analysis

The VMware NSX Network Detection and Response cloud analysis component extends analysis results generated in the local On-Premises installation by querying and sharing data with the VMware backend.

This component allows an individual installation to contribute to and benefit from the global intelligence collected by VMware, Inc. As a consequence, the analysis results generated when cloud analysis is enabled may be more accurate and may contain additional pieces of information (such as file origin information, threat classification, or more up-to-date analysis results). At the same time, sharing data with VMware, Inc. may not be desirable or even allowed in certain situations. Therefore, the cloud analysis component offers a number of configuration options to let you decide exactly what information gets shared.

  • cloud_analysis When this option is enabled, your installation shares the hashes (MD5, SHA1, and SHA256) of the analyzed artifacts with the VMware backend. For file artifacts, the actual content is not uploaded to the VMware backend.

  • cloud_analysis_push_download_source When this option is enabled, your installation shares the IP address and hostname of the server where the artifact was downloaded from with the VMware backend.

  • cloud_analysis_push_download_metadata When this option is enabled, your installation shares the URL where the artifact was downloaded from (HTTP, FTP, and SMB downloads) with the VMware backend. In the case of HTTP downloads, the referrer information is also shared, if available.

  • cloud_analysis_query_url_reputation When this option is enabled, your installation queries the VMware backend for metadata that can be included in the URL classification. Note that the full URL is shared with the VMware backend.

When the analysis system detects a malicious file or URL, it is possible to notify the VMware backend about the detection by uploading the artifact content. Sharing this information helps VMware and the security community by increasing the global intelligence, while limiting your sharing to malicious files minimizes the risk of exposing sensitive files.

To configure the sharing of malicious files, review the Data sharing tab of the Appliances Configuration pages provided by the User Portal running on your Manager.

  1. Start the setup command

    From the command line of the VMware NSX Network Detection and Response appliance, execute the lastline_setup command.

    lastline@lastline-manager:~$ lastline_setup

    If you are prompted for the sudo password, use the password for the default lastline user account.

  2. Disable sharing hashes

    The sharing of hashes with the VMware backend can be disabled by typing cloud_analysis off.

    -> cloud_analysis off
    cloud_analysis = off  # changed; original value: on
  3. Disable sharing download details

    The sharing of artifact source details with the VMware backend can be disabled by typing cloud_analysis_push_download_source off.

    -> cloud_analysis_push_download_source off
    cloud_analysis_push_download_source = off  # changed; original value: on (value not set)
  4. Disable sharing artifact origin details

    The sharing of artifact origin details with the VMware backend can be disabled by typing cloud_analysis_push_download_metadata off.

    -> cloud_analysis_push_download_metadata off
    cloud_analysis_push_download_metadata = off  # changed; original value: on (value not set)
  5. Enable querying URL metadata

    Querying the VMware backend for URL metadata can be enabled by typing cloud_analysis_query_url_reputation on. By default, this option is off.

    -> cloud_analysis_query_url_reputation on
    cloud_analysis_query_url_reputation = on # changed; original value: off (value not set)
  6. Save the configuration

    After you provide all the required parameters, save your configuration.

    -> save

    The save option updates the configuration, applies any needed changes, then quits the lastline_setup command.

Configure the Analysis Queue

In certain situations, it can be convenient to automatically drop tasks scheduled for analysis from the queue. This way even systems with limited resources can analyze submitted artifacts in a timely manner, even when temporarily overloaded with a large number of submissions.

The VMware NSX Network Detection and Response allows this by a configuration option that automatically deletes tasks from the analysis queue that have been pending for more than the specified number of days.

  1. Start the setup command

    From the command line of the VMware NSX Network Detection and Response appliance, execute the lastline_setup command.

    lastline@lastline-manager:~$ lastline_setup

    If you are prompted for the sudo password, use the password for the default lastline user account.

  2. Specify the number of days of the analysis queue backlog

    To specify the number of days tasks may remain in the analysis queue backlog, type analysis_queue_backlog days.

    -> analysis_queue_backlog 12
    analysis_queue_backlog = 12 days  # changed; original value: unlimited

    The default is unlimited. Typing this option without an argument displays its current value.

  3. Save the configuration

    After you provide all the required parameters, save your configuration.

    -> save

    The save option updates the configuration, applies any needed changes, then quits the lastline_setup command.

Configure Remote Assistance

By default, VMware NSX Network Detection and Response provides a mechanism to allow the VMware Support team to perform remote administration assistance on your Manager, when requested. You can disable this access with the lastline_setup command.

Note:

Should you need to contact VMware Support, the VMware, Inc. technician will probably request that you temporarily re-enable the support channel.

  1. Start the setup command

    From the command line of the VMware NSX Network Detection and Response appliance, execute the lastline_setup command.

    lastline@lastline-manager:~$ lastline_setup

    If you are prompted for the sudo password, use the password for the default lastline user account.

  2. Disable VMware Support remote access

    To disable VMware Support access to your appliances, type disable_support_channel true.

    -> disable_support_channel true
    disable_support_channel = true  # changed; original value:
  3. Save the configuration

    After you provide all the required parameters, save your configuration.

    -> save

    The save option updates the configuration, applies any needed changes, then quits the lastline_setup command.

Show the configuration

To view the current configuration of the VMware NSX Network Detection and Response appliance, use the show option of the lastline_setup command.

  1. Start the setup command

    From the command line of the VMware NSX Network Detection and Response appliance, execute the lastline_setup command.

    lastline@lastline-manager:~$ lastline_setup

    If you are prompted for the sudo password, use the password for the default lastline user account.

  2. Show the current configuration

    To view the current configuration of the appliance, type show. The output includes the license key and license API token in clear text (only passwords are masked); redact these values before sharing the output, for example in a support ticket. The following example shows the results on the Manager:

    -> show
    analysis_max_upload_filesize_mb = 100
    analysis_queue_backlog = unlimited
    anonvpn_dns_server_ip =
    anonvpn_mode = lastline
    anonvpn_upstream_gateway_ip =
    anonvpn_upstream_ifname =
    appliance_state = active
    appliance_uuid = 09036b88a68a47c99fde25ce10479f44
    cloud_analysis = on
    cloud_analysis_push_download_metadata = on
    cloud_analysis_push_download_source = on
    cloud_analysis_query_url_reputation = off (value not set)
    data_retention_code = 60 days
    data_retention_generated_files = 21 days
    data_retention_memory_dumps = 7 days
    data_retention_process_dumps = 21 days
    data_retention_screenshots = unlimited
    data_retention_traffic_captures = unlimited
    data_retention_uploads = unlimited
    data_retention_webpages = 21 days
    disable_report_commenting =
    disable_support_channel =
    email_relay_host =
    email_relay_password = ***
    email_relay_port =
    email_relay_username =
    email_sender_address =
    failover_multicast_address =
    failover_multicast_port =
    failover_virtual_ip = 10.10.42.241
    fqdn = manager.tse.int.lastline.com
    heartbeats = on
    https_proxy =
    image_brand_replacement = off (value not set)
    license_api_token = ssOrE3gKBCYGyWz6
    license_key = 0Z6LLNOU4ZP12BWBTOJ0
    llama_images_server_override =
    monitoring_user_password: enabled
    network dns_nameservers = 8.8.8.8 4.4.4.4
    network gateway = 10.10.42.250
    network netmask = 255.255.255.0
    network address = 10.10.42.242
    network interface = eno1
    network method = static
    new_monitoring_user_password = ***
    ntp_server = update.lastline.com
    ntp_servers = update.lastline.com
    offline_mode =
    text_brand_replacement =
  3. Exit the configuration tool

    To quit from the configuration tool without saving your changes, type exit.

    -> exit
    lastline@lastline-manager:~$
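
The following is an added example, not part of the NSX NDR appliance tooling. It parses the option = value lines that the show option prints, audits the data-sharing options from Configure Cloud Analysis and the disable_support_channel option from Configure Remote Assistance against a policy the operator chooses, and masks the license key, API token and passwords so the dump can be shared. SAMPLE is a constructed excerpt of show output, and the POLICY values (everything off, support channel disabled, honeypot mode) are this example's assumptions for an isolated deployment, not product defaults.

```python
"""Audit and redact `lastline_setup show` output.

Added example for this guide, not part of the NSX NDR appliance tooling. It
parses the `option = value` lines that the show option prints, compares the
data-sharing and remote-access options against a policy the operator chooses,
and masks secrets so the dump can be attached to a ticket. SAMPLE is a
constructed excerpt and the POLICY values are this example's assumptions, not
product defaults."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt of `-> show` output on a Manager (values are fictitious).
SAMPLE = """\
-> show
analysis_max_upload_filesize_mb = 100
anonvpn_mode = lastline
appliance_uuid = 09036b88a68a47c99fde25ce10479f44
cloud_analysis = on
cloud_analysis_push_download_metadata = on
cloud_analysis_push_download_source = on
cloud_analysis_query_url_reputation = off (value not set)
disable_support_channel =
email_relay_password = ***
license_api_token = ssOrE3gKBCYGyWz6
license_key = 0Z6LLNOU4ZP12BWBTOJ0
monitoring_user_password: enabled
network dns_nameservers = 8.8.8.8 4.4.4.4
"""

# Matches `option = value`, `option = value (value not set)` and `option: value`.
LINE_RE = re.compile(r"^(?P<key>[A-Za-z_][\w ]*?)\s*[:=]\s*(?P<value>.*?)\s*$")
UNSET_RE = re.compile(r"^(?P<value>.*?)\s*\(value not set\)$")
SECRET_RE = re.compile(r"password|token|license_key", re.IGNORECASE)

# Values an isolated or privacy-sensitive deployment would pin (assumed policy).
POLICY = {
    "cloud_analysis": "off",
    "cloud_analysis_push_download_source": "off",
    "cloud_analysis_push_download_metadata": "off",
    "cloud_analysis_query_url_reputation": "off",
    "disable_support_channel": "true",
    "anonvpn_mode": "honeypot",
}


def _norm(value: str) -> str:
    """Fold on/off, true/false and an empty value (permissive default) together."""
    v = value.strip().lower()
    if v in ("", "off", "false", "0"):
        return "false"
    if v in ("on", "true", "1"):
        return "true"
    return v


def parse_show(text: str) -> Dict[str, Tuple[str, bool]]:
    """Return {option: (value, explicitly_set)} from show output."""
    settings: Dict[str, Tuple[str, bool]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop a "# changed; ..." trailer
        if not line or line.startswith("->"):   # skip blanks and the echoed prompt
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        value, explicit = m.group("value"), True
        u = UNSET_RE.match(value)
        if u:
            value, explicit = u.group("value"), False
        settings[m.group("key")] = (value, explicit)
    return settings


def audit(settings: Dict[str, Tuple[str, bool]], policy: Dict[str, str]) -> List[str]:
    """Return one finding per policy option whose effective value deviates."""
    findings = []
    for option, wanted in policy.items():
        value, explicit = settings.get(option, ("", False))
        if _norm(value) != _norm(wanted):
            shown = (value or "<empty>") + ("" if explicit else " (default)")
            findings.append(f"{option}: is {shown}, policy wants {wanted}")
    return findings


def redact(text: str) -> str:
    """Mask license keys, API tokens and passwords before sharing the dump.

    Status lines such as `monitoring_user_password: enabled` carry no secret
    and are left alone; only `key = value` lines are masked."""
    out = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m and "=" in raw and SECRET_RE.search(m.group("key")) and m.group("value"):
            raw = f"{m.group('key')} = ***"
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit(parse_show(SAMPLE), POLICY):
        print("FINDING:", finding)
    print(redact(SAMPLE))
```

An empty disable_support_channel is reported as a finding on purpose: the page states that remote assistance is enabled by default, so an unset value means the support channel is open. Feed the script the captured output of a real show run and adjust POLICY to what your environment actually requires.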

Update Fully Qualified Domain Name

You can update the FQDN of the VMware NSX Network Detection and Response appliances. On the Manager, this update creates a new self-signed certificate associated with the FQDN.

Important:

After you complete the following steps on the Manager, you must update all the appliances managed by the Manager to use its new FQDN (see step 2).

This process does not allow you to move appliances from one Manager to another.

Applying a new FQDN to other appliances such as the Data Node or Engine is entirely optional. These appliances are already known to the Manager, and direct access to them is generally undesirable.

  1. Use the change FQDN option

    From the command line of the Manager, execute the lastline_register command, providing the new local FQDN for the appliance as an argument.

    lastline@lastline-manager:~$ lastline_register --change-local-fqdn new_manager.lastline.example.com
    Note:

    If you are prompted for the sudo password, use the password for the default lastline user account.

    On the Manager, the command generates a new self-signed certificate. If needed, you can replace the certificate.

  2. Update the Manager FQDN

    SSH to each managed appliance (Sensor, Data Node, and Engine). Run the lastline_register command with the change-active-manager-fqdn option. Provide the new FQDN for the Manager as its argument. For example:

    lastline@lastline-sensor:~$ lastline_register --change-active-manager-fqdn new_manager.lastline.example.com
    Note:

    If you are prompted for the sudo password, use the password for the default lastline user account.

    If the Manager is using a self-signed SSL certificate, the appliance needs to be configured to trust the new SSL certificate to ensure all communication succeeds. Use the following commands instead:

    lastline@lastline-sensor:~$ lastline_register -C --change-active-manager-fqdn new_manager.lastline.example.com
    lastline@lastline-sensor:~$ lastline_test_appliance --auto-fix network:master_api_query
    lastline@lastline-sensor:~$ lastline_apply_config -f

    If the Manager IP address is assigned statically, the following command can be used to update /etc/hosts to point to its new address:

    lastline@lastline-sensor:~$ lastline_register --change-active-manager-ip 192.20.24.42

    You can combine both options into a single command:

    lastline@lastline-sensor:~$ lastline_register --change-active-manager-fqdn new_manager.lastline.example.com --change-active-manager-ip 192.20.24.42
    lastline@lastline-sensor:~$ lastline_test_appliance --auto-fix network:master_api_query
    lastline@lastline-sensor:~$ lastline_apply_config -f

Appliance Management API

The VMware NSX Network Detection and Response provides the Appliance Management API as an interface to configure or re-trigger a configuration on an appliance.

The easiest way to invoke the Appliance Management API is to download and use the NSX PAPI client implementation.

Enable shell timeout

The setting interactive_shell_timeout allows a configurable timeout for the duration that an interactive shell can idle before Bash terminates it.

By default the value is set to 0 which means no timeout.

Warning:

Note that setting a shell timeout can lead to long running commands running in interactive shells being interrupted before they can complete. Therefore, if this setting is configured, we recommend that administrative tasks that require running any potentially long-running shell commands be run within a tool such as screen or tmux that can allow the commands to complete even after the shell times out.

Configuring the shell timeout

The setting can be configured using the Lastline Appliance Management API method appliance_mgmt.action_request by providing the setting interactive_shell_timeout with a value in seconds.

The following API parameter values are required:

  • appliance_uuid You can obtain the appliance_uuid from the User Portal. Navigate to the Appliances Status page under Admin and scroll down to the Appliance UUID entry. The UUID can also be retrieved using the accounting API.

  • action_type The action type CONFIGURE should be used to configure an appliance.

  • action_parameters The JSON encoded object: '{"settings": {"appliance::user::interactive_shell_timeout": 600}}'

An example of using the Lastline Appliance Management API to configure this setting would look like the following command using curl:

$ curl --cookie lastline-cookie \
       --data 'appliance_uuid=a2a241d655f741969d12fbaadae795ac' \
       --data 'action_type=CONFIGURE' \
       --data 'action_parameters={"settings": {"appliance::user::interactive_shell_timeout": 600}}' \
       --request POST 'https://<FQDN>/papi/appliance_mgmt/action/request'

The session cookie (--cookie lastline-cookie) can be obtained by following the Authentication Quick-Start guide.

Alternatively, you can use the NSX PAPI software from the User Portal with the following command:

# client: an authenticated NSX PAPI client instance (see the Authentication
# Quick-Start guide); appliance_uuid: the UUID shown on the Appliances Status page
client.appliance_mgmt.configure(
    appliance_uuid=appliance_uuid,
    settings={
        "appliance::user::interactive_shell_timeout": 600,  # 10 minute timeout
    }
)

The following API parameter values are required:

  • appliance_uuid You can obtain the appliance_uuid from the User Portal. Navigate to the Appliances Status page under Admin and scroll down to the Appliance UUID entry. The UUID can also be retrieved using the accounting API.

  • settings Type and version specific settings to configure on the appliance.
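
The following is an added example, not the NSX PAPI client and not code from the product. It builds the same POST that the curl command above sends to /papi/appliance_mgmt/action/request, validates the appliance UUID and the timeout value before anything leaves the host, and reuses the cookie jar file that a curl login writes (the --cookie lastline-cookie file, Netscape format) through the Python standard library. It assumes the reply body is JSON; the Manager FQDN manager.example.com, the UUID and the timeout value in main() are placeholders.

```python
"""Set interactive_shell_timeout through the Appliance Management API.

Added example, not the NSX PAPI client and not code from the product. It builds
the same POST that the curl command above sends, validates the inputs first,
and reuses the cookie jar file written at login (curl's `--cookie
lastline-cookie` file, Netscape format). It assumes the reply body is JSON; the
FQDN, UUID and timeout in main() are placeholders."""
import json
import re
import urllib.parse
import urllib.request
from http.cookiejar import MozillaCookieJar
from typing import Any, Dict, Tuple

UUID_RE = re.compile(r"^[0-9a-f]{32}$")
SHELL_TIMEOUT = "appliance::user::interactive_shell_timeout"


def build_configure_request(fqdn: str, appliance_uuid: str,
                            settings: Dict[str, Any]) -> Tuple[str, bytes]:
    """Return (url, form-encoded body) for an appliance_mgmt CONFIGURE action."""
    if not UUID_RE.match(appliance_uuid):
        raise ValueError("appliance_uuid must be 32 lowercase hex digits")
    timeout = settings.get(SHELL_TIMEOUT)
    if timeout is not None and (isinstance(timeout, bool)
                                or not isinstance(timeout, int) or timeout < 0):
        raise ValueError("interactive_shell_timeout is seconds; 0 disables it")
    url = f"https://{fqdn}/papi/appliance_mgmt/action/request"
    body = urllib.parse.urlencode({
        "appliance_uuid": appliance_uuid,
        "action_type": "CONFIGURE",
        "action_parameters": json.dumps({"settings": settings}),
    }).encode()
    return url, body


def decode_body(body: bytes) -> Dict[str, Any]:
    """Inverse of build_configure_request's encoding, for dry-run inspection."""
    fields = {k: v[0] for k, v in urllib.parse.parse_qs(body.decode()).items()}
    fields["action_parameters"] = json.loads(fields["action_parameters"])
    return fields


def send_configure(url: str, body: bytes, cookie_file: str) -> Any:
    """POST with the session cookie from cookie_file and return the parsed reply."""
    jar = MozillaCookieJar(cookie_file)
    jar.load(ignore_discard=True)            # session cookies carry no expiry
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    req = urllib.request.Request(url, data=body, method="POST")
    with opener.open(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    url, body = build_configure_request(
        "manager.example.com",                  # placeholder Manager FQDN
        "a2a241d655f741969d12fbaadae795ac",     # placeholder appliance UUID
        {SHELL_TIMEOUT: 600},                   # 10 minute idle timeout
    )
    print(url, decode_body(body))               # dry run; no network access
    # send_configure(url, body, "lastline-cookie")  # uncomment on the Manager
```

The dry run prints the decoded form so you can confirm the settings object before sending. curl writes HttpOnly cookies into its jar with a #HttpOnly_ prefix; check that the MozillaCookieJar of your Python version loads such lines, since older releases skip them as comments and the request would then be sent unauthenticated.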

User Portal

The User Portal (Web UI) provides support for both the Administrator and the Analyst roles. The Administrator uses the User Portal for configuration and management tasks.

Login to the User Portal

You access the User Portal with your web browser. The VMware NSX Network Detection and Response supports the following browsers:

You must use a recent version of your selected browser to ensure compatibility plus the most up-to-date security patches. The system is tested and warranted to work correctly with the listed browsers. Other modern browsers might also work correctly however VMware cannot support any issues you may encounter when using unsupported software.

  1. Connect to the User Portal

    Using your web browser, connect to the User Portal (Web UI):

    For On-Premises installations, use the portal running on the Manager, for example, https://user.lastline.example.com/.

    For Hosted customers, go to the User Portal at https://user.lastline.com/ (for EMEA customers https://user.emea.lastline.com/).

  2. Enter your VMware username and password

    On the Log in to the Lastline Portal page, enter your Username and Password then click the Sign in button.

    Note:

    This is your User Portal username. For On-Premises installations, the initial administrator account was generated using this username and password during registration of the Manager.

    If you have forgotten your password, the VMware NSX Network Detection and Response provides a password reset service. Click the Forgot your password? link on the portal login page.

    For your first login, the User Portal displays the Dashboard:Overview page. On any subsequent login, the page you last visited is displayed.

  3. Access the main menu

    The Main navigation menu is displayed across the top of the page under the logo header. This menu allows you to access the corresponding top-level pages of the User Portal:

    • Dashboard Displays an overview of the threats in your network and provides general visibility into the devices on the network.

    • Network Displays information about your network including the currently known intrusions and recent incidents and events.

    • Email Displays mail attachments.

    • Investigation Investigate intrusions and events, using a graphical representation of entities in your network.

    • Analyst Submit artifacts (files and URLs) for analysis.

    • Intelligence Search the Knowledge Base for analysis artifacts (for example, files, IP addresses, domains).

    • Admin Administration Settings for configuring accounts, licenses, and appliances.

    Note:

    Depending on your license, some of the items in the Main navigation menu may be unavailable.

  4. Optional: Set the appearance

    By default, the appearance of the User Portal matches the system default. Click the Switch to dark mode / Switch to light mode icon to access the drop-down menu that allows you to toggle the appearance. Select Light, Dark, or System Default.

  5. Optional: Access the help and other documentation

    Click the Help icon to access the drop-down help menu. Use the menu to access the following pages: Release Notes, Portal guide, API docs, Downloads, and Manuals.

  6. Access your user settings or exit

    Click your user ID to access the pull-down menu. Select Settings to modify your personal settings or Logout to exit the User Portal.

Dashboard pages

The dashboard pages provide a general overview of the status of the VMware NSX Network Detection and Response installation and its observed events. The various widgets and lists on these pages display a high-level view of all relevant information related to your setup and the observed events.

You are redirected to the dashboard pages at each login to the User Portal. There are four predefined dashboard pages:

  • Overview
  • Network
  • Mail
  • Files

Most of the widgets and lists are intended to help the Analyst role. The dashboard widget designed to be the most useful for the Administrator is the Sensors Status widget.

Sensors status widget

The Sensors Status widget provides a quick snapshot of the status of the Sensor appliances deployed in your VMware NSX Network Detection and Response installation. Each of the status field buttons (Up, Monitoring, ICAP, Mail, or Integrations) displays a status:server ratio and is color-coded.

Sensors Status widget

Click the plus button to display a list of the deployed appliances. You can also click any of the status field buttons to toggle the display of the list.

Click the reload button to refresh the display.

Status list

The Sensor appliances list displays the following fields:

  • Name Displays the name of the Sensor. Click the plus button to display a detailed view of the appliance.

  • Up Displays the running status (for example, Running or The sensor is offline).

  • Monitoring Displays the monitoring status.

  • ICAP Displays the ICAP status.

  • Mail Displays the email filtering status.

  • Integration Displays the status of integrations with services such as Active Directory, SIEM servers, etc.

Manage users

Use the Admin Accounts page to add and manage users on the User Portal.

The VMware NSX Network Detection and Response supports two basic user roles: the Administrator and the Analyst. In addition, there is a Read only role. You edit users to assign one of the roles to their accounts. Alternatively, you can use permissions to assign more granular access to users.

The Accounts page consists of the following tabs:

  • My account Administer your user account and permissions.

  • All accounts Manage existing accounts.

  • Add account Create a new user account.

  • Audit log View user access and actions.

About roles

A Role defines a set of permissions that you can apply to user accounts on the User Portal. A set of built-in roles are provided.

Using the Lastline API, you can create custom roles.

Roles descriptions
Administrator

This role is for an administrator. It provides full read-write access to all functions of the User Portal. This role has the following permissions:

Analyst

This role is for a full-fledged analyst. A user with this role can view most of the data on the system and operate on network/detection data. This role has the following permissions:

Read only

This role is for read-only access. It provides broad access to view the configuration and detection data, but no ability to make any kind of modifications. This role has the following permissions:

About permissions

Permissions define the specific system access rights granted to a user. These permissions can be fine-tuned to different levels of granularity. Editing an account allows you to set specific permissions for each user.

Permissions are tiered. Each permission tier supersedes the tier below.

Customer

Permissions set on the customer tier will grant an account these permissions globally across your environment and on all licenses and subkeys.

License

Permissions set on a license will grant an account these permissions on that license and all its subkeys.

See About licenses for details about licensing.

Subkey

Permissions set on a subkey will grant an account permissions on that subkey only.

See About licenses for details about licensing.

Permission descriptions
Administrator

Tiers: Customer

Allows a user to manage other user accounts, such as creating new accounts, modifying or blocking existing accounts, and changing the password of other accounts. It also allows a user to manage licensing. This includes editing license details as well as creating new Sensor subkeys.

The Administrator permission implies all other permissions, so administrator accounts can perform all operations available through the User Portal and API.

Can access alerts

Tiers: Customer License Subkey

Allows a user to view alerts and statistics from protected networks. It also allows viewing the status, monitoring logs and metrics from Sensor appliances. This permission can be granted globally, or limited to specific licenses or subkeys.

Can access analyzed files

Tiers: Customer

Allows a user to download the original files submitted for analysis, when these are of a file type that is considered less sensitive, such as executables and scripts.

Can access Kibana

Tiers: Customer

Allows a user to access network traffic analysis records using the Kibana visualization tool.

Can access pcaps

Tiers: Customer License Subkey

Provides access to additional information collected from a protected network. Currently, this controls access to traffic captures (PCAPS) as well as the associated DNS data.

This permission can be granted globally, or limited to specific licenses or subkeys. It can be granted in addition to Can access alerts.

Can access sensitive analyzed files

Tiers: Customer

Allows a user to download the original files submitted for analysis when these are of a file type that is considered more sensitive, such as Office or PDF documents.

This permission can be granted in addition to Can access analyzed files.

Can be workflow assignee

Tiers: Customer License Subkey

Ability to be assignee for workflow items (for example, campaigns).

Can manage appliances

Tiers: Customer License Subkey

Allows a user to view and manage appliance configurations. It also allows a user to install new appliances, as well as re-register or de-register existing appliances.

This permission can be granted in addition to Can view appliances.

Can manage custom threat intelligence entries

Tiers: Customer

Ability to manage custom intelligence entries.

Can manage intelligence alerting rules

Tiers: Customer

Permission to manage rules set to alert a customer when a matching artifact is indexed by the intelligence platform.

Can manage labels

Tiers: Customer License Subkey

Controls access to several features:

  • Allows a user to make use of the incident workflow functionality available in the incidents tab, such as the ability to close and open incidents.

  • Allows a user to configure network-related display settings. These are the Home Network, the silenced IP Range and the host labels.

  • Allows a user to configure notification integrations for sending notification by email, syslog, or other mechanisms when an event happens.

  • Allows a user account to push detection information about a monitored network into the system through the Push Detection API. This can be used for integration with third party products.

This permission can be granted globally, or limited to specific licenses or subkeys.

Can set password

Tiers: Customer

Allows the user to set, change, or reset the account password. This permission is usually set by default.

Can view appliances

Tiers: Customer License Subkey

Allows a user to view the status of appliances. This includes access to the status, log, and metrics views of the appliance management UI.

Can view benign emails

Tiers: Customer

Ability to view information about benign emails observed in a protected network.

Can view custom threat intelligence entries

Tiers: Customer

Ability to get a listing of all custom threat intelligence entries and full information on individual entries.

Can view emails

Tiers: Customer License Subkey

Ability to view information about emails observed in a protected network.

Can view intelligence alerting rules

Tiers: Customer

Ability to view matches and rules set to alert a customer when a matching artifact is indexed by the intelligence platform.
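The following Python snippet is an added example for this guide, not VMware product code and not the Lastline API. It models the tiering rules stated under About permissions (a Customer-tier grant applies everywhere, a License-tier grant covers that license and all its subkeys, a Subkey-tier grant covers one subkey only) together with the rule from the Administrator permission description that Administrator implies all other permissions, and it rejects a grant of a Customer-only permission at a lower tier. The Grant class, the grant_error and has_permission functions, and the LIC-A and sensor-1 keys are constructed for the example.

```python
"""Resolve effective User Portal permissions across the Customer, License and
Subkey tiers.  Added example for this guide, not VMware product code."""
from dataclasses import dataclass
from typing import Iterable, Optional

# Permission names as listed in the permission descriptions on this page,
# split by the tiers at which the page says they can be granted.
CUSTOMER_ONLY = {
    "Administrator", "Can access analyzed files", "Can access Kibana",
    "Can access sensitive analyzed files",
    "Can manage custom threat intelligence entries",
    "Can manage intelligence alerting rules", "Can set password",
    "Can view benign emails", "Can view custom threat intelligence entries",
    "Can view intelligence alerting rules",
}
ALL_TIERS = {
    "Can access alerts", "Can access pcaps", "Can be workflow assignee",
    "Can manage appliances", "Can manage labels", "Can view appliances",
    "Can view emails",
}


@dataclass(frozen=True)
class Grant:
    """One permission granted to an account at a single tier.

    No keys -> Customer tier; license_key only -> License tier;
    license_key + sensor_key -> Subkey tier.  (Constructed model.)
    """
    permission: str
    license_key: Optional[str] = None
    sensor_key: Optional[str] = None

    @property
    def tier(self) -> str:
        if self.sensor_key is not None:
            return "Subkey"
        if self.license_key is not None:
            return "License"
        return "Customer"


def grant_error(g: Grant) -> Optional[str]:
    """Return why a grant violates the tiering rules, or None if it is valid."""
    if g.permission not in CUSTOMER_ONLY | ALL_TIERS:
        return f"unknown permission {g.permission!r}"
    if g.sensor_key is not None and g.license_key is None:
        return "a subkey grant must also name its license"
    if g.permission in CUSTOMER_ONLY and g.tier != "Customer":
        return f"{g.permission!r} can only be granted at the Customer tier"
    return None


def has_permission(grants: Iterable[Grant], permission: str,
                   license_key: Optional[str] = None,
                   sensor_key: Optional[str] = None) -> bool:
    """True if the account may exercise `permission` on the requested scope.

    The scope is the whole customer (no keys), one license (license_key) or
    one subkey (license_key + sensor_key).  A grant at a higher tier covers
    every scope below it, and Administrator implies all other permissions.
    """
    for g in grants:
        err = grant_error(g)
        if err:
            raise ValueError(err)
        if g.permission not in (permission, "Administrator"):
            continue
        if g.tier == "Customer":
            return True                      # global: covers every scope
        if g.tier == "License" and g.license_key == license_key:
            return True                      # the license and all its subkeys
        if g.tier == "Subkey" and (g.license_key, g.sensor_key) == (license_key, sensor_key):
            return True                      # that one subkey only
    return False


if __name__ == "__main__":
    # Constructed account: alerts on all of license LIC-A, pcaps on one subkey.
    acct = [Grant("Can access alerts", "LIC-A"),
            Grant("Can access pcaps", "LIC-A", "sensor-1")]
    print(has_permission(acct, "Can access alerts", "LIC-A", "sensor-2"))   # True
    print(has_permission(acct, "Can access pcaps", "LIC-A"))                # False
```

Note that a License-tier grant never answers a Customer-scope question, and a Subkey-tier grant never answers a License-scope one: the resolver only walks downward, which is the behaviour the "each tier supersedes the tier below" rule describes.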

View users

The All accounts tab displays a list of the users defined on the User Portal.

  1. Navigate to the All accounts tab

    From the Main navigation menu, click Admin. On the Admin page, select Accounts from the left sidebar menu. Then on the Accounts page, click the All accounts tab.

  2. Search for a specific user

    The quick search field above the list provides fast, as-you-type search. It filters the rows in the list, displaying only those rows that have text, in any field, that matches the query string.

  3. Re-sort the list of users

    By default, the list is sorted by Username. You can sort the list by Name, Email, or Blocked. Click the sort icon in the header beside each column title.

  4. Edit a user

    Click the edit icon for the selected user. Then edit the settings for that user account on the Account Settings page.

  5. Delete a user

    Click the delete icon. Then click Yes in the Delete confirmation pop-up.

    Important:

    You should avoid deleting users. When a user is deleted, important history for that user account is also deleted. Instead, block the user account.

  6. Block a user

    To block a user, click the lock icon. Then click Yes in the Confirm block pop-up.

    To later unblock a user, click the lock icon again.

    Important:

    Blocking is the preferred method of disabling a user's access to the User Portal.

Add a user

Create a new user account on the Add account tab.

  1. Navigate to the Add account tab

    From the Main navigation menu, click Admin. On the Admin page, select Accounts from the left sidebar menu. Then on the Accounts page, click the Add account tab.

  2. Enter a username

    In the Username field, type a user name. We recommend that the user name be an email address; however, any text string is a valid user name.

  3. Enter a password

    In the Password field, type a password.

    By default, the password must be at least 12 characters.

    Note:

    VMware NSX Network Detection and Response uses the zxcvbn library (developed and shared by Dropbox) to enforce strong passwords on the User Portal. It applies various heuristics to ensure your password cannot be easily cracked.

    These heuristics are applied when you click Create or Save for the user account. If the zxcvbn library determines that the entered password is too easily cracked, an error message is displayed at the top of the page, and the create/save operation terminates. Enter a stronger password.

    VMware recommends the use of a password manager to generate and recall strong passwords.

    In the Confirm password field, re-enter the password.

  4. Enter the user's name

    In the First and Last name fields, type the user's first and last name respectively.

  5. Enter an email address

    In the Email address field, type the user's email address.

  6. Select the timezone

    Select the Default timezone for the user from the pull-down menu. This timezone is used as the default timezone for all security-related reporting for the user.

  7. Complete the new user account

    Click Create to add the new user account.

    The User Portal creates the user account, then loads the Account Settings page.

    A new user account is assigned default permissions. You must update the account to add a role or to add or modify its permissions. See Configure role and permissions.

Set primary customer account

Each VMware customer, whether Hosted or On-Premises, is represented by a Primary customer account. The primary customer account is shown on the Admin Accounts License information tab. This information is used by VMware for billing notifications, to send out information about product updates and, if required, as the main contact person regarding questions about your VMware NSX Network Detection and Response installation.

  1. Navigate to the All accounts tab

    From the Main navigation menu, click Admin. On the Admin page, select Accounts from the left sidebar menu. Then on the Accounts page, click the All accounts tab.

  2. Select a user account

    Scroll through the users list until you find the appropriate account (username). Click the edit icon for that user.

    The Account Settings page is displayed.

  3. Assign the primary customer account

    Scroll down and click the plus icon to open the Advanced settings section. Then click the Make username the primary account button.

Configure role and permissions

A new user account is assigned default permissions. You must update the account to add a role or to add or modify its permissions.

The Roles section allows you to set or remove the roles assigned to a user account. See About roles for details about the different roles available.

The Permissions section allows you to modify the individual permissions for a user account. See About permissions for details about the different permissions available.

You modify the role and permissions of the user account on the Account Settings page. This page is loaded after you click create on the Add account tab or when you click the edit icon for a specific user on the All accounts tab.

  1. Navigate to the All accounts tab

    From the Main navigation menu, click Admin. On the Admin page, select Accounts from the left sidebar menu. Then on the Accounts page, click the All accounts tab.

  2. Apply a role to the user

    Click the add roles plus button to add a role to a user account. In the roles dialog, select the Administrator, Analyst, or Read only role to be added. You can assign more than one role to a user.

    To remove a role, click the checkbox on the role to be removed. In the Confirm role removal prompt, click Remove role.

  3. Apply permissions to the user

    By default, permissions are only enabled at the Customer tier. If you want to restrict a user to a specific license or subkey, you must first enable those tiers.

    To add a permission, click the add permission plus button. In the permission dialog, select the permissions to be added.

    To remove a permission, click the checkbox on the permission to be removed. In the Confirm permission removal prompt, click Remove permission.

    1. Enable the license tier

      Click the Add license plus button, then select a License from the pull-down menu, and click Select license.

      The Add license permission dialog is displayed, allowing you to add permissions for the selected license.

      Note:

      You can add multiple licenses up to the number of available licenses.

    2. Enable the subkey tier

      Click the Add subkey plus button, then select a License and Sensor from the pull-down menus, and click Select subkey.

      The Add subkey permission dialog is displayed, allowing you to add permissions for the selected sensor.

      Note:

      You can add multiple subkeys.

Edit a user

You edit user accounts on the Account Settings page. Change the password, update the email address, etc. This page is loaded after you click create on the Add account tab or when you click the edit icon for a specific user on the All accounts tab.

Also see Set primary customer account and Configure role and permissions.

  1. Change the password

    In the Password field, enter a new password.

    In the Confirm password field, re-enter the password.

  2. Change the user's name

    In the First and Last name fields, update the user's first and last name respectively.

  3. Change the email address

    In the Email address field, update the user's email address.

  4. Change the timezone

    Modify the Default timezone from the pull-down menu.

Audit users

The Audit log tab allows you to view the access and actions of all of the users of the User Portal.

You can apply filters to the audit log list. Select an item to Filter by from the pull-down menu.

Use the Quick search field to display only those entries that have text, in any field, that matches your query string.

Scroll through the list to find audit events that are of interest. Click the plus icon (or anywhere on an entry row) to expand a specific entry.

Manage licenses

Use the Admin Licensing page to manage the licenses of your VMware NSX Network Detection and Response installation.

Your account will have at least one license provisioned by VMware. Depending on the layout and scale of your installation, you may have multiple VMware provisioned licenses.

You can subsequently create any number of subkeys from any VMware provisioned license. Each subkey is used to add a Sensor to your installation. They are also referred to as sensor licenses. The subkey always belongs to a specific license.

The Licensing page consists of the following tabs:

  • Licenses tab View a list of all licenses for this installation.

  • License information tab View and modify the current license information.

  • Sensors tab View and modify all the available subkey licenses. You can also create a subkey license.

  • Sensor groups tab View, create, and modify sensor groups.

View licenses

The Licenses tab displays all the licenses associated with this installation. The list includes the following fields:

  • License key The unique identifier for the license.

  • Product The product type associated with the license. Products hosted in the NSX Cloud are denoted with a cloud icon.

  • License type The type of license.

  • Installation key Identifies the main license of an On-Premises installation.

  • Start date The date when the license was initialized.

  • Expiration date The date when the license expires.

  1. Navigate to the Licenses tab

    From the Main navigation menu, click Admin. On the Admin page, select Accounts from the left sidebar menu. Then on the Licensing page, click the Licenses tab.

  2. Optional: Reset the API token

    Click edit to reset the API token for the license.

    For an On-Premises installation, you need to perform this request on the appliance. You can only reset the API token of secondary licenses. To reset the API token of your main license, contact VMware Support.

  3. View the sensors

    If there are sensors associated with the license, click the server icon or the license key to view the sensors.

Manage sensors

The Sensors tab displays all the available Sensor licenses. A Sensor license consists of a Sensor key, which is a string you create, concatenated to your VMware generated customer License key (for example, ABCDEFGHIJ0123456789:sensor-1). This license structure allows the On-Premises Manager or the VMware backend to quickly and correctly identify the Sensor when it connects.

  1. Navigate to the Sensors tab

    On the Licenses tab, click the server icon or the license key or click the Sensors tab.

  2. Set the sensor status

    By default, a Sensor is set to Active. You can toggle it to Inactive. The system prompts you that toggling an active Sensor to inactive takes effect immediately.

  3. Add a sensor license

    Click the plus icon to create a new Sensor license. On the Add sensor tab, perform the following steps:

    1. Select a license key

      Select a License key from the pull-down menu. For example, ABCDEFGHIJ0123456789.

    2. Enter a sensor key

      Enter a Sensor key. The sensor key is restricted to alpha-numeric characters, dot (.), and dash (-). For example, sensor-1.

      The resulting sensor license is the license key with the sensor key concatenated to it, for example, ABCDEFGHIJ0123456789:sensor-1.

    3. Optional: Enter a name for the sensor

      Enter a Name. The name is restricted to alpha-numeric characters and the following special characters: ( ) [ ] - : . , ; _ @ ~ / # % ! | $ ^

    4. Save the license

      Click Save. Click the Sensors tab to return to the Sensors listing and confirm the sensor license has been added.

    After you have added a sensor license, you can install and register a new Sensor. When you are prompted for a license for the Sensor, the lastline_register command will display the sensor license you created in the list of available licenses.

  4. Add or edit a sensor group

    Click edit in the Group column header. The Sensor groups tab is loaded.
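The following Python snippet is an added example for this guide, not VMware product code. It builds, validates and splits a sensor license of the LICENSE:sensor-key shape described under Manage sensors, using the sensor key and name character sets from the Add sensor license steps. The function names and the sample values are constructed for the example, and the license key character set is an assumption: the page only shows the sample key ABCDEFGHIJ0123456789, so alphanumeric is assumed.

```python
"""Build, validate and split NSX NDR sensor licenses of the form
LICENSEKEY:sensorkey.  Added example for this guide, not product code."""
import re
from typing import NamedTuple

# Sensor key charset from the Add sensor step: alphanumerics, dot and dash.
SENSOR_KEY_RE = re.compile(r"[A-Za-z0-9.-]+")
# Sensor name charset: alphanumerics plus the special characters listed on
# this page: ( ) [ ] - : . , ; _ @ ~ / # % ! | $ ^   (space is not listed).
SENSOR_NAME_RE = re.compile(r"[A-Za-z0-9()\[\]\-:.,;_@~/#%!|$^]+")
# Assumption: the page does not define the license key charset; this follows
# the alphanumeric shape of its sample key ABCDEFGHIJ0123456789.  A colon can
# never be accepted here because it is the separator.
LICENSE_KEY_RE = re.compile(r"[A-Za-z0-9]+")


class SensorLicense(NamedTuple):
    license_key: str
    sensor_key: str

    def __str__(self) -> str:
        return f"{self.license_key}:{self.sensor_key}"


def is_valid_license_key(key: str) -> bool:
    return LICENSE_KEY_RE.fullmatch(key) is not None


def is_valid_sensor_key(key: str) -> bool:
    return SENSOR_KEY_RE.fullmatch(key) is not None


def is_valid_sensor_name(name: str) -> bool:
    return SENSOR_NAME_RE.fullmatch(name) is not None


def build_sensor_license(license_key: str, sensor_key: str) -> str:
    """Concatenate LICENSE:sensor after checking both halves."""
    if not is_valid_license_key(license_key):
        raise ValueError(f"invalid license key {license_key!r}")
    if not is_valid_sensor_key(sensor_key):
        raise ValueError(f"invalid sensor key {sensor_key!r}")
    return str(SensorLicense(license_key, sensor_key))


def parse_sensor_license(value: str) -> SensorLicense:
    """Split a sensor license on its first ':' and validate both halves.

    Because ':' is not a legal sensor key character, a value with more than
    one colon fails the sensor key check instead of being silently accepted.
    """
    license_key, sep, sensor_key = value.partition(":")
    if not sep:
        raise ValueError("sensor license must contain ':'")
    if not is_valid_license_key(license_key):
        raise ValueError(f"invalid license key {license_key!r}")
    if not is_valid_sensor_key(sensor_key):
        raise ValueError(f"invalid sensor key {sensor_key!r}")
    return SensorLicense(license_key, sensor_key)


if __name__ == "__main__":
    # Constructed values matching the page's own example.
    print(build_sensor_license("ABCDEFGHIJ0123456789", "sensor-1"))
    print(parse_sensor_license("ABCDEFGHIJ0123456789:sensor-1"))
```

A check like this is useful in provisioning scripts that generate subkeys in bulk, because a key rejected by the User Portal is easier to catch before the lastline_register prompt than after.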

About sensor groups

A sensor group is a correlation domain; a mechanism to correlate data from multiple sensors under a single identifying Sensor. All incidents and campaigns belong to the sensor group. The sensor group correlates events from its member sensors into incidents and campaigns. All events are detected by individual sensors and attributed to them. Incidents and campaigns are attributed to the sensor group. Events from sensors that are not part of the sensor group are not combined or correlated (however, they are combined within the sensor, allowing campaigns to be derived).

If a sensor is not part of a sensor group or if an incident was detected before the sensor was configured to be a member of a sensor group, that incident will be attributed to the individual sensor.

Some guidelines and features of sensor groups:

  • A group will only start aggregating new incidents after it is created. This means there won't immediately be any incidents or events for a new group.

  • A group is identified by a sensor. This sensor is the group identifier and is always listed first in the listing of sensors the group contains. It cannot be removed.

  • The group identifier should be an existing sensor, associated with an actual appliance. Select Existing sensor key when you create a group (see below).

  • A group name can only be changed by changing the name of its identifying sensor.

Sensor groups and notifications

The VMware NSX Network Detection and Response can be configured to send notifications to various third party systems. Notifications are triggered by different classes of events.

  • Notifications for network events are sent from the individual sensors. For an On-Premises installation, you can instead configure notifications to be sent from the manager.

  • Notifications for the intrusions are sent from the main sensor for the sensor group.

  • There are no separate notifications for incidents.

All members of a sensor group belong to the same license. You should apply the notification parameters to the license. Otherwise, you must configure the notification parameters individually for each sensor in the sensor group. Using a sensor group to configure notifications for a set of sensors is not supported.

CAUTION:

Under certain circumstances, intrusion notifications may not work correctly:

  1. If notifications are sent from the sensors

  2. The sensors belong to a sensor group

  3. The group identifier is tied to a virtual sensor or to a sensor that is currently not running

The workaround is to ensure the group identifier source is an existing physical sensor.

Manage sensor groups

Manage your sensor groups on the Sensor groups tab.

  1. Navigate to the Sensors groups tab

    On the Sensors tab, click edit in the Group column header or click the Sensor groups tab.

  2. Add a sensor group

    To create a new sensor group in the Add group section, perform the following steps:

    1. Select the group identifier source

      Using the buttons, select the Group identifier source. Your choice is New sensor key or Existing sensor key. The recommendation is that you use an existing sensor key.

    2. Select a license

      Select a License key from the pull-down menu.

    3. Select a sensor

      Select a Sensor from the pull-down menu.

      The License key, Sensor key, and Sensor name are displayed below the menus.

    4. Save the sensor group

      Click Create group from existing sensor to save the sensor group.

  3. Add sensors to the group

    Click plus to expand the Sensor groups list. In the Add sensor to group section, select a Sensor from the pull-down menu. The block below the menu displays the sensor parameters.

    Click the plus Add sensor to group button.

  4. Optional: Remove a sensor from the group

    To remove a sensor, click the delete Remove sensor button. Then click the delete Confirm remove sensor button.

Manage appliances

Use the tabs on the Admin Appliances page to manage the appliances of your VMware NSX Network Detection and Response installation. You can view an overview of the active appliances, inspect the configuration of a selected appliance and make changes, and view the logs and other metrics for all appliances or a specified appliance.

For an On-Premises environment, you will have at least one Manager, as well as Data Node, Engine, and Sensor appliances.

For a Hosted environment, you will have one or more Sensor appliances to manage.

The Appliances page consists of the following tabs:

  • Overview tab View a map showing the locations of all the appliances in this installation. This tab also displays a listing with information about each of the appliances.

  • Status tab View the current status of a selected appliance.

  • Configuration tab Modify the configuration settings of a selected appliance.

  • Action logs tab View status changes made to the selected appliance.

  • Monitoring logs tab View the monitoring logs from the selected appliance or appliances.

  • Metrics tab View performance metrics of the User Portal and the various appliances.

View appliances

The Overview tab displays the locations of the active appliances in your VMware NSX Network Detection and Response installation on a map. It also displays a listing with information about the appliances.

Set geolocation

By default, a geolocation database is used to define the physical location of each appliance. Although this technique for determining the location of the appliance is generally accurate, there might be cases where the databases are out of sync, and the appliance location is not exact. You can manually correct the appliance location.

  1. Navigate to the Overview tab

    From the Main navigation menu, click Admin. On the Admin page, select Appliances from the left sidebar menu. For most users, the Appliances Overview tab is initially displayed by default.

  2. Set the appliance location

    Manually correct the appliance location using one of the following methods:

    • You can drag-and-drop the map marker icon (appliance marker) on the map.

    • You can specify the location from the Appliance list. Click the map marker icon in the IP column for the specific appliance. In the Appliance coordinates pop-up, enter latitude and longitude values (for example, use coordinates provided by Google maps), then click Save.

    • You can set the appliance to the current location of your browser by using the geolocation API. Open the Appliance coordinates pop-up and click the Use current position button.

Appliance actions

The Appliance list allows you to check license information and perform a number of actions with the Quick links button for each listed appliance. Perform the following tasks on the Overview tab:

  1. View license information

    Click the license key in the License column for the specific appliance. The Sensors tab is displayed for the license.

  2. View the Status tab

    Click the Quick links button and select the Status option from the pull-down menu. The Status tab is loaded for the specified appliance. See View appliance status.

  3. Navigate to the Configuration tab

    Click the Quick links button and select the Configuration option from the pull-down menu. The Configuration tab is loaded for the specified appliance. Make configuration changes to the appliance on this tab.

  4. View the Action logs tab

    Click the Quick links button and select the Action logs option from the pull-down menu. The Action logs tab is loaded for the specified appliance. See Monitor appliances.

  5. View the Monitoring logs tab

    Click the Quick links button and select the Monitoring logs option from the pull-down menu. The Monitoring logs tab is loaded for the specified appliance.

  6. View the Metrics tab

    Click the Quick links button and select the Metrics option from the pull-down menu. The Metrics tab is loaded for the specified appliance.

  7. Retrigger the configuration

    Click the Quick links button and select the Retrigger configuration option from the pull-down menu. The configuration for the specified appliance is reloaded.

  8. Delete the appliance

    The Delete option from the Quick links pull-down menu is disabled by default. Before the Delete option can be enabled, the appliance must be offline and deregistered. For detailed instructions, see the following:

View appliance status

The Status tab displays the current configuration of the selected appliance. This tab can be accessed directly from the Overview tab by clicking the Quick links button. If you accessed this tab by clicking the Status tab, you must select an appliance using the server Appliance: none selected button.

Information displayed on this tab includes:

  • The currently deployed version of the appliance.

  • The update status of the appliance.

  • The installed version and current status of a number of services that are running on the appliance.

Rows in the list may be highlighted in green, yellow, or red to indicate whether the appliance is functioning as expected. The help icon next to an item indicates that more information is available. Click the icon to access the information.

Use the appliance selector widget to select an appliance to view. If no appliance is initially selected, click the server Appliance: none selected button and select an appliance from the Select appliance pop-up.

At any time, you can click the Update now reload icon to refresh the appliance data.

Some optional configuration actions for the appliance are available from this page. To access them, click the cogs (multiple actions) icon and then select an action from the pull-down menu. Select Reboot, Retrigger configuration, or Deregister.

Note:

When you need to replace hardware or otherwise need to change an appliance, you must first use the Deregister option to release its license. You can deregister the following appliances:

  • Data Node

  • Engine

  • Sensor

Instead of the cogs (multiple actions) icon, your configuration may display the heartbeat/test icon. Click this icon to access the Sensor test page. Network traffic is created to test the sensor capabilities. Click the Start test button to start the test.

Configure the Manager

Use the different options on the Configuration tab to manage the settings of the Manager. The Manager settings are where you control the data retention rules for your installation as well as which data you are willing to share with the VMware backend.

  1. Navigate to the Configuration tab

    From the Main navigation menu, click Admin. On the Admin page, select Appliances from the left sidebar menu. Then on the Appliances tab, click Configuration. Initially, no appliance is selected on the Configuration tab. Click the server Appliance: None Selected link and select the Manager from the Select Appliance pop-up.

    Alternatively, from the Appliances Overview tab, scroll to the row for the Manager, click the Quick links button, and select Configuration from the pull-down menu.

  2. Set the System options

    On the Configuration: System tab, you can set the following options:

    • Auto Update is Enabled by default. The Manager automatically updates when new software versions are released by VMware.

    • Install daily OS security updates automatically is Enabled by default. The Manager automatically installs new security updates when they are released by Ubuntu.

    • Syslog streaming is Disabled by default. If you set it to Enabled, you can stream the system logs from the Ubuntu server hosting the appliance to a remote syslog server. This feature streams all files from the /var/logs directory (such as auth.log, kernel.log, etc.). It can be used for enhanced security. For example, by setting a policy of using sudo to run privileged commands combined with syslog streaming, the history of all privileged commands run on the system will be logged to the remote log server.

      You must define at least one destination server in the displayed Syslog Destinations list. For each destination, select the Protocol (UDP or TCP), then enter a Host (IP address or FQDN) and Port (the default is port 514).

      Use the Actions icons to delete the entry (delete icon) or reset the port (reload icon).

    When you are done, click the Save and deploy button. Otherwise click Cancel to discard any changes.

    The User Portal displays a pop-up prompt to stop you from navigating away with unsaved changes.

  3. Set the data retention rules

    The VMware NSX Network Detection and Response generates and stores a lot of data during normal processing. On the Configuration: Data retention tab, you can modify the default data retention values.

    • The Database retention section defines how long data is retained in number of months. You can modify the following options:

      • Appliance log

      • Endpoint detection

      • Mail detection

      • Network detection

      • Network detection metadata

      • Network log

      • Network analysis

      • Network analysis log

      The allowed range is 1 to 22 months. Enter a value or click the increment/decrement icon to change the value. Click the checkbox icon to set the retention value to Unlimited. If you have changed the value, click the Default button to reset it.

    • The Analysis artifacts retention section defines the number of days that analysis reports are retained. This includes detailed analysis results, such as the sandbox reports (or any metadata files, such as screenshots of network traffic captures). Enter a value or click the increment/decrement icon to change the value. Click the checkbox icon to set the retention value to Unlimited. If you have changed the value, click the Default button to reset it.

    When you are done, click the Save and deploy button. Otherwise click Cancel to discard any changes.

    The User Portal displays a pop-up prompt to stop you from navigating away with unsaved changes.

  4. Set the data sharing rules

    The VMware NSX Network Detection and Response detects malicious artifacts that attempt to gain access to your environment. If your system encounters a novel artifact, sharing this information will help VMware and the wider security community. This feature is designed so that there is very little risk of exposing confidential or sensitive information.

    On the Configuration: Data sharing tab, you can enable and configure the level of sharing you are comfortable with. By default, Upload malicious files is Disabled. When Enabled, your system will share its detection of a malicious artifact by uploading the artifact content to the VMware backend. You can configure at what level of maliciousness the file is shared with the other options on this tab:

    • Minimum score for documents

    • Minimum score for executables

    • Minimum score for Java files

    • Minimum score for SWF files

    • Upload connection metadata

    • Upload protocol metadata

    For the minimum score options, enter a value or use the increment/decrement icon to change the score. The value can be from 0 to 100. Click the checkbox icon to select Never upload.

    Toggle the connection and protocol metadata options to Enabled to share with the VMware backend.

    When you are done, click the Save and deploy button. Otherwise click Cancel to discard any changes.

    The User Portal displays a pop-up prompt to stop you from navigating away with unsaved changes.

Configure the Data Node

Use the options on the Configuration tab to manage the settings of the Data Node.

  1. Navigate to the Configuration tab

    From the Main navigation menu, click Admin. On the Admin page, select Appliances from the left sidebar menu. Then on the Appliances tab, click Configuration. Initially, no appliance is selected on the Configuration tab. Click the server Appliance: None Selected link and select the Data Node from the Select Appliance pop-up.

    Alternatively, from the Appliances Overview tab, scroll to the row for the Data Node, click the Quick links button, and select Configuration from the pull-down menu.

  2. Set the System options

    On the Configuration: System tab, you can set the following options:

    • Auto Update is Enabled by default. The Data Node automatically updates when new software versions are released by VMware.

    • Install daily OS security updates automatically is Enabled by default. The Data Node automatically installs new security updates when they are released by Ubuntu.

    • Syslog streaming is Disabled by default. If you set it to Enabled, you can stream the system logs from the Ubuntu server hosting the appliance to a remote syslog server. This feature streams all files from the /var/logs directory (such as auth.log, kernel.log, etc.). It can be used for enhanced security. For example, by setting a policy of using sudo to run privileged commands combined with syslog streaming, the history of all privileged commands run on the system will be logged to the remote log server.

      You must define at least one destination server in the displayed Syslog Destinations list. For each destination, select the Protocol (UDP or TCP) then enter a Host (IP address or FQDN) and Port (default is port 514).

      Use the Actions column to delete the entry (the delete icon) or reset the port to its default (the reload icon).

    When you are done, click the Save and deploy button. Otherwise click Cancel to discard any changes.

    The User Portal displays a pop-up prompt to stop you from navigating away with unsaved changes.

Configure the Engine

Use the options on the Configuration tab to manage the settings of the Engine.

  1. Navigate to the Configuration tab

    From the Main navigation menu, click Admin. On the Admin page, select Appliances from the left sidebar menu. Then on the Appliances tab, click Configuration. Initially, no appliance is selected on the Configuration tab. Click the server Appliance: None Selected link and select the Engine from the Select Appliance pop-up.

    Alternatively, from the Appliances Overview tab, scroll to the row for the Engine, click the Quick links button, and select Configuration from the pull-down menu.

  2. Set the System options

    On the Configuration: System tab, you can set the following options:

    • Auto Update is Enabled by default. The Engine automatically updates when new software versions are released by VMware.

    • Install daily OS security updates automatically is Enabled by default. The Engine automatically installs new security updates when they are released by Ubuntu.

    • Syslog streaming is Disabled by default. If you set it to Enabled, you can stream the system logs from the Ubuntu server hosting the appliance to a remote syslog server. This feature streams all files from the /var/logs directory (such as auth.log, kernel.log, etc.). It can be used for enhanced security. For example, by setting a policy of using sudo to run privileged commands combined with syslog streaming, the history of all privileged commands run on the system will be logged to the remote log server.

      You must define at least one destination server in the displayed Syslog Destinations list. For each destination, select the Protocol (UDP or TCP) then enter a Host (IP address or FQDN) and Port (default is port 514).

      Use the Actions column to delete the entry (the delete icon) or reset the port to its default (the reload icon).

    When you are done, click the Save and deploy button. Otherwise click Cancel to discard any changes.

    The User Portal displays a pop-up prompt to stop you from navigating away with unsaved changes.
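    The Syslog streaming option above, on the Data Node and on the Engine, is what makes the sudo history reviewable off the appliance once the streamed auth.log reaches a remote collector. The following added example, which is not VMware or Lastline code, parses constructed RFC 3164 lines as such a collector would receive them and separates the privileged commands that ran from the failed escalation attempts; the hostnames, users and commands are made up.

```python
"""Extract sudo activity from syslog lines streamed off an NSX appliance.

Added example; the lines below are constructed, not real appliance output.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed RFC 3164 records as a remote syslog server would receive them.
# PRI <85> = facility authpriv (10) * 8 + severity notice (5).
SAMPLE_SYSLOG = """\
<85>Mar 14 10:22:01 nsx-engine-01 sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/apt-get update
<85>Mar 14 10:22:01 nsx-engine-01 sudo: pam_unix(sudo:session): session opened for user root by admin(uid=0)
<85>Mar 14 10:25:43 nsx-datanode-01 sudo:   backup : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/backup ; USER=root ; COMMAND=/bin/bash
<85>Mar 14 10:26:10 nsx-datanode-01 sudo:   backup : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/backup ; USER=root ; COMMAND=/bin/bash
<86>Mar 14 10:27:00 nsx-engine-01 sshd[2211]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2
"""

# <PRI>TIMESTAMP HOST TAG[PID]: MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[\d+\])?: ?"
    r"(?P<msg>.*)$"
)
# sudo's own log format: "user : [reason ;] TTY=... ; PWD=... ; USER=... ; COMMAND=..."
SUDO_RE = re.compile(
    r"^\s*(?P<user>\S+) : (?:(?P<reason>[^;]*?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


@dataclass
class SudoRecord:
    host: str
    timestamp: str
    user: str        # account that invoked sudo
    target: str      # account the command was to run as
    command: str
    outcome: str     # "ok", "bad-password", "not-in-sudoers" or "other"


def classify(reason: Optional[str]) -> str:
    """sudo logs a reason before the TTY field only when the attempt failed."""
    if not reason:
        return "ok"
    if "incorrect password" in reason:
        return "bad-password"
    if "NOT in sudoers" in reason:
        return "not-in-sudoers"
    return "other"


def parse_sudo_records(stream: str) -> List[SudoRecord]:
    records: List[SudoRecord] = []
    for line in stream.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or m.group("tag") != "sudo":
            continue  # not a sudo record (sshd, cron, ...)
        s = SUDO_RE.match(m.group("msg"))
        if not s:
            continue  # pam_unix session open/close lines carry no command
        records.append(SudoRecord(
            host=m.group("host"),
            timestamp=m.group("ts"),
            user=s.group("user"),
            target=s.group("target"),
            command=s.group("cmd"),
            outcome=classify(s.group("reason")),
        ))
    return records


def failed_escalations(records: List[SudoRecord]) -> List[SudoRecord]:
    """Attempts worth alerting on: wrong password or a user outside sudoers."""
    return [r for r in records if r.outcome != "ok"]


def privileged_commands(records: List[SudoRecord]) -> List[str]:
    """Audit trail of commands that actually ran, as "host user->target: cmd"."""
    return [f"{r.host} {r.user}->{r.target}: {r.command}"
            for r in records if r.outcome == "ok"]


if __name__ == "__main__":
    recs = parse_sudo_records(SAMPLE_SYSLOG)
    for entry in privileged_commands(recs):
        print("RAN   ", entry)
    for r in failed_escalations(recs):
        print("FAILED", r.host, r.user, r.outcome, r.command)
```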

Configure the Sensor

The main purpose of the Sensor is to perform active or passive inspection of your network traffic. The data and traffic it inspects ranges from file transfers and email messages to metadata on network activities. The Sensor settings are where you configure the detection and blocking rules, email processing, proxy capability, and system settings:

Configure detection and blocking

Use the Configuration: Detection and blocking tab to manage the Sensor detection and blocking options.

  1. Navigate to the Configuration tab

    From the Main navigation menu, click Admin. On the Admin page, select Appliances from the left sidebar menu. Then on the Appliances tab, click Configuration. Initially, no appliance is selected on the Configuration tab. Click the server Appliance: None Selected link and select the Sensor from the Select Appliance pop-up.

    Alternatively, from the Appliances Overview tab, scroll to the row for the Sensor, click the Quick links button, and select Configuration from the pull-down menu.

    Detection and blocking is the initial sub-tab.

  2. Enable network traffic sniffing

    By default, Network traffic sniffing is Enabled. This option automatically enables all options that depend on the traffic sniffing capabilities of the Sensor.

    This option can be left disabled for a Sensor performing active protocol monitoring, such as ICAP, email MTA, etc.

  3. Enable deep packet inspection

    By default Deep packet inspection is Enabled. This configures the Sensor to utilize its full intrusion detection system capabilities. It applies deep packet inspection heuristics to identify malicious interactions on the network.

    If Disabled, the Sensor only performs basic reputation checks and netflow processing on the contacted endpoints.

  4. Inspect webpage content

    By default On-the-wire webpage inspection is set to Disabled.

    If Enabled, the Sensor captures web content transiting in the network and submits it for in-depth analysis. It inspects all HTML and JavaScript content: if any suspicious element is detected, the content is submitted for in-depth analysis. Information on analyzed web content is available in the URLs view of the User Portal. If suspicious content is detected by this analysis, a network event will be generated. These network events may also lead to notification if notifications are configured for network trigger type Suspicious URL.

  5. Set the Sensor feed location

    Change how the Sensor manages traffic depending on where it is physically located in the data center:

    • When the Sensor is deployed on a network segment that has visibility into the traffic generated upstream from the HTTP proxy, set Monitor HTTP requests from an HTTP proxy to Enabled. In this mode, the actual client address is extracted from the X-Forwarded-For header set by the proxy.

      This toggle is Disabled by default.

    • When the Sensor is deployed on a network segment that has visibility into the interactions between clients and an HTTP proxy, set Monitor HTTP requests towards an HTTP proxy to Enabled. In this mode, the actual destination is extracted from the HTTP request sent to the proxy.

      This toggle is Disabled by default.
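    To make the two feed locations concrete, here is an added example (not VMware or Lastline code) that attributes a request to its real client and destination in each mode. The requests, addresses and the set of trusted proxy addresses are constructed for the example; it also covers the CONNECT case for tunnelled HTTPS, which the text above does not mention, and only trusts the X-Forwarded-For entries appended by your own proxies.

```python
"""Attribute an HTTP request to its real client and destination for the two
Sensor feed locations. Added example, not VMware/Lastline code; every request,
address and trusted-proxy set below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, Set, Tuple
from urllib.parse import urlsplit


@dataclass
class Attribution:
    client_ip: str
    dest_host: str
    dest_port: int
    path: str


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Return (method, request-target, headers) from a raw HTTP/1.1 request head."""
    head = raw.partition(b"\r\n\r\n")[0].decode("ascii", "replace")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def client_from_xff(xff: str, packet_src_ip: str, trusted_proxies: Set[str]) -> str:
    """Each proxy appends the peer address it saw to X-Forwarded-For, so the
    rightmost entry that is not one of our own proxies is the real client.
    Walking right to left means a client-supplied prefix cannot spoof the result."""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return hop
    return packet_src_ip  # header absent, or only our own proxies listed


def attribute_upstream(raw: bytes, packet_src_ip: str, packet_dst_ip: str,
                       packet_dst_port: int, trusted_proxies: Set[str]) -> Attribution:
    """'Monitor HTTP requests from an HTTP proxy': the packet source is the proxy,
    the real client comes from X-Forwarded-For, the destination is the packet's."""
    _method, target, headers = parse_request(raw)
    client = client_from_xff(headers.get("x-forwarded-for", ""), packet_src_ip, trusted_proxies)
    host = headers.get("host", packet_dst_ip).partition(":")[0]  # IPv4/host names only
    return Attribution(client, host, packet_dst_port, target)


def attribute_towards_proxy(raw: bytes, packet_src_ip: str) -> Attribution:
    """'Monitor HTTP requests towards an HTTP proxy': the packet destination is the
    proxy, so the real destination comes from the absolute-form request target
    (or the CONNECT authority for tunnelled HTTPS); the packet source is the client."""
    method, target, _headers = parse_request(raw)
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return Attribution(packet_src_ip, host, int(port), "")
    u = urlsplit(target)
    if not u.scheme or not u.hostname:
        raise ValueError("expected an absolute-form request target toward a proxy")
    port = u.port or (443 if u.scheme == "https" else 80)
    return Attribution(packet_src_ip, u.hostname, port, u.path or "/")


# Constructed request seen upstream of the proxy (proxy -> origin server). The
# client supplied a bogus X-Forwarded-For prefix; the proxy (10.0.0.254) appended
# the address it really saw, 10.1.2.3.
UPSTREAM_REQUEST = (
    b"GET /update.bin HTTP/1.1\r\n"
    b"Host: downloads.example.net\r\n"
    b"X-Forwarded-For: 203.0.113.9, 10.1.2.3\r\n"
    b"\r\n"
)
# Constructed request seen between the client and the proxy: absolute-form target.
TOWARDS_PROXY_REQUEST = (
    b"GET http://downloads.example.net/update.bin HTTP/1.1\r\n"
    b"Host: downloads.example.net\r\n"
    b"\r\n"
)
# Constructed HTTPS tunnel request to the proxy.
TUNNEL_REQUEST = (
    b"CONNECT downloads.example.net:443 HTTP/1.1\r\n"
    b"Host: downloads.example.net:443\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(attribute_upstream(UPSTREAM_REQUEST, "10.0.0.254", "198.51.100.7", 80, {"10.0.0.254"}))
    print(attribute_towards_proxy(TOWARDS_PROXY_REQUEST, "10.1.2.3"))
    print(attribute_towards_proxy(TUNNEL_REQUEST, "10.1.2.3"))
```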

  6. Set the blocking locations

    The Sensor can block traffic at different locations in your network. There are three options offered. You can select more than one blocking location:

    • Click Enabled to block traffic Within home network.

    • Click Enabled to block traffic Outbound from home network.

    • Click Enabled to block traffic Inbound to home network.

    Limit the scope of the blocking by selecting Flow blocking (limited to the same 4-tuple that triggered the original alert: src_ip, src_port, dst_ip, dst_port), Host service blocking (block further interactions between the same client and service: src_ip, dst_ip, and dst_port), or Service blocking (block the specific destination: dst_ip and dst_port).

    The blocking pipeline used by the Sensor supports receiving feedback from slower detection mechanisms such as IDS rules or URL malicious reputation lists. The analysis may not be processed quickly enough to respond to the initial flow that triggered it. Therefore the first malicious request towards an endpoint may not be successfully blocked. To maximize the blocking success rate, blocking of slower detection pipelines is stateful. Once a given endpoint is flagged as malicious, all similar interactions with the endpoint are considered malicious and are blocked.

    Modify the Block timeout(seconds). The default is 600 seconds.

  7. Configure the blocking techniques

    Select the blocking techniques to deploy against potentially malicious traffic detected by the Sensor:

    • When Block test mode is Enabled, the Sensor logs all blocking actions but will not actually perform a block action. This allows you to ensure that the expected behavior occurs before you make changes to your user environment.

    • When TCP Blocking: RST injection is Enabled, the Sensor injects a TCP RST (reset) response packet into the traffic. This breaks connections that have been detected to be malicious.

    • When HTTP blocking: HTTP redirection is Enabled, the Sensor redirects all HTTP traffic to the provided URL. You must enter a redirection URL in the textbox, for example https://lastline.example.com/blocked.php.

    • When UDP blocking: ICMP port unreachable injection is Enabled, the Sensor returns an ICMP port unreachable response to malicious port requests.

    • When DNS blocking: sinkholing is Enabled, the Sensor returns the sinkhole IP address in response to any DNS request. You must provide an IP address for a sinkhole server in the textbox.

      When DNS blocking: sinkholing is enabled, NX injection is disabled and cannot be changed.

    • When DNS Blocking: NX injection is Enabled, the Sensor intercepts domain look-ups. It injects a DNS response with the NX error flag set (domain does not exist) for any DNS request for a low reputation domain.

      When DNS blocking: NX injection is enabled, sinkholing is disabled and cannot be changed.
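    The scope, location, timeout, stateful and test-mode behaviour described in steps 6 and 7 can be modelled as one block table. The following is an added example, not VMware or Lastline code; the home network, the scope names and the fake clock are assumptions of the example.

```python
"""Blocking scope, blocking location, block timeout, stateful entries and test
mode for the Sensor's blocking pipeline. Added example, not VMware/Lastline
code; home network, scope names and the fake clock are assumptions.
"""
import ipaddress
import time
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Which fields of a flow identify a block entry for each blocking scope.
SCOPE_FIELDS: Dict[str, Tuple[str, ...]] = {
    "flow": ("src_ip", "src_port", "dst_ip", "dst_port"),  # Flow blocking: same 4-tuple
    "host_service": ("src_ip", "dst_ip", "dst_port"),      # Host service blocking
    "service": ("dst_ip", "dst_port"),                     # Service blocking
}


def flow_location(flow: Flow, home_nets: Iterable[str]) -> str:
    """Classify a flow relative to the home network: within, outbound, inbound or transit."""
    nets = [ipaddress.ip_network(n, strict=False) for n in home_nets]
    src_home = any(ipaddress.ip_address(flow.src_ip) in n for n in nets)
    dst_home = any(ipaddress.ip_address(flow.dst_ip) in n for n in nets)
    if src_home and dst_home:
        return "within"
    if src_home:
        return "outbound"
    if dst_home:
        return "inbound"
    return "transit"  # neither end is in the home network


class BlockTable:
    """Stateful block list: once a detector flags an endpoint, later flows that
    match the configured scope are blocked until the entry expires, even though
    the flow that triggered the verdict may already have completed."""

    def __init__(self, scope: str, locations: Set[str], home_nets: Iterable[str],
                 timeout: float = 600.0, test_mode: bool = False,
                 clock: Callable[[], float] = time.monotonic) -> None:
        if scope not in SCOPE_FIELDS:
            raise ValueError(f"unknown blocking scope {scope!r}")
        self.scope = scope
        self.locations = locations          # subset of {"within", "outbound", "inbound"}
        self.home_nets = list(home_nets)
        self.timeout = timeout              # Block timeout (seconds), default 600
        self.test_mode = test_mode          # Block test mode: log, do not block
        self.clock = clock
        self._entries: Dict[Tuple, float] = {}   # scope key -> expiry time
        self.log: List[Tuple[str, Flow]] = []

    def _key(self, flow: Flow) -> Tuple:
        return tuple(getattr(flow, f) for f in SCOPE_FIELDS[self.scope])

    def flag_malicious(self, flow: Flow) -> None:
        """Record a verdict from any detector, fast or slow; refreshes the expiry."""
        self._entries[self._key(flow)] = self.clock() + self.timeout

    def _is_blocked(self, flow: Flow) -> bool:
        key = self._key(flow)
        expiry = self._entries.get(key)
        if expiry is None:
            return False
        if self.clock() >= expiry:
            del self._entries[key]          # lazy expiry of a stale entry
            return False
        return True

    def decide(self, flow: Flow) -> str:
        """Return "block", "log-only" (test mode) or "pass" for a new flow."""
        if flow_location(flow, self.home_nets) not in self.locations:
            return "pass"                   # blocking not enabled for this direction
        if not self._is_blocked(flow):
            return "pass"
        action = "log-only" if self.test_mode else "block"
        self.log.append((action, flow))
        return action


class FakeClock:
    """Deterministic clock so the timeout can be exercised without sleeping."""
    def __init__(self, now: float = 0.0) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock(1000.0)
    table = BlockTable("host_service", {"outbound"}, ["10.0.0.0/8"], clock=clock)
    alert = Flow("10.1.2.3", 51000, "203.0.113.10", 80)   # flow a slow detector flagged
    table.flag_malicious(alert)
    print(table.decide(Flow("10.1.2.3", 51001, "203.0.113.10", 80)))   # block
    clock.advance(601)
    print(table.decide(Flow("10.1.2.3", 51002, "203.0.113.10", 80)))   # pass (expired)
```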

  8. Set the payload and metadata parameters

    By default, all the payload and metadata parameters are Enabled. You can modify these settings to control what data is uploaded to the VMware backend or to your On-Premises Manager.

    In general, disabling the upload of any of these records may reduce the number of malicious binaries or anomalies that are identified.

  9. Enable host resolution

    When Resolve hostnames is Enabled, the Sensor is configured to resolve internal IP addresses to domain names. Internal IP addresses are defined by the home network setting. If the home network is not defined, the Sensor defaults to performing reverse resolution for private networks.

    For this feature to work, the Sensor needs to be configured with a DNS server providing such mapping.

  10. Save the detection and blocking changes

    When you are done, click the Save and deploy button. Otherwise click Cancel to discard any changes.

    The User Portal displays a pop-up prompt to stop you from navigating away with unsaved changes.

  11. Update the Sensor configuration

    Once you have made your desired changes and saved them, click the Retrigger configuration button to reload the Sensor configuration.

Configure email monitoring

The Sensor can be configured to passively sniff email traffic or to actively participate in the email processing chain in your environment. The Sensor supports sniffing SMTP traffic or running as an IMAP or POP3 client, an MTA end node, or an inline MTA relay.

Configure SMTP traffic sniffing

During registration, the Sensor is configured by default for passive sniffing (see the Sensor Installation and Administration guide for details about sniffing interfaces configuration). The Sensor uses the sniffing interface to examine the traffic available on the wire.

  1. Navigate to the Configuration tab

    From the Main navigation menu, click Admin. On the Admin page, select Appliances from the left sidebar menu. Then on the Appliances tab, click Configuration. Initially, no appliance is selected on the Configuration tab. Click the server Appliance: None Selected link and select the Sensor from the Select Appliance pop-up.

    Alternatively, from the Appliances Overview tab, scroll to the row for the Sensor, click the Quick links button, and select Configuration from the pull-down menu.

    Click the Email sub-tab.

  2. Enable email analysis

    By default, the Email analysis option is Enabled. The Sensor is configured to perform email analysis.

  3. Enable SMTP traffic inspection

    By default, Inspect SMTP traffic is Enabled. The Sensor is configured to sniff SMTP traffic from the wire and analyze it.

    Note:

    You must enable traffic sniffing before the Sensor can sniff SMTP traffic.

    To configure the other methods for monitoring email, you must toggle Inspect SMTP traffic to Disabled.

  4. Inspect URLs

    By default, Inspect URLs is Enabled. The email body will be inspected for malicious URLs.

  5. Save the SMTP sniffing changes

    When you are done, click the Save and deploy button. Otherwise click Cancel to discard any changes.

    The User Portal displays a pop-up prompt to stop you from navigating away with unsaved changes.

Configure IMAP/POP

You can configure the Sensor as an IMAP or POP3 client. Your MTA server must be configured to blind-copy all inbound messages to the designated user account on the Sensor. A major limitation of this method is that you can only see inbound messages.

Note:

All messages received by the monitoring account are deleted after analysis.

  1. Navigate to the Configuration tab

    From the Main navigation menu, click Admin. On the Admin page, select Appliances from the left sidebar menu. Then on the Appliances tab, click Configuration. Initially, no appliance is selected on the Configuration tab. Click the server Appliance: None Selected link and select the Sensor from the Select Appliance pop-up.

    Alternatively, from the Appliances Overview tab, scroll to the row for the Sensor, click the Quick links button, and select Configuration from the pull-down menu.

    Click the Email sub-tab.

  2. Enable email analysis

    By default, the Email analysis option is Enabled. The Sensor is configured to perform email analysis.

  3. Disable SMTP traffic inspection

    By default, Inspect SMTP traffic is Enabled. To configure the IMAP or POP3 method for monitoring email, you must toggle Inspect SMTP traffic to Disabled.

  4. Select the desired protocol

    From the Email protocol pull-down menu, select IMAP or POP3. Although IMAP and POP3 are very different protocols, the only difference in this configuration is the default port number.

    In the following steps, you configure an email user similar to any email client. This allows the Sensor to download emails from a predetermined mailbox in your organization.

  5. Define the mail server

    In the Email server textbox, enter the IP address or FQDN of the IMAP or POP3 mail server to connect to.

    In the Email port textbox, enter the port to use to connect to the mail server. The default port is TCP/143 for IMAP or TCP/110 for POP3. For a secure connection, use TCP/993 for IMAP or TCP/995 for POP3.

  6. Define the mail user

    Enter the Email username to use to log into the mail server. Then enter the Email password for the user account.

  7. Enable SSL downloads

    When Use SSL for downloading emails is Enabled, the Sensor uses SSL encryption when downloading emails.

  8. Set the polling interval

    The default Email polling interval (seconds) for new mail messages is 60 seconds. Adjust this to suit the amount of email traffic seen in your network.

  9. Set the sender and recipient headers

    Use the radio buttons to specify the Sender source header (Mail header) to use as the sender for reporting email:

    • From

    • Sender

    • Manually specify an email header

    Use the radio buttons to specify the Recipient source header (Mail header) to use as the recipient for reporting email:

    • To

    • Manually specify an email header

  10. Inspect URLs

    By default, Inspect URLs is Enabled. The email body will be inspected for malicious URLs.

  11. Save the IMAP/POP3 changes

    When you are done, click the Save and deploy button. Otherwise click Cancel to discard any changes.

    The User Portal displays a pop-up prompt to stop you from navigating away with unsaved changes.

Configure MTA (no delivery)

The recommended mode for passive monitoring is to configure the Sensor as an MTA (no delivery) endpoint. This mode provides visibility into all email messages that are accepted by the downstream MTA server, including those sent over TLS. The connection is also reliable, using TCP retries for any network errors.

This mode requires that you configure your MTA server to FORK all inbound messages to the Sensor. A major limitation of this method is that you can only see inbound messages.

Note:

All messages received by the monitoring account are deleted after analysis.

  1. Navigate to the Configuration tab

    From the Main navigation menu, click Admin. On the Admin page, select Appliances from the left sidebar menu. Then on the Appliances tab, click Configuration. Initially, no appliance is selected on the Configuration tab. Click the server Appliance: None Selected link and select the Sensor from the Select Appliance pop-up.

    Alternatively, from the Appliances Overview tab, scroll to the row for the Sensor, click the Quick links button, and select Configuration from the pull-down menu.

    Click the Email sub-tab.

  2. Enable email analysis

    By default, the Email analysis option is Enabled. The Sensor is configured to perform email analysis.

  3. Disable SMTP traffic inspection

    By default, Inspect SMTP traffic is Enabled. To configure the MTA (no delivery) method for monitoring email, you must toggle Inspect SMTP traffic to Disabled.

  4. Select the desired protocol

    From the Email protocol pull-down menu, select MTA (no delivery).

  5. Enable SSL/TLS

    When Use SSL/TLS to receive emails is Enabled, the Sensor uses SSL/TLS encryption to receive emails. Do not enable this if you want to use STARTTLS for incoming emails.

  6. Define allowed connections

    In the Allowed connections list, specify the networks that are allowed to connect to the Sensor. Use CIDR notation and press Return to add each allowed network.

    Leaving this field empty allows all connections.

  7. Set the sender and recipient headers

    Use the radio buttons to specify the Sender source header (SMTP envelope or Mail header) to use as the sender for reporting email:

    • MAIL FROM

    • From

    • Sender

    • Manually specify an email header

    Use the radio buttons to specify the Recipient source header (SMTP envelope or Mail header) to use as the recipient for reporting email:

    • RCPT TO

    • To

    • Manually specify an email header

  8. Set the accepted recipient domains

    In the Accepted recipient domains textbox, enter a regular expression to match against recipient domains that should be accepted by the Sensor. Any domains that do not match will be dropped.

    Leaving this field empty allows all domains.

  9. Inspect URLs

    By default, Inspect URLs is Enabled. The email body will be inspected for malicious URLs.

  10. Save the MTA (no delivery) changes

    When you are done, click the Save and deploy button. Otherwise click Cancel to discard any changes.

    The User Portal displays a pop-up prompt to stop you from navigating away with unsaved changes.

Configure MTA relay

The most highly recommended configuration is active email monitoring. The Sensor is configured as an MTA relay. This mode provides visibility into all email messages that are accepted by the downstream MTA server, including those sent over TLS. The connection is also reliable, using TCP retries for any network errors. In addition, it allows the Sensor to either quarantine messages with malicious content or to clean the malicious content from the messages before sending them onward to the next hop.

This mode requires that the email flow into your organization is configured to add the Sensor as an MTA hop in your email processing.

  1. Navigate to the Configuration tab

    From the Main navigation menu, click Admin. On the Admin page, select Appliances from the left sidebar menu. Then on the Appliances tab, click Configuration. Initially, no appliance is selected on the Configuration tab. Click the server Appliance: None Selected link and select the Sensor from the Select Appliance pop-up.

    Alternatively, from the Appliances Overview tab, scroll to the row for the Sensor, click the Quick links button, and select Configuration from the pull-down menu.

    Click the Email sub-tab.

  2. Enable email analysis

    By default, the Email analysis option is Enabled. The Sensor is configured to perform email analysis.

  3. Disable SMTP traffic inspection

    By default, Inspect SMTP traffic is Enabled. To configure the MTA relay method for monitoring email, you must toggle Inspect SMTP traffic to Disabled.

  4. Select the desired protocol

    From the Email protocol pull-down menu, select MTA.

  5. Define the next hop destination

    The Next-hop destinations widget is used to define the SMTP servers to which email messages will be delivered once they have been analyzed. If you do not otherwise specify a next-hop destination, the existing Default next-hop section is used for all messages destined for any domain.

    Click the plus (add next-hop) icon to add a custom, domain based, next-hop destination.

    Define the following options for each next-hop destination:

    • Define the receiving domain(s): Enter the email Receiving domains. Only messages addressed to the defined domain(s) will be delivered to the next-hop server.

      Type a period (.) in front of the domain name as a wild-card for any sub-domain (for example, .example.com). The more specific entry takes precedence. Type a space or comma (,) to end a domain entry.

      Note:

      You cannot edit the Receiving domains for the default next-hop. The period (.) is a wild-card for any domain.

    • Define the next-hop destination server:

      • Priority: Enter the priority of the next hop server. Use a value from 0 to 100.

      • Host IP or FQDN: Enter the IP address or domain name of the next hop server.

      • Port: Enter the port number that the next hop server is listening on. The default port is TCP 25.

      • Encryption: Select None, SSL/TLS, or STARTTLS from the pull-down menu.

        If you select STARTTLS encryption, you must ensure Use SSL/TLS to receive emails is not enabled.

      • Actions: Click the delete icon to delete the entry.

      Click the plus (Add destination) icon to add a row to define another destination server.

  6. Enable SSL/TLS

    When Use SSL/TLS to receive emails is Enabled, the Sensor uses SSL/TLS encryption to receive emails. Do not enable this if you want to use STARTTLS for incoming emails.

  7. Define allowed connections

    In the Allowed connections list, specify the networks that are allowed to connect to the Sensor. Use CIDR notation and press Return to add each allowed network.

    Leaving this field empty allows all connections.

  8. Define a separate destination for bounced messages

    When Use separate outgoing SMTP server for bounces is Enabled, bounced messages will be processed by the SMTP servers you define with the DSN Next-hop destinations widget. The options for the SMTP servers are the same as Next-hop destinations options.

  9. Notify sender on bounce

    When Notify sender on bounce is Enabled, the Sensor notifies the sender if the message is bounced by the next-hop server.

  10. Notify user on bounce

    Optionally enter the email address of a user to notify in the Always notify on bounce textbox in the event of a message bouncing.

  11. Define the sender of failure notifications

    In the Sender of failure notifications textbox, define the email address provided as the sender of bounced messages. Use an address similar to no-reply@example.com.

  12. Set the sender and recipient headers

    Use the radio buttons to specify the Sender source header (SMTP envelope or Mail header) to use as the sender for reporting email:

    • MAIL FROM

    • From

    • Sender

    • Manually specify an email header

    Use the radio buttons to specify the Recipient source header (SMTP envelope or Mail header) to use as the recipient for reporting email:

    • RCPT TO

    • To

    • Manually specify an email header

  13. Set the accepted recipient domains

    In the Accepted recipient domains textbox, enter a regular expression to match against recipient domains that should be accepted by the Sensor. Any domains that do not match will be dropped.

    Leaving this field empty allows all domains.
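    The three decisions configured in steps 5, 7 and 13 (which peers may connect, which recipient domains are accepted, and which next-hop servers a message goes to, with the most specific Receiving domains entry winning) fit together as one relay policy; the Allowed connections and Accepted recipient domains fields of the MTA (no delivery) mode behave the same way. The following is an added example, not VMware or Lastline code, with a constructed policy and made-up hosts; it assumes that .example.com matches sub-domains only, that the accepted-domains expression must match the whole domain, and that a lower Priority value is tried first.

```python
"""Connection, recipient-domain and next-hop decisions for the Sensor in MTA
relay mode. Added example, not VMware/Lastline code. Assumptions: ".x.com"
matches sub-domains of x.com only, the accepted-domains regex must match the
whole domain, and a lower Priority value is tried first.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Destination:
    host: str
    port: int = 25
    priority: int = 0          # 0..100; assumed: lower value tried first
    encryption: str = "None"   # "None", "SSL/TLS" or "STARTTLS"


@dataclass(frozen=True)
class NextHopRule:
    receiving_domains: Tuple[str, ...]   # "." = any domain, ".x.com" = any sub-domain of x.com
    destinations: Tuple[Destination, ...]


@dataclass(frozen=True)
class RelayPolicy:
    allowed_connections: Tuple[str, ...]   # CIDRs; empty = allow all
    accepted_recipient_domains: str        # regex; empty = accept all
    next_hops: Tuple[NextHopRule, ...]     # custom, domain based next-hops
    default_next_hop: NextHopRule          # used when no custom rule matches


def connection_allowed(client_ip: str, policy: RelayPolicy) -> bool:
    if not policy.allowed_connections:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in policy.allowed_connections)


def recipient_domain(rcpt: str) -> str:
    return rcpt.rpartition("@")[2].strip("<>").lower()


def recipient_accepted(rcpt: str, policy: RelayPolicy) -> bool:
    if not policy.accepted_recipient_domains:
        return True
    return re.fullmatch(policy.accepted_recipient_domains, recipient_domain(rcpt)) is not None


def specificity(pattern: str, domain: str) -> Optional[Tuple[int, int]]:
    """None if the pattern does not match; otherwise a rank where a larger tuple
    is more specific: exact name > longer wildcard > shorter wildcard > "."."""
    pattern = pattern.lower()
    if pattern == ".":
        return (0, 0)
    if pattern.startswith("."):
        return (1, len(pattern)) if domain.endswith(pattern) else None
    return (2, len(pattern)) if domain == pattern else None


def select_next_hops(rcpt: str, policy: RelayPolicy) -> List[Destination]:
    """Pick the most specific matching rule and return its servers in try order."""
    domain = recipient_domain(rcpt)
    best_rank, best_rule = (-1, 0), policy.default_next_hop
    for rule in policy.next_hops:
        for pattern in rule.receiving_domains:
            rank = specificity(pattern, domain)
            if rank is not None and rank > best_rank:
                best_rank, best_rule = rank, rule
    return sorted(best_rule.destinations, key=lambda d: d.priority)


def route(client_ip: str, rcpt: str, policy: RelayPolicy) -> Tuple[str, List[Destination]]:
    """Decision for one RCPT TO from one connecting peer."""
    if not connection_allowed(client_ip, policy):
        return "reject-connection", []
    if not recipient_accepted(rcpt, policy):
        return "drop", []          # domain not matched by Accepted recipient domains
    return "deliver", select_next_hops(rcpt, policy)


# Constructed policy; all hosts and networks are made up.
POLICY = RelayPolicy(
    allowed_connections=("10.0.0.0/8", "192.0.2.0/24"),
    accepted_recipient_domains=r"(.*\.)?example\.com",
    next_hops=(
        NextHopRule((".example.com",), (
            Destination("hub-b.example.com", 25, 20, "STARTTLS"),
            Destination("hub-a.example.com", 25, 10, "STARTTLS"),
        )),
        NextHopRule(("sales.example.com",), (
            Destination("sales-mx.example.com", 465, 0, "SSL/TLS"),
        )),
    ),
    default_next_hop=NextHopRule((".",), (Destination("mx.example.com", 25, 0, "None"),)),
)

if __name__ == "__main__":
    for peer, rcpt in [("10.5.5.5", "bob@sales.example.com"),
                       ("10.5.5.5", "bob@eu.example.com"),
                       ("10.5.5.5", "bob@example.com"),
                       ("10.5.5.5", "bob@example.org"),
                       ("203.0.113.5", "bob@example.com")]:
        print(peer, rcpt, route(peer, rcpt, POLICY))
```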

  14. Edit the malicious subject tag

    In the Malicious subject tag field, define a prefix to add to the subject header of a message with suspicious or malicious content. The default is lastline-warning. Click the checkbox icon to disable this prefix.

  15. Define a warning text template

    The Template for text added to email with suspicious/malicious content textbox allows you to define a warning to be added to the body of messages with suspicious or malicious content. The system will insert summary information about the type of content discovered if you provide the variable {malicious-content}.

    You can choose to use the provided default warning text.

  16. Define the location of the warning text

    Use the Inline warning radio buttons to determine if the warning is prepended to the message as a separate MIME part (recommended) or at the beginning of the first text MIME part (needed for Outlook Web Mail).

  17. Select the use of X-Lastline headers

    When X-Lastline headers is Enabled, the system inserts X-Lastline headers into messages that have been processed by the Sensor.

  18. Select fail-open behavior

    When Fail open on analysis is Disabled (the default) and the analysis queue is full, the Sensor rejects new incoming messages. These messages are rejected at the SMTP level, relying on the previous hop to react to the rejection by rerouting the messages via a fail-open destination.

    When Enabled, new messages are delivered to the next-hop destination without further analysis if the analysis queue is full. In this condition, the Sensor is not capable of accepting further messages for analysis. This only occurs when there are severe issues with the Sensor and should not be considered normal.

  19. Set the analysis timeout

    In the Analysis timeout, set the maximum time in seconds the Sensor is allowed to delay a message while performing analysis. The default is 3,600 seconds (1 hour). Once processing the message exceeds the configured threshold, it will be delivered to the next-hop destination without being fully analyzed. Messages are not expected to be held by the Sensor for a long time. Any such occurrences are probably a software or hardware issue. In this case a warning will be inserted into the monitoring logs.

    Set the timeout value to zero to disable fail-open on analysis processing time. The Sensor will detain messages for an indefinite amount of time.

  20. Select analyst failure behavior

    When Auto disable Analyst analysis is Enabled (default), messages that require in-depth analysis are delivered to the next-hop destination without being fully analyzed if the Analyst becomes unreachable.

    The Sensor attempts to identify a persistent outage of the Manager and the file analysis API by detecting consecutive upload failures. Once a sufficient number of upload failures is detected, Analyst analysis is disabled.

  21. Set the Analyst timeout

    In the Analyst analysis timeout, set the maximum time in seconds the Sensor is allowed to delay a message in the event that the Analyst is required to perform an in-depth analysis. The default is 1,800 seconds (30 minutes).

  22. Set local quarantine

    When Local quarantine enabled is Enabled and the Sensor is also configured to drop messages that contain malicious URLs and/or attachments, the dropped messages are stored on the local filesystem in a quarantine. These quarantined messages can either be deleted or released to the original recipient.

    Local quarantine is enabled by default. Disabling it causes dropped messages to be deleted immediately and is not recommended.

  23. Define quarantine storage

    In the Local quarantine storage textbox, define the amount of local filesystem space on the Sensor to reserve for quarantined messages. When this amount is exceeded, the oldest message will be removed.

  24. Define quarantine duration

    In the Local quarantine duration textbox, define the maximum number of days the mail sensor is allowed to quarantine an email message. When this amount is exceeded, messages that are older than the allowed number of days will be removed.

  25. Select attachment inspection option

    When Inspect attachments is Enabled, messages will be extracted and inspected for malicious attachments. This is enabled by default.

  26. Define drop policy

    When Drop emails with malicious attachments is Enabled, messages with malicious attachments will be dropped. This is enabled by default.

  27. Define the attachment policy

    From the Attachment policy pull-down menu, select from Block, Warn, or Do not add in-line warning:

    • Block deletes any malicious attachments from the message. A prefix is added to the email subject, indicating the action taken. If the drop policy is enabled, this option is not available.

    • Warn preserves any malicious attachments, but warns the recipient. A prefix is added to the email subject, indicating the action taken.

    • Do not add in-line warning makes no modification to the email or subject.

  28. Edit the replacement text for blocked attachments

    If Block is your selected attachment policy, the Template for text used to replace blocked attachments textbox is displayed. You can edit or replace the example text. You should include the variables {original-filename} and {malicious-content}. The system uses these variables to insert information about the type of content discovered when the text is added to the message.

  29. Adjust the thresholds for malicious content

    Adjust the levels at which the system blocks or warns about malicious content with the sliders of the Thresholds widget.

  30. Select URL inspection option

    When Inspect URLs is Enabled, the email body will be inspected for malicious URLs.

  31. Define drop policy

    When Drop emails with malicious URLs is Enabled, messages with malicious URLs will be dropped.

  32. Define the URL policy

    From the URL policy pull-down menu. Select from Block, Warn, or Do not add in-line warning:

    • Block deletes any malicious attachments from the message. A prefix is added to the email subject, indicating the action taken. If the drop policy is enabled, this option is not available.
    • Warn preserves any malicious attachments, but warns the recipient. A prefix is added to the email subject, indicating the action taken.
    • Do not add in-line warning leaves the email body and subject unchanged.

  33. Edit the replacement text for blocked URLs

    If Block is your selected URL policy, the Text used to replace blocked URLs textbox is displayed. You can edit the example text. The text is added to the message.

  34. Adjust the thresholds for malicious content

    Adjust the levels at which the system blocks or warns about malicious content with the sliders of the Thresholds widget.

  35. Save the MTA changes

    When you are done, click the Save and deploy button. Otherwise click Cancel to discard any changes.

    The User Portal displays a pop-up prompt to stop you from navigating away with unsaved changes.

Configure proxy

Use the Configuration: Proxy tab to manage the proxy option for the Sensor. This option is used for detecting traffic going through web proxies. The Sensor supports ICAP.

Configure ICAP proxy

ICAP integration allows a third party proxy server or security appliance to use the ICAP protocol to offload its HTTP traffic to the Sensor for the analysis and blocking of malicious content. See VMware NSX Network Detection and Response ICAP Integration for more information.

Configure the ICAP options:

  1. Navigate to the Configuration tab

    From the Main navigation menu, click Admin. On the Admin page, select Appliances from left sidebar menu. Then on the Appliances tab, click Configuration. Initially, no appliance is selected on the Configuration tab. Click the server Appliance: None Selected link and select the Sensor from the Select Appliance pop-up.

    Alternatively, from the Appliances Overview tab, scroll to the row for the Sensor, click the Quick links button, and select Configuration from the pull-down menu.

    Click the Proxy sub-tab.

  2. Enable ICAP

    By default, the ICAP server option is Disabled. When Enabled, the Sensor runs an ICAP service. This allows ICAP-aware HTTP proxies to connect to this service and receive blocking decisions based on the system's protection capabilities.

  3. Enable inline analysis

    If Inline analysis is Enabled, the ICAP capability can act upon the transfer of malicious files. This option is made accessible after you enable ICAP server.

  4. Set the blocking threshold

    By default, the Blocking threshold is set to Disable. Clear the checkbox to enable it, then set a value between 0 and 100. Any content with a score above that threshold value will be sanitized.

  5. Select secure ICAP

    If Secure ICAP is Enabled, ICAP-aware HTTP proxies can connect to the Sensor by means of a secure connection.

  6. Set the blocking pages options

    When the Sensor blocks a transaction deemed to be malicious, it replaces the original content with simple self-contained HTML pages providing details of its reasons. There are two options: Blocked page message and Pending page message. Each can be customized. Enabling Blocked page details inserts the details into the pages. You can also enable X-Lastline-* headers which include details in the metadata.

  7. Set the blocking behavior

    You can configure the blocking policy to be applied by the ICAP daemon for each type of file. The file types are Executable, Archive, Media, Document, PDF, Other, and File upload. The following policies can be applied:

    • Passive No blocking is attempted on this type of file, but any relevant content will be analyzed.

    • Sensor-known Block all artifacts known to be malicious by the Sensor (listed in its local cache). This method offers the lowest levels of protection but ensures minimal lag.

    • Manager-known Block all artifacts known to be malicious by the Manager. These data are listed in the Manager cache and shared across all managed appliances.

    • Full Artifacts are not served to the client until they have been fully analyzed. This method offers the maximum level of protection against new, unknown files. However, it can result in significant delays (in the order of minutes) when serving certain types of content.

    • Full with feedback Same as Full, artifacts are not served to the client until they have been fully analyzed. While waiting for analysis results, a feedback page is served to the client. This page is refreshed regularly until the analysis completes. The results are then served to the client.

  8. Set the action for malicious content

    The HTTP POST option determines what the Sensor does with malicious content. If Block, the blocked page message is sent to the destination. If Sanitize, the Sensor removes the malicious content before it forwards the request to its destination.

  9. Define the timeout

    Timeout sets the maximum time in seconds that the proxy server is allowed to delay the request.

  10. Save the proxy changes

    When you are done, click the Save and deploy button. Otherwise click Cancel to discard any changes.

    The User Portal displays a pop-up prompt to stop you from navigating away with unsaved changes.

Configure system settings

Use the options on the Configuration: System tab to manage the Sensor monitoring interfaces and other system settings.

  1. Navigate to the Configuration tab

    From the Main navigation menu, click Admin. On the Admin page, select Appliances from left sidebar menu. Then on the Appliances tab, click Configuration. Initially, no appliance is selected on the Configuration tab. Click the server Appliance: None Selected link and select the Sensor from the Select Appliance pop-up.

    Alternatively, from the Appliances Overview tab, scroll to the row for the Sensor, click the Quick links button, and select Configuration from the pull-down menu.

    Click the System sub-tab.

  2. Set the System options

    On the Configuration: System tab, you can set the following options:

    • The PF_RING Enabled option is only effective on legacy systems. It was used to speed up packet capture. On systems with recent NICs and on virtual sensors, this toggle enables AF_PACKET.

    • When the AF_PACKET Enabled option is Enabled, the Sensor uses the AF_PACKET driver for packet capture. AF_PACKET is a high performance acquisition strategy, offering better support for recent NICs and virtual sensors.

      If the Sensor detects a supported NIC, it enables the AF_PACKET driver. It is generally safe to enable AF_PACKET on any NIC and virtual sensor, as the technology is likely to deliver better performance.

    • Auto Update is Enabled by default. The Sensor automatically updates when new software versions are released by VMware.

    • Install daily OS security updates automatically is Enabled by default. The Sensor automatically installs new security updates when they are released by Ubuntu.

    • Syslog streaming is Disabled by default. If you set it to Enabled, you can stream the system logs from the Ubuntu server hosting the appliance to a remote syslog server. This feature streams all files from the /var/logs directory (such as auth.log, kernel.log, etc.). It can be used for enhanced security. For example, by setting a policy of using sudo to run privileged commands combined with syslog streaming, the history of all privileged commands run on the system will be logged to the remote log server.

      You must define at least one destination server in the displayed Syslog Destinations list. For each destination, select the Protocol (UDP or TCP) then enter a Host (IP address or FQDN) and Port (default is port 514).

      Use the Actions column to delete the entry (click the delete icon) or reset the port (click the reload icon).

  3. Save the system changes

    When you are done, click the Save and deploy button. Otherwise click Cancel to discard any changes.

    The User Portal displays a pop-up prompt to stop you from navigating away with unsaved changes.

  4. Update the Sensor configuration

    Once you have made your desired changes and saved them, click the Retrigger configuration button to reload the Sensor configuration.
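The syslog streaming option in step 2 is only useful if someone reads what arrives at the remote server. As an added example (not from the VMware guide), the following parses the sudo entries that auth.log forwards over RFC 3164 syslog framing into a privileged-command audit trail and separates denied attempts; the sample stream, hostname, users and commands are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of what the remote syslog server receives from a Sensor
# with Syslog streaming enabled (RFC 3164 framing as sent to port 514).
# Hostname, users and commands are made up; <85> is authpriv.notice, the
# priority sudo logs with, <38> is auth.info used here for an sshd line.
SAMPLE_STREAM = """\
<85>Jan 10 12:34:56 sensor01 sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/systemctl status ssh
<85>Jan 10 12:35:10 sensor01 sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/tail -n 50 /var/log/auth.log
<85>Jan 10 12:36:02 sensor01 sudo: operator : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/operator ; USER=root ; COMMAND=/bin/bash
<85>Jan 10 12:36:40 sensor01 sudo: operator : command not allowed ; TTY=pts/1 ; PWD=/home/operator ; USER=root ; COMMAND=/usr/sbin/visudo
<38>Jan 10 12:37:00 sensor01 sshd[2231]: Accepted publickey for admin from 10.0.0.5 port 51422 ssh2
"""

# <PRI>MMM dd HH:MM:SS host tag[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# sudo's own log line: "user : [reason ; ]TTY=... ; PWD=... ; USER=... ; COMMAND=..."
# The optional reason ("3 incorrect password attempts", "command not allowed")
# is only present when the invocation was denied.
SUDO_RE = re.compile(
    r"^\s*(?P<user>\S+) : (?:(?P<reason>[^;]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<command>.*)$"
)


@dataclass
class SudoEvent:
    host: str
    timestamp: str
    user: str
    target_user: str
    command: str
    reason: Optional[str]  # None for a successful invocation

    @property
    def denied(self) -> bool:
        return self.reason is not None


def parse_sudo_events(stream: str) -> List[SudoEvent]:
    """Extract sudo audit records from a stream of syslog lines; other tags are skipped."""
    events: List[SudoEvent] = []
    for line in stream.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or m.group("tag").strip() != "sudo":
            continue
        s = SUDO_RE.match(m.group("msg"))
        if not s:
            continue  # e.g. "pam_unix(sudo:session): session opened" lines
        events.append(SudoEvent(
            host=m.group("host"),
            timestamp=m.group("ts"),
            user=s.group("user"),
            target_user=s.group("target"),
            command=s.group("command"),
            reason=s.group("reason"),
        ))
    return events


def privileged_command_history(stream: str):
    """(user, command) for every privileged command that actually ran."""
    return [(e.user, e.command) for e in parse_sudo_events(stream) if not e.denied]


def denied_attempts(stream: str):
    """(user, reason, command) for every sudo invocation that was refused."""
    return [(e.user, e.reason, e.command) for e in parse_sudo_events(stream) if e.denied]


if __name__ == "__main__":
    for user, cmd in privileged_command_history(SAMPLE_STREAM):
        print(f"ran   {user}: {cmd}")
    for user, why, cmd in denied_attempts(SAMPLE_STREAM):
        print(f"DENIED {user} ({why}): {cmd}")
```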

Monitor appliances

The User Portal provides logging and metrics information on the Appliances page.

  • The Appliances Action logs tab displays status changes made to the current appliance.

  • The Appliances Monitoring logs tab displays the monitoring logs from the selected appliance(s).

  • The Appliances Metrics tab contains a number of sub-tabs that you use to monitor the VMware NSX Network Detection and Response. The sub-tabs display statistics about the state of the appliances, the artifacts and email messages that have been processed, network traffic that has been observed and processed, system loads, ICAP transactions, and the records used for network analysis.

Backup appliances

Use the tabs on the Admin Backup page to configure and manage periodic backups, and if needed, restores, of the On-Premises installation of the VMware NSX Network Detection and Response. A backup consists of the user data stored on the Manager, including network events and traffic captures, analyzed files, and analysis results.

The Backup page consists of the following tabs:

  • Jobs tab Display a list of backup jobs.

  • Restore tab Select a backup and restore it on the system.

  • Configure backups tab Configure a named backup process.

  • Configure storage tab Configure and manage backup storage locations.

About the jobs tab

Use the Jobs tab to view the list of backup jobs. Set a range of dates. Click the From or To buttons to open a calendar widget. You can also enter a date directly in the From or To textboxes using the format YYYY-MM-DD. Then click the Apply (reload) button to search for relevant backup jobs.

The Backups jobs list displays the backup jobs that were found in the selected date range. The list includes the following fields:

  • Start time The date and time the backup was started.

  • Duration The length of time the backup took.

  • Size The size of the backup.

  • Job type The type of job (for example, Backup or Restore).

  • Backup name The name of the backup configuration.

  • Backup type The type of backup (for example, Full or Incremental).

  • Job status The status of the job (for example, Waiting, Running, Success, or Failed). Click the reload icon to refresh the list.

About the backups tab

Use the Configure backups tab to configure and manage your backups. If there is at least one backup, it displays the existing backup configurations in the Backup Configuration list. The list includes the following fields:

  • Name The name of the backup configuration.

  • Storage The name of the configured backup storage.

  • Last backup type Either Full or Incremental.

  • Last backup start The date and time the last backup started.

  • Last backup end The date and time the last backup ended.

  • Last backup status Possible values are Waiting, Running, Success, or Failed.

Use the quick search field above the Backup Configuration list to find a specific backup configuration.

Warning:

You can delete backup configurations from this tab. Deleting a configuration does not delete any of your backups. It only removes the access information.

About the storage tab

Use the Configure storage tab to define and manage the backup storage locations. VMware NSX Network Detection and Response backups can be stored to an Amazon S3 bucket or to an SSH server. The tab has two sections:

Storage configuration

The Storage configuration section may contain two lists: the SSH configurations list and the Amazon S3 configurations list. These lists are only displayed if there is at least one storage back-end of the corresponding type.

Use the quick search field above the lists to find a specific backup storage entry.

Warning:

You can delete backup storage configurations from this tab. Deleting a configuration does not delete any of your backups. It only removes the access information.

SSH

An SSH server can be used to store backups. Key-based authentication must be configured to allow the Manager to connect to the SSH server.

Important:

The server you select for your SSH storage backend must be running a Linux operating system. Ubuntu SSH servers have been tested and are supported. Using a Windows server is not supported.

Important:

Do not use the Manager or its child appliances to store the backups.

The SSH configurations list includes the following fields:

  • Storage name The name of the storage location.

  • Server name Hostname or IP address of the SSH server where backups will be stored.

  • Server base Base path on the SSH server where the backups will be stored.

  • Username User account used to access the SSH server.

  • SSH key SSH Key used to authenticate to the SSH server.

  • SSH port The port used to connect to the SSH server.

Amazon S3

Amazon Simple Storage Service (Amazon S3) is an object storage service of Amazon Web Services (AWS). You must have an IAM account that gives you full read and write access to the S3 bucket to be used as the data storage for your backups.

The Amazon S3 configurations list includes the following fields:

  • Storage name The name of the storage location.

  • AWS key ID The access ID generated by AWS for the authorized account.

  • Bucket name The name of the S3 bucket.

SSH key management

If there is at least one SSH key, the SSH Key Management list is displayed. It includes the following fields:

  • Name The name of the SSH key.

  • Public key Clicking the View pub key button displays the public key in a pop-up.

  • Key size The number of bits in the key.

Configure backups

The creation and management of VMware NSX Network Detection and Response backups is performed using the Configure backups and Configure storage tabs.

Before you can create a backup configuration, you must first define a backup storage location to use. The system supports storing backups to an Amazon S3 bucket or to an SSH server.

  1. Navigate to the Configure storage tab

    From the Main navigation menu, click Admin. On the Admin page, select Backup from left sidebar menu. Then on the Backup page, click the Configure storage tab.

  2. Optional: Add an SSH key

    If your storage back-end is an SSH server, generate an SSH key.

    Click the New SSH key button to add an SSH key. If there is an existing SSH key, click the plus icon to add another.

    In the Add SSH Key pop-up, provide the following:

    • Key name Enter a name for the key.

    • Key size Select the size from the pull-down menu. The recommended key size is 2048 bits. For more security, you can select 4096 or 8192. The system will warn you of the longer processing time to generate a larger key.

    Click the Generate key button. When the process completes, click the Close button.

  3. Add a storage back-end

    Click the New storage button to add a storage back-end. If there is an existing storage back-end defined, click the plus icon to add another.

    The Add storage pop-up is displayed.

  4. Define the storage name

    Enter a Name for the storage back-end.

  5. Select the storage type

    From the Type drop-down menu, select the storage type. Select Amazon S3 or SSH.

    If you select Amazon S3, fill in the Amazon S3 configuration section:

    • Bucket name Enter the name of the S3 Bucket to be used for backup.

    • AWS key ID Enter the access key ID generated by AWS for the account.

    • AWS secret key Enter the secret access key generated by AWS for the account.

    • Destination Select the destination from the pull-down menu. Select Amazon AWS cloud (the default) or Private cloud. If you select Private cloud, the following additional fields are added to the pop-up.

    • Host Enter the hostname or IP address of the private cloud provider.

    • Port Select the port number to use. By default, this is port 443.

    • Use System Proxy Set the toggle to determine if the system proxy is to be used.

    Note:

    To obtain the AWS key ID and AWS secret key, log in to your AWS IAM dashboard and select the appropriate account (this account must have appropriate permissions). On the Summary page, select the Security credentials tab. Click Create access key to generate a new Access key ID and Secret access key.

    AWS lets you download these credentials in a .csv file.

    If you select SSH, fill in the SSH configuration section:

    • Server name Set the hostname or IP address of SSH server.

    • Server base Enter the base path where the backups will be stored on the SSH server. This directory must exist on the SSH server and be writable by the configured user.

    • Username Enter the username of the account that will be used to access the SSH server. This user must exist on the SSH server and support login with public key authentication using the configured SSH Key.

    • SSH key From the pull-down menu, select the SSH key to use to authenticate to the SSH server. If there is no SSH key available or you want to use a different key, click plus to add a new SSH key.

      To enable access for the backup to the SSH server, you must add the SSH key to the SSH server. From the SSH Key Management list, click the View pub key button to view the key. Then copy and paste it into the ~/.ssh/authorized_keys file in the home directory of the configured user.

    • SSH port Select the SSH port to use to connect to the SSH server. The default port is 22.

    Once the storage location for either Amazon S3 or SSH is properly configured, click the Add button to save your changes and dismiss the pop-up.

  6. Navigate to the Configure backup tab

    From the Configure storage tab on the Backup page, click the Configure backup tab.

  7. Add a backup configuration

    Click the New configuration button to add a backup configuration. If there is an existing backup defined, click the plus icon to add another.

    The Add backup configuration pop-up is displayed.

  8. Define the backup configuration name

    Enter a Name for the backup configuration.

  9. Select the storage back-end

    From the Storage drop-down menu, select the storage back-end. The menu is populated with the storage back-ends defined in steps 3 through 5.

  10. Optional: Provide an encryption key

    In the Encryption key field, enter a text string to use as an encryption key. The VMware NSX Network Detection and Response uses AES-256 in CBC mode to encrypt the backup data before it is transferred to the backup storage.

  11. Optional: Select essential files only

    To speed up the backup process, you can enable the Essential files only toggle (disabled by default). When you enable this toggle, the system backs up only the VMware backend database, not any PCAP or analysis files.

  12. Set the backup frequency

    Click the Full Backup Configuration link and provide the following:

    • Full Backup Frequency Select when to perform a backup from the pull-down menu. If you select Manual (the default), the configuration is complete. If you select Yearly, Monthly, Weekly, or Daily, then you must provide specific date and time parameters.

    Click the Incremental Backup Configuration link and provide the following:

    • Incremental Backup Frequency Select when to perform a backup from the pull-down menu. If you select Manual (the default), the configuration is complete. If you select Yearly, Monthly, Weekly, or Daily, then you must provide specific date and time parameters.

  13. Save the backup configuration

    Once the backup is properly configured, click the Add Config button to save your changes and dismiss the Add backup configuration pop-up.
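Step 5's SSH storage section states three server-side preconditions: the base path must exist and be writable, the user must accept public-key login, and the key shown by View pub key must be in that user's ~/.ssh/authorized_keys. The following added example (not the guide's or the product's own code) prepares and checks those preconditions on the SSH server; the home directory, base path and public key it uses are constructed for the example.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, Tuple

# Key types sshd accepts in authorized_keys; the Manager generates RSA keys.
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

# Constructed stand-in for the text shown by "View pub key" (not a real key).
EXAMPLE_PUBKEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0constructedexamplekey backup@manager"


def parse_public_key(pubkey: str) -> Tuple[str, str]:
    """Return (type, base64 body) of an OpenSSH public key line; the comment is ignored."""
    parts = pubkey.strip().split()
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("not an OpenSSH public key line")
    return parts[0], parts[1]


def install_backup_key(home_dir: Path, pubkey: str) -> bool:
    """Authorize the Manager's key for the backup user.

    Returns True if the key was appended, False if it was already present.
    Enforces the modes sshd requires before it will honour the file
    (0700 on ~/.ssh, 0600 on authorized_keys); a looser mode silently
    disables public-key login, which then shows up as a failed backup.
    """
    key_type, body = parse_public_key(pubkey)
    ssh_dir = home_dir / ".ssh"
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)          # mkdir's mode is subject to umask
    auth = ssh_dir / "authorized_keys"
    auth.touch(mode=0o600, exist_ok=True)
    os.chmod(auth, 0o600)
    for line in auth.read_text().splitlines():
        try:
            if parse_public_key(line) == (key_type, body):
                return False           # idempotent: same key, same body
        except ValueError:
            continue                   # comments or option-prefixed lines
    with auth.open("a") as fh:
        fh.write(pubkey.strip() + "\n")
    return True


def check_server_base(base: Path) -> str:
    """Verify the 'Server base' directory exists and is writable by this user.

    Returns 'ok' or a short reason. A real write probe is used instead of
    mode bits so that read-only mounts and ACLs are caught too.
    """
    if not base.is_dir():
        return "missing"
    probe = base / f".ndr-backup-probe-{os.getpid()}"
    try:
        probe.touch()
        probe.unlink()
    except OSError:
        return "not writable"
    return "ok"


def demo() -> Dict[str, object]:
    """Exercise the helpers in a throwaway directory standing in for the backup user's home."""
    home = Path(tempfile.mkdtemp())
    base = home / "backups"
    base.mkdir()
    result: Dict[str, object] = {
        "first_add": install_backup_key(home, EXAMPLE_PUBKEY),
        "second_add": install_backup_key(home, EXAMPLE_PUBKEY),
        "entries": (home / ".ssh" / "authorized_keys").read_text().count(EXAMPLE_PUBKEY.split()[1]),
        "ssh_dir_mode": stat.S_IMODE((home / ".ssh").stat().st_mode),
        "auth_mode": stat.S_IMODE((home / ".ssh" / "authorized_keys").stat().st_mode),
        "base_ok": check_server_base(base),
        "missing_base": check_server_base(home / "does-not-exist"),
    }
    try:
        install_backup_key(home, "not a key")
        result["bad_key_rejected"] = False
    except ValueError:
        result["bad_key_rejected"] = True
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```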

Restore a backup

The VMware NSX Network Detection and Response provides a mechanism to restore the system from a backup in the event of a critical data loss.

  1. Navigate to the Restore tab

    From the Main navigation menu, click Admin. On the Admin page, select Backup from left sidebar menu. Then on the Backup page, click the Restore tab.

  2. Select a storage location, host, and date range

    By default, the Date range is one month prior to the current date. The other parameters are blank.

    Select Storage from the associated pull-down menu. Select Hostname from the associated pull-down menu. Click the From or To buttons to open a calendar widget. You can also enter a date directly in the From or To textboxes using the format YYYY-MM-DD. Then click the Apply (reload) button to search for relevant backup jobs.

    The User Portal displays a Restore backups list. It includes the following fields:

    • Timestamp The date and time the backup was performed.

    • Config name The name of the backup configuration.

    • Storage name The name of the backup storage location.

    • Backup type The type of backup (for example, Full or Incremental).

    • Path The path to the backup on the storage location.

    • Encrypted If the backup is encrypted, this is True. At the end of the row is the Restore backup button.

  3. Select a backup

    Select the backup to restore from the Restore backups list. Click the Restore backup button of its row. Since this is a destructive action, the system forces you to confirm before the restore is started.

    The Restore backup confirmation pop-up displays the Storage name, Configuration name, Backup timestamp, Backup path, Backup type, and Encryption status. Click the checkbox before the prompt Yes, I am sure I want to restore this backup. Then click the Restore button.

Depending on the amount of data in the backup, the restore process can take a considerable amount of time, during which the User Portal interface will be unresponsive. As soon as the process has completed successfully, you will be able to access the interface using one of the accounts that were restored by the backup.

Note:

The restore process resets credentials to their state at the time of the backup. Any credentials that were added or modified after the backup was taken will need to be manually updated or recreated.

Recover from disaster

To recover from a disaster, you may need to restore a VMware NSX Network Detection and Response appliance from your backups. Contact VMware Support for assistance with licenses and other issues.

Warning:

Restoring from a backup will overwrite any data on the appliance, replacing it with the data contained in the backup.

Note:

If the Manager was re-installed as part of the backup restore process, the system might have invalidated API credentials, such as the API-token used to access the Analyst-API. As a result, external Engine appliances need to be re-configured using the lastline_engine_config -f command. For details, refer to the Engine Installation and Administration guide.

Restoring from a backup is performed with the following steps:

  1. Install a new system

    Install a new system with the same hostname and VMware licenses as the appliance from which the backups were performed. VMware Support will need to re-initialize the licenses.

  2. Provide a storage location

    On the newly installed system, use the Configure storage tab to provide a storage location from which the backup will be retrieved. Most fields of this configuration will need to match the values that were previously used.

  3. Perform a restore

    On the newly installed system, select a backup and perform the restore.

Notifications

The VMware NSX Network Detection and Response can send notifications to various third party systems. Configure the required connections and triggers on the tabs of the Notifications page.

About notification triggers

Notifications can be triggered by different classes of events.

When configuring a notification, you must specify which trigger(s) will enable notifications. Each trigger can have customized settings. When the notification is first created, a default list of triggers will be selected with default settings.

A notification will have one or more trigger groups. A trigger group is a list of triggers.

Each row that is highlighted blue is an enabled trigger. Click the checkbox to toggle the trigger to disabled. Click the edit icon to modify the trigger parameters.

The entire trigger group can be toggled by clicking the Enabled button in the trigger group header. This collapses the trigger group and sets all the now hidden triggers to disabled. You cannot save the notification if it has only one trigger group and you have disabled it.

Modify trigger parameters

To modify a trigger, update the following:

Min interval

The minimum amount of time between notifications. Select Minutes (the default) or Hours.

Threshold

The minimum impact level which will trigger the notification. The impact level range is 30 to 100. Any event with an impact level below 30 is considered benign and will not trigger a notification.

Max Daily

Maximum number of notifications that can be triggered over a 24 hour period.

When you are done, click the Update trigger button. The parameters are saved and the pop-up dismissed.

Click Reset to return the trigger to the previously saved parameters.

Click Defaults to reset the trigger parameters to default values.

Click Cancel to dismiss the pop-up without saving any changes.

Sensor group notifications

All members of a sensor group belong to the same license. The recommended method is to apply the notification parameters to the license. Otherwise, you must configure the notification parameters individually for each sensor in the sensor group. Using a sensor group to configure notifications for a set of sensors is not supported (see About sensor groups).

  • Notifications for network events are sent from the individual sensors. For an On-Premises installation, you can configure notifications to be sent from the manager.

  • Notifications for the intrusions are sent from the main sensor for the sensor group.

  • There are no separate notifications for incidents.

CAUTION:

Under certain circumstances, intrusion notifications may not work correctly:

  1. If notifications are sent from the sensors

  2. The sensors belong to a sensor group

  3. The group identifier is tied to a virtual sensor or to a sensor that is currently not running

The workaround is to ensure the group identifier source is an existing physical sensor.

Configure email notifications

Configure email notifications for the VMware NSX Network Detection and Response appliances using the Email notification tab. These email notifications can be configured with various options, such as the frequency of alerts, maximum number of alerts in a day, and the types of alerts that trigger a notification. In addition to these settings, the syntax of the email subjects can be modified to your preference.

You can create a new notification or edit an existing notification.

  1. Navigate to the Email notification tab

    From the Main navigation menu, click Admin. On the Admin page, select Notifications from left sidebar menu. The Email notification tab is the default on the Notifications page.

  2. Configure a new notification

    Click the plus icon to add a notification.

  3. Select the license and appliance

    In the Appliance field, select the appliance or sensor that triggers the notifications.

    Use the License pull-down menu to select from a license:

    • All licenses Automatically selects all sensors and disables the Sensor pull-down menu.

    • All sensors Use the Sensor pull-down menu to select a sensor from any license.

    • Specific license Use the Sensor pull-down menu to select All sensors for that license or any specific sensor.

  4. Set the daily limit

    In the Daily limit field, set the maximum number of notifications to send within a 24 hour period. 0 (zero) means unlimited.

  5. Select the timezone

    Select the Timezone within which daily limits are computed. By default, the current system timezone is selected.

  6. Enable or disable notification

    When the Enable/disable notification button is Enabled, notifications are enabled upon being saved. This is the default. Notifications can be enabled or disabled at any time.

  7. Optional: Set the template overrides

    The Template Overrides allow you to configure what the email subject will look like when the triggers send email.

    The different overrides are broken down by the matching trigger type:

    • Network

    • Mail

    • Appliance

    • Audit

    • Intel

    • Intrusion

    If you don't provide an override, the Default Template for the trigger type is used.

  8. Define the recipients

    List the Recipients of the email notifications. This can be either an individual user or a list of users. A valid email address must be specified for each recipient.

    This field is prepopulated with a drop-down menu of the email addresses of the known users. You can select one or more entries from the menu or directly enter an email address.

  9. Select the triggers

    Select the appropriate triggers for the notification.

    • When Appliance triggers are Enabled, notifications are sent when an appliance check-in occurs or a status message is received.

    • When Audit triggers are Enabled, notifications are sent when an audit event occurs.

    • When Network triggers are Enabled, notifications are sent when a drive-by attack was detected, fake Anti-virus software communication was detected, malware Command & Control traffic was detected, a malicious file was downloaded, suspicious activity was detected, a suspicious or malicious URL was accessed, unwanted software (such as adware) was detected, or a test event was triggered.

    • When Intrusion triggers are set to Enabled, notifications are sent when an intrusion event occurs.

    • When Mail triggers are set to Enabled, notifications are sent when analysis detected a suspicious email, a malicious email attachment, or a malicious URL in an email message.

    • When Intelligence triggers are Enabled, notifications are sent when an intelligence rule is matched against an analysis task.

      Note:

      The Intelligence triggers are available only when All licenses is selected.

    • When Network IoC triggers are Enabled, notifications are sent when a domain name or an IP address was identified as a potential Indicator of Compromise.

    Note:

    Some notification types only support a subset of these trigger categories.

    For further information, see About notification triggers. Also see Sensor group notifications for some caveats about notifications and sensor groups.

  10. Save the configuration

    Once the notification is properly configured, click the Save button to apply the changes. The Email notification configuration summary pop-up is displayed. When you close it, the Email notifications list is displayed in the Email notification tab.

Configure HTTP notifications

Configure HTTP or HTTPS notifications for the VMware NSX Network Detection and Response using the Generic HTTP notification tab. These notifications can be configured with various options, such as the frequency of alerts, maximum number of alerts in a day, and the types of alerts that trigger a notification.

See the VMware NSX Network Detection and Response HTTP Post Integration guide for additional configuration details.

You can create a new notification or edit an existing notification.

  1. Navigate to the Generic HTTP notification tab

    From the Main navigation menu, click Admin. On the Admin page, select Notifications from left sidebar menu. Then on the Notifications page, click Generic HTTP notification.

  2. Configure a new notification

    Click the plus icon to add a notification.

  3. Select the license and appliance

    In the Appliance field, select the appliance or sensor that triggers the notifications.

    Use the License pull-down menu to select from a license:

    • All licenses: Automatically selects all sensors and disables the Sensor pull-down menu.

    • All sensors: Use the Sensor pull-down menu to select a sensor from any license.

    • Specific license: Use the Sensor pull-down menu to select All sensors for that license or any specific sensor.

  4. Set the daily limit

    In the Daily limit field, set the maximum number of notifications to send within a 24 hour period. 0 (zero) means unlimited.

  5. Select the timezone

    Select the Timezone within which daily limits are computed. By default, the current system timezone is selected.

  6. Enable or disable notification

    When the Enable/disable notification button is Enabled, notifications are enabled upon being saved. This is the default. Notifications can be enabled or disabled at any time.

  7. Specify the POST URL

    In the POST URL section, specify the URL that the notification will be posted to:

    • Select the protocol, HTTPS:// or HTTP://, from the pull-down menu.

    • Enter a fully qualified domain name or an IP address.

    • By default, the Port is selected for HTTPS (443) or HTTP (80). Change this if the host is listening on another port.

    • Provide the Path (which may be a path, query strings, or both) required for the POST request to succeed.

  8. Optional: Set the proxy

    When HTTP Proxy is Enabled, the POST request uses the configured system proxy.

  9. Verify the SSL certificate

    When Verify SSL Cert is Enabled, the SSL certificate must be valid in order for the POST request to succeed.

  10. Select the HTTP source

    In the HTTP Source section, select the source from the pull-down menu. Select Manager or Sensor.

    Selecting Manager allows you to centralize your notification source at the Manager.

    Selecting Sensor allows you to distribute the notifications across your network to the specific Sensor that generated the alert.

    Note:

    This option is only available for On-Premises installations.

  11. Select the body format

    In the Post Body Format section, select the format of the body of the POST request from the pull-down menu. Select JSON or XML.

  12. Include PCAP data

    When Include PCAP is Enabled, notification messages include a base-64-encoded dump of the packet capture associated with the event.

  13. Select the triggers

    Select the appropriate triggers for the notification.

    • When Appliance triggers are Enabled, notifications are sent when an appliance check-in occurs or a status message is received.

    • When Audit triggers are Enabled, notifications are sent when an audit event occurs.

    • When Network triggers are Enabled, notifications are sent when a drive-by attack was detected, fake Anti-virus software communication was detected, malware Command & Control traffic was detected, a malicious file was downloaded, suspicious activity was detected, a suspicious or malicious URL was accessed, unwanted software (such as adware) was detected, or a test event was triggered.

    • When Intrusion triggers are set to Enabled, notifications are sent when an intrusion event occurs.

    • When Mail triggers are set to Enabled, notifications are sent when analysis detected a suspicious email, a malicious email attachment, or a malicious URL in an email message.

    • When Intelligence triggers are Enabled, notifications are sent when an intelligence rule is matched against an analysis task.

      Note:

      The Intelligence triggers are available only when All licenses is selected.

    • When Network IoC triggers are Enabled, notifications are sent when a domain name or an IP address was identified as a potential Indicator of Compromise.

    Note:

    Some notification types only support a subset of these trigger categories.

    For further information, see About notification triggers. Also see Sensor group notifications for some caveats about notifications and sensor groups.

  14. Optional: Enable a proxy sensor

    For a Hosted installation, Audit and Intelligence events occur on the VMware backend. A proxy device is required to relay notifications when these triggers are Enabled. The Proxy sensor setting allows you to select a Sensor to relay the notifications:

    • Select a License from the pull-down menu. Select All licenses or a specific license.

    • Select a Sensor from the pull-down menu.

  15. Save the configuration

    Once the notification is properly configured, click the Save button to apply the changes. The Generic HTTP notification configuration summary pop-up is displayed. When you close it, the Generic HTTP notifications list is displayed in the Generic HTTP notification tab.

Configure streaming notifications

Use the Streaming API tab to create a notification stream that delivers information about the events selected by its trigger configuration. As with other notification types, triggers can be tailored by frequency, quantity per day, and the specific types of alerts.

See the VMware NSX Network Detection and Response Streaming API Integration guide for additional configuration details.

You can create a new notification or edit an existing notification.

  1. Navigate to the Streaming API tab

    From the Main navigation menu, click Admin. On the Admin page, select Notifications from the left sidebar menu. Then on the Notifications page, click Streaming API.

  2. Configure a new notification

    Click the plus icon to add a notification.

  3. Select the license and appliance

    In the Appliance field, select the appliance or sensor that triggers the notifications.

    Use the License pull-down menu to select from a license:

    • All licenses: Automatically selects all sensors and disables the Sensor pull-down menu.

    • All sensors: Use the Sensor pull-down menu to select a sensor from any license.

    • Specific license: Use the Sensor pull-down menu to select All sensors for that license or any specific sensor.

  4. Set the daily limit

    In the Daily limit field, set the maximum number of notifications to send within a 24 hour period. 0 (zero) means unlimited.

  5. Select the timezone

    Select the Timezone within which daily limits are computed. By default, the current system timezone is selected.

  6. Enable or disable notification

    When the Enable/disable notification button is Enabled, notifications are enabled upon being saved. This is the default. Notifications can be enabled or disabled at any time.

  7. Provide a stream name

    Enter a unique name for the stream in the Stream name textbox.

  8. Include PCAP data

    When Include PCAP is Enabled, notification messages include a base-64-encoded dump of the packet capture associated with the event.

  9. Select the triggers

    Select the appropriate triggers for the notification.

    • When Appliance triggers are Enabled, notifications are sent when an appliance check-in occurs or a status message is received.

    • When Audit triggers are Enabled, notifications are sent when an audit event occurs.

    • When Network triggers are Enabled, notifications are sent when a drive-by attack was detected, fake Anti-virus software communication was detected, malware Command & Control traffic was detected, a malicious file was downloaded, suspicious activity was detected, a suspicious or malicious URL was accessed, unwanted software (such as adware) was detected, or a test event was triggered.

    • When Intrusion triggers are set to Enabled, notifications are sent when an intrusion event occurs.

    • When Mail triggers are set to Enabled, notifications are sent when analysis detected a suspicious email, a malicious email attachment, or a malicious URL in an email message.

    • When Intelligence triggers are Enabled, notifications are sent when an intelligence rule is matched against an analysis task.

      Note:

      The Intelligence triggers are available only when All licenses is selected.

    • When Network IoC triggers are Enabled, notifications are sent when a domain name or an IP address was identified as a potential Indicator of Compromise.

    Note:

    Some notification types only support a subset of these trigger categories.

    For further information, see About notification triggers. Also see Sensor group notifications for some caveats about notifications and sensor groups.

  10. Save the configuration

    Once the notification is properly configured, click the Save button to apply the changes. The Streaming API notification configuration summary pop-up is displayed. When you close it, the Streaming API notifications list is displayed in the Streaming API tab.

Configure Syslog notifications

Use the Syslog tab to specify a Security Information and Event Management (SIEM) appliance and/or syslog server to which VMware NSX Network Detection and Response events are sent. These notifications can be configured with various options, such as the frequency of notifications, the maximum number of notifications in a day, and the types of alerts that trigger the notifications.

See the VMware NSX Network Detection and Response Syslog Integration guide for additional configuration details.

You can create a new notification or edit an existing notification.

  1. Navigate to the Syslog tab

    From the Main navigation menu, click Admin. On the Admin page, select Notifications from the left sidebar menu. Then on the Notifications page, click Syslog.

  2. Configure a new notification

    Click the plus icon to add a notification.

  3. Select the license and appliance

    In the Appliance field, select the appliance or sensor that triggers the notifications.

    Use the License pull-down menu to select from a license:

    • All licenses: Automatically selects all sensors and disables the Sensor pull-down menu.

    • All sensors: Use the Sensor pull-down menu to select a sensor from any license.

    • Specific license: Use the Sensor pull-down menu to select All sensors for that license or any specific sensor.

  4. Set the daily limit

    In the Daily limit field, set the maximum number of notifications to send within a 24 hour period. 0 (zero) means unlimited.

  5. Select the timezone

    Select the Timezone within which daily limits are computed. By default, the current system timezone is selected.

  6. Enable or disable notification

    When the Enable/disable notification button is Enabled, notifications are enabled upon being saved. This is the default. Notifications can be enabled or disabled at any time.

  7. Enter the server location and port

    In the SIEM Server section, Location is the hostname or IP address of the SIEM appliance that the SIEM messages are sent to. If the SIEM source is a Sensor, this must be a SIEM appliance reachable from the Sensor; otherwise it must be reachable from the Manager.

    Port is the port to which the Manager or Sensor sends SIEM syslog messages for the associated appliance.

  8. Enter the server name

    Provide a SIEM Hostname. This is the hostname that appears in the prefix of the syslog message, which has the format timestamp {SIEM Hostname} siem_message. In the following example, the SIEM Hostname is example_ll_sensor:

    20:47:12 CDTSep 04 02:13:16 example_ll_sensor CEF:0|Lastline|Defender|9.1|test-event|User triggered test event|1|cn1=10 cn1Label=impact cn2=44 cn2Label=notification_config_id devTime=Sep 03 2019 21:13:16 CDT devTimeFormat=MMM dd yyyy HH:mm:ss z externalId=4fac11b7611643e094ae910d155a0f8e

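
    As an added example (not part of the original guide), the following Python parses a syslog line in this format: it takes the SIEM Hostname from the syslog prefix, splits the seven CEF header fields while honouring the \| escape, and resolves the cn1/cn1Label pairs into named values such as impact. The first sample is the line quoted above; the second is a constructed line that exercises the escape handling.

```python
import re
from typing import Any, Dict, List, Tuple

# The CEF line quoted in the Syslog step above (timestamp, SIEM Hostname, CEF message).
SAMPLE_CEF = (
    "20:47:12 CDTSep 04 02:13:16 example_ll_sensor CEF:0|Lastline|Defender|9.1|"
    "test-event|User triggered test event|1|cn1=10 cn1Label=impact cn2=44 "
    "cn2Label=notification_config_id devTime=Sep 03 2019 21:13:16 CDT "
    "devTimeFormat=MMM dd yyyy HH:mm:ss z externalId=4fac11b7611643e094ae910d155a0f8e"
)

# Constructed line (not from the guide) exercising the CEF '\|' and '\=' escapes.
SAMPLE_ESCAPED = (
    "Sep 04 02:14:00 sensor-a CEF:0|Lastline|Defender|9.1|test-event|"
    "Name with \\| pipe|5|src=10.0.0.7 msg=a\\=b"
)

# Header field names that follow the "CEF:<version>" element, in wire order.
CEF_HEADER_FIELDS = ("vendor", "product", "device_version", "signature_id", "name", "severity")
# An extension key is a run of word characters immediately followed by '='.
_KEY_RE = re.compile(r"(\w+)=")


def _split_header(body: str, n: int = 7) -> Tuple[List[str], str]:
    """Split the first n '|'-delimited header fields (version + 6 named fields),
    honouring the '\\|' escape. Whatever follows the n-th pipe is the extension,
    where pipes are literal and must not be split on."""
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(body) and len(fields) < n:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            buf.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    return fields, body[i:]


def _parse_extension(ext: str) -> Dict[str, str]:
    """Extension values may contain spaces (devTime=Sep 03 2019 21:13:16 CDT), so a
    value runs from its '=' up to the start of the next 'key=' token."""
    hits = list(_KEY_RE.finditer(ext))
    out: Dict[str, str] = {}
    for idx, m in enumerate(hits):
        end = hits[idx + 1].start() if idx + 1 < len(hits) else len(ext)
        value = ext[m.end():end].strip()
        out[m.group(1)] = value.replace("\\=", "=").replace("\\\\", "\\")
    return out


def parse_siem_line(line: str) -> Dict[str, Any]:
    """Parse one syslog line in the CEF log format and resolve cnN/csN values to
    the names given by their cnNLabel/csNLabel companions (cn1=10 cn1Label=impact)."""
    prefix, marker, body = line.partition("CEF:")
    if not marker:
        raise ValueError("no CEF message in line")
    hdr, ext = _split_header(body)
    if len(hdr) != 7:
        raise ValueError("malformed CEF header")
    fields = _parse_extension(ext)
    custom: Dict[str, Any] = {}
    for key, label in fields.items():
        m = re.fullmatch(r"(cn|cs)(\d+)Label", key)
        if m and (m.group(1) + m.group(2)) in fields:
            raw = fields[m.group(1) + m.group(2)]
            custom[label] = int(raw) if m.group(1) == "cn" else raw
    # The SIEM Hostname is the last token of the syslog prefix before "CEF:".
    record: Dict[str, Any] = {"siem_hostname": prefix.split()[-1], "cef_version": int(hdr[0])}
    record.update(zip(CEF_HEADER_FIELDS, hdr[1:]))
    record["severity"] = int(record["severity"])
    record["extension"] = fields
    record["custom"] = custom
    return record


if __name__ == "__main__":
    for sample in (SAMPLE_CEF, SAMPLE_ESCAPED):
        print(parse_siem_line(sample))
```
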
  9. Select the transport protocol

    From the Transport protocol pull-down menu, select either TCP or UDP.

  10. Select the message origin

    Use the SIEM source pull-down menu to select the source of the SIEM logs in your network. Select either Manager or Sensor.

    • Selecting Manager allows you to centralize your log source at the Manager.

    • Selecting Sensor allows you to distribute the log source across your network to the Sensor that generated the alert.

    Note:

    This option only appears on an On-Premises User Portal. For Hosted customers, the source of the SIEM logs is always a Sensor.

  11. Select the log format

    Use the SIEM log format pull-down menu to choose the format in which the SIEM logs are sent to the appliance. Select either CEF or LEEF.

  12. Include PCAP data

    When Include PCAP is Enabled, notification messages include a base-64-encoded dump of the packet capture associated with the event.

    PCAP information can only be included when the log format is LEEF.

  13. Select the triggers

    Select the appropriate triggers for the notification.

    • When Appliance triggers are Enabled, notifications are sent when an appliance check-in occurs or a status message is received.

    • When Audit triggers are Enabled, notifications are sent when an audit event occurs.

    • When Network triggers are Enabled, notifications are sent when a drive-by attack was detected, fake Anti-virus software communication was detected, malware Command & Control traffic was detected, a malicious file was downloaded, suspicious activity was detected, a suspicious or malicious URL was accessed, unwanted software (such as adware) was detected, or a test event was triggered.

    • When Intrusion triggers are set to Enabled, notifications are sent when an intrusion event occurs.

    • When Mail triggers are set to Enabled, notifications are sent when analysis detected a suspicious email, a malicious email attachment, or a malicious URL in an email message.

    • When Intelligence triggers are Enabled, notifications are sent when an intelligence rule is matched against an analysis task.

      Note:

      The Intelligence triggers are available only when All licenses is selected.

    • When Network IoC triggers are Enabled, notifications are sent when a domain name or an IP address was identified as a potential Indicator of Compromise.

    Note:

    Some notification types only support a subset of these trigger categories.

    For further information, see About notification triggers. Also see Sensor group notifications for some caveats about notifications and sensor groups.

  14. Save the configuration

    Once the notification is properly configured, click the Save button to apply the changes. The Syslog notification configuration summary pop-up is displayed. When you close it, the Syslog notifications list is displayed in the Syslog tab.

Configure TippingPoint notifications

Configure integration with the TippingPoint Security Management System (SMS) using the TippingPoint tab. This integration allows a VMware NSX Network Detection and Response server to push reputation information to the TippingPoint SMS server based on the threats it detects on the monitored network.

When malicious network behavior is detected, an appliance will, depending on configuration, push to the SMS server reputation information about the source or destination host involved in the malicious traffic. A network administrator can use this information in the policies deployed by the SMS server, for example, to automatically block traffic to hosts that the system has detected are acting as Malware Command and Control servers. In the terminology of TippingPoint SMS, these policies are called Reputation Filters.

The reputation information about a host that the system can push to TippingPoint SMS is structured into the following five tag categories:

Malware Class

String in the format:

{infected|malicious}:Malware Class Name

Malware Class Name is the name of a Malware Class as displayed in the details of the detection in the VMware NSX Network Detection and Response interface.

The prefix infected: is used for the client hosts (typically within the network) that are victims of the detected malware, such as an infected host that is calling out to a Command and Control server, or a client that was subject to a Drive-By attack.

The prefix malicious: is used for server hosts (typically outside the network) that are hosting the detected Malware, such as a Command and Control server or a web server distributing exploits or Malware binaries.

Impact

Integer in the range 1-100. The impact of the detected event. This corresponds to the impact score displayed in the event details.

Confidence

Integer in the range 1-100. The confidence of the detection.

Last Seen

Datetime. The timestamp of the most recent occurrence of the detected malicious behavior.

Event URL

URL. A URL to the details about the detection in the system interface.

Before reputation information can be pushed to an SMS server, the tag categories used by the system need to be imported into the TippingPoint SMS Server. A definition of these five tag categories, plus the three additional tag categories used by TippingPoint Reputation DV, is available for download.

  1. Navigate to the TippingPoint notification tab

    From the Main navigation menu, click Admin. On the Admin page, select Notifications from the left sidebar menu. Then on the Notifications page, click TippingPoint.

  2. Configure a new notification

    Click the plus icon to add a notification.

  3. Select the license and appliance

    In the Appliance field, select the appliance or sensor that triggers the notifications.

    Use the License pull-down menu to select from a license:

    • All licenses: Automatically selects all sensors and disables the Sensor pull-down menu.

    • All sensors: Use the Sensor pull-down menu to select a sensor from any license.

    • Specific license: Use the Sensor pull-down menu to select All sensors for that license or any specific sensor.

  4. Set the daily limit

    In the Daily limit field, set the maximum number of notifications to send within a 24 hour period. 0 (zero) means unlimited.

  5. Select the timezone

    Select the Timezone within which daily limits are computed. By default, the current system timezone is selected.

  6. Enable or disable notification

    When the Enable/disable notification button is Enabled, notifications are enabled upon being saved. This is the default. Notifications can be enabled or disabled at any time.

  7. Set the valid duration

    Using the Seconds Valid field, define for how long a notification remains valid after it is sent. While a higher-impact notification sent for a host is still valid (that is, it was sent no more than this many seconds ago), lower-impact notifications for the same host are not sent. The goal is to avoid overwriting reputation information about a high-impact threat with less critical information.

    A value of 0 disables this filter. VMware recommends values of a day or above.
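
    The following Python, added here as an example and not the product's own code, builds the five tag categories described above for a detection and applies the Seconds Valid rule from this step. The Detection record, the host addresses and the event URLs are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class Detection:
    """Constructed detection record for this example (field names are not the product's API)."""
    host: str             # IP address the reputation entry is about
    malware_class: str    # Malware Class name as shown in the detection details
    victim: bool          # True: client victim -> 'infected:'; False: hosting server -> 'malicious:'
    impact: int           # 1-100
    confidence: int       # 1-100
    last_seen: datetime   # most recent occurrence of the behaviour
    event_url: str        # link to the event details


def reputation_tags(d: Detection) -> Dict[str, str]:
    """Build the five tag categories (Malware Class, Impact, Confidence, Last Seen,
    Event URL) for one host."""
    if not (1 <= d.impact <= 100 and 1 <= d.confidence <= 100):
        raise ValueError("impact and confidence must be integers in 1-100")
    prefix = "infected" if d.victim else "malicious"
    return {
        "Malware Class": f"{prefix}:{d.malware_class}",
        "Impact": str(d.impact),
        "Confidence": str(d.confidence),
        "Last Seen": d.last_seen.isoformat(sep=" "),
        "Event URL": d.event_url,
    }


class SecondsValidFilter:
    """Seconds Valid rule: a lower-impact entry for a host is held back while a
    higher-impact entry pushed within the window is still valid, so a critical
    reputation entry is not overwritten by a less critical one. 0 disables."""

    def __init__(self, seconds_valid: int) -> None:
        self.window = timedelta(seconds=seconds_valid)
        self.enabled = seconds_valid > 0
        self._last: Dict[str, Tuple[int, datetime]] = {}  # host -> (impact, pushed_at)

    def should_push(self, d: Detection, now: datetime) -> bool:
        prev = self._last.get(d.host)
        if self.enabled and prev is not None:
            prev_impact, pushed_at = prev
            if d.impact < prev_impact and now - pushed_at <= self.window:
                return False  # suppressed; the earlier, higher-impact entry stays authoritative
        self._last[d.host] = (d.impact, now)
        return True


def plan_pushes(detections: List[Detection], seconds_valid: int) -> List[Tuple[str, Dict[str, str]]]:
    """Return the (host, tags) pairs that would be pushed, in order, treating each
    detection's last_seen as the send time."""
    flt = SecondsValidFilter(seconds_valid)
    return [(d.host, reputation_tags(d)) for d in detections if flt.should_push(d, d.last_seen)]


# Constructed sample detections (RFC 1918 / RFC 5737 addresses; URLs are placeholders).
BASE = datetime(2019, 9, 3, 21, 13, 16)
SAMPLE_DETECTIONS = [
    Detection("10.0.0.5", "Command and Control", True, 90, 80, BASE, "https://manager.example.com/event/1"),
    Detection("10.0.0.5", "Adware", True, 40, 60, BASE + timedelta(hours=1), "https://manager.example.com/event/2"),
    Detection("10.0.0.5", "Adware", True, 40, 60, BASE + timedelta(days=2), "https://manager.example.com/event/3"),
    Detection("203.0.113.9", "Command and Control", False, 95, 90, BASE, "https://manager.example.com/event/4"),
]

if __name__ == "__main__":
    # With a one-day window the low-impact Adware event one hour later is suppressed.
    for host, tags in plan_pushes(SAMPLE_DETECTIONS, 86400):
        print(host, tags)
```
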

  8. Set the server location and port

    In the SMS Server field, set the location and port of the TippingPoint SMS server.

    • Location is the hostname/IP address of the server.

    • Port is the port on which the server is listening.

  9. Select the protocol

    Use the Protocol pull-down menu to select the protocol used to connect to the TippingPoint SMS server. Select HTTP or HTTPS.

  10. Set the SMS user information

    Using the SMS Username/Password fields, set the credentials used to connect to the TippingPoint SMS server.

  11. Select the triggers

    TippingPoint SMS only supports Network triggers. Notifications are sent when a drive-by attack was detected, fake Anti-virus software communication was detected, malware Command & Control traffic was detected, a malicious file was downloaded, suspicious activity was detected, a suspicious or malicious URL was accessed, unwanted software (such as adware) was detected, or a test event was triggered.

    For further information, see About notification triggers. Also see Sensor group notifications for some caveats about notifications and sensor groups.

  12. Save the configuration

    Once the notification is properly configured, click the Save button to apply the changes. The TippingPoint notification configuration summary pop-up is displayed. When you close it, the TippingPoint notifications list is displayed in the TippingPoint tab.

Configure detection reports

You can configure and view reports that provide an overview of detections by the Sensor. These reports might help you to determine the notifications you need to configure. The reporting settings allow you to specify email addresses and choose the frequency of reports for the email reporting function.

You can create a scheduled report, generated in PDF or HTML format, or an on-demand report in PDF format.

The Reports tab displays a list of Scheduled reports. The list contains the following fields:

  • Sensor: The sensor that is providing the data. This is displayed, for example, as ABCDEFGHIJ0123456789:sensor-1.

  • Periodicity: The frequency at which reports are generated and received. This can be on a daily, weekly, monthly, or quarterly basis.

  • Format: Scheduled reports are generated in HTML or PDF format.

  • Owner: The email address of the user that created the scheduled report. This is not necessarily the email address of the recipient.

  • Enabled: The status of the scheduled report.

Create a scheduled report with the following steps:

  1. Navigate to the Reports tab

    From the Main navigation menu, click Admin. On the Admin page, select Notifications from the left sidebar menu. Then on the Notifications page, click Reports.

  2. Add a new scheduled report

    Click the New button to add a new scheduled report. The Add Scheduled Report page is displayed.

  3. Select the license and sensor

    In the Sensor field, select the License, then select the Sensor from the pull-down menus.

  4. Select the frequency

    In the Periodicity field, select the frequency of the report from the pull-down menu. Select Daily report, Weekly report, Monthly report, or Quarterly report.

  5. Select the format

    In the Format field, select the format, HTML or PDF, from the pull-down menu.

  6. Select the timezone

    In the Timezone field, select the timezone from the pull-down menu. By default, the current system timezone is selected.

  7. Select the recipients

    In the Recipients field, enter a comma separated list of email addresses. If no recipient addresses are provided, the reports are sent to your default e-mail address.

  8. Enable the report and save it

    By default, the report is Enabled. Click the checkbox to disable the scheduled report.

    Click Save when you are done. Then click Back to reports list.

Generate on-demand reports

In the On-demand Report section, you can generate an on-demand report in PDF format.

  1. Create an on-demand report

    On the Reports tab, click Generate and Download to generate and download a report. The Generate and Download PDF Report page is displayed.

  2. Select the license and sensor

    In the Sensor field, select the License, then select the Sensor from the pull-down menus.

  3. Select the date range

    In the Date range field, select Relative, then select or enter a number of days, or Absolute, then select From and To date using the pop-up calendars.

  4. Select the timezone

    In the Timezone field, select the timezone from the pull-down menu. By default, the current system timezone is selected.

  5. Download the report

    Click Download to view or save the PDF report. When you are done, click Back to reports list.

Data sources

The VMware NSX Network Detection and Response can interact with various third-party systems, ingesting data and providing additional network visibility.

  • Active Directory integration: Enhances the system by providing user information from the Domain Controllers.

  • AWS integration: Configure credentials for Amazon AWS. You can authenticate to AWS using an access key or an IAM role. Use the credentials to configure collectors for Amazon VPC flow logs.

  • DHCP integration: Configure collectors that can receive and process DHCP records produced by an external generator.

  • Flow records integration: Configure collectors that can receive flow records from third-party devices.

Active Directory integration

The integration of Active Directory technology, developed by Microsoft for Windows operating systems, enhances VMware NSX Network Detection and Response by providing additional information extracted from the Domain Controllers. This information details the Windows users that are logged in on hosts in the network. The system is thus able to associate events that occur in the monitored network with the Windows users logged in on the host. You can then immediately identify the users that have been exposed to a detected threat and take appropriate measures.

Before the Sensor can pull information from Active Directory, the Windows network must be properly configured. See the VMware NSX Network Detection and Response Active Directory Integration guide for additional configuration details and requirements.

  1. Navigate to the Active directory tab

    From the Main navigation menu, click Admin. On the Admin page, select Data sources from the left sidebar menu. The Active directory tab is the default view on the Data sources page.

  2. Select an appliance

    Enter a valid Sensor UUID in the Appliance UUID textbox or click list and select a compatible appliance from the pop-up.

  3. Add a Domain Controller

    Click the Add domain controller button to configure a Domain Controller. If you want to add another Domain Controller to an already existing configuration, click the plus icon.

    On the Add domain controller page, fill in the following:

    • Enter a Source Name. This is a label you assign to the Domain Controller so that it can be told apart from other configured Domain Controllers, which is useful when you configure several of them.

    • In the Hostname field, enter the hostname or IP address of the domain controller.

    • Set a Polling interval. The default is 60 seconds.

    • Enter a Username in the format USERNAME. This is the account used to authenticate with the Domain Controller.

    • Enter a Password. This is the password used to authenticate the username to the Domain Controller. Enter it a second time in the Confirm password field.

  4. Save the configuration

    When you are done, click Add.

Once the configuration is complete and the system has had time to gather data, you can view user login events from the configured Domain Controller servers on the Network Events page by clicking the User tab.

AWS integration

AWS Flow logs capture information about the IP traffic traversing an AWS VPC. The flow log data can be published to Amazon S3 logs and Amazon CloudWatch. You can then integrate the flow logs for ingestion by the VMware NSX Network Detection and Response.

Before the system can ingest flow logs, you must configure AWS credentials.

See the VMware NSX Network Detection and Response AWS flow logs guide for additional configuration details and requirements.

Configure AWS credentials

To obtain the Access key ID and Secret access key, log in to your AWS IAM dashboard and select the appropriate account. On the Summary page, select the Security credentials tab. Click Create access key to generate a new Access key ID and Secret access key. Amazon encourages you to download these credentials in CSV format, because there is no subsequent way of obtaining the secret access key. However, you can always create another key pair.

The IAM role should be configured with the minimal security policy recommended by ScoutSuite. An IAM role can only be used with a Sensor running as an AWS instance.

See the Sensor on AWS Deployment and Administration guide for further details.

Configure AWS authentication on the AWS credentials tab. These credentials are used for the collection of VPC flow logs or the acquisition of AWS Cloud Asset data. You can authenticate to AWS using an access key or an IAM role.

  1. Navigate to the AWS credentials tab

    From the Main navigation menu, click Admin. On the Admin page, select Data sources from the left sidebar menu. Then on the Data sources page, click AWS credentials.

  2. Select a sensor

    Click the server Appliance button at the top right of the tab, then select the appropriate appliance from the Select appliances pop-up. Click the checkbox icon in the Name column to select a specific appliance. Then click Apply reload to dismiss the pop-up.

  3. Add new AWS credentials

    Click the plus button to create a new AWS credentials entry.

    1. Enter a profile name

      In the Profile name field, enter a unique name for the AWS account. This must be the same name you used on AWS.

      For an account that has both credential types, you must create two profiles. In this case, use the same name for each profile.

    2. Select the type of credentials

      In the Credential type field, click the underlined text and select Access and Secret Key or IAM Role from the pull-down menu. Then click checkbox to save your selection or cancel/close to cancel.

      Note:

      An IAM role can only be used with an AWS Sensor instance.

    3. Enter the access key

      Enter the Access key ID generated by AWS for the account. Then click checkbox to save your selection or cancel/close to cancel.

      This column is always N/A for the IAM Role.

    4. Enter the secret access key

      Enter the Secret access key generated by AWS for the account. Then click checkbox to save your selection or cancel/close to cancel.

      This column is always N/A for the IAM Role.

    5. Set the discovery default

      Click the Discovery default toggle to select the specified profile as the cloud asset discovery default. Only one profile from the credentials list can be set as default. If the credentials for the selected profile are incomplete, it cannot be selected.

      Note:

      You must explicitly select the cloud asset discovery default profile.

  4. Optional: Delete the AWS credentials

    To delete an AWS credential, click the delete icon in the Actions column.

  5. Deploy the AWS credentials

    Click the Deploy changes button to save changes and retrigger a device configuration. Any changes that have not been deployed will be lost.

Configure an S3 collector

On AWS, configure your VPC to send flow logs to Amazon S3. See the VMware NSX Network Detection and Response AWS flow logs guide for additional configuration details and requirements.

Configure AWS credentials. You must configure Access and Secret Key credentials.

Configure the User Portal to ingest flow logs from Amazon S3.

  1. Navigate to the VPC flow logs tab

    From the Main navigation menu, click Admin. On the Admin page, select Data sources from the left sidebar menu. Then on the Data sources page, click VPC flow logs.

  2. Select a sensor

    Click the server Appliance button at the top right of the tab, then select the appropriate appliance from the Select appliances pop-up. Click the checkbox icon in the Name column to select a specific appliance. Then click Apply reload to dismiss the pop-up.

  3. Configure an S3 collector

    On the VPC flow logs tab, click plus over the S3 list to add an S3 collector.

    1. Select the profile name

      In the Profile name field, click the underlined Select text. From the pull-down menu, select the unique ID created on the AWS credentials tab. Then click checkbox to save your selection or cancel/close to cancel.

      This provides the credentials the collector uses to access the S3 bucket.

    2. Enter a collector label

      In the Label field, enter a unique name that is used to identify the collector.

    3. Enter the S3 bucket name

      In the Location field, enter the name of the S3 bucket.

    4. Optional: Enter AWS regions

      In the Regions field, enter the regions that can send flow logs to the S3 bucket.

      AWS allows you to configure multiple VPC flow logs, from multiple regions, all using the same S3 bucket. This optional parameter is used to filter flow logs by the specified regions.

      Refer to Flow Log Files for the structure of the flow log folders.

    5. Optional: Enter user accounts

      In the Accounts field, enter one or more account IDs. Like the Regions filter, this optional parameter filters flow logs by the account ID in the bucket folder path.

  4. Optional: Delete the S3 collector

    To delete an S3 collector, click the delete icon in the Actions column.

  5. Save the S3 collector

    Click Save when you are done. The Sensor will be reconfigured with the options provided.
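The Regions and Accounts filters above select flow-log objects by the folder they sit in. The following is an added example, not code from the product or its documentation; it assumes the key layout AWS documents for VPC flow logs delivered to S3 without a custom prefix (AWSLogs/account-id/vpcflowlogs/region/yyyy/mm/dd/file.log.gz) and applies the two optional filters the same way the collector describes them: an empty filter accepts everything.

```python
"""Select VPC flow-log objects in an S3 listing by region and account ID.

Added example, not part of the product. Assumes the default AWS key layout:
    AWSLogs/<account-id>/vpcflowlogs/<region>/<yyyy>/<mm>/<dd>/<file>.log.gz
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Key pattern for flow logs delivered to S3 (assumption: default AWS layout,
# no custom prefix). Account IDs are 12 digits; regions look like us-east-1.
KEY_RE = re.compile(
    r"^AWSLogs/(?P<account>\d{12})/vpcflowlogs/(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)/"
    r"(?P<year>\d{4})/(?P<month>\d{2})/(?P<day>\d{2})/[^/]+\.log\.gz$"
)


@dataclass(frozen=True)
class FlowLogObject:
    key: str
    account: str
    region: str
    date: str


def parse_key(key: str) -> Optional[FlowLogObject]:
    """Return account/region/date for a flow-log key, or None when the object
    is not a VPC flow log (CloudTrail files, stray objects) and must be ignored."""
    m = KEY_RE.match(key)
    if not m:
        return None
    return FlowLogObject(
        key=key,
        account=m["account"],
        region=m["region"],
        date=f"{m['year']}-{m['month']}-{m['day']}",
    )


def select_objects(keys: Iterable[str], regions=None, accounts=None) -> List[FlowLogObject]:
    """Apply the optional Regions and Accounts filters to a bucket listing.

    As in the collector configuration, a None or empty filter accepts every
    region / account. Non-flow-log objects are dropped regardless."""
    region_set = set(regions or [])
    account_set = set(accounts or [])
    selected = []
    for key in keys:
        obj = parse_key(key)
        if obj is None:
            continue
        if region_set and obj.region not in region_set:
            continue
        if account_set and obj.account not in account_set:
            continue
        selected.append(obj)
    return selected


# Constructed sample listing (not real bucket contents).
SAMPLE_KEYS = [
    "AWSLogs/111111111111/vpcflowlogs/us-east-1/2023/05/01/111111111111_vpcflowlogs_us-east-1_fl-0a1b_20230501T0000Z_1a2b.log.gz",
    "AWSLogs/111111111111/vpcflowlogs/eu-west-1/2023/05/01/111111111111_vpcflowlogs_eu-west-1_fl-0a1c_20230501T0000Z_1a2c.log.gz",
    "AWSLogs/222222222222/vpcflowlogs/us-east-1/2023/05/01/222222222222_vpcflowlogs_us-east-1_fl-0a1d_20230501T0000Z_1a2d.log.gz",
    "AWSLogs/222222222222/CloudTrail/us-east-1/2023/05/01/222222222222_CloudTrail_us-east-1_20230501T0000Z_x.json.gz",
    "random/unrelated/object.txt",
]

if __name__ == "__main__":
    for obj in select_objects(SAMPLE_KEYS, regions=["us-east-1"], accounts=["111111111111"]):
        print(obj.account, obj.region, obj.date, obj.key)
```

Listing a bucket that several accounts and regions write to and then discarding most of it costs S3 list and get requests; when only one region or account is of interest, setting the filters on the collector avoids that and also keeps flow data from unrelated accounts out of the analysis.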

Configure a CloudWatch collector

On AWS, configure your VPC to send flow logs to Amazon CloudWatch logs. See the VMware NSX Network Detection and Response AWS flow logs guide for additional configuration details and requirements.

Configure AWS credentials. You must configure Access and Secret Key credentials.

Configure the User Portal to ingest flow logs from Amazon CloudWatch.

  1. Navigate to the VPC flow logs tab

    From the Main navigation menu, click Admin. On the Admin page, select Data sources from left sidebar menu. Then on the Data sources page, click VPC flow logs.

  2. Select a sensor

    Click the server Appliance button at the top right of the tab, then select the appropriate appliance from the Select appliances pop-up. Click the checkbox icon in the Name column to select a specific appliance. Then click Apply reload to dismiss the pop-up.

  3. Configure a CloudWatch collector

    On the VPC flow logs tab, click plus over the CloudWatch list to add an Amazon CloudWatch collector.

    1. Select the profile name

      In the Profile name field, click the underlined Select text. From the pull-down menu, select the unique ID created on the AWS credentials tab. Then click checkbox to save your selection or cancel/close to cancel.

      This provides the credentials the collector uses to access Amazon CloudWatch.

    2. Enter a collector label

      In the Label field, enter a unique name that is used to identify the collector.

    3. Enter the region

      In the Regions field, enter the region the flow log was created in.

    4. Enter log group

      In the Log group field, enter the CloudWatch group name.

  4. Optional: Delete the CloudWatch collector

    To delete a CloudWatch collector, click the delete icon in the Actions column.

  5. Save the CloudWatch collector

    Click Save when you are done. The Sensor will be reconfigured with the options provided.

DHCP integration

You can forward DHCP logs to the VMware NSX Network Detection and Response for ingestion and processing. The primary reason to collect DHCP logs is the ability to correlate the origin of an event detected by the Sensor with the IP address a host was using at the same time.

Before the Sensor can pull DHCP logs, the Windows network must be properly configured. See the VMware NSX Network Detection and Response DHCP Integration guide for additional configuration details and requirements.

  1. Navigate to the DHCP collection tab

    From the Main navigation menu, click Admin. On the Admin page, select Data sources from left sidebar menu. Then on the Data sources page, click DHCP collection.

  2. Select an appliance

    Click the server Appliance: button and select the appropriate Sensor from the Select Appliance pop-up.

  3. Add a DHCP Collector

    Click the plus button to configure a collector in the DHCP collectors list. Fill in the following:

    • Enter a Name. This name uniquely identifies the data generator. This field is required. A string of lowercase characters is expected.

    • The Generator IP(s) field is optional. This is the IP address of the generator as seen by the collector (to enable firewall filtering). If set, the collector will only accept records from sources at the specified IP address(es). Any records from other IP addresses are discarded. If left unset, the collector will accept records sent from any IP address.

    • Set the Port number. This is the port on the sensor where the DHCP log data will be received. This field is required. It accepts values from 1024 to 65535.

    When you are done, click Save.

Saving the collector triggers a reconfiguration on the Sensor, after which a DHCP ingestion process is ready to receive DHCP logs on the specified port number. The progress of the reconfiguration action can be followed on the Monitoring logs tab (from the Main navigation menu, click Admin, then Appliances).
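The reason given above for collecting DHCP logs is to map the IP address in a Sensor event back to the host that held that address at the time. The following added example (not code from the product or from the DHCP Integration guide) shows that correlation over constructed log lines laid out like the Windows DHCP server audit log (DhcpSrvLog-*.log: ID,Date,Time,Description,IP Address,Host Name,MAC Address,...), using event IDs 10 (new lease), 11 (renewal) and 12 (release). The 8-hour lease duration is an assumption for the example; a real lookup would use the scope's configured lease time.

```python
"""Correlate an IP address from a Sensor event with the DHCP client that held
it at that moment. Added example, not part of the product.

Input lines are constructed in the Windows DHCP audit log layout:
ID,Date,Time,Description,IP Address,Host Name,MAC Address,...
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

NEW_LEASE, RENEW, RELEASE = "10", "11", "12"
LOG_TS_FMT = "%m/%d/%y %H:%M:%S"   # date/time layout of the audit log (assumption)


@dataclass
class Lease:
    ip: str
    mac: str
    host: str
    start: datetime
    end: datetime      # release time, or last (re)assignment + lease duration


def parse_dhcp_log(lines, lease_time: timedelta = timedelta(hours=8)) -> List[Lease]:
    """Build a lease timeline: a 10 event opens a lease, 11 extends it, 12 closes
    it. A new lease for an IP still held by a different MAC closes the old one."""
    leases: List[Lease] = []
    open_by_ip: Dict[str, Lease] = {}
    for raw in lines:
        fields = raw.strip().split(",")
        if len(fields) < 7 or not fields[0].isdigit():
            continue                            # header, blank or malformed line
        event_id, date, time, _desc, ip, host, mac = fields[:7]
        if event_id not in (NEW_LEASE, RENEW, RELEASE) or not ip:
            continue
        ts = datetime.strptime(f"{date} {time}", LOG_TS_FMT)
        mac = mac.lower()
        current = open_by_ip.get(ip)
        if event_id == RELEASE:
            if current is not None:
                current.end = ts
                del open_by_ip[ip]
            continue
        if current is not None and current.mac != mac:
            current.end = ts                    # address handed to another client
            current = None
        if current is None:
            current = Lease(ip, mac, host, ts, ts + lease_time)
            leases.append(current)
            open_by_ip[ip] = current
        else:
            current.end = ts + lease_time       # renewal extends the lease
    return leases


def host_for_ip(leases: List[Lease], ip: str, when: str) -> Optional[Tuple[str, str]]:
    """Return (mac, host name) that held `ip` at `when` (same timestamp format as
    the log, e.g. "05/01/23 13:00:00"), or None if no lease covers that time."""
    at = datetime.strptime(when, LOG_TS_FMT)
    for lease in leases:
        if lease.ip == ip and lease.start <= at < lease.end:
            return lease.mac, lease.host
    return None


# Constructed sample log (not a real server's output).
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,TransactionID
00,05/01/23,08:00:00,Started,,,,,0
10,05/01/23,08:05:12,Assign,10.1.20.55,laptop-alice.corp.example,001A2B3C4D5E,,123
11,05/01/23,12:05:12,Renew,10.1.20.55,laptop-alice.corp.example,001A2B3C4D5E,,124
12,05/01/23,14:30:00,Release,10.1.20.55,laptop-alice.corp.example,001A2B3C4D5E,,125
10,05/01/23,14:45:09,Assign,10.1.20.55,printer-3f.corp.example,00AABBCCDDEE,,126
"""

if __name__ == "__main__":
    timeline = parse_dhcp_log(SAMPLE_LOG.splitlines())
    print(host_for_ip(timeline, "10.1.20.55", "05/01/23 13:00:00"))
```

The gap between the release at 14:30 and the reassignment at 14:45 is where a naive "current lease" lookup goes wrong: an event timestamped in that window belongs to neither client, and an event after 14:45 belongs to the printer, not the laptop that used the same address earlier in the day.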

Flow records integration

Configure the Sensor to receive flow records from third-party devices (for example, switches and routers) on the Flow collection tab. These records are then uploaded to the VMware backend for indexing and analysis.

Flow records describe a sequence of packets with common characteristics, such as the same source and destination IP address, transport layer port information, and type of protocol. Importing flow records from a third-party device is useful when you want the VMware NSX Network Detection and Response to have visibility into the traffic flowing in parts of the network that are not monitored by a Sensor (the Sensor generates flow records information of the traffic it monitors).

To configure a third-party device to generate flow records and send them to the Sensor, refer to the manufacturer's configuration guide. In general, ensure that:

  • The destination port configured on the third-party device matches the port number configured for the flow collector.

  • The protocol configured on the third-party device matches the protocol configured for the flow collector.

  • The flow type configured on the third-party device matches the flow type configured for the flow collector.

  1. Navigate to the flow collection tab

    From the Main navigation menu, click Admin. On the Admin page, select Data sources from left sidebar menu. Then on the Data sources page, click Flow collection.

  2. Select a sensor

    Click the server Appliance button at the top right of the tab, then select the appropriate appliance from the Select appliances pop-up. Click the checkbox icon in the Name column to select a specific appliance. Then click Apply reload to dismiss the pop-up.

  3. Configure a flow collector

    On the Flow collection tab, click plus over the Flow Collectors list to add a flow collector.

    1. Optional: Enter the collector name

      In the Name field, enter an optional name that uniquely identifies the collector.

    2. Optional: Provide an IP address list

      Provide an optional list of IP addresses from which to expect flow records in the Generator IP(s) field. If set, the collector will only accept records from sources at the specified IP addresses. Any records from other IP addresses are discarded. If left unset, the collector will accept records sent from any IP address.

      VMware recommends setting this field to the IP address of the device that will generate flow records.

    3. Select the type of flow records

      Using the Flow type pull-down menu, select the type of flow records that will be accepted by this collector. The integration currently supports collecting the following flow records types: NetFlow v5, NetFlow v9, IPFIX, and sFlow.

    4. Select the protocol

      The protocol (TCP or UDP) that will be used to transfer records to the collector. IPFIX records can be collected over either TCP or UDP; for other flow types only UDP transport is supported.

      When you have an option, you can use the Protocol pull-down menu to select TCP or UDP.

    5. Select the port

      Enter the Port on the Sensor where the flow collection data will be received. This field is required. It accepts values from 1024 to 65535.

  4. Optional: Delete the flow collector

    To delete a flow collector, click the delete icon in the Actions column.

  5. Save the flow collector

    Click Save when you are done. The Sensor will be reconfigured with the options provided.

If there are issues with your flow collection configuration, refer to the following support article: Troubleshooting the flow integration.
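The three "ensure that" checks above (port, protocol, flow type) and the Generator IP(s) filter are the points where a flow collector silently drops data when the exporter and collector disagree. The following added example (not the product's collector code) shows the collector side of those checks for NetFlow v5: it applies the source allow-list, rejects a datagram whose version field does not match the configured flow type, and decodes the common-characteristics tuple (addresses, ports, protocol) that a flow record describes. The datagram is constructed with the standard NetFlow v5 export layout (24-byte header, 48-byte records); the port and protocol checks are the UDP socket binding itself and are not repeated here.

```python
"""Collector-side acceptance checks for NetFlow v5 export datagrams.
Added example, not part of the product. Packet bytes below are constructed."""
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# NetFlow v5 header: version, count, sys_uptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval (24 bytes)
HEADER_FMT = "!HHIIIIBBH"
# NetFlow v5 record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets,
# first, last, srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
# src_mask, dst_mask, pad2 (48 bytes)
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)
RECORD_LEN = struct.calcsize(RECORD_FMT)


@dataclass(frozen=True)
class FlowRecord:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int      # IP protocol number: 6 = TCP, 17 = UDP
    packets: int
    octets: int


def parse_netflow_v5(payload: bytes) -> List[FlowRecord]:
    """Decode one NetFlow v5 export datagram. Raises ValueError when the version
    field is not 5 (flow type mismatch) or the payload is truncated."""
    if len(payload) < HEADER_LEN:
        raise ValueError("short header")
    version, count, *_ = struct.unpack_from(HEADER_FMT, payload)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if len(payload) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("truncated records")
    records = []
    for i in range(count):
        f = struct.unpack_from(RECORD_FMT, payload, HEADER_LEN + i * RECORD_LEN)
        src, dst, _nexthop, _in, _out, dpkts, doctets, _first, _last, sport, dport, _pad, _flags, proto, *_rest = f
        records.append(FlowRecord(socket.inet_ntoa(src), socket.inet_ntoa(dst),
                                  sport, dport, proto, dpkts, doctets))
    return records


def accept_datagram(source_ip: str, payload: bytes,
                    generator_ips: Optional[Set[str]] = None) -> Tuple[str, List[FlowRecord]]:
    """Apply the collector's checks to a received datagram.
    An empty/None generator_ips accepts any source, as the Generator IP(s) field does."""
    if generator_ips and source_ip not in generator_ips:
        return "rejected: source not in Generator IP(s)", []
    try:
        return "accepted", parse_netflow_v5(payload)
    except ValueError as exc:
        return f"rejected: {exc}", []


def build_sample_datagram() -> bytes:
    """Constructed NetFlow v5 export with two records (not captured traffic)."""
    header = struct.pack(HEADER_FMT, 5, 2, 123456, 1_700_000_000, 0, 42, 0, 0, 0)

    def rec(src, dst, sport, dport, proto, pkts, octets):
        return struct.pack(RECORD_FMT,
                           socket.inet_aton(src), socket.inet_aton(dst), socket.inet_aton("0.0.0.0"),
                           1, 2, pkts, octets, 1000, 2000, sport, dport,
                           0, 0x18, proto, 0, 0, 0, 24, 24, 0)

    return (header
            + rec("10.1.20.55", "198.51.100.7", 51234, 443, 6, 12, 2310)
            + rec("10.1.20.55", "10.1.1.53", 40001, 53, 17, 1, 78))


if __name__ == "__main__":
    status, flows = accept_datagram("10.1.1.1", build_sample_datagram(), {"10.1.1.1"})
    print(status)
    for flow in flows:
        print(flow)
```

A version-9 or IPFIX export sent to a collector configured for NetFlow v5 fails at the version check rather than producing bad records, which is the symptom to look for first when a collector shows no data: confirm the exporter's flow type, protocol and destination port against the collector, then the Generator IP(s) list.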

Appendices

Installation and integration guides

Setup command options

The lastline_setup command provides a number of configuration options that are used to administer and manage the VMware NSX Network Detection and Response appliances.

Command line arguments

The lastline_setup command supports the following command line arguments:

Help
-h, --help

Print the help message and exit.

Acquire lock
--lock-timeout TIME

The lastline_setup command has a configuration lock to prevent more than one user from accessing its database at the same time. Set the amount of TIME (in seconds) to allow for acquiring the lock. The default is 0 (zero) seconds.

Configuration options

The available options vary depending on the type of appliance. The Manager has an extensive set whereas the Sensor has fewer options. To view all the supported options for the current appliance, use the help option.

To view a detailed description of individual options, type help topic, where topic is the name of a specific option.

The lastline_setup command supports the following configuration options:

Maximum file upload size
analysis_max_upload_filesize_mb [= size]

Display or set the maximum file size (in MB) the system will accept for analysis. With no argument, display the current maximum file size allowance. If an argument is provided, set maximum file size allowance to the specified value. The argument size must be numeric.

Length of analysis queue
analysis_queue_backlog [= days | unlimited]

Display or set the number of days to keep unprocessed tasks in the analysis queue. With no argument, display the current number of days. The default is unlimited. If an argument is provided, set the number of days to the specified value. The argument days can be numeric or unlimited (or 0).

AnonVPN DNS server
anonvpn_dns_server_ip [= IPaddr | -]

You can configure a DNS server specifically for AnonVPN to assist with anonymizing client connections.

Display or set the IP address for the DNS server for AnonVPN. With no argument, display the current IP address of the AnonVPN DNS server. If an argument is provided and is an IP address, set the DNS server to the specified value. You must provide a valid IPv4 address for the DNS service. This address must be reachable via the AnonVPN interface. If the argument is - (dash), clear (unset) the DNS server address.

AnonVPN mode
anonvpn_mode [= lastline | honeypot | custom | -]

Display or set the AnonVPN mode. With no argument, display the current setting. If an argument is provided and is one of lastline, honeypot, or custom, set the mode to the specified value.

If the value is - (dash), clear the mode (set to an empty value). This argument should not be used.

AnonVPN gateway
anonvpn_upstream_gateway_ip [= IPaddr | -]

Display or set the AnonVPN upstream gateway address. With no argument, display the current IP address of the gateway. If an argument is provided and is an IP address, set the gateway to the specified value. Any valid IPv4 address can be used for the gateway. This address must be in the same subnet as the IP address assigned to the AnonVPN interface. If the provided argument is - (dash), clear (unset) the gateway address.

This setting is not required for point-to-point tunnel connections (for example, OpenVPN).

AnonVPN interface
anonvpn_upstream_ifname [= interface | -]

Display or set the AnonVPN upstream interface. With no argument, display the current interface name. If an argument is provided, set the interface name to the specified value. You can specify any valid interface name other than llanonvpn0 or llanonvpn1. If the argument is - (dash), clear the interface name (set to an empty value).

Appliance state
appliance_state

Display the appliance state. For example, active, error, offline, etc.

Appliance UUID
appliance_uuid

Display the appliance UUID. For example, 0123456789abcdef0123456789abcdef.

Cloud analysis
cloud_analysis [= on | off]

Display or set analysis support. With no argument, display the current status. If an argument is provided, set cloud analysis support to the specified value. Possible values are on or off. When enabled, hashes (MD5, SHA1, and SHA256) of the analyzed artifacts are shared with the NSX Cloud.

Download metadata for cloud analysis
cloud_analysis_push_download_metadata [= on | off]

Display or set support to allow sending artifact metadata (download origin, filename, type, etc.) to the NSX Cloud. With no argument, display the current status. If an argument is provided, set the download support to the specified value. Possible values are on or off. When enabled, the URL the artifact was downloaded from (HTTP, FTP, and SMB downloads) is sent to the VMware backend.

Download URL for cloud analysis
cloud_analysis_push_download_source [= on | off]

Display or set support to allow sending artifact download origin to the NSX Cloud. With no argument, display the current status. If an argument is provided, set the download support to the specified value. Possible values are on or off. When enabled, the IP address and host name of the server the artifact was downloaded from are sent to the VMware backend.

Query URL reputation from cloud analysis
cloud_analysis_query_url_reputation [= on | off]

Display or set support to allow requesting URL reputation data from the NSX Cloud. With no argument, display the current status. If an argument is provided, set the URL classification support to the specified value. Possible values are on or off. When enabled, the VMware backend is queried for reputation metadata that can be used to classify a URL. The full URL is shared with the VMware backend.

Data retention for code
data_retention_code [= days | unlimited]

Display or set the number of days to retain Web code captured during an analysis run of a submitted URL. With no argument, display the current number of days. If an argument is provided, set the number of days to the specified value. The argument days can be numeric or unlimited (or 0).

Data retention for generated files
data_retention_generated_files [= days | unlimited]

Display or set the number of days to retain files generated by a program during a dynamic analysis run. With no argument, display the current number of days. If an argument is provided, set the number of days to the specified value. The argument days can be numeric or unlimited (or 0).

Data retention for memory dumps
data_retention_memory_dumps [= days | unlimited]

Display or set the number of days to retain memory buffers allocated by a program during a dynamic analysis run. With no argument, display the current number of days. If an argument is provided, set the number of days to the specified value. The argument days can be numeric or unlimited (or 0).

Data retention for process dumps
data_retention_process_dumps [= days | unlimited]

Display or set the number of days to retain full-process snapshots of a program during a dynamic analysis run. With no argument, display the current number of days. If an argument is provided, set the number of days to the specified value. The argument days can be numeric or unlimited (or 0).

Data retention for screenshots
data_retention_screenshots [= days | unlimited]

Display or set the number of days to retain screenshots taken during a dynamic analysis run. With no argument, display the current number of days. If an argument is provided, set the number of days to the specified value. The argument days can be numeric or unlimited (or 0).

Data retention for traffic captures
data_retention_traffic_captures [= days | unlimited]

Display or set the number of days to retain network traffic captured during a dynamic analysis run. With no argument, display the current number of days. If an argument is provided, set the number of days to the specified value. The argument days can be numeric or unlimited (or 0).

Data retention for uploads
data_retention_uploads [= days | unlimited]

Display or set the number of days to retain files uploaded for analysis. With no argument, display the current number of days. If an argument is provided, set the number of days to the specified value. The argument days can be numeric or unlimited (or 0).

Data retention for webpages
data_retention_webpages [= days | unlimited]

Display or set the number of days to retain Web page content captured during a dynamic analysis run. With no argument, display the current number of days. If an argument is provided, set the number of days to the specified value. The argument days can be numeric or unlimited (or 0).

Comment on analysis reports
disable_report_commenting [= true | false | -]

Display or set the ability to comment on analysis reports. With no argument, display the current status. If an argument is provided, set the ability to comment to the specified value. Possible values are true or false. If the argument is - (dash), clear the field (this is the same as setting the value to false).

Disable the support channel
disable_support_channel [= true | false | -]

Display or set the support channel. With no argument, display the current status. If an argument is provided, set the support channel to the specified value. Possible values are true or false. The default (false) allows VMware Support to perform remote administration assistance at your request. If the argument is - (dash), clear the field (this is the same as setting the value to false).

Edit variables
edit [variable]

Edit the value stored for the entered variable. A prompt for entering a new value for the variable is displayed. If the variable being edited is a password variable, your input will not be displayed.

To view a list of the variables available for editing, run the edit option with no argument.

Email relay host
email_relay_host [= IPaddr | hostname | -]

Display or set the host name or IP address for the SMTP relay host. With no argument, display the current host. If an argument is provided, set the host to the specified value. If the argument is - (dash), clear (unset) the host. In this case, the VMware backend is used.

Email relay password
email_relay_password [= password | -]

Display or set the authentication password for the SMTP relay host. With no argument, display the current password. If an argument is provided, set the password to the specified value. If the argument is - (dash), clear (unset) the password.

Email relay port
email_relay_port [= port | -]

Display or set the port number for the SMTP relay host. With no argument, display the current port. If an argument is provided, set the port to the specified value. If the argument is - (dash), clear (unset) the port.

Email relay username
email_relay_username [= username | -]

Display or set the username for the SMTP relay host. With no argument, display the current username. If an argument is provided, set the username to the specified value. If the argument is - (dash), clear (unset) the username.

Email sender address
email_sender_address [= address | -]

Display or set the email address to be used for delivering email. With no argument, display the current email sender address. If an argument is provided, set the sender address to the specified value. If the argument is - (dash), clear (unset) the sender address.

Failover multicast address
failover_multicast_address [= address | -]

Display or set the multicast address needed by the tools used for managing the shared virtual IP between active and standby Manager in an active/standby configuration. With no argument, display the current value of the failover multicast address. If an argument is provided, set the address to the specified value. If the argument is - (dash), clear (unset) the failover multicast address.

Failover multicast port
failover_multicast_port [= port | -]

Display or set the multicast port needed by the tools used for managing the shared virtual IP between active and standby Manager in an active/standby configuration. With no argument, display the current value of the failover multicast port. If an argument is provided, set the port number to the specified value. If the argument is - (dash), clear (unset) the failover multicast port.

There is no standard multicast port number. VMware NSX Network Detection and Response uses 5405 as its default.

Failover virtual IP address
failover_virtual_ip [= address | -]

Display or set the virtual IP address shared between active and standby Manager in an active/standby configuration. With no argument, display the current value of the virtual IP address. If an argument is provided, set the virtual IP address to the specified value. If the argument is - (dash), clear (unset) the virtual IP address.

Fully qualified domain name
fqdn

Display the fully qualified domain name of the appliance.

Active manager priority
ha_active_priority [= priority | -]

Display or set the priority of the active Manager for the purposes of determining ownership of the shared virtual IP address in an active/standby configuration. Select a value higher than the highest priority recently used for this virtual IP address.

With no argument, display the current value of the active manager priority. If an argument is provided, set the priority to the specified value. If the argument is - (dash), clear (unset) the active manager priority.

Active manager password
ha_password [= password | -]

Display or set the password for managing the virtual IP address shared between active and standby Manager in an active/standby configuration. With no argument, display the current active/standby password (displayed as ***). If an argument is provided, set the password to the specified value. If the argument is - (dash), clear the active/standby password (set to empty value).

HTTPS proxy
https_proxy [= proxy_address:port | -]

Display or set the HTTPS proxy. With no argument, display the current proxy. If an argument is provided, set the proxy to the specified value. The HTTPS proxy must be in the format proxy_address:port (for example, proxy.example.com:8080 or 192.168.0.1:443). If the argument is - (dash), clear (unset) the proxy.

Replace branding images
image_brand_replacement [= on | off]

This feature is provided for partners who wish to replace the VMware logo and other assets with their own.

Display or set the status of brand images replacement policy. With no argument, display the current status. If an argument is provided, set the policy to the specified value. Possible values are on or off. When enabled, the Manager will display the replacement visual assets in its hosted User Portal. These files must be located in the /home/lastline/brand_replacement_files/ directory.

Inject interface
inject_interface [= interface | -]

Display or set the interface used for injecting blocking packets according to the configured modes, for example, TCP RST packet, DNS NXDOMAIN response, HTTP 302 redirect, etc. With no argument, display the current interface name. If an argument is provided, set the interface name to the specified value. You can specify any valid interface name, for example eth1. If the argument is - (dash), clear the interface name (set to an empty value).

Inline interfaces
inline_interfaces [= interface-interface, interface-interface, ... | -]

Display or set the list of interface pairs used for inline mode. With no argument, display the current interface pairs. If an argument is provided, set the interfaces to the specified value. Specify a comma-separated list of interface pairs, for example eth1-eth2, eth3-eth4. If the argument is - (dash), clear the interface pairs (set to an empty value).

License API token
license_api_token

Display the On-Premises license API token.

License key
license_key

Display the On-Premises license key.

Update server override
llama_images_server_override [= IPaddr | hostname | -]

Display or set the host name or IP address for the server from which to download LLAMA images. With no argument, display the current host. If an argument is provided, set the server to the specified value. If the argument is - (dash), clear (unset) the server.

This option is provided for installations that must substitute another server for the default update.lastline.com.

Manager domain name
manager [= domain name | -]

Display or set the domain name of the Manager. With no argument, display the current value for manager. If an argument is provided, set manager to the specified value. If the argument is - (dash), clear (unset) the Manager domain name.

In most instances, you should leave this field to its default value of lastline.com or for an On-Premises installation, the fqdn of the local Manager. If you must change this entry, enter the domain name of the Manager you want to connect to. If you use lastline.example.com, for example, update.lastline.example.com and log.lastline.example.com should be additional aliases for the same IP address in your default DNS server.

Monitoring user
monitoring_user_password [= password | -]

Enable or disable the monitoring user. With no argument, display the current state. If an argument is provided, set the monitoring user password to the specified value. If the argument is - (dash), disable password-based authentication.

Network parameters
network [= variable value]

Display or set the network parameters of the appliance. There are two network methods: DHCP or static. With no argument, display the current network settings. For example:

DHCP settings

network interface = eth0
network method = dhcp

Static settings

network dns_nameservers = 8.8.8.8 8.8.4.4
network gateway = 10.0.2.2
network netmask = 255.255.255.0
network address = 10.0.2.15
network interface = eth0
network method = static

The network option has a number of variables:

  • network interface Set the interface used for network access.

    network interface interface

  • network method Set the network method. For dhcp, the appliance gets its address and other network information from a DHCP server. For static, you define all the network parameters.

    network method dhcp | static

  • network address For a static configuration, set the IPv4 address of the interface.

    network address IPaddr

  • network netmask For a static configuration, set the dotted-quad netmask of the interface.

    network netmask netmask

  • network gateway For a static configuration, set the IP address of the default gateway for network access. If the argument is - (dash), set the gateway address to None.

    network gateway [IPaddr | -]

  • network dns_nameservers For a static configuration, enter a list of space separated IP addresses for the DNS servers. If the argument is - (dash), set the DNS servers to None.

    network dns_nameservers [IPaddr IPaddr ... | -]

Monitoring user
new_monitoring_user_password [= password | -]

Enable or disable access to the appliance for the monitoring user. With no argument, display the current monitoring user password (displayed as ***). If an argument is provided, set the monitoring user password to the specified value. If the argument is - (dash), clear the monitoring user password (set to empty value).

NTP servers
ntp_servers [= IPaddr,IPaddr,... | -]

Display or set the NTP servers list. With no argument, display the current value for the NTP servers list. If an argument is provided, set the NTP servers list to the specified value. The NTP server addresses must be comma separated. If the argument is - (dash), clear (unset) the NTP servers list.

Offline mode
offline_mode

Display offline mode. This allows the appliance to work without an Internet connection.

Save
save [skip_apply] [skip_network_restart]

Save your changes, apply the new configuration, and exit.

If skip_network_restart is specified, the network will not be restarted and therefore any changed network settings will be saved but not applied.

If skip_apply is specified, the new configuration will be saved but not applied. You can later run the lastline_apply_config command to make the new configuration effective.

Sensor subkey
sensor_subkey

Display the Sensor subkey. To change this value, the Sensor must be deregistered, and then re-registered using the lastline_register command.

Show configuration
show

Display the current configuration. For example, the configuration of a Sensor:

-> show
anonymization_password = ***
appliance_state = active
appliance_uuid = 046cf54cb3d46eab0c3263724cd56b6a
disable_support_channel =
https_proxy =
inject_interface = eth2
inline_interfaces =
license_key = 0Z6LLNOU4ZP12BWBTOJ0
manager = manager.lastline.example.com
monitoring_user_password: enabled
network interface = eth0
network method = dhcp
new_monitoring_user_password = ***
ntp_server = update.lastline.com
ntp_servers = update.lastline.com
sensor_subkey = sensor01
sniffing_interfaces = eth2

Sniffing interface
sniffing_interface [= interface, interface, ... | -]

Display or set the list of interfaces the Sensor should monitor. With no argument, display the current interfaces. If an argument is provided, set the interfaces to the specified value. Specify a comma-separated list of interface names, for example eth1, eth2. If the argument is - (dash), clear the sniffing interfaces (set to an empty value).

Replace branding text
text_brand_replacement [= JSON]

This feature is provided for partners who wish to replace the VMware logo and other assets with their own.

Display or set the brand text replacement using JSON. With no argument, display the current JSON. If an argument is provided, set the brand text to the specified value.

Enter the JSON content as a single line. For example:

text_brand_replacement = {"company_short_name_ascii":"llPartner","company_short_name_utf8":"エロパタナ"}

Exit options

To quit from the lastline_setup command without saving your changes, type exit.

If you made changes that you want applied, you must use the save option to update the appliance database and configuration. It then quits the lastline_setup command.
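Several of the options above carry constraints that lastline_setup only reports after the value has been typed in: https_proxy must be proxy_address:port, the retention options take a number of days or unlimited, anonvpn_upstream_ifname may not be llanonvpn0 or llanonvpn1, anonvpn_upstream_gateway_ip and a static network gateway must lie in their interface's subnet, and failover_multicast_address must be a multicast address. The following added example is not part of lastline_setup or the appliance software; it is a pre-flight check meant to run on an administrator's workstation over a constructed settings dictionary before the values are entered. Because lastline_setup does not expose the AnonVPN interface address as an option, the caller passes it as anonvpn_if_cidr so the gateway subnet rule can be checked.

```python
"""Pre-flight validation of lastline_setup values against the constraints the
reference states. Added example, not part of the product. Settings dicts are constructed."""
import ipaddress
import re
from typing import Dict, List, Optional

HOSTPORT_RE = re.compile(r"^[A-Za-z0-9.\-]+:(\d{1,5})$")   # proxy_address:port
DAYS_KEYS = (                                            # options taking days | unlimited
    "analysis_queue_backlog", "data_retention_code", "data_retention_generated_files",
    "data_retention_memory_dumps", "data_retention_process_dumps", "data_retention_screenshots",
    "data_retention_traffic_captures", "data_retention_uploads", "data_retention_webpages",
)


def is_ipv4(value: str) -> bool:
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def is_port(value: str) -> bool:
    return value.isdigit() and 1 <= int(value) <= 65535


def validate_settings(settings: Dict[str, str], anonvpn_if_cidr: Optional[str] = None) -> List[str]:
    """Return human-readable problems; an empty list means every rule implemented
    here is satisfied. "-" (clear) and empty values are treated as unset."""
    problems: List[str] = []

    def val(key: str) -> Optional[str]:
        v = settings.get(key)
        return None if v in (None, "", "-") else v

    proxy = val("https_proxy")
    if proxy is not None:
        m = HOSTPORT_RE.match(proxy)
        if not m or not is_port(m.group(1)):
            problems.append(f"https_proxy: expected proxy_address:port, got {proxy!r}")

    for key in DAYS_KEYS:
        v = val(key)
        if v is not None and v != "unlimited" and not v.isdigit():
            problems.append(f"{key}: expected a number of days, 0 or unlimited, got {v!r}")

    mode = val("anonvpn_mode")
    if mode is not None and mode not in ("lastline", "honeypot", "custom"):
        problems.append(f"anonvpn_mode: expected lastline, honeypot or custom, got {mode!r}")
    if val("anonvpn_upstream_ifname") in ("llanonvpn0", "llanonvpn1"):
        problems.append("anonvpn_upstream_ifname: llanonvpn0 and llanonvpn1 are reserved")
    dns = val("anonvpn_dns_server_ip")
    if dns is not None and not is_ipv4(dns):
        problems.append(f"anonvpn_dns_server_ip: not a valid IPv4 address: {dns!r}")
    gw = val("anonvpn_upstream_gateway_ip")
    if gw is not None:
        if not is_ipv4(gw):
            problems.append(f"anonvpn_upstream_gateway_ip: not a valid IPv4 address: {gw!r}")
        elif anonvpn_if_cidr:
            net = ipaddress.IPv4Interface(anonvpn_if_cidr).network
            if ipaddress.IPv4Address(gw) not in net:
                problems.append(f"anonvpn_upstream_gateway_ip: {gw} is outside the AnonVPN interface subnet {net}")

    if val("network method") == "static":
        addr, mask, gwy = (val(k) for k in ("network address", "network netmask", "network gateway"))
        for name, v in (("network address", addr), ("network netmask", mask)):
            if v is None:
                problems.append(f"{name}: required when network method = static")
        if addr and mask and gwy:
            try:   # IPv4Interface accepts a dotted-quad netmask after the slash
                net = ipaddress.IPv4Interface(f"{addr}/{mask}").network
                if ipaddress.IPv4Address(gwy) not in net:
                    problems.append(f"network gateway: {gwy} is outside {net}")
            except ValueError as exc:
                problems.append(f"network: invalid address/netmask/gateway: {exc}")

    mc = val("failover_multicast_address")
    if mc is not None and not (is_ipv4(mc) and ipaddress.IPv4Address(mc).is_multicast):
        problems.append(f"failover_multicast_address: not a multicast address: {mc!r}")
    port = val("failover_multicast_port")
    if port is not None and not is_port(port):
        problems.append(f"failover_multicast_port: expected 1-65535, got {port!r}")
    return problems


# Constructed settings (not from a real appliance).
GOOD_SETTINGS = {
    "https_proxy": "proxy.example.com:8080", "data_retention_uploads": "30",
    "analysis_queue_backlog": "unlimited", "anonvpn_mode": "lastline",
    "anonvpn_upstream_ifname": "eth3", "anonvpn_dns_server_ip": "192.0.2.53",
    "anonvpn_upstream_gateway_ip": "192.0.2.1", "network method": "static",
    "network address": "10.0.2.15", "network netmask": "255.255.255.0",
    "network gateway": "10.0.2.2", "network dns_nameservers": "8.8.8.8 8.8.4.4",
    "failover_multicast_address": "239.192.0.1", "failover_multicast_port": "5405",
}
BAD_SETTINGS = {
    "https_proxy": "proxy.example.com",            # missing :port
    "data_retention_uploads": "thirty",            # not numeric
    "anonvpn_mode": "anonymous", "anonvpn_upstream_ifname": "llanonvpn0",
    "anonvpn_upstream_gateway_ip": "198.51.100.1", # outside 192.0.2.0/24
    "network method": "static", "network address": "10.0.2.15",
    "network netmask": "255.255.255.0", "network gateway": "10.0.3.1",   # wrong subnet
    "failover_multicast_address": "10.0.2.200",    # not multicast
    "failover_multicast_port": "70000",            # out of range
}

if __name__ == "__main__":
    for p in validate_settings(BAD_SETTINGS, anonvpn_if_cidr="192.0.2.10/24"):
        print(p)
```

Running the check before a save matters most for the network and failover values: a static gateway outside the interface subnet or a wrong multicast address is applied by save and can leave the appliance unreachable or break the active/standby virtual IP, whereas a bad retention value is merely rejected.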

Terminology

event

An event represents a security-relevant activity that has occurred in the monitored network. An event may involve multiple data flows (for example, TCP connections), but it represents a single type of activity occurring over a short period of time (at most one hour). Multiple events are automatically correlated into incidents.

incident

An incident represents a security-relevant activity that has occurred in the monitored network. An incident may consist of a single event, or a number of events that have been automatically correlated, and that have been determined to be closely related.

infection

An infection is an incident that has been determined to be critical. Infections should be dealt with without delay.

intrusion

An intrusion is a correlated set of incidents that affect one or more devices over a period of time.

nuisance

A nuisance is an incident of low risk. This typically corresponds to potentially unwanted or risky activity that does not necessarily indicate a compromise or infection on the monitored network. Nuisances are tracked because they contribute to a more comprehensive network situational awareness.

watchlist

A watchlist is an incident that has been determined to be of medium risk. Such incidents, while indicating a potential risk, do not need immediate attention; they are kept under close watch in case new evidence appears that modifies their status.

For example, an incident involving an inoperative command and control infrastructure will be classified as watchlisted.