Administration Guide
Contents
Preface ......................................................................................... 4
Overview: DeceptionGrid System Architecture ........................ 5
Getting Started ............................................................................ 6
Logging into TSOC for the First Time..................................................................6
Setting the Management Framework ...................................................................6
Managing Companies or Departments ................................................................7
Licensing ...............................................................................................................8
Configuring TSOC Timeout ................................................................................10
Signing the TSOC Certificate .............................................................................11
Securing DeceptionGrid .....................................................................................11
Configuring Proxy...............................................................................................12
Configuring Email ...............................................................................................12
Configuring TSOC's Clock .................................................................................13
Preface
This Administration Guide is about initial DeceptionGrid™ setup and system administration.
After installing DeceptionGrid main components (TSOC and Appliances) as in the
DeceptionGrid Installation Guide, it is recommended to go over the sections in this guide and
configure as needed.
For understanding DeceptionGrid, and for deploying emulation and deception in your
organizational network, see the DeceptionGrid Security Deployment Guide.
For event management and security analysis, see the DeceptionGrid Security Handling &
Analysis Guide.
Getting Started
This section describes initial tasks that should be performed before further configuration and
deployment tasks.
In This Section
Logging into TSOC for the First Time ..................................................6
Setting the Management Framework ................................................6
Managing Companies or Departments ..............................................7
Licensing .............................................................................................8
Configuring TSOC Timeout ...............................................................10
Signing the TSOC Certificate .............................................................11
Securing DeceptionGrid ...................................................................11
Configuring Proxy .............................................................................12
Configuring Email .............................................................................12
Configuring TSOC's Clock ..................................................................13
Passwords must contain at least six characters including at least one upper-case character and
one numerical character.
To add a company or department, click Add. To view or edit an existing one's details, click .
Details include a Status of Enabled / Disabled. It is also possible to suspend a company or
department. When enabled but suspended, events continue to be recorded (just not
displayed); when disabled, no events are recorded.
To suspend or delete a company or department, first remove its license (see Licensing on page
8). Then click to suspend, or to remove.
To view a company’s or department's assigned traps and users, from its details page go to the
Resources tab:
Licensing
TrapX provides a global license that defines, specifically for your system, your allowed
numbers of traps and expiration, for your entire framework. After uploading the global license
file (.lic) to TSOC, you need to allocate those allowances to your companies or departments,
depending on your management framework (see Setting the Management Framework on
page 6).
In This Section
Global License.....................................................................................8
Allocating Licenses .............................................................................9
Global License
TrapX provides a global license that defines, specifically for your system, your allowed
numbers of traps and expiration, for your entire framework.
To obtain and upload a global license, in TSOC go to Settings > License Manager > Global
license:
Copy the Unique System Key and send it to TrapX or to your reseller. Once you receive a
license file for your system, Upload it.
Allocating Licenses
After uploading the global license file (.lic) to TSOC as above, you need to allocate those
allowances to your companies or departments, depending on your management framework
(see Setting the Management Framework on page 6).
To manage license allocation to companies or to departments, go to Licenses:
The bottom of the page lists companies or departments with allocated licenses; from above,
you can Search to filter the list.
To allocate a license:
DeceptionGrid Administration Guide, © TrapX 9
Getting Started
Securing DeceptionGrid
In production environments, the following steps are recommended to harden security:
• For TSOC:
  • Sign the TSOC certificate (see Signing the TSOC Certificate above).
  • In the TSOC server's console, log in as mng, and:
    • Set a strong password for access to this Administration Menu. To change the
      password subsequent to first login, go to Global Settings > Change ‘mng’ User
      Password.
    • Go to Global Settings > Enable/Disable SSH, and disable SSH. Note that as a
      result, access to TSOC's Administration Menu will be only from the server's
      direct console.
  • Log into TSOC's web interface as super_admin, and:
    • Set a strong password. To change the password subsequent to first login, go
      to Settings > Users > User info > Change password.
    • Set a session timeout (see Configuring TSOC Timeout on page 10).
• For each DeceptionGrid Appliance:
  • In the Appliance's console, log in as sensor (default password: Log2sensor), and:
    • Go to Global Appliance Settings > Change setup Password, and set a strong
      password for the setup user.
    • Go to Global Appliance Settings > Change sensor Password, and set a strong
      password for access to this Administration Menu.
  • In TSOC, go to Appliances > select Appliance > Configuration > Settings, and set
    SSH Service to Disabled (prevents starting upon future reboots) and Stopped
    (immediate stop). Note that as a result, access to the Appliance's Administration
    Menu will be only from its direct console.
Configuring Proxy
If TSOC is deployed behind your organizational proxy server, you need to provide TSOC with
the organizational proxy settings so TSOC can pull updates and intelligence feeds from TrapX.
To configure proxy settings, in TSOC go to Settings > General > Proxy:
Configuring Email
To enable TSOC users to receive emails with reports and alerts, provide TSOC with your
organizational email server details. In TSOC, go to Settings > General > Mail:
By Relay Server provide the mail server address, and provide its connection details.
To customize email message text fields, select Use Custom info.
You can Test Mail. Make sure to Save.
DeceptionGrid Administration
This section describes additional configuration and setup tasks. These are in addition to initial
basic configuration (see Getting Started on page 6).
In This Section
Integrating with Third-Party IT Systems ...........................................14
User Authentication and Authorization ...........................................18
Setting Up DeceptionGrid Appliances ..............................................21
Integrating with Third-Party Security Systems .................................24
Updating DeceptionGrid ..................................................................43
Enabling CLI / SDK / API ....................................................................45
Enabling Attack Intelligence .............................................................46
Whitelisting Legitimate Connections: Event Exceptions ..................47
Asset Inventory.................................................................................48
In This Section
Enabling SMB Signing Support .........................................................14
Integrating with Full OS Trap Infrastructure ....................................15
Monitoring Appliance Health ...........................................................16
b. Select Enable SMB Domain, provide details of the DC (Domain name, FQDN, DC
IP address and host name), and the details of the above configured computer
object (name and password):
c. For these details to be used for Active Directory tokens, provide the location in
the organizational AD Schema where the token should be recorded, and select
Use this information for AD tokens.
d. Click Apply.
Save.
• System resources such as CPU, RAM, and disk utilization, and network interfaces
• Essential processes related to Appliance and trap operation
• Control and data connectivity between the Appliance and TSOC
These system health syslogs do not include security events and usually should not be sent to
a SIEM.
The syslogs are sent via the local4 facility and use standard syslog severity levels:
• Local and LDAP: All users submit their credentials directly in TSOC. Each user's
credentials can either be stored locally in TSOC, or, if TSOC has been integrated with
organizational LDAP / Active Directory (see Enabling TSOC LDAP / Active Directory
Authentication on page 20), the user can be configured for LDAP / Active Directory
authentication. In this case, upon the user submitting credentials to TSOC,
TSOC queries the organizational LDAP / Active Directory server for authentication.
• SAML (single sign-on): Upon attempting to connect to TSOC, users are redirected to
the organizational SAML-based Identity Provider (IdP) system for authentication
(some examples are PingFederate and OneLogin). Users log into the organizational
system, according to whatever security protocols are organizationally required (for
example, multifactor authentication), and are then automatically redirected back to
TSOC, where they are automatically authorized according to TSOC user configuration.
Depending on IdP configuration, users who are already logged into the organizational
system (for example, when they accessed another integrated organizational
application) may be immediately authorized without needing to log in specifically for
TSOC.
In either case, authenticated users are authorized for accessing TSOC as configured in their
user details in TSOC. Each configured user has one of the following Roles:
The user detail fields that the IdP will pass to TSOC upon authentication must
include the user's email address, which will be used to match the authenticated user
with the user's configuration in TSOC, for authorization. Make note of the exact field
name which will contain the email address.
Make sure you have the certificate used by the IdP.
3. Back in TSOC, select Enable SAML authentication and configure the relevant URLs
and certificate. By Email attribute field, provide the exact name of the field that the
IdP will provide containing authenticated users' email addresses.
4. Test the connection, and upon success Save the configuration.
To disable SAML authentication (reverting to Local and LDAP authentication), in the above
SAML Authentication page clear the main check box. If you can't access the TSOC UI (for
example, there's a problem with the IdP), use the TSOC Server Administration Menu (see
Administration Menus on page 65) option to Disable SAML authentication.
Configuring Users
Create and manage users at: Settings > Users:
To add a user, click Add user and configure the user's details, including authentication, role,
and personal details. To view or edit an existing user's details, click .
If TSOC is configured for SAML authentication (see Overview of User Authentication and
Authorization on page 18), all users' authentication will be by the organizational IdP rather
than as defined in user details. For authorization, the IdP authorization will be matched to
TSOC user configuration by the Email address as defined in TSOC user details, so make sure to
set the correct email address.
User details include a Status of Enabled / Disabled. It is also possible to temporarily suspend
a user: click to suspend, to resume. You can also lock ( ) or unlock ( ) a user; when a user
tries unsuccessfully to log in too many times, their account is automatically locked.
For users with limited roles, assign Appliances and Full OS Traps, in Appliances > Appliance >
Users > Add user:
In This Section
Initializing Appliances .......................................................................22
Configuring DeceptionGrid Appliances ............................................23
Initializing Appliances
Once a DeceptionGrid Appliance has been set up as in the DeceptionGrid Installation Guide,
you need to initialize it to TSOC. When one or more Appliances is available for initialization,
their number appears in TSOC:
To initialize an Appliance:
1. Either click the above number, or, in the Appliances page click See Pending:
3. Click Finish.
Appliance clocks must be synchronized with TSOC's clock (see Configuring TSOC's
Clock on page 13), so make sure to set either the Time zone and Time, or NTP
Service.
SSH and NTP services can be immediately Started or Stopped; to affect
subsequent reboots, they can be Enabled or Disabled.
3. When you’re done making changes, make sure to click Apply.
In This Section
Integrating with Forensic Analysis Systems .....................................25
Integrating with Data Analysis (SIEM / BI) .......................................26
Enabling VirusTotal to Check Suspicious Files ..................................31
Integrating with Endpoint Protection ..............................................31
Integrating with Network Access Control Systems ..........................34
Integrating with Organizational Firewalls ........................................41
Note: Only one sandbox can be integrated. Enabling one automatically disables all others.
3. Select the relevant sandbox vendor, select Enable and provide the connection
details.
4. Click Apply.
In This Section
Sending Events via Syslog .................................................................26
Retrieving Events via ODBC ..............................................................29
Sending Events via Syslog
TSOC can send trap and NIS events to one or more SIEM or other syslog servers. Only UDP (not
TCP) is supported.
As an alternative, you can have DeceptionGrid Appliances directly send their events via syslog.
Send events from TSOC
1. In TSOC, go to Settings > General > Eco System > SIEM > Syslog:
2. For each destination Syslog server, click , provide connection details and click Add.
3. Select which Event Types TSOC should send.
4. Click Apply.
Send events from Appliance
1. In TSOC, go to Appliances > Appliance > Configuration > Settings, and by Syslog
server (security) click :
2. Enable Syslog and provide the syslog server's address. Click Apply.
The sent events are in CEF format, and include the following fields:
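As an added example (not TrapX code), the following receiver-side Python separates Appliance health syslogs (sent on the local4 facility with standard severities, as described under Monitoring Appliance Health) from TSOC's CEF-formatted security events, so that only the latter are forwarded to a SIEM. The hostnames, signature id and extension keys in the sample lines are constructed for the example; the guide's own CEF field list is not reproduced here.

```python
import re

# Syslog facility codes (RFC 5424 table); DeceptionGrid Appliance health
# messages use local4 (code 20).
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              16: "local0", 17: "local1", 18: "local2", 19: "local3", 20: "local4",
              21: "local5", 22: "local6", 23: "local7"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
HEALTH_FACILITY = "local4"


def decode_pri(line):
    """Split a '<PRI>...' syslog line into (facility, severity, remainder)."""
    m = re.match(r"<(\d{1,3})>(.*)", line, re.DOTALL)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or invalid PRI")
    pri = int(m.group(1))
    facility = FACILITIES.get(pri >> 3, "reserved%d" % (pri >> 3))
    return facility, SEVERITIES[pri & 7], m.group(2)


def parse_cef(text):
    """Parse 'CEF:Version|Vendor|Product|DevVersion|SigID|Name|Severity|ext'.
    Header pipes are escaped as backslash-pipe, '=' inside extension values
    as backslash-equals (standard CEF escaping)."""
    start = text.find("CEF:")
    if start < 0:
        return None
    fields = re.split(r"(?<!\\)\|", text[start + 4:], maxsplit=7)
    if len(fields) != 8:
        return None
    names = ["version", "vendor", "product", "device_version",
             "signature_id", "name", "severity"]
    record = {n: v.replace("\\|", "|") for n, v in zip(names, fields[:7])}
    ext, ext_text = {}, fields[7]
    # A key is a run of word characters followed by '=' at the start or after
    # whitespace; an escaped '\=' inside a value therefore never starts a key.
    keys = list(re.finditer(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=", ext_text))
    for i, k in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext_text)
        value = ext_text[k.end():end].strip()
        ext[k.group(1)] = value.replace("\\=", "=").replace("\\\\", "\\")
    record["extension"] = ext
    return record


def triage(lines):
    """Route lines: local4 health stays local, parsed CEF goes to the SIEM,
    anything else is set aside for inspection."""
    health, siem, rejected = [], [], []
    for line in lines:
        try:
            facility, severity, rest = decode_pri(line)
        except ValueError:
            rejected.append(line)
            continue
        if facility == HEALTH_FACILITY:
            health.append({"severity": severity, "message": rest.strip()})
            continue
        record = parse_cef(rest)
        if record is None:
            rejected.append(line)
            continue
        record["syslog_severity"] = severity
        siem.append(record)
    return health, siem, rejected


# Constructed sample lines (hostnames, signature id and extension keys are
# assumptions for this example, not the product's documented values).
SAMPLE_LINES = [
    "<164>Jan 10 12:00:01 appliance01 health: disk /var 91% used",      # local4.warning
    "<163>Jan 10 12:00:05 appliance01 health: trap process not running",  # local4.err
    "<134>Jan 10 12:01:00 tsoc CEF:0|TrapX|DeceptionGrid|1.0|100|Trap interaction|8|"
    "src=10.1.2.3 dst=10.1.5.9 dpt=445 msg=SMB logon attempt user\\=svc_backup",
    "not a syslog line",
]

if __name__ == "__main__":
    h, s, r = triage(SAMPLE_LINES)
    print(len(h), "health,", len(s), "to SIEM,", len(r), "rejected")
```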
For a data analysis application to pull TSOC trap and NIS events via ODBC:
1. In TSOC, go to Settings > General > Eco System > SIEM > ODBC:
2. Select Enable ODBC, click Add connection and provide the data analysis
application’s IP address. Connections from this address will be authorized to view
relevant parts of TSOC’s database.
Note: If the connections to TSOC will go through a NAT gateway, provide that
gateway’s IP address, as this is what will appear in the connections as source
address.
4. Configure the data analysis application to retrieve relevant data, using the following
credentials:
Username: odbc_nms
Password: odbc_nms88$
The following views appear to the ODBC connection but are not for use:
dxl_malware_trap_monitor
view_white_list_and_false_positive_connections_list
view_white_list_and_false_positive_downloads_list
In This Section
Integrating with McAfee DXL for ePO ..............................................32
Integrating with Carbon Black Cb Response ....................................33
Integrating with McAfee DXL for ePO
TSOC can send malware infection and NIS events to McAfee Data Exchange Layer (DXL) on
McAfee ePolicy Orchestrator (ePO) or on an organizational McAfee Threat Intelligence
Exchange (TIE) for message handling, to be used in McAfee products such as ePolicy
Orchestrator (ePO), Active Response, or custom API scripts.
In addition, an ePO extension is provided to bring the events into ePO and enable appropriate
querying and reporting in ePO. With extension installation, some preconfigured ePO queries
and a TrapX dashboard are added to ePO; you can also configure your own.
To integrate TSOC with McAfee DXL:
1. Make sure organizational firewalls allow the following traffic from TSOC:
• To ePO:
TCP 8443
TCP 443
• To TIE / broker:
TCP 8883
2. Make sure your organizational ePO is running the McAfee Mobile ePO (MePO)
extension. For more information on this extension, see McAfee KB84824.
3. In ePO, go to Menu > User Management > Permissions Sets, and enable (Edit, select
and Save) the following permissions:
• Group Admin > DXL McAfee MePO Certificate Creation > Create DXL McAfee
MePO Certificates
• Group Admin > McAfee DXL Fabric > View Data Exchange Layer Fabric
• DXL MePO Authentication Permission Set > DXL McAfee MePO Certificate
Creation > Create DXL McAfee MePO Certificates
4. Create an ePO user (Menu > Users > New User) with the following Manually
assigned permission sets:
• Group Admin
• DXL MePO Authentication Permission Set
5. In TSOC, go to Settings > General > Eco System > Endpoint Protection > McAfee
DXL, select Enable McAfee DXL, and provide:
• ePO details (to be authenticated to the TIE agent handler, TSOC needs to first
connect directly to ePO):
• ePO IP Address or resolvable name, and its Port
• Username and Password of the user you created in step 4
• TIE agent handler IP address or resolvable name, and Port
Note: Make sure organizational firewalls allow the above traffic.
6. Enable ePO to pull the events from the TIE agent handler:
a. Download the TrapX ePO extension .ZIP file from:
https://share.trapx.com/fl/ZCrffNZBWA
b. In ePO, go to Menu > Software > Extensions and click Install Extension:
c. Click Choose File, navigate to the TrapX extension and click OK.
When the extension installation is complete, the extension will appear in ePO’s left-hand
navigation menu as Third Party > TrapX DXL. Preconfigured queries appear under TrapX and
in the preconfigured TrapX dashboard. You can configure additional relevant queries by going
to Menu > Reporting > Queries & Reports > New Query > Others and selecting TrapX Botnet
detector (for NIS events) or TrapX MD5. You can add queries to any ePO dashboard.
TSOC can send malware infection and NIS events to Carbon Black Cb Response, for manual
(from Event Analyzer) and optional automatic isolation of attacking endpoints.
The integration requires connectivity from TSOC to python.org.
To integrate with Cb Response:
1. From the Cb Response user interface, obtain an API token.
2. In TSOC, go to Settings > General > Eco System > Endpoint Protection > Carbon
Black:
• Remediation actions: TSOC events or manual action in TSOC can trigger the network
security system to display the event in its systems and/or automatically disconnect
(divert) the infected endpoint from the network.
• Endpoint details (Cisco integration only): The Event Analyzer displays an enriched
alert, with detailed endpoint-related information.
In This Section
Integrating with Cisco ISE .................................................................34
Integrating with ForeScout CounterACT ..........................................35
Integrating with Cisco ISE
You can integrate TSOC with Cisco Identity Services Engine (ISE) via the Cisco Platform
Exchange Grid (pxGrid). The integration enables:
• Remediation actions: TSOC events or manual action in TSOC can trigger the network
security system to display the event in its systems and/or automatically disconnect
(divert) the infected endpoint from the network.
• Endpoint details: The Event Analyzer displays an enriched alert, with detailed
endpoint-related information.
Cisco ISE 2.0 or above is supported.
To integrate with Cisco ISE:
1. Make sure organizational firewalls allow the following traffic from TSOC to ISE:
TCP 5222
UDP 5222
ICMP
HTTPS
HTTP
2. In TSOC, go to Settings > General > Eco System > Network Security > Cisco ISE:
You can integrate TSOC with ForeScout CounterACT. With the integration, TSOC events or
manual action in TSOC can trigger the network security system to display the event in its
systems and/or automatically disconnect (divert) the infected endpoint from the network. The
integration can also be used for TSOC asset inventory (see Asset Inventory on page 48).
CounterACT 7.0 or above is supported.
To integrate with ForeScout CounterACT:
1. Enable CounterACT to receive Syslog from TSOC. For each CounterACT appliance in
your environment:
a. In CounterACT, go to Tools > Options > Plugins (in CounterACT 8.x: Modules), and
make sure you have the Syslog plugin (may be under Core Extensions):
d. In the Receive from tab, configure an available syslog source with NTSyslog
security log and TSOC’s IP address, and click OK:
Note: Due to a known CounterACT issue, you may need to make any change
in another tab to be able to save the configuration.
c. Navigate to the downloaded plugin (.fpi file) and click Install. Confirm as needed.
d. Still in Plugins, select TrapX and click Configure:
b. Select TrapX TSOC > TrapX TSOC Threat Detection, and click Next:
a. In TSOC, go to Settings > General > Eco System > Network Security > ForeScout
CounterACT:
d. Save.
5. For asset inventory retrieval, go to Settings > General > Inventory:
In This Section
Integrating with Check Point Gateways ...........................................41
Integrating with Fortinet Firewalls ...................................................42
Integrating with Check Point Gateways
You can connect TSOC to your organizational Check Point deployment. The integration
enables, as a remediation action, event-based configuration of the firewalls to begin
automatically tracking or blocking similar traffic.
Upon an NIS or trap event, TSOC configures the Check Point management server with
Suspicious Activity Monitoring (SAM) rules defined according to the event traffic: for trap
events – according to source IP address; for NIS events – according to destination IP address.
You can optionally configure TSOC to create rules automatically, upon specified event types;
in any case, you’ll have the option to manually create rules from the Event Analyzer.
Check Point R7x or above is supported. The created SAM rules are effective immediately
(including for live connections) on all managed gateways and do not require Install Policy. To
view and manage created rules, in Check Point SmartView Monitor go to Tools > Suspicious
Activity Rules.
Check Point integration cannot be configured along with any other Network Security
integration (as appearing in the TSOC Network Security tab as below).
To integrate with Check Point:
1. Make sure organizational firewalls allow SSH traffic (port 22) from TSOC to the
organizational Check Point Security Management server(s).
2. In TSOC, go to Settings > General > Eco System > Network Security > Check Point:
3. Select Enable Check Point SAM Firewall Enforcement, and provide connection
details to one or more Check Point Security Management servers and SSH
credentials with administrative permissions.
4. Optionally, Set rule expiration time.
5. Optionally, select event types, and for each whether the created Check Point rule
should be configured to Drop connections or just Log.
6. Save.
You can Test the connection (below).
You can connect TSOC to your organizational Fortinet FortiGate deployment. The integration
enables, as a remediation action, event-based configuration of the firewalls to begin
automatically blocking similar traffic.
Upon an NIS or trap event, TSOC configures the firewall with rules defined according to the
event traffic: for trap events – according to source IP address; for NIS events – according to
destination IP address. You can optionally configure TSOC to create rules automatically, upon
specified event types; in any case, you’ll have the option to manually create rules from the
Event Analyzer.
FortiGate VM64 version 6.0.3 or above is supported. FortiGate integration cannot be
configured along with any other Network Security integration (as appearing in the
TSOC Network Security tab as below).
To integrate with FortiGate:
1. Make sure organizational firewalls allow API traffic (by default, port 443) from TSOC
to the organizational FortiGate firewall(s).
2. In TSOC, go to Settings > General > Eco System > Network Security > FortiGate:
3. Select Enable FortiGate Firewall, and provide connection details to one or more
FortiGate firewalls' API.
4. Optionally, Set rule expiration time.
5. Optionally, select event types for which rules should be automatically created.
6. Save.
You can Test the connection (below).
Updating DeceptionGrid
This section describes several tasks related to updating and upgrading various DeceptionGrid
components.
In This Section
Upgrading DeceptionGrid Components ...........................................43
Checking for Software Upgrades ......................................................44
Upgrading in a Closed Environment .................................................44
Updating NIS Intelligence Feeds.......................................................45
Note: For extra security, it is recommended to save a snapshot of the TSOC server. If your
Appliances are also virtual, save snapshots of them as well.
Note: Before updating, if at any point in the past any DeceptionGrid component was
restored from a snapshot, restart that component.
In addition, notifications of available Appliance and Full OS trap updates appear in the
Appliances page, and non-updated items are marked:
To update, click notifications and follow instructions. The upgrade process may include a
restart.
After updating a full OS trap, return the trap to Active mode (see Setting Maintenance Mode
on page 60) and create a new baseline snapshot (see Setting Baseline and Reverting on page
60).
2. Log in as user mng, and from the Administration Menu select Manage Custom
Updates Source.
3. Select 1 to Enable User.
The upload user account is enabled for 24 hours, and the temporary password is
displayed.
4. Using WinSCP or a similar client, connect to the TSOC server via SFTP over port 222,
with user upload and the above temporary password.
5. Copy the upgrade package and its associated MD5 file into the TSOC Updates
directory.
6. Back in the Administration Menu, select 3 to Move Uploaded Updates.
Wait for the process to be finished. For security purposes, in the Administration Menu select
2 to Disable User.
The upgrade package will appear in TSOC (see Upgrading DeceptionGrid Components on page
43).
by CLI / SDK). To enable this, a single user with the Super Admin role (by default: the
super_admin user account) may be enabled for API.
To enable a Super Admin user for API, in TSOC go to Settings > Users, and by the user click
. In the user's details page, select Use for API:
Click Apply.
The Main API Key is now available; you can Copy it to clipboard.
In cases where you need to Regenerate the key, note that this will impact existing client
scripts.
Here you can also Copy or Regenerate the Token API Key, used by Deception Token packages
to perform connected execution and for TSOC to display installation status.
2. Optionally, select to display the Blotter - a ticker-style notification area with links to
latest unread articles.
3. Save.
In This Section
Manage Exceptions from Appliance Settings ...................................47
Base an Exception on an Existing Event ...........................................48
To copy all of another Appliance's existing exceptions to the current Appliance, by Copy
exceptions from, select the source and click Copy.
To add an exception, click , set the exception parameters, and click Apply. For the Exception
to suppress only Scan-stage events including Ping, select Filter Only Scan.
To except SMB connections to emulation traps, click , select Emulation Trap > SMB False
Positive, and by Pattern matching provide a value that if found in an SMB connection will
cause the event to be excepted. If you include a command prefix (as when the Exception is
created from the Event Analyzer; for example, Logon: or Dir:), to have the exception defined
for its value regardless of the specific command in which the value appears, select Filter all
command prefixes.
To whitelist ICMP (ping) connections from all sources to an Appliance (to prevent ping-scan
events), go to Appliances > Appliance > Configuration > Settings, and enable Filter
PING events.
To avoid false-positive alerts from organizational scanners, you can enable dark mode, so
emulation traps will not respond at all to TCP connections from IP addresses for which a
regular Exception is configured for all ports. Go to Appliances > Appliance > Configuration
> Settings, and enable Exceptions Dark Mode.
Configure or confirm the exception details and trap scope, and click Apply:
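To make the interplay of these settings concrete, here is an added Python model (my reading of the guide, not TrapX's implementation) of how a regular Exception, Filter Only Scan, an SMB False Positive pattern with or without Filter all command prefixes, Filter PING events and Exceptions Dark Mode decide whether an event is recorded, suppressed, or never answered. CIDR sources and the event dictionary layout are assumptions for the example.

```python
from dataclasses import dataclass, field
import ipaddress
import re


@dataclass
class RegularException:
    source: str                       # IP address or CIDR (CIDR support is an assumption)
    ports: object = "all"             # "all" or a tuple of destination ports
    filter_only_scan: bool = False    # "Filter Only Scan": suppress only scan-stage events

    def matches(self, src_ip, dst_port):
        in_scope = src_ip in ipaddress.ip_network(self.source, strict=False)
        return in_scope and (self.ports == "all" or dst_port in self.ports)


@dataclass
class SmbFalsePositive:
    pattern: str                      # e.g. "Logon: svc_backup" or just "svc_backup"
    all_prefixes: bool = False        # "Filter all command prefixes"


@dataclass
class ApplianceSettings:
    regular: list = field(default_factory=list)
    smb: list = field(default_factory=list)
    filter_ping: bool = False         # "Filter PING events"
    dark_mode: bool = False           # "Exceptions Dark Mode"


# A command prefix is a single word ending in ':' followed by whitespace,
# so "C:\share" on its own is a value, not a prefixed command.
PREFIX_RE = re.compile(r"^([A-Za-z]+:)\s+(.*)$")


def split_prefix(text):
    """'Logon: svc_backup' -> ('Logon:', 'svc_backup'); no prefix -> ('', text)."""
    m = PREFIX_RE.match(text.strip())
    return (m.group(1), m.group(2)) if m else ("", text.strip())


def smb_excepted(command, exc):
    """True if the SMB False Positive pattern excepts this SMB command."""
    cmd_prefix, cmd_value = split_prefix(command)
    pat_prefix, pat_value = split_prefix(exc.pattern)
    if exc.all_prefixes:              # value matters, prefix on either side is ignored
        return pat_value in cmd_value
    if pat_prefix:                    # prefix must agree, value is matched as a substring
        return cmd_prefix == pat_prefix and pat_value in cmd_value
    return pat_value in command       # bare value: substring anywhere in the command


def evaluate(event, settings):
    """Return 'record', 'suppress' (event not recorded) or 'silent' (dark mode:
    the trap does not answer the TCP connection at all)."""
    src = ipaddress.ip_address(event["src"])
    if event["proto"] == "icmp" and settings.filter_ping:
        return "suppress"
    hits = [e for e in settings.regular if e.matches(src, event.get("dst_port"))]
    # Assumption: dark mode applies to any all-ports regular exception for the source.
    if settings.dark_mode and event["proto"] == "tcp" and any(e.ports == "all" for e in hits):
        return "silent"
    for e in hits:
        if not e.filter_only_scan or event["stage"] == "scan":
            return "suppress"
    cmd = event.get("smb_command")
    if cmd and any(smb_excepted(cmd, s) for s in settings.smb):
        return "suppress"
    return "record"
```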
Asset Inventory
TSOC can maintain an inventory of organizational endpoint assets. The inventory can be used
for automatic emulation profiles and/or for coverage analysis (see the DeceptionGrid Security
Deployment Guide).
Asset inventory can be provided to TSOC in any of the following ways:
• Via API / CLI / SDK (see relevant guides), provide one of:
• Connection details to the organizational Active Directory, from which TSOC will
retrieve endpoint information
• A CSV list of endpoints
• ForeScout CounterACT integration (see Integrating with ForeScout CounterACT on
page 35)
A single inventory is maintained; providing an inventory in any of the above ways overwrites
the existing one, even if that one was provided in a different way.
In This Section
Deploying Network Intelligence Sensor ...........................................50
Updating NIS Intelligence Feeds.......................................................51
For NIS to work, an Appliance interface needs to be connected to a network device port
mirroring traffic exiting the organization. The connected device can be the organizational
perimeter firewall, or, if organizational traffic exits through a proxy, that proxy server. In the
latter case, if some organizational traffic circumvents the proxy, connect another interface to
the firewall as well.
The organizational device port must be configured to mirror outbound traffic. The connected
Appliance interface or interfaces need to have NIS Enabled and to be configured for
Promiscuous mode, to monitor traffic; if connected to a proxy server, the Appliance interface
needs to be additionally configured for Proxy mode, so NIS can correctly interpret the traffic.
When the Appliance is connected to both a proxy and a firewall, the interface connected to
the firewall needs to be additionally configured for Upstream mode, so that NIS will correlate
firewall traffic with proxy traffic.
On new DeceptionGrid appliances, eth1 already has NIS enabled.
Known legitimate traffic can be whitelisted, in TSOC (see Whitelisting Legitimate Connections:
Event Exceptions on page 47) or as below. NIS intelligence is periodically updated (see
Updating NIS Intelligence Feeds on page 51).
For other NIS configuration, use the Appliance's Administration Menu: connect either to the
Appliance's direct console or, using PuTTY or another SSH client, via SSH on port 222.
Log in as user sensor and select from the NIS Settings category, which includes the following
commands:
In This Section
Setting Up Full OS Trap .....................................................................53
Maintaining Full OS Trap ..................................................................59
Upgrading a Full OS Trap ..................................................................61
Removing a Full OS Trap ...................................................................61
In This Section
Attended Full OS Trap Installation ...................................................53
Unattended Full OS Trap Installation ...............................................56
The host can have any additional installed or running software, and any data and
configuration as relevant to your network. You can use an organizational image.
• Make sure the following ports are open on organizational network devices:
  Source         Destination   Port
  Full OS trap   TSOC          7443, 8443, 9443
2. If the host computer previously had the full OS Trap agent installed and then
uninstalled, restart the computer.
3. On the prepared host computer, from a local drive (not a network share or
removable media) run as an Administrator the provided agent installer (named
NCIAInstaller.msi, for obfuscation).
4. Go through the wizard pages. At the TSOC Integration page, configure the trap’s
connection to TSOC and how the trap will appear in TSOC:
6. At the Agent Obfuscation page, select how the agent should appear on the
computer to a potential attacker. For example, if the trap is meant to appear as an IT
server, select Sysinternals Package:
12. Create a baseline snapshot (see Setting Baseline and Reverting on page 60).
13. Configure services to be monitored, and optionally their tokens, as in the
DeceptionGrid Security Deployment Guide.
14. If you know of legitimate organizational network traffic that will be affecting the
trap, configure relevant exceptions as in the DeceptionGrid Security Handling &
Analysis Guide.
The full OS trap appears in the Appliances page, and relevant events will be displayed for
analysis.
7. Create a baseline snapshot (see Setting Baseline and Reverting on page 60).
8. Configure services to be monitored, and optionally their tokens, as in the
DeceptionGrid Security Deployment Guide.
9. If you know of legitimate organizational network traffic that will be affecting the
trap, configure relevant exceptions as in the DeceptionGrid Security Handling &
Analysis Guide.
The full OS trap appears in the Appliances page, and relevant events will be displayed for
analysis.
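Before running the installer in either procedure above, it is worth confirming from the prepared host that the three ports in the prerequisites table (full OS trap to TSOC on 7443, 8443 and 9443) are really open, and distinguishing a firewall drop from a TSOC-side problem. The following is an added example, not part of the DeceptionGrid product or its documentation: a small Python reachability check that probes each port and turns the socket error into a hint. The port numbers are the documented ones; the TSOC host name in the comment and the mapping from socket errors to hints are assumptions of this example. The offline demonstration uses a loopback listener as a constructed stand-in for TSOC.

```python
"""Pre-installation check for a full OS trap host: confirm it can reach TSOC
on the documented ports and classify each failure (network vs. TSOC side).

Added example; not part of the DeceptionGrid product or its documentation.
Ports come from the prerequisites table; the host name and the error-to-hint
mapping are assumptions of this example.
"""
import socket
import threading
from typing import Dict, Iterable

TSOC_PORTS = (7443, 8443, 9443)   # full OS trap -> TSOC, per the prerequisites table


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open', 'refused', 'timeout', 'dns' or 'unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "dns"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError:
        return "unreachable"


def check_tsoc_reachability(host: str, ports: Iterable[int] = TSOC_PORTS,
                            timeout: float = 3.0) -> Dict[int, str]:
    return {port: probe(host, port, timeout) for port in ports}


HINTS = {
    "timeout": "no response: most likely dropped by a firewall between the host and TSOC",
    "refused": "host reached but nothing listening: check TSOC's services, not the network path",
    "dns": "name resolution failed: check the TSOC host name or use its IP address",
    "unreachable": "no route to host: check routing from this segment to TSOC",
}


def explain(results: Dict[int, str]) -> str:
    """Human-readable verdict over the probe results, one line per failed port."""
    failed = [(p, s) for p, s in results.items() if s != "open"]
    if not failed:
        return "all TSOC ports reachable"
    return "\n".join(f"port {p}: {s} ({HINTS[s]})" for p, s in failed)


# --- helpers for the offline demonstration (constructed stand-ins, not TSOC) ---
def start_local_listener() -> int:
    """Stand-in for an open TSOC port: accept and close connections on loopback."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def find_closed_port() -> int:
    """A loopback port with nothing listening, to provoke a 'refused' result."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Real use (host name assumed): explain(check_tsoc_reachability("tsoc.example.internal"))
    demo = check_tsoc_reachability("127.0.0.1", (start_local_listener(), find_closed_port()))
    print(explain(demo))
```

A timeout on all three ports with the TSOC host resolving correctly almost always means the firewall rule from the prerequisites table is missing on the path; a refused connection means the packets arrive and the problem is on the TSOC side, so the network team need not be involved.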
In This Section
Setting Maintenance Mode..............................................................60
Setting Baseline and Reverting.........................................................60
The trap agent will continue running and remain connected to TSOC, but event monitoring
will be paused.
To resume event monitoring, click the corresponding button in TSOC.
In This Section
Enabling Remote Support Access .....................................................63
Managing Appliance Routing ...........................................................63
Backup & Restore .............................................................................63
Stopping or Restarting the Trap Service ..........................................65
Administration Menus......................................................................65
Repairing or Reconfiguring a Full OS Trap ........................................71
Viewing TSOC Logs ...........................................................................71
Obtaining Diagnostics .......................................................................72
Testing Communications ..................................................................73
Appliances’ configurations, including their traps and tokens, are automatically backed up daily
on the TSOC server, from where you can restore them as needed, as below.
Note: Some items such as trap spin data, logs, and undelivered messages are not included
in configuration backup. For Appliances in virtual environments, a more complete
backup solution can be achieved by backing up the whole virtual machine
(snapshot).
You can change the time of day when the automatic backups take place as below. You can
also manually initiate a backup of a specified Appliance’s configuration as below.
The last three backups are maintained; older backups are deleted.
In special troubleshooting scenarios, when it may be necessary to create a more complete
backup, TrapX support may direct you to perform an Appliance Interface Configuration
backup (not discussed here).
In This Section
Setting the Daily Backup Time ..........................................................64
Restoring an Appliance’s Configuration ...........................................64
Manually Backing up an Appliance ..................................................64
Administration Menus
Both the TSOC server and individual Appliances provide special administration menus for
advanced commands.
To access the Administration Menu:
1. Connect to the Appliance or TSOC server either at its console, or via SSH (for
example, using PuTTY) over port 222.
Note: In the case of Appliances, if the connection fails, make sure SSH is enabled:
in TSOC's Appliances page, select the Appliance and go to Configuration >
Settings > SSH Service.
2. On the TSOC server, log in as user mng; on an Appliance, log in as user sensor
(default password: Log2sensor). Because this default is published, limit SSH access to
the Appliance to management hosts, and keep the Appliance's SSH Service disabled when
it is not needed.
Note: These users do not have full-fledged shell accounts. They are restricted
sudoers and can invoke only the commands available in the presented menu.
At any time during configuration you can return to the main menu: on an Appliance, press
Ctrl+C; on the TSOC server, press Escape.
In This Section
TSOC Server Administration Menu Items ........................................65
Appliance Administration Menu Items ............................................67
Global Appliance Settings
  Services Status: For troubleshooting purposes, lists the current status of services.
  Run packet analyzer: For maintenance and troubleshooting purposes, displays network
    traffic on a specific interface.
  Check Connectivity to TSOC: For maintenance and troubleshooting purposes, displays
    per-port and per-service connectivity status.
  Enable / Disable Support Access: Enables / disables TrapX support remote access.
    Same as from TSOC (see Enabling Remote Support Access on page 63).
  Change setup Password: Changes the password for the setup user, used for initial
    Appliance configuration.
Note: Due to a known issue in the current release, a repair (or reinstall) requires changing
the configured TSOC address and/or the trap ID; otherwise communication with TSOC
will be lost.
1. From TSOC, set the trap to Maintenance mode (see Setting Maintenance Mode on
page 60).
2. On the agent host computer, do one of the following:
• Run the installer and select the option to repair. A copy of the installer is located
on the host computer, at:
<FOS_home>\Data\
where <FOS_home> is the full OS agent's installation directory, named according
to the selected obfuscation profile.
Note: If for some reason you cannot set the trap to maintenance mode, the
agent will not allow remote repair. In this case open a direct console to
the agent host, run the installer and you’ll be presented with an option
for maintenance mode. Select it, click Submit, and then repair.
3. If you made changes to the TSOC IP address and/or trap ID, you’ll need to initialize
the trap from TSOC as after installing the trap (see Setting Up Full OS Trap on page
53).
You can filter the displayed logs by Message strings and by date range.
Audit logs are cleared every 30 days; WebApp and Distribution logs are cleared every 7 days.
To keep logs longer, you can Export to CSV. For Audit logs, you can instead automate periodic
retrieval via API (see the TSOC API Developer's Guide) or CLI/SDK (see the DeceptionGrid
CLI/SDK Developer's Guide). Alternatively, contact TrapX support to extend the log
retention period.
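Automated retrieval only helps if each run is scheduled well inside the 30-day window and the local archive survives overlapping fetches without duplicates. The following is an added example, not part of the DeceptionGrid product or its documentation, showing that checkpoint-and-merge logic around a pluggable fetch function. The record shape (id, timestamp, message), the sample records and the fetch_since(ts) call are assumptions of this example; the real fetch must be written against the TSOC API as documented in the TSOC API Developer's Guide.

```python
"""Keep TSOC audit logs beyond the 30-day purge by pulling them on a schedule
and merging them into a local append-only CSV archive with a checkpoint.

Added example; not part of the DeceptionGrid product or its documentation.
The record shape, the sample records and fetch_since() are assumptions; write
the real fetch against the TSOC API per the TSOC API Developer's Guide.
"""
import csv
import json
import tempfile
from pathlib import Path
from typing import Callable, Dict, Iterable, List, Set, Tuple

Record = Dict[str, str]
FIELDS = ("id", "timestamp", "message")          # assumed record shape
EPOCH = "1970-01-01T00:00:00+00:00"


def load_checkpoint(path: Path) -> str:
    """ISO 8601 timestamp of the newest archived record (EPOCH if none yet)."""
    return json.loads(path.read_text())["last_timestamp"] if path.exists() else EPOCH


def save_checkpoint(ts: str, path: Path) -> None:
    path.write_text(json.dumps({"last_timestamp": ts}))


def archived_ids(path: Path) -> Set[str]:
    if not path.exists():
        return set()
    with path.open(newline="") as f:
        return {row["id"] for row in csv.DictReader(f)}


def merge_new(known: Set[str], fetched: Iterable[Record]) -> List[Record]:
    """Drop records already archived (by id) and order the rest by time.
    The fetch window starts *at* the checkpoint, so the newest archived record
    is fetched again on every run; de-duplicating by id makes that harmless."""
    fresh = [r for r in fetched if r["id"] not in known]
    fresh.sort(key=lambda r: r["timestamp"])
    return fresh


def append_records(records: List[Record], path: Path) -> None:
    new_file = not path.exists()
    with path.open("a", newline="") as f:
        w = csv.DictWriter(f, fieldnames=FIELDS)
        if new_file:
            w.writeheader()
        for r in records:
            w.writerow({k: r[k] for k in FIELDS})


def run_once(fetch_since: Callable[[str], List[Record]], archive: Path, checkpoint: Path) -> int:
    """One scheduled run (e.g. daily from cron, well inside the 30-day window).
    fetch_since(ts) must return every audit record with timestamp >= ts and is
    the only part that talks to TSOC. Returns the number of records archived."""
    fresh = merge_new(archived_ids(archive), fetch_since(load_checkpoint(checkpoint)))
    if fresh:
        append_records(fresh, archive)
        save_checkpoint(fresh[-1]["timestamp"], checkpoint)
    return len(fresh)


# Constructed sample standing in for TSOC's audit log (not real TSOC output).
SAMPLE_AUDIT: List[Record] = [
    {"id": "a1", "timestamp": "2024-05-01T08:00:00+00:00", "message": "user admin logged in"},
    {"id": "a2", "timestamp": "2024-05-01T08:05:00+00:00", "message": "appliance backup started"},
    {"id": "a3", "timestamp": "2024-05-02T09:00:00+00:00", "message": "SSH service enabled on appliance"},
]


def sample_fetch(since: str) -> List[Record]:
    # Same-format ISO 8601 strings compare correctly as text, so >= is a time comparison.
    return [r for r in SAMPLE_AUDIT if r["timestamp"] >= since]


def demo() -> Tuple[int, int, int]:
    """Two runs against the sample: the first archives all three records; the
    second re-fetches the overlapping record a3 but archives nothing new."""
    work = Path(tempfile.mkdtemp())
    archive, checkpoint = work / "audit_archive.csv", work / "audit_checkpoint.json"
    first = run_once(sample_fetch, archive, checkpoint)
    second = run_once(sample_fetch, archive, checkpoint)
    return first, second, len(archived_ids(archive))


if __name__ == "__main__":
    print(demo())
```

Keying the de-duplication on the record id rather than the timestamp matters because several audit entries can share a timestamp; an inclusive window plus id-based merging loses nothing and never double-counts, whichever of the two the scheduler runs more often than needed.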
Obtaining Diagnostics
For troubleshooting and maintenance purposes, TrapX support may ask you to download and
send a package of TSOC or Appliance logs or configuration files.
DeceptionGrid Administration Guide, © TrapX 72
Troubleshooting and Maintenance
• For TSOC logs or configuration files, in TSOC go to Settings > Logs > Diagnostics.
• For Appliance logs or configuration files, in TSOC go to Appliances > Appliance >
Diagnostics.
In the relevant section, first have TSOC Retrieve and build the package; when an availability
message appears, Download the package:
Testing Communications
You can test communications between an Appliance and TSOC.
To test, in TSOC go to Appliances > Appliance > Diagnostics, and by Infrastructure test click
Run:
TSOC will display an informative message including status and recommendations as relevant.
• support.trapx.com
• support@trapx.com
• Americas: 1-855-249-4453
EMEA & Asia Pacific: +44-208-819-9849
Documentation Feedback
TrapX Security continually strives to produce high quality documentation. If you have any
comments, please contact Documentation@trapx.com.
Disclaimer
Product specifications are subject to change without notice. This document is believed to be
accurate and reliable at the time of printing. However, due to ongoing product improvements
and revisions, TrapX cannot guarantee accuracy of printed material after the Date Published
nor can it accept responsibility for errors or omissions. Before consulting this document, check
the corresponding Release Notes regarding feature preconditions and/or specific support in
this release. In cases where there are discrepancies between this document and the Release
Notes, the information in the Release Notes supersedes that in this document. Updates to this
document and other documents as well as software files can be obtained by TrapX customers.