
v. 7.

Administration Guide

TrapX® Security, July 2020


trapx.com
Contents
Preface ......................................................................................... 4
Overview: DeceptionGrid System Architecture ........................ 5
Getting Started ............................................................................ 6
Logging into TSOC for the First Time..................................................................6
Setting the Management Framework ...................................................................6
Managing Companies or Departments ................................................................7
Licensing ...............................................................................................................8
Configuring TSOC Timeout ................................................................................10
Signing the TSOC Certificate .............................................................................11
Securing DeceptionGrid .....................................................................................11
Configuring Proxy...............................................................................................12
Configuring Email ...............................................................................................12
Configuring TSOC's Clock .................................................................................13

DeceptionGrid Administration ................................................. 14


Integrating with Third-Party IT Systems ............................................................14
User Authentication and Authorization .............................................................18
Setting Up DeceptionGrid Appliances ...............................................................21
Integrating with Third-Party Security Systems .................................................24
Updating DeceptionGrid .....................................................................................43
Enabling CLI / SDK / API .....................................................................................45
Enabling Attack Intelligence ..............................................................................46
Whitelisting Legitimate Connections: Event Exceptions .................................47
Asset Inventory ...................................................................................................48

Network Intelligence Sensor Administration .......................... 50


Deploying Network Intelligence Sensor ............................................................50
Updating NIS Intelligence Feeds ........................................................................51

Full OS Trap Administration ..................................................... 53


Setting Up Full OS Trap ......................................................................................53
Maintaining Full OS Trap ....................................................................................59
Upgrading a Full OS Trap ...................................................................................61

DeceptionGrid Administration Guide, © TrapX 2



Removing a Full OS Trap ...................................................................................61

Troubleshooting and Maintenance .......................................... 63


Enabling Remote Support Access .....................................................................63
Managing Appliance Routing .............................................................................63
Backup & Restore ...............................................................................................63
Stopping or Restarting the Trap Service ...........................................................65
Administration Menus ........................................................................................65
Repairing or Reconfiguring a Full OS Trap .......................................................71
Viewing TSOC Logs ............................................................................................71
Obtaining Diagnostics ........................................................................................72
Testing Communications ...................................................................................73


Preface
This Administration Guide is about initial DeceptionGrid™ setup and system administration.
After installing DeceptionGrid main components (TSOC and Appliances) as in the
DeceptionGrid Installation Guide, it is recommended to go over the sections in this guide and
configure as needed.
For understanding DeceptionGrid, and for deploying emulation and deception in your
organizational network, see the DeceptionGrid Security Deployment Guide.
For event management and security analysis, see the DeceptionGrid Security Handling &
Analysis Guide.

Overview: DeceptionGrid System Architecture
TrapX Security® DeceptionGrid includes a multi-tiered set of mechanisms for deception,
emulation, and interception, to be deployed throughout an organization. For an
understanding of these mechanisms' functions and deployment in an organizational network
see the DeceptionGrid Security Deployment Guide.
The various DeceptionGrid mechanisms are realized through the combination of several
separately-installed software components:

• Appliance: DeceptionGrid's main component is the DeceptionGrid Appliance, which hosts emulation traps and the (optional) Network Intelligence Sensor (NIS).
For emulation traps, the Appliance's network interfaces are connected to
organizational network switches. You then configure multiple virtual child interfaces
with addresses throughout organizational networks and with relevant emulation.
When attackers connect to these traps, the Appliance responds according to
emulation type and configuration, and records an alert (event).
An Appliance supports up to 512 traps across up to 200 networks (including VLANs).
To deploy more than 512 traps or to more than 200 networks, or to deploy traps in
separate locations, deploy multiple Appliances.
For NIS, one of the Appliance's network interfaces is connected to a relevant network device such as the firewall. See Network Intelligence Sensor Administration on page 50.
• TSOC: The TrapX Security Operations Console (TSOC) manages Appliances and their
traps. TSOC serves a web user interface, through which administrators and security
personnel can administer Appliances, deploy and manage traps, and monitor security
events.
• Full OS Trap: For a higher level of realism and attack monitoring, install the TrapX Full
OS Trap agent on a full (virtual) computer. The host computer can be configured with
any software, data, and settings. Like Appliances and their emulation traps, Full OS
traps are also managed (but not created) from TSOC.
• Deception Tokens: Produced and distributed from TSOC, deception tokens are
installed on existing organizational endpoints to lure and direct attackers to emulation
traps.
Communications between components are secured.


Getting Started
This section describes initial tasks that should be performed before further configuration and
deployment tasks.

In This Section
Logging into TSOC for the First Time ..................................................6
Setting the Management Framework ................................................6
Managing Companies or Departments ..............................................7
Licensing .............................................................................................8
Configuring TSOC Timeout ...............................................................10
Signing the TSOC Certificate .............................................................11
Securing DeceptionGrid ...................................................................11
Configuring Proxy .............................................................................12
Configuring Email .............................................................................12
Configuring TSOC's Clock ..................................................................13

Logging into TSOC for the First Time


To log in to TSOC and change the initial password, point any browser to:
https://<TSOC IP Address>:8443
TSOC initially has a single user account, with Super Admin role and permissions:
Username: super_admin
Initial password: L0g2tsoc (case sensitive)
Upon first login, change the password:

Passwords must contain at least six characters including at least one upper-case character and
one numerical character.

Setting the Management Framework


TSOC and its managed Appliances and traps can be managed in either of two ways, or
Frameworks:

• MSSP: DeceptionGrid Appliances and their traps are assigned to Companies.


• On Premise: DeceptionGrid Appliances and their traps are assigned to Departments.


The separation between companies or between departments affects various aspects of TSOC, including user and Appliance assignment and event visibility. Some management aspects are separated only in MSSP mode, for greater security.
User assignment (depending on Role) to company or department is part of the user's settings;
Appliance assignment is defined at its initialization to TSOC.
To define the framework (MSSP / On Premise), in TSOC go to Settings > License Manager >
Framework:

Managing Companies or Departments


To manage companies or departments, depending on the management framework (see
Setting the Management Framework on page 6), in TSOC go to Settings > Companies /
Departments:

To add a company or department, click Add. To view or edit an existing one's details, click its edit icon.
Details include a Status of Enabled / Disabled. It is also possible to suspend a company or department. When enabled but suspended, events continue to be recorded (just not displayed); when disabled, no events are recorded.
To suspend or delete a company or department, first remove its license (see Licensing on page 8). Then click the suspend icon to suspend, or the delete icon to remove.
To view a company’s or department's assigned traps and users, from its details page go to the
Resources tab:


Licensing
TrapX provides a global license that defines, specifically for your system, your allowed
numbers of traps and expiration, for your entire framework. After uploading the global license
file (.lic) to TSOC, you need to allocate those allowances to your companies or departments,
depending on your management framework (see Setting the Management Framework on
page 6).

In This Section
Global License.....................................................................................8
Allocating Licenses .............................................................................9

Global License
TrapX provides a global license that defines, specifically for your system, your allowed
numbers of traps and expiration, for your entire framework.
To obtain and upload a global license, in TSOC go to Settings > License Manager > Global
license:


Copy the Unique System Key and send it to TrapX or to your reseller. Once you receive a
license file for your system, Upload it.

Allocating Licenses
After uploading the global license file (.lic) to TSOC as above, you need to allocate those
allowances to your companies or departments, depending on your management framework
(see Setting the Management Framework on page 6).
To manage license allocation to companies or to departments, go to Licenses:

The bottom of the page lists companies or departments with allocated licenses; from above,
you can Search to filter the list.
To allocate a license:

1. Click Add license.


2. Select license details and click Create:

3. Click Apply license (otherwise the license is still disabled!):

Configuring TSOC Timeout


Session timeout causes user login to expire after a specified time of inactivity. To configure
TSOC session timeout, in TSOC go to Settings > General > Login > Login settings:


Signing the TSOC Certificate


You can have the TSOC certificate signed by your organization's CA or another recognized CA. This prevents your browser from warning you every time you connect to TSOC, and lets the deception token installer and CLI/SDK/API commands and scripts validate TSOC's certificate instead of having to skip or override validation for a self-signed one.
To sign the TSOC certificate:
1. In TSOC, go to Settings > General > SSL Certificate:

2. Provide your organizational information, and click Generate and Download.


3. Once the certificate is signed, under Upload click in each relevant field to upload,
and then click Save.

Securing DeceptionGrid
In production environments, the following steps are recommended to harden security:

• For TSOC:
  • Sign the TSOC certificate (see Signing the TSOC Certificate above).
  • In the TSOC server's console, log in as mng, and:
    • Set a strong password for access to this Administration Menu. To change the password subsequent to first login, go to Global Settings > Change ‘mng’ User Password.
    • Go to Global Settings > Enable/Disable SSH, and disable SSH. Note that as a result, access to TSOC's Administration Menu will be only from the server's direct console.
  • Log into TSOC's web interface as super_admin, and:
    • Set a strong password. To change the password subsequent to first login, go to Settings > Users > User info > Change password.
    • Set a session timeout (see Configuring TSOC Timeout on page 10).
• For each DeceptionGrid Appliance:
  • In the Appliance's console, log in as sensor (default password: Log2sensor), and:
    • Go to Global Appliance Settings > Change setup Password, and set a strong password for the setup user.
    • Go to Global Appliance Settings > Change sensor Password, and set a strong password for access to this Administration Menu.
  • In TSOC, go to Appliances > select Appliance > Configuration > Settings, and set SSH Service to Disabled (prevents starting upon future reboots) and Stopped (immediate stop). Note that as a result, access to the Appliance's Administration Menu will be only from its direct console.

Configuring Proxy
If TSOC is deployed behind your organizational proxy server, you need to provide TSOC with
the organizational proxy settings so TSOC can pull updates and intelligence feeds from TrapX.
To configure proxy settings, in TSOC go to Settings > General > Proxy:

Only Basic Authentication is supported (not NTLM / Kerberos).

Configuring Email
To enable TSOC users to receive emails with reports and alerts, provide TSOC with your
organizational email server details. In TSOC, go to Settings > General > Mail:

By Relay Server provide the mail server address, and provide its connection details.
To customize email message text fields, select Use Custom info.
You can Test Mail. Make sure to Save.

Configuring TSOC's Clock


Appliance clocks must be synchronized with TSOC's clock. To facilitate this, TSOC should either
have an accurate time and time zone from its underlying virtualization environment, or you
can connect it directly to an NTP server.
To connect TSOC to NTP, in TSOC go to Settings > General > Time & Date:

DeceptionGrid Administration
This section describes additional configuration and setup tasks. These are in addition to initial
basic configuration (see Getting Started on page 6).

In This Section
Integrating with Third-Party IT Systems ...........................................14
User Authentication and Authorization ...........................................18
Setting Up DeceptionGrid Appliances ..............................................21
Integrating with Third-Party Security Systems .................................24
Updating DeceptionGrid ..................................................................43
Enabling CLI / SDK / API ....................................................................45
Enabling Attack Intelligence .............................................................46
Whitelisting Legitimate Connections: Event Exceptions ..................47
Asset Inventory.................................................................................48

Integrating with Third-Party IT Systems


Some of TSOC’s functionality is dependent upon integration with the following organizational
systems.

In This Section
Enabling SMB Signing Support .........................................................14
Integrating with Full OS Trap Infrastructure ....................................15
Monitoring Appliance Health ...........................................................16

Enabling SMB Signing Support


SMB signing may be required by endpoints' SMB connections; in any case, enabling it is recommended, as it improves traps' ability to report additional information on the attacker. For traps to be able to properly authenticate these connections, configure the
following integration of your DeceptionGrid Appliances with your organizational domain
controller (DC).
If your network uses multiple DCs, integrate each Appliance with the DC that could be used in
the network segments in which its traps are deployed.
To integrate, you’ll need to perform some configuration on both sides: on the DC define a
computer object to represent the Appliance, and in TSOC configure each Appliance’s
connection to the DC and the details of the same computer object, as which the Appliance will
represent itself to the DC. Multiple Appliances can use the same computer object.
To integrate DeceptionGrid Appliances with one or more DCs:
1. On each relevant DC, configure a computer object by running:
   net computer \\<computer_name> /add
   net user <computer_name>$ *
   where <computer_name> is a name for the new object.
   At the prompt, provide a new password for the computer object. Several Appliances may share this object, so treat its password as a shared service credential, and leave the object an ordinary computer account with no additional rights.
2. For each relevant Appliance:
a. In TSOC, go to Appliances > Appliance > Configuration > Settings, scroll down to
Configure SMB Domain and click :

b. Select Enable SMB Domain, provide details of the DC (Domain name, FQDN, DC
IP address and host name), and the details of the above configured computer
object (name and password):

c. For these details to be used for Active Directory tokens, provide the location in the organizational AD schema where the token should be recorded, and select Use this information for AD tokens.
d. Click Apply.

Integrating with Full OS Trap Infrastructure


To enable maintenance of full OS traps via TSOC (see Maintaining Full OS Trap on page 59),
TSOC must be integrated with your organizational virtual infrastructure. This requires
providing TSOC with connection details and relevant credentials to the virtual infrastructure.
To integrate TSOC with your organizational VMWare vCenter Server:
1. Obtain connection details to the vCenter Server (not directly to ESX!), including a
user account with the VM Administrator role (or another role with privileges for
creating VM templates and deploying VMs from them) for all full OS trap host ESX
servers.
2. In TSOC, go to Settings > General > Eco System > Infrastructure > VMWare ESX, and
provide the connection and credential details:

Save.

Monitoring Appliance Health


DeceptionGrid Appliances monitor system health and performance, and log results internally. Optionally, you can also have Appliances send some logged information via syslog. Specifically, you can configure Appliances to send either or both of:

• Alerts: By specified minimum severity level of current status
• Periodic reports: Sent regardless of current status, containing detailed health and performance information, at configurable intervals
Monitored indicators include:

• System resources such as CPU, RAM, and disk utilization, and network interfaces
• Essential processes related to Appliance and trap operation
• Control and data connectivity between the Appliance and TSOC

These system health syslogs do not include security events and usually should not be sent to
a SIEM.
The syslogs are sent via the local4 facility and use standard syslog severity levels:

• Emergency: System is unusable
• Alert: Action must be taken immediately
• Critical: Critical conditions
• Error: Error conditions
• Warning: Warning conditions
• Notice: Normal but significant conditions
• Informational: Informational messages
Sent logs may increase in severity as time goes on without resolution. Here's an example of sent alerts:
  May 2 07:45:01 localhost service_watchdog: [172.16.1.99-WARNING] - service: mwtrap is DOWN ...
  May 2 07:45:05 localhost service_watchdog: [172.16.1.99-WARNING] - service: mwtrap failed to restart and is DOWN ...
  May 2 08:00:01 localhost service_watchdog: [172.16.1.99-CRIT] - service: mwtrap is DOWN ...
  May 2 08:00:04 localhost service_watchdog: [172.16.1.99-CRIT] - service: mwtrap failed to restart and is DOWN
Upon any log of level Warning or above, please contact TrapX support.
To configure Appliance health syslog alerting and/or reporting:
1. In TSOC, go to Appliances > Appliance > Configuration > Settings, and by Syslog
server (monitoring) click :

2. Select to Send and provide the syslog server's address.


3. Configure:
   Select interfaces whose status to monitor.
   Select the minimum severity level that should trigger an alert.
   By Report every, set the interval for periodic reports. To disable periodic reports (leaving only alerts), enter 0.
4. Click Apply.
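The following Python script is an added example (not TrapX code) of what a receiving syslog server can do with these health messages: it parses lines of the layout shown above, keeps only those at the Warning-or-above threshold the guide tells you to escalate to support, and reports each step up in severity per Appliance and service, so that an on-call rotation pages on the escalation rather than on every repeated line. The message layout is taken from the example above; the bracket spellings of severities other than WARNING and CRIT, and the INFO-level "is UP" sample line, are assumptions, and all sample lines are constructed.

```python
"""Parse DeceptionGrid Appliance health syslog lines and pick out alerts.

Added example; not TrapX code. It assumes the message layout shown in the
guide: "<timestamp> <host> <program>: [<appliance-ip>-<SEVERITY>] - <message>".
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input. The four service_watchdog lines follow the guide's
# example; the first line (an INFO-level "is UP" message) is assumed, added only
# to show that lines below the threshold are filtered out.
SAMPLE_SYSLOG = """\
May 2 07:40:01 localhost service_watchdog: [172.16.1.99-INFO] - service: mwtrap is UP
May 2 07:45:01 localhost service_watchdog: [172.16.1.99-WARNING] - service: mwtrap is DOWN ...
May 2 07:45:05 localhost service_watchdog: [172.16.1.99-WARNING] - service: mwtrap failed to restart and is DOWN ...
May 2 08:00:01 localhost service_watchdog: [172.16.1.99-CRIT] - service: mwtrap is DOWN ...
May 2 08:00:04 localhost service_watchdog: [172.16.1.99-CRIT] - service: mwtrap failed to restart and is DOWN
"""

# Standard syslog severity numbers (0 = most severe). The bracket tag spellings
# are assumed from the guide's "WARNING" and "CRIT"; the others are the usual
# abbreviations and may need adjusting against real Appliance output.
SEVERITY: Dict[str, int] = {
    "EMERG": 0, "EMERGENCY": 0,
    "ALERT": 1,
    "CRIT": 2, "CRITICAL": 2,
    "ERR": 3, "ERROR": 3,
    "WARNING": 4, "WARN": 4,
    "NOTICE": 5,
    "INFO": 6, "INFORMATIONAL": 6,
    "DEBUG": 7,
}

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^:\s]+): "
    r"\[(?P<appliance>\d{1,3}(?:\.\d{1,3}){3})-(?P<tag>[A-Z]+)\] - (?P<msg>.*)$"
)
SERVICE_RE = re.compile(r"service: (?P<service>\S+)")


@dataclass(frozen=True)
class HealthEvent:
    timestamp: str
    appliance: str          # IP the Appliance reports itself as
    program: str            # e.g. service_watchdog
    tag: str                # severity tag as written in the line
    severity: int           # numeric syslog severity, 0 = emergency
    service: Optional[str]  # monitored service named in the message, if any
    message: str


def parse_line(line: str) -> Optional[HealthEvent]:
    """Return a HealthEvent for a well-formed line, None for anything else.

    Unknown severity tags are not guessed: the line is rejected, so a format
    change shows up as parse failures rather than as silently dropped alerts.
    """
    m = LINE_RE.match(line.strip())
    if not m or m["tag"] not in SEVERITY:
        return None
    svc = SERVICE_RE.search(m["msg"])
    return HealthEvent(
        timestamp=m["ts"], appliance=m["appliance"], program=m["prog"],
        tag=m["tag"], severity=SEVERITY[m["tag"]],
        service=svc["service"] if svc else None, message=m["msg"],
    )


def parse_syslog(text: str) -> List[HealthEvent]:
    """Parse every non-empty line; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = parse_line(line)
            if ev is not None:
                events.append(ev)
    return events


def alerts(events: List[HealthEvent], min_tag: str = "WARNING") -> List[HealthEvent]:
    """Events at min_tag severity or worse. The guide says anything at Warning
    or above should go to TrapX support, so WARNING is the default threshold."""
    threshold = SEVERITY[min_tag]
    return [e for e in events if e.severity <= threshold]


def escalations(events: List[HealthEvent]) -> List[Tuple[str, str, str, str]]:
    """Per (appliance, service), each step to a worse severity among alert-level
    lines: unresolved conditions are re-sent at rising severity, and these
    transitions are worth paging on, whereas repeats at the same level are not."""
    worst: Dict[Tuple[str, str], HealthEvent] = {}
    steps: List[Tuple[str, str, str, str]] = []
    for e in alerts(events):
        key = (e.appliance, e.service or "")
        prev = worst.get(key)
        if prev is None:
            worst[key] = e
        elif e.severity < prev.severity:
            steps.append((e.appliance, e.service or "", prev.tag, e.tag))
            worst[key] = e
    return steps


if __name__ == "__main__":
    evs = parse_syslog(SAMPLE_SYSLOG)
    for e in alerts(evs):
        print(f"{e.timestamp} {e.appliance} {e.tag:8} {e.message}")
    print("escalations:", escalations(evs))
```

Feed it the file or pipe your syslog collector writes for the local4 facility; because these health messages are not security events, keeping this logic in the monitoring pipeline rather than the SIEM matches the guide's advice above.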

User Authentication and Authorization


In This Section
Overview of User Authentication and Authorization.......................18
Enabling TSOC SAML Authentication (SSO)......................................19
Enabling TSOC LDAP / Active Directory Authentication...................20
Configuring Users .............................................................................21

Overview of User Authentication and Authorization


TSOC can be configured to authenticate users in one of the following modes:

• Local and LDAP: All users submit their credentials directly in TSOC. Each user's
credentials can either be stored locally in TSOC, or, if TSOC has been integrated with
organizational LDAP / Active Directory (see Enabling TSOC LDAP / Active Directory
Authentication on page 20), the user can be configured for LDAP / Active Directory
authentication. In this case, upon the user submitting credentials to TSOC,
TSOC queries the organizational LDAP / Active Directory server for authentication.
• SAML (single sign-on): Upon attempting to connect to TSOC, users are redirected to
the organizational SAML-based Identity Provider (IdP) system for authentication
(some examples are PingFederate and OneLogin). Users log into the organizational
system, according to whatever security protocols are organizationally required (for
example, multifactor authentication), and are then automatically redirected back to
TSOC, where they are automatically authorized according to TSOC user configuration.
Depending on IdP configuration, users who are already logged into the organizational
system (for example, when they accessed another integrated organizational
application) may be immediately authorized without needing to log in specifically for
TSOC.

In either case, authenticated users are authorized for accessing TSOC as configured in their
user details in TSOC. Each configured user has one of the following Roles:

• Super Admin: Full permissions over entire system
• Global Analyst: Dashboard, Event Analysis (including workflow actions), and Reports (read-only), for all traps
• Read-Only User: Dashboard, Event Analysis (including workflow actions), and Reports (read-only), for assigned Appliances and Full OS Traps
• Trap Manager: All tabs except for Settings, for assigned Appliances and Full OS Traps
• Administrator: All highest-level tabs; Settings are limited to Users (for the Administrator’s own company or department), Logs, and Updates; for assigned Appliances and Full OS Traps

Enabling TSOC SAML Authentication (SSO)


One of the ways to configure TSOC to authenticate organizational users (see User
Authentication and Authorization on page 18) is via SAML integration: Upon attempting to
connect to TSOC, users are redirected to the organizational SAML-based Identity Provider
(IdP) system for authentication (some examples are PingFederate and OneLogin). Users log
into the organizational system, according to whatever security protocols are organizationally
required (for example, multifactor authentication), and are then automatically redirected
back to TSOC, where they are automatically authorized according to TSOC user configuration.
Depending on IdP configuration, users who are already logged into the organizational system
(for example, when they accessed another integrated organizational application) may be
immediately authorized without needing to log in specifically for TSOC.
To configure SAML authentication:
1. In TSOC, go to Settings > General > Login > SAML Authentication:

Make note of the two SP URLs at the bottom of the page.


2. In your organizational IdP, configure TSOC as an Application or Service Provider. Use
the above two URLs for the relevant fields. Note that field names differ among IdPs.
Make note of the URLs displayed by the IdP as its identity and for SSO.

The user detail fields that the IdP will pass to TSOC upon authentication must
include the user's email address, which will be used to match the authenticated user
with the user's configuration in TSOC, for authorization. Make note of the exact field
name which will contain the email address.
Make sure you have the certificate used by the IdP.
3. Back in TSOC, select Enable SAML authentication and configure the relevant URLs
and certificate. By Email attribute field, provide the exact name of the field that the
IdP will provide containing authenticated users' email addresses.
4. Test the connection, and upon success Save the configuration.
To disable SAML authentication (reverting to Local and LDAP authentication), in the above
SAML Authentication page clear the main check box. If you can't access the TSOC UI (for
example, there's a problem with the IdP), use the TSOC Server Administration Menu (see
Administration Menus on page 65) option to Disable SAML authentication.
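As an added example (not TrapX code), the following Python script shows the TSOC-side matching step this section describes, together with the role scopes listed under Overview of User Authentication and Authorization: it pulls the configured email attribute out of a SAML assertion, looks the address up in a user table, refuses disabled or unknown users, and applies the role's scope to an access check. The assertion, the attribute name mail, the user table, the tab names and the case-insensitive email comparison are all assumptions; it also assumes the assertion's signature has already been verified, which a real service provider must do before trusting any attribute in it. Running it with the wrong attribute name reproduces the usual SSO misconfiguration: the IdP authenticates the user, but there is nothing to match on.

```python
"""TSOC-side SAML authorization step: email attribute -> user record -> role scope.

Added example, not TrapX code. The assertion below is constructed; a real SAML
Response must have its signature verified before any attribute in it is trusted.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The attribute name "mail" is an assumption; the guide's "Email attribute field"
# must be the exact name your IdP sends (field names differ among IdPs).
EMAIL_ATTRIBUTE = "mail"

# Constructed assertion fragment: only the AttributeStatement matters here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>Jane.Doe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>soc-analysts</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


@dataclass(frozen=True)
class Role:
    scope: str                # "global" = all traps; "assigned" = assigned Appliances / Full OS Traps only
    areas: FrozenSet[str]     # top-level tabs the role may open (tab names are assumed labels)
    settings: FrozenSet[str]  # permitted Settings sub-sections; "*" = all


ALL_AREAS = frozenset({"dashboard", "events", "reports", "appliances", "settings"})
ANALYST_AREAS = frozenset({"dashboard", "events", "reports"})

# Roles as listed in the guide.
ROLES: Dict[str, Role] = {
    "Super Admin":    Role("global",   ALL_AREAS,                frozenset({"*"})),
    "Global Analyst": Role("global",   ANALYST_AREAS,            frozenset()),
    "Read-Only User": Role("assigned", ANALYST_AREAS,            frozenset()),
    "Trap Manager":   Role("assigned", ALL_AREAS - {"settings"}, frozenset()),
    "Administrator":  Role("assigned", ALL_AREAS,                frozenset({"users", "logs", "updates"})),
}


@dataclass(frozen=True)
class TsocUser:
    email: str
    role: str
    enabled: bool = True
    assigned: FrozenSet[str] = frozenset()  # Appliance / Full OS Trap identifiers (assumed format)


# Constructed TSOC user table, keyed by lower-cased email.
USERS: Dict[str, TsocUser] = {
    "jane.doe@example.com":  TsocUser("jane.doe@example.com", "Read-Only User", True, frozenset({"appl-hq-01"})),
    "sam.ops@example.com":   TsocUser("sam.ops@example.com", "Global Analyst"),
    "old.admin@example.com": TsocUser("old.admin@example.com", "Administrator", enabled=False),
}


def email_from_assertion(xml_text: str, attribute_name: str = EMAIL_ATTRIBUTE) -> Optional[str]:
    """Return the single value of the configured email attribute, or None when it
    is missing or multi-valued. Refusing an ambiguous value is deliberate."""
    root = ET.fromstring(xml_text)
    values = [
        v.text.strip()
        for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS)
        if attr.get("Name") == attribute_name
        for v in attr.iterfind("saml:AttributeValue", SAML_NS)
        if v.text and v.text.strip()
    ]
    return values[0] if len(values) == 1 else None


def authorize(xml_text: str, users: Dict[str, TsocUser] = USERS) -> Optional[TsocUser]:
    """Authentication already happened at the IdP; this is only the TSOC-side
    lookup. Disabled users are refused even though the IdP accepted them.
    Case-insensitive address comparison is an assumption about TSOC's matching."""
    email = email_from_assertion(xml_text)
    if email is None:
        return None
    user = users.get(email.lower())
    return user if user is not None and user.enabled else None


def can_access(user: TsocUser, area: str, target: Optional[str] = None,
               settings_section: Optional[str] = None) -> bool:
    """Apply the role: the area must be permitted, Settings is limited to the
    role's sub-sections, and 'assigned'-scope roles reach only assigned targets."""
    role = ROLES[user.role]
    if area not in role.areas:
        return False
    if area == "settings" and settings_section is not None:
        if "*" not in role.settings and settings_section not in role.settings:
            return False
    if target is None or role.scope == "global":
        return True
    return target in user.assigned
```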

Enabling TSOC LDAP / Active Directory Authentication


Organizational users can be authenticated for TSOC access by the organizational Active
Directory or other LDAP server. Users submit their credentials directly in TSOC; each user's
credentials can be configured either locally in TSOC, or, if TSOC has been integrated with
organizational LDAP / Active Directory as below, the user can be configured for LDAP / Active
Directory authentication. In this case, upon the user submitting credentials to TSOC,
TSOC queries the organizational LDAP / Active Directory server for authentication.
LDAP / Active Directory authentication requires that TSOC is not in SAML authentication mode (see User Authentication and Authorization on page 18).
To enable authorizing organizational Active Directory users to access TSOC, provide TSOC with
connection details to the organizational Active Directory:
1. In TSOC, go to Settings > General > Login > LDAP Authentication:

2. Select Enable Active Directory / LDAP authentication, and configure connection details.
3. Optionally, Test the connection. You’ll be prompted to provide credentials to be tested.
4. Save.

Configuring Users
Create and manage users at: Settings > Users:

To add a user, click Add user and configure the user's details, including authentication, role, and personal details. To view or edit an existing user's details, click its edit icon.
If TSOC is configured for SAML authentication (see Overview of User Authentication and Authorization on page 18), all users' authentication will be by the organizational IdP rather than as defined in user details. For authorization, the IdP-authenticated user is matched to TSOC user configuration by the Email address as defined in TSOC user details, so make sure to set the correct email address.
User details include a Status of Enabled / Disabled. It is also possible to temporarily suspend a user, using the suspend and resume icons. You can also lock or unlock a user; when a user tries unsuccessfully to log in too many times, their account is automatically locked.
For users with limited roles, assign Appliances and Full OS Traps, in Appliances > Appliance > Users > Add user:

Setting Up DeceptionGrid Appliances


This section describes initial and ongoing configuration tasks for DeceptionGrid Appliances.

In This Section
Initializing Appliances .......................................................................22
Configuring DeceptionGrid Appliances ............................................23

Initializing Appliances
Once a DeceptionGrid Appliance has been set up as in the DeceptionGrid Installation Guide,
you need to initialize it to TSOC. When one or more Appliances is available for initialization,
their number appears in TSOC:

To initialize an Appliance:
1. Either click the above number, or, in the Appliances page click See Pending:

Pending Appliances are displayed:

2. By the Appliance click Initialize, and provide Appliance details:


3. Click Finish.

Configuring DeceptionGrid Appliances


From TSOC, you can view and edit Appliance details and services, including enabling remote
access and sending Appliance Syslogs. You can manage an Appliance’s state, including
rebooting, suspending or shutting it down, and you can remove it from TSOC management.
To configure or manage an Appliance:
1. In TSOC go to Appliances > Appliance > Configuration > Settings:

2. Edit the Appliance’s details and services, or perform actions, as needed:

Appliance clocks must be synchronized with TSOC's clock (see Configuring TSOC's
Clock on page 13), so make sure to set either the Time zone and Time, or NTP
Service.
SSH and NTP services can be immediately Started or Stopped; and, to affect
subsequent reboots can be Enabled or Disabled.
3. When you’re done making changes, make sure to click Apply.

Integrating with Third-Party Security Systems


You can integrate DeceptionGrid with the following organizational security systems.

In This Section
Integrating with Forensic Analysis Systems .....................................25
Integrating with Data Analysis (SIEM / BI) .......................................26
Enabling VirusTotal to Check Suspicious Files ..................................31
Integrating with Endpoint Protection ..............................................31
Integrating with Network Access Control Systems ..........................34
Integrating with Organizational Firewalls ........................................41

Integrating with Forensic Analysis Systems


As part of DeceptionGrid’s Eco System, you can integrate with an existing organizational third-
party system that performs forensic analysis on potential malware (sandbox). When
integrated, TSOC automatically submits suspicious files to the sandbox, and subsequently
receives analysis results from the sandbox. These results are displayed in TSOC.
DeceptionGrid uses the third-party sandbox’s API to integrate with the sandbox for file
submission and result retrieval. Any files uploaded in the context of trap interactions are
automatically submitted for analysis (subject to sandbox support of file type). Retrieved
results are displayed in the TSOC Forensics page and are also available in downloadable PDFs
(see the DeceptionGrid Security Handling and Analysis Guide, Forensic Analysis).
You can integrate with any one of the following supported third-party sandboxes:

• McAfee Advanced Threat Defense (ATD; available from TrapX)
With ATD integration, TSOC provides the analysis results also in ATD-produced STIX
and ZIP formats, in addition to the usual TSOC display and downloadable PDF.
• Cisco Advanced Malware Protection (AMP) Threat Grid
• Palo Alto Networks WildFire
• ThreatTrack ThreatAnalyzer
• Cuckoo
With Cuckoo integration, automatic file submissions are not supported; you’ll need
to manually activate file submission from TSOC.

Note: Only one sandbox can be integrated. Enabling one automatically disables all others.

To configure sandbox integration:


1. From your organizational sandbox administrator, obtain the necessary connection
details. These should include the sandbox’s URL and API authentication key or
credentials (for cloud sandboxes) or IP address and port number (for on-premise
installations). For McAfee ATD, you’ll also need the relevant Analyzer profile ID,
which determines analysis details.
2. In TSOC, go to Settings > General > Eco System > Sandbox:


3. Select the relevant sandbox vendor, select Enable and provide the connection
details.
4. Click Apply.

Integrating with Data Analysis (SIEM / BI)


TSOC trap and NIS events can be brought into organizational data analysis systems such as
Security Information and Event Management (SIEM) or Business Intelligence (BI) applications,
in either of the two ways described in the following sections.

In This Section
Sending Events via Syslog .................................................................26
Retrieving Events via ODBC ..............................................................29
Sending Events via Syslog

TSOC can send trap and NIS events to one or more SIEM or other syslog servers. Only UDP (not
TCP) is supported.
As an alternative, you can have DeceptionGrid Appliances directly send their events via syslog.
Send events from TSOC
1. In TSOC, go to Settings > General > Eco System > SIEM > Syslog:


2. For each destination Syslog server, click , provide connection details and click Add.
3. Select which Event Types TSOC should send.
4. Click Apply.
Send events from Appliance
1. In TSOC, go to Appliances > Appliance > Configuration > Settings, and by Syslog
server (security) click :

2. Enable Syslog and provide the syslog server's address. Click Apply.
The sent events are in CEF format, and include the following fields:

| Key | Description | ArcSight Label |
| --- | --- | --- |
| cat | The type of the event (reconnaissance, interaction, ...) | deviceEventCategory |
| cs1 | Geo location: source country of the malicious request | Custom String 1 |
| cs2 | Geo location: destination country of the malicious request | Custom String 2 |
| cs3 | Attack details: list of commands used during the attack | Custom String 3 |
| cs4 | Whether there is a PCAP for the transaction | Custom String 4 |
| cs5 | The company or department where the event was found | Custom String 5 |
| cs6 | Whether the Full OS trap is a proxy (Yes / No) | Custom String 6 |
| cs7 | Trap emulation type (for example, Linux, Windows Server; empty for NIS) | Custom String 7 |
| cs8 | Trap OS version (for example, Windows 2012 R2; empty for NIS) | Custom String 8 |
| deviceExternalId | The ID of the emulation trap | deviceExternalId * |
| deviceFacility | The name of the Appliance that produced the alert | deviceFacility |
| deviceNtDomain | The emulation trap name | deviceNtDomain |
| devicePayloadId | Whether there is a payload for the specific attack | devicePayloadId |
| deviceProduct | TSOC | deviceProduct |
| deviceVendor | TrapX | deviceVendor |
| dhost | The destination address of the malicious activity | destinationHostName |
| dpt | The port used in the attack | destinationPort |
| dst | The IP address of the victim | destinationAddress |
| dvchost | The hostname of the attacker machine | deviceHostName |
| end | Timestamp when the event ended | EndTime |
| externalId | The event ID in TSOC | externalId |
| fileHash | The hash of the file | fileHash |
| fileType | The type of the file | fileType |
| fname | Name of a malicious file that was saved on a trap | fileName |
| msg | Additional information about the attack | message |
| proto | The protocol used in the attack | protocol |
| requestURL | NIS event payload, first 1024 characters, as printable text | request |
| rt | The start time of the activity | deviceReceiptTime |
| spt | The source port of the request | sourcePort |
| src | Source address of the malicious activity | sourceAddress |
| start | Timestamp when the event started | StartTime |

* The mapping for deviceExternalId may trigger sidetable protection in ArcSight, due to the
number of possible emulation traps. If you encounter this, the mapping for deviceExternalId
will have been automatically moved to deviceCustomString6. To prevent it from being
re-mapped in this way, increase the threshold set by the dstprotector[1].maxsize property in
the agent.properties file of the connector receiving the events.
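A collector that is not ArcSight has to parse these CEF messages itself. The following Python parser is an added example, not TrapX code: it locates the `CEF:` header behind any syslog prefix, splits the seven header fields on unescaped `|`, handles the CEF escapes (`\|`, `\=`, `\\`, `\n`), and renames the TrapX extension keys to the ArcSight labels from the table above (the table's "Custom String N" labels are written as `deviceCustomStringN`, the spelling the footnote uses). Keys that are not in the table are reported rather than dropped, so a change in the event schema is noticed. The two sample messages, including their header values (signature ID, name, severity), are constructed; only the extension keys come from the table.

```python
"""Parse the CEF syslog events that TSOC or an Appliance sends (field table above).

Added example, not TrapX code. Extension keys and ArcSight labels are those documented
in this guide; the sample messages and their header values are constructed.
"""
import re
from typing import Dict, List, Tuple

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# TrapX extension key -> ArcSight label, as listed in the table above.
DOCUMENTED_KEYS = {
    "cat": "deviceEventCategory",
    "cs1": "deviceCustomString1", "cs2": "deviceCustomString2",
    "cs3": "deviceCustomString3", "cs4": "deviceCustomString4",
    "cs5": "deviceCustomString5", "cs6": "deviceCustomString6",
    "cs7": "deviceCustomString7", "cs8": "deviceCustomString8",
    "deviceExternalId": "deviceExternalId", "deviceFacility": "deviceFacility",
    "deviceNtDomain": "deviceNtDomain", "devicePayloadId": "devicePayloadId",
    "deviceProduct": "deviceProduct", "deviceVendor": "deviceVendor",
    "dhost": "destinationHostName", "dpt": "destinationPort", "dst": "destinationAddress",
    "dvchost": "deviceHostName", "end": "EndTime", "externalId": "externalId",
    "fileHash": "fileHash", "fileType": "fileType", "fname": "fileName",
    "msg": "message", "proto": "protocol", "requestURL": "request",
    "rt": "deviceReceiptTime", "spt": "sourcePort", "src": "sourceAddress",
    "start": "StartTime",
}

_PIPE = re.compile(r"(?<!\\)\|")                 # header separator that is not escaped
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # start of an extension key=value pair
_ESC = re.compile(r"\\(.)")                      # backslash escape (\|, \=, \\, \n, \r)


def _unescape(text: str) -> str:
    return _ESC.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), text)


def parse_cef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (header, extension) for one CEF message; a syslog prefix is ignored."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF message")
    parts = _PIPE.split(line[idx + len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header needs 7 '|'-separated fields plus an extension")
    header = {name: _unescape(val) for name, val in zip(HEADER_FIELDS, parts[:7])}
    ext_text = parts[7]
    ext: Dict[str, str] = {}
    keys = list(_KEY.finditer(ext_text))
    for i, m in enumerate(keys):
        # A value runs up to the next unescaped "key=" (escaped "\=" never starts a key).
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext_text)
        ext[m.group(1)] = _unescape(ext_text[m.end():end]).strip()
    return header, ext


def to_arcsight(ext: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Rename documented keys to ArcSight labels; return undocumented keys separately."""
    mapped, unknown = {}, []
    for key, val in ext.items():
        label = DOCUMENTED_KEYS.get(key)
        if label is None:
            unknown.append(key)
        mapped[label or key] = val
    return mapped, unknown


# Constructed sample messages: one trap interaction event, one NIS event.
SAMPLE_EVENTS = [
    "<134>Jul  1 12:00:00 tsoc CEF:0|TrapX|TSOC|7.0|100|Trap interaction|5|"
    "cat=interaction deviceVendor=TrapX deviceProduct=TSOC deviceFacility=appliance-01 "
    "deviceNtDomain=FILESRV-02 cs7=Windows Server cs8=Windows 2012 R2 "
    "src=10.0.0.5 spt=51234 dst=10.0.1.20 dpt=445 proto=TCP "
    "cs3=Logon: DOMAIN\\\\administrator msg=SMB logon attempt externalId=4711 rt=1593604800000",
    "CEF:0|TrapX|TSOC|7.0|200|NIS detection|7|"
    "cat=nis cs7= cs8= src=10.0.2.9 dst=203.0.113.7 dpt=80 proto=TCP "
    "requestURL=GET /update.bin HTTP/1.1 externalId=4712",
]

if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        header, ext = parse_cef(raw)
        mapped, unknown = to_arcsight(ext)
        print(header["name"], mapped.get("sourceAddress"), "->",
              mapped.get("destinationAddress"), "unknown keys:", unknown)
```

Because TSOC sends only over UDP, the collector sees no delivery failures; a gap in `externalId` values between consecutive messages is the one signal it has that events were lost in transit.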

Retrieving Events via ODBC

For a data analysis application to pull TSOC trap and NIS events via ODBC:
1. In TSOC, go to Settings > General > Eco System > SIEM > ODBC:

2. Select Enable ODBC, click Add connection and provide the data analysis
application’s IP address. Connections from this address will be authorized to view
relevant parts of TSOC’s database.
Note: If the connections to TSOC will go through a NAT gateway, provide that
gateway’s IP address, as this is what will appear in the connections as source
address.

3. Click Apply, and then Apply again.



4. Configure the data analysis application to retrieve relevant data, using the following
credentials:
Username: odbc_nms
Password: odbc_nms88$

The available ODBC views are:

• real_time_monitor: Information on Network Intelligence Sensor (NIS) events, including the
following fields:

| ODBC Field | TSOC Equivalent | Description |
| --- | --- | --- |
| SName | Trap name | |
| STimezone | NA | Time zone ID |
| sid | NA | Trap ID |
| cid | Event ID | |
| timestamp | Timestamp | |
| sig_id | NA | Used for checking severity level |
| sig_name | Event name | |
| sig_class_name | NA | Used for checking severity level |
| source_ip | Source IP | |
| destination_ip | Destination IP | |
| ip_src_country | Source country | |
| ip_dst_country | Destination country | |
| tcp_dst_port | Port | |
| tcp_src_port | Source port | |
| udp_dst_port | | |
| payload | NA | Payload information |

• malware_connection_monitor: Information on emulation trap Connection events, including the
following fields:

| ODBC Field | TSOC Equivalent | Description |
| --- | --- | --- |
| SName | Trap name | |
| STimezone | NA | Time zone ID |
| SID | NA | Trap ID |
| ID | Event ID | |
| local_port | Port | |
| remote_host | Attacker IP | |
| ip_dst_country | Destination country | |
| TIMESTAMP | Start | |

• malware_trap_monitor: Information on emulation trap Download events, including the
following fields:

| ODBC Field | TSOC Equivalent | Description |
| --- | --- | --- |
| SName | Trap name | |
| STimezone | NA | Time zone ID |
| Id | Event ID | |
| download_md5_hash | MD5 hash | |
| remote_host | Attacker IP | |
| ip_dst_country | Destination country | |
| TIMESTAMP | Start | |
| virus_name | Malware name | |

The following views appear to the ODBC connection but are not for use:
dxl_malware_trap_monitor
view_white_list_and_false_positive_connections_list
view_white_list_and_false_positive_downloads_list
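A data analysis application that polls these views should pull only what it has not seen yet. The following Python script is an added example, not TrapX code: it keeps a per-view watermark and selects rows with a higher event ID, using the column names documented for each view. Treating the event ID column (`cid`, `ID`, `Id`) as monotonically increasing is an assumption of this example. In production the connection object would come from pyodbc (a DSN pointing at TSOC with the `odbc_nms` user); here `sqlite3`, which offers the same DB-API cursor and the same `?` parameter style, stands in so the example runs offline against constructed view contents. Because the ODBC account's password is fixed and documented, the IP-address authorization configured in step 2 is the access control that matters; on the client side, the script never interpolates a view name it does not know, since identifiers cannot be bound as query parameters.

```python
"""Incremental retrieval of TSOC events from the ODBC views described above.

Added example, not TrapX code. sqlite3 stands in for a pyodbc connection and the
rows are constructed; column names are those documented for each view. Using the
event ID as a monotonically increasing watermark is an assumption of this example.
"""
import sqlite3
from typing import Any, Dict, List, Tuple

# view -> (event-ID column used as the watermark, columns to pull)
VIEWS = {
    "real_time_monitor": ("cid", ["SName", "cid", "timestamp", "sig_name", "source_ip",
                                  "destination_ip", "tcp_dst_port", "payload"]),
    "malware_connection_monitor": ("ID", ["SName", "ID", "local_port", "remote_host",
                                          "ip_dst_country", "TIMESTAMP"]),
    "malware_trap_monitor": ("Id", ["SName", "Id", "download_md5_hash", "remote_host",
                                    "virus_name", "TIMESTAMP"]),
}


def fetch_new_events(conn, view: str, since_id: int) -> Tuple[List[Dict[str, Any]], int]:
    """Rows of `view` whose event ID is above `since_id`, plus the new watermark."""
    if view not in VIEWS:
        # Identifiers cannot be bound as parameters, so only names from the fixed
        # table above are ever placed into SQL text.
        raise ValueError(f"unknown view {view!r}")
    id_col, cols = VIEWS[view]
    col_list = ", ".join(f'"{c}"' for c in cols)
    sql = f'SELECT {col_list} FROM "{view}" WHERE "{id_col}" > ? ORDER BY "{id_col}"'
    cur = conn.cursor()
    cur.execute(sql, (since_id,))
    rows = [dict(zip(cols, r)) for r in cur.fetchall()]
    return rows, (rows[-1][id_col] if rows else since_id)


def poll_all(conn, marks: Dict[str, int]):
    """Poll every view once; return (view, row) pairs and the updated watermarks."""
    events, new_marks = [], dict(marks)
    for view in VIEWS:
        rows, new_marks[view] = fetch_new_events(conn, view, marks.get(view, 0))
        events.extend((view, r) for r in rows)
    return events, new_marks


def build_sample_db() -> sqlite3.Connection:
    """Stand-in for TSOC's database: tables with the views' columns and constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "real_time_monitor" ("SName", "STimezone", "sid", "cid", '
                 '"timestamp", "sig_id", "sig_name", "sig_class_name", "source_ip", '
                 '"destination_ip", "ip_src_country", "ip_dst_country", "tcp_dst_port", '
                 '"tcp_src_port", "udp_dst_port", "payload")')
    conn.execute('CREATE TABLE "malware_connection_monitor" ("SName", "STimezone", "SID", '
                 '"ID", "local_port", "remote_host", "ip_dst_country", "TIMESTAMP")')
    conn.execute('CREATE TABLE "malware_trap_monitor" ("SName", "STimezone", "Id", '
                 '"download_md5_hash", "remote_host", "ip_dst_country", "TIMESTAMP", '
                 '"virus_name")')
    conn.executemany('INSERT INTO "real_time_monitor" VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)', [
        ("nis-01", "UTC", 1, 101, "2020-07-01 10:00:00", 5, "Outbound C2 beacon", "high",
         "10.0.2.9", "203.0.113.7", "XX", "XX", 443, 50122, None, "GET /beacon"),
        ("nis-01", "UTC", 1, 102, "2020-07-01 10:05:00", 5, "Outbound C2 beacon", "high",
         "10.0.2.9", "203.0.113.7", "XX", "XX", 443, 50130, None, "GET /beacon"),
        ("nis-01", "UTC", 1, 103, "2020-07-01 10:09:00", 9, "DNS tunnelling", "medium",
         "10.0.3.4", "198.51.100.2", "XX", "XX", None, 41000, 53, "TXT query"),
    ])
    conn.executemany('INSERT INTO "malware_connection_monitor" VALUES (?,?,?,?,?,?,?,?)', [
        ("trap-fs-02", "UTC", 7, 501, 445, "10.0.0.5", "XX", "2020-07-01 10:02:00"),
        ("trap-fs-02", "UTC", 7, 502, 3389, "10.0.0.5", "XX", "2020-07-01 10:03:00"),
    ])
    conn.executemany('INSERT INTO "malware_trap_monitor" VALUES (?,?,?,?,?,?,?,?)', [
        ("trap-fs-02", "UTC", 901, "d41d8cd98f00b204e9800998ecf8427e", "10.0.0.5", "XX",
         "2020-07-01 10:04:00", "Constructed.Sample/A"),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    marks: Dict[str, int] = {}
    for _ in range(2):  # second pass returns nothing: the watermarks have advanced
        new, marks = poll_all(db, marks)
        print(len(new), "new events; watermarks:", marks)
```

Persist the watermark dictionary between runs (a small JSON file is enough) so a restart of the poller does not re-ingest the whole view.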

Enabling VirusTotal to Check Suspicious Files


You can integrate TSOC with the well-known VirusTotal service to be able to submit suspicious
files' MD5s for malware analysis. When integrated, VirusTotal detection ratios are displayed
in the TSOC Monitor and Event Workflow pages for relevant events.
To integrate with VirusTotal:
1. Go to the VirusTotal website, create an account, and obtain the account's API key.
2. In TSOC, go to Settings > General > Eco System > VirusTotal:

3. Provide the API Key and click Apply.

Integrating with Endpoint Protection


You can integrate with the following endpoint protection products.


In This Section
Integrating with McAfee DXL for ePO ..............................................32
Integrating with Carbon Black Cb Response ....................................33
Integrating with McAfee DXL for ePO

TSOC can send malware infection and NIS events to McAfee Data Exchange Layer (DXL) on
McAfee ePolicy Orchestrator (ePO) or on an organizational McAfee Threat Intelligence
Exchange (TIE) for message handling, to be used in McAfee products such as ePolicy
Orchestrator (ePO), Active Response, or custom API scripts.
In addition, an ePO extension is provided to bring the events into ePO and enable appropriate
querying and reporting in ePO. With extension installation, some preconfigured ePO queries
and a TrapX dashboard are added to ePO; you can also configure your own.
To integrate TSOC with McAfee DXL:
1. Make sure organizational firewalls allow the following traffic from TSOC:
• To ePO: TCP 8443, TCP 443
• To TIE / broker: TCP 8883
2. Make sure your organizational ePO is running the McAfee Mobile ePO (MePO)
extension. For more information on this extension, see McAfee KB84824.
3. In ePO, go to Menu > User Management > Permissions Sets, and enable (Edit, select
and Save) the following permissions:
• Group Admin > DXL McAfee MePO Certificate Creation > Create DXL McAfee
MePO Certificates
• Group Admin > McAfee DXL Fabric > View Data Exchange Layer Fabric
• DXL MePO Authentication Permission Set > DXL McAfee MePO Certificate
Creation > Create DXL McAfee MePO Certificates
4. Create an ePO user (Menu > Users > New User) with the following Manually
assigned permission sets:
• Group Admin
• DXL MePO Authentication Permission Set
5. In TSOC, go to Settings > General > Eco System > Endpoint Protection > McAfee
DXL, select Enable McAfee DXL, and provide:


• ePO details (to be authenticated to the TIE agent handler, TSOC needs to first
connect directly to ePO):
• ePO IP Address or resolvable name, and its Port
• Username and Password of the user you created in step 4
• TIE agent handler IP address or resolvable name, and Port
Note: Make sure organizational firewalls allow the above traffic.

6. Enable ePO to pull the events from the TIE agent handler:
a. Download the TrapX ePO extension .ZIP file from:
https://share.trapx.com/fl/ZCrffNZBWA
b. In ePO, go to Menu > Software > Extensions and click Install Extension:

c. Click Choose File, navigate to the TrapX extension and click OK.
When the extension installation is complete, the extension will appear in ePO’s left-hand
navigation menu as Third Party > TrapX DXL. Preconfigured queries appear under TrapX and
in the preconfigured TrapX dashboard. You can configure additional relevant queries by going
to Menu > Reporting > Queries & Reports > New Query > Others and selecting TrapX Botnet
detector (for NIS events) or TrapX MD5. You can add queries to any ePO dashboard.


Integrating with Carbon Black Cb Response

TSOC can send malware infection and NIS events to Carbon Black Cb Response, for manual
(from Event Analyzer) and optional automatic isolation of attacking endpoints.
The integration requires connectivity from TSOC to python.org.
To integrate with Cb Response:
1. From the Cb Response user interface, obtain an API token.
2. In TSOC, go to Settings > General > Eco System > Endpoint Protection > Carbon
Black:

3. Select Enable Cb Response integration, and provide the Cb Response server's
address and the API token.
4. Optionally, Enable automatic isolation upon selected events.

Integrating with Network Access Control Systems


You can connect TSOC to your organizational Network Access Control (NAC) system: Cisco ISE
(see Integrating with Cisco ISE below) or ForeScout CounterACT (see Integrating with
ForeScout CounterACT on page 35). The integration enables:

• Remediation actions: TSOC events or manual action in TSOC can trigger the network
security system to display the event in its systems and/or automatically disconnect
(divert) the infected endpoint from the network.
• Endpoint details (Cisco integration only): The Event Analyzer displays an enriched
alert, with detailed endpoint-related information.
In This Section
Integrating with Cisco ISE .................................................................34
Integrating with ForeScout CounterACT ..........................................35
Integrating with Cisco ISE

You can integrate TSOC with Cisco Identity Services Engine (ISE) via the Cisco Platform
Exchange Grid (pxGrid). The integration enables:

• Remediation actions: TSOC events or manual action in TSOC can trigger the network
security system to display the event in its systems and/or automatically disconnect
(divert) the infected endpoint from the network.


• Endpoint details: The Event Analyzer displays an enriched alert, with detailed
endpoint-related information.
Cisco ISE 2.0 or above is supported.
To integrate with Cisco ISE:
1. Make sure organizational firewalls allow the following traffic from TSOC to ISE:
TCP 5222, UDP 5222, ICMP, HTTPS, HTTP
2. In TSOC, go to Settings > General > Eco System > Network Security > Cisco ISE:

3. Select Enable Cisco… and provide connection and authorization details.


4. For event-based automatic endpoint diversion, select Enable automatic Divert
policy and select event types that should cause endpoints to be diverted from their
networks.
5. Save.

Integrating with ForeScout CounterACT

You can integrate TSOC with ForeScout CounterACT. With the integration, TSOC events or
manual action in TSOC can trigger the network security system to display the event in its
systems and/or automatically disconnect (divert) the infected endpoint from the network. The
integration can also be used for TSOC asset inventory (see Asset Inventory on page 48).
CounterACT 7.0 or above is supported.
To integrate with ForeScout CounterACT:


1. Enable CounterACT to receive Syslog from TSOC. For each CounterACT appliance in
your environment:
a. In CounterACT, go to Tools > Options > Plugins (in CounterACT 8.x: Modules), and
make sure you have the Syslog plugin (may be under Core Extensions):

b. Select Syslog and click Configure:

c. Select the CounterACT appliance and click OK:

d. In the Receive from tab, configure an available syslog source with NTSyslog
security log and TSOC’s IP address, and click OK:


Note: Due to a known CounterACT issue, you may need to make any change
in another tab to be able to save the configuration.

e. When configuration is complete, click Close.


Repeat for each CounterACT appliance.
2. Install and configure the TrapX plugin in CounterACT:
a. Download the plugin from:
https://share.trapx.com/fl/ZCrffNZBWA
Extract the plugin.
b. In CounterACT, go to Tools > Options > Plugins (in CounterACT 8.x: Modules) and
click Install:

c. Navigate to the downloaded plugin (.fpi file) and click Install. Confirm as needed.
d. Still in Plugins, select TrapX and click Configure:

e. Provide TSOC’s IP address:


Note: Test is not supported.

f. To enable asset inventory retrieval:
In the API tab select Enable use of TrapX API, and provide connection details to
the TSOC API. The IP address and port are the same as for the TSOC web
interface; get the API key (see Enabling CLI / SDK / API on page 45); the
API version for the current version of TSOC is 1.3.
In the Inventory tab select Collect asset inventory for TSOC.


g. Click Apply.
h. Click Start.
i. Select all CounterACT appliances and click OK.
3. Configure CounterACT policy for messages received from TSOC:
a. In the CounterACT Policy tab, click Add:


b. Select TrapX TSOC > TrapX TSOC Threat Detection, and click Next:

c. Provide a policy Name and Description and click Next.


d. In the IP Address Range window, define the scope of relevant endpoints, alerts
about which should be handled by the policy. Click OK, Next.
e. The Main Rule does not need to be changed – it accepts everything and passes on
to subrules; so click Next.
A subrule is preconfigured for each of the following TSOC directives, and its
Condition does not usually need to be changed. You do need to select and Edit
each subrule and configure its Actions as appropriate for your environment and
needs:
• TSOC Divert: Enable and Edit the existing Assign to VLAN action and set a
relevant VLAN to which to divert, and/or Add other actions as needed.
• TSOC Notify: Enable and Edit the existing Send Email action, and/or Add
other actions as needed.
• TSOC Restore: Not usually needed – the configured Divert actions will be
automatically canceled as relevant. You can Add actions as needed.
f. Click Finish.
If you later need to edit the policy, in Policy select TrapX TSOC Threat Detection and
click Edit:

4. Configure TSOC to send relevant directives to CounterACT:


a. In TSOC, go to Settings > General > Eco System > Network Security > ForeScout
CounterACT:

b. Select Enable ForeScout CounterACT, and provide connection details to
CounterACT.
c. For event-based automatic directives to CounterACT, select Automatic Action
policy, select event types that should cause endpoints to be diverted from their
networks, and for each event type whether to Divert or to Notify:

d. Save.
5. For asset inventory retrieval, go to Settings > General > Inventory:


Select Retrieve asset inventory, provide connection details to the organizational
ForeScout, and configure a schedule for updating the inventory.
Click Save.

Integrating with Organizational Firewalls


You can connect TSOC to your organizational firewall deployment. The integration enables, as
a remediation action, event-based configuration of the firewalls to begin automatically
tracking or blocking similar traffic.

In This Section
Integrating with Check Point Gateways ...........................................41
Integrating with Fortinet Firewalls ...................................................42
Integrating with Check Point Gateways

You can connect TSOC to your organizational Check Point deployment. The integration
enables, as a remediation action, event-based configuration of the firewalls to begin
automatically tracking or blocking similar traffic.
Upon an NIS or trap event, TSOC configures the Check Point management server with
Suspicious Activity Monitoring (SAM) rules defined according to the event traffic: for trap
events – according to source IP address; for NIS events – according to destination IP address.
You can optionally configure TSOC to create rules automatically, upon specified event types;
in any case, you’ll have the option to manually create rules from the Event Analyzer.
Check Point R7x or above is supported. The created SAM rules are effective immediately
(including for live connections) on all managed gateways and do not require Install Policy. To
view and manage created rules, in Check Point SmartView Monitor go to Tools > Suspicious
Activity Rules.
Check Point integration cannot be configured along with any other Network Security
integration (as appearing in the TSOC Network Security tab as below).
To integrate with Check Point:
1. Make sure organizational firewalls allow SSH traffic (port 22) from TSOC to the
organizational Check Point Security Management server(s).

2. In TSOC, go to Settings > General > Eco System > Network Security > Check Point:

3. Select Enable Check Point SAM Firewall Enforcement, and provide connection
details to one or more Check Point Security Management servers and SSH
credentials with administrative permissions.
4. Optionally, Set rule expiration time.
5. Optionally, select event types, and for each whether the created Check Point rule
should be configured to Drop connections or just Log.
6. Save.
You can Test the connection (below).

Integrating with Fortinet Firewalls

You can connect TSOC to your organizational Fortinet FortiGate deployment. The integration
enables, as a remediation action, event-based configuration of the firewalls to begin
automatically blocking similar traffic.
Upon an NIS or trap event, TSOC configures the firewall with rules defined according to the
event traffic: for trap events – according to source IP address; for NIS events – according to
destination IP address. You can optionally configure TSOC to create rules automatically, upon
specified event types; in any case, you’ll have the option to manually create rules from the
Event Analyzer.
FortiGate VM64 version 6.0.3 or above is supported. FortiGate integration cannot be
configured along with any other Network Security integration (as appearing in the
TSOC Network Security tab as below).
To integrate with FortiGate:
1. Make sure organizational firewalls allow API traffic (by default, port 443) from TSOC
to the organizational FortiGate firewall(s).
2. In TSOC, go to Settings > General > Eco System > Network Security > FortiGate:


3. Select Enable FortiGate Firewall, and provide connection details to one or more
FortiGate firewalls' API.
4. Optionally, Set rule expiration time.
5. Optionally, select event types for which rules should be automatically created.
6. Save.
You can Test the connection (below).

Updating DeceptionGrid
This section describes several tasks related to updating and upgrading various DeceptionGrid
components.

In This Section
Upgrading DeceptionGrid Components ...........................................43
Checking for Software Upgrades ......................................................44
Upgrading in a Closed Environment .................................................44
Updating NIS Intelligence Feeds.......................................................45

Upgrading DeceptionGrid Components


TSOC periodically checks with the TrapX update server for available software updates to TSOC
itself, and to other DeceptionGrid components. If TSOC isn't displaying a notification about a
software update but you have reason to believe there may be one, you can have TSOC check
for updates (see Checking for Software Upgrades on page 44). If in your environment TSOC
can't access the TrapX update server, you can still upgrade in a closed environment (see
Upgrading in a Closed Environment on page 44).

Note: For extra security, it is recommended to save a snapshot of the TSOC server. If your
Appliances are also virtual, save snapshots of them as well.

Note: Before updating, if at any point in the past any DeceptionGrid component was
restored from a snapshot, restart that component.

When a software update for any component is available, a notification appears:


In addition, notifications of available Appliance and Full OS trap updates appear in the
Appliances page, and non-updated items are marked:

If a software update to Deception Tokens is provided independently of TSOC itself, a
notification appears also in Settings > Updates > Deception Tokens:

To update, click notifications and follow instructions. The upgrade process may include a
restart.
After updating a full OS trap, return the trap to Active mode (see Setting Maintenance Mode
on page 60) and create a new baseline snapshot (see Setting Baseline and Reverting on page
60).

Checking for Software Upgrades


If TSOC isn't displaying a notification about a software update but you have reason to believe
there may be one, you can have TSOC check for updates.
To check for updates:
1. Open the TSOC server's console, or, using PuTTY or another client, connect to the
TSOC server via SSH over port 222.
2. Log in as user mng, and from the Administration Menu select Check for Updates.
TSOC checks for updates, and if available displays a notification (in the TSOC UI).

Upgrading in a Closed Environment


In environments where TSOC cannot connect to TrapX to download product updates, you’ll
need to obtain upgrade packages from TrapX and manually upload them to TSOC.
To upload an upgrade package to TSOC:
1. Open the TSOC server's console, or, using PuTTY or another client, connect to the
TSOC server via SSH over port 222.


2. Log in as user mng, and from the Administration Menu select Manage Custom
Updates Source.
3. Select 1 to Enable User.
The upload user account is enabled for 24 hours, and the temporary password is
displayed.
4. Using WinSCP or a similar client, connect to the TSOC server via SFTP over port 222,
with user upload and the above temporary password.
5. Copy the upgrade package and its associated MD5 file into the TSOC Updates
directory.
6. Back in the Administration Menu, select 3 to Move Uploaded Updates.
Wait for the process to finish. For security purposes, then in the Administration Menu select
2 to Disable User.
The upgrade package will appear in TSOC (see Upgrading DeceptionGrid Components on page
43).

Updating NIS Intelligence Feeds


Typically, TSOC automatically retrieves intelligence feeds from the TrapX knowledge base
center and distributes them to Appliances.
If in your environment TSOC can't access the TrapX update server, you'll need to obtain feeds
packages from TrapX and manually upload them to TSOC.
To update feeds:
1. Go to Settings > Updates > Feeds:

2. Click Update and navigate to and upload the feeds file.


3. When the upload is complete, verify the size, modification, and MD5 Hash.
The NIS intelligence will be distributed to Appliances within a few hours.
If you need to distribute intelligence from TSOC to Appliances immediately, in
TSOC go to Appliances > Appliance > Configuration > Network Intelligence Sensor and click
Update now.
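Both the closed-environment upgrade (the package and its associated MD5 file, step 5 above) and the feeds update (verify the MD5 Hash, step 3 above) rely on comparing a file against a vendor-supplied MD5. The following Python script is an added example, not TrapX tooling, for doing that check on the workstation before the upload. It assumes the hash is delivered either as a bare 32-digit value or in md5sum layout (`<hash>  <filename>`, one line per file); the package bytes used in the demo are constructed in a temporary directory. Note that a hash that travelled together with the package only detects a corrupted or truncated transfer; to detect substitution it has to be obtained from TrapX through a separate channel.

```python
"""Verify an upgrade package or feeds file against its MD5 before uploading it to TSOC.

Added example, not TrapX tooling. Assumes a bare hash or md5sum-style sidecar; the demo
package contents are constructed.
"""
import hashlib
import os
import re
import tempfile
from typing import Dict, Optional, Tuple

# "<32 hex digits>", optionally followed by whitespace, an md5sum binary marker "*"
# and a file name.
_MD5_LINE = re.compile(r"^\s*([0-9a-fA-F]{32})(?:\s+\*?(\S.*?))?\s*$")


def md5_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large packages are never read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def parse_md5_text(text: str) -> Dict[str, str]:
    """Return {filename: hash}; a bare hash without a file name is stored under ''."""
    expected: Dict[str, str] = {}
    for line in text.splitlines():
        m = _MD5_LINE.match(line)
        if m:  # blank lines and comments are skipped
            expected[m.group(2) or ""] = m.group(1).lower()
    return expected


def parse_md5_file(path: str) -> Dict[str, str]:
    with open(path, "r", encoding="utf-8") as fh:
        return parse_md5_text(fh.read())


def verify_package(package_path: str, md5_path: str) -> Tuple[bool, str, str]:
    """Return (matches, expected_hash, actual_hash) for the package."""
    expected = parse_md5_file(md5_path)
    name = os.path.basename(package_path)
    want = expected.get(name) or expected.get("")
    if want is None:
        raise ValueError(f"{md5_path} carries no hash for {name}")
    got = md5_of_file(package_path)
    return got == want, want, got


def demo(tmpdir: Optional[str] = None) -> Tuple[bool, bool]:
    """Build a constructed package plus sidecar; verify it intact and after corruption."""
    if tmpdir is None:
        with tempfile.TemporaryDirectory() as d:
            return demo(d)
    pkg = os.path.join(tmpdir, "tsoc-upgrade-example.tgz")
    with open(pkg, "wb") as fh:
        fh.write(b"constructed package contents, not a real TrapX update\n")
    sidecar = pkg + ".md5"
    with open(sidecar, "w", encoding="utf-8") as fh:
        fh.write(f"{md5_of_file(pkg)}  {os.path.basename(pkg)}\n")
    ok_intact, _, _ = verify_package(pkg, sidecar)
    with open(pkg, "ab") as fh:
        fh.write(b"\x00")  # simulate a corrupted or altered transfer
    ok_corrupted, _, _ = verify_package(pkg, sidecar)
    return ok_intact, ok_corrupted


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Run `verify_package()` against the real package and sidecar, and upload only when the first element of the result is `True`; the size and modification time shown by TSOC after the upload are a second check that the transfer completed.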

Enabling CLI / SDK / API


If your organization uses CLI / SDK / API commands or client scripts, those commands or scripts
will need to be authenticated and authorized by TSOC for API (the API is used internally also
by CLI / SDK). To enable this, a single user with the Super Admin role (by default: the
super_admin user account) may be enabled for API.
To enable a Super Admin user for API, in TSOC go to Settings > Users, and by the user click
. In the user's details page, select Use for API:

Click Apply.
The Main API Key is now available; you can Copy it to clipboard.
In cases where you need to Regenerate the key, note that this will impact existing client
scripts.
Here you can also Copy or Regenerate the Token API Key, used by Deception Token packages
to perform connected execution and for TSOC to display installation status.

Enabling Attack Intelligence


You can receive updates on newly-discovered threats, from TrapX analysis experts. The posts
appear directly in TSOC, as long as you've selected to share your sanitized trap event data with
TrapX analysts. Analysts correlate event details to detect new threats and attack patterns,
providing cutting-edge cyber intelligence to participating customers.
Event IP addresses, hostnames, and user credentials are not shared in identifiable form (they
are encoded with only internal relative consistency, and no mapping or decryption key is
stored even locally). Event packet captures (PCAPs) are not shared.
To enable Attack Intelligence:
1. In TSOC go to Settings > Attack Intelligence, and select Send and receive data and
analysis:

2. Optionally, select to display the Blotter - a ticker-style notification area with links to
latest unread articles.


3. Save.

Whitelisting Legitimate Connections: Event Exceptions

To prevent DeceptionGrid from recording events for known legitimate activity, you can
configure exceptions defined by specified values of various parameters. Depending on trap
type, these parameters may include network connection, files, registry settings, and
processes. For example, you'll probably want to configure an exception for inbound
connections matching organizational network scanners’ source IP ranges.
Exceptions prevent relevant events from being created, and do not apply to existing events.
Exception criteria, when found, cause the entire session to be excepted.
You can manage Exceptions from Appliance Settings, or base an Exception on an existing false-
positive event, from the Event Analyzer.

In This Section
Manage Exceptions from Appliance Settings ...................................47
Base an Exception on an Existing Event ...........................................48

Manage Exceptions from Appliance Settings


Exceptions are configured per-Appliance, including Full OS traps. To manage exceptions, in
TSOC go to Appliances > Appliance > Exceptions:

To copy all of another Appliance's existing exceptions to the current Appliance, by Copy
exceptions from select the source and click Copy.
To add an exception, click , set the exception parameters, and click Apply. For the Exception
to suppress only Scan-stage events including Ping, select Filter Only Scan.
To except SMB connections to emulation traps, click , select Emulation Trap > SMB False
Positive, and by Pattern matching provide a value that if found in an SMB connection will
cause the event to be excepted. If you include a command prefix (as when the Exception is
created from the Event Analyzer; for example, Logon: or Dir:), to have the exception defined
for its value regardless of the specific command in which the value appears, select Filter all
command prefixes.
To whitelist ICMP (ping) connections from all sources to an Appliance (to prevent ping-scan
events), go to Appliances > Appliance > Configuration > Settings, and enable Filter
PING events.


To avoid false-positive alerts from organizational scanners, you can enable dark mode, so
emulation traps will not respond at all to TCP connections from IP addresses for which a
regular Exception is configured for all ports. Go to Appliances > Appliance > Configuration
> Settings, and enable Exceptions Dark Mode.
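An exception's scope decides what the traps stop telling you, so it is worth seeing the rules side by side. The following Python model is an added example, not TrapX code: it reproduces the behaviour this section describes (a source address range, an optional port scope, Filter Only Scan, and dark mode for sources that hold a regular all-ports exception). The rule and event shapes, field names and sample events are this example's own assumptions, not TSOC's data model, and "regular" is read here as an exception that is not scan-only.

```python
"""Model of event Exceptions and Exceptions Dark Mode as described above.

Added example, not TrapX code. Rule shapes, field names and the sample events are
assumptions made for this illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class NetworkException:
    source: str                              # CIDR the exception applies to
    ports: Optional[FrozenSet[int]] = None   # None = all ports
    scan_only: bool = False                  # Filter Only Scan: Scan-stage events only

    def _matches_source(self, src_ip: str) -> bool:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source, strict=False)

    def covers(self, src_ip: str, dst_port: int, stage: str) -> bool:
        if not self._matches_source(src_ip):
            return False
        if self.ports is not None and dst_port not in self.ports:
            return False
        return stage == "scan" or not self.scan_only


@dataclass(frozen=True)
class Event:
    src_ip: str
    dst_port: int
    stage: str    # "scan" (port scan, ping) or "interaction"
    kind: str


def is_excepted(event: Event, exceptions: Iterable[NetworkException]) -> bool:
    """Any matching exception suppresses the event (the whole session, per the text)."""
    return any(x.covers(event.src_ip, event.dst_port, event.stage) for x in exceptions)


def filter_events(events: Iterable[Event], exceptions: List[NetworkException]) -> List[Event]:
    return [e for e in events if not is_excepted(e, exceptions)]


def dark_mode_drops_tcp(src_ip: str, exceptions: Iterable[NetworkException]) -> bool:
    """Dark mode: traps do not answer TCP at all from a source that holds a regular
    (not scan-only) exception covering all ports."""
    return any(x.ports is None and not x.scan_only and x._matches_source(src_ip)
               for x in exceptions)


# Constructed sample: three exceptions of different scope and events that probe them.
EXCEPTIONS = [
    NetworkException("10.10.0.0/24"),                         # vulnerability scanners: all
    NetworkException("10.20.5.0/28", scan_only=True),         # monitoring host: scans only
    NetworkException("10.30.0.7/32", ports=frozenset({22})),  # config management: SSH only
]
EVENTS = [
    Event("10.10.0.12", 445, "scan", "port scan"),          # excepted
    Event("10.10.0.12", 445, "interaction", "SMB logon"),   # excepted: all-ports rule
    Event("10.20.5.3", 0, "scan", "ping"),                  # excepted: scan stage
    Event("10.20.5.3", 445, "interaction", "SMB logon"),    # kept: scan-only rule
    Event("10.30.0.7", 22, "interaction", "SSH logon"),     # excepted: port in scope
    Event("10.30.0.7", 3389, "interaction", "RDP logon"),   # kept: port out of scope
    Event("192.168.9.9", 445, "interaction", "SMB logon"),  # kept: no exception
]

if __name__ == "__main__":
    for e in filter_events(EVENTS, EXCEPTIONS):
        print("alert:", e.kind, "from", e.src_ip, "port", e.dst_port)
    for ip in ("10.10.0.200", "10.20.5.3", "10.30.0.7"):
        print(ip, "silent in dark mode:", dark_mode_drops_tcp(ip, EXCEPTIONS))
```

The scan-only rule is the one to prefer for hosts that legitimately probe the network: a scanner range with a full exception also hides a real logon attempt from a compromised scanner, and in dark mode the traps go silent to it altogether.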

Base an Exception on an Existing Event


To except activity similar to an existing false-positive event, locate the event in the Event
Analyzer, and in its Attack Details, hover over the specific action to be excepted and click :

Configure or confirm the exception details and trap scope, and click Apply:

Asset Inventory
TSOC can maintain an inventory of organizational endpoint assets. The inventory can be used
for automatic emulation profiles and/or for coverage analysis (see the DeceptionGrid Security
Deployment Guide).
Asset inventory can be provided to TSOC in any of the following ways:

• Via API / CLI / SDK (see the relevant guides), provide one of:
    • Connection details for the organizational Active Directory, from which TSOC will
      retrieve endpoint information
    • A CSV list of endpoints
• ForeScout CounterACT integration (see Integrating with ForeScout CounterACT on
  page 35)

A single inventory is maintained; providing an inventory by any of the above methods replaces
the existing one, even if it was provided by a different method.

Network Intelligence Sensor Administration
This section describes Network Intelligence Sensor (NIS) setup and administration tasks.

In This Section
Deploying Network Intelligence Sensor ...........................................50
Updating NIS Intelligence Feeds.......................................................51

Deploying Network Intelligence Sensor


Network Intelligence Sensor (NIS) monitors and analyzes organizational network traffic to
detect suspicious outbound traffic. NIS is configured on a DeceptionGrid Appliance interface
that is connected to organizational systems. By default, for most environments, eth1 is
dedicated to NIS.

Note: NIS is not supported on Hyper-V.

Note: NIS is not supported in 10 GbE networks.

For NIS to work, an Appliance interface needs to be connected to a network device port
mirroring traffic exiting the organization. The connected device can be the organizational
perimeter firewall, or, if organizational traffic exits through a proxy, that proxy server. In the
latter case, if some organizational traffic circumvents the proxy, connect another interface to
the firewall as well.
The organizational device port must be configured to mirror outbound traffic. The connected
Appliance interface or interfaces need to have NIS Enabled and to be configured for
Promiscuous mode, to monitor traffic; if connected to a proxy server, the Appliance interface
needs to be additionally configured for Proxy mode, so NIS can correctly interpret the traffic.
When the Appliance is connected to both a proxy and a firewall, the interface connected to
the firewall needs to be additionally configured for Upstream mode, so that NIS will correlate
firewall traffic with proxy traffic.
On new DeceptionGrid appliances, eth1 already has NIS enabled.
Known legitimate traffic can be whitelisted in TSOC (see Whitelisting Legitimate Connections:
Event Exceptions on page 47) or as described below. NIS intelligence is periodically updated
(see Updating NIS Intelligence Feeds on page 51).
For other NIS configuration, use the Appliance’s Administration Menu: connect either to the
Appliance's direct console or, using PuTTY or another SSH client, via SSH over port 222.
Log in as user sensor, and select from the NIS Settings category, which includes the following
commands:

sniff/scan commands: For troubleshooting scenarios, these commands provide the ability to
disable NIS monitoring (sniff) or to enable the discontinued legacy NIS scan detection (scan).
Affects all interfaces.

Show NIS Configuration: Displays per-interface NIS configuration (only interfaces for which
NIS is enabled appear; see Enable / Disable NIS below).

Configure NIS: Enables per-interface configuration (available only for interfaces for which
NIS is enabled; see Enable / Disable NIS below):
   • Promiscuous mode: Whether to perform monitoring
   • Proxy mode (if Promiscuous mode = yes): One of:
       • Legacy: No longer supported for new deployments.
       • Proxy: Interface is connected to a proxy.
       • Off: Interface is connected to a firewall to which traffic does not go through a
         proxy.
       • Upstream: Interface is connected to a firewall to which some traffic goes through
         a proxy.
   • Downstream IP and ports (if Proxy mode = Proxy or Upstream): For filtering and
     correlation purposes, the proxy’s IP address and the ports that organizational
     endpoints connect to.
   After configuration changes, Restart NIS (below).

NIS Whitelisting Configuration: Opens a menu for various options relating to NIS whitelisting:
   • Privileged source ports: Outbound traffic from source port numbers 0-1023, which
     likely are public server responses to inbound connections. Ignore to whitelist, Alert
     to disable whitelisting, Are Ignored? to display current status.
   • Scans on port 445: SMB connections on Appliance interfaces that may generate false
     positives, especially if an SMB token is configured for a trap on one of the
     interfaces. Ignore to whitelist, Alert to disable whitelisting, Are Ignored? to
     display current status.
   • Botnet white list: Presents whitelisting options for each of scan (discontinued legacy
     NIS scan) and sniff (NIS monitoring): Show current whitelisted traffic, Add a traffic
     pattern to be whitelisted, or Remove one.

Enable / Disable NIS: Specify an interface for which to enable / disable NIS. If enabled,
monitoring still depends on the configuration as above.

Stop / Start / Restart NIS: Stop, start, or restart the NIS service (monitoring and scan
detection) on the Appliance (affects all interfaces).

Updating NIS Intelligence Feeds


Typically, TSOC automatically retrieves intelligence feeds from the TrapX knowledge base
center and distributes them to Appliances.
If in your environment TSOC can't access the TrapX update server, you'll need to obtain feed
packages from TrapX and manually upload them to TSOC.
To update feeds:
1. Go to Settings > Updates > Feeds:

2. Click Update and navigate to and upload the feeds file.


3. When the upload is complete, verify the size, modification, and MD5 Hash.
The NIS intelligence will be distributed to Appliances within a few hours.
If you need to distribute intelligence from TSOC to Appliances immediately, in TSOC go to
Appliances > Appliance > Configuration > Network Intelligence Sensor and click Update now.

Full OS Trap Administration


This section describes setup and administration tasks for Full OS traps.

In This Section
Setting Up Full OS Trap .....................................................................53
Maintaining Full OS Trap ..................................................................59
Upgrading a Full OS Trap ..................................................................61
Removing a Full OS Trap ...................................................................61

Setting Up Full OS Trap


You can perform a local attended installation (see Attended Full OS Trap Installation below),
or use standard distribution systems or scripts to perform unattended command-line
installation (see Unattended Full OS Trap Installation on page 56).

In This Section
Attended Full OS Trap Installation ...................................................53
Unattended Full OS Trap Installation ...............................................56

Attended Full OS Trap Installation


This section describes local, attended installation; an alternative is unattended installation
(see Unattended Full OS Trap Installation on page 56).
To set up a full OS trap (attended):
1. Prepare the following prerequisites:
   • A fully deployed and configured DeceptionGrid TSOC of the current version; specifically,
     make sure that TSOC has been properly integrated with your organizational virtual
     infrastructure (see Integrating with Full OS Trap Infrastructure on page 15). Otherwise,
     you won’t be able to configure Host connection (as below), and so won’t be able to set a
     trap baseline snapshot or to revert (see Setting Baseline and Reverting on page 60).
   • A host virtual machine in the above virtualized environment, meeting the following
     minimum requirements:
       • Latest available VM version (for example, for ESX 6.0: VM version 11)
       • OS: Windows 7 / 10 / Server 2008 R2 SP1 / 2012 R2 / 2016
       • RAM: 4 GB
       • Virtual hardware meeting Microsoft requirements for the operating system
       • Computer clock exactly synchronized with TSOC’s clock (see Configuring TSOC's Clock
         on page 13)
       • Any services to be monitored, as supported (see the DeceptionGrid Security
         Deployment Guide)
     The host can have any additional installed or running software, and any data and
     configuration as relevant to your network. You can use an organizational image.
   • Make sure the following ports are open on organizational network devices:
       Source         Destination   Port
       Full OS trap   TSOC          7443, 8443, 9443
2. If the host computer previously had the full OS Trap agent installed and then
uninstalled, restart the computer.
3. On the prepared host computer, from a local drive (not a network share or
removable media), run the provided agent installer (named NCIAInstaller.msi, for
obfuscation) as an Administrator.
4. Go through the wizard pages. At the TSOC Integration page, configure the trap’s
connection to TSOC and how the trap will appear in TSOC:

The agent name must be 5-15 alphanumeric characters.


5. In the CryptoTrap Configuration page, select whether to install a CryptoTrap
network share, and its location:

6. At the Agent Obfuscation page, select how the agent should appear on the
computer to a potential attacker. For example, if the trap is meant to appear as an IT
server, select Sysinternals Package:

7. Complete the wizard.


8. When installation is complete, to prevent user actions in existing sessions from
being missed by the full OS trap (for example, an open SMB session, or the RDP
session from which you’re performing the installation), restart the host computer.
9. Log into TSOC with administrative permissions, and click the Pending notification:

10. By the relevant full OS trap, click Initialize:

11. Configure trap details as relevant, and click Finish:

12. Create a baseline snapshot (see Setting Baseline and Reverting on page 60).
13. Configure services to be monitored, and optionally their tokens, as in the
DeceptionGrid Security Deployment Guide.
14. If you know of legitimate organizational network traffic that will affect the
trap, configure relevant exceptions as in the DeceptionGrid Security Handling &
Analysis Guide.
The full OS trap appears in the Appliances page, and relevant events will be displayed for
analysis.

Unattended Full OS Trap Installation


This section describes using standard distribution systems or scripts to perform unattended
command-line installation; an alternative is attended installation (see Attended Full OS Trap
Installation on page 53).
To set up a full OS trap (unattended):
1. Prepare the following prerequisites:
   • A fully deployed and configured DeceptionGrid TSOC of the current version; specifically,
     make sure that TSOC has been properly integrated with your organizational virtual
     infrastructure (see Integrating with Full OS Trap Infrastructure on page 15). Otherwise,
     you won’t be able to configure Host connection (as below), and so won’t be able to set a
     trap baseline snapshot or to revert (see Setting Baseline and Reverting on page 60).
   • A host virtual machine in the above virtualized environment, meeting the following
     minimum requirements:
       • Latest available VM version (for example, for ESX 6.0: VM version 11)
       • OS: Windows 7 / 10 / Server 2008 R2 SP1 / 2012 R2 / 2016
       • RAM: 4 GB
       • Virtual hardware meeting Microsoft requirements for the operating system
       • Computer clock exactly synchronized with TSOC’s clock (see Configuring TSOC's Clock
         on page 13)
       • Any services to be monitored, as supported (see the DeceptionGrid Security
         Deployment Guide)
     The host can have any additional installed or running software, and any data and
     configuration as relevant to your network. You can use an organizational image.
   • Make sure the following ports are open on organizational network devices:
       Source         Destination   Port
       Full OS trap   TSOC          7443, 8443, 9443
2. If the host computer previously had the full OS trap agent installed and then
uninstalled, restart the computer.
3. On the prepared host computer, from a local drive (not a network share or
removable media), run the provided agent installer (named NCIAInstaller.msi, for
obfuscation) as an Administrator, as follows:

   msiexec /i NCIAInstaller.msi /quiet TSOC_ADDRESS=<tsoc_IP> TSOC_TRAP_ID=<trap_name> </forcerestart | /norestart> [FULL_OS_OBFUSCATION_PROFILE=<profile_index>] [MSBUILD_INSTALLLOCATION="<install_dir>"]

   The above arguments are:
   • TSOC_ADDRESS: TSOC’s IP address
   • TSOC_TRAP_ID: Trap name to appear in TSOC. Must be 5-15 alphanumeric characters
   • </forcerestart | /norestart> (required): One of:
       • /forcerestart (recommended): Restart when complete
       • /norestart (not recommended): Don’t restart
   • FULL_OS_OBFUSCATION_PROFILE (optional): Defines the program name and other associated
     settings, for agent obfuscation. The <profile_index> is one of the following numbers,
     according to the desired profile. For example, if the trap is meant to appear as an IT
     server, for Sysinternals Package specify FULL_OS_OBFUSCATION_PROFILE=5. If the argument
     is omitted, one of the available profiles will be randomly selected.

       Profile                       Index
       Asset Manager Service         1
       Driver Manager                2
       Device Scanner                3
       Network Monitor Control       4
       Sysinternals Package          5
       Control Panel Monitor         6
       Management Network Service    7
       Driver Loader                 8
       Asset Server Configurator     9
       IIS Manager                   10
       Service Remover               11
       Server Handler                12
       Packet Tracer PRO             13
       Packet Sniffer                14
       Traffic Controller            15
       Outbound Monitor              16

   • MSBUILD_INSTALLLOCATION (optional): Installation directory. If omitted, the agent will
     be installed in a profile-appropriate directory inside C:\Program Files\.
4. Log into TSOC with administrative permissions, and click the Pending notification:

5. By the relevant full OS trap, click Initialize:

6. Configure trap details as relevant, and click Finish:

7. Create a baseline snapshot (see Setting Baseline and Reverting on page 60).
8. Configure services to be monitored, and optionally their tokens, as in the
DeceptionGrid Security Deployment Guide.
9. If you know of legitimate organizational network traffic that will affect the
trap, configure relevant exceptions as in the DeceptionGrid Security Handling &
Analysis Guide.
The full OS trap appears in the Appliances page, and relevant events will be displayed for
analysis.

Maintaining Full OS Trap


You can change the details that you configured when adding the full OS trap (see Setting Up
Full OS Trap on page 53). In the TSOC Appliances page select the trap and in its Settings tab
configure details as relevant. When you’re done, click Save.
To be able to install, change and edit the trap host without generating unnecessary events,
you can put the trap into maintenance mode (see Setting Maintenance Mode on page 60).
The trap agent will continue running and remain connected to TSOC, but event monitoring
will be paused.
If a full OS trap becomes infected, you can revert the trap host computer to a baseline
snapshot. To enable this, upon changes update the baseline snapshot (see Setting Baseline
and Reverting on page 60).

In This Section
Setting Maintenance Mode..............................................................60
Setting Baseline and Reverting.........................................................60

Setting Maintenance Mode


To be able to install, change and edit the trap host without generating unnecessary events,
you can put the trap into maintenance mode.
To put a full OS trap into maintenance mode, in the TSOC Appliances page select the trap and
in its Maintenance tab click :

The trap agent will continue running and remain connected to TSOC, but event monitoring
will be paused.
To resume event monitoring, click .

Setting Baseline and Reverting


If a full OS trap becomes infected, you can revert the trap host computer to a baseline
snapshot. To enable this, upon changes update the baseline snapshot.
To be able to manage a full OS trap’s baseline snapshot and to revert, the trap’s Host
connection must be configured (see Maintaining Full OS Trap on page 59).
To set a new baseline snapshot, in the TSOC Appliances page select the trap (which must be
Active, not in Maintenance mode) and in its Maintenance tab click .

To subsequently revert to the latest baseline, click :

Upgrading a Full OS Trap


Full OS traps are upgraded from TSOC, in a similar manner to DeceptionGrid Appliances (see
Upgrading DeceptionGrid Components on page 43).
After updating a full OS trap, return the trap to Active mode (see Setting Maintenance Mode
on page 60) and create a new baseline snapshot (see Setting Baseline and Reverting on page
60).

Removing a Full OS Trap


To remove a full OS trap:
1. Set the trap to Maintenance mode (see Setting Maintenance Mode on page 60).
2. On the agent host computer, do one of the following:
• Run the installer and select the option to remove. A copy of the installer is located
on the host computer, at:
<FOS_home>\Data\
where <FOS_home> is the full OS agent's installation directory, named according
to the selected obfuscation profile.
Note: If for some reason you cannot set the trap to maintenance mode, the
agent will not allow remote removal. In this case open a direct console
to the agent host and run the installer and you’ll be presented with an
option for maintenance mode. Select it, click Submit, and then remove.

• Run the installer via the following command line:

   msiexec /x /quiet </forcerestart | /norestart> NCIAInstaller.msi

   </forcerestart | /norestart> (required) is one of:
   • /forcerestart (recommended): Restart when complete
   • /norestart (not recommended): Don’t restart
   Note: If for some reason you cannot set the trap to maintenance mode, the
         agent will not allow remote removal. In this case you must run the
         command from a direct console to the agent host.

3. If CryptoTrap is present, to remove it use Windows’ Add/Remove Programs.


4. In the TSOC Appliances page select the trap and in its Settings tab click Remove
now.
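As an added example (not TrapX's own tooling), the script below performs the command-line removal of step 2 unattended: it locates the installer copy that the agent keeps at <FOS_home>\Data\ and runs the msiexec /x removal with the chosen restart option. The installer file name, the Data subdirectory, the restart options and the requirement that the trap be in Maintenance mode first (step 1) come from this guide; the assumption that <FOS_home> sits directly under a Program Files root (true for the default install location described in the unattended installation section, not when MSBUILD_INSTALLLOCATION was used), the log path, and the function and parameter names are this example's own.

```powershell
<#
Added example, not TrapX's own tooling: unattended Full OS trap agent removal
(step 2). Put the trap into Maintenance mode in TSOC first (step 1); otherwise
the agent refuses remote removal. Pass -InstallerPath when the agent was
installed with MSBUILD_INSTALLLOCATION, since the default search roots below
are the Program Files directories only.
#>
param(
    [string] $InstallerPath,   # explicit path to the NCIAInstaller.msi copy (optional)
    [switch] $NoRestart        # /norestart instead of the recommended /forcerestart
)

function Find-TrapInstallerCopy {
    # The copy lives at <FOS_home>\Data\NCIAInstaller.msi; <FOS_home> is named after the
    # obfuscation profile, so that one path component is matched with a wildcard.
    param([string[]] $SearchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}))
    foreach ($root in ($SearchRoots | Where-Object { $_ })) {
        $hit = Get-ChildItem -Path (Join-Path $root '*\Data\NCIAInstaller.msi') -ErrorAction SilentlyContinue |
               Select-Object -First 1
        if ($hit) { return $hit.FullName }
    }
    return $null
}

function Invoke-TrapAgentRemoval {
    # Runs the removal command line from the guide and returns the msiexec exit code.
    param([string] $Msi, [bool] $Restart)
    $list = @('/x', "`"$Msi`"", '/quiet',
              $(if ($Restart) { '/forcerestart' } else { '/norestart' }),
              '/l*v', "`"$env:TEMP\fullos-trap-remove.log`"")   # log path is this example's choice
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList $list -Wait -PassThru
    return $proc.ExitCode
}

$msi = if ($InstallerPath) { $InstallerPath } else { Find-TrapInstallerCopy }
if (-not $msi -or -not (Test-Path $msi)) { throw 'Installer copy not found; pass -InstallerPath explicitly.' }

switch (Invoke-TrapAgentRemoval -Msi $msi -Restart (-not $NoRestart)) {
    0       { 'Agent removed.' }                     # ERROR_SUCCESS
    1641    { 'Agent removed; restart initiated.' }  # ERROR_SUCCESS_REBOOT_INITIATED
    3010    { 'Agent removed; restart required.' }   # ERROR_SUCCESS_REBOOT_REQUIRED
    default { throw "msiexec exit code $_; confirm the trap is in Maintenance mode in TSOC and see $env:TEMP\fullos-trap-remove.log" }
}
# Steps 3 and 4 remain manual: remove CryptoTrap via Add/Remove Programs if present,
# then click Remove now in the trap's Settings tab in TSOC.
```

Run it from an elevated PowerShell session on the agent host (or from a direct console when the trap could not be put into maintenance mode, as the Note above requires). Because the search matches a single wildcard directory level under each Program Files root, it finds the copy whichever obfuscation profile was selected at install time without needing the profile's directory name.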

Troubleshooting and Maintenance


This section describes several tools and options for troubleshooting and maintenance
purposes.

In This Section
Enabling Remote Support Access .....................................................63
Managing Appliance Routing ...........................................................63
Backup & Restore .............................................................................63
Stopping or Restarting the Trap Service ..........................................65
Administration Menus......................................................................65
Repairing or Reconfiguring a Full OS Trap ........................................71
Viewing TSOC Logs ...........................................................................71
Obtaining Diagnostics .......................................................................72
Testing Communications ..................................................................73

Enabling Remote Support Access


Appliance remote access allows TrapX support personnel to access the Appliance remotely.
Remote access was enabled or disabled at Appliance setup; you can subsequently change this
setting from TSOC.
To enable or disable remote access, in TSOC go to Appliances > Appliance > Configuration >
Settings, and change the Remote Access status:

Managing Appliance Routing


In most cases, Appliance routing is configured automatically and correctly according to
network connections and interface configuration.
Where additional routing configuration is required, routes and gateways can be configured
from TSOC, at Appliances > Appliance > Configuration > Routing.

Backup & Restore


To back up TSOC, back up the whole virtual machine (snapshot).

Appliances’ configurations, including their traps and tokens, are automatically backed up daily
on the TSOC server, from where you can restore them as needed, as below.

Note: Some items such as trap spin data, logs, and undelivered messages are not included
in configuration backup. For Appliances in virtual environments, a more complete
backup solution can be achieved by backing up the whole virtual machine
(snapshot).

You can change the time of day when the automatic backups take place as below. You can
also manually initiate a backup of a specified Appliance’s configuration as below.
The last three backups are maintained; older backups are deleted.
In special troubleshooting scenarios, when it may be necessary to create a more complete
backup, TrapX support may direct you to perform an Appliance Interface Configuration
backup (not discussed here).

In This Section
Setting the Daily Backup Time ..........................................................64
Restoring an Appliance’s Configuration ...........................................64
Manually Backing up an Appliance ..................................................64

Setting the Daily Backup Time


To change the time of the daily backup, in the TSOC server’s Administration Menu (see
Administration Menus on page 65) go to Appliance Configuration Backup and Restore > Set
Mass Appliance Backup Schedule, and as prompted provide the desired time in the format
hh:mm.

Restoring an Appliance’s Configuration


To restore an Appliance’s configuration (not interface configuration) from a backup:
1. In the TSOC server’s Administration Menu (see Administration Menus on page 65)
go to Appliance Configuration Backup and Restore > Restore Appliance
Configuration.
2. As prompted, provide the Appliance’s Unique ID (as appearing in TSOC Appliances >
Appliance > Configuration > Settings > Name) and its Group ID (as appearing in that
same Settings page).
3. As prompted, select from which of the displayed configuration backups to restore.

Manually Backing up an Appliance


To manually initiate a backup of a specified Appliance’s configuration, in the TSOC server’s
Administration Menu (see Administration Menus on page 65) go to Appliance Configuration
Backup and Restore > Backup Appliance Configuration, and as prompted, provide the
Appliance’s Unique ID (as appearing in TSOC Appliances > Appliance > Configuration >
Settings > Name) and its Group ID (as appearing in that same Settings page).

Stopping or Restarting the Trap Service


To start, stop, or restart an Appliance’s service for its emulation traps, in the Appliance’s
Administration Menu (see Administration Menus below) go to Malware Trap Settings > Stop
/ Start / Restart Malware Trap.

Administration Menus
Both the TSOC server and individual Appliances provide special administration menus for
advanced commands.
To access the Administration Menu:
1. Connect to the Appliance or TSOC server either at its console, or via SSH (for
example, using PuTTY) over port 222.
Note: In the case of Appliances, if the connection fails make sure SSH is enabled.
In TSOC’s Appliances page, select the Appliance and go to Configuration >
Settings > SSH Service.

2. On the TSOC server, log in as user mng; on an Appliance, log in as user sensor
(default password: Log2sensor).
Note: These users do not have full-fledged shell accounts. They are restricted
sudoers and can invoke only commands available in the presented menu.

At any time during configuration you can return to the main menu: on an Appliance, press
Ctrl+C; on the TSOC server, press Escape.

In This Section
TSOC Server Administration Menu Items ........................................65
Appliance Administration Menu Items ............................................67

TSOC Server Administration Menu Items


The following items are available in the TSOC server’s Administration Menu (see
Administration Menus above):

Network Configuration
   Network Information
      Show IP Address and Subnet: Display the TSOC server’s IP and subnet as configured in
         setup
      Show Routes: Display server routes and gateways
      Ping: For maintenance and troubleshooting purposes, ping a specified host
      Show netstat: For maintenance and troubleshooting purposes, display established
         connections
   Configuration
      Set to DHCP
      Change IP Address
      Add / Remove Default Gateway: Disabled. Instead, to perform these tasks, log into TSOC
         as setup (default password Log2Setup)
      Add / Remove Route: Edits the TSOC server’s routing table (in case the default gateway
         is insufficient to reach some required destination)
      Save Static IP Configuration: Disabled. Instead, to perform this task, log into TSOC as
         setup (default password Log2Setup)

Appliance Configuration Backup and Restore: Backup & restore Appliance configurations (see
   Backup & Restore on page 63)

Middleware
   Status: For troubleshooting scenarios, status details for support
   Restart: For troubleshooting scenarios, restarts TSOC middleware
   Consumers: For each Appliance and Full OS trap, lists in JSON format:
      • name: consumer_<group>_<Appliance>
      • stats:
          Total (failed and successful) numbers of (in order): sent events; keep alive
             messages; and manual (see Testing Communications on page 73) or automatic tests
          Failed numbers of: sent events; keep alive messages; and manual (see Testing
             Communications on page 73) or automatic tests
          Waiting: Total number of events, messages or files stuck in queue
      • status: Should be Running
      If you find any problems, test (see Testing Communications on page 73) the Appliance
      and send results to TrapX support.
   Clients: For each Appliance and Full OS trap, displays status. All should be Active or
      Idle. If you find any problems, test (see Testing Communications on page 73) the
      Appliance and send results to TrapX support.
   Queues: The Messages column indicates the number of messages stuck in queue. They should
      all be 0. If you find any problems, test (see Testing Communications on page 73) the
      Appliance and send results to TrapX support.
   Test: Test communications to a specified Appliance or Full OS trap, for the events channel
      or the file channel
   Restore credentials: For troubleshooting purposes, reset communications with a specified
      Appliance or Full OS trap

Global Settings
   Create CSR File: For certificate signing (see Signing the TSOC Certificate on page 11)
   Services status: For troubleshooting purposes, lists current statuses of services
   Restart Communication Services: For troubleshooting purposes, restarts TSOC’s control
      communication channel with Appliances. Note that Appliances will be disconnected for a
      short while
   Change ‘mng’ User Password: Changes the password of the mng user that you’re logged in
      with now
   Manage Custom Updates Source: For closed-environment upgrade (see Upgrading in a Closed
      Environment on page 44)
   Check for Updates: Upgrade check (see Checking for Software Upgrades on page 44)
   Pull Latest Feeds: Generally should only be used for troubleshooting scenarios; otherwise
      do it in the UI (see Updating NIS Intelligence Feeds on page 51)
   Enable/Disable SSH: Disable SSH access to this menu. If disabled, access will be only via
      console
   Enable debug mode for Deception Tokens: For troubleshooting purposes, causes subsequent
      deception token installations to record debug logs on target endpoints
   List last event ID sent by syslog: For troubleshooting purposes, lists per-type details of
      the last sent event syslogs, by ID (for events from Appliances) / MID (for events from
      Full OS traps)
   Disable SAML authentication: If TSOC is in SAML authentication mode (see Overview of User
      Authentication and Authorization on page 18), and there's a problem with the IdP so you
      can't access the TSOC UI, disable SAML here
   Generate Privileged API Key: For high-privilege API / SDK / CLI commands
   Reboot: Reboots the TSOC server
   Shutdown: Shuts down the TSOC server

Appliance Administration Menu Items


The following items are available in DeceptionGrid Appliances' Administration Menus (see
Administration Menus on page 65):

Category / Item Description


Network Configuration Show Interface Generally should only be used for
Settings troubleshooting scenarios. Otherwise, in TSOC
go to Appliances > Appliance > Configuration
> Interfaces
Show Routes Generally should only be used for
troubleshooting scenarios. Otherwise, in TSOC
go to Appliances > Appliance > Configuration
> Routing
Ping Standard well-known network tools for
maintenance and troubleshooting purposes
Telnet
Traceroute
Show netstat
Add / Remove Generally should only be used for
Network / Host Route troubleshooting scenarios. Otherwise, in TSOC
go to Appliances >Appliance > Configuration >
Routing
Configure VLANs Generally should only be used for
troubleshooting scenarios. Otherwise, in TSOC
go to Appliances >Appliance > Configuration >
Interfaces
Restore Malware Trap State Deletes the Appliance’s configured settings
and internal data, and restores them to their
defaults (factory defaults). Does not delete
network settings, i.e., VLANs, sub interfaces,
aliases
Note: It may take some time for
restoration results to appear in
TSOC.

Global Appliance Settings Services Status For troubleshooting purposes, lists current
statuses of services
Run packet analyzer For maintenance and troubleshooting
purposes, displays network traffic on a specific
interface
Check Connectivity to For maintenance and troubleshooting
TSOC purposes, display per-port and per-service
connectivity status.
Enable / Disable Enables / disables TrapX support remote
Support Access access. Same as from TSOC (see Enabling
Remote Support Access on page 63)
Change setup Change the password for the setup user, used
Password for initial Appliance configuration

DeceptionGrid Administration Guide, © TrapX 68


Troubleshooting and Maintenance

Category / Item Description


Change sensor Password: Change the password for the sensor user that you’re using now
Restart Appliance Controller: For troubleshooting purposes, restarts the Appliance’s control communication channel with TSOC
Reboot Appliance: Generally should only be used for troubleshooting scenarios. Otherwise, in TSOC go to Appliances > Appliance > Configuration > Settings > Reboot the Appliance
Shutdown Appliance: Generally should only be used for troubleshooting scenarios or other special situations. Otherwise, in TSOC go to Appliances > Appliance > Configuration > Settings > Shut down the Appliance
Show Appliance Serial: Show the Appliance host serial number (VPD)
Show Appliance Software Version: Shows the DeceptionGrid version installed on the Appliance
Upgrade NIC Firmware: Use only when and as directed
View Last Upgrade Log (Brief): If you upgraded an appliance’s version, view a digest of the upgrade log, including the upgrade status (whether the upgrade was successful or unsuccessful)
View Last Upgrade Log (Full): Same as previous but includes entire log contents

Middleware event and log cleanup
Middleware Status: For troubleshooting scenarios, status details for support
Restart: For troubleshooting scenarios, restarts Appliance middleware

Consumers: Lists in JSON format:
    • name: consumer_<group>_<Appliance>
    • stats: Aggregated from individual traps, NIS, and Asset Discovery:
        Total (failed and successful) numbers of (in order): sent events; null placeholder; and manual (see Testing Communications on page 73) or automatic tests
        Failed numbers of: sent events; null placeholder; and manual (see Testing Communications on page 73) or automatic tests
        Waiting: Total number of events or files stuck in queue
    • status: Should be Running
    If you find any problems, test (see Testing Communications on page 73) the Appliance and send results to TrapX support.
Clients: Status should be Active or Idle. If you find any problems, test (see Testing Communications on page 73) the Appliance and send results to TrapX support.
Queues: The Messages column indicates the number of messages stuck in queue. They should all be 0. If you find any problems, test (see Testing Communications on page 73) the Appliance and send results to TrapX support.
Test: Test communication with TSOC, including per-port connectivity (port open), and credentials (actual ability to send messages/files)

NIS Settings
Actions for Network Intelligence Sensor (NIS) (see Deploying Network Intelligence Sensor on page 50)

Malware Trap Settings
Check Network Connectivity: Use Ping to test IP connectivity from Appliance interfaces to the configured gateway. You can test parent interfaces connected to single networks (for example, eth0; but not its subinterfaces), and virtual VLAN interfaces in trunk connections (but not their child VLAN Alias interfaces). Select to test all relevant interfaces, or, to test just one, provide its name (for example, eth0 or vlan42).
Enable / Disable / Run Network Discovery: Generally should only be used for troubleshooting scenarios or other special situations. Otherwise, do in TSOC as in Set Network Discovery Subnet in the DeceptionGrid Security Deployment Guide

Configure SMB Domains: Generally should only be used for troubleshooting scenarios or other special situations. Otherwise, do in TSOC (see Enabling SMB Signing Support on page 14)
Check SMB Domain Connectivity: For troubleshooting scenarios
Configure SMB Share False Positives: For internal use. See DeceptionGrid Security Handling & Analysis Guide, Exceptions
Stop / Start / Restart Malware Trap: Start, stop, or restart the Appliance’s service for emulation traps
Disable / Enable OS Fingerprint: For troubleshooting scenarios, can disable traps' OS emulation component. Use only by direction of TrapX support
Configure special parameters: For troubleshooting scenarios. Use only by direction of TrapX support
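The Consumers, Clients and Queues items above describe what healthy middleware status looks like (consumers Running with no failed or waiting counters, clients Active or Idle, every queue at 0 messages). The following is an added example, not TrapX code, that applies those rules to a status dump so an operator can spot at a glance which items warrant running the Infrastructure test and contacting support. The JSON layout (a consumers list with name/stats/status, a clients list with a status each, a queues list with a messages count each, and the total/failed counters in the order the table gives them) is an assumption reconstructed from the table's wording, and the sample output is constructed, not captured from a real Appliance.

```python
"""Added example (not TrapX code): sanity-check the middleware status that the
sensor menu's Consumers / Clients / Queues items display.

The JSON layout used here is an ASSUMPTION reconstructed from the table's
description; the real Appliance output may differ.
"""
import json
import re
from typing import List

EXPECTED_CONSUMER_STATUS = "Running"           # "status: Should be Running"
EXPECTED_CLIENT_STATUSES = {"Active", "Idle"}  # "Clients status should be Active or Idle"
CONSUMER_NAME_RE = re.compile(r"^consumer_[^_]+_.+$")  # consumer_<group>_<Appliance>
# Order of the total / failed counters per the table: sent events, null placeholder, tests
STAT_LABELS = ("sent events", "null placeholder", "manual/automatic tests")

# Constructed sample output for the check below; NOT captured from a real Appliance.
SAMPLE_STATUS = json.dumps({
    "consumers": [
        {"name": "consumer_traps_appliance01",
         "stats": {"total": [1250, None, 48], "failed": [0, None, 0], "waiting": 0},
         "status": "Running"},
        {"name": "consumer_nis_appliance01",
         "stats": {"total": [300, None, 12], "failed": [7, None, 1], "waiting": 5},
         "status": "Stopped"},
    ],
    "clients": [
        {"name": "events", "status": "Active"},
        {"name": "files", "status": "Disconnected"},
    ],
    "queues": [
        {"name": "events", "messages": 0},
        {"name": "files", "messages": 3},
    ],
})


def check_middleware_status(raw_json: str) -> List[str]:
    """Return findings that warrant running the Infrastructure test and
    contacting support; an empty list means everything looks healthy."""
    data = json.loads(raw_json)
    findings = []

    for consumer in data.get("consumers", []):
        name = consumer.get("name", "<unnamed>")
        if not CONSUMER_NAME_RE.match(name):
            findings.append(f"consumer {name}: name does not follow consumer_<group>_<Appliance>")
        status = consumer.get("status")
        if status != EXPECTED_CONSUMER_STATUS:
            findings.append(f"consumer {name}: status {status!r}, expected {EXPECTED_CONSUMER_STATUS!r}")
        stats = consumer.get("stats", {})
        # Any non-zero failed counter is a problem (the null placeholder is skipped by zip).
        for label, count in zip(STAT_LABELS, stats.get("failed", [])):
            if count:
                findings.append(f"consumer {name}: {count} failed {label}")
        waiting = stats.get("waiting", 0)
        if waiting:
            findings.append(f"consumer {name}: {waiting} events/files waiting in queue")

    for client in data.get("clients", []):
        status = client.get("status")
        if status not in EXPECTED_CLIENT_STATUSES:
            findings.append(f"client {client.get('name', '<unnamed>')}: status {status!r}, expected Active or Idle")

    for queue in data.get("queues", []):
        stuck = queue.get("messages", 0)
        if stuck:
            findings.append(f"queue {queue.get('name', '<unnamed>')}: {stuck} messages stuck (should be 0)")

    return findings


def is_healthy(raw_json: str) -> bool:
    """True when the status dump shows nothing that needs follow-up."""
    return not check_middleware_status(raw_json)


if __name__ == "__main__":
    for line in check_middleware_status(SAMPLE_STATUS) or ["no problems found"]:
        print(line)
```

Run against the constructed sample, the check flags the stopped NIS consumer (with its failed and waiting counters), the disconnected client and the queue with stuck messages; a clean dump returns an empty list. Adjust the key names once you have a real dump from the menu, since the layout here is assumed.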

Repairing or Reconfiguring a Full OS Trap

To solve issues with a full OS trap agent’s installation, upon a change to the TSOC address,
and/or to change the name by which TSOC identifies a full OS trap agent:

Note: Due to a known issue in the current release, it is required for repair (or reinstall) to
change the configured TSOC address and/or the trap ID. Otherwise communication
with TSOC will be lost.

1. From TSOC, set the trap to Maintenance mode (see Setting Maintenance Mode on
page 60).
2. On the agent host computer, do one of the following:
   • Run the installer and select the option to repair. A copy of the installer is located
     on the host computer, at:
         <FOS_home>\Data\
     where <FOS_home> is the full OS agent's installation directory, named according
     to the selected obfuscation profile.
     Note: If for some reason you cannot set the trap to maintenance mode, the
     agent will not allow remote repair. In this case open a direct console to
     the agent host, run the installer and you’ll be presented with an option
     for maintenance mode. Select it, click Submit, and then repair.
   • Run the installer via the following command line:
         msiexec /fvomus /quiet </forcerestart | /norestart> NCIAInstaller.msi TSOC_ADDRESS=<tsoc_IP> TSOC_TRAP_ID=<trap_name>
     The above arguments are:
     • TSOC_ADDRESS: TSOC’s IP address
     • TSOC_TRAP_ID: Trap name to appear in TSOC. Must be 5-15 alphanumeric
       characters
     • </forcerestart | /norestart> (required): One of:
       • /forcerestart (recommended): Restart when complete
       • /norestart (not recommended): Don’t restart
     Note: If for some reason you cannot set the trap to maintenance mode, the
     agent will not allow remote repair. In this case you must run the
     command from a direct console to the agent host.
3. If you made changes to the TSOC IP address and/or trap ID, you’ll need to initialize
the trap from TSOC as after installing the trap (see Setting Up Full OS Trap on page
53).
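The command-line variant in step 2 has three constraints that are easy to get wrong when repairing several agents: TSOC_ADDRESS must be an IP address, TSOC_TRAP_ID must be 5-15 alphanumeric characters, and exactly one of /forcerestart or /norestart must be given. The following is an added example, not TrapX code, that validates those arguments and assembles the msiexec command line before running it, and interprets the result using the standard Windows Installer exit codes (0 success, 3010 success but reboot required, 1641 success and reboot initiated). Only the installer name NCIAInstaller.msi, the msiexec switches and the two property names come from the procedure; the helper names are mine, and the installer path defaults to the current directory, so run it from <FOS_home>\Data\ or pass the full path.

```python
"""Added example (not TrapX code): validate the repair-command arguments from
the procedure above and assemble the msiexec command line before invoking it.

Assumptions: helper names are mine; the installer defaults to NCIAInstaller.msi
in the current directory (the procedure places a copy under <FOS_home>\\Data\\).
"""
import ipaddress
import re
import subprocess
from typing import List

TRAP_ID_RE = re.compile(r"^[A-Za-z0-9]{5,15}$")  # "5-15 alphanumeric characters"
RESTART_FLAGS = ("/forcerestart", "/norestart")  # exactly one is required
# Standard Windows Installer exit codes (not TrapX-specific)
MSI_SUCCESS = 0
MSI_SUCCESS_REBOOT_REQUIRED = 3010
MSI_SUCCESS_REBOOT_INITIATED = 1641


def validate_repair_args(tsoc_address: str, trap_id: str, restart: str) -> List[str]:
    """Return a list of problems; an empty list means the arguments are acceptable."""
    problems = []
    try:
        ipaddress.ip_address(tsoc_address)
    except ValueError:
        problems.append(f"TSOC_ADDRESS must be an IP address, got {tsoc_address!r}")
    if not TRAP_ID_RE.match(trap_id):
        problems.append("TSOC_TRAP_ID must be 5-15 alphanumeric characters")
    if restart not in RESTART_FLAGS:
        problems.append("restart flag must be /forcerestart (recommended) or /norestart")
    return problems


def build_repair_command(tsoc_address: str, trap_id: str, restart: str = "/forcerestart",
                         installer: str = "NCIAInstaller.msi") -> List[str]:
    """Assemble the argument list for the repair command shown in the procedure."""
    problems = validate_repair_args(tsoc_address, trap_id, restart)
    if problems:
        raise ValueError("; ".join(problems))
    return ["msiexec", "/fvomus", "/quiet", restart, installer,
            f"TSOC_ADDRESS={tsoc_address}", f"TSOC_TRAP_ID={trap_id}"]


def repair_succeeded(returncode: int) -> bool:
    """Treat the three MSI success codes as success; anything else failed."""
    return returncode in (MSI_SUCCESS, MSI_SUCCESS_REBOOT_REQUIRED, MSI_SUCCESS_REBOOT_INITIATED)


def run_repair(tsoc_address: str, trap_id: str, restart: str = "/forcerestart",
               installer: str = "NCIAInstaller.msi") -> bool:
    """Run the repair on this host (Windows only; needs an elevated console)."""
    cmd = build_repair_command(tsoc_address, trap_id, restart, installer)
    completed = subprocess.run(cmd, check=False)
    return repair_succeeded(completed.returncode)


if __name__ == "__main__":
    import sys
    # Dry run: print the command that would be executed.
    # Usage: python repair_trap.py <tsoc_IP> <trap_name> [/forcerestart|/norestart]
    args = sys.argv[1:]
    if len(args) < 2:
        sys.exit("usage: repair_trap.py <tsoc_IP> <trap_name> [/forcerestart|/norestart]")
    flag = args[2] if len(args) > 2 else "/forcerestart"
    print(" ".join(build_repair_command(args[0], args[1], flag)))
```

Because the agent allows remote repair only while the trap is in Maintenance mode, run the validation first and only then invoke run_repair from the host; a failed validation costs nothing, whereas a rejected msiexec run leaves the agent in the state the notes above describe.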

Viewing TSOC Logs

For troubleshooting and maintenance purposes, TSOC displays several types of logs:

• WebApp: TSOC backend operations
• Audit: TSOC user actions
• Distribution: Deception token distribution operations

To view logs, in TSOC go to Settings > Logs:

You can filter the displayed logs by Message strings and by date range.
Audit logs are cleared every 30 days; WebApp and Distribution logs are cleared every 7 days.
To keep logs longer, you can Export to CSV. Or, for Audit logs, you can automate periodic
retrieval via API (see the TSOC API Developer's Guide) or CLI/SDK (see the DeceptionGrid
CLI/SDK Developer's Guide). Alternatively, contact TrapX support to extend the log retention
period.

Obtaining Diagnostics
For troubleshooting and maintenance purposes, TrapX support may ask you to download and
send a package of TSOC or Appliance logs or configuration files.

• For TSOC logs or configuration files, in TSOC go to Settings > Logs > Diagnostics.
• For Appliance logs or configuration files, in TSOC go to Appliances > Appliance >
Diagnostics.

In the relevant section, first have TSOC Retrieve and build the package; when an availability
message appears, Download the package:

Testing Communications
You can test communications between an Appliance and TSOC.
To test, in TSOC go to Appliances > Appliance > Diagnostics, and by Infrastructure test click
Run:

TSOC will display an informative message including status and recommendations as relevant.

Support
Support for TrapX products is provided by TrapX or by an authorized TrapX Service Partner.
More information and technical support for TrapX products are available at:

• support.trapx.com
• support@trapx.com
• Americas: 1-855-249-4453
• EMEA & Asia Pacific: +44-208-819-9849

Documentation Feedback
TrapX Security continually strives to produce high quality documentation. If you have any
comments, please contact Documentation@trapx.com.

About TrapX Security®

TrapX Security is the pioneer and global leader in cyber deception technology, with flagship
solution DeceptionGrid effectively detecting, deceiving, and defeating advanced cyber attacks
and human attackers in real-time. DeceptionGrid provides automated, highly accurate insight
into malicious activity unseen by other types of cyber defenses. Deploying DeceptionGrid
sustains a proactive security posture, fundamentally halting the progression of an attack.
DeceptionGrid changes cyber-attack economics by shifting the cost to the attacker.
The TrapX Security customer base includes worldwide Forbes Global 2000 commercial and
government customers in key industries including defense, healthcare, finance, energy, and
consumer products. Learn more at www.trapx.com .

Disclaimer
Product specifications are subject to change without notice. This document is believed to be
accurate and reliable at the time of printing. However, due to ongoing product improvements
and revisions, TrapX cannot guarantee accuracy of printed material after the Date Published
nor can it accept responsibility for errors or omissions. Before consulting this document, check
the corresponding Release Notes regarding feature preconditions and/or specific support in
this release. In cases where there are discrepancies between this document and the Release
Notes, the information in the Release Notes supersedes that in this document. Updates to this
document and other documents as well as software files can be obtained by TrapX customers.

Trademarks and Copyright

© Copyright 2020 TrapX Security Ltd. All rights reserved. This document is subject to change
without notice. TrapX, TrapX Security, DeceptionGrid and CryptoTrap are trademarks or
registered trademarks of TrapX Security in the United States and other countries. Other
trademarks used in this document are the property of their respective owners.
Updated 29/7/20
