5. Check Point SandBlast Agent Management Platform. Logs, Reports & Forensics. Threat Hunting

Welcome to the fifth article in the series on the Check Point SandBlast Agent Management Platform solution. The previous articles can be found at the corresponding links: first, second, third, fourth. Today we will look at the monitoring capabilities of the Management Platform, namely working with logs, interactive dashboards (Views) and reports. We will also touch on the topic of Threat Hunting for detecting current threats and anomalous events on the user's machine.

Logs

The main source of information for monitoring security events is the Logs section, which displays detailed information about each incident and also lets you use convenient filters to refine your search. For example, if you right-click a parameter (Blade, Action, Severity, etc.) of a log of interest, that parameter can be applied as a filter: Filter: "Parameter" or Filter out: "Parameter". In addition, for the Source parameter the IP Tools option can be selected, from which you can run ping to the given IP address/name or run nslookup to find the source IP address by name.

Within the Logs section, for filtering events, there is a Statistics section that shows statistics for all parameters: a timeline with the number of logs, as well as the percentage share of each parameter value. From this section you can easily filter logs without using the search bar and without writing filter expressions: just select the parameters of interest and the new list of logs is displayed immediately.

Detailed information about each log is available in the right-hand panel of the Logs section, but it is more convenient to open the log by double-clicking it to examine its contents. Below is an example of a log (the image is clickable) showing detailed information about the triggering of the Prevent action of the Threat Emulation blade on an infected ".docx" file. The log has several sections presenting the details of the security event: the triggered policy and protection, forensics details, and information about the client and the traffic. The reports available from the log deserve special attention: the Threat Emulation Report and the Forensics Report. These reports can also be opened from the SandBlast Agent client.

Threat Emulation Report

When the Threat Emulation blade is used, after emulation has been performed in the Check Point cloud, a link to a detailed report on the emulation results, the Threat Emulation Report, appears in the corresponding log. The contents of such a report are described in detail in our article on malware analysis using Check Point SandBlast Network forensics. It is worth noting that this report is interactive and lets you "drill down" into the details of each section. It is also possible to watch a recording of the emulation process in the virtual machine, download the malicious file or obtain its hash, and contact the Check Point Incident Response Team.

Forensics Report

For any security event a Forensics Report is generated, which includes detailed information about the malicious file: its characteristics, its actions, its entry point into the system and its impact on important company assets. We discussed the structure of this report in detail in the article on malware analysis using Check Point SandBlast Agent forensics. Such a report is an important source of information when investigating security events, and if necessary its contents can be quickly sent to the Check Point Incident Response Team.

SmartView

Check Point SmartView is a convenient tool for creating and viewing dynamic dashboards (Views) and reports in PDF format. From SmartView you can also view user logs and administrator audit events. The figure below shows the reports and dashboards that are most useful for working with SandBlast Agent.

Reports in SmartView are documents containing statistical information about events over a given period of time. Downloading reports in PDF format to the machine on which SmartView is open is supported, as well as scheduled delivery in PDF/Excel format to the administrator's email. Importing/exporting report templates, creating your own reports, and hiding user names in reports are also supported. The figure below shows an example of the built-in Threat Prevention report.

Dashboards (Views) in SmartView allow the administrator to get to the logs of the corresponding event: just double-click the object of interest, whether it is a chart column or the name of a malicious file. As with reports, you can create your own dashboard and hide user data. Dashboards also support importing/exporting templates, scheduled delivery in PDF/Excel format to the administrator's email, and automatic data refresh for monitoring security events in real time.

Other monitoring sections

A description of the monitoring tools in the Management Platform would be incomplete without mentioning the Overview, Computer Management, Endpoint Settings and Push Operations sections. These sections were described in detail in the second article; still, it is worth considering what they offer for monitoring tasks. Let's start with Overview, which consists of two parts, Operational Overview and Security Overview; these are dashboards with information about the state of the protected user machines and about security events. As with any other dashboard, double-clicking a parameter of interest in an Operational Overview or Security Overview widget takes you to the Computer Management section with the selected filter applied (for example, "Desktops" or "Pre-Boot Status: Enabled"), or to the Logs section for a particular event. The Security Overview section is the "Cyber Attack View - Endpoint" dashboard, which can be customized and configured to display the data you need.

From the Computer Management section you can monitor the status of the agent on user machines, the update status of the Anti-Malware database, the stages of disk encryption, and much more. All data is updated automatically, and for each filter the percentage of user machines matching it is displayed. Exporting computer data in CSV format is also supported.

An important aspect of monitoring workstation security is setting up notifications about critical events (Alerts) and exporting security logs (Export Events) for storage on the company's servers. Both are configured in the Endpoint Settings section. For Alerts, it is possible to connect a mail server to send event notifications to the administrator and to configure thresholds for triggering/muting notifications depending on the percentage/number of devices matching the event criteria. Export Events lets you configure the transfer of logs from the Management Platform to the company's server for further processing. It supports the SYSLOG, CEF, LEEF and SPLUNK formats, the TCP/UDP protocols, any SIEM system with a running syslog agent, TLS/SSL encryption, and syslog client authentication.

For a deeper analysis of events on the agent, or when contacting technical support, you can quickly collect logs from the SandBlast Agent client using a forced operation in the Push Operations section. You can configure the transfer of the generated log archive to Check Point servers or to corporate servers, and the log archive is also saved on the user's machine in the C:\Users\username\CPInfo directory. Starting the log collection process at a specified time and allowing the user to postpone the operation are supported.

Threat Hunting

Threat Hunting is used to search for malicious activity and anomalous behavior in the system as part of the further investigation of a security event. The Threat Hunting section in the Management Platform lets you search the data collected from user machines for events matching specified parameters.

The Threat Hunting tool has several predefined queries, for example: categorizing malicious domains or files, or tracking unusual requests to certain IP addresses (taking geolocation into account). A query consists of three parameters: an indicator (network protocol, process identifier, file type, etc.), an operator ("is", "is not", "contains", "one of", and so on) and the request body. Regular expressions can be used in the request body, and several filters can be combined at once in the search bar.
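To make the query structure concrete, here is an added Python example (not code from the article or from Check Point) that evaluates filters of the form indicator / operator / body over a constructed set of endpoint events; the operator names follow the page, except "matches", an assumed name for a regex body, and filters are AND-ed as when several are entered in the search bar:

```python
import re
from dataclasses import dataclass

# Constructed sample of endpoint events (not real SandBlast Agent telemetry):
# each dict maps an indicator name to its value on the user's machine.
EVENTS = [
    {"host": "ws-01", "process": "powershell.exe", "pid": 4120,
     "protocol": "HTTPS", "domain": "update.example.test", "file_type": "ps1"},
    {"host": "ws-02", "process": "winword.exe", "pid": 2210,
     "protocol": "HTTPS", "domain": "cdn.example.test", "file_type": "docx"},
    {"host": "ws-03", "process": "mshta.exe", "pid": 3345,
     "protocol": "HTTP", "domain": "bad-domain.example.invalid", "file_type": "hta"},
    {"host": "ws-01", "process": "chrome.exe", "pid": 990,
     "protocol": "DNS", "domain": "x7f2k9.example.invalid", "file_type": ""},
]

# Operators named on the page plus "matches" (assumed name) for regex bodies.
OPERATORS = {
    "is":       lambda value, body: value == body,
    "is not":   lambda value, body: value != body,
    "contains": lambda value, body: body in value,
    "one of":   lambda value, body: value in {b.strip() for b in body.split(",")},
    "matches":  lambda value, body: re.search(body, value) is not None,
}


@dataclass(frozen=True)
class Filter:
    """One search-bar filter: indicator, operator and request body."""
    indicator: str
    operator: str
    body: str

    def match(self, event: dict) -> bool:
        if self.operator not in OPERATORS:
            raise ValueError(f"unknown operator: {self.operator!r}")
        value = str(event.get(self.indicator, ""))  # missing indicator -> ""
        return OPERATORS[self.operator](value, self.body)


def hunt(events: list, filters: list) -> list:
    """Return the events that satisfy every filter (filters are AND-ed,
    like several filters entered together in the search bar)."""
    return [e for e in events if all(f.match(e) for f in filters)]


if __name__ == "__main__":
    suspicious = hunt(EVENTS, [
        Filter("process", "one of", "powershell.exe, mshta.exe"),
        Filter("domain", "is not", "update.example.test"),
    ])
    for e in suspicious:
        print(e["host"], e["process"], e["domain"])
```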

After selecting the filters and running the query, you get access to all matching events, with the ability to view detailed information about an event, isolate the object of the query, or generate a detailed Forensics Report with a description of the event. At the moment this tool is in beta, and in the future it is planned to expand its capabilities, for example by adding information about the event in the form of the MITRE ATT&CK matrix.

Conclusion

To summarize: in this article we looked at the capabilities for monitoring security events in the SandBlast Agent Management Platform and studied the new tool for searching for and detecting malicious actions and anomalies on user machines, Threat Hunting. The next article will be the last in this series, and in it we will look at the most frequently asked questions about the Management Platform solution and talk about the options for testing this product.

A large selection of materials on Check Point from TS Solution. To avoid missing the next publications on SandBlast Agent Management Platform, follow the updates on our social networks (Telegram, Facebook, VK, TS Solution Blog, Yandex Zen).

Source: www.habr.com