BeyondInsight
User Guide
Version 6.3 – April 2017
Security in Context
Revision/Update Information: April 2017
Software Version: BeyondInsight 6.3
Revision Number: 0
CORPORATE HEADQUARTERS
5090 N. 40th Street
Phoenix, AZ 85018
Phone: 1 818-575-4000
COPYRIGHT NOTICE
Copyright © 2017 BeyondTrust Software, Inc. All rights reserved.
The information contained in this document is subject to change without notice.
No part of this document may be photocopied, reproduced or copied or translated in any manner to another
language without the prior written consent of BeyondTrust Software.
BeyondTrust Software is not liable for errors contained herein or for any direct, indirect, special, incidental or
consequential damages, including lost profit or lost data, whether based on warranty, contract, tort, or any other
legal theory in connection with the furnishing, performance, or use of this material.
All brand names and product names used in this document are trademarks, registered trademarks, or trade names
of their respective holders. BeyondTrust Software is not associated with any other vendors or products mentioned
in this document.
Contents
Introduction ix
Documentation for BeyondInsight ix
Contacting Support ix
Creating a Support Package x
BeyondInsight Overview 1
Architectural Overview 1
BeyondInsight Components 2
How a Scan Works 4
How Job Scheduling Works 5
Access BeyondInsight 7
Changing the Display 8
Setting Display Preferences 8
Filtering Records 9
BeyondInsight Tools 10
Overview 10
Creating an Address Group 11
Creating a Smart Rule based on an Address Group 12
Updating Address Groups Using Stored Procedures 12
Creating an Active Directory Query 14
Using SSL for Active Directory Queries 16
Working with Attributes 16
Working with Smart Rules 18
Understanding Smart Rule Filters 18
Smart Rule Filters 20
Predefined Smart Groups 22
Creating an Asset Smart Rule 23
Creating a Vulnerabilities Smart Rule 25
Cloning a Smart Rule 27
Marking a Smart Group as Inactive 28
Deleting a Smart Rule 28
Working with Tickets 29
Creating a Ticket 29
Managing Ticket Details 30
Marking a Ticket as Inactive 31
Tracking Open Tickets Using a Smart Rule 31
Managing Users and User Groups 33
Creating a User Group 33
Creating an Active Directory User Group 33
User Guide i © 2017. BeyondTrust Software, Inc.
User Group Permissions 34
Access Levels 36
Permissions Required for Configuration Options 36
Creating User Accounts 37
Reset BeyondInsight Account Password 38
Auditing BeyondInsight Users 39
Adding Credentials 40
Creating an SSH Credential 40
Creating Oracle Credentials 41
Creating SNMP Credentials 41
Creating Web Essentials Credentials 41
Adding Credentials for Active Directory Access 42
Discovery Scanning 43
Running a Discovery Scan 43
Discovering Assets Using a Smart Group 43
Discovering Assets Manually 44
Running a Vulnerability Scan 45
Reviewing Vulnerability Scan Results 48
Creating a Quick Rule 49
Excluding Vulnerabilities 50
Editing Exclusion Properties 51
Malware Toolkit Vulnerabilities 52
Remediating Vulnerabilities 52
Setting CVSS Metrics 52
Setting CVSS Environmental Metrics 53
Setting Base and Temporal Metrics 53
Editing Scan Settings 55
Working with Audit Groups 57
Exporting an Audit Group 58
Importing an Audit Group 58
Working with Port Groups 59
Creating a Custom Audit 59
Managing Reports 62
Running a Report on Existing Scan Data 62
Creating Scheduled Reports 63
Viewing Scheduled Reports in the Calendar View 63
Reviewing Report Results 64
Creating a Report 65
Creating a Report Category 65
Setting Report Output Options 65
Customizing the Report Logo 66
Viewing and Downloading Reports 67
Managing Report Templates 68
Setting Report Output Options 68
Asset Management 70
Interpreting Scan Results on the Dashboard 70
Reviewing Asset Details 71
Risk Scores 72
Deleting Assets 72
Changing Asset Properties 73
Managing Database Instances 75
Viewing Database Information 75
Deleting the Database Instance 76
Managing Jobs 77
Reviewing Job Details 77
Reviewing Scheduled Job Details 78
Viewing Scheduled Scans in the Calendar View 78
Viewing Scan Event Details 79
Aborting or Pausing a Job 79
Setting a Scan to Complete 80
Troubleshooting a Scan Job 80
Changing Job Page Settings 81
Creating Connectors 82
Overview 82
Configuring a BlackBerry Connector 82
Configuring an Android Connector 83
Deploying the Application to Android Devices 84
Configuring Settings on Android Devices 85
Configuring an ActiveSync Connector 85
Reviewing Mobility Scan Results 86
Creating Custom Audits for Mobile Devices 86
Configuring a Qualys API Connector 88
Cloud Scanning 89
Requirements 89
Amazon EC2 Requirements 89
Azure Requirements 89
Google Cloud Requirements 89
Hyper-V Requirements 89
VMWare VCenter Requirements 90
Configuring a Cloud Connector 91
Scanning Paused or Offline VMWare Images 92
Cloud Connector Smart Groups 93
Configuring BeyondInsight AWS Connector 94
Setting up a Policy 94
Setting up a Role 94
Setting up BeyondInsight AWS Cloud Connection - BeyondTrust 95
Setting up the Role 95
Importing Scans from Third-Party Scanners 96
Overview 96
File Formats 96
Nessus 96
Nexpose 96
Qualys 97
McAfee 97
TripWire 97
Importing a Scan File 97
Importing Larger Scan Files 99
Viewing the Vulnerability Report 99
Changing the File Upload Size 100
Multi Tenant 102
Overview 102
Smart Rules Manager and Browser Pane 102
Working with Scan Credentials 102
Quick Rules 103
Organization Filters 103
Patch Management Module 103
Mobility Connectors 103
Retina Protection Agents 103
Address Groups 104
Migrating Address Groups 104
Setting Up Organizations 106
Step 1 Creating a Workgroup 106
Step 2 Adding an Organization 107
Step 3 Creating a User Group for a Tenant 108
Configuring Authentication 109
Configuring Two Factor Authentication 109
Configuring the RADIUS Server 109
Setting up the User Account 110
Configuring Smart Card Authentication 111
Setting BeyondInsight Options 112
Account Lockout Options 112
Account Password Options 112
Auto Update Options 113
Display Options 113
Clarity Malware Analysis Options 113
Email Notifications 113
Maintenance Options 114
Proxy Settings 115
Radius Settings 116
Refresh Settings 116
Retina Scanner Agents 117
Configuring Retina Agent Scan Options 117
Performance Settings 117
Timeout Values 117
Event Routing 118
Setting Restrictions on Scan Times 119
Configuring General Scan Options 119
Scanner Pooling 121
Viewing Status for Scanners and Agents 122
Determining if a Scanner is Available 122
Restarting Agents 123
Removing Retina Agent Files 123
Configuring a Failover Agent 124
Retina Host Scanning 124
Turn on Host Scanning 124
Creating a Host Scan Group 125
Creating a Smart Rule 125
Running the Scan 126
Displaying Scanner Information 126
Viewing Scan Jobs 128
Patch Management Module 129
Overview 129
How Patching with WSUS Works 129
How a Patch Deployment Works 130
Connecting to a WSUS Server 132
Requirements 132
Adding a Connection 132
Connecting to a Downstream Server 133
Installing the WSUS Administration Console 134
Installing the Console on Windows Server 2012 134
Registering Smart Rules 134
Redeploying Configuration 136
Refreshing WSUS Data in the Database 136
Approving Patch Updates 137
Reviewing Patch Details 139
Deleting Patches 141
Third-Party Patching 141
Generating a Certificate 141
Subscribing to Vendor Patch Updates 142
List of Supported Vendors 143
System Center Configuration Manager 144
Overview 144
How Patching with SCCM Works 144
Requirements 145
Creating a Connection to a SCCM Site Server 146
Deploying a Package to a Collection 146
SCCM and 3rd Party Patching 147
Using Group Policy to Configure SCCM Assets for 3rd Party Patches 148
Retina Protection Agents 150
Overview 150
How RP Agent Deployments Work 150
Downloading Retina Protection Agents 151
Configuring a Default Policy 151
Preparing Target Assets 152
Using the 3rd Party Deployment Tool 153
Updating RPA Licenses 153
Deploying the Protection Policies 154
Reviewing Details about Protection Agents 155
Removing Protection Agents 155
Configuring Protection Policies 157
Working with Rules and Rule Groups 157
Creating a Rule Group and Setting Rules 157
Creating a Protection Policy 158
Creating a Dynamic Policy 158
Organizing Your Policies 161
Rules Reference 162
System Firewall Rules 162
Application Firewall Rules 163
IPS Signature Rules 165
Trusted and Banned IPs 167
Registry Protection Rules 168
Execution Protection Rules 169
File Integrity Rules 170
Windows Events Rules 174
Source Names 174
Trusted List Options 175
Miscellaneous Options 176
Regulatory Reports Pack 177
Compliance Scans 178
Healthcare Pack Compliance Scans 178
Finance Pack Compliance Scans 178
Government Pack Compliance Scans 178
Running a Compliance Scan 178
Reviewing Compliance Scan Results 180
Configuration Compliance Pack 181
Setting Permissions for Configuration Compliance 181
Running Benchmark Scans 181
Viewing Benchmark Scan Results 182
Managing Benchmarks 182
Importing Benchmarks 183
Setting OVAL Tests Option 183
BeyondInsight Clarity Analytics 184
Alerts 184
Cluster Maps 186
Cluster Map Numbering 186
Cluster Shading 186
Cluster Attributes 186
Configuring BeyondInsight Clarity 187
Setting Risk Analytics Values 187
Analyzing Cluster Maps 188
Analyzing Cluster Grids 190
Clarity Reports 190
Clarity Dashboard 192
Triggers 192
Risk Events by Threat Level 193
Risk Events by Application 193
Triggers List 194
BeyondInsight Clarity - Malware Analysis 195
Architecture Overview 195
Configuring BeyondInsight 195
Configuring PowerBroker for Windows 196
Reviewing Malware Information in the Management Console 197
Using Reports to Analyze Results 198
Top 10 Assets by Total Threat Level Report 199
Event Review - Malware Report 200
Configuring a Claims-Aware Web Site 201
Create a BeyondInsight User Group 201
Adding Relying Party Trust 201
Setting up Claim Rules 202
Supported Federation Service Claim Types 203
Claims Aware SAML 203
Managing PowerBroker Sudo Events 206
Viewing Run Arguments and IO Logs 206
Creating a PowerBroker Sudo Smart Group 206
Creating a Sudo Client Smart Group 206
Creating a Sudo Events Smart Group 207
Managing BeyondInsight Services 209
Monitoring Services 209
Turn on Debug Logging 209
Changing the Credentials for a Service 209
Appendix A: Preparing Your Database Application for Scans 211
Preparing Your MySQL Database 211
Appendix B: Report Templates and Audit Groups 212
Report Templates 212
Audit Groups 219
Regulatory Reporting Pack Audit Groups 219
Introduction
This guide provides detailed instructions and procedures for using BeyondInsight.
This section includes the document conventions, list of documentation for the product, and where to get additional
product information.
Documentation for BeyondInsight
The complete BeyondInsight documentation set includes the following:
• BeyondInsight Installation Guide
• BeyondInsight User Guide
• BeyondInsight Analytics and Reporting User Guide
• Third Party Integration Guide
If you are working with any of the BeyondInsight modules, refer to the product documentation for additional
information about that module.
Contacting Support
For support, go to our Customer Portal, then follow the link to the product you need assistance with.
The Customer Portal contains information regarding contacting Technical Support by telephone and chat, along
with product downloads, product installers, license management, account, latest product releases, product
documentation, webcasts and product demos.
Telephone
Privileged Account Management Support
Within Continental United States: 800.234.9072
Outside Continental United States: 818.575.4040
Vulnerability Management Support
North/South America: 866.529.2201 | 949.333.1997
+ enter access code
All other Regions:
Standard Support: 949.333.1995
+ enter access code
Platinum Support: 949.333.1996
+ enter access code
Online
http://www.beyondtrust.com/Resources/Support/
Creating a Support Package
Create a support package that can be used by BeyondTrust Technical Support. The package includes:
• All logs in the BeyondInsight Logs folder.
• Storage size statistics on the BeyondInsight database.
• Certain database tables that contain information on Retina protection agents and Retina scanner agents and
their jobs.
• debug_syncit - log file that is used to determine when files are updated (from Auto Update). Useful for
troubleshooting whether updates were applied successfully.
Note that credentials are not stored in any of the package files.
To generate the package:
1. Select Help > Generate Support Package.
2. Click Generate Support Package.
3. Click Save File.
4. Save the .zip file and email to your Technical Support representative.
BeyondInsight Overview
Architectural Overview
BeyondInsight architecture follows a top-down, tiered approach to compliance and security management
throughout your organization.
Retina Network Security Scanners run vulnerability assessments, and Retina Protection Agents can perform
endpoint host security. All communication between the agents and BeyondInsight is encrypted, and the collected
data is stored in a SQL Server database.
Multiple BeyondInsight servers can replicate data to produce a tiered architecture and all management control and
results are available through an Internet-enabled application.
Figure: Architecture
BeyondInsight Components
This section provides information on each of the components that BeyondInsight relies on in running scans,
protecting assets, etc.
Retina Network Security Scanner (RNSS agent)
The Retina Network Security Scanner is the scan engine responsible for scanning the assets in your environment.
The RNSS agent receives instructions from the Central Policy service.
A security certificate is required by the Events Client to communicate with the agent. This certificate can be
created during the BeyondInsight installation.
Retina Protection Agent (RP agent)
The agent designed to protect your assets. The Retina Protection agent provides layers of protection, including:
virus and spyware, firewall, intrusion prevention, system protection, and vulnerability assessment.
A security certificate is required by the Events Client to communicate with the agent. This certificate can be
created during the BeyondInsight installation.
Manager Service
This component is the BeyondInsight web interface.
The eEye Manager Service also acts as a background service that gathers information from the Events Client (which
retrieves information from the agents). The events are then encrypted and sent to the database.
AppBus (Application Bus)
Provides communications between BeyondTrust components and receives events to insert in the BeyondInsight
database. This function can also be done by a dedicated Event Server for scalability.
Events Client
The Events Client is responsible for forwarding information gathered by the RNSS agent and RP agent.
The Events Client sends the information to the eEye Manager Service. The Events Client is installed when an RNSS
agent or RP agent is installed.
Events Client Certificate
Generate security certificates to ensure secure transmission of data between clients and BeyondInsight. Use the
BeyondInsight Configuration Tool to generate certificates. For more information, refer to the BeyondInsight
Installation Guide.
Central Policy Server
Central Policy is a service that sends RNSS agents and RP agents their settings. Central Policy is the component
responsible for sending the agents job information.
For example, the RNSS agent needs to know the targets and the audits to run against those targets. This information
is selected in the BeyondInsight management console. When the scan starts, the Central Policy sends the job
information to the agent.
The same applies to RP agent policies. Central Policy needs to know which protection policy to send to the selected
protected assets. Policies are defined in the BeyondInsight management console, and when a policy is deployed,
Central Policy sends the job information to the RP agent, which applies it to the target asset.
Enterprise Update Server
Using the Enterprise Update Server, you can centrally manage updates for your BeyondTrust applications, receive
updates automatically or manually and distribute updates to client systems on your network.
You can schedule automatic updates to ensure that your assets are protected by the latest vulnerability audits.
Third Party Patch Service
Gathers third party patches and makes them available for distribution using WSUS.
Scheduling Service
Responsible for contacting the Update server and downloading the latest product updates and audit updates.
Shared Services Engine
Receives Retina Protection agent deployment details from the AppBus and sends those details to the assets where
the RP agent is being deployed.
How a Scan Works
This section provides the communication workflow between BeyondInsight and the agents.
For a list of ports that BeyondInsight uses, see Ports Used by BeyondInsight.
1. Create the scan job in the BeyondInsight Management Console. The scan job includes details such as the IP
addresses to be targeted, the scan template, and scheduling information.
2. The Central Policy service notifies the RNSS agent with the instructions for the scan job.
3. The RNSS agent goes out to the assets provided in the scan job details and gathers the data based on the
selected scan template.
4. Information gathered by the RNSS agent is passed through the Events Client to the BeyondInsight Event
Server. The data is sent in .mmf format.
5. The BeyondInsight Event Server passes the information to SQL Server, where the gathered information is
normalized.
Ports Used by BeyondInsight
Function                    Components                                              Port
Database connectivity       BeyondInsight to SQL Server,                            1433
                            BeyondInsight Reporting to SQL Server
Event Client                RNSS and RPA to BeyondInsight                           21690
RPA Central Policy          Endpoint to BeyondInsight                               Version 1 – 2000
                                                                                    Version 2 – 443
RNSS Central Policy         RNSS to BeyondInsight                                   Version 1 – 10001
                                                                                    Version 2 – 443
Update Servers              SyncIt or EUS to BeyondTrust                            443 or 80
Client Browser              User to BeyondInsight or BeyondInsight Reporting        443 or 80
PowerBroker for Windows     Connector to Web services                               443
Android Mobile Connector    Android agents to BeyondInsight                         21691
BeyondInsight replication   BeyondInsight to BeyondInsight for Enterprise tiering   21692
How Job Scheduling Works
The following job scheduling overview assumes multiple scanners are used.
1. Create a Smart Rule, which includes setting:
– The list of scanners
– The asset distribution algorithm
– The targets
Targets are determined by:
– Assets that are in the database (assets that are already discovered).
Assets will be discovered if the following are included in the Smart Rule:
– Address groups
– Cloud assets
– LDAP queries
2. The asset distribution algorithm assigns scanners to assets.
For round robin assignments, targets whose IP address is known are assigned first. Targets are then assigned
to scanners by the name of the target, if the name is known.
After this assignment occurs, scanners remain associated with their assigned assets.
3. Two .xml files are sent to the Retina scanner agent:
– a file that contains job scheduling information
– a file that lists the targets assigned to the scanner
Figure: Round robin assignment
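The following Python example is added here to make the round robin assignment described above concrete; it is not BeyondInsight code. It assumes a target is identified by its IP address when known and by its name otherwise, and that balancing new targets onto the least-loaded scanner (which is plain round robin when nothing has been assigned yet) is an acceptable reading of "round robin"; targets with neither an IP address nor a name are skipped.

```python
"""Added example: round robin assignment of scan targets to Retina scanners.

Not BeyondInsight code. Follows the overview: targets with a known IP address
are assigned first, then targets known only by name, and an asset keeps its
scanner once assigned. Load balancing across runs is an assumption.
"""
from typing import Dict, List, Optional, Sequence, Tuple

# (ip, name); either element is None when it is not known.
Target = Tuple[Optional[str], Optional[str]]


def target_key(target: Target) -> Optional[str]:
    """Identity used for sticky assignment: the IP address if known, else the name."""
    ip, name = target
    return ip or name or None


def assign_targets(targets: Sequence[Target], scanners: Sequence[str],
                   previous: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Return {target_key: scanner} for every assignable target.

    Pass 1 handles targets whose IP address is known, pass 2 those known only
    by name; a target with neither cannot be assigned and is skipped.
    Keys already present in `previous` keep their scanner, even if the scanner
    list was reordered, so scanners stay associated with assigned assets.
    """
    if not scanners:
        raise ValueError("at least one scanner is required")
    assignment: Dict[str, str] = dict(previous or {})

    # Current load per scanner, including assets assigned on earlier runs.
    load = {s: 0 for s in scanners}
    for scanner in assignment.values():
        load[scanner] = load.get(scanner, 0) + 1

    by_ip = [t for t in targets if t[0]]                 # IP address known
    by_name = [t for t in targets if not t[0] and t[1]]  # name known only
    for target in by_ip + by_name:
        key = target_key(target)
        if key in assignment:
            continue                                     # sticky: never move an asset
        # min() returns the first least-loaded scanner in list order, which on an
        # empty state walks the scanner list in round robin fashion.
        scanner = min(scanners, key=lambda s: load[s])
        assignment[key] = scanner
        load[scanner] += 1
    return assignment


def targets_by_scanner(assignment: Dict[str, str]) -> Dict[str, List[str]]:
    """Invert the map into the per-scanner target list that each agent receives."""
    out: Dict[str, List[str]] = {}
    for key, scanner in assignment.items():
        out.setdefault(scanner, []).append(key)
    return {s: sorted(keys) for s, keys in out.items()}


if __name__ == "__main__":
    # Constructed sample: two scanners, one target known only by name,
    # one with no usable identity at all.
    sample: List[Target] = [("10.0.0.1", "web01"), (None, "db01"),
                            ("10.0.0.2", None), (None, None)]
    first = assign_targets(sample, ["scannerA", "scannerB"])
    print(targets_by_scanner(first))
    # A later run with a reordered scanner list keeps existing assignments.
    second = assign_targets([("10.0.0.1", "web01"), ("10.0.0.3", "app01")],
                            ["scannerB", "scannerA"], previous=first)
    print(targets_by_scanner(second))
```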
Access BeyondInsight
When working in the console, note that times displayed match the web browser on the local computer (unless
stated otherwise).
To log on to BeyondInsight:
1. Select Start > All Programs > eEye Digital Security > BeyondInsight > BeyondInsight. You can also log on using
the URL provided to you by your Security Administrator.
2. Enter your user name and password.
The default user name is Administrator and the password is the Administrator Password you set in the
Configuration wizard.
3. Click Login.
Changing the Display
You can change the information displayed on BeyondInsight pages, including:
• Columns
• Number of records displayed at one time
• Create filters to display records that meet the filter criteria
Setting Display Preferences
You can set display preferences on the following pages:
• Assets page
• Vulnerabilities page
• Agents page
• Jobs page
• User Audits page
Note that you can display a Domain and filter by Domain. If the domain name is not known or the asset is not part of
a domain, then the field is blank. The Domain filter is not displayed by default.
To set display preferences:
1. Select the Assets tab.
2. Click the preferences button.
3. On the Preferences dialog box, set the following:
– Columns to Show - Select the check boxes for the columns that you want to display.
– Show Filter - Select to always display the filtering text boxes and lists.
For more information, see Filtering Records.
– Records Per Page - Select the number of records to display at one time.
4. Click OK to close the Preferences dialog box.
5. Click to open the Save Preferences dialog box.
6. Select display settings, and then click Save Preferences.
Filtering Records
Create a filter to match certain records that you want to view on the page.
To set filtering on assets:
1. Select the Assets tab.
2. Select the show filter button to display the filter options.
3. Enter filter criteria and click .
BeyondInsight Tools
Overview
BeyondInsight provides a set of tools to help you organize assets for scanning.
Depending on the number of assets that you want to scan, or the critical nature of some of your assets, consider
organizing the assets using address groups or Active Directory queries, which can be part of a Smart Rule.
The following list provides examples of ways you can use these tools:
• Create an IP address group that organizes assets by a range of IP addresses, including CIDR notation and named
hosts.
• Use an Active Directory query that will organize assets by organizational unit. Create a Smart Rule and use the
query as your asset selection criteria.
• Change the properties for assets (after a scan runs), then use the attributes as the selection criteria in the
Smart Rule. For more information, see Changing Asset Properties.
Scans can return a lot of information. To help you review scan results, you can create filters and set preferences on
the Assets page to easily review scan results. For more information, see Changing the Display.
Creating an Address Group
Create an address group then use the address group as an IP address filter when creating a Smart Rule.
An address group can contain included or excluded IP addresses. IP addresses are entered as an IP range, named
host, or as a CIDR block.
To work with address groups, the BeyondInsight user must be a member of the Administrators group, or be
assigned the Asset Management permission. See Creating User Groups.
Creating an Always Address Group
You can create an address group and name it Always. The Retina scanner is designed to recognize this address
group name and includes the group in every scan (regardless if the group is selected in the scan job). The address
group can include and exclude IP addresses.
The next time a scan runs, the address group is synchronized with the Retina scanner. The IP addresses, whether
included or omitted, are considered part of the scan that is running.
For example, the Always address group is configured with the following: 10.10.10.60 and buffett-laptop (omitted).
A scan tries to scan 10.10.10.50 and buffett-laptop. The results:
• 10.10.10.60 is included in the scan since that IP address is added to the Always address group
• buffett-laptop is excluded from the scan since that asset is explicitly omitted in the Always address group
• 10.10.10.50 is scanned as usual
Note that if an asset was scanned and then later added to the Always address group as Omit, the asset is not
scanned but might still be displayed in the report. This only occurs with some reports.
To create an address group:
1. Click the Configure tab, and then click Address Groups.
2. Click + in the Address Group pane.
3. Enter a name for the address group.
4. Select the address group and then click + in the Type/Entry pane.
5. To create an Address Group filter:
– Click New to open the New Address Group dialog box. Enter IP addresses to include or exclude, and then
click Save.
To exclude IP addresses, enter the IP addresses, and then select the Omit this entry check box.
– Click Import to import a .txt file with a list of IP addresses to include and exclude. The list depends on your
particular needs. The list can include all IP addresses to exclude if that is how you want to create your
filter.
To exclude IP addresses, use the format: 192.x.x.x (1)
The following shows an example of how a CIDR block, an excluded IP address, and excluded named hosts
are displayed after importing:
Creating a Smart Rule based on an Address Group
When you are configuring an address group you can choose to create a Smart Group based on the address group.
Create the address group and add IP addresses as described earlier. Click the arrow as shown:
The address group Smart Group is displayed in the Smart Groups browser pane:
Updating Address Groups Using Stored Procedures
Util_VAAddressEdit
@EditAddressErrorMessage    Error messages (if any) generated during the execution of this procedure.
@VAAddressIdOut             Address group ID.
@Action                     Action to be performed. Valid actions are -> 1 (add/edit) | 2 (delete)
@VAAddressGroupName         The parent address group.
@VAScanPolicy_RetinaInfoID  Associated scan policy retina info ID.
@Omit                       Flag used to exclude IP address(es).
@Type                       Specifies the address type. Valid types are -> single|range|cidr|name|url
@Value                      Values must be in the following formats:
                            single : [0-2][0-5][0-5].[0-2][0-5][0-5].[0-2][0-5][0-5].[0-2][0-5][0-5]
                            range  : [0-2][0-5][0-5].[0-2][0-5][0-5].[0-2][0-5][0-5].[0-2][0-5][0-5]-[0-2][0-5][0-5].[0-2][0-5][0-5].[0-2][0-5][0-5].[0-2][0-5][0-5]
                            cidr   : [0-2][0-5][0-5].[0-2][0-5][0-5].[0-2][0-5][0-5].[0-2][0-5][0-5]/[0-32]
                            name   : Cannot be NULL or empty
                            url    : Cannot be NULL or empty
Util_VAAddressListByAddressGroup
@VAAddressGroupName         The parent address group.
Example
/*
--TEST
DECLARE @ErrorMessage NVARCHAR(4000) = ''
DECLARE @Result INT = 0
DECLARE @VAAddressIdOut INT = NULL
-- Create a new entry
EXEC @Result = [dbo].[Util_VAAddressEdit]
    @EditAddressErrorMessage = @ErrorMessage OUTPUT,
    @VAAddressIdOut = @VAAddressIdOut OUTPUT,
    @Action = 1,
    @VAAddressGroupName = 'New Address Group 1',
    @VAScanPolicy_RetinaInfoID = NULL,
    @Omit = 0,
    @Type = 'range',                  --@Type = 'single'
    @Value = '10.1.2.3-1.25.25.25'    --@Value = '10.200.31.70'
SELECT * FROM [dbo].[VAAddress]
PRINT @ErrorMessage
IF(@Result = 0)
BEGIN
    -- Edit the newly created entry
    EXEC @Result = [dbo].[Util_VAAddressEdit]
        @EditAddressErrorMessage = @ErrorMessage OUTPUT,
        @VAAddressIdOut = @VAAddressIdOut OUTPUT,
        @Action = 1,
        @VAAddressGroupName = 'New Address Group 1',
        @VAScanPolicy_RetinaInfoID = NULL,
        @Omit = 0,
        @Type = 'range',                  --@Type = 'single'
        @Value = '10.1.2.3-10.10.10.10'   --@Value = '10.200.31.71'
    SELECT * FROM [dbo].[VAAddress]
    PRINT @ErrorMessage
    -- Delete the new entry
    EXEC @Result = [dbo].[Util_VAAddressEdit]
        @EditAddressErrorMessage = @ErrorMessage OUTPUT,
        @VAAddressIdOut = @VAAddressIdOut OUTPUT,
        @Action = 2
    SELECT * FROM [dbo].[VAAddress]
    PRINT @ErrorMessage
END
*/
/*
--TEST
-- Return only the addresses associated with the address group named 'Localhost'
EXEC [dbo].[Util_VAAddressListByAddressGroup] 'Localhost'
-- OR --
-- Return all address groups and their associated addresses
EXEC [dbo].[Util_VAAddressListByAddressGroup]
*/
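The Python example below is added to illustrate two passages together: the Always address group behaviour described under Creating an Always Address Group (10.10.10.60 always included, buffett-laptop always omitted, 10.10.10.50 scanned as usual) and the single/range/cidr/name/url entry types that Util_VAAddressEdit accepts. It is not BeyondInsight code; it assumes IPv4 only, that included entries are added to the job's targets and omitted entries remove any matching target, and it checks addresses more strictly than the character patterns listed above (a range must run from a lower to a higher address).

```python
"""Added example: address group entries and "Always" address group resolution.

Not BeyondInsight code. The entry kinds mirror the @Type values accepted by
Util_VAAddressEdit (single | range | cidr | name | url); the "Always" handling
follows the documented include/omit behaviour. IPv4 only, as an assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class AddressEntry:
    kind: str    # one of the @Type values
    value: str   # the @Value text
    omit: bool   # the @Omit flag: True excludes matching targets from every scan


def parse_entry(kind: str, value: str, omit: bool = False) -> AddressEntry:
    """Validate (kind, value) and return an AddressEntry; raise ValueError otherwise.

    Stricter than the page's character patterns: octets are checked as real
    IPv4 addresses and a range must run from a lower to a higher address.
    """
    value = value.strip()
    if kind == "single":
        ipaddress.IPv4Address(value)                 # raises ValueError if malformed
    elif kind == "range":
        lo, sep, hi = value.partition("-")
        if not sep or ipaddress.IPv4Address(lo) > ipaddress.IPv4Address(hi):
            raise ValueError(f"bad range: {value!r}")
    elif kind == "cidr":
        ipaddress.IPv4Network(value, strict=False)   # e.g. 10.10.10.0/24
    elif kind in ("name", "url"):
        if not value:                                # "Cannot be NULL or empty"
            raise ValueError(f"{kind} entry cannot be empty")
    else:
        raise ValueError(f"unknown entry type: {kind!r}")
    return AddressEntry(kind, value, omit)


def _as_ip(target: str):
    """Return the target as an IPv4Address, or None when it is a host name."""
    try:
        return ipaddress.IPv4Address(target)
    except ValueError:
        return None


def matches(entry: AddressEntry, target: str) -> bool:
    """True when the entry covers the target: by address for IP kinds, by name otherwise."""
    if entry.kind in ("name", "url"):
        return entry.value.lower() == target.lower()
    ip = _as_ip(target)
    if ip is None:
        return False                                 # host names never match IP entries
    if entry.kind == "single":
        return ip == ipaddress.IPv4Address(entry.value)
    if entry.kind == "range":
        lo, _, hi = entry.value.partition("-")
        return ipaddress.IPv4Address(lo) <= ip <= ipaddress.IPv4Address(hi)
    return ip in ipaddress.IPv4Network(entry.value, strict=False)   # cidr


def expand(entry: AddressEntry) -> Set[str]:
    """All concrete targets an included entry contributes to a scan (small ranges only)."""
    if entry.kind in ("single", "name", "url"):
        return {entry.value}
    if entry.kind == "range":
        lo, _, hi = entry.value.partition("-")
        first, last = int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))
        return {str(ipaddress.IPv4Address(n)) for n in range(first, last + 1)}
    net = ipaddress.IPv4Network(entry.value, strict=False)
    hosts = net if net.prefixlen >= 31 else net.hosts()   # /31 and /32 have no broadcast to drop
    return {str(h) for h in hosts}


def resolve_scan_targets(job_targets: Iterable[str],
                         always: Iterable[AddressEntry]) -> List[str]:
    """Apply an "Always" address group to a scan job's target list.

    Included entries are added even if the job did not name them; any target
    matched by an omitted entry is dropped regardless of who listed it.
    """
    always = list(always)
    targets: Set[str] = set(job_targets)
    for entry in always:
        if not entry.omit:
            targets |= expand(entry)
    omitted = [e for e in always if e.omit]
    return sorted(t for t in targets if not any(matches(o, t) for o in omitted))


if __name__ == "__main__":
    # Constructed sample reproducing the guide's example: 10.10.10.60 is
    # always included, buffett-laptop is always omitted.
    always_group = [
        parse_entry("single", "10.10.10.60"),
        parse_entry("name", "buffett-laptop", omit=True),
    ]
    print(resolve_scan_targets(["10.10.10.50", "buffett-laptop"], always_group))
```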
Creating an Active Directory Query
Create an Active Directory query to retrieve information from Active Directory to populate a Smart Rule. For
example, create a query that uses computer names for a selected domain.
To work with Active Directory queries, the BeyondInsight user must be a member of the Administrators group, or
be assigned the Asset Management permission. See Creating User Groups.
To create an Active Directory query:
1. Click the Configure tab, and then click Directory Queries.
2. Click New.
3. Enter a name for the query.
4. Enter a path name or click Browse to search for a path.
On the Select Active Directory Path dialog box, the forest is automatically detected. The Domain list is
populated with the domains in the forest. Select a container and click OK to close the dialog box.
To query the domain using SSL authentication, select the Use SSL check box.
To use the SSL authentication, you must first turn it on using the BeyondInsight Configuration Tool. See Using
SSL for Active Directory Queries.
5. Select a scope to apply to the container: either This Object and All Child Objects or Immediate Children Only.
6. Enter a name and description for the filter.
7. Click Advanced and enter the LDAP query details.
8. Click Credentials and provide credentials (optional).
Minimum permissions assigned for the credentials must be Read on the computer assets that you are
enumerating.
9. Click Test to ensure the query returns expected results.
10. Click Save.
Using SSL for Active Directory Queries
You can turn on SSL settings for Active Directory queries. You can use SSL for queries when creating Active
Directory queries or creating Active Directory user groups.
You must first turn on the option using the BeyondInsight Configuration Tool. Set the value to True.
Working with Attributes
You can use attributes to label assets. Set an attribute on each asset in a group using a Smart Rule.
You can then select the attribute as a filter when you create a Smart Rule. Select an attribute from the Assigned
Attributes list in the Asset Selection Criteria section. For more information, see Creating a Smart Rule.
BeyondInsight ships with attributes already created. You can also add attribute types and attributes that meet your
particular requirements.
You can use the Criticality attribute to weight the importance of an asset in your environment. Assign the criticality
attribute using a Smart Rule or on the Asset Details page for an asset (see Changing Asset Properties).
To add an attribute type and attribute:
1. Click the Configure tab, and then click Attributes.
2. Click + and then select Attribute Type.
3. Type an attribute name.
4. To add an attribute, select an attribute type.
5. Click + and then select Attribute.
6. Type an attribute name.
Working with Smart Rules
A Smart Rule is a filter that you can use to organize assets. You can organize the assets using one of the following
Smart Rules types:
• Asset Smart Groups – Organizes the assets based on the filters selected.
• Vulnerability Smart Groups – Organizes the vulnerabilities based on the vulnerabilities filter selected.
The user must be a member of the Administrators group, or be granted the Asset Management permission to work
with Smart Rules.
Note: When a non-administrator user creates a Smart Group, that Smart Group will automatically be associated
with:
– Read permissions to all user groups that the user is a member of.
– Write permissions to all user groups the user is a member of and also has the Asset Management
permission. The Asset Management permission allows the user to create a Smart Rule.
Use a Smart Rule to register assets as Smart Groups to:
• Run vulnerability scans against
• Apply protection policies to
• Register for Patch updates
• Monitor and view
A Smart Rule updates results automatically, ensuring that assets that match the criteria in the rule are current.
For example, a simple filter on assets might be finding all assets in the domain EMEA, as shown:
If an asset can no longer be contacted or no longer meets the criteria in the rule, the rule dynamically updates. At
any time when you select the Smart Rule for a scan (for example), you can be sure the list of assets is current.
Understanding Smart Rule Filters
There are many filters available to you to create Smart Rules. For example, you can filter on such properties as
Asset fields, Installed Software, Assigned Attributes, or Operating System.
You can create address groups or an Active Directory query to use as filters. You can create these filters in the
Smart Rule Manager or from the Configure tab. For more information, see Creating an Address Group and Creating
an Active Directory Query.
You can use more than one filter to refine or extend the scope of assets in the Smart Rule. Filters can be joined
with 'and' (Match All Criteria) or 'or' (Match Any Criteria) conditions.
• If you select Match All Criteria, then every indented filter under it must be true for an asset to be included.
• If you select Match Any Criteria, then only one of the indented filter items under it must be true for an asset to
be included.
The following filter example will include all assets in the EMEA domain that are either servers or workstations.
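As an added illustration (not from the guide), the following Python evaluator shows how nested Match All and Match Any groups decide membership, using the guide's EMEA example plus the Assigned Attributes include/exclude-unassigned caveat; the asset field names, helper functions, and sample inventory are assumptions made for this example.

```python
"""Added example, not part of the BeyondInsight guide: a minimal evaluator for
how Smart Rule filters combine under Match All Criteria ('and') and
Match Any Criteria ('or'), run over constructed asset records.

The asset field names (domain, kind, attributes) and the filter helpers are
assumptions made for this illustration; the product's own filter engine and
data model are not shown in the guide."""

from typing import Any, Callable, Dict, List

Asset = Dict[str, Any]
Filter = Callable[[Asset], bool]


def field_equals(field: str, value: str) -> Filter:
    """Asset Fields filter: the named field must equal value (case-insensitive)."""
    return lambda asset: str(asset.get(field, "")).lower() == value.lower()


def assigned_attribute(attr_type: str, value: str,
                       include_unassigned: bool = False) -> Filter:
    """Assigned Attributes filter. When the attribute type is unassigned on an
    asset, include_unassigned decides whether that asset is included or excluded."""
    def check(asset: Asset) -> bool:
        attrs = asset.get("attributes", {})
        if attr_type not in attrs:
            return include_unassigned
        return attrs[attr_type] == value
    return check


def match_all(*filters: Filter) -> Filter:
    """Match All Criteria: every indented filter must be true."""
    return lambda asset: all(f(asset) for f in filters)


def match_any(*filters: Filter) -> Filter:
    """Match Any Criteria: at least one indented filter must be true."""
    return lambda asset: any(f(asset) for f in filters)


def evaluate(rule: Filter, assets: List[Asset]) -> List[str]:
    """Return the names of the assets currently in the Smart Group, in input order.
    Re-running this after the inventory changes is what keeps the group current."""
    return [a["name"] for a in assets if rule(a)]


# The guide's example: all assets in the EMEA domain that are either servers
# or workstations (Match All, with a nested Match Any group).
EMEA_SERVERS_OR_WORKSTATIONS = match_all(
    field_equals("domain", "EMEA"),
    match_any(field_equals("kind", "Server"), field_equals("kind", "Workstation")),
)

# A Criticality-based variant: EMEA servers whose Criticality attribute is High,
# with assets that have no Criticality assigned excluded from the group.
EMEA_CRITICAL_SERVERS = match_all(
    field_equals("domain", "EMEA"),
    field_equals("kind", "Server"),
    assigned_attribute("Criticality", "High", include_unassigned=False),
)

# Constructed sample inventory (not real hosts).
SAMPLE_ASSETS: List[Asset] = [
    {"name": "emea-dc01", "domain": "EMEA", "kind": "Server",
     "attributes": {"Criticality": "High"}},
    {"name": "emea-ws17", "domain": "EMEA", "kind": "Workstation", "attributes": {}},
    {"name": "emea-rtr1", "domain": "EMEA", "kind": "Router",
     "attributes": {"Criticality": "High"}},
    {"name": "emea-db02", "domain": "emea", "kind": "Server", "attributes": {}},
    {"name": "apac-srv9", "domain": "APAC", "kind": "Server",
     "attributes": {"Criticality": "High"}},
]


if __name__ == "__main__":
    print(evaluate(EMEA_SERVERS_OR_WORKSTATIONS, SAMPLE_ASSETS))
    print(evaluate(EMEA_CRITICAL_SERVERS, SAMPLE_ASSETS))
```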
Smart Rule Filters
Review the following tables for more information about available Smart Rule filters.
Table 1. Asset Smart Rule Filters
• Active Directory Query – Create an LDAP query to include or exclude assets in the selected domain. For more information, see Creating an Active Directory Query.
• Address Group – Create a group of IP addresses. For more information, see Creating an Address Group.
• Asset Fields – Group the Smart Group by asset fields, such as asset name, device ID, domain or DNS, risk, and kind. You can include more than one asset field filter in the Smart Rule to refine the results.
• Assets with Open Tickets – For ticket tracking, create a Smart Rule that filters on open tickets. The Smart Rule filter can be set to include overdue tickets.
• Assigned Attributes – Create a filter based on an attribute. If the attribute is unassigned on a particular asset, you can choose to include or exclude the asset from the rule.
• Attacks – Filter assets based on attack. Select attacks from a list, or filter on attack name or ID.
• Child Smart Rule – You can reuse a Smart Rule to save time when creating new Smart Rules. This is especially useful if the Smart Rule is a complicated set of filters. Reusing a Smart Rule further refines the assets that will be a part of the Smart Group.
• Cloud Assets – Filter assets on the cloud connector.
• Installed Software – Filter on any combination of installed software.
• MAC Address – Filter by MAC address of assets.
• Malware – Filter assets based on malware. Select malware from a list, or filter on malware name or ID.
• Operating System – Filter on any combination of OS. Operating systems included in the list are those detected in your network. Assets with no OS detected can be included or excluded from the rule.
• Ports – Filter by port group. Assets with open ports in the port group can be included or excluded from the rule.
• Processes – Filter on any combination of processes.
• Protection Agents – Filter by protection agents.
• Services – Filter by any combination of services.
• Software Version – Filter by software version. The software that you can filter on is determined by the software that is discovered during the scan.
• User Account Attribute – Filters user accounts by SID or privilege. You can filter on both. If either value is not selected, it is ignored. Using this filter you can determine whether any users have administrator privileges that might no longer be required. You can create a Smart Rule using this filter and set the email alert action to notify you when a user account with admin privileges is detected.
• Vulnerabilities – Filter by vulnerability, CVSS score or vector, PCI severity, or vulnerabilities from an audit group.
• Vulnerability Scanners – Filter by scanner. You can filter for responsive or unresponsive scanners.
• Windows Events – Filter by Windows events that are available in the Windows Event Viewer (for example, Application, Security, or System).
• Workgroup – Filter by workgroup.
Table 2. Vulnerabilities Smart Rule Filters
• Child Smart Rule – Filter the vulnerabilities by child Smart Rules.
• Vulnerability fields – Filter by the vulnerability fields: vulnerability name, description, and solution. Example: Select Description "contains" and enter the string Microsoft XML. Save the rule as a Smart Group to use as a filter when viewing vulnerabilities.
• Vulnerability has exploits – Filter on vulnerabilities where exploits exist.
• Vulnerability has mitigation patch – Filter by patch updates that are available to remediate the vulnerability. Filter by:
– Type - Select Combined to apply OS and application patches. Select Individual to apply a specific patch to either an OS or application.
– Name or url - Enter a string that matches either the name of the patch or the URL for the patch remediation. For example, enter MS12-068 (the patch name) or part of the URL: https://technet.microsoft.com/en-us/library/security/ms12-068.aspx
– Prerequisite - Enter the CPE information that represents the fix for the vulnerability. Only CPE data for platforms is accepted. For example, cpe:/o:microsoft:windows_server_2003::sp2:x32
– Platform - Enter the operating system that the mitigation patch applies to.
• Vulnerability in audit group – Filter by audit group. For example, All Audits, Zero Day, or any of the compliance audit groups available.
• Vulnerability severity – Filter by severity level: low, information, medium, high.
• Vulnerability version updated – Filter on vulnerability version. Any audits that are updated (through Auto Update) are detected when the Smart Rule processes. Use with the Send email alert action to receive an email notification when updated audits are available. The email will list updated audits. Note that the Send email alert action is only available with this filter.
• Zero day vulnerabilities – Filter on zero day vulnerabilities. Include or exclude the vulnerabilities from the Smart Group.
Predefined Smart Groups
By default there are Smart Groups already defined and created.
Predefined Smart Groups cannot be changed or deleted. However, predefined Smart Groups can be marked as
inactive (except for the All Assets Smart Group) to improve performance on large databases. For more information,
see Marking a Smart Group as Inactive.
The predefined Smart Groups are displayed in the Smart Groups browser pane and are organized in the following
categories.
Table 3. Predefined Smart Groups for Assets
• Agents and Scanners – Detects assets where protection agents and Retina scanners are deployed.
• Assets and Devices – Includes default Smart Groups for all assets and all assets labeled as workstations.
• Intelligent Alerts – Includes Smart Groups that detect assets added since yesterday, and mobile assets with critical vulnerabilities. Intelligent Alerts are inactive by default.
• Servers – Includes Smart Groups that detect assets that are mail servers, web servers, database servers, domain controllers, and SCADA. Only the Web Servers Smart Group is marked as active.
• Virtualized Devices – Includes Smart Groups for virtual environments, including Microsoft Hyper-V and Parallels. Assets detected as virtual environments are part of these Smart Groups. This default category also includes two Smart Groups, Virtual Servers and Virtual Workstations. Assets that are servers or workstations might not be detected, and therefore not included in the Smart Group. For example, the asset might be a router or unknown and will not be part of the Smart Group.
Table 4. Predefined Smart Groups for Vulnerabilities
• All Vulnerabilities – Includes all assets where there are vulnerabilities detected.
• Zero Day Vulnerabilities – Includes all assets where zero day vulnerabilities are detected.
Creating an Asset Smart Rule
You can configure an asset Smart Rule to:
• Create Smart Groups
• Send email alerts with a list of assets
• Set attributes on assets
• Create a ticket with a list of assets
• Enable for Patch management
• Set environmental metrics for CVSS scoring
• Set scanner pooling
To create a Smart Rule:
1. Select the Assets tab.
2. Click Manage Smart Rules.
The Smart Rules Manager displays existing Smart Rules.
3. Select Asset based smart rules from the Smart Rule type list.
4. Click New Rule.
5. Enter a name and description.
6. The Active check box is selected by default. The Smart Rule is always available for processing when Active is
selected. Clear the check box so the rule is not processed.
7. Enter a category name or select a category from the list. Use categories to organize your Smart Rules in the
Smart Groups browser pane.
8. Select the filters in the Asset Selection Criteria section of the manager.
9. From the Perform Actions section of the manager, select one of the following:
– Assign EPP Policy - When selected, deploys a PowerBroker EPP policy to the assets in the Smart Group.
The default policy is always available in the list even if the policy has not yet been downloaded.
When creating the Smart Group, you must also select Protection Agents from the Asset Criteria list.
Ensure the following are in place before you try to deploy policies: EPP license, credentials, and access to
the target assets.
– Create Ticket - Select tickets parameters, including ticket assignment, severity, and email alert. For more
information, see Creating a Ticket.
– Deploy PBW Policy – Select to deploy PowerBroker for Windows policies to the assets that match the
criteria selected in the Smart Rule.
– Enable for Patch Management - Select to create a Smart Group for managing patch updates to assets. For
more information, see Registering Smart Rules.
– Export Data - Select to manage a Smart Group for the BMC Remedy connector.
– Mark each asset inactive - Assets detected as inactive will no longer be displayed on the Assets page or in
reports.
– Send an email with a list of assets - Select and enter the email addresses for notification when the rule
criteria is matched.
Emails are only sent if the list of assets that match the rule is changed from the last time the rule was
processed.
– Set attributes on each asset - Select the attribute type from the list and then select the attribute.
– Set Environmental CVSS Metrics - Select environmental metrics for CVSS. For more information, see
Setting CVSS Metrics.
– Set Scanner Properties - Select one or more scanners to lock to the Smart Group. See Scanner Pooling.
– Show asset as Smart Group - When selected, the rule is displayed in the Smart Groups pane as a Smart
Group. You can select the Smart Group to filter the list of assets in the Smart Groups pane.
You can also select the default view to display on the Assets page when the Smart Group is selected.
Smart Groups are also used for running scans, applying protection policies, and registering for patch
updates.
10. Click Save.
Creating a Vulnerabilities Smart Rule
You can configure a vulnerabilities Smart Rule to:
• Manage vulnerabilities
• Use as filters in grids and reports
The following example shows the settings for a high severity Vulnerability Smart Rule and the filter that you can
select on the Assets page. Selecting the filter will display all vulnerabilities with a severity level High.
To create a vulnerabilities Smart Rule:
1. Select the Assets tab.
2. Click Manage Smart Rules.
The Smart Rules Manager displays existing Smart Rules.
3. Select Vulnerability based smart rules from the Smart Rule type list.
4. Click New Rule.
5. Enter a name and description.
6. The Active check box is selected by default. The Smart Rule is always available for processing when Active is
selected. Clear the check box so the rule is not processed.
7. Enter a category name or select a category from the list. Use categories to organize your Smart Rules in the
Smart Rules Manager.
8. Select the filters in the Asset Selection Criteria section of the manager.
9. From the Perform Actions section of the manager, select one of the following:
– Show vulnerability as Smart Group – When selected, the rule is displayed on the Vulnerabilities page as a
filter for the list of assets selected in the Smart Groups browser pane.
– Create vulnerability audit group – To create a read-only audit group.
10. Click Save.
Example Scenario
Create a Vulnerability Smart Rule that filters on high severity vulnerabilities that excludes Zero Day. Save the Smart
Rule as an audit group.
Run a report and select the audit group for the Smart Rule. The report generated will display all high severity
vulnerabilities and details for assets with the vulnerabilities.
The Audit Groups filter is available with most vulnerability reports. Vulnerability Smart Groups that are configured
as an audit group will be available in the Audit Groups filter for these reports.
Cloning a Smart Rule
You can clone your custom Smart Rules or the predefined Smart Rules.
An example scenario: you created a Smart Rule where the 'discover assets' option is selected and you run the rule
once a month. You can clone the Smart Rule, turn off 'discover assets', and configure the new Smart Rule to run
more frequently. This saves you time in recreating the filters in the initial Smart Rule.
To clone a Smart Rule:
1. Select the Assets tab.
2. Click Manage Smart Rules.
Select the Smart Rule, and then click the clone icon.
If you are using the Multi Tenant feature, select the organization from the list, and then click OK.
3. On the Smart Rules Manager page, edit the Smart Rule filters as needed.
4. Click Save.
The Smart Rule is active only after you click Save.
Marking a Smart Group as Inactive
You cannot delete predefined Smart Groups. However, if you have a lot of Smart Groups, you can save on
processing time if you mark unused Smart Groups as inactive.
Note: A Smart Rule that is used in another Smart Rule cannot be deleted or marked inactive.
An inactive Smart Group is no longer displayed in the Smart Group browser pane (until marked active again).
Deleting a Smart Rule
To delete a Smart Rule, go to the Smart Rules Manager, hover on the Smart Rule and then click the icon.
Note: A Smart Rule that is used in another Smart Rule cannot be deleted or marked inactive.
Working with Tickets
Use the ticket system to assign tickets to members of your security team. The team can review, remediate, and
resolve vulnerabilities and attacks on protected assets.
You can create tickets to manage the remediation of vulnerabilities, attacks, and malware.
Ensure your user groups have the correct ticket permissions assigned. For more information, see User Group
Permissions.
Note: You can create an Active Directory user group and assign the group ticket permissions.
The users that are members in the Active Directory group must log on to BeyondInsight at least once
before the user name is displayed in the Assigned to list. Logging on also activates the email notification for
the user.
Creating a Ticket
Using the ticket system, you can create tickets for managing the life cycle of vulnerabilities, attacks, and malware.
You can create a ticket from the following pages:
• Assets
• Attacks
• Vulnerabilities
• Malware
To create a ticket:
1. Select the arrow for a vulnerability, and then select Create Ticket.
2. Enter the details for the ticket.
A ticket ID is automatically generated after you save the details for the ticket.
3. Click Save.
A Smart Rule is autogenerated when a ticket is saved. This Smart Rule is intended to help you keep track of
assets affected by the vulnerability, attack or malware. No intervention is required by you.
The next time the Smart Rule is processed, affected assets where solutions are applied will no longer be part
of the Smart Rule. When all assets have the solution applied, the autogenerated Smart Rule for the ticket is
removed from the Smart Rules Manager.
The autogenerated tickets are not displayed in the Smart Rules browser pane.
Managing Ticket Details
To change the details for a ticket:
1. Select the Assets tab, and then select Tickets.
2. Select i.
3. On the Ticket Details dialog box, change the ticket properties as needed.
If you select the Close status, the ticket is no longer displayed on the Tickets pane.
4. If available, click the x revisions link to view details about activity on the ticket.
5. Click Back to Ticket Details.
6. Click Save.
Marking a Ticket as Inactive
If a ticket is accidentally created or no longer needed, your security team member can mark the ticket as inactive.
An inactive ticket is essentially a ticket that is deleted.
An inactive ticket is no longer displayed on the Tickets page. However, the BeyondInsight administrator can always
see the tickets (active or inactive).
You can mark a ticket as inactive on the Ticket Details page or from the Smart Rules Manager.
To mark a ticket as inactive:
1. Select the Assets tab, and then select the Tickets tab.
2. Select the ticket and then click i.
3. Clear the Active check box.
4. Click Save.
The ticket is no longer displayed on the Tickets page. The inactive ticket cannot be selected.
Tracking Open Tickets Using a Smart Rule
Use Smart Rules to track open tickets and tickets that are overdue.
To create a Smart Rule:
1. Select the Assets tab, and then click the Manage Smart Rules button.
2. Click New Rule.
3. Enter a rule name and description.
4. Select the criteria and actions as shown.
5. Select the Auto-close Ticket check box to close and remove the Smart Group from the Smart Rules Manager.
The ticket is only closed after all assets are remediated.
6. Click Save.
Later, you can run the Tickets report to view a current list of open tickets. Select the ticket Smart Group and
any other relevant parameters.
Managing Users and User Groups
Create user groups and user accounts so that your BeyondInsight administrators can log on to BeyondInsight.
BeyondInsight offers a role-based delegation model so that you can explicitly assign certain Read and Write
permissions to a user group based on their role. For a complete list of the Read and Write permissions available,
see User Group Permissions.
You can create a BeyondInsight user group or use an existing Active Directory group.
Note: An Administrators user group is created by default. The permissions assigned to the group cannot be
changed. The user account you created when you configured BeyondInsight is a member in the group.
After a user group is created, create and add user accounts to the group. When a user is added to a group, the user
is assigned the permissions that are assigned to the group.
Creating a User Group
To create a user group:
1. Select the Configure tab then select the Accounts tab.
Select the button to change the view between all users and all groups.
2. Click + in the User Groups pane.
3. Select Group from the list.
4. Enter a name and description for the user group.
5. Select the Active check box to activate the user group. Otherwise, clear the check box and activate later.
6. Select the permissions and access levels.
7. Select the Smart Rules and access levels to the rules.
8. Click Create.
9. Create and add user accounts.
Creating an Active Directory User Group
Active Directory group members can log on to the management console and perform tasks based on the
permissions assigned to the group.
Note: Active Directory users must log on to the management console at least once to receive email notifications.
The group can authenticate against either a domain or domain controller.
To create an Active Directory user group:
1. Select the Configure tab then select the Accounts tab.
2. Click + in the User Groups pane.
3. Select Active Directory Group from the list.
If detected, a domain name is automatically populated in the Domain or Domain Controller box.
4. Enter the name of a domain or domain controller.
5. Select the Use SSL check box to use a secure connection when accessing Active Directory. You must turn on
SSL authentication in the Configuration tool. See Using SSL for Active Directory Queries.
6. Click Credentials.
a. Click Add.
b. Enter the credential for the domain or DC.
c. Click Test to ensure the credential can successfully authenticate with the domain or DC.
d. Click OK.
7. After you enter domain or DC and credential information, click Search.
A list of Security Groups in the selected domain is displayed.
For performance reasons, a maximum of 250 groups from Active Directory is retrieved. The default filter is an
asterisk (*) which is a wildcard filter that returns all groups. Use the group filter to refine the list.
8. (Optional) Set a filter on the groups that will be retrieved.
Example filters:
a* (returns all group names that start with a)
*d (returns all group names that end with d)
*sql* (returns all groups that contain 'sql' in the name)
9. Click OK.
10. Enter a name and description for the user group.
11. Select the Active check box to activate the user group. Otherwise, clear the check box and activate later.
12. Select the permissions and access levels.
13. Select the Smart Rules and access levels to the rules.
14. Click Create.
User Group Permissions
Permissions must be assigned cumulatively. For example, if you want a BeyondInsight administrator to manage only
Configuration Compliance scans, then you must assign Read and Write for the following permissions:
Asset Management, Benchmark Compliance, Reports Management, Scan - Job Management, Scan Management.
The following table provides information on the permissions that you can assign to your user groups.
Permission Name – Apply Read and Write to…
• Analytics and Reporting – Sign in to the console, generate reports, and subscribe to reports. After you create a user group, go to the Configure tab in the reporting console and run the process daily cube job. Data between the management console and the reporting cube must be synchronized.
• Asset Management – Create Smart Rules; edit or delete on the Asset Details window; create Active Directory queries; create address groups.
• Attribute Management – Add, rename, delete attributes when managing user groups.
• Audit Manager – Provides access to the Audit Manager tab under the Configure tab in the management console.
• Audit Viewer – Use the Audit Viewer in the Analytics and Reporting console.
• Benchmark Compliance – Configure and run benchmark compliance scans.
• BeyondInsight Login – Access the BeyondInsight management console.
• Credential Management – Add and change credentials when running scans and deploying policies.
• Dashboard – Provides access to the dashboard on the BeyondInsight management console.
• Deployment – Activate the Deploy button.
• File Integrity Monitoring – Work with File Integrity rules.
• License Reporting – Provides access to the Licensing folder in Analytics & Reporting (MSP reports, PowerBroker Windows, PowerBroker Mac true-up reports, and Assets Scanned report).
• Manual Range Entry – Allows the user to manually enter ranges for Scans and Deployments rather than being restricted to Smart Groups. The specified ranges must be within the selected Smart Group.
• Option Management – Change the application options settings (such as account lockout and account password settings).
• Patch Management – Use the Patch Management module.
• PowerBroker for Unix & Linux – Use the PowerBroker Servers module.
• PowerBroker for Windows – Activates access to the PowerBroker for Windows features, including PBW asset details and the exclusions page on the Configure tab.
• Protection Policy Management – Activate the protection policy feature. User groups can deploy policies, and manage protection policies on the Configure tab.
• Reports Management – Run scans, create reports, create report category.
• Scan - Audit Groups – Create, delete, update and revert Audit Group settings.
• Scan - Job Management – Activate Scan and Start Scan buttons. Activates Abort, Resume, Pause and Delete on the Job Details page.
• Scan - Policy Manager – Activate the settings on the Edit Scan Settings view.
• Scan - Port Groups – Create, delete, update and revert Port Group settings.
• Scan Management – Delete, edit, duplicate, and rename reports on the Manage Report Templates. Activate New Report and New Report Category. Activate Update button on the Edit Scan Settings view.
• Session Monitoring – Use the Session Monitoring features.
• Ticket System – View and use the ticket system.
• Ticket System Management – Mark a ticket as Inactive. The ticket no longer exists when Inactive is selected.
• User Accounts Management – Add, delete, or change user groups and user accounts.
• User Audits – View audit details for management console users (Configure tab, User Audits window).
• Vulnerability Exclusions – Select to prevent users from setting exclusions. For more information, see Excluding Vulnerabilities.
Access Levels
Access Level – Description
• No Access – Neither Read nor Write check boxes are selected. Users can only view the dashboard and corresponding views.
• Read – Users can view selected areas, but cannot change information.
• Read and Write – Users can view and change information for the selected area.
Permissions Required for Configuration Options
Configure tab option – Permission
• Accounts – Everyone can access. Users without User Account Management permission can only edit their own user record.
• Active Directory Queries – Asset Management
• Address Groups – Asset Management
• Attributes – Asset Management
• Benchmark Management – Benchmark Compliance
• Connectors – Asset Management, BeyondInsight Login
• Organizations – User Accounts Management
• Patch Management – Patch Management
• Password Safe Connections – Member of the built-in BeyondInsight Administrators group
• PBW Module – BeyondInsight Login, PowerBroker for Windows
• Protection Policies – Everyone can access
• Scan Options – Scan Management
• SCCM – Patch Management
• Services – Member of the built-in BeyondInsight Administrators group
• User Audits – User Audits
• Workgroups – User Accounts Management
Creating User Accounts
User accounts create the user identity that BeyondInsight uses to authenticate and authorize access to specific
system resources.
When you delete a user account or group that is assigned tickets, a dialog box is displayed where you can reassign
the ticket to another user or group.
A user account must be a member in a user group.
Checkpoint
You must create a user group before you can create a user account. For more information, see Creating a User
Group.
To create a user account:
1. Select the Configure tab, and then select the Accounts tab.
2. From the Groups/Users button select the Groups view.
3. Select a user group.
4. Click + in the Users pane.
To edit a user, select the user account. The User Details pane is displayed.
5. Complete the First Name, Email Address, User Name, Password, and Confirm Password. These fields are
required.
Note: If you are changing the password, see Reset BeyondInsight Account Password.
6. Enter the user’s phone numbers (optional).
7. Select an Activation Date and an Expiration Date for the user account.
8. Select the User Active check box to activate the user account.
9. Select the Account Locked check box to lock the account.
10. Select one or more user groups from the list and click Add.
11. Click Create.
Later, after you create a user, you can change the group membership. Change the view to the Users view. Select a
user account and change the group membership.
Reset BeyondInsight Account Password
You can change the password for a BeyondInsight user account.
To reset a user password:
1. Select the Configure tab then select the Accounts tab.
2. Select the user name from the Users pane.
3. Click Reset Password.
4. Enter the new password.
5. Click Update.
Auditing BeyondInsight Users
You can track the activities of your BeyondInsight administrators.
You can review:
• Logon and log off times
• IP address where the admin logged on from
• Any actions taken. For example, configure user settings.
If there are a lot of audit activities, you can use the search feature to display only those that are relevant. You can
also configure display preferences and filters to refine the information displayed. For more information, see
Changing the Display.
The following screen capture shows an example.
Adding Credentials
You can create the following credential types:
• SSH. See Creating an SSH Credential.
• Windows
• MySQL
• Microsoft SQL Server
• Oracle. See Creating Oracle Credentials.
• Web Essentials. See Creating Web Essentials Credentials.
• Active Directory Access
Retina scanner version 5.14 (or later) is required to support this feature.
To add a credential:
1. Click the Configure tab, and then select Credentials Management.
2. Click Add.
3. Select a credential type from the list: Any, Windows, MySQL, MS SQL Server.
4. Enter the user account information: domain, user name, password, and key.
5. If you are creating Microsoft SQL Server credentials, select the authentication type.
6. If you are creating more than one credential, you can use the same confirmation key for all credentials. Select
the Use the same key for all check box, and then enter the key.
7. Click Save.
Creating an SSH Credential
You can create public-key credentials to connect to targets that accept SSH. The credential holds the public/private
key pair used for the SSH connection.
DSA and RSA key formats are supported. Prefer RSA where the target allows it: OpenSSH has disabled DSA (ssh-dss) keys
by default since version 7.0, so a DSA credential may be rejected by current targets.
Optionally, when configuring SSH, you can select to elevate the credential:
• Use sudo. Using sudo, you can access scan targets that are not configured to allow root accounts to log on
remotely. You can log on as a normal user and sudo to a more privileged account. Additionally, you can use
sudo to elevate the same account to get more permissions.
• Use pbrun. Using pbrun, you can elevate the credential when working with PowerBroker Servers for Unix &
Linux target assets.
To create an SSH credential:
1. Click the Configure tab, and then select Credentials Management.
2. Click Add.
3. From the Credential Type list, select SSH.
4. Enter a description and user name.
5. Select an authentication type from the list:
– Password - Enter a password.
– Public Key - Enter the private key file name and passphrase. Click Browse to navigate to the file.
A public key is generated based on the contents of the private key.
6. Enter a description and key.
7. To elevate credentials, select one of the following from the Elevation list (elevating credentials is optional):
– sudo – Enter a sudo user name and password. To elevate the account entered in the Username box, leave the
sudo user name blank.
– pbrun – Enter the pbrun user name.
8. Click Save.
Creating Oracle Credentials
If you are scanning Oracle databases, you can create Oracle credentials.
The tnsnames.ora file is updated automatically after you create an Oracle credential.
To create Oracle credentials:
1. Click the Configure tab, and then select Credentials Management.
2. Click Add.
3. From the Credential Type list, select Oracle.
4. Provide a user name, description, and password.
5. Select an access level from the list: Standard, SYSDBA, or SYSOPER.
6. Select additional connection options:
– Connect To - Select from: Database SID, Named Service.
– Database SID - Enter the database SID.
– Protocol - Select a protocol: TCP, TCPS, NMP.
– Host - Enter the host name where the Oracle database resides.
– Port Number - Enter a port number.
7. Enter a key.
8. Click Save.
Creating SNMP Credentials
If you are scanning devices that are managed using an SNMP community, you can add your community strings
here.
To add an SNMP community string:
1. Click the Configure tab, and then select Credentials Management.
2. From the Type list, select SNMP.
3. Enter a description, key and the community string.
4. Click Save.
Creating Web Essentials Credentials
1. Click the Configure tab, and then select Credentials Management.
2. Click Add.
3. From the Credential Type list, select Web Essentials.
4. Enter a description for the credentials.
5. Enter a confirmation key.
6. Enter the user names and passwords for the sites.
7. Click Save.
Adding Credentials for Active Directory Access
You can add credentials to access a particular Active Directory domain. Add credentials for each forest/domain
combination.
To add Active Directory credentials:
1. Click the Configure tab then select the Accounts tab.
2. Click + and select Active Directory Group.
3. Click Credentials.
4. Click Add.
5. Enter the forest name, domain name, user name, and password.
Enter the user name using the format: <domain name>\user name. Otherwise, the domain you enter in the
Domain box is used.
6. Click Test.
Success is displayed when the credentials provided can successfully contact the domain.
7. Click OK.
Discovery Scanning
Run a discovery scan to locate network assets, such as workstations, routers, laptops, and printers. A discovery scan
also determines if an IP address is active.
You can periodically repeat the discovery scans to verify the status of devices and programs and the delta between
the current and previous scan.
Note that discovered assets do not count toward your license.
Running a Discovery Scan
You run a discovery scan in the same way as a vulnerability scan. See Running a Vulnerability Scan for a step-by-step
procedure.
Review the following recommended discovery scan settings:
• On the Set Scan Options page, setting credentials is not required. Credentials are recommended for other scan
templates, but a discovery scan should detect every type of system, and that does not need credentials.
After assets are detected, you can run audit scans with credentials to get more thorough results.
• On the Scan Policy Options page, the following settings are recommended:
– Perform OS Detection - Select this check box.
– Perform Traceroute - Select this check box.
– Enumerate [parameter] Via NetBIOS - Clear all Enumerate check boxes.
– Randomize Target List - Select this check box.
Change these settings on the Edit Scan Settings page. See Configuring Scan Settings.
• Discovery ports. The default TCP discovery port list is 21, 22, 23, 25, 80, 110, 139, 443, 445, 554, 1433, 3389.
• Use more than one scanner to distribute the coverage across the network.
Discovering Assets Using a Smart Group
You can discover assets when the Smart Group filter is an address group, Active Directory query, or Cloud
connector.
Any assets online since the Smart Group was last processed are detected when the Use to discover new check box
is selected.
The scan results on the Assets page reflect the number of assets found.
If you create an address group that includes a /19 CIDR block, that range includes 8190 potential assets
(8192 addresses less the network and broadcast addresses), and the discovery scan always tries to reach that
many. Keep this in mind when you are reviewing scan results.
Key steps:
• Create an address group or Active Directory query that includes the IP address range or domain. See the step-
by-step procedures: Creating an Active Directory Query or Creating an Address Group.
Alternatively, you can create the address group or query on-the-fly when you are creating the Smart Group.
• Create a Smart Group that includes the address group or query as the filter. Ensure the discover assets check
box is selected.
Note that you can use the Discover New assets check box on any scan. However, the scan is slower when this
option is selected.
It is recommended that you run a discovery scan at a regular interval (for example, monthly or weekly schedule).
Full vulnerability scans can then run only on known targets.
Discovering Assets Manually
You can discover assets manually by entering a host name, IP address or address range when running a discovery
scan.
Running a Vulnerability Scan
Before setting up your scan settings, ensure the following is in place:
• When you run a scan, you must select a report template to determine the scope of the scanning. For a
complete list of report templates, see Reports Templates and Audit Groups.
• Determine the assets to include in the scan. For example, you can create Smart Groups, enter IP address
ranges, or list named hosts.
Note that on the Assets page, you can individually select the assets to scan.
Tip: Ad hoc Scanning
You can enter any combination of IP address, IP address range, and CIDR
notation in the Named Hosts box. Separate the entries using a comma.
For example, 10.10.10.20, 10.10.10.4-10.10.10.8, 192.168.1.0/24
Note, however, that no error message is displayed for an invalid entry: the entry is silently skipped and is
not scanned, so check the list before you start the scan.
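The tip above and the /19 note under Discovering Assets Using a Smart Group come down to the same question: how many targets does a Named Hosts string expand to, and which entries will the dialog drop without telling you. The following Python script is an added example, not BeyondInsight code. It uses only the standard library ipaddress module, accepts the three entry forms the guide lists (single address, start-end range, CIDR block), counts usable hosts the way the guide counts a /19 (network and broadcast addresses excluded), and reports entries that would be silently skipped. Plain DNS host names are also accepted; how the dialog itself validates named hosts is not stated in the guide, so the RFC 1123 host-name rule used here is an assumption.

```python
"""Validate a Named Hosts string before pasting it into the BeyondInsight scan dialog.

Added example, not BeyondTrust code. Standard library only.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# RFC 1123 host name: dot-separated labels of 1-63 letters, digits or hyphens,
# no leading or trailing hyphen. (Assumption: the guide does not say how the
# dialog validates named hosts; this is the usual rule.)
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)
_DOTTED_DIGITS = re.compile(r"^[0-9.]+$")


@dataclass
class TargetSummary:
    valid: list = field(default_factory=list)    # entries the scanner will accept, as typed
    invalid: list = field(default_factory=list)  # entries the dialog would drop without an error
    total: int = 0                               # addresses/hosts the scan will try to reach


def _usable_hosts(net) -> int:
    """Host count the way the guide counts a /19 (8190): network and broadcast
    addresses are not scanned; /31 and /32 (or the IPv6 equivalents) reserve none."""
    if net.prefixlen >= net.max_prefixlen - 1:
        return net.num_addresses
    return net.num_addresses - 2


def _parse_ip(text: str):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _count_entry(entry: str) -> int:
    """Return how many targets one entry expands to, or 0 if the dialog would not scan it."""
    if "/" in entry:                                   # CIDR notation
        try:
            # strict=False accepts 192.168.1.1/24 and normalises it to 192.168.1.0/24
            return _usable_hosts(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            return 0
    if entry.count("-") == 1:                          # start-end address range
        start, end = (_parse_ip(p.strip()) for p in entry.split("-"))
        if start is not None and end is not None:
            if start.version == end.version and start <= end:
                return int(end) - int(start) + 1
            return 0                                   # reversed range, e.g. 10.10.10.8-10.10.10.4
        # otherwise a hyphenated host name such as web-01.example.com: fall through
    if _parse_ip(entry) is not None:                   # single IPv4/IPv6 address
        return 1
    if _DOTTED_DIGITS.match(entry) or ":" in entry:    # meant as an address but malformed, e.g. 10.10.10.300
        return 0
    return 1 if _HOSTNAME.match(entry) else 0          # named host


def parse_targets(spec: str) -> TargetSummary:
    """Parse a comma-separated Named Hosts string and report what the scanner would and would not try."""
    summary = TargetSummary()
    for raw in spec.split(","):
        entry = raw.strip()
        if not entry:
            continue                                   # a trailing comma is harmless
        count = _count_entry(entry)
        if count:
            summary.valid.append(entry)
            summary.total += count
        else:
            summary.invalid.append(entry)
    return summary


if __name__ == "__main__":
    # Constructed input: the guide's example plus two entries the dialog would swallow silently.
    result = parse_targets("10.10.10.20, 10.10.10.4-10.10.10.8, 192.168.1.0/24, 10.10.10.300, 10.0.0.0/19")
    print(f"{result.total} targets will be attempted")
    if result.invalid:
        print("dropped without an error:", ", ".join(result.invalid))
```

Run it on the exact string you intend to paste. A non-empty invalid list means the dialog would accept the string but scan less than you think; a large total (a /19 alone is 8190) is a hint to split the job across scanners or narrow the range before a recurring schedule is attached to it.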
To run a scan:
1. Select the Dashboard tab and click Assess; or select the Assets tab and click Scan.
2. Select a report and click Scan.
3. Expand Scan and select one of the following:
Currently selected Smart Group, Currently selected Assets, a Single IP, an IP Range, a CIDR Notation, or Named
Hosts for the assets selected.
You can enter more than one named host. Separate the entries using a comma.
If you select Currently selected assets and select a schedule other than Immediate, then BeyondInsight
automatically updates the scheduled job on the agent with the list of assets in the selected Smart Group as they
change.
4. Benchmark scans only. Expand Benchmark Compliance Profile and select a scan profile.
5. Expand Credentials Management and enter the credentials.
Click Test Credential to ensure the correct credentials are entered. You can use Active Directory credentials
or BeyondInsight web server credentials. The test applies only to Windows credentials, and it verifies the
credential itself, not access to the target assets.
You can store credentials to reuse later. For more information, see Adding Credentials.
a. To add credentials, click the pencil.
b. Click Add.
c. Enter the password, description, and key.
d. If you are creating more than one credential, you can use the same confirmation key for all credentials.
Select the Use the same key for all check box, and then enter the key.
e. Click Save.
f. Select the new credential and click OK.
6. Expand Report Delivery to select the report delivery options.
– Export type - Select a report format: PDF, DOC, XLS, NONE.
The export types available depend on the report selected.
– Do not create a report for this vulnerability scan - Select this option if you want to only scan and collect
the results. No report will be generated.
– Notify when complete - Select the check box and enter email addresses. Separate entries using a comma.
Alternatively, click + and select users or user groups.
Email notification is sent when the scan and report are complete.
– Email report to - Select the check box and enter email addresses. Separate entries using a comma.
Alternatively, click + and select users or user groups.
The report will be emailed to the users entered.
7. Expand Advanced to select the agent to run the scan.
– Job Name - Type a job name. Otherwise, the default job name is used.
– Agent - Select the computer where the Retina scanner resides.
– Use job-specific Scan Restrictions - Select the check box to display a scheduling grid. Click the squares to
set the restricted time frame. Scans will not run during those times.
If scans are scheduled to run during a scan restriction, the scan can be aborted when the restriction
window starts. Select the check box to apply this setting.
For more information, see Setting Restrictions on Scan Times.
– Benchmark Scans only. Store OVAL Test in database - Select the check box to store OVAL test results to
the database.
8. Expand Schedule to select a schedule:
Note: If the server and client computers are located in different time zones, the scan runs during the server
time zone. This applies to one-time scans and recurring schedules.
– Immediate - Select to run the job now.
– One Time - Select to schedule jobs to run one time. Select the start time and date.
– Recurring - Select one of the following:
– Daily – schedules jobs for weekdays, or every x number of days. Enter the number of days.
– Weekly – schedules jobs every week selected (1-52), starting on the day of the week selected.
– Monthly – schedules jobs for the day of the month selected for every month selected. Options
include the first/second/third/fourth and last day of the month selected.
You can delete or change the recurring scan job later on the Jobs page. See Managing Jobs.
9. Select the Use the time zone of selected scanner check box if you want to use the time zone where a remote
Retina scanner resides.
10. Select Abort the scan if it takes longer than and enter the time in minutes to restrict the length of time the
scan runs.
11. Click Start Scan.
12. Click Show Status to view the progress of the scan. You can also view the progress on the dashboard or
through the Jobs page.
Reviewing Vulnerability Scan Results
After you run vulnerability scans you can review the results to determine the assets that are vulnerable and
require remediation. The scan results include the following key details about a particular vulnerability (if the
information is available):
• Audit ID
• CVE IDs
• CWE IDs
• Microsoft Bulletin ID
• CVSS Score
• Ports
• Mitigation
You can view vulnerabilities that can be exploited. For any vulnerability with a CVE-ID, exploit information
associated with the CVE-ID is also displayed. In some cases, exploits are displayed that are not associated with a
CVE-ID.
The Microsoft Exploitability Index is also included in the Exploits information. The index values correspond to the
values that are provided in security bulletins issued from Microsoft. For more information on interpreting the index
values, refer to Microsoft documentation.
You can set display preferences and create filters to change the information displayed on the Vulnerabilities page.
For more information, see Changing the Display.
To review the results:
1. Select the Assets tab.
2. Select Vulnerabilities.
Click the expand icons to enlarge the vulnerabilities pane.
You can create Smart Rules based on vulnerabilities. Using this tool can provide additional filtering for selected
assets.
3. Click i to view more information about a vulnerability.
4. On the Vulnerabilities Details pane, select the following to review more information:
– Description - Click the button to view information about the vulnerability, including a solution.
– Audits - Lists the ID and name for the audits included in the scan.
– Exploits - The number indicates the known exploits for the vulnerability.
Click the button to review the database, module, and module URL.
– References - The number indicates the available resources for remediation of the vulnerability.
Click the button to view the list of references. Select a web site to find out more information on the
vulnerability.
– Assets - The number indicates the assets affected by the vulnerability.
Click the button to review the asset information.
– Patches - The number indicates the patches that can fix the vulnerability.
Click the button to review more information about the patches.
For more information, see Managing Patch Updates.
You can also set or remove an exclusion property on the vulnerability. For more information, see
Excluding Vulnerabilities.
Creating a Quick Rule
After you run a scan, you can organize assets linked to a specific vulnerability, attack, or malware by creating a
Quick Rule.
In the Attacks, Vulnerabilities, or Malware view, you can click the arrow to create a Quick Rule that instantly creates
a grouping of assets in the Smart Groups pane.
Excluding Vulnerabilities
You can exclude vulnerabilities from the display and only view those that require remediation to satisfy regulatory
compliance.
Depending on your environment, accepted risks or false positives might be reported in the scan. For example, if
anonymous FTP is configured deliberately on your network, the scan reports it as a vulnerability. Because a finding
of this kind does not require remediation (a patch or compliance update), you can exclude it from the results.
Records for exclusions reside in the database. During an audit, you can remove the exclusion on the record.
You can run the Vulnerability Exclusions report to keep track of the exclusions. The report includes the reason for
the exclusion and the expiry date.
In some situations, you might not want all of your users to set an exclusion on a vulnerability. You can set the
permission Vulnerability Exclusions when creating a user group. For more information, see Creating User Groups.
Note: Vulnerability exclusions do not apply to the parent Smart Group when the exclusion is set at a child Smart
Group.
To set or remove the exclusion property on a vulnerability:
1. Select the Assets tab.
2. Select the Vulnerabilities tab.
3. Click the Exclusions check box for a vulnerability.
4. On the Manage Vulnerability Exclusion dialog box, select the options:
– Action - Select to set or remove the exclusion.
– Exclude Vulnerability - Select the Smart Group where you want to apply the exclusion.
You can also select Globally. The exclusion applies to all assets.
– Reason/Note - Provide a detailed description on why the vulnerability is excluded.
For example, you might want to note that the vulnerability is an accepted false positive.
The reason is required and is displayed in the Vulnerability Exclusions report to help you keep track of the
exclusions.
– Expiration Date - Select the expiration date on the exclusion.
5. Click Save.
Editing Exclusion Properties
You can change the following properties for an exclusion: scope and reason. You can change the properties
without having to create a new exclusion. Click the pencil icon to change the settings.
All of the exclusions set on the vulnerability are listed here.
Note that you cannot change the expiration date.
Malware Toolkit Vulnerabilities
A malware toolkit can be detected if there is one associated with a vulnerability.
To see if a vulnerability belongs to a malware toolkit:
1. Select the Assets tab.
2. Select the Vulnerabilities tab.
3. Select a vulnerability and click the i.
A red T indicates that the vulnerability is associated with a malware toolkit.
4. Click View Toolkits.
Review more information about the malware toolkit and the recommended mitigation action.
Remediating Vulnerabilities
You can remediate vulnerabilities by viewing solutions on the Vulnerability Details page.
You can use the ticket system to assign a vulnerability or attack to a member of your security team. See Working
with Tickets.
1. Select the Assets tab, and then click Vulnerabilities.
2. Click i for a vulnerability.
A description and solution are displayed.
The Mitigation column provides information on the action to take to remediate the vulnerability.
Setting CVSS Metrics
Depending on your security plan, you might want to change CVSS scores. Changing the score indicates to your
security team the urgency to remediate a vulnerability.
You can change the base and temporal values to change the CVSS score (depending on the weight of the
vulnerability and the urgent nature to remediate the vulnerability).
You can configure:
• Environmental scores using the Smart Rules Manager.
• Base and temporal scores using the Vulnerability Details page.
You must be familiar with CVSS scoring definitions and concepts. Refer to the CVSS Scoring Guide.
Setting CVSS Environmental Metrics
The environmental metrics are based on your security plans. Determine the level of impact a vulnerability has on
your assets and assign environmental metrics accordingly.
You can create a Smart Group that includes the assets where you want to assign the environmental metrics.
To set the environmental metrics on assets:
1. Select the Assets tab.
2. Click Manage Smart Rules.
3. Click New Rule.
4. Enter a name and description, and set the Smart Rule criteria that determines the scope of the assets.
5. In the Perform Actions area, select Set Environmental CVSS Metrics.
6. Select the metrics from the corresponding lists.
7. Click Save.
Later, when you edit the Smart Group, the Show asset as Smart Group list is also displayed.
Setting Base and Temporal Metrics
After you create a Smart Group that contains the assets with the preferred environmental metrics, you can update
CVSS scores on the Vulnerabilities page.
To change the CVSS metrics for a vulnerability:
1. Select the Assets tab.
2. Select the Smart Group with the environment metrics configured.
3. Click Vulnerabilities.
4. Select a vulnerability, and then click i.
5. Click the pencil.
6. Change the base and temporal values.
The CVSS score and CVSS vector change as you change the base and temporal metrics.
Click the vector link to go to the National Vulnerability Database CVSS v.2 Calculator web site.
7. Click Save.
Editing Scan Settings
The following scan settings can be set when you are configuring an audit scan:
• Audits. An audit contains the vulnerabilities and risks that you want to search for on your selected assets. The
audit information is organized in audit groups.
The audit groups provided are industry standard and include: SANS20(All), SANS20(Windows), and Zero-day.
For a complete list, see Audit Groups.
• Ports. Select the port or port group ranges that you want to include in the scan.
• Options. Select scan policy options, advanced options, and remote agent settings.
To configure an audit scan:
1. Click the Reports tab, and then click Manage Report Templates.
2. Select the report and click the arrow to display the menu.
3. Select Edit Scan Settings.
4. Select Audits, and then drag an audit group to the scan settings pane.
To search for an audit group, type the audit group name in the Search box. For more information, see Audit
Groups.
5. Select Ports, and then drag port groups to the scan settings pane.
To search for a port group, type the port group name in the Search box. For more information, see Port
Groups.
6. Select Options.
7. Expand Scan Policy Options and select the scan options:
– Perform OS Detection - Determines the operating system for the target.
– Get Reverse DNS - Scans for reverse Domain Name System (rDNS) and retrieves the domain name for the
target IP address.
– Get NetBIOS Name - Scans for a Network Basic Input/Output System.
– Get MAC Address - Scans for the Media Access Control address or unique hardware number.
– Perform Traceroute - Determines packet routes across an IP network.
– Enumerate [parameter] Via NetBIOS - Uses the NetBIOS protocol to determine and list audits specified in
the Audit Group.
The parameters include registry, users, shares, files, hotfixes, named pipes, machine information, audit
policy, per-user registry settings, groups, processes, user and group privileges and software.
– Maximum Number of Users to Enumerate - Sets a maximum number of users for providing detailed
descriptions.
All users are enumerated if you set the value to 0.
– Hardware - Determines the hardware for the target.
– Perform Web Scanning - Scans remote web servers and audits installed applications.
– Web Scan Depth - Sets the number of links to follow from the home page.
– Perform Database Scanning - Scans remote database instances.
8. Expand the Advanced Options and select the scan options:
Note: Performance issues may be experienced when running a Connect Scan, Force Scan, and UDP Scan
simultaneously. These instruct the scanner to negotiate a full connection to each port on each device.
On a /16 (Class B) network, you could be waiting for up to 65,534 hosts to time out on up to 65,535
connections each.
– Enable Connect Scan Mode - Use when other methods are unreliable, for example over a slow dial-up link.
The operating system negotiates a full connection to each device. Because the other port scanning
methods are not used, the scanner cannot determine a number of items, such as the operating system.
– Enable Force Scan - Run if the targeted devices are not going to answer SYN or ICMP scanning.
Forces the scanner to run protocol discovery on each port of each device to determine the protocol.
Only use in a highly locked down network where the standard port scanning methods will be filtered or
blocked. Force Scan should not be used in IP ranges.
– Extended UDP Scan - Runs a complete scan on all User Datagram Protocol (UDP) frames without timing
out.
Forces the scanner to expect an answer. The IP will eventually timeout.
– Disable Tarpit Detection - Stops tarpit detection.
A TCP tarpit deliberately holds connections open and starves them, for example by advertising a zero or very
small TCP window, so that each connection crawls. This can cause incorrect scan results.
To scan systems running tarpits, configure the tarpit to allow unimpeded connections from the scanner.
– Detailed Audit Status - Retrieves data on the port, operating system and protocol scanned and details the
vulnerabilities open, fixed and not verified.
– Randomized Target List - Uses a random list of target assets to scan rather than a sequential list of IP
addresses.
This load balances the target IP list across the network by distributing the target list across subnets rather
than running all the targets in a subnet at the same time sequentially.
9. Expand Retina Local Scan Service Options to set the following:
– Perform Local Scanning - Deploys a remote scanner to target assets during a scan. Deploy a remote
scanner to run WMI and remote registry scans.
After the scan runs, the deployed remote agent is removed from the asset.
– Enumerate Ports via Local Scan Service - Enumerates local ports using netstat, including active
connections and the program or service using the port. OFF by default.
– Enable WMI Service - Starts (and then stops) the WMI service. The service is only active during the scan.
OFF by default.
– Enable Remote Registry Service - Starts (and then stops) the remote registry on a target. The service is
only active during the scan. OFF by default.
10. Click Update.
Working with Audit Groups
BeyondInsight ships with audit groups that are populated with audits. Each audit group has a preconfigured set of
audits.
On the Scan settings page for an audit group, you can:
• Change the audits in the audit group
• Create an audit group
• Copy an audit group
• Create an audit. For more information, see Creating a Custom Audit.
• Revert the settings to the default values
Note that you cannot delete an audit group that ships with BeyondInsight.
To manage audit groups:
1. Click the Reports tab, and then click Manage Report Templates.
2. Select a report and click the arrow to display the menu.
3. Select Edit Scan Settings.
4. Select Audits in the Settings pane.
To search for an audit group, type the name in the Search box.
5. Click Manage in the Audit Groups pane to:
– Edit an audit – Select the audit and click the pencil icon. You cannot change all audits. Select All Editable
Audits from the Show list to display all audits that you can change.
– Create an audit group – Click + at the bottom of the Audit Groups pane. Enter the name of the new audit
group.
– Copy an audit group – Click the copy icon. Enter a name and click Copy.
– Edit an audit group – Select the audit group from the Audit Groups pane. You can also type the name of
the audit group in the box to search for the audit group.
6. Select the Automatically enable new audits in this group check box to add all the new audits selected when
created.
7. Click Revert to revert to either the last saved version of the selected audit group or the default value.
8. Click Update.
Exporting an Audit Group
You can export an audit group and all audits associated with that audit group (including custom settings for an
audit).
To export an audit group:
1. Select the Configure tab, and then select Audit Manager.
2. Click the export icon.
3. Click Yes on the Save Export dialog box.
4. Select the location for the file, and then click Save.
Importing an Audit Group
On the import, you can choose to overwrite the audit group or merge with an existing audit group.
The Audits version that you export from must match the version for the BeyondInsight install you are importing to.
Verify the version from the Help menu: Help > About BeyondInsight.
Note that if you decide to merge audit groups, the settings on the group you are importing take precedence over
the existing group.
To import an audit group:
1. Select the Configure tab, and then select Audit Manager.
2. Click the Import an audit group button.
3. You must select whether to merge or replace an audit group (if one exists with the same name).
4. Select the export file, and then click Open.
Working with Port Groups
Port groups contain the list of ports to scan. You can change the ports assigned in a port group, add port groups that
will be available to all audit scans, and delete port groups.
BeyondInsight ships with port groups already configured with a range of ports (for example, HTTP Ports and
Discovery Ports). Note that you cannot delete a port group that ships with BeyondInsight.
To change port groups:
1. Click the Reports tab and then click Manage Report Templates.
2. Select the report and click the arrow to display the menu.
3. Select Edit Scan Settings.
4. Select Ports in the Settings pane.
5. Click Manage in the Port Groups pane to:
Use the Grid Size slider to adjust the view.
– Add a port group – Click + on the Port Groups pane. Enter the name of the port group and click Create.
– Edit a port group – Select the port group from the Port Groups pane. You can also type the name of the
port group in the box to search for and display the port group.
– Remove a port from a group – Select the port, and then select Clear from the Protocol menu.
– Add a port or group of ports – Select the ports, and then select the protocol from the list: Both, TCP, UDP.
The grid is updated with the corresponding color of the protocol.
To select multiple ports, click and drag across the range. Alternatively, enter the port number or port number
range in the Select Ports box and click the arrow.
6. Click Revert to cancel your changes.
7. Click Update.
Creating a Custom Audit
You can create an audit that addresses particular risks or vulnerabilities that you want to protect your assets from.
You can select the rule category, risk level associated with the rule, audit type and details. For example, you can
create the following audit: ensure the latest service pack and particular hotfix has been installed for Windows 2003
OS 32-bit/64-bit.
To create customized audit scan settings:
1. Click the Reports tab, and then click Manage Report Templates.
2. Select the report and click the arrow to display the menu.
3. Select Edit Scan Settings.
4. Select Audits in the Settings pane.
5. Click Manage in the Audit Groups pane.
6. Click +New Audit to start the Audit wizard.
7. Click Next.
8. On the Audit Description page:
a. Type the audit name.
b. Select the audit category, such as Database, Mail Servers, Miscellaneous, or Windows.
c. From the Risk Level list, select the severity level that corresponds to the severity of the vulnerability:
– High - Risks that allow a non-trusted user to take control of a susceptible host.
Vulnerabilities that severely impact the overall safety and usability of the network.
– Medium - Risks that are serious security threats and would allow a trusted but non-privileged user to
take complete control of a host, or would permit a non-trusted user to disrupt service or gain access to
sensitive information.
– Low - Risks associated with specific or unlikely circumstances. These vulnerabilities can provide an
attacker with information that could be combined with higher-risk vulnerabilities to compromise the
host or users.
– Information - Host information that does not necessarily represent a security threat, but can be
useful to the administrator to assess the security. These alerts are displayed with the list of
vulnerabilities.
d. Describe the vulnerability.
e. Describe how to remediate, investigate or mitigate the vulnerability.
9. On the Audit Type page, select the type of audit:
– Banner - Determines vulnerabilities in the banner information, such as firewall name, IP addresses and
server name.
– CGI Script - Determines vulnerabilities in the common gateway interface that passes a Web user's request
to an application program and receives data back to forward to the user.
– Registry - Detects vulnerabilities by scanning registry entries and values.
– Hotfix - Determines vulnerabilities by scanning service packs, hotfixes and patches.
– File Version - Determines whether a file exists. The audit can check either for the presence or for the absence of the file.
– File Checksum - Determines vulnerabilities based on file checksum comparisons.
Supported values include: MD5, SHA1, SHA256.
Network performance issues might occur if you use this feature. Use this feature with caution.
– Remote Check - Verifies if a specific Unix program or patch is installed on an operating system.
– Mobile Software - Determines if software exists for mobile devices.
– BlackBerry Device - Determines vulnerabilities based on BlackBerry device specifications.
– Share - Determines if a share is accessed by unauthorized users.
The Audit Details page displays parameters based on the audit type that you select in step 9.
10. Enter the information for the audit type, and then click Next.
– Banner audit details - Select the banner protocol, and then type the banner name.
– CGI Script audit details - Type the URL path to the script name.
– Registry - Select Path, Key, or Value from the menu. Select the operating systems that the vulnerability
affects.
Note that the registry path cannot contain the selected Hive value.
– Service Pack – Hotfix - Determines vulnerabilities by scanning service packs, hotfixes and patches.
– File Version - Verifies the software version.
Enter the file name, set file version information (optional), and select operating systems to check.
– File Checksum - Select the file checksum from the list.
Enter a file name, checksum value, and file version. Use an asterisk (*) to compare all file versions.
– Remote Check - Verifies if a specific Unix program or patch is installed on an operating system.
– Mobile Software - Enter the name of the software, and specify whether the software should exist. You can also
audit on the version number.
– BlackBerry Device - Enter model, serial number, device ID, platform version, and OS version.
– Share - Select user account access on the share, type of access on the share, and OS version. Optionally,
list the accounts by SID.
11. On the Vulnerability Details page, enter the BugTraq and CVE details, as needed.
– BugTraq - A security portal dedicated to issues about computer security, such as vulnerabilities, methods
of exploitation and remediation.
– CVE - Common Vulnerabilities and Exposures is a dictionary of publicly known information security
vulnerabilities and exposures.
CVE’s common identifiers enable data exchange between security products and provide a baseline index
point for evaluating coverage of tools and services.
12. On the Audit Wizard Summary page, click the pencil to change the audit information.
13. Click Finish.
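As an added example that is not part of this guide or of the product, the following Python models how a File Checksum audit is evaluated against a file: the checksum type (MD5, SHA1 or SHA256), the expected digest and the version filter (an exact version or *) are the audit's inputs, and the outcome depends on whether the file exists, whether its version is in scope, and whether its digest matches. It assumes that a match to the entered checksum is what makes the audit fire; ChecksumAudit, evaluate and write_sample are names chosen here, and the sample file content is constructed.

```python
"""Checksum audit evaluation, modelled on the File Checksum audit type (added example).

Assumption: the audit fires ("vulnerable") when the file on disk matches the
checksum entered in the wizard, i.e. the checksum identifies a known-bad file.
"""
import hashlib
import hmac
import os
import tempfile
from dataclasses import dataclass

# Checksum types offered by the audit wizard, mapped to hashlib names.
# MD5 and SHA1 are collision-prone; prefer SHA256 when writing new audits.
SUPPORTED = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256"}


@dataclass(frozen=True)
class ChecksumAudit:
    file_name: str
    algorithm: str      # "MD5", "SHA1" or "SHA256"
    checksum: str       # expected hex digest entered in the audit
    file_version: str   # exact version string, or "*" to compare all versions


def digest_bytes(data: bytes, algorithm: str) -> str:
    """Hex digest of in-memory data with one of the supported algorithms."""
    if algorithm not in SUPPORTED:
        raise ValueError(f"unsupported checksum type: {algorithm}")
    return hashlib.new(SUPPORTED[algorithm], data).hexdigest()


def file_digest(path: str, algorithm: str, chunk_size: int = 1 << 16) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    if algorithm not in SUPPORTED:
        raise ValueError(f"unsupported checksum type: {algorithm}")
    h = hashlib.new(SUPPORTED[algorithm])
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def evaluate(audit: ChecksumAudit, path: str, observed_version: str) -> str:
    """Outcome of one audit against one file: missing, skipped, vulnerable or clean."""
    if not os.path.isfile(path):
        return "missing"        # file not present: the audit does not apply
    if audit.file_version != "*" and audit.file_version != observed_version:
        return "skipped"        # version outside the audit's scope
    actual = file_digest(path, audit.algorithm)
    # compare_digest avoids timing leaks; lower() tolerates mixed-case hex input
    if hmac.compare_digest(actual.lower(), audit.checksum.strip().lower()):
        return "vulnerable"
    return "clean"


def write_sample(content: bytes) -> str:
    """Write constructed sample content to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".dll")
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


if __name__ == "__main__":
    sample = write_sample(b"abc")   # constructed stand-in for a scanned binary
    audit = ChecksumAudit("sample.dll", "SHA256", digest_bytes(b"abc", "SHA256"), "*")
    print(evaluate(audit, sample, "1.0.0"))   # vulnerable
    os.remove(sample)
```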
Managing Reports
There are two report template types available:
• Scanning only. For more information, see Managing Scan Report Templates.
• Scanning and running reports on existing data. For more information, see Running a Report on Existing Scan Data.
Running a Report on Existing Scan Data
You can run reports on scan information that is stored in the BeyondInsight database.
You cannot run reports on existing data using the Protection reports.
Checkpoint
– Create a Smart Group to scope the assets to include in the report. For more information, see Creating a
Smart Rule.
Reports will open in a new window. Ensure pop-up blockers are disabled for the management console web site.
To run a report on existing data:
1. Select the Assets tab.
2. Select the assets, and then click Scan.
3. Select the report, and then click Report.
4. Select the report parameters:
Note that the NONE export type provides a snapshot of the data and produces results faster than selecting PDF
output.
By default, the All check box is selected. Be sure to clear the All check box if you want to use specific
parameters for your report. Selecting All uses all criteria available for that parameter.
5. Click Run Report.
Creating Scheduled Reports
To schedule a report:
1. Set the report parameters as described in the preceding procedure (To run a report on existing data).
2. Click Subscription, and then set the following:
– Notify when complete - Select the check box and enter email addresses. Separate entries using a comma.
Alternatively, click + and select users or user groups.
Email notification is sent when the scan and report are complete.
– Email report to - Select the check box and enter email addresses. Separate entries using a comma.
Alternatively, click + and select users or user groups.
The reports will be emailed to the users entered.
– Schedule Type - Select One Time or Recurring.
If you select Recurring, select the frequency of the schedule run times.
3. Click Save after you enter the scheduling information.
Viewing Scheduled Reports in the Calendar View
You can review the scheduled reports in a calendar that shows a summary of the reports scheduled for the month.
To view the scheduled reports for the month:
1. Click the Jobs tab, and then click Scheduled in the Reports section.
2. Click Toggle Calendar.
3. Click the Report icon to open a completed report.
Reviewing Report Results
Expand the document map to view the list of vulnerabilities.
Click the link for the vulnerability in the document map list or in the main report. You can review more information
about the vulnerability such as: description, fix information, references, and CVSS score.
If you export the report to PDF output, the list of vulnerabilities in the document map is displayed as bookmarks in
the PDF.
Creating a Report
You can create a report template based on an existing report template.
A report template consists of:
• Report output settings – Select options to determine how information is presented in the report output.
Includes report sections that present the information collected from the scan
• Scan settings – Select options to determine the data to collect from assets. Includes audits, ports, and additional
scan options that make up the scan
Report templates are organized using report categories.
To create a report:
1. Click the Reports tab, and then click Manage Report Templates.
2. Click New Report.
3. Select a template and click Create.
4. Select a section, and then drag section parts into the section pane.
You can also type the name of a section part in the text box to select it.
Section parts vary based on the report template selected.
5. Select the Shared check box if this report template can be used by other BeyondInsight users.
6. Click Save.
7. Enter the name of the report and the report category.
8. Click Save.
Creating a Report Category
A report category is a container that helps to organize similar reports. Every report that you create must be
assigned to a category.
To create a report category:
1. Click the Reports tab, and then click Manage Report Templates.
2. Click New Report Category.
3. Enter a name for the report category and click Create.
4. Drag an existing report from another category to populate the new category.
Setting Report Output Options
You can select the sections to include in the report, such as cover page and report content.
To change the report output:
1. Click the Reports tab.
2. Select a report and click the arrow to display the menu.
3. Select Edit Report.
4. Select a report section.
For some reports, you can edit parameters on the Header section. Click the pencil icon to display and select
the parameters.
The Section Parts pane displays the sections that you can use. Drag a section part into the middle pane. You can
also enter the name of the Section Parts in the Search box.
5. To remove a section from the report, select the section, and then click the garbage can icon.
6. Click Save.
7. Enter a name for the report and the report category.
8. Click Save.
Customizing the Report Logo
You can change the logo that displays on the BeyondInsight management console reports.
To replace the default logo:
1. Create your image. Ensure the size is 758 x 128 pixels.
2. Name the image reportlogo.jpg.
3. Copy the image to the following location in the BeyondInsight installation directory:
<Install Path>\eEye Digital Security\Retina CS\WebSite\images
The change occurs immediately. All new reports generated will use the new logo.
Any downloaded reports will not change. Download the report again to include the new logo.
Viewing and Downloading Reports
On the Reports tab, you can:
• View reports
• Download a report to PDF format
• Access the Manage Report Templates page. For more information, see Managing Report Templates.
To view and download a report:
1. Click the Reports tab.
2. Select one of the following:
– Double-click a report to view. Or, select a report, and then click i.
– Click the download button and then click Save File to save the report in PDF format. Enter the report
name, or use the default, and then click Save.
– Click the delete button to delete the report.
Managing Report Templates
You can customize template settings, including sections in the report output and scan settings.
To access a report template:
Click the Reports tab, and then click Manage Report Templates.
Select the report template and click the arrow to select a menu item.
– Edit Report. See Setting Report Output Options.
– Duplicate Report. Create a copy of the selected report. Select Edit or Rename from the menu to
continue.
– Rename Report. Enter the new name when prompted.
– Delete Report. Confirm the deletion when prompted.
– Edit Scan Settings. See Configuring Scan Settings.
Setting Report Output Options
You can select the sections to include in the report, such as cover page and report content.
To change the report output:
1. Click the Reports tab.
2. Select a report and click the arrow to display the menu.
3. Select Edit Report.
4. Select a report section.
For some reports, you can edit parameters on the Header section. Click the pencil icon to display and select
the parameters.
5. The Section Parts pane displays the sections that you can use. Drag a section part into the middle pane. You can
also enter the name of the Section Parts in the Search box.
6. To remove a section from the report, select the section, and then click the garbage can icon.
7. Click Save.
8. Enter a name for the report and the report category.
9. Click Save.
Asset Management
Interpreting Scan Results on the Dashboard
To review scan results:
1. Log on to BeyondInsight.
2. Select a date tab to update the view with metrics for the selected date range.
3. Select the Custom dates tab and click the arrow to select a date range.
The middle pane displays the following information:
– Overall Threat Level – Plots attacks and vulnerabilities over time by severity. Change the Counts to display
the results by type. Click on the graph to expand the display.
– Anomalies – Displays higher frequency malware/virus/spyware/attack/vulnerability occurrences, assets
with higher risk, ports/software with lower frequency, expired reports, expired scans, and long scans.
– Asset Risk – Displays the risk for all assets in the environment. Hover over the pie chart to display the
percentage callout. The values on the chart are calculated every 4 hours. For more information on risk
scores, see Risk Scores.
The lower pane displays the following information:
– Critical Alerts – The event date and description.
– Operational Status – Information about scheduled scans.
– Completed Reports – The reports that ran.
1. Click Show Status to display status detail, including the names of scans. Hover over the job icon to see more
details.
2. Click the refresh button to update the information on the dashboard.
Reviewing Asset Details
On the Assets tab you can review your protected assets and determine if there are vulnerabilities, attacks, or
malware compromising your assets.
A scan retrieves the following information from an asset:
• Hardware - Displays disk drive information, system manufacturer, memory and processor information.
• Ports - Displays the open port number, protocol, and description.
• Processes - Displays all the running processes and includes the PID and name of the process.
• Scheduled Tasks - Displays information about the scheduled tasks on that particular asset, including task name,
task to run, last time the task ran, schedule type, etc.
• Services - Displays discovered services, and includes name, description, state (for example, Started, Stopped),
log on details, startup type, and dependencies.
• Shares - Name and description of the shares on the asset.
• Smart Groups - Displays the Smart Groups that the asset is associated with.
• Software - Lists all software discovered on the asset, and includes version.
• Users - Includes several attributes for a user account, including: name, privileges, password age, last logon
date, password expiry status, group membership, and status of the account (Enabled or not).
In addition to the asset properties, the scan includes information about attacks, malware, and detailed information
about vulnerabilities. Depending on the additional modules that you are using, the scan can also include patch details,
PowerBroker for Windows event information, PowerBroker Servers details, and File Integrity Monitoring rule information.
To review asset information:
1. Select the Assets tab, and then select a Smart Group.
Click and to expand the assets pane.
2. Select an asset, and then click i.
You can change properties for an asset. Click Edit. For more information, see Changing Asset Properties.
On the Assets Details pane, select an item to review more information:
Risk Scores
The risk score indicates the potential for an asset to be attacked. You can use the risk score to determine which
assets need the most urgent attention.
The asset risk score is calculated using factors such as: vulnerability, number of attacks, exposure (open ports,
number of users, shares, for example), and overall threat level.
The update interval for the asset risk score is every 4 hours.
Risk scores range from 0 to 9.99:
• 0 indicates a low risk or there is no data available to determine a potential risk.
• 9.99 indicates the highest risk. Asset is most vulnerable to an attack.
An asset risk score is displayed in the following areas:
• Pie chart on the Dashboard page
• On the Assets tab
• Details page for each asset
Deleting Assets
You can remove assets from the Assets list. The assets are removed from the list immediately and later removed
from the database during the nightly data purge.
To delete assets:
1. Log on to BeyondInsight, and then select the Assets tab.
2. Select the assets, and then click X. You can select more than one asset at a time.
3. Click Yes to confirm.
Changing Asset Properties
You can use the Asset wizard to change the following asset properties: owner, active, and asset attributes such as
business unit.
Assign or change attributes to help organize and identify assets. For more information about attributes, see
Working with Attributes.
Run a discovery scan to populate the Assets pane.
To change the details for an asset:
1. Select the Assets tab.
2. Select an asset, and then click the i.
Alternatively, double-click the asset to open the asset details pane.
3. On the Asset Details pane, click Edit.
4. Click Next on the Welcome page of the Asset wizard.
5. On the Edit Asset Details page, select the asset properties.
6. On the Edit Asset Attributes page, select the attribute values and then click Next.
The default attributes that you can apply are: Geography, Business Unit, Criticality, and Manufacturer.
7. Review the settings, and then click Finish.
Managing Database Instances
Run a credential scan using the All Audits scan template. The All Audits scan template enumerates database
information, and includes the following details:
• Database platform and version
• Asset name where the database instance resides
• Database user names and descriptions
Viewing Database Information
After you run a scan, you can view the database information on the Assets page.
1. In the management console, go to the Assets page.
2. Select Databases from the list.
3. Double-click the instance name (or click i) to open the Database Users dialog box.
4. Click Close.
Deleting the Database Instance
You can delete the database instance from the BeyondInsight database.
1. In the management console, go to the Assets page.
2. Select Databases from the list.
3. Click the arrow icon, and then select Delete Databases.
Managing Jobs
On the Jobs page, you can review:
• Active, scheduled, and completed scan jobs
• Active and completed Retina Protection agent deployments
• Active, scheduled, and completed reports
• Scheduled scans and scheduled reports in a calendar view
• SCCM package deployment status
• Windows event details
Reviewing Job Details
You can review job details for a scan (running or complete).
On the Job Details page, you can review the number of assets scanned, the number of processes successfully
scanned, credentials used for the scan, and a drill-down to the assets scanned.
A target is defined in a scan as any combination of: a single IP address, a computer name, a list of IP addresses, a list of
computer names, an IP range, and cloud devices.
An asset is a device that is discovered from the range of targets defined in the scan. For example, the scan
properties include these IP addresses in a range: 10.100.10.20 and 10.100.10.21. During the scan, there might not
be a device attached to 10.100.10.20. That will be reflected in the number shown in the Targets and Assets
displayed on the job details page.
The agent name indicates if the scanner is in a scanner pool. For more information, see Scanner Pooling.
To review job details:
1. Select the Jobs tab.
2. Select the Active tab for the Scans section.
3. Double-click a job to open the Job Details pane.
In the following example, you can review the job details while the job is in progress.
Reviewing Scheduled Job Details
You can change the following settings for a scheduled job:
• Job name
• Smart Rule
• Credentials
• Schedule
The Last Refresh Date indicates the date when the Smart Rule was processed. Assets added or removed after the
Last Refresh Date are not reflected in the Smart Rule.
The Smart Rules are processed every 6 hours. Depending on the schedule and how frequently assets change in
your environment, you might want to change the refresh rate. Otherwise, assets might not be included in the scan
as you expect. For more information, see Refresh Settings.
Double-click the scheduled job to open the details page.
Viewing Scheduled Scans in the Calendar View
You can review the scheduled scans in a calendar that shows a summary of the scans scheduled for the month.
To view the scheduled scans for the month:
1. Click the Jobs tab, and then click Scheduled in the Scans section.
2. Click Toggle Calendar.
3. Click the Report icon to open the report for a completed scan.
Viewing Scan Event Details
You can review a summary of the gathered scan events.
Aborting or Pausing a Job
Select the respective icons to abort or pause a job.
Setting a Scan to Complete
To see this setting, you must be a BeyondInsight Administrator or have the Scan Management permission assigned
to your group.
The setting is only available if there is at least one start job or one stop job event.
To set the scan to complete:
1. Go to the Event Details page on the Jobs page. See Viewing Scan Event Details.
2. Click Set Scan to Complete.
Note: If a scan has stopped running and you click the button, then data that has already been collected might be
lost.
Troubleshooting a Scan Job
You can determine whether a scan job is idle on the Jobs page. If the scan job is shown as idle, you can stop the scan. In
this scenario, the scan data will not be usable and some data might be lost.
The alert icon is displayed if there has been no action on the scan for at least 24 hours.
1. Go to the Jobs page in the management console.
2. Click the alert icon as shown:
3. On the dialog box that opens, click Set Scan to Complete.
Changing Job Page Settings
Click the Job Page settings icon to change display settings.
On the Job Grid Settings dialog box, you can configure the default job type, refresh intervals, and the maximum
number of assets displayed on the page.
Creating Connectors
For information about BeyondSaaS connectors, refer to the BeyondSaaS User Guide.
For more information on third party connectors, refer to the BeyondInsight Third Party Integration Guide.
Overview
A mobility scan scans mobile devices against scan templates to determine if there are any vulnerabilities.
You can use the predefined scan templates that ship with BeyondInsight or create a custom scan template. Create a
custom template to scan for particular device software and hardware versions, for example.
Running a mobility scan also retrieves information such as device ID, model, and serial number for BlackBerry devices,
Android devices, and mobile devices on an ActiveSync server.
After you create a mobility connector, a Smart Group is created. The Smart Group name is the same as the
connector name. The Smart Group is populated with the devices that are detected when a scan runs.
Configuring a BlackBerry Connector
The BES connector, which uses BlackBerry API technology, establishes a connection to the BlackBerry Admin
service to retrieve the device information.
Mobility scans run on the BeyondInsight server, and do not use a scanning agent.
To configure a BlackBerry connector:
1. Click the Configure tab.
2. Click the Connectors tab.
3. Click + in the Connectors pane, and select BlackBerry.
– General - Enter a name and description for the connector.
– Connection Details - Enter the information for the BES host.
Use the port number where BES is configured to listen. Confirm the port number in your BlackBerry
Admin service configuration.
– Scan Options - Select an audit group.
– Synchronization - Select a synchronization schedule.
During a synchronization, all BlackBerry devices connected to the BES host are detected, including software
versions and any vulnerabilities found based on the audit group selected.
4. Click Update.
5. To run the scan now, click Scan Now.
Scan Now is only available after you click Update.
A Smart Group is populated with the devices that are detected when the connector is created. Go to the Assets
page to see the new Smart Group.
Configuring an Android Connector
To configure a connection to an Android mobile device:
• Create connection details on the Configure tab.
• Create a configuration file that you can email to your mobile device users.
When a valid connection is established the audits will be downloaded to the mobile device. Scan results are then
uploaded to the BeyondInsight server.
To configure an Android connector:
1. Click the Configure tab.
2. Click the Connectors tab.
3. Click + in the Connectors pane, and select Android.
– General - Enter a name and description for the connector.
– Connection Details - Enter the authentication key for the Android connector.
Note that this connector opens port 21691 to communicate with Android devices. Ensure this port is
available.
– Scan Options - Select an audit group.
– Synchronization - Select a synchronization schedule.
– Distribution - Click Prepare Configuration File to generate a file that contains the server information for
the connector.
The device user needs the password to run the configuration file.
Select the check box to allow Android devices that are using the configuration file to communicate to the
server using an untrusted SSL certificate.
Although this option is available, it is recommended to use a trusted SSL certificate.
4. Click Update.
After you create a connector, an Android connector Smart Group is displayed in the Assets pane.
If you are using a configuration file, you can distribute the file now using email. Be sure to provide the configuration
file password using another method so the BeyondInsight server information in the configuration file remains
secure.
Deploying the Application to Android Devices
BeyondTrust Scanner for Android is available on Google Play.
If you do not want to install the BeyondTrust Scanner using Google Play, you can download the Android Package
(APK) file from the Android Connector page. To install the BeyondTrust Scanner APK on an Android Device, you
must enable the Unknown Sources setting.
You can manually deploy the app in the following ways:
• Email
– Ensure your Android devices are configured to receive email.
– Email the APK file to the user's email address.
– Select the attachment to start the installation. The Android application installation dialog box is displayed.
• USB
– Connect the Android device to your workstation. If prompted, enable USB File Sharing and Mass Storage
modes.
– After your workstation recognizes the device, copy the APK file.
– Using a file management app from the Android Market (such as EStrongs File Manager or Linda), open the
APK file to start the installation. The Android app installation dialog is displayed.
– After the application has been manually installed on the device, disable the Unknown Sources setting.
Configuring Settings on Android Devices
After the BeyondTrust Scanner is installed on the device, the device user can run the configuration file. The user
must enter the configuration file password before the BeyondTrust Scanner is automatically configured with the
Server information in the file.
If you chose not to distribute the configuration file to your users, you can manually configure each mobile device
using the BeyondTrust Scanner Application’s Settings.
Note that after the mobile device is configured to communicate with a BeyondInsight Server, the Scan Time is
dictated by the Android Connector. Any Scan Time values that have been previously configured in the BeyondTrust
Scanner Application will be ignored.
To manually configure the Android application:
1. Tap the BeyondTrust Scanner application.
2. Set the following on each device:
– Notifications - Tap to turn on notifications.
Updates on the status of scans are displayed to the user.
– Asset Name - Tap to enter the name for the asset.
This is the name that will be displayed on the Asset Details pane in BeyondInsight. By default, this is the
user’s Google account name.
– Allow Untrusted SSL - Tap to allow untrusted SSL.
– Authentication Code - Enter the authentication code that you entered when configuring the connection
in BeyondInsight.
– Server - Enter the IP address and port for the BeyondInsight server.
Enter the default port (21691) that is opened when a connector is created.
3. Click Synchronize.
If your server settings are correct and your server is accessible, a list of Android Connectors that match the
Authentication Code are displayed.
4. To register the device with the BeyondInsight server, select an Android Connector from the list.
Configuring an ActiveSync Connector
Create a connector to an ActiveSync server to scan all mobile devices associated with the server.
Note that currently, BeyondInsight supports Windows Phone 7, iPhones, and Android mobile devices. While other
mobile device types will be detected and scanned, some information might not be displayed (such as device type,
model, OS).
To configure an ActiveSync connector:
1. Click the Configure tab.
2. Click the Connectors tab.
3. Click + in the Connectors pane, and select ActiveSync.
– General - Enter a name and description for the connector.
– Connection Details - Click the Browse button to select the forest and domain where the Exchange Server
resides.
– Credentials - Enter the credentials that can access the Exchange Server.
– Scan Options - Select an audit group.
– Synchronization - Select a synchronization schedule.
4. Click Update.
After you create a connector, an ActiveSync Smart Group is displayed in the Assets pane. The Smart Group will be
populated with assets after a scan runs.
Reviewing Mobility Scan Results
You can review scan results on the Mobile tab.
Double-click a device to open the details page:
Creating Custom Audits for Mobile Devices
You can create a custom audit for your mobile devices.
The procedure to create a custom audit is the same as in Creating a Custom Audit.
You can review the following table for details on audit types and audit details that are specific to mobile devices.
Audit Type - Audit Details
– Mobile Software - Provide information, including: software, if the software exists, operating systems and versions.
– BlackBerry Device - Provide attributes for BlackBerry devices: model, serial number, device ID, version, and operating systems.
– ActiveSync Device - Provide a list of device types and operating systems.
– Android Device - Choose from a list of Android attributes, including: model, manufacturer, release.
Configuring a Qualys API Connector
You can create a connector to a Qualys API server. You can then export your Qualys data to BeyondInsight to run
reports and analytics on the data.
To create a Qualys API connector:
1. Click the Configure tab.
2. Click the Connectors tab.
3. Click +, and then select Qualys.
– General - Enter a name and description for the connector.
– Endpoint Details - Enter the address and credentials for the Qualys API server.
– Connection Details - Enter a name for the workgroup. You can use the name of the Qualys API workgroup.
– Tag Filter Details - Add tag filters for the data that you want to extract from the API server and view in
BeyondInsight.
– Synchronization - Select a synchronization schedule.
4. Click Update.
Cloud Scanning
You can run scans on the following cloud types: Amazon EC2, VMWare vCenter, GoGrid, Rackspace, IBM
SmartCloud, Microsoft Azure, Microsoft Hyper-V, and Google Cloud.
Requirements
Before you create a cloud connector, ensure the following requirements are in place.
Amazon EC2 Requirements
To use the Amazon EC2 connector, you must adhere to the following recommendation from Amazon:
• User accounts must have minimal permissions assigned (for example, describe instances)
The following minimum permissions are required to successfully enumerate a list of targets and run a scan:
• ec2:DescribeInstances
• ec2:DescribeInstanceStatus
• ec2:StartInstances
• ec2:StopInstances
• ec2:DescribeImages
Azure Requirements
The Azure connector will extract virtual machines and load balancers from Resource Manager.
You must create an Azure Active Directory application. For detailed instructions, go to the following web site:
https://azure.microsoft.com/en-gb/documentation/articles/resource-group-create-service-principal-portal/
Google Cloud Requirements
• Key file – You must download a key file from the Google cloud instance. The key file is uploaded when you
create the connector in BeyondInsight.
Note: The key file is not required if your BeyondInsight server is hosted on your Google cloud instance.
• The BeyondInsight service account that you create in the Google cloud instance requires the Compute Engine
Network Viewer role. For more information, go to the following web site:
https://cloud.google.com/compute/docs/access/iam
Hyper-V Requirements
Authenticating with a Remote Server
Note: The steps required for authentication to be successful vary depending on your environment. The
following instructions connect to a Hyper-V virtual machine on the CIMV2 namespace under root (not to a
Hyper-V server).
Set Firewall
1. Open Windows Firewall (Start > Control Panel > Security > Windows Firewall).
2. Select Allow a program or feature through Windows Firewall.
3. Select the Windows Management Instrumentation (WMI) check box, and then select the Public check box.
At this point, requests reach the host but return unauthorized exceptions; previously, the host would not have
been found at all.
Add WMI user to COM Security
1. Start Component Services (using the Run command, enter dcomcnfg.exe).
2. Expand Component Services, then Computers.
3. Right-click My Computer, then select Properties.
4. Click the COM Security tab, in Access Permissions click Edit Limits.
5. Explicitly add the user name you are using for WMI and select Local Access and Remote Access check boxes.
6. Click OK.
7. In Launch and Activation Permissions, click Edit Limits.
8. Add the WMI user, and then select Remote Launch and Remote Activation check boxes.
Change WMI Permissions
1. Start the Computer Management snap-in (using the Run command, enter compmgmt.msc).
2. Expand Services and Applications.
3. Right-click WMI Control, and then select Properties.
4. Click the Security tab.
5. Select Root\CIMV2, and then click Security.
6. Add the user, and then click Advanced.
7. Double-click the user, and select the following check boxes: Enable Account, Remote Enable, Read Security.
8. From the Apply to list, select This namespace and subnamespaces.
9. Restart WMI service.
Test Connection
Use WBEMTest on the local machine (not your Hyper-V server) to test your connection.
1. Run wbemtest.exe from the command prompt.
2. Click Connect.
3. Enter the namespace in this format: \\HOST\root\CIMV2 where host is a computer name on a domain or an IP
address.
4. Enter a username and password.
5. Click Connect.
VMWare VCenter Requirements
You can scan VMWare virtual machines.
Ensure the following requirements are in place before you configure the VMWare connector in BeyondInsight.
• Retina 5.17 or later
• BeyondInsight 3.5 or later
• VMWare Tools must be installed on the targets that you want to scan.
– Log on to the VMWare web site and download the Virtual Disk Development Kit (VDDK):
http://www.vmware.com/support/developer/vddk/
– Retina only supports version 5.1 of the VDDK. Ensure you copy the following file: VMware-vix-disklib-5.1.0-774844.i386.exe
– Run the VDDK installer on the Retina computer using local Administrator credentials.
• BeyondInsight needs access to https://<VMWare server>/sdk through port 443.
Configuring a Cloud Connector
You can configure a cloud connector in one of the following ways:
• On the Configure tab.
• On-the-fly when you are creating a cloud connector Smart Group.
To configure a cloud connector and Smart Group:
1. Select the Assets tab, and then click Manage Smart Rules.
2. Click New Rule, and then enter the name, description, and category.
3. Select Cloud Assets from the Asset Selection Criteria section.
4. Click the browse button to open the Manage Cloud Connections dialog box.
5. Click New.
6. Enter a title, and then select the provider: Amazon AWS, Azure, Hyper-V, VMWare VCenter Server, GoGrid,
Rackspace, IBM SmartCloud, or Google Cloud Platform.
7. Enter the connector information:
– Amazon AWS - For Amazon cloud connections, required fields are: Title, Provider, Region, Access Key ID,
and Secret Access Key.
Instances associated with the region are displayed in the Connection Test Results section.
– Azure - Select the region, enter the client information, tenant ID, and subscription information.
– Hyper-V - Enter the IP address for the server. Provide the logon credential to the Hyper-V server.
– VMWare vCenter - For VMWare cloud connections, enter the VMWare server name and credentials.
Click Advanced to set a network for a VM if that VM needs to be turned on.
If you scan snapshots, the results are displayed as attributes on the details pane for the VM.
– GoGrid - Select the account type, enter the user name and API key.
– Rackspace - Select the account type, enter the user name and API key.
– IBM SmartCloud - Select the region, enter the user name and password.
– Google Cloud Platform - Select the region and project name (the project ID). Click Browse to upload the
key file (the key that you downloaded from the Google Cloud).
After you configure the connector, click Test to ensure the connector works.
8. Click Save.
9. In the Perform Actions area of the Smart Rules Manager, select Show asset as Smart Group, and then click
Save.
After you create a cloud connector, you can run a scan and review the results to determine if any cloud assets are
vulnerable.
Scanning Paused or Offline VMWare Images
By default, paused or offline VMs are turned on during a scan. After the scan runs, the VMs are reverted to the
paused or offline state. To scan offline VMs, see Scanning VMDK Files.
If you suspect that a VM is suspicious, you can turn on the VM in another secure network where other VMs will not
be under potential threat. The scan runs as usual, then the VM is reverted to the paused or offline state.
When creating the connector, click the Advanced button. You can configure each host that is a member of the
vCenter instance.
The option that you select applies to all VMs on the host.
Note: The advanced options dialog box varies depending on your vCenter configuration. The list of available
options includes all other networks configured for your vCenter instance or on your ESX server.
Scanning VMDK Files
You can scan a VMDK file rather than turning on a VM. Ensure the check box is selected as shown.
Scan times are faster when VMs remain powered off. However, scan results might differ from scan results for VMs
powered on (for example, open ports and running processes might not be detected for VMs powered off).
Cloud Connector Smart Groups
You can create Smart Groups based on the cloud connectors that you are using.
To create a cloud connector Smart Group:
1. On the Assets page, click the Manage Smart Groups button.
2. Click New.
3. On the Smart Rules Manager page, enter the name and description for the Smart Group.
4. From the asset criteria, select Cloud Assets, and then select the cloud connector type to filter on (Amazon,
Azure, Hyper-V).
5. For the Amazon AWS, Azure and Google Smart Groups, select the Use Private IP Address check box to scan
internal IP addresses.
6. From the Perform Actions section of the page, select Show Asset as Smart Group.
7. Run a discovery scan on the Smart Group to see the cloud assets in reports.
On the Assets page, select the cloud connector, and click i to review the details:
Configuring BeyondInsight AWS Connector
This section provides information on setting up an Amazon AWS connector including details on the AWS
configuration.
Setting up a Policy
1. Log on to the AWS Management Console.
2. Select Identity & Access Management.
3. Select Policies from the Details menu.
4. Select Create Policy.
5. Select Create Your Own Policy.
6. Enter a policy name and description.
7. Paste the following Policy JSON into Policy Document:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:DescribeLoadBalancers",
        "ec2:DescribeInstances",
        "ec2:DescribeRegions",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeImages"
      ],
      "Resource": "*"
    }
  ]
}
8. Replace "Resource": "*" with the resource JSON that your current needs require.
You may also need to add a Condition, for example if only the group "Dev" should have access to certain
instances.
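An added example, not BeyondTrust's code, that reviews a connector policy document against the rules above: it accepts both Statement shapes used in this chapter (a list of statements or a single object), checks that the minimum EC2 actions from the Requirements section are granted, flags ec2:StartInstances and ec2:StopInstances granted on "*" without a Condition, and rewrites such a statement into a tag-scoped one. The ec2:ResourceTag/Group condition as the encoding of the "Group Dev" restriction and the sample policy are assumptions.

```python
import json

# Minimum actions the Requirements section lists for enumerating targets and scanning.
REQUIRED_ACTIONS = {
    "ec2:DescribeInstances", "ec2:DescribeInstanceStatus",
    "ec2:StartInstances", "ec2:StopInstances", "ec2:DescribeImages",
}
# The two actions that change instance state; unlike ec2:Describe*, these
# accept resource-level permissions and tag conditions.
MUTATING_ACTIONS = {"ec2:StartInstances", "ec2:StopInstances"}


def _as_list(value):
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    return list(value) if isinstance(value, list) else [value]


def statements(policy):
    """Return the statements as a list whether Statement is a list or one object."""
    stmt = policy["Statement"]
    return list(stmt) if isinstance(stmt, list) else [stmt]


def granted_actions(policy):
    """Actions granted by Allow statements (Deny statements are not subtracted)."""
    actions = set()
    for s in statements(policy):
        if s.get("Effect") == "Allow" and "Action" in s:
            actions.update(_as_list(s["Action"]))
    return actions


def missing_actions(policy):
    """Required scanner actions that the policy does not grant."""
    return REQUIRED_ACTIONS - granted_actions(policy)


def _is_unscoped_mutating(s):
    """True for an Allow of Start/StopInstances on "*" with no Condition."""
    acts = set(_as_list(s.get("Action", [])))
    wide = "*" in _as_list(s.get("Resource", []))
    return (s.get("Effect") == "Allow" and bool(acts & MUTATING_ACTIONS)
            and wide and not s.get("Condition"))


def unscoped_mutating_statements(policy):
    """Indices of statements that still need the Condition step 8 talks about."""
    return [i for i, s in enumerate(statements(policy)) if _is_unscoped_mutating(s)]


def scope_to_tag(policy, tag_key, tag_value):
    """Copy of the policy where each flagged statement is split: the Describe*
    actions keep Resource "*", and Start/Stop move to a statement limited to
    instances tagged tag_key=tag_value (assumed encoding of the "Group Dev" case)."""
    result = json.loads(json.dumps(policy))  # deep copy; leave the input untouched
    rewritten = []
    for s in statements(result):
        if not _is_unscoped_mutating(s):
            rewritten.append(s)
            continue
        acts = _as_list(s["Action"])
        keep = [a for a in acts if a not in MUTATING_ACTIONS]
        if keep:
            rewritten.append({**s, "Action": keep})
        rewritten.append({
            "Effect": "Allow",
            "Action": [a for a in acts if a in MUTATING_ACTIONS],
            "Resource": "*",
            "Condition": {"StringEquals": {f"ec2:ResourceTag/{tag_key}": tag_value}},
        })
    result["Statement"] = rewritten
    return result


# Constructed sample: the connector policy from step 7 in its single-object
# Statement form, extended with the Start/Stop actions from the Requirements list.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": [
            "elasticloadbalancing:DescribeLoadBalancers",
            "ec2:DescribeInstances", "ec2:DescribeRegions",
            "ec2:DescribeInstanceStatus", "ec2:DescribeImages",
            "ec2:StartInstances", "ec2:StopInstances",
        ],
        "Resource": "*",
    },
}

if __name__ == "__main__":
    print("missing actions:", sorted(missing_actions(SAMPLE_POLICY)))
    print("unscoped statements:", unscoped_mutating_statements(SAMPLE_POLICY))
    print(json.dumps(scope_to_tag(SAMPLE_POLICY, "Group", "Dev"), indent=2))
```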
Setting up a Role
Required from BeyondTrust:
• BeyondTrust Account Number
• BeyondTrust External ID
1. Log on to the AWS Management Console.
2. Select Identity & Access Management.
3. Select Roles from the Details menu.
4. Select Create New Role.
5. Type a Role Name. Remember this for future reference.
6. Select Role for Cross-Account Access.
7. Select Allows IAM users from a 3rd party AWS account to access this account.
8. Enter the Account ID and External ID. Do not select Require MFA.
9. Select the policy created in Setting up the Policy. Click Next Step.
10. Take note of all the information provided. Select Create Role.
You must go through this procedure for each specific group that limits access to certain instances.
Setting up BeyondInsight AWS Cloud Connection - BeyondTrust
Setting up the Role
1. Log on to the AWS Management Console.
2. Select Identity & Access Management.
3. Select Policies.
4. Select Create Policy.
5. Select Create Your Own Policy.
6. Enter a policy name and description.
7. Paste the following Policy JSON into Policy Document:
{
"Version": "2012-10-17",
"Statement":
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::XXXXXXXXXXXX:role/YYYYYYY"
}
}
Note: You must change the account number (XXXX...) and the external ID (YYY...) in the above JSON.
8. Click Create Policy.
9. Under Attached Entities, select Attach.
10. Select the user that was created for the IAM role. (If none is created or available, create one).
11. Select Attach Policy.
After you configure the AWS settings, you can create the connector and Smart Groups in the BeyondInsight
management console. See Configuring a Cloud Connector and Cloud Connector Smart Groups in this chapter.
Importing Scans from Third-Party Scanners
If you are using more than one type of scanner, the BeyondInsight importing feature provides:
• One reporting console for all scan file types supported
• One management console to view collected data
• Import legacy scan data to view collected data and run reports if you are migrating to the BeyondInsight
solution
Overview
You can import scan files from third-party scanners, process the data in the BeyondInsight database, and then
review the scan results in a Vulnerability report (generated automatically after the data is processed).
Scan files from the following third-party scanning software can be imported:
• Metasploit – .xml scan file. Metasploit Version 4 files supported.
• Nessus – .csv scan file.
• Nexpose – .csv or .xml scan files. For the .xml files, Nexpose Version 1.0 and 2.0 are supported.
• QualysGuard – .csv or .xml scan files.
• TripWire – .csv scan file.
Additionally, you can import Retina scanner files (.rtd).
File Formats
Notes:
• The first .csv row must be the header declarations for the .csv data rows that follow.
• Avoid including blank rows or non-standard content such as summary report information.
• The header names are case-sensitive.
Nessus
Supported header format (12 columns):
PluginID, CVE, CVSS, Risk, Host, Protocol, Port, Name, Synopsis, Description, Solution, Plugin Output
Nexpose
Note: The Asset IP Address column must be the first column in the .csv file. Before you import your file, ensure
that the Asset IP Address column is the first column. Otherwise, the import fails.
Asset IP Address, Service Port, Vulnerability Test Result Code, Vulnerability ID, Vulnerability CVE IDs,
Vulnerability Severity Level, Vulnerability Title
Qualys
Supported header format (22 columns):
IP, Hostname, Last Scan, QID, Vuln Title, Type, Severity, Port, Protocol, Operating System, IS_PCI,
False Positive Status, CVSS_Base, Q_Severity, Threat, Impact, Solution, CVSS_Temporal, Category, Result,
BugTraqID, CVEID
McAfee
Supported header format (17 columns):
Asset IP Address, Asset DNS Name, NetBios Label, Criticality, Operating System, Asset Owner,
Vulnerability ID, Vulnerability Name, Vulnerability Description, Risk Rating, Observation,
Recommendation, Common Vulnerabilities Exposures (CVE) ID, First Found, Last Found, Services
TripWire
Supported header format (23 columns):
Score 2 CVSS Base Score Hostname IP address OS Advisories Description Last Scan
Risk Skill Strategy Remediation IP360 Network Vne DP Pace Group
Location First Name Last Name Scan ID Host ID Vuln ID Owner ID
Importing a Scan File
The data imported includes asset information and vulnerability data.
To import third-party scan files:
1. Select the Assets tab, and then click Scan.
2. Scroll to 3rd Party Imports, and select an import type.
3. Click Import.
4. Select the assets that you want to import.
Similar to vulnerability scanning, you can filter the assets by the following: single IP address, IP address range,
or CIDR notation.
5. Select a scan date. This scan date is used if one is not available in the scan file.
6. Select an existing workgroup or create a workgroup.
It is recommended that you create a workgroup based on the import type.
7. Click Add File and add the scan files.
You can add more than one file. Each scan file is processed separately (a Vulnerability report is generated for
each scan file uploaded).
The maximum file size that you can upload is set to 10 MB by default. To change the default value, see
Changing the File Upload Size.
8. Click Import.
You can view the status of the import on the Jobs page. If the state is either Process or Error, you can click the icon
to view more information about the import.
The information on the Imports page is purged after 90 days. To configure the number of days, see
Maintenance Options.
Importing Larger Scan Files
If you are working with larger scan files (see Changing the File Upload Size), then you can copy larger files to a
temporary directory that is automatically created by BeyondInsight. The BeyondInsight service monitors the
directories for new files that need to be processed.
The following directory structure is created when the BeyondInsight service starts:
C:\Windows\TEMP\BeyondTrust\Imports\NESSUS
C:\Windows\TEMP\BeyondTrust\Imports\NESSUSSECCEN
C:\Windows\TEMP\BeyondTrust\Imports\NEXPOSE
C:\Windows\TEMP\BeyondTrust\Imports\METAPLOIT
C:\Windows\TEMP\BeyondTrust\Imports\QUALYSGUARD
C:\Windows\TEMP\BeyondTrust\Imports\RETINARTD
C:\Windows\TEMP\BeyondTrust\Imports\TRIPWIRE
To upload a scan file:
1. Copy the scan file to the appropriate directory. Ensure that the correct extension is used depending on the
scan file. See the Overview for a list.
Note: If the file extension is incorrect, the file will be deleted from the temporary directory and noted in
the REM Manager Service log. The text will be similar to the following:
TPC_IMPORTS: Invalid file type found in import folder: NEXPOSE | Deleting
File: C:\Windows\TEMP\BeyondTrust\Imports\NEXPOSE\Licence Key.txt
A status is provided on the Jobs page in BeyondInsight. The file is deleted from the temporary directory after
the file is successfully processed.
2. Go to the Assets page to manage the assets and vulnerabilities as usual.
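An added pre-flight checker, not BeyondTrust's code, for the two rule sets in this chapter: the per-folder extension check that the service applies to the Imports directories, and the .csv notes from File Formats (header row first, names case-sensitive, no blank rows, and for Nexpose the Asset IP Address column first). The Nessus and Nexpose header lists are the ones printed above; the extensions assumed for the NESSUSSECCEN and RETINARTD folders and the sample rows are constructed.

```python
import csv
import io
import os

# Import folder name -> allowed extensions (from the Overview list; the
# NESSUSSECCEN and RETINARTD mappings are assumptions).
ALLOWED_EXTENSIONS = {
    "NESSUS": {".csv"},
    "NESSUSSECCEN": {".csv"},          # assumption
    "NEXPOSE": {".csv", ".xml"},
    "METAPLOIT": {".xml"},             # folder name as the service creates it
    "QUALYSGUARD": {".csv", ".xml"},
    "RETINARTD": {".rtd"},             # assumption
    "TRIPWIRE": {".csv"},
}

# Expected .csv header names (case-sensitive) for the formats spelled out above.
EXPECTED_HEADERS = {
    "NESSUS": ["PluginID", "CVE", "CVSS", "Risk", "Host", "Protocol", "Port",
               "Name", "Synopsis", "Description", "Solution", "Plugin Output"],
    "NEXPOSE": ["Asset IP Address", "Service Port", "Vulnerability Test Result Code",
                "Vulnerability ID", "Vulnerability CVE IDs",
                "Vulnerability Severity Level", "Vulnerability Title"],
}


def check_extension(folder, filename):
    """Mirror the service's extension check; return an error string or None."""
    ext = os.path.splitext(filename)[1].lower()
    allowed = ALLOWED_EXTENSIONS.get(folder)
    if allowed is None:
        return f"unknown import folder: {folder}"
    if ext not in allowed:
        # Same shape as the REM Manager Service log line quoted in the guide.
        return (f"TPC_IMPORTS: Invalid file type found in import folder: {folder} "
                f"| would delete file: {filename}")
    return None


def check_csv(folder, text):
    """Validate header and row shape; return a list of problems (empty means OK)."""
    problems = []
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        return ["file is empty"]
    header = rows[0]
    expected = EXPECTED_HEADERS.get(folder)
    if expected is not None and header != expected:
        if [h.lower() for h in header] == [h.lower() for h in expected]:
            problems.append("header names differ only in case (names are case-sensitive)")
        else:
            problems.append(f"unexpected header: {header}")
    if folder == "NEXPOSE" and (not header or header[0] != "Asset IP Address"):
        problems.append("Asset IP Address must be the first column")
    for n, row in enumerate(rows[1:], start=2):
        if not any(cell.strip() for cell in row):
            problems.append(f"row {n} is blank")
        elif len(row) != len(header):
            problems.append(f"row {n} has {len(row)} columns, header has {len(header)}")
    return problems


def preflight(folder, filename, text=None):
    """Run the extension check, then the .csv checks when content is supplied."""
    err = check_extension(folder, filename)
    if err:
        return [err]
    if filename.lower().endswith(".csv") and text is not None:
        return check_csv(folder, text)
    return []


# Constructed sample: a Nexpose export with the IP column in the wrong place
# and a blank trailing row (the CVE id is a placeholder).
BAD_NEXPOSE = (
    "Service Port,Asset IP Address,Vulnerability Test Result Code,Vulnerability ID,"
    "Vulnerability CVE IDs,Vulnerability Severity Level,Vulnerability Title\n"
    "443,10.0.0.5,ve,ssl-weak-cipher,CVE-0000-0000,5,Example finding\n"
    ",,,,,,\n"
)

if __name__ == "__main__":
    print(check_extension("NEXPOSE", "Licence Key.txt"))
    for problem in preflight("NEXPOSE", "export.csv", BAD_NEXPOSE):
        print("-", problem)
```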
Viewing the Vulnerability Report
Go to the Jobs page, and open the reports from the Completed tab in the Reports section.
The Vulnerabilities report includes a summary of the vulnerabilities, a detailed description of each vulnerability,
and a list of the assets affected.
Changing the File Upload Size
The file size that you can upload is set to 10240 KB.
Microsoft recommends setting the file size between 10–20 MB, but not exceeding 100 MB. See
http://support.microsoft.com/?id=295626.
If your file exceeds the recommended values, you can copy the file to a temporary directory to upload to
BeyondInsight. See Importing Larger Scan Files.
Note: If you increase the size of the file that you can upload, be sure to also increase the HTTP Timeout value
since it will take longer to upload the file.
You can change the settings using the BeyondInsight Configuration Tool.
Multi Tenant
Overview
The Multi Tenant feature in BeyondInsight allows you to define multiple organizations (or tenants) where each
organization’s asset data is kept isolated from all other organizations. Only Smart Rules marked as Global can
combine asset data across multiple organizations.
Most BeyondInsight features are available with Multi Tenant, including:
• Smart Rules
• Patch management module
• Mobility connectors
Features not available include exclusions, tickets, and report templates.
Smart Rules Manager and Browser Pane
All of the pre-packaged Smart Rules are part of the Global rules. When a pre-packaged Smart Rule is turned on,
the Smart Rule applies to all assets in every organization. You can select the Global rules from the Smart
Groups browser pane.
When you initially create an organization:
• The Default Organization is provisioned with an All Assets Smart Rule.
• The new organization is provisioned with an All Assets Smart Rule.
Create Smart Rules in the usual way. For more information, see Creating a Smart Rule.
You can easily switch between tenants on the Smart Groups browser pane and on the Smart Rules Manager page.
Working with Scan Credentials
You can create credentials when running a scan. However, when using the multi-tenant feature, you can create
global credentials or credentials for an organization.
All users can see global credentials. Correct permissions are needed to see tenant-specific credentials.
It is recommended to create credentials specific to each tenant.
In the following scenario, while XYZ Financial is the organization selected, you can choose to create credentials only
for XYZ or select the Set as Global check box.
For more information about credentials, see Adding Credentials.
Quick Rules
When you create a quick rule from the Vulnerabilities page or the Attack page the rule applies to whichever
organization is selected in the Smart Groups browser pane.
When you create a quick rule from the Address Group, you can select the organization.
Organization Filters
When working with more than one customer, use the Organization filters to see only assets, Retina scan agents, or
Retina protection agents associated with a particular customer.
The Organization filter is only displayed if more than one active organization is available to the currently logged-on
user.
Additionally, when managing your user groups, you can filter Smart Rules by organization.
Patch Management Module
If you are using Multi Tenant, note the following when using the Patch Management Module:
• For each WSUS server connection, you must select an organization.
• When creating a Smart Rule, the credentials displayed are only for the selected organization.
• Credentials created when you create the Smart Rule are only associated to that organization.
• The list of available WSUS servers includes all global connections plus any specific to the organization.
For more information, see Patch Management Module.
Mobility Connectors
You can associate an organization with any of the mobility connectors. Select the organization when creating the
connector.
For more information, see Mobility Scanning.
Retina Protection Agents
A workgroup is required when deploying Retina protection agents in a Multi Tenant environment.
For more detailed information about deployment, see Deploying the Protection Policies.
Address Groups
You can organize address groups by organization.
When working in the Smart Rules Manager, you can select an organization and see the address groups specific to
that organization.
Migrating Address Groups
To migrate existing address groups to a different organization, use the following utility stored procedure:
PROCEDURE [dbo].[Util_MoveAddressGroupToNewOrganization]
    @OrganizationID uniqueidentifier,   /* OrganizationID that the Address Group will be moved to */
    @CsvListOfAddressGroupIDs text      /* comma separated list of Address Group IDs to migrate */
Example
exec Util_MoveAddressGroupToNewOrganization 'F7D70943-4782-4AE0-BDD6-2A234EA4045F', '10014,10015, 10016'
Selecting a Workgroup
For unknown assets (assets not scanned by BeyondInsight), you must select a workgroup associated with the
organization. Assets might be unknown when using the settings:
• Single IP address
• IP range
• CIDR notation
• Named Hosts
For known assets (assets detected and in the BeyondInsight database), a workgroup does not need to be selected.
The assets are already associated with a workgroup. Assets are known when using the settings:
• Currently selected Smart Group
• Currently selected Assets
Creating a Workgroup
When an organization is selected in the Smart Groups browser pane, then you can enter a workgroup name if one
is not already created for the organization.
The workgroup name must be unique across all organizations. If you enter a name that exists, an error message is
displayed.
Note that you cannot enter a workgroup name when Global is selected in the Smart Groups browser pane.
Viewing the Workgroups Available
The workgroups displayed depend on the item selected in the Smart Groups browser pane.
• Global - All workgroups are displayed. The organization is in parentheses.
• Organization - Only workgroups associated with the organization are displayed.
Setting Up Organizations
Key steps in setting up the organization
• Create a workgroup
• Create an organization
• Create a User Group
Step 1 Creating a Workgroup
Permissions: the Users Accounts Management permission is needed to assign workgroups to an organization.
Every Retina scanner agent or Retina protection agent must be assigned a workgroup. A workgroup is typically
created when the agent is initially deployed.
You can add and delete workgroups. However, you cannot rename workgroups.
You can only delete a workgroup if it is not associated with an organization, mobility connector, Retina scanner or
Retina protection agents.
Use the Events Client Configuration tool to create a workgroup.
To create the workgroup:
1. Log on to the asset where the agent resides.
2. Start the Events Client Configuration Tool.
3. Select the Enabled Application tab, and select the check box for the agent.
4. Select the Workgroup tab and enter a name and description.
5. Click OK.
Step 2 Adding an Organization
An organization is automatically populated with an All Assets Smart Group.
To create an organization and associate with a workgroup:
1. Click the Configure tab, and then click the Organizations tab.
2. Click the Create New Organization button.
3. Enter the name of the organization.
The Active check box is selected by default and must be selected to successfully run scans on the tenant's
assets.
4. Click the Create button.
5. Scroll to the Workgroups tab.
6. Click the edit icon for the organization, and then select the organization.
7. Click the check mark to save the changes.
Step 3 Creating a User Group for a Tenant
You can create a user group for a tenant. The users in the group can then log on to BeyondInsight and run reports.
When creating the user group, ensure that you assign the BeyondInsight permission. Additionally, assign Read
permissions to the tenant's Smart Rules. The users can then run reports based on the Smart Rules.
Creating a user group for a tenant is optional and only required if your client wants to run reports from
BeyondInsight. For more information, see Managing Users.
As a security measure, a tenant cannot log on to BeyondInsight.
Configuring Authentication
You can set up Smart Card authentication or two-factor authentication using a RADIUS server.
Configuring Two Factor Authentication
You can configure two-factor authentication to log on to the following: PowerBroker Password Safe, BeyondInsight
Analytics and Reporting, and BeyondInsight management console.
After you set up two-factor authentication, your BeyondInsight users must log on to any of your BeyondInsight
modules using the two-factor authentication method.
To set up two factor authentication, you must:
• Configure the RADIUS server
• Select two-factor authentication settings for the user
Configuring the RADIUS Server
You can configure more than one RADIUS server.
To configure a RADIUS Server:
1. In the BeyondInsight management console, click the Configure tab.
2. Click the Authentication tab.
3. Select RADIUS, and then select the + sign.
4. Set the following:
– Alias - The name used to represent the RADIUS server instance in Password Safe; it is displayed in the
RADIUS server grid and must be unique.
– Filter - Select a filter that will be used to determine if this RADIUS server instance should be used. If you
select one of the domain filters you must enter a Filter Value.
– Filter Value - Enter a value that will identify the domain. This should be a domain or comma separated list
of domains depending on the setting selected in Filter. When the Filter selected is All User, All Local Users,
or All Domain Users the Filter Value is not required.
– Host - Enter the DNS name or the IP address for your RADIUS server.
– Authentication Port - The listening port for the RADIUS server to receive authentication requests. The
default port is 1812.
– Authentication Request Timeout - The period of time that Password Safe will wait for a response from
the RADIUS server before the request times out. The default value is 10 seconds.
– Shared Secret - Enter the shared secret that is configured on your RADIUS server.
– Initial Request - The value passed to the RADIUS server on the first authentication request. Select from
the following:
– Forward User Name and Token - This is the default setting.
– Forward User Name and Password
– Initial Prompt - The first message that displays to the user when they log on to the application. This
setting is available only when Forward User Name and Token is selected.
– Transmit NAS Identifiers - When the check box is selected, NAS identifiers are transmitted to permit
access. In some cases, a RADIUS server will not permit access if NAS identifiers are not transmitted.
In BeyondInsight, the attributes that are transmitted:
– NAS IP Address - This is the IP address where BeyondInsight is installed.
– NAS Identifier - This is the string BeyondInsight.
5. Click Create.
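An added example, not BeyondTrust's code, of the Access-Request that a RADIUS client such as the one configured above sends: it builds the packet per RFC 2865, hides the User-Password with the shared secret and the Request Authenticator, adds the NAS-IP-Address and NAS-Identifier attributes the Transmit NAS Identifiers option describes, and shows the server-side reversal and a UDP send with the authentication request timeout. The secret, user credentials and 192.0.2.10 address are constructed sample values.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST = 1                      # RADIUS packet code
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
ATTR_NAS_IP_ADDRESS, ATTR_NAS_IDENTIFIER = 4, 32


def _attr(atype, value):
    """Encode one Type-Length-Value attribute; Length includes the 2-byte header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16 bytes,
    then XOR each block with MD5(secret + previous block), the first block using
    the Request Authenticator.  Only a holder of the shared secret can undo it."""
    pwd = password.encode()
    if not pwd or len(pwd) > 128:
        raise ValueError("password must be 1..128 bytes")
    pwd += b"\x00" * (-len(pwd) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pwd), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(pwd[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password (what the RADIUS server does before checking it)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(h ^ m for h, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00").decode(errors="replace")


def build_access_request(identifier, username, password, secret,
                         nas_ip, nas_id="BeyondInsight", authenticator=None):
    """Return (packet, authenticator).  nas_ip is the address the client runs on
    and nas_id the fixed NAS-Identifier string the guide says is transmitted."""
    auth = authenticator or os.urandom(16)   # fresh random Request Authenticator
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, auth))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + auth + attrs, auth


def parse_packet(packet):
    """Decode header and attributes into {"code", "id", "authenticator", "attrs"}."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return {"code": code, "id": identifier, "authenticator": packet[4:20], "attrs": attrs}


def send_with_timeout(packet, host, port=1812, timeout=10.0):
    """Send over UDP and wait for the reply, giving up after `timeout` seconds
    (the Authentication Request Timeout, default 10 s).  Needs a live server."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        return sock.recvfrom(4096)[0]


if __name__ == "__main__":
    # Constructed sample values; 192.0.2.10 is a documentation-range address.
    pkt, auth = build_access_request(1, "alice", "correct horse battery",
                                     b"constructed-shared-secret", "192.0.2.10")
    print(parse_packet(pkt))
```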
Setting up the User Account
Two-factor authentication can be configured for either a local BeyondInsight user account or an Active Directory
account.
To configure the user account:
1. In the BeyondInsight management console, click the Configure tab.
2. Click the Accounts tab.
3. Create the user account and configure the typical settings. See Creating User Accounts.
4. On the User Details page, select Radius from the Two Factor Authentication list.
5. From the Map Two Factor User list, select one of the options listed. The user type selected maps to a user on
the Radius server.
The options displayed in the list change depending on the user logging on.
BeyondInsight user options:
– As Logged in - Uses the BeyondInsight user account logon.
– Manually Specified - Enter the user name that the user will log on as.
Active Directory user options:
– SAM Account Name - Default value.
– Manually Specified - Enter the user name the user will use to log on.
– Alternate Directory Attribute - This can be any attribute from Active Directory. The attribute is set when
you configure the Radius server. See Configuring the Radius Server.
– Distinguished Name
– User Principal Name
The information for any of these is drawn from the Active Directory setting for the user account logging on.
Note: The following screen capture shows the options for Active Directory users.
6. Click Update.
Configuring Smart Card Authentication
Your network must already be configured to use Smart Card technology to use this feature.
You can configure Smart Card authentication to log on to BeyondInsight and PowerBroker Password Safe. To turn
on Smart Card authentication:
1. Log on to BeyondInsight.
2. Click the Configure tab, and then click Authentication.
3. Select the Enable Smart Cards check box.
4. Optionally, you can select the Allow UPN Override On User check box.
This allows the user to log on using their Active Directory user account rather than the BeyondInsight local user
account.
Note: You must also select the Override Smart Card User check box and enter the UPN when you are
creating the local user account.
5. Click Save.
Setting BeyondInsight Options
If you are using BeyondInsight Clarity, refer to the BeyondInsight Analytics & Reporting User Guide for information
on the analytics configuration settings.
Account Lockout Options
You can set lockout options, such as lockout threshold and duration.
To set account lockout parameters:
1. Select Options.
2. On the Application Options dialog box, expand Account Lockout Options.
3. Set the following account lockout options:
– Account Lockout Duration - Sets the number of minutes the user is locked out.
– Account Lockout Threshold - Sets the number of times a user can try their password before the account is
locked out.
– Account Lockout Reset Interval - Sets the number of unsuccessful password entry attempts before
generating a reset notification.
– Unlock Account upon Password Reset Notification - Select the Yes check box to email a new password
and unlock the account when Forgot Your Password is selected.
If not selected, an email is sent with a new password but the account is not unlocked.
– Send Lockout Notification - Select the Yes check box to send notifications when a user account is locked
out.
– Lockout Notification Recipients - Enter the email addresses that will be notified when a user account
lockout occurs.
4. Click Update.
Account Password Options
You can set account password parameters, such as a complexity requirement and password length.
To set account password parameters:
1. Select Options.
2. On the Application Options dialog box, expand Account Password Options.
3. Set the following password options:
– Password Must Meet Complexity Req. - Requires users to adhere to complex password rules when
creating a password.
– Enforce Password History - Enter the number of passwords a user must create before an old password
can be reused.
Enter 0 to not enforce a password history. There are no restrictions on using past passwords when 0 is
entered.
– Minimum Password Length - Enter the minimum number of characters for the password.
– Maximum Password Age - Enter the maximum number of days before a password must be changed.
– Minimum Password Age - Enter the minimum number of days that a password must be used before it can
be changed.
4. Click Update.
Auto Update Options
BeyondInsight contacts the Update Server to retrieve the latest product and audit updates. Downloading updates
ensures your assets are secure against the latest vulnerabilities.
By default, Auto Update is turned on.
To activate Auto Update:
1. Select Options.
2. On the Application Options dialog box, expand Auto-Update Options.
3. Select the Yes check box.
4. Click Update.
Display Options
You can turn on auto-expansion and set the number of items to display per page.
To set display options:
1. Select Options.
2. On the Application Options dialog box, expand Display Options.
3. Select the Yes check box to open the report in a new window.
This feature is available only with reporting on existing data.
4. Enter the number of items to display per page.
5. Select the Yes check box to turn on auto-expansion.
6. Click Update.
Clarity Malware Analysis Options
Clarity Malware evaluates events from BeyondTrust solutions and determines whether any risks or malware are
associated with the events. Any malware detected is listed on the Malware tab of the Assets page in the
BeyondInsight management console.
Clarity Malware is turned on by default.
For more information, see Clarity Malware Analysis.
Email Notifications
The email notification sends an email when an error occurs while running reports.
The email address is stored in the BeyondInsight database.
Note: Email settings are initially set in the BeyondInsight configuration tool. Ensure that you use the same
information here.
To add an email address for notification:
1. Select Options.
2. On the Application Options dialog box, expand Email Notification Options.
3. Enter an email address in the From Email Address box.
4. Verify the SMTP server name and port.
5. Enter the user name and password.
6. Click Update.
Maintenance Options
When data is initially collected, it is stored as unprocessed data in the BeyondInsight database. After the data is
processed (and can then be viewed in the management console and in reports), the unprocessed data is no longer
needed. To maintain a manageable database size, the unprocessed data is purged at regular intervals.
To set maintenance options:
1. Select Options.
2. On the Application Options dialog box, expand Maintenance Options.
3. Enter the number of days that pass before data is purged.
– Purge General Events Older Than - Purges the data sent by the protection agents and scanners. The
default number of days is 7.
General events can include: Auto updates checking in and trying to connect to the asset; firewall events
(which might indicate that the scan cannot process because of a firewall blocking the connection).
– Purge Vulnerabilities Older Than - The vulnerabilities are displayed on the Vulnerabilities page until fixed
or purged.
Recommended: 90 days. However, this can vary for different environments. Once the data is purged, the
vulnerabilities are removed from the database.
– Purge Attacks Older Than - Attacks are discovered by the protection agent.
Recommended: 90 days.
– Purge Assets Older Than - This covers assets that were discovered once, but are never discovered again
(the asset might be inactive or removed). Recommended: 30 days.
– Purge Audit Data Older Than - Audit data is the information that is provided in the audit feed and includes
the audit details that determine if there are vulnerabilities. Recommended: 7 days.
– Purge Retina Agent Jobs every N days - Purges jobs. The default value is every 30 days.
Enter 0 if you do not want to purge the jobs.
– Purge Chart Data Older Than - Chart data is the data used to calculate the charts displayed in the
management console. Charts are displayed on the console and in other areas of the console including the
Overall page and Vulnerabilities page. The default value is 90 days.
– Purge Application Events Older Than - Purges the application events sent by the protection agents and
scanners. The default value is 7 days.
– Purge Application Log Files Older Than - Purges the data sent by the protection agents. The default value
is 30 days.
– Purge Asset Attributes Older Than - Purges the data sent by the protection agents and scanners.
Recommended: 7 days.
– Purge Scans Older Than - The scans data is the information defined in the scan settings. Recommended: 7
days.
– Purge Scan Events Older Than - Scan events is the data collected in the scan. Recommended: 7 days.
– Purge Attack Events Older Than - Purges the data sent by the protection agents.
Recommended: 7 days.
– Purge Windows Events Older Than - Purges the information sent by the protection agents. The default
value is 90 days.
– Purge Closed Tickets Older Than - Enter the number of days before closed or inactive tickets are deleted.
The calculation for purging ensures the ticket is closed and uses the date the ticket was last updated, not
the due date.
For example, a ticket has a due date 60 days in the future but the ticket was closed and not edited for over
a week. If the purge setting is set to 7, then the ticket is purged even though the due date is in the future.
– Server Localization - en-US. Reserved for future use.
– Purge PBUL Events Older Than - Purges the events sent by PowerBroker Servers.
– Purge FIM Events Older Than - Purges the File Integrity events captured by PowerBroker for Windows.
– Purge Session Monitor Events Older Than - Purges the events collected when session monitoring is used.
– Purge Scan Diagnostics Older Than - Purges the scan data that is collected when Scan Diagnostics is turned
on.
– Enable Scan Diagnostics - Reserved for BeyondTrust Technical Support.
The Scan Diagnostics tool is used by BeyondTrust Technical Support for troubleshooting scans that are
processing but not completed.
– Purge 3rd party Uploads Older Than - Purges the information about the scan files that you upload.
Note that the data in the scan file is not purged.
– Mark Aged Vulnerabilities Fixed After - Set the number of days before older vulnerabilities are tagged as
fixed.
– Purge PBW Events Older Than - Purges the PowerBroker for Windows events.
4. Click Update.
Proxy Settings
You can configure a proxy server if the BeyondInsight server does not have direct Internet access.
To set up a proxy server:
1. Select Options.
2. On the Application Options dialog box, expand Proxy Settings.
3. Select the Yes check box.
4. In the Address box, enter the IP address or domain name of the proxy server.
5. Enter the user name and password for the proxy server.
6. To override any local proxies, select the Yes check box.
7. Click Update.
Radius Settings
To configure the RADIUS server settings, see Configuring the RADIUS Server.
To configure additional, optional Active Directory settings for RADIUS authentication:
1. Select Options.
2. On the Application Options dialog box, expand RADIUS Two-Factor Authentication.
– Alternate Directory Attribute - The Active Directory attribute that will be matched on the RADIUS server
to identify the user account. This can be any attribute in Active Directory. The default value is
extensionName.
– Enable for new Directory Account - Select the check box to turn on two-factor authentication for new
accounts when they are discovered.
3. Click Update.
Refresh Settings
You can set refresh intervals for scan jobs and Smart Rules.
Scans can run more efficiently when Smart Rules are set to refresh at longer intervals.
To set refresh settings:
1. Select Options.
2. On the Application Options dialog box, expand Refresh Settings.
– Maximum job refresh frequency (minutes) - BeyondInsight jobs are refreshed at the interval entered
here. When the refresh occurs, changes to schedules, scanners, and Smart Rules are applied to the job.
The default value is 360 minutes (6 hours).
– Maximum Smart Rule Refresh Frequency for asset updates (minutes) - Set the number of minutes for
the refresh interval for Smart Rules.
Asset changes (assets added to or removed from the Smart Rule) that occur between refreshes are
reflected in the rule when it next refreshes.
The default value is 60 minutes.
Retina Scanner Agents
Configuring Retina Agent Scan Options
You can configure Retina scan options to improve performance and reliability.
Performance Settings
Scanning too many targets at once can degrade server performance and scan quality. The result is an unresponsive or
slow server, or poor scan quality, such as known services not being found or known open ports not being identified.
To improve performance, you can:
• Reduce the number of targets
• Adjust the scan speed downward
• Override the TCP connection limit to increase the scan speed
If you override the TCP connection limit, the TCP incomplete connections limits are removed for all
applications during the scan.
Timeout Values
Configure ping and data timeout values to compensate for network latency.
If ping replies are not returned in time for Retina to detect them, increase the ping timeout value.
To configure scan options:
1. Click the Configure tab.
2. Click the Scan Options tab.
3. Click the Scanner tab.
4. In the Performance area, configure the following settings:
– Number of Simultaneous scan targets - Set the number of targets to scan simultaneously.
The maximum is 128 targets.
– Adaptive Scan Speed - Set the delay between bursts of packets sent during a SYN scan.
1 = longest delay
5 = almost no delay
– Enable TCP connection limit override - Select the check box to override the TCP connection limit.
Note: The TCP Connection Limit Override is available on Windows XP SP2 and later and Windows 2003
SP1 only. This is not available for Windows NT or Windows 2000.
5. In the Reliability area, configure the following settings:
– Ping Timeout - Enter the number of seconds.
– Data Timeout - If the scanner is not receiving complete data from assets or hosts when services are under
heavy load, increase the timeout value.
6. Click Save.
Event Routing
Turn on event logging to send scan data to BeyondInsight, including:
• Port information
• Services
• General scan information
To turn on event routing:
1. Click the Configure tab.
2. Click the Scan Options tab.
3. Click the Event Routing tab.
4. Select the Enable Event Logging check box.
5. Select the risk level of the audits to include in routing to BeyondInsight.
Audits include a risk level that corresponds to the severity of the vulnerability detected.
– Information - Details host information that does not necessarily represent a security threat, but can be
useful to the administrator when assessing security.
– Low - Defines risks associated with specific or unlikely circumstances.
– Medium - Describes serious security threats that would allow a trusted but non-privileged user to gain
access to sensitive information.
– High - Indicates vulnerabilities that severely impact the overall safety and usability of the network.
6. Click Save.
Setting Restrictions on Scan Times
You can set a scan restriction so that scans will not run during the restricted time frame.
Apply scan restrictions on:
• One scan only. Configure the restricted scan time when you are configuring the scan.
• Global. Configure the restricted scan time on the Configure tab.
To set a scan restriction on all scans:
1. Select the Configure tab.
2. Select the Scan Options tab.
3. From the Agent list, select an agent or select Global.
If you select an agent, you might want to override scan restrictions already set for that agent. Select the Use
Global Settings check box to apply the global settings.
4. Click the squares to set the restricted time frame.
5. Select the Abort in progress scans when restriction windows starts check box to stop all scans that are
running when the scan restriction window starts. Otherwise, running scans are paused and then resume when
the scan restriction ends.
Configuring General Scan Options
You can configure the following general scan settings: logging, auto update, time intervals for central policy and
failover agents, and maintenance settings.
To configure general scan options:
1. Click the Configure tab.
2. Click the Scan Options tab.
3. Click the General tab.
4. To turn on logging, select the logging check box.
5. To automatically check for updates, configure the following settings:
– Check for updates to a schedule - Select a start time and frequency.
– Check for updates when launching Retina - Select the check box to check for updates when you start
Retina.
– Number of seconds to prompt before launching - Enter the number of seconds to wait before starting the
updater.
6. Set a timeout value for a failover agent. To configure a failover agent, see Configuring a Failover Agent.
7. Set the following maintenance options:
– Enter the number of days that pass before the data is purged. The default value is 7 days.
– Select the Disable RTD file generation check box if you do not want to create the RTD files.
By default, a scanner creates an RTD file that contains the scan results data.
8. Configure Central Policy options:
– Central Policy Interval (V1) - Set the minutes that pass before the scanner checks for updates from the
Central Policy server. The default value is 15 minutes.
– Central Policy Interval (V2) - Set the minutes that pass before the scanner checks for updates from the
Central Policy server. The default value is 30 minutes.
– Update Records Interval (V2) - Used when Central Policy v.2 is in use. The default value is 3 minutes.
– Engine Info Interval (V2) - Checks in to report the scanner version. Used when Central Policy v.2 is in use. The
default value is 6 minutes.
9. Click Save.
Scanner Pooling
You can use scanner pooling to select more than one scanner when scanning a large number of assets. When more
than one scanner is selected for a scan job, the list of target assets is divided among the selected scanners in a
round-robin style, evenly distributing the target scan range.
To use scanner pooling, select more than one scan agent when running a scan, or use the "Set Scanner" action in a
Smart Rule to lock a set of scanners to that Smart Group.
Note that when using scanner pooling, you cannot automatically generate a report when a scan finishes.
To lock a scanner agent to a Smart Group:
1. Select the Assets tab, and then click Manage Smart Rules.
2. Click New Rule.
3. Enter a name and description.
4. From the Perform Actions area, select Show asset as Smart Group.
5. Click the +, and then select Set Scanner.
6. Click the browse button to select the scanners to associate with the Smart Group.
7. Select the distribution algorithm.
– Round Robin Asset Distribution - Targets are assigned to scanners one-by-one. This method balances the
distribution of scan targets.
– Rule Locked Asset Distribution - The Rule Locked distribution algorithm is designed and recommended for
multiple scanner jobs where child Smart Rules are defined in a parent Smart Rule.
Each child Smart Rule will always use the scanner assigned in the child Smart Rule when this distribution
algorithm is used.
This ensures that scanners assigned in child Smart Rules will not scan across other child targets.
8. Click Save.
Note that on the Job Details page, the agent name indicates if the scanner is part of a pool.
Viewing Status for Scanners and Agents
You can review details about your deployed scanners and protection agents.
Use the Agent Details page to determine if scanners or agents are out of date.
To view asset details:
1. Select the Assets tab.
2. Select Agents.
3. Click the i button to review additional information.
The Agent Details page displays the following: IP address, computer name, OS, workgroup, domain, and agent
name and versions.
Note that you can change viewing preferences for the Agents page. You can select preferences and create
filters to determine the list of agents and scanners that are displayed. For more information, see Changing the
Display.
Determining if a Scanner is Available
A scanner might lose connectivity to Central Policy. You can determine connectivity in the following places:
• When you are setting up a scan, there is a warning icon next to an agent name.
• On the Agents page for Vulnerability Scanners, there is a warning icon in the Retina Last Updated column.
The agent might not be able to accept the job request.
Ensure the computer hosting the scanner is online.
Restarting Agents
You can restart one or more scanners.
1. Go to the Assets page, and select Vulnerability Scanners in the browser pane.
2. Select the check boxes for the assets that you want to restart, and then click .
3. Select one of the following: Safe, Normal, or Force.
4. Click Restart.
Removing Retina Agent Files
Clean BeyondInsight records for scheduled, queued, and completed jobs.
Ensure your BeyondInsight administrators are assigned the Scan Management permission. For more information,
see Creating User Groups.
To clean BeyondInsight agent files:
1. Select the Assets tab, and then select the Agents tab.
2. Select the agent in the list, and then click i.
3. Click Agent Maintenance.
– Clean Retina Files - Deletes files from the following directory:
C:\Program Files (x86)\BeyondTrust\Retina 5\Scans
– Clean RCS Files - Removes all jobs for the selected agent, including scheduled, queued, and completed
jobs.
– Reschedule existing scheduled jobs - When the Clean RCS Files check box is selected, you can select this
check box to reschedule jobs automatically.
4. Click OK to save the settings.
5. Click Reset Engine to restart the BeyondInsight services.
Configuring a Failover Agent
You can configure a backup agent to provide redundancy in case an agent fails.
To configure a failover agent:
1. Click the Assets tab.
2. Expand Agents and Scanners, and then click Vulnerability Scanners.
3. Click the Agents tab.
4. Select an agent, and then click i.
5. On the Agent Details pane, click Configure Failover Agent.
6. Select an agent. The Failover Agent field displays the name of the agent that you select.
7. Click OK.
You can configure a failover agent timeout on the Configure tab. The default timeout is 15 minutes.
Retina Host Scanning
To use Retina host scanners, you must:
• Turn on Retina host scanning
• Create a host scan group
• Create a Smart Rule
• Run the Scan
• View scan details
Turn on Host Scanning
To turn on host scanning:
1. Select the Options menu.
2. Expand Host Scan Options.
3. Select the check box.
Creating a Host Scan Group
You can create the host scan group either through the Configure tab, or on-the-fly when you are creating the Smart
Rule.
To create a host scan group:
1. Click the Configure tab, and then select Host Scan Options.
2. Click Manage Host Scan Groups.
3. Click New, and then enter a name for the group.
4. Click Create.
The properties of the group include the group ID, group name, and last updated date.
Creating a Smart Rule
To create the Smart Rule:
1. Create the Smart Rule. For details, see Creating an Asset Smart Rule.
2. Select the matching criteria.
3. In the Perform Actions section, select Assign to Host Scan Group.
4. Select a group from the list.
5. Select Show asset as Smart Group.
6. Click Save.
Running the Scan
To run the scan:
1. Select the Assets tab, and then click Scan.
2. Select the audit template, and then click Host Scan.
3. Select the host scan group from the list.
4. Select the schedule: Immediate, Recurring, One Time. Set the scheduling options as appropriate.
5. Click Start Host Scan.
Displaying Scanner Information
You can view information about host-based scanners on the Asset details page.
Turn on the following settings on the Preferences dialog box:
The columns indicate if the host scanner is installed on the asset and the host scan group that the asset belongs to.
Viewing Scan Jobs
You can view the status of the scan jobs.
Host Scans is displayed on the Jobs tab only when Host Scan Options is turned on. See Turn on Host Scanning.
Patch Management Module
Note: The Patch Management module requires a license to activate the feature set. Contact your BeyondTrust
representative.
Overview
Use the Patch Management Module to deploy important patches to selected assets.
Note: Using the Patch Management Module does not override any automation policies you might have in place
with your existing Windows Server Update Services (WSUS) configuration. Those policies are retained and
applied as usual.
How Patching with WSUS Works
BeyondInsight integrates with WSUS to facilitate Microsoft and third-party patching. BeyondInsight uses WSUS as
the patching engine and effectively becomes a management console to WSUS.
You must be familiar with WSUS features to understand the BeyondInsight integration with WSUS. The WSUS client
is built into the Microsoft OS; however, it needs to be enabled and configured. In typical WSUS-only environments
this is accomplished through GPOs. When using BeyondInsight, clients are enabled and configured through
BeyondInsight.
The BeyondInsight configuration and patch deployment process is outlined here.
1. Configure a BeyondInsight connection to an existing WSUS Server; BeyondInsight becomes a management
console for WSUS.
2. Configure Smart Groups for patch management. This configures members of the Smart Group (the clients) for
WSUS by making changes to the registry.
3. Identify and approve patches.
4. Clients periodically check WSUS for approved patches, which are then downloaded and installed.
How a Patch Deployment Works
1. Patches are approved in BeyondInsight; consequently, they are marked as approved in WSUS.
2. The client polls WSUS for any relevant, approved patches.
3. Patches are downloaded to the client. Optionally, per the Smart Group settings, the client may be notified that
approved patches are available and then prompted to download and install them.
4. Patches are automatically installed based on the default settings. Optionally, per the Smart Group settings, the
client may be notified that patches have been downloaded and then prompted to install them.
5. The new patch status is sent to WSUS.
6. BeyondInsight retrieves the current patch status from WSUS.
Third-party Patch Deployment
Third-party patching is the same as Windows patching, with the following differences:
– Third-party patches are sent to the client with the third-party certificate that was generated when the
connection to WSUS was created.
– The certificate from WSUS is verified against the existing certificate on the client that it received when its
associated Smart Group was enabled for patch management. Trust is now established for third-party patch
deployment per Microsoft requirements.
Connecting to a WSUS Server
To deploy patch updates, you must connect to a Windows Server Update Services (WSUS) server.
If you are working in a larger environment and use downstream servers to apply patch updates, you can create
connections to the downstream servers in the Patch Management configuration. This helps distribute the workload
of applying patches to many assets.
Requirements
Installing on Windows Server 2008
• Microsoft IIS 7.0. Ensure the following components are turned on:
– Windows Authentication
– ASP.NET
– 6.0 Management Compatibility
– IIS Metabase Compatibility
• Microsoft Report Viewer Redistributable 2005 (http://go.microsoft.com/fwlink/?LinkID=70410)
• Microsoft SQL Server 2005 SP1
Note that .NET Framework 2.0 and BITS 2.0 update are part of the Windows Server 2008 OS.
Installing on Windows Server 2012
• IIS
• .NET 4.5
• ASP .NET 4.5
Adding a Connection
You can create a connection to an upstream server and to its downstream servers.
The downstream server synchronizes with the upstream server to manage patch updates. Note that downstream
servers are configured in WSUS.
To connect to a WSUS server:
1. On the BeyondInsight console, select Configure, and then click the Patch Management tab.
Alternatively, on the Dashboard, click Mitigate.
2. Click +, and then enter the server name, port number, and credentials for the server.
Ports available: 80, 8530, 443 (SSL), or 8531 (SSL).
3. Click Test Connection to ensure the information is correct.
Note: The WSUS Administration Console must be installed if WSUS and BeyondInsight are not on the same
server. For more information, see Installing the WSUS Administration Console.
4. Click Save.
5. After you connect to a WSUS server, set the following options.
– Synchronization - Select the time that you want to synchronize the patches with the WSUS server.
The schedule determines the frequency that WSUS checks with Microsoft Update Servers for new
patches.
If this is a new installation, the initial synchronization can take several hours depending on the number of
items selected in the Products and Classification section.
If you are using downstream servers, increase the frequency of the synchronizations per day. All updates
and approvals occur on the upstream server. Increasing the frequency ensures that all assets receiving
updates from the downstream server are updated when the approvals are applied on the upstream
server.
– Products and Classifications - Select the updates to subscribe to.
– Downstream Servers - Displays the downstream servers for the selected server.
– Third Party Certificate - Generate or import a certificate to subscribe to vendor patch updates.
For more information, see Third-Party Patching.
Note that the Groups feature is not supported in BeyondInsight Community.
– Groups - Select the check boxes for the groups that already exist in WSUS. Additionally, select
synchronization frequency, credentials, and how you want patches applied.
After you click Save, a patch-enabled Smart Group for each WSUS group that you selected is displayed in
the Smart Groups browser pane.
Connecting to a Downstream Server
When you configure assets for patch updates in the Smart Rule, you can choose the downstream server that will
apply the updates and patches to the assets.
In the Patch management Configure area, you can view information on upstream servers and if there are any
downstream servers configured on that upstream.
A downstream server is displayed with a green arrow.
Installing the WSUS Administration Console
You must install the WSUS Administration Console if you want to connect to an installation of WSUS on a different
server.
Download the WSUS 3.0 Administration Console installer file: http://go.microsoft.com/fwlink/?LinkId=88321
You must restart the BeyondInsight server after you install the console.
After you install the administration console, start the console and verify that you can connect to the WSUS server
that will be configured as the active software update point.
Installing the Console on Windows Server 2012
To install the WSUS Administration Console Using PowerShell:
1. Open a Windows PowerShell console as an administrator.
2. Execute the following command:
Install-WindowsFeature -Name UpdateServices-Ui
This command installs the console only and will not run a post-install task.
Registering Smart Rules
Registering the group adds the group to the WSUS server database. The assets in the group are then available for
the updates. If an asset is a member in two groups, the patch update applied will be the most recent one.
You can review the status of a patch group on the Asset Details pane (select the Assets tab, click i). If the status is
registered, patches can be approved and installed on the patch group.
Checkpoint
– Create a Smart Rule to associate with the patch update schedule. A Smart Rule is required. For more
information, see Creating a Smart Rule.
To register patch updates for a Smart Group:
1. Select the Assets tab.
2. Click Manage Smart Rules and then click New.
3. Enter a name and description for the patch group.
4. Select an existing category or create a new category.
5. Select the asset matching criteria. Select Asset fields from the list then select matching criteria: Last Updated
Date, Status, Current Policy, Pending Policy, Wsus Status, or Patch Install Schedule.
6. From the Perform Actions area, select Enable for Patch Management, then select values for the following:
– Credentials - Click the browse button to open the Manage Patch Credentials page. Create or select the
preferred patch credentials.
Ensure the credentials provided can access the registry and install the certificate on the target asset.
The credentials apply only to the Patch module. The credentials are not related to vulnerability scans or
the WSUS server connection.
– WSUS Servers - Select the WSUS servers from the list.
– Important Updates - Select if you want to:
Download and install updates automatically – Client computers poll WSUS at the selected day and time
and download and install approved updates.
Download updates but let me choose if the updates are installed – Client computers poll WSUS at regular
intervals (1 hour by default) and download approved and relevant updates. After the updates are downloaded,
notifications are sent to the system log and to the notification area of BeyondInsight.
Check for updates but do not download.
– Every / At - Select a day and time the client computers will poll the WSUS server.
– Detection Frequency - Enter the number of hours that pass before Patch-enabled assets check in with the
WSUS server for updates. Similar to WSUS, the default is 22 hours.
– Retry registration of errored Patch Management assets - Select the check box to try registration again if
the initial registration attempt fails.
7. Click Save.
After clicking Save, the following occurs:
• The client is contacted by one of three methods, listed in priority:
– If the client has the Retina Protection Agent (v. 4.7 or greater), registry changes occur through the Central
Policy connection.
– If the client does not have the RPA, registry changes occur through the Remote Registry API. Remote
Registry service must be enabled on the client. The supplied credentials must have permissions for
Remote Registry.
– If the first two fail, then registry changes are facilitated through WMI, a service running on the endpoint.
• BeyondInsight uses the supplied credentials to access and edit the client’s registry. The client is configured for
WSUS and then pointed to the WSUS Server. All other relevant registry parameters are set, see:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
• Optionally, BeyondInsight downloads the third party certificate to the client.
The client is now configured to poll WSUS for any approved updates; this is standard WSUS client behavior. Note
that polling may not occur immediately and it may take up to 6 hours for WSUS clients to display as patch-enabled
assets in BeyondInsight.
The patch group is displayed in the Smart Groups browser pane.
After the group is registered, you must approve the patches that you want to apply to the assets.
Updates are installed during the time that you selected in step 6.
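The registry keys listed above are where the client's WSUS configuration ends up, so the quickest way to confirm that a Smart Rule deployment actually took is to read them back on the client. The following PowerShell is an added example, not code from the BeyondInsight guide or product: it reports the policy values under `WindowsUpdate` and `WindowsUpdate\AU` against an expected WSUS URL, and checks the state of the Remote Registry service that the second contact method depends on. The URL in `$ExpectedWsus` is a constructed sample; the registry value names (`WUServer`, `UseWUServer`, `AUOptions`, `DetectionFrequency` and so on) are the documented Windows Update policy values.

```powershell
# Added example (not BeyondInsight code). Reads the Windows Update policy values
# that the Smart Rule deployment writes and reports whether this client is really
# pointed at the intended WSUS server. Run locally on a patch-enabled client or
# wrap the calls in Invoke-Command. $ExpectedWsus is a constructed sample value.

function Get-WsusClientConfig {
    param(
        [string] $ExpectedWsus = 'http://wsus01.example.internal:8530'   # constructed sample
    )
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = "$wuKey\AU"

    # A missing key yields $null instead of a terminating error
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

    # AUOptions is the documented policy value behind the "Important Updates" choices
    $auOptionText = @{
        2 = 'Check for updates but do not download'
        3 = 'Download updates but let me choose if the updates are installed'
        4 = 'Download and install updates automatically (scheduled)'
        5 = 'Allow local administrator to choose'
    }

    $findings = New-Object System.Collections.Generic.List[string]
    if (-not $wu) {
        $findings.Add("Policy key $wuKey is missing: client is not WSUS-managed")
    } elseif ($wu.WUServer -ne $ExpectedWsus) {
        $findings.Add("WUServer is '$($wu.WUServer)', expected '$ExpectedWsus'")
    }
    if ($wu -and $wu.WUStatusServer -ne $wu.WUServer) {
        $findings.Add('WUStatusServer differs from WUServer: status reports go to a different host')
    }
    if (-not $au -or $au.UseWUServer -ne 1) {
        $findings.Add('UseWUServer is not 1: client ignores WUServer and uses Microsoft Update')
    }
    if ($au -and $au.NoAutoUpdate -eq 1) {
        $findings.Add('NoAutoUpdate is 1: Automatic Updates is disabled on this client')
    }

    [pscustomobject]@{
        WUServer           = $wu.WUServer
        WUStatusServer     = $wu.WUStatusServer
        UseWUServer        = $au.UseWUServer
        AUOptions          = if ($au.AUOptions) { $auOptionText[[int]$au.AUOptions] } else { 'not set' }
        # ScheduledInstallDay: 0 = every day, 1 = Sunday ... 7 = Saturday; ScheduledInstallTime is the hour (0-23)
        ScheduledInstall   = if ($null -ne $au.ScheduledInstallDay) { "day $($au.ScheduledInstallDay) at $($au.ScheduledInstallTime):00" } else { 'not set' }
        DetectionFrequency = if ($au.DetectionFrequencyEnabled -eq 1) { "$($au.DetectionFrequency) h" } else { 'default (22 h)' }
        Findings           = $findings
    }
}

# The second contact method listed above needs the Remote Registry service;
# reporting its state explains a failed registration before you retry it.
function Test-RemoteRegistryReady {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='RemoteRegistry'"
    [pscustomobject]@{
        State     = $svc.State        # Running / Stopped
        StartMode = $svc.StartMode    # Auto / Manual / Disabled
        Usable    = ($svc.State -eq 'Running' -or $svc.StartMode -ne 'Disabled')
    }
}

Get-WsusClientConfig | Format-List
Test-RemoteRegistryReady
```

An empty `Findings` list with `UseWUServer` equal to 1 and the expected `WUServer` is the state a registered asset should be in; `DetectionFrequency` should match the value you entered in step 6.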
Redeploying Configuration
You might need to redeploy the Smart Rule configuration settings in the following scenarios:
• Registry settings are not properly set on the client
• Certificate for 3rd party patching not properly set
Select Redeploy Configuration to apply the settings in the Patch-enabled Smart Rule.
Refreshing WSUS Data in the Database
After you create a Patch-enabled Smart Group, the BeyondInsight service imports WSUS data into the
BeyondInsight database.
Note: The import will not run when the WSUS server is synchronizing with the Microsoft Update server or an
upstream server.
The BeyondInsight service polls the WSUS server every 4 hours to retrieve the latest data. You can, however,
refresh the data on demand.
To refresh the data on demand:
1. Select the Configure tab, and then select Patch Management.
2. Select the Data Import tab.
3. Click the Trigger Import for Group icon.
Approving Patch Updates
After you register a Smart Group for patch updates, you can approve the patches for installation.
Track the status of patch updates on the Patch pane. Select the Assets tab, and then select Patch from the list.
On the Approvals page, you can filter the patch status to determine the patches that are installed, not installed,
failed, and more.
Note that on the Approvals page, the most recent patches available are always displayed. Any older patches
superseded by new patches are no longer displayed. You can however, select the Show Superseded Patches check
box to review older patches not applied.
To display the Superseded column, click the Preferences button, and then select Superseded.
To approve patch updates for registered Smart Groups:
1. Select the Assets tab, and then select Patch from the list.
After a patch group is registered, you can access the last accessed group through the Mitigate button on the
Dashboard.
2. Select a registered Smart Group from the browser pane.
To view the number of patch updates installed and not installed, hover on the icon.
3. Select an asset, and then click i.
By default, only critical updates are displayed. You might need to change the filters to display the relevant
patches. Click the Filters button and select the filters.
To view superseded patches, select the Show Superseded Patches check box.
Patches are superseded when a new patch is available.
Microsoft patches are superseded automatically when a synchronization occurs with WSUS.
4. Select a patch, and then select Approve.
5. Select the All Groups check box to apply the patch to all registered patch Smart Groups; or select the check
box for a particular Smart Group.
The assets are set to check in with the WSUS server every hour.
If you select All Groups, and a group already has approved patches, the menu changes to Keep existing approvals.
This ensures that all previously approved patches will still be deployed at the scheduled time.
Select Decline to remove the patch from the Not Installed list.
Selecting Not Approved does not apply the patch to the selected Smart Group; the patch is, however, still displayed
in the Not Installed list.
Reviewing Patch Details
Click i to review more information about the update.
Click Apply Patch Now to install the update to the designated assets. When selected, the clients are forced to check
in with WSUS. The patch is applied immediately regardless of the installation settings in the Smart Group associated
with the clients. The credentials in the Smart Group are used to apply the patch.
Note that the client evaluates and downloads the patch before the installation occurs.
Deleting Patches
You can delete patches either on the Asset details page or on the approval page where patches are listed.
Third-Party Patching
You can download and deploy patches for third-party products such as Adobe, WinZip, and Apple. For a complete
list, see List of Supported Vendors.
You can subscribe to vendor patches through the BeyondInsight Configure tab.
Generating a Certificate
Note: Windows Server 2012 R2 Support.
WSUS no longer supports generating self-signed certificates. Visit the following web site for more
information and a workaround:
http://blogs.technet.com/b/wsus/archive/2013/08/15/wsus-no-longer-issues-self-signed-certificates.aspx
After setting up a connection to WSUS, a Third Party section is available.
A message indicates that a certificate is required when you initially log on and go to the Third Party section. The
certificate establishes trust between the WSUS server and the client.
If the WSUS connection is configured to use SSL, you can use the Import button on the Third Party Certificate tab to
import an external certificate or use the Generate button to create a self-signed certificate.
Note that if the upstream server has a third-party certificate, then the downstream server automatically receives
the certificate. The certificate feature is not available on downstream-only servers.
Click Generate.
Note: In some scenarios, generating a self-signed certificate might not work. Additional configuration might be
required on the Windows Server 2012 computer. Visit the following web site for more information:
http://technet.microsoft.com/en-us/library/hh134747.aspx#PublishToServer2012
Self-signed Certificates
If you are using a self-signed certificate for 3rd Party Patching, sometimes Windows will automatically delete it.
If Windows finds a discrepancy with an intermediate certificate on the server, it checks the certificate against its
list of approved SSL certificates. If the certificate does not match, Windows removes it and logs the following in the
Application log:
Event ID: 4108
Successful auto delete of third-party root certificate
To disable this feature and keep your root certificate installed:
1. Click Start > Run > “gpedit.msc” > OK.
2. Double-click Administrative Templates > System > Internet Communication Management.
3. Select Internet Communication settings.
4. Double-click Turn off Automatic Root Certificates Update.
5. Select Enabled, and then click OK.
Subscribing to Vendor Patch Updates
To subscribe to vendor patch updates:
1. Select the Configure tab, and then select Patch Management.
2. In the Products and Classifications section, select the vendor patches that you want to subscribe to.
Note that the patch classifications apply to Microsoft updates only.
3. Select the check boxes for the vendor products, and then click Save.
List of Supported Vendors
Adobe Flash Player
Adobe Acrobat
Adobe Systems Incorporated
Adobe Reader
Adobe Shockwave - Firefox/IE
Apple Incorporated Safari
Foxit Corporation Foxit Reader
Google Incorporated Chrome
Igor Pavlov (LGPL) 7-Zip
Mozilla Foundation Mozilla Firefox
Opera Software ASA Opera Browser
Oracle Corporation Sun Java
win.rar GmbH WinRAR
WinZip International LLC WinZip
System Center Configuration Manager
In BeyondInsight, you can create a connection to your Microsoft System Center Configuration Manager (SCCM) site
server and manage the software updates to the collections.
Overview
The SCCM feature in BeyondInsight offers you a way to create a connection to your SCCM server and manage
deploying software packages to selected collections.
An important difference between traditional Smart Groups in BeyondInsight and the SCCM Smart Groups is that
asset data is gathered from the collections in SCCM and is stored in the BeyondInsight database. The assets have not
been scanned by BeyondInsight. You can use the synchronize feature on the SCCM configure page to ensure the
most current data resides in the BeyondInsight database.
The package deployment feature in BeyondInsight is similar to SCCM and offers most of the options that you are
already familiar with.
How Patching with SCCM Works
• BeyondInsight connects to an existing SCCM server for Patch Management.
• SCCM Computer Groups can be imported from SCCM (as ‘Read Only’ Smart Groups).
• Patches (Software Updates) are identified and selected to include in a SCCM deployment package. This includes
3rd party applications.
For 3rd party applications to be deployed, you must:
– establish a connection between the SCCM server and the configured WSUS server.
– deploy the WSUS server 3rd Party certificate to the SCCM client. You can use a GPO for the certificate
deployment. See SCCM and 3rd Party Patching.
• The SCCM client retrieves the deployment package and installs the applicable patches.
Requirements
• The client must have SCCM installed or patches cannot be deployed and applied.
• The SCCM Smart Groups are not patch-enabled like the WSUS Smart Groups.
• The SCCM instance must have an Active Software Update Point component configured prior to making a
connection from BeyondInsight.
Creating a Connection to a SCCM Site Server
You must create a connection to the SCCM site server in the BeyondInsight management console.
To connect to a SCCM site server:
1. On the BeyondInsight console, select Configure, and then click the SCCM tab.
2. Click +, and then enter the server name, domain, user name and credentials for the server.
3. Click Test Connection to ensure the information is correct.
4. Click Save.
5. After you create the connection to a SCCM site server, additional tabs are available.
You must select the collections to include in the Smart Group.
6. Click the Collections tab.
7. Select the collections, and then click Save.
A collection includes the assets that you want to apply patches to. Collections are displayed here if at least one
asset is detected in the collection.
Note: You cannot change the autogenerated Smart Group.
A unique identifier (the site code) is added to every SCCM Smart Group. This helps to identify the SCCM Site Server
where the collection is from.
Deploying a Package to a Collection
After you create a connection to the SCCM server and the autogenerated Smart Group is created, you can create
and deploy packages.
To deploy a package:
1. Select the collection in the Smart Groups browser pane.
2. Select SCCM from the list.
Review the client list to ensure that all targets have the SCCM client installed.
3. Click Updates.
4. Review and select updates, and then click Deploy.
The page identifies the software available to deploy and the status of the software on the assets in the
collection: Installed, Required, N/A, and Unknown.
5. On the Deployment Package Details page, enter the following information:
– Package name, description and deployment package location.
Note: The package source location must be entered as a UNC path (\\servername\share\package name)
and must be unique for every package that you deploy. The share must already be created on the
server. This is SCCM behaviour.
6. Select the optional additional settings:
– Software Distribution Points
– Enforce an installation deadline for this deployment
– Set an expiration time for this deployment
– Enable Wake On Lan when the deadline for this deployment has been reached
– Enable user notifications
– Enable reboot of client machines outside of maintenance window
– Suppress system restart on Workstations
– Suppress system restart on Servers
7. Click Deploy.
You can keep track of the successfully deployed packages on the Jobs page.
SCCM and 3rd Party Patching
If you are using SCCM, you can publish 3rd party patches to an Active Software Update Point (SUP) by configuring
the Update Point (WSUS server) on the Configure > Patch Management tab in BeyondInsight.
Any SUP that has an active WSUS connection in RCS should not be used to create Patch-enabled Smart Rules. For
more information, see Connecting to a WSUS Server.
Using Group Policy to Configure SCCM Assets for 3rd Party Patches
Configuring SCCM assets to accept 3rd Party Patches involves two steps:
• Exporting the WSUS Certificate
• Configuring the Group Policy Object
Exporting the WSUS Certificate
Go through the steps in this section on the WSUS server that is the Active Software Update Point for SCCM.
For detailed information on exporting a certificate, refer to the Help file available with the Certificates snap-in.
To export a WSUS certificate:
1. Run mmc, and then add the Certificates snap-in.
Be sure to select Computer account, and Local computer.
2. Expand the WSUS node.
3. Right-click WSUS Publishers Self-signed and select All Tasks > Export.
4. In the Certificate Export Wizard, select the following:
– No, do not export the private key
– DER encode binary X.509 (.CER)
– Enter a file name for the certificate and go through the remaining pages of the wizard.
Configuring the GPO
Use the following procedures to configure the Group Policy Object (GPO) to deploy configuration to SCCM enabled
assets. The GPO saves the WSUS certificate to the appropriate certificate stores and configures the assets to accept
third-party patches from non-Microsoft sources.
After the GPO is created, it must be linked to an OU that contains the SCCM assets that you want to receive 3rd
party patches.
To configure assets using Group Policy on Windows Server domains:
1. Open Group Policy Management Console (GPMC) on a domain controller.
2. Create a GPO for the certificate at the domain level:
a. Select the domain you want to use, and then click Action > Create a GPO in this domain, and Link it here.
b. Enter a name for the GPO, and then click OK. For example, enter Patch Management Client Configuration
Policy.
3. Select the new object, and then click Action > Edit.
4. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
5. Import the WSUS publishing certificate to the Trusted Root Certification Authorities and Trusted Publishers
stores.
6. Turn on signed updates in the Windows Update administrative template:
a. Expand Computer Configuration > Policies > Administrative Templates > Windows Components, and
then select Windows Update.
b. Double-click Allow signed updates from an intranet Microsoft update service location.
c. Select Enabled, and then click OK.
7. Select an OU or domain and create a link to this new GPO.
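The certificate export in the previous section and the GPO in this one are the two halves of the same trust chain: the WSUS publishing certificate must leave the WSUS server as a public-key-only DER file and arrive in both the Trusted Root Certification Authorities and Trusted Publishers stores on every SCCM client, with signed intranet updates allowed. The PowerShell below is an added example, not code from the BeyondInsight guide or product. `Export-WsusPublisherCert` runs on the WSUS server that is the Software Update Point and assumes the certificate lives in the `WSUS` LocalMachine store that the mmc steps expand; `Test-ThirdPartyPatchTrust` runs on a client and verifies what the GPO should have produced, including the self-signed certificate auto-deletion (Event ID 4108) described under Self-signed Certificates. The registry values it reads (`AcceptTrustedPublisherCerts`, `DisableRootAutoUpdate`) are the policy values behind the two Group Policy settings named in this guide.

```powershell
# Added example (not BeyondInsight code). Server side: export the WSUS publishing
# certificate exactly as the wizard steps do (no private key, DER .cer).
# Client side: verify the GPO result and look for evidence of auto-deletion.

function Export-WsusPublisherCert {
    param([string] $OutFile = "$env:TEMP\WSUSPublishers.cer")
    # Assumption: the WSUS store is addressable as Cert:\LocalMachine\WSUS
    $cert = Get-ChildItem Cert:\LocalMachine\WSUS |
            Where-Object { $_.Subject -like '*WSUS Publishers Self-signed*' } |
            Select-Object -First 1
    if (-not $cert) { throw 'WSUS Publishers Self-signed certificate not found in the WSUS store' }

    # -Type CERT writes DER-encoded X.509; Export-Certificate never writes a private key
    Export-Certificate -Cert $cert -FilePath $OutFile -Type CERT | Out-Null

    # Re-read the file and confirm it is the same certificate before distributing it
    $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $OutFile
    if ($check.Thumbprint -ne $cert.Thumbprint) { throw 'Exported file does not match the source certificate' }
    return $cert.Thumbprint
}

function Test-ThirdPartyPatchTrust {
    param([Parameter(Mandatory)][string] $Thumbprint)   # thumbprint returned by the export above
    $problems = New-Object System.Collections.Generic.List[string]

    # The GPO must place the certificate in BOTH LocalMachine stores
    foreach ($store in 'Root', 'TrustedPublisher') {
        if (-not (Test-Path "Cert:\LocalMachine\$store\$Thumbprint")) {
            $problems.Add("certificate $Thumbprint missing from LocalMachine\$store")
        }
    }

    # "Allow signed updates from an intranet Microsoft update service location"
    $wu = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
    if ($wu.AcceptTrustedPublisherCerts -ne 1) {
        $problems.Add('AcceptTrustedPublisherCerts is not 1: non-Microsoft signed updates will be rejected')
    }

    # "Turn off Automatic Root Certificates Update" (prevents the auto-delete of a self-signed root)
    $authRoot = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot' -ErrorAction SilentlyContinue
    if ($authRoot.DisableRootAutoUpdate -ne 1) {
        $problems.Add('DisableRootAutoUpdate is not 1: a self-signed root may be auto-deleted (Event ID 4108)')
    }

    # Evidence that a root was already removed: CAPI2 Event ID 4108 in the Application log
    $deleted = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 4108 } -MaxEvents 5 -ErrorAction SilentlyContinue
    if ($deleted) {
        $problems.Add("Event 4108 seen $($deleted.Count) time(s); most recent at $($deleted[0].TimeCreated)")
    }

    [pscustomobject]@{
        Thumbprint = $Thumbprint
        Trusted    = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Usage: on the WSUS/SUP server
#   $tp = Export-WsusPublisherCert -OutFile C:\Temp\WSUSPublishers.cer
# then on an SCCM client after gpupdate
#   Test-ThirdPartyPatchTrust -Thumbprint $tp
```

Checking by thumbprint rather than by subject name matters: a client that has a different "WSUS Publishers Self-signed" certificate (for example from a previous WSUS server, or one regenerated after the export) will still fail signature validation on third-party packages even though a name-based check would pass.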
Retina Protection Agents
Overview
This section provides information on how the Retina Protection agent deployment works.
How RP Agent Deployments Work
The Application Bus service receives a message from BeyondInsight to start a deployment. A
deployment package is created and includes these files:
• BlinkSetup.exe
• #deploy.xml
• deployc.pfx
• msxml3.dll
• msxml3r.dll
• startdeplservice.exe
To ensure secure deployment, the deployc.pfx file includes a security certificate,
EmsClientCert.pfx.
The package is queued and ready to be copied to a share on the target asset.
This starts the deployment service (startdeplservice.exe).
This service sends a message to BeyondInsight indicating the job status.
When the deployment is complete, startdeplservice.exe is removed from the asset.
The service runs BlinkSetup.exe and installs:
• The VS2008 runtime environment, if required.
• RPA
The service then reports to BeyondInsight that the installation was successful.
Downloading Retina Protection Agents
The Retina Protection Agent must be downloaded before you can deploy policies to selected assets.
You can download Retina Protection Agents using one of the following ways:
• Copy the Retina protection agent installer to the following directory: $Common Files\eEye Digital
Security\Shared Services Host\data\Setups\Blink\4.0.0. Change the name of the installer file to: BlinkSetup.exe
• Use the 3rd Party Deployment tool. See Using the 3rd Party Deployment Wizard.
Air Gapped Connectivity to BeyondInsight
If the server where BeyondInsight resides does not have an Internet connection, you can download Blink
Professional and Blink Server from the client portal.
• Change the name of Blink Professional to BlinkSetup.exe and copy to the following directory: C:\Program Files
(x86)\Common Files\eEye Digital Security\Shared Services Host\data\Setups\Blink\4.0.0\
• Change the name of Blink Server to BlinkSetup.exe and copy to the following directory: C:\Program Files
(x86)\Common Files\eEye Digital Security\Shared Services Host\data\Setups\Blink Server\4.0.0\
Configuring a Default Policy
You must configure the Default policy to use the BeyondInsight server as the central policy agent.
To configure the Default policy:
1. Select the Configure tab.
2. Click Protection Policies.
3. Select Default policy, and then select Edit Policy.
4. Click the pencil icon next to Master Rules.
5. Expand Misc Options then select General.
6. Expand Central Policy.
7. Select the Yes check box to use central policy.
8. Use the default protocol, https.
9. Enter the BeyondInsight server name and password.
10. Click Update.
Preparing Target Assets
Assets must have appropriate permissions in place so that the protection policies can be copied to the asset.
Using the 3rd Party Deployment Tool
Use the 3rd Party Deployment wizard to create Retina Protection Agent deployment packages. You can create a
directory, executable, or .msi.
To create a deployment package:
1. Select Start > All Programs > eEye Digital Security > Tools > 3rd Party Deployment Wizard.
2. Select the directory where you want to create the package files and where the package will be deployed.
3. Select the check boxes for the type of deployment package: Create Directory, Create Executable, Create
MSI.
4. Select Retina Protection Agent Setup information:
– Setup filename - Displays the name for the .exe. The default value is BlinkSetup.exe.
– Serial number - Enter the serial number for the Retina Protection Agent.
– Mode - Select a mode: Interactive, Alert Only, Silent, Hidden.
– Administrator password/confirm password - Enter a password.
– Enable Firewall - Select to turn on firewall protection.
– Enable Virus and Spyware Protection - Select to turn on virus and spyware protection.
– Enable Intrusion Prevention - Select to turn on intrusion prevention.
– Enable System Protection - Select to turn on system protection.
– 3rd party AV uninstall password - Enter the password to uninstall existing anti-virus and intrusion
prevention applications if detected during deployment.
5. Click Next.
6. To activate central policy, select the Use Central Policy check box.
a. Select the protocol: https, rem.
b. Select the server name where BeyondInsight resides.
c. Select the default policy.
d. Enter the password for central policy.
e. Enter the time interval to check for updates.
7. Click Next.
8. Select the Send REM events check box to activate REM events.
9. Click Next.
10. Enter your registration information and click Next.
11. Enter the URL to download updates. Click Next.
12. Click Finish.
Updating RPA Licenses
When your Retina protection agents (RPA) serial numbers are close to expiry, you can deploy a serial number to all
assets where RPAs are deployed.
To update the serial number:
1. Select the Assets tab.
2. Select Agents, and then click Relicense.
3. Select the assets from the Smart Groups browser pane.
4. In the Deploy section, select: currently selected assets, single IP address, IP range, CIDR notation or named
host.
5. Select the check box to skip the assets that do not have an RPA deployed.
6. Enter credentials.
7. Enter the serial number.
8. Click Run.
Deploying the Protection Policies
Use the following procedure to deploy protection policies to selected assets and agents.
Checkpoint
– Policies are only available after you deploy Retina protection agents. For more information, see
Downloading Retina Protection Agents.
– Before proceeding, you might want to customize your policies. For more information, see Configuring
Protection Policies.
Note: Turn off the Require SSL setting in IIS Manager for the BeyondInsight default web site.
Otherwise, the status displayed does not indicate when the deployment has successfully completed.
To deploy protection policies:
1. Create a Smart Group that includes the assets where you want to deploy the Retina Protection Agent.
The settings that you must include are the Protection Agents, Show asset as Smart Group, and Assign EPP
Policy.
Additionally, you must also include the assets. The following example shows the Address Group as the
container
Reviewing Details about Protection Agents
You can review the following information for a protection agent on the Agents tab:
• Policy name
• Protection agent version
• Computer name where the agent is deployed
• Operating system
To review protection agent details:
1. Select the Assets tab, and then select Agents from the list.
2. To review only protection agent information, click the Preferences button and clear any Retina scanner check
boxes (for example, Retina Version and Agent Name). This is optional.
3. Click the Filters button to set sorting information on the protection agents. This is optional. This is helpful if
there are a lot of protection agents deployed in your environment.
Note that you cannot sort by Protection Agent Policy name.
Removing Protection Agents
You can remove a deployed protection agent from an asset.
To remove a protection agent:
1. Click the Assets tab.
2. Select Agents from the list.
3. Click Uninstall.
4. Enter the IP addresses for the assets.
5. Enter the credentials, and then click Run.
Configuring Protection Policies
When setting up a protection solution using BeyondInsight, you need to determine the rules that you want to use to
protect your assets. BeyondInsight ships with a set of default rules and rule groups.
After you determine the rule set and configure rules, you can attach the rule groups to a policy. The policy is then
deployed to your assets.
Working with Rules and Rule Groups
When creating rules and rule groups, review the following sections to understand how they work.
Rule Group Ordering
When there is more than one rule group attached to a policy, the rules for all attached groups are automatically
merged into an effective set of rules for the policy.
In the case where a specific rule is set in more than one attached group, the group that is located higher in the list
of attached groups takes priority. You can click and drag on attached Rule Groups to modify their ordering and thus
their resulting relative priority.
BeyondInsight ships with a set of default rules. Each new policy automatically inherits these default settings. Some
rules are “on” while others are “off.” Changing a default value is considered an override even if that setting is later
changed to its default state. This is important to understand since a rule setting override is considered when
multiple Rule Groups are merged in a given Policy, but rules considered to be in their “factory default” state are
not.
To remove all rule setting overrides, from a rule category in a Rule Group, select that category and click the arrow
next to the category title. In the context menu that appears, select “Revert to factory.”
For example, consider three cases where two Rule Groups are attached to a policy, Group A (highest priority) and
Group B. The factory default setting for a particular rule is “off”.
• Case 1: In Group B, that rule is set to on. The rule in Group A has never been changed and is considered the
“default.” The effective merged rule setting will be “on”.
• Case 2: The rule in Group B is set to “on”, but in Group A that rule has been set to “on” previously, but later set
to “off”. Since this “off” setting is now considered an override over the default setting, the effective merged
rule setting will now be “off.”
• Case 3: The rule category where this rule resides is “reverted to factory default” for Group A and now the
effective merged setting is once again “on”, this case now being identical to the first.
Master Rules
Every policy has a set of Master Rules which can be considered a non-shared Rule Group (it is specific to one policy
only) that always has the highest priority when rules are merged. Any rule set in the Master Rules section will
override the same rule setting in any attached groups.
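The override-versus-factory-default distinction is what makes Case 2 surprising, so it is worth having a model of the merge you can run through the three cases and the Master Rules precedence. The PowerShell below is an added example, not BeyondInsight's own merge code: it treats each attached group as a set of explicit overrides (a rule is an override once it has ever been changed, whatever its current value), walks the groups from lowest to highest priority so higher groups overwrite, and applies Master Rules last. The group names and the rule name are constructed for the example.

```powershell
# Added example (not BeyondInsight code): a model of the rule-merge behaviour
# described above. Each attached group carries only its overrides; a rule left at
# factory default does not take part in the merge. Groups are ordered highest
# priority first, and Master Rules always win.

function Merge-RuleGroups {
    param(
        [hashtable] $FactoryDefaults,   # rule name -> factory default value
        [hashtable] $MasterRules,       # rule name -> value; always overrides
        [object[]]  $AttachedGroups     # highest priority first; each @{ Name = ...; Overrides = @{ rule -> value } }
    )
    $effective = @{}
    foreach ($rule in $FactoryDefaults.Keys) {
        $value  = $FactoryDefaults[$rule]
        $source = 'factory default'
        # Walk from lowest to highest priority so a higher group simply overwrites a lower one
        for ($i = $AttachedGroups.Count - 1; $i -ge 0; $i--) {
            $g = $AttachedGroups[$i]
            if ($g.Overrides.ContainsKey($rule)) { $value = $g.Overrides[$rule]; $source = $g.Name }
        }
        if ($MasterRules -and $MasterRules.ContainsKey($rule)) { $value = $MasterRules[$rule]; $source = 'Master Rules' }
        $effective[$rule] = [pscustomobject]@{ Rule = $rule; Value = $value; SetBy = $source }
    }
    return $effective
}

# "Revert to factory" removes the override, so the rule no longer participates in the merge
function Revert-ToFactory {
    param([hashtable] $Group, [string] $Rule)
    $Group.Overrides.Remove($Rule)
}

# Constructed rule: factory default is "off", as in the guide's three cases
$defaults = @{ 'Block inbound ICMP' = 'off' }
$groupA   = @{ Name = 'Group A'; Overrides = @{} }                              # highest priority
$groupB   = @{ Name = 'Group B'; Overrides = @{ 'Block inbound ICMP' = 'on' } }

# Case 1 from the guide: only Group B has touched the rule
(Merge-RuleGroups $defaults @{} @($groupA, $groupB))['Block inbound ICMP']

# Case 2 from the guide: Group A set the rule on and later back to off; "off" is still an override
$groupA.Overrides['Block inbound ICMP'] = 'off'
(Merge-RuleGroups $defaults @{} @($groupA, $groupB))['Block inbound ICMP']

# Case 3 from the guide: Group A's category reverted to factory, so the merge is Case 1 again
Revert-ToFactory $groupA 'Block inbound ICMP'
(Merge-RuleGroups $defaults @{} @($groupA, $groupB))['Block inbound ICMP']

# Master Rules outrank every attached group regardless of ordering
(Merge-RuleGroups $defaults @{ 'Block inbound ICMP' = 'off' } @($groupA, $groupB))['Block inbound ICMP']
```

The `SetBy` field is the practical part of the model: when a deployed policy behaves differently from what a group's rule list suggests, knowing which group (or Master Rules) supplied the effective value tells you where the override lives and whether "Revert to factory" on that category will clear it.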
Creating a Rule Group and Setting Rules
A Rule Group is a container for the rules that you want to apply to protect your assets. In BeyondInsight, a rule
group can contain any combination of rule categories that includes: system firewall, application firewall, IPS
signatures, and Trusted and Banned IPs. In each rule category, there are particular rules that you can activate if you
want to provide that specific protection to your asset.
Rule groups provide proactive and reactive protection against intruders, internal attacks and machine misuse. When
assigned to a policy, rule groups are applied to assets, such as networks, servers, workstations and laptops.
To create a rule group:
1. Select the Dashboard tab and click Protect; or select the Assets tab, and then click Protect.
2. Click Manage Rule Groups.
3. On the Manage Rule Groups page, you can:
– Click + to add a rule group. Enter a name for the rule group.
– Select the rule group from the Rule Groups pane to change the rule group properties. You can type the
name of the rule group in the box to search for the rule group.
– Select the rule group and click - to delete the rule group.
4. Select a rule group, then select a rule category to display the associated rules.
Rule categories with arrows contain subcategories. Click the arrow to display the subcategories; select the
subcategory to display the rules.
5. Select a rule name check box to activate the rule. To create a rule, go to Rules.
6. Click Revert to revert to either last saved or the default value for the rule category.
7. Click Update.
Creating a Protection Policy
Create a policy that defines the rules you want to apply to your assets.
You can create a dynamic protection policy. A dynamic policy includes conditions that determine the assets where
the protection policy will be applied. For more information, see Creating a Dynamic Protection Policy.
Checkpoint
– At least one policy category must be created to create a policy. See Organizing Policies.
To create a protection policy:
1. Select the Assets tab.
2. Click Protect.
You can also create a policy from the Configure tab.
3. Click New Policy.
Drag rule groups to the rules pane. For more information, see Rule Groups.
4. Click Create.
5. Enter the name of the policy and the policy group to which it is a member. Click Update when editing an
existing policy.
Creating a Dynamic Policy
You can attach a location to a policy. When a policy is processed, rule groups and locations in the policy are also
processed.
Locations and conditions define when a policy will be deployed to particular assets.
• Location – One or more conditions.
• Condition – A set of criteria that determines the assets.
Assets in an environment can change or be removed. The policy is dynamic since only those assets that meet the
criteria in the condition are included.
You manage locations from an existing policy or while creating a new policy.
The following procedure shows you how to create a condition and add the condition to a location.
To create a dynamic policy:
1. Select the Dashboard tab, and then click Protect; or select the Assets tab and click Protect.
2. Click New Policy.
You can also add locations to existing policies.
3. Click Add Location.
4. From the Location menu, select Manage Locations.
5. Click the + sign. Enter a name and click Create.
To edit an existing location, select the location from the Location pane. To delete a location, select the location
from the Location pane and click the - sign.
6. Click Manage.
On the Manage Conditions window, you can create and delete conditions.
a. Click + to create a condition. Enter a name and click Create.
b. Select Command or Script from the Command Type list.
Command options:
– Check Reachable – In the Command Parameters box, type the IP address or domain name.
Pings the IP address or domain name to verify access in the network. For example, if the IP address or
domain is reachable, then the policy can be applied.
– Compare Version – Verifies which version of protection agent is installed on the assets. This feature will
be available at a later date.
– Verify DNS – In the Command Parameters box, type the IP address. Confirms the Domain Name System
server.
– Verify DHCP – In the Command Parameters box, type the IP address.
Confirms the Dynamic Host Configuration Protocol server.
Script options:
– Script Name – Java or Visual Basic script file. Click Upload Script to upload a script.
– Script Parameters – Script file location.
c. Select the Network Status Change Events check box if you want to log network status changes.
d. Click Update.
7. Drag the condition from the Conditions pane.
8. More than one condition can apply to a location. The following operators are available:
– And = &
– Or = |
– Not = !
– Parentheses group conditions
9. Click Update.
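Because a location is a boolean combination of condition results, it helps to see how an expression such as `Reachable-DC & (Verify-DNS | Verify-DHCP)` resolves before attaching it to a policy. The following PowerShell is an added example, not BeyondInsight's own expression parser: a small recursive-descent evaluator for the operators listed above, run against a table of constructed condition results. The guide does not state operator precedence, so this example assumes the usual C-style order (`!` binds tightest, then `&`, then `|`); in the product, use parentheses to make the grouping explicit rather than relying on that assumption.

```powershell
# Added example (not BeyondInsight code): evaluate a location expression built
# from the operators & | ! and parentheses over a table of condition results.
# Precedence (assumed, lowest to highest): |  then  &  then  !

function Test-LocationExpression {
    param([string] $Expression, [hashtable] $Results)   # Results: condition name -> $true / $false

    # Tokenise into condition names (letters, digits, _ and -), operators and parentheses
    $tokens = @([regex]::Matches($Expression, '[A-Za-z0-9_\-]+|[&|!()]') | ForEach-Object { $_.Value })
    $state  = @{ Pos = 0 }   # shared cursor; a hashtable so the nested functions see updates

    function Peek { if ($state.Pos -lt $tokens.Count) { $tokens[$state.Pos] } }
    function Take { $t = $tokens[$state.Pos]; $state.Pos++; $t }

    # or := and ('|' and)*
    function ParseOr  { $v = ParseAnd; while ((Peek) -eq '|') { [void](Take); $v = (ParseAnd) -or $v }; $v }
    # and := not ('&' not)*
    function ParseAnd { $v = ParseNot; while ((Peek) -eq '&') { [void](Take); $v = (ParseNot) -and $v }; $v }
    # not := '!' not | atom
    function ParseNot { if ((Peek) -eq '!') { [void](Take); return -not (ParseNot) }; ParseAtom }
    # atom := '(' or ')' | condition-name
    function ParseAtom {
        $t = Take
        if ($t -eq '(') {
            $v = ParseOr
            if ((Take) -ne ')') { throw 'expected )' }
            return $v
        }
        if ($null -eq $t -or $t -in '&', '|', '!', ')') { throw "unexpected token '$t'" }
        # An undefined condition is an error rather than silently false
        if (-not $Results.ContainsKey($t)) { throw "unknown condition '$t'" }
        [bool] $Results[$t]
    }

    $result = ParseOr
    if ($state.Pos -ne $tokens.Count) { throw "unexpected trailing token '$($tokens[$state.Pos])'" }
    $result
}

# Constructed results for three conditions attached to a location
$conditions = @{ 'Reachable-DC' = $true; 'Verify-DNS' = $true; 'Verify-DHCP' = $false }
Test-LocationExpression 'Reachable-DC & (Verify-DNS | Verify-DHCP)' $conditions
Test-LocationExpression '!Verify-DHCP & Reachable-DC' $conditions
Test-LocationExpression 'Reachable-DC & Verify-DHCP' $conditions
```

The evaluator deliberately fails on an unknown condition name instead of treating it as false: a policy that silently never applies because of a typo in a condition name is harder to notice than one that refuses to evaluate.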
Organizing Your Policies
A policy category is a set of similar policies. A policy must be assigned to a category when the policy is created.
To organize policies:
1. Select the Dashboard tab and click Protect; or select the Assets tab and click Protect.
You can also create a category from the Configure tab.
2. Click New Policy Category.
3. Enter the policy category name and click Create.
4. Drag policies from other policy categories to populate the new policy category.
Rules Reference
As mentioned earlier, a protection policy contains the security rules that are deployed to your assets.
This section details the rules available to you.
You can create, copy, edit, and delete rules. You cannot create rules for the following rule categories: Identity Theft
and Analyzers.
To copy, edit, or delete a rule:
1. Select the Dashboard tab and click Protect; or select the Assets tab and click Protect.
2. Click Manage Rule Groups.
You can also manage rule groups from the Configure tab (Protection Policies).
3. Select a rule group from the Rule Groups pane. You can also type the name of the rule group in the box to
search for a rule group.
4. Select the rule category.
5. Select a rule name check box to activate the rule.
6. Select the rule, click the arrow and select one of the following menu items:
– Edit Rule – to edit the selected rule. Click the pencil icon to change the settings.
– Duplicate Rule – to create a copy of the rule. Edit the new rule as needed.
– Delete Rule – to delete the selected rule.
Note that menu items are not available on all rules.
System Firewall Rules
System firewall rules control the flow of data by examining each packet and determining whether to forward the
packet toward a specific destination.
To create system firewall rules:
1. Select the Dashboard tab and click Protect; or select the Assets tab and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can also type the name of the rule group in the box to
search for a rule group.
4. Select the System Firewall rule.
5. Click Create New Rule to start the wizard.
6. Complete the following pages.
a. Action
– Allow – traffic that matches the rule can pass through the firewall.
– Deny – traffic that matches the rule cannot pass through the firewall.
– Ask – a message is displayed requesting permission to pass through the firewall.
– Log event – select to create an event log when the rule is matched.
– Alert user – receive and log alerts from Blink when the rule is matched. This can create a flood of
alerts and increase the size of the log file.
b. Protocol
– Select a protocol – TCP, UDP, TCP or UDP, ICMP, IP
c. Traffic Direction
– Traffic from Other Computers – filters only inbound traffic received by your computer.
– Traffic from This Computer – filters only outbound traffic sent from your computer.
– Any Direction – filters both inbound and outbound traffic.
d. Local IPs & Ports
– Rule applies to all IP addresses – Create a rule for all local IP addresses.
– Specific local IP addresses – Click +, and then select: Determine IP(s) at run-time, Single IP, IP Range,
or Subnet. Click Set.
– Rule applies to all ports – Create a rule for all ports.
– Specific ports – Click +, and then enter a port number, port list, or port range.
Use a comma to separate values. Ports in a range are separated with a hyphen.
e. Remote IPs & Ports
Options on this page are the same as Local IPs & Ports page.
f. Rule Summary
– Click Finish.
Enter a name and description for the rule.
Place at the top of the rule list – select to run the rule first.
Application Firewall Rules
Application Firewall rules tailor the protection closer to the applications and the specific network environment
being protected.
To create an Application Firewall rule:
1. Select the Dashboard tab and click Protect; or select the Assets tab and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can also type the name of the rule group in the text box to
search for the rule group.
4. Select the Application Firewall rules category.
5. Click Create New Rule to start the rule wizard.
a. Application
– Full Path – BeyondInsight compares the path stored in the firewall rule to the path of the application
requesting network access.
The rule triggers when there is a match. Select this option for applications that are typically updated
during normal use.
– Process Name – BeyondInsight compares the application process name to the process that is
requesting network access.
The rule triggers when there is a match. This is the least secure option.
– MD5 – BeyondInsight creates and stores an MD5 checksum of the specified application. The MD5
algorithm is a method for signing and verifying a file and its contents mathematically. At run-time,
BeyondInsight compares this MD5 checksum to the checksum of the application that is requesting
network access.
The rule triggers when there is a match. This is the default value and the most secure option;
however, if the application changes during an auto-update, the rule becomes invalid. If selected,
enter the MD5 value.
– System Process – filters the system process requests from the Operating System or Kernel Drivers
running under a system context. Typical system processes include printing and file sharing.
b. Action
– Allow – traffic that matches the rule can pass through the firewall.
– Deny – traffic that matches the rule cannot pass through the firewall.
– Ask – a message is displayed requesting permission to pass through the firewall.
– Log event check box – select to create an event log when the rule is matched.
– Alert user check box – receive and log alerts from Blink when the rule is matched. This can create a
lot of alerts and increase the size of the log file.
c. Protocol
– Select a protocol – TCP, UDP, or TCP or UDP
d. Traffic Direction
– Traffic from Other Computers – filters only inbound traffic received by your computer.
– Traffic from This Computer – filters only outbound traffic sent from your computer.
– Any Direction – filters both inbound and outbound traffic.
e. Local IPs & Ports
– Rule applies to all IP addresses – Create a rule for all local IP addresses.
– Rule applies to all ports – Create a rule for all ports.
– Specific ports – Click +, and then enter a port number, port list, or port range.
Use a comma to separate values. Ports in a range are separated with a hyphen.
f. Remote IPs and Ports
Options on this page are the same as Local IPs & Ports page.
g. Rule Summary
– Click Finish.
Enter a name and description for the rule.
Place at the top of the rule list – select to run the rule first.
IPS Signature Rules
You can create IPS network signatures that filter a specific protocol, such as FTP, ICMP, and SMTP. For example, you
can create an application layer IPS signature that filters traffic from the subject line of all incoming or outgoing
email messages associated with the EMAIL protocol.
When you create an IPS signature rule, you can choose the Network Layer or Application Layer protocol. The
wizard pages change depending on the protocol that you select.
For the following procedure, the wizard pages described assume CGI Scripts and Network Layer options are
selected.
To create an IPS signature rule:
1. Select the Dashboard tab and click Protect; or select the Assets tab and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can type the name of the rule group in the box to search
for the rule group.
4. Expand IPS Signatures and select a subcategory to display the associated rules.
5. Click Create New Rule to start the wizard.
a. Protocol
– Select a protocol.
b. IP Protocol
– Fragment Flags – Select the check box then select: More Fragment, Don't Fragment Bit, Reserved Bit.
– Don't Care – The value is ignored.
– Set – The binary value of the corresponding flag for 1s only is verified.
– Not Set – The binary value of the corresponding flag for 0s only is verified.
– IP ID – Select Less Than, Equal To, or Greater Than and set the ID number.
– IP Protocol – Select Less Than, Equal To, or Greater Than and set the protocol.
– Time to Live – Select Less Than, Equal To, or Greater Than and set the time.
– IP Options – Select Record Route, End of Option List, No Operation, Internet Timestamp, Security, Loose
Source Routing, or Strict Source Routing.
– Type of Service – Select the service: Minimize Delay, Maximize Throughput, Maximum Reliability, or
Minimize Monetary Cost.
c. Traffic Direction
– Inbound – Filters only inbound traffic received by your computer.
– Outbound – Filters only outbound traffic sent from your computer.
– Both – Filters both inbound and outbound traffic.
d. Local IPs & Ports
– Rule applies to all IP addresses – Create a rule for all local IP addresses.
– Specific local IP addresses – Click +, and then select: Determine IP(s) at run-time, Single IP, IP Range, or
Subnet. Click Set.
– Rule applies to all ports – Create a rule for all ports.
– Specific ports – Click +, and then enter a port number, port list, or port range.
Use a comma to separate values. Ports in a range are separated with a hyphen.
e. Remote IPs & Ports
Options on this page are the same as Local IPs & Ports page.
f. Search Pattern
– Click +, and then type the pattern to search on.
You can create patterns using hex characters or a combination of ASCII and hex characters. A hex
sequence must be enclosed in < >.
– Start – (Optional) Enter the number of bytes to skip from the beginning of the packet’s payload.
– Depth – Enter the total number of bytes to search in the packet’s payload.
– Trigger rule if pattern not found – (Optional) Stop the action from completing when the pattern is
matched.
– Use regular expressions – (Optional) Find a specific word followed by an alphanumeric.
– Match case on pattern – (Optional) Find a pattern that matches the case in the Pattern field.
– Match only on patterns of same size – (Optional) Find a pattern that matches the size in the Pattern field.
g. Action
– Stop attack – Stop the attack by terminating the session or dropping packets.
– Capture Packets – Hold the packet for review by the user.
– Block IP for – Stop the attack for the specified number of minutes. Available only for TCP-based IPS
signatures.
This is not recommended for spoofable protocols, such as IP, UDP and ICMP. In a spoofable attack, an
attacker mimics the IP address of critical systems and then forces the IP address to be added to the
banned list.
– Log event – Create an event log when the rule is matched.
– Alert user – Receive and log alerts from RPA when the rule is matched. This can create a flood of alerts
and increase the size of the log file.
h. Specify Threshold
– Take action for every occurrence of the event – When the pattern is found, the action defined on the
Action page occurs.
– Take action when the threshold is exceeded – When the threshold is exceeded, the action defined on
the Actions page occurs.
The default is one event every one second.
i. Specify References
– (Optional) Enter more information about the vulnerabilities and exploits.
The information helps to define what the IPS signature protects against.
j. Set More Details
– Enter more information about the rule.
– Rule severity – Select a severity between 0 and 9 (highest severity). The severity level is included in the
event log.
k. Rule Summary
– Click Finish.
Enter a name and description for the rule.
Place at the top of the rule list – select to run the rule first.
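As an added example (not part of the original guide or of the RPA/BeyondInsight code), the following Python models the Search Pattern page above: a pattern written as ASCII, hex, or a mix with hex sequences enclosed in < >, the Start offset and Depth, Match case on pattern, and Trigger rule if pattern not found. The regular-expression and same-size options are not modelled; the sample payload is constructed rather than captured.

```python
"""Match an IPS Search Pattern against a packet payload.

Added example, not BeyondInsight/RPA code. It models the Search Pattern page
from the guide: a pattern written in ASCII, hex, or both with each hex sequence
enclosed in < >; the optional Start offset and the Depth in bytes; "Match case
on pattern"; and "Trigger rule if pattern not found". The regular-expression
and same-size options are not modelled. The payload and patterns below are
constructed, not captured traffic.
"""
import re

# One hex sequence inside angle brackets; spaces between bytes are tolerated.
HEX_RE = re.compile(r"<([0-9A-Fa-f\s]*)>")


def compile_pattern(pattern):
    """Turn 'USER <0d0a>' into b'USER \\r\\n'; text outside < > is taken as ASCII."""
    out = bytearray()
    pos = 0
    for m in HEX_RE.finditer(pattern):
        out += pattern[pos:m.start()].encode("ascii")
        digits = "".join(m.group(1).split())
        if len(digits) % 2:
            raise ValueError(f"odd-length hex sequence: <{m.group(1)}>")
        out += bytes.fromhex(digits)
        pos = m.end()
    out += pattern[pos:].encode("ascii")
    return bytes(out)


def pattern_found(payload, pattern, start=0, depth=None, match_case=True):
    """Search payload[start : start + depth] for the compiled pattern."""
    needle = compile_pattern(pattern)
    end = len(payload) if depth is None else start + depth
    window = payload[start:end]
    if not match_case:
        window, needle = window.lower(), needle.lower()
    return needle in window


def rule_triggers(payload, pattern, start=0, depth=None, match_case=True,
                  trigger_if_not_found=False):
    """Apply the 'Trigger rule if pattern not found' inversion to the search result."""
    found = pattern_found(payload, pattern, start, depth, match_case)
    return (not found) if trigger_if_not_found else found


# Constructed FTP login exchange used as the sample payload.
SAMPLE_PAYLOAD = b"USER anonymous\r\nPASS guest@example.com\r\n"

if __name__ == "__main__":
    # Anonymous FTP login, written as mixed ASCII and hex (CRLF as <0d0a>).
    print(rule_triggers(SAMPLE_PAYLOAD, "USER anonymous<0d0a>"))
    # Same pattern limited to a Depth of 10 bytes: the CRLF lies outside the window.
    print(rule_triggers(SAMPLE_PAYLOAD, "USER anonymous<0d0a>", depth=10))
```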
Trusted and Banned IPs
You can set trusted and banned IP addresses to manage lists of hosts processed by the Firewall and IPS protection
engines. You must activate Intrusion Prevention or System Firewall to use the Trusted and Banned IPs feature.
• Trusted IPs – Add the IP address or range of IP addresses of trusted critical machines. All data is then allowed
from the trusted systems.
Note that if a trusted system attacks your BeyondInsight-protected server or workstation, the attack will not be
detected.
• Banned IPs – Provides time-based traffic blocking from an IP address. You can ban an IP for a period of time or
indefinitely. Data flowing from known problematic hosts can be discarded without further processing.
If an IP address is added to the Trusted list and Banned list, that IP address is banned.
All IPS Analyzer rules and signatures can be configured to ban the attacker IP for a certain amount of time. For
example, you may want to slow down someone trying to guess your FTP password account by stopping them from
accessing the server for 10 minutes after each 10 failed attempts occurring in less than three minutes.
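As an added example (not part of the original guide or of the RPA/BeyondInsight code), the following Python models both the Specify Threshold option described under IPS Signature Rules and the Trusted and Banned IPs behaviour above, including the FTP scenario (ban for 10 minutes after 10 failed attempts in under three minutes), automatic expiry of a "Keep for [n] Minutes" ban, and the rule that an address on both lists is banned. All addresses, timestamps and list contents are constructed.

```python
"""Time-based banning driven by a threshold, plus Trusted/Banned list precedence.

Added example, not BeyondInsight/RPA code. It models the IPS threshold option
("take action when the threshold is exceeded"; the default is one event every
one second), Banned IPs expiry ("Keep for [n] Minutes" or Permanent, removed
automatically once the period elapses), the guide's FTP example (ban for
10 minutes after 10 failed attempts in under three minutes) and the rule that
an address on both the Trusted and Banned lists is banned. Addresses,
timestamps and list contents are constructed.
"""
from collections import defaultdict, deque
import ipaddress


class Threshold:
    """Fires once `count` events from the same source fall inside `seconds`."""

    def __init__(self, count=1, seconds=1.0):
        self.count, self.seconds = count, seconds
        self._events = defaultdict(deque)

    def record(self, source, now):
        """Record an event at time `now` (seconds); True when the threshold is reached."""
        window = self._events[source]
        window.append(now)
        while window and now - window[0] > self.seconds:
            window.popleft()                 # drop events that fell out of the window
        if len(window) >= self.count:
            window.clear()                   # act once, then start counting afresh
            return True
        return False


class IPLists:
    """Trusted and Banned IP lists as consulted by the Firewall and IPS engines."""

    def __init__(self):
        self.trusted = []                    # ip_network entries
        self.bans = {}                       # ip_network -> expiry time; None = Permanent

    def trust(self, cidr):
        self.trusted.append(ipaddress.ip_network(cidr, strict=False))

    def ban(self, cidr, now, minutes=None):
        """Keep for [n] Minutes, or Permanent when minutes is None."""
        net = ipaddress.ip_network(cidr, strict=False)
        self.bans[net] = None if minutes is None else now + minutes * 60

    def is_banned(self, ip, now):
        addr = ipaddress.ip_address(ip)
        for net, expiry in list(self.bans.items()):
            if expiry is not None and now >= expiry:
                del self.bans[net]           # deleted automatically after the period elapses
            elif addr in net:
                return True
        return False

    def disposition(self, ip, now):
        """'banned' (discarded without further processing), 'trusted' (all data allowed) or 'inspect'."""
        if self.is_banned(ip, now):          # Banned wins when an IP is on both lists
            return "banned"
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.trusted):
            return "trusted"
        return "inspect"


def apply_ftp_guess_policy(lists, failed_logins, attempts=10, window_seconds=180,
                           ban_minutes=10):
    """Feed (source_ip, time) failed-login events through the guide's FTP example."""
    threshold = Threshold(count=attempts, seconds=window_seconds)
    for src, t in failed_logins:
        if lists.disposition(src, t) == "banned":
            continue                         # traffic from a banned host is not processed
        if threshold.record(src, t):
            lists.ban(src, t, minutes=ban_minutes)
    return lists


# Constructed sample: one host fails a login every ten seconds; another fails twice.
SAMPLE_FAILURES = [("203.0.113.9", 10.0 * i) for i in range(10)] + \
                  [("198.51.100.4", 5.0), ("198.51.100.4", 400.0)]

if __name__ == "__main__":
    lists = apply_ftp_guess_policy(IPLists(), SAMPLE_FAILURES)
    for when in (100.0, 700.0):
        print(when, lists.disposition("203.0.113.9", when))
```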
To create a Trusted IP or Banned IP rule:
1. Select the Dashboard tab and click Protect; or select the Assets tab and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can also type the name of the rule group in the box to
search for a rule group.
4. Select the Trusted IPs or Banned IPs rule category.
5. Click Create New Rule to start the wizard.
6. Enter the IP address, IP address range, or subnet.
7. Specify the time the IP remains on the list as either Permanent or Keep for [n] Minutes. You can also include a
date and time. The IP address is automatically deleted from the IP list after the time period elapses.
8. Enter a description for the IP address.
9. Click Set. The IP address displays in either Trusted IPs or Banned IPs list.
10. Click Update.
Registry Protection Rules
Registry rules protect registry resources against unauthorized modifications.
To create a Registry rule:
1. Select the Dashboard tab and click Protect; or select the Assets tab and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can type the name of the rule group in the text box to
search for the rule group.
4. Select the Registry rule category.
5. Click Create New Rule to start the wizard.
a. Select Resource Type
Registry is selected.
b. Resource Path
– Registry Key Path – Enter the registry path.
– Match Type – Select a matching type. See Caller Path page details for descriptions.
c. Caller Path
– Caller Path – Enter the path.
– Match Type – Select a matching type.
Exact – Matches only the exact path. This is the fastest matching.
Partial – Matches if the pattern is found anywhere in the path. This is the second fastest matching.
Wildcard – Creates more complex rules that use * for any sequence of characters, # for any single
numerical character and ? for any single alpha character.
Regex – Creates the most complex matching rules. This can be the slowest and should be used with
care.
– MD5 Validation
Do not use caller MD5.
Auto-calculate caller MD5 – Calculates MD5 if access to the file is provided on disk.
User specified caller MD5 – Enter a hex MD5 caller.
The MD5 algorithm is a method for signing and verifying a file and its contents mathematically. At run-
time, BeyondInsight compares this MD5 checksum to the checksum of the application that is
requesting network access. There is an implicit OR between the two types of matching, such as
location and MD5 checksum. If either matches, the rule is triggered.
d. Specify an Action
Select a Read or Write action to be matched by this rule.
– Allow – Traffic that matches the rule can pass through the firewall. This is the default.
– Deny – Traffic that matches the rule cannot pass through the firewall.
– Log – Select to create an event log when the rule is matched.
– Alert – Receive and log alerts from Blink when the rule is matched. This can create a lot of alerts and
increase the size of the log file.
e. Rule Summary
– Click Finish.
Enter a name and description for the rule.
Place at the top of the rule list – select to run the rule first.
Execution Protection Rules
Execution rules prevent the system from executing unauthorized processes.
To create an Execution rule:
1. Select the Dashboard tab and click Protect; or select the Assets tab and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can also type the name of the rule group in the text box to
search for, display, and select that Rule Group.
4. Select the Execution rule category.
5. Click Create New Rule to start the wizard.
a. Select Resource Type
Execution is selected.
b. Resource Path
– Registry Key Path – Enter the registry path.
– Match Type – Select a matching type. See Caller Path page details for descriptions.
c. Caller Path
– Caller Path – Enter the path.
– Match Type – Select a matching type.
Exact – Matches only the exact path. This is the fastest matching.
Partial – Matches if the pattern is found anywhere in the path. This is the second fastest matching.
Wildcard – Creates more complex rules that use * for any sequence of characters, # for any single
numerical character and ? for any single alpha character.
Regex – Creates the most complex matching rules. This can be the slowest and should be used with
care.
– MD5 Validation
Do not use caller MD5
Auto-calculate caller MD5 – Calculates MD5 if access to the file is provided on disk.
User specified caller MD5 – Enter a hex MD5 caller.
The MD5 algorithm is a method for signing and verifying a file and its contents mathematically. At run-
time, BeyondInsight compares this MD5 checksum to the checksum of the application that is
requesting network access. There is an implicit OR between the two types of matching, such as
location and MD5 checksum. If either matches, the rule is triggered.
d. Specify an Action
The Execute check box is selected and cannot be changed.
– Allow – Traffic that matches the rule can pass through the firewall. This is the default.
– Deny – Traffic that matches the rule cannot pass through the firewall.
– Log – Select to create an event log when the rule is matched.
e. Rule Summary
– Click Finish.
Enter a name and description for the rule.
Place at the top of the rule list – select to run the rule first.
File Integrity Rules
There are three types of integrity rules:
• Protected files – Folders and files that you want to monitor for changes.
• Authorized applications – Applications which are allowed to modify any file.
• Custom rules – Exceptions to any other rules. Custom rules are processed first.
A file protection rule activates when the protected file is changed, renamed, or deleted.
Add a Protected File Rule
A protected file rule applies PowerBroker EPP protection on the file.
To create a protected file rule:
1. Select the Dashboard tab and click Protect; or select the Assets tab and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can type the name of the rule group in the text box to
search for the rule group.
4. Select the File Integrity rule category and select the Protected Files subcategory to display the associated
rules.
5. Select Create New Rule.
6. Complete the following pages.
a. Specify File/Folder Path
– Protect a file
Enter the file that you want to protect.
– Protect files inside a directory
Enter a folder name that you want to protect.
Enter a list of file extensions that you want to protect.
Select the Also Protect Subfolders check box to protect all folders in the directory.
b. Specify an action
Select the Log check box to track the rule activities.
Set the rule severity. The severity level is included in the event log. The default value is 1.
You can also create a category to organize rules.
c. Rule Summary
– Click Finish.
Enter a name and description for the rule.
Place at the top of the rule list – select to run the rule first.
Add an Authorized Application Rule
An authorized application rule allows an application to access protected files.
To create an authorized application rule:
1. Select the Dashboard tab and click Protect; or select the Assets tab and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can type the name of the rule group in the text box to
search for the rule group.
4. Select the File Integrity rule category and select the Authorized Applications subcategory to display the
associated rules.
5. Select Create New Rule.
6. Complete the following pages.
a. Specify Authorized Application Path
Enter the caller attributes:
– File Path – Browse to the executable location for the caller, and then select the matching type:
– Exact – Matches only the exact registry key. This is the fastest matching.
– Contains – Matches if the pattern is found anywhere in the key. This is the second fastest matching.
– Not Contains – Matches when the pattern is not found.
– Wildcard – Creates more complex rules that use * for any sequence of characters, # for any single
numerical character and ? for any single alpha character.
– Regex – Creates the most complex matching rules. This can be the slowest matching.
– Process Arguments – Add process arguments to filter the scope of the rule.
For example, if the file path is c:\Windows\System32\svchost.exe, then an argument might be -k
tapisvr. The rule then only applies to the TapiSvr service.
– MD5 or SHA1 – Enter a hex MD5 or SHA1 caller. The MD5 or SHA1 checksum algorithm is a method
for creating a file content checksum and verifying the content has not changed.
SHA1 is a more secure hashing algorithm and is recommended over MD5.
PBEPP can detect the type of hash used (MD5 or SHA1). Use MD5 or SHA1 when you can access the
file and you are certain the file does not normally change (for example, due to user changes or
software updates).
– File Size – Enter the file size.
– Executable is packed – Select True if the executable is packed.
– File Location – Select from: Hard drive, USB, CD-ROM and Network Share.
– Product Name, Product Description, Company – Enter the product information.
– Digital Signature Name, Digital Signature Validity – Select the signature parameters.
– Process Owner – Enter the name of the user account running the executable.
Alternatively, enter the SID for the process owner.
– User Group – Enter one or more user groups. If the user running the executable belongs to one of
the listed groups, the property will match.
Alternatively, enter the SID for the user group.
b. Specify Severity
Set the rule severity. The severity level is included in the event log. The default value is 1.
You can also create a category to organize rules.
c. Rule Summary
– Click Finish.
Enter a name and description for the rule.
Place at the top of the rule list – select to run the rule first.
Add a Custom Rule
A custom rule applies protection on a folder (all files in the folder are protected regardless of the file type). Files
and folders included in the rule are not included in the scheduled scan.
To create a custom rule:
1. Select the Dashboard tab and click Protect; or select the Assets tab and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can type the name of the rule group in the text box to
search for the rule group.
4. Select the File Integrity rule category and select the Custom subcategory to display the associated rules.
5. Select Create New Rule.
6. Complete the following pages.
a. Specify File/Folder Path
– Protect a file – Enter the file that you want to protect.
– Protect files inside a directory – Enter the folder name that you want to protect. Enter a list of file
extensions that you want to protect.
Select the Also Protect Subfolders check box to protect all folders in the directory.
b. Specify Authorized Application Path
Enter the caller attributes:
– File Path – Browse to the executable location for the caller, and then select the matching type:
– Exact – Matches only the exact registry key. This is the fastest matching.
– Contains – Matches if the pattern is found anywhere in the key. This is the second fastest matching.
– Not Contains – Matches when the pattern is not found.
– Wildcard – Creates more complex rules that use * for any sequence of characters, # for any single
numerical character and ? for any single alpha character.
– Regex – Creates the most complex matching rules. This can be the slowest matching.
– Process Arguments – Add process arguments to filter the scope of the rule.
For example, if the file path is c:\Windows\System32\svchost.exe, then an argument might be -k
tapisvr. The rule then only applies to the TapiSvr service.
– MD5 or SHA1 – Enter a hex MD5 or SHA1 caller. The MD5 or SHA1 checksum algorithm is a method
for creating a file content checksum and verifying the content has not changed.
SHA1 is a more secure hashing algorithm and is recommended over MD5.
PBEPP can detect the type of hash used (MD5 or SHA1). Use MD5 or SHA1 when you can access the
file and you are certain the file does not normally change (for example, due to user changes or
software updates).
– File Size – Enter the file size.
– Executable is packed – Select True if the executable is packed.
– File Location – Select from: Hard drive, USB, CD-ROM and Network Share.
– Product Name, Product Description, Company – Enter the product information.
– Digital Signature Name, Digital Signature Validity – Select the signature parameters.
– Process Owner – Enter the name of the user account running the executable.
Alternatively, enter the SID for the process owner.
– User Group – Enter one or more user groups. If the user running the executable belongs to one of
the listed groups, the property will match.
Alternatively, enter the SID for the user group.
c. Specify an action
Select the action to take when the rule is matched: Allow or Deny.
Select the Log check box to track the rule activities.
Set the rule severity. The severity level is included in the event log. The default value is 1.
You can also create a category to organize rules.
d. Rule Summary
– Click Finish.
Enter a name and description for the rule.
Place at the top of the rule list – select to run the rule first.
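As an added example (not part of the original guide or of the PBEPP/BeyondInsight code), the following Python implements the caller-path match types shared by the Registry Protection, Execution Protection and File Integrity rules above (Exact, Partial/Contains, Not Contains, Wildcard with * # ?, Regex), the MD5 or SHA1 caller checksum, and the implicit OR between the location match and the checksum match. Paths, rule values and file contents are constructed, and the digest helper hashes bytes supplied inline instead of reading the caller from disk.

```python
"""Caller path and checksum matching for Registry, Execution and File Integrity rules.

Added example, not BeyondInsight/PBEPP code. It implements the match types the
guide lists (Exact, Partial/Contains, Not Contains, Wildcard with * # ?, Regex),
the user-specified or auto-calculated MD5/SHA1 caller checksum, and the implicit
OR between the location match and the checksum match. Paths, rule values and
file contents are constructed; the digest helper hashes bytes supplied inline
rather than reading the caller from disk.
"""
import hashlib
import re


def wildcard_to_regex(pattern):
    """* = any sequence of characters, # = one digit, ? = one letter."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "#":
            parts.append("[0-9]")
        elif ch == "?":
            parts.append("[A-Za-z]")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def path_matches(match_type, rule_value, actual):
    """Compare case-insensitively, as Windows paths and registry keys are."""
    if match_type == "Regex":
        # Keep the user's regex as written: lower-casing would turn \D into \d.
        return re.search(rule_value, actual, re.IGNORECASE) is not None
    rule_value, actual = rule_value.lower(), actual.lower()
    if match_type == "Exact":
        return actual == rule_value
    if match_type in ("Partial", "Contains"):
        return rule_value in actual
    if match_type == "Not Contains":
        return rule_value not in actual
    if match_type == "Wildcard":
        return re.fullmatch(wildcard_to_regex(rule_value), actual) is not None
    raise ValueError(f"unknown match type {match_type!r}")


def file_digest(content, algorithm):
    """Hex digest of the caller's bytes (Auto-calculate would read the file on disk)."""
    return hashlib.new(algorithm, content).hexdigest()


def detect_hash_algorithm(hex_digest):
    """Tell MD5 from SHA1 by the digest length: 32 or 40 hex characters."""
    digest = hex_digest.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", digest):
        raise ValueError("checksum must be given in hex")
    lengths = {32: "md5", 40: "sha1"}
    if len(digest) not in lengths:
        raise ValueError("checksum must be an MD5 (32 hex) or SHA1 (40 hex) digest")
    return lengths[len(digest)]


def caller_rule_triggers(rule, caller_path, caller_bytes):
    """Implicit OR: the rule triggers if the path matches or the checksum matches."""
    location_hit = path_matches(rule["match_type"], rule["path"], caller_path)
    checksum = rule.get("checksum")          # None models "Do not use caller MD5"
    if not checksum:
        return location_hit
    algorithm = detect_hash_algorithm(checksum)
    checksum_hit = file_digest(caller_bytes, algorithm) == checksum.strip().lower()
    return location_hit or checksum_hit


# Constructed sample: a vendor updater authorised by a wildcard path, with its SHA1
# recorded so the same binary is still recognised when it runs from elsewhere.
UPDATER_BYTES = b"constructed placeholder for the updater executable"
UPDATER_RULE = {
    "match_type": "Wildcard",
    "path": r"c:\program files\vendor\updater#.exe",
    "checksum": file_digest(UPDATER_BYTES, "sha1"),
}

if __name__ == "__main__":
    print(caller_rule_triggers(UPDATER_RULE, r"C:\Program Files\Vendor\updater2.exe", b"x"))
    print(caller_rule_triggers(UPDATER_RULE, r"C:\Users\guest\updater.exe", UPDATER_BYTES))
    print(caller_rule_triggers(UPDATER_RULE, r"C:\Users\guest\updater.exe", b"x"))
```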
Windows Events Rules
You can create a rule that tracks Windows Event logs, including: Application, System, and Security.
Source Names
The source name is the name of the Windows event.
The source name that you enter depends on the operating system that is forwarding the events.
Windows XP, Windows 2003 – Use the name in the Windows Event Viewer Source column.
Vista, Windows 7, Windows 2008 – Use System-Provider[EventSourceName] on the Details tab of the event, if
available. Otherwise, use [Name].
To create a Windows event rule:
1. Select the Dashboard tab and click Protect; or select the Assets tab and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can also type the name of the rule group in the text box to
search for, display, and select that Rule Group.
4. Expand Windows Events, and then select: Application, System, or Security.
– Enabled – Select the check box to activate the rule.
One or more Windows event sources must be provided to activate the rule. Events are only forwarded
when a source is provided.
– Severity – Select the severity level from the list: Only Errors, Errors and Warnings, All.
Note that All includes Information events.
– Add – Click to provide the following information about the event log you want to track:
– Source name – The name of the application that issued the event. See Source Names.
You can enter the source name without providing Event IDs. All events from the source will be
forwarded.
– Include – Enter the Event IDs to forward to BeyondInsight.
– Exclude – Enter the Event IDs to exclude.
Note that the excluded list overrides the included list.
The following example shows a range of event IDs to include and two IDs in that range to exclude.
5. Click Save.
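As an added example (not part of the original guide or of BeyondInsight's code), the following Python decides whether an event is forwarded under a Windows Events rule as described above: at least one source is required, a source entered without Event IDs forwards all of its events, the Exclude list overrides the Include list, and Severity limits the levels forwarded. The ID-list syntax "4624-4634, 4648" (ranges and commas) is an assumption, as are the sample rule and events.

```python
"""Decide whether a Windows event is forwarded under a Windows Events rule.

Added example, not BeyondInsight code. It models the rule semantics in the guide:
the rule must be enabled and have at least one source; a source entered without
Event IDs forwards all of its events; Include lists the IDs to forward; Exclude
overrides Include; Severity limits forwarding to Only Errors, Errors and
Warnings, or All (which includes Information). The ID-list syntax
"4624-4634, 4648" (ranges and commas) is an assumption, as are the sample events.
"""

SEVERITY_LEVELS = {
    "Only Errors": {"Error"},
    "Errors and Warnings": {"Error", "Warning"},
    "All": {"Error", "Warning", "Information"},      # All includes Information events
}


def parse_id_list(text):
    """'4624-4634, 4648' -> {4624, ..., 4634, 4648}; empty text -> empty set."""
    ids = set()
    for part in text.replace(" ", "").split(","):
        if not part:
            continue
        low, _, high = part.partition("-")
        high = high or low
        ids.update(range(int(low), int(high) + 1))
    return ids


def compile_rule(rule):
    """Validate a rule and pre-compute each source's include/exclude sets."""
    if not rule.get("sources"):
        raise ValueError("one or more Windows event sources must be provided")
    severity = rule.get("severity", "All")
    if severity not in SEVERITY_LEVELS:
        raise ValueError(f"unknown severity {severity!r}")
    return {
        "enabled": bool(rule.get("enabled", False)),
        "levels": SEVERITY_LEVELS[severity],
        "sources": {
            s["name"]: (parse_id_list(s.get("include", "")),
                        parse_id_list(s.get("exclude", "")))
            for s in rule["sources"]
        },
    }


def forwards(compiled, source, event_id, level="Information"):
    """True if the event would be forwarded to BeyondInsight under the rule."""
    if not compiled["enabled"] or source not in compiled["sources"]:
        return False
    if level not in compiled["levels"]:
        return False
    include, exclude = compiled["sources"][source]
    if event_id in exclude:                  # the excluded list overrides the included list
        return False
    return not include or event_id in include   # no Event IDs given: forward all


# Constructed sample rule: forward the logon range 4624-4634 except the two noisiest
# IDs in it (4624 logon, 4634 logoff), plus everything from Service Control Manager.
SAMPLE_RULE = {
    "enabled": True,
    "severity": "All",
    "sources": [
        {"name": "Microsoft-Windows-Security-Auditing",
         "include": "4624-4634", "exclude": "4624, 4634"},
        {"name": "Service Control Manager"},
    ],
}

if __name__ == "__main__":
    compiled = compile_rule(SAMPLE_RULE)
    for src, eid in [("Microsoft-Windows-Security-Auditing", 4625),
                     ("Microsoft-Windows-Security-Auditing", 4624),
                     ("Service Control Manager", 7036)]:
        print(src, eid, forwards(compiled, src, eid))
```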
Trusted List Options
The Trusted List displays trusted malware by name and category.
To access Trusted List rules:
1. Select the Dashboard tab and click Protect; or select the Assets tab and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can also type the name of the rule group in the box to
search for a rule group.
4. Select the Trusted List rule category.
5. Click Create New Rule to start the wizard.
6. Select a malware name check box and click Save.
7. Click Save.
8. Click Update.
Miscellaneous Options
Miscellaneous options allow you to set rules for BeyondInsight operations.
To access miscellaneous options:
1. Select the Dashboard tab and click Protect; or select the Assets tab and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can type the name of the rule group in the text box to
search for the rule group.
4. Expand Misc. Options and select a subcategory:
– Virus and Spyware
– General
– System Protection
– Scheduler
– Auto-Updater
– Vulnerability Assessment
– Intrusion Prevention
– IIS Protection
– Firewall
– Events
For more information, refer to the Retina Protection Agent User Guide.
5. After you change the properties for a subcategory, click Update.
Regulatory Reports Pack
Note: The Regulatory Reporting packs require a license to activate the feature set. Contact your BeyondTrust
representative.
You can run regulatory reports to ensure that your assets are in compliance.
Review the following sections to learn more about the compliance scan templates available, compliance coverage,
running a scan, and reviewing scan results.
Compliance Scans
By default the following scan templates are available.
Healthcare, Finance, and Government packs need an updated license key.
ISO-27002 Scans
Compliance Area Section 12.6.1 Control of technical vulnerabilities
COBiT Scans
Compliance Area Section DS11.6 Security Requirements for Data Management
Healthcare Pack Compliance Scans
The Healthcare Pack includes a HIPAA scan template.
Contact BeyondTrust for a license key to activate the compliance pack.
HIPAA Scans
Compliance Area Section 164.308 Administrative safeguards, (a)(8) Standard: Evaluation.
Finance Pack Compliance Scans
The Finance Pack includes a SOX and GLBA scan template.
Contact BeyondTrust for a license key to activate the compliance pack.
GLBA Scans
Compliance Area Section 6801 Protection of nonpublic personal information.
SOX Scans
Compliance Area Section 404 Management Assessment of Internal Controls.
Government Pack Compliance Scans
The Government Pack includes the FERC-NERC, NIST 800-53 and MASS 201 scan templates.
Contact BeyondTrust for a license key to activate the compliance pack.
FERC-NERC Scans
Compliance Area CIP-005-3 R4 Cyber Vulnerability Assessment
NIST-800-53 Scans
Compliance Area SA System and Services Acquisition; SA-10 Developer Configuration Management
MASS 201 Scans
Compliance Area Section 17.03(2)(b)(3) Duty to Protect and Standards for Protecting Personal
Information - Detect and Prevent Security Systems Failures
Running a Compliance Scan
The following procedure is an overview on running a scan. For detailed information on scan options, see Scanning.
To run a compliance scan:
1. Select the asset group and then select Scan.
2. Select the scan template and click Scan.
Ensure the correct license key is applied to activate the compliance scans.
3. Click Scan.
4. Select the scan options, and then click Start Scan.
Reviewing Compliance Scan Results
The following shows report information from the HIPAA Compliance scan. The summary of the vulnerability details
breaks down the vulnerability by severity.
Scroll through the list of vulnerabilities provided in the report. You can review remediation fixes, CVSS scores, and
additional information for the vulnerability as shown in the following example from a report.
Configuration Compliance Pack
Note: The Configuration Compliance module requires a license to activate the feature set. Contact your
BeyondTrust representative.
The following tools are available to run benchmark scans:
• XCCDF audit groups. The Secure Configuration Audits audit group ships with the Configuration Compliance
module. Use this audit group to run your scan.
• Benchmark configuration. Import benchmark templates, synchronize templates, and review versions of
benchmark templates that ship with BeyondInsight.
• Configuration Compliance reports. Includes two reports: Benchmark Compliance and Benchmark Export.
For information about running a scan, see Running a Scan.
Setting Permissions for Configuration Compliance
You must create a user group and set permissions for the user group to run configuration compliance scans.
To create a group and set the permission:
1. Click the Configure tab, and then click Accounts.
2. Click + in the User Groups pane to create a group.
3. Enter a group name and description.
4. Select the Read and Write check boxes for the Benchmark Compliance permission.
5. Add an IP range for the group.
6. Select attributes (optional).
7. Click Update.
Add your configuration compliance users to the group. See User Accounts.
Running Benchmark Scans
The settings for configuring a benchmark scan are similar to vulnerability scans. For a complete procedure, see
Running a Vulnerability Scan.
You must, however, select the benchmark profiles that you want to include in the scan. You can select more than
one profile if needed.
Viewing Benchmark Scan Results
The benchmark scan data can be saved in the following formats: SCAP output (zip), Full ARF, Micro ARF, NIST ARF,
expanded CSV.
Managing Benchmarks
BeyondInsight ships with a default set of benchmark templates. You can import additional or updated benchmarks,
and synchronize benchmarks.
If you are working with your benchmark profiles outside BeyondInsight, then you can synchronize the templates
using the BeyondInsight Configuration tool.
To download an editor to change your benchmarks, click the Download Editor button.
To manage benchmarks:
1. Click the Configure tab.
2. Click the Benchmark Management tab.
3. Expand a benchmark to review more detail.
Policies included with benchmark templates can be inactivated if they do not apply. Clear policies as needed.
4. To import templates, click Import New Benchmark, navigate to the file and click Open. To overwrite an
existing template click Yes.
Importing Benchmarks
You can import .cab or .zip files that include the following:
• For Windows 7:
– CIS_Windows_7_Benchmark_v1.1.0_oval.xml
– CIS_Windows_7_Benchmark_v1.1.0.xml
– Windows-7-cpe-oval.xml
– Windows-7-cpe-dictionary.xml
• For Windows Server 2008:
– CIS_Windows_2008_Server_Benchmark_v1.1.0_oval.xml
– CIS_Windows_2008_Server_Benchmark_v1.1.0.xml
– Windows-2008-cpe-oval.xml
– Windows-2008-cpe-dictionary.xml
Setting the OVAL Tests Option
You can store OVAL XML data in the BeyondInsight database.
If the option is selected, the OVAL values used to determine whether a rule was compliant are parsed from the OVAL
output files and stored in the BeyondInsight database.
To store OVAL tests in Benchmark reports:
1. Select Options.
2. On the Application Options dialog box, expand Benchmark Compliance.
3. Select the Yes check box to store OVAL tests.
4. Click Update.
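The following is an added example, not BeyondInsight code, showing what "OVAL values used to determine if a rule was compliant" look like when they are pulled out of benchmark scan output. It reads a constructed XCCDF TestResult and a constructed OVAL results file (both use the standard XCCDF 1.2 and OVAL 5 results namespaces; the rule and definition ids are invented), records for each rule the OVAL definition result that decided it, and flags any rule whose XCCDF verdict disagrees with its OVAL evidence so it can be reviewed rather than reported as compliant.

```python
"""Join XCCDF rule results with the OVAL definition results behind them.

Added example; not BeyondInsight code. Sample documents are constructed.
"""
import xml.etree.ElementTree as ET

# Standard SCAP namespaces (XCCDF 1.2 and OVAL results 5).
XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"
OVAL_RES = "{http://oval.mitre.org/XMLSchema/oval-results-5}"
OVAL_DEF_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Constructed sample XCCDF TestResult (not real benchmark output).
XCCDF_RESULT = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_testresult_1">
  <rule-result idref="xccdf_example_rule_password_length">
    <result>pass</result>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="example-oval.xml" name="oval:example:def:1"/>
    </check>
  </rule-result>
  <rule-result idref="xccdf_example_rule_guest_disabled">
    <result>fail</result>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="example-oval.xml" name="oval:example:def:2"/>
    </check>
  </rule-result>
  <rule-result idref="xccdf_example_rule_manual_review">
    <result>notchecked</result>
  </rule-result>
</TestResult>"""

# Constructed sample OVAL results (not real scan output).
OVAL_RESULTS = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:example:def:1" version="1" result="true"/>
        <definition definition_id="oval:example:def:2" version="1" result="false"/>
      </definitions>
    </system>
  </results>
</oval_results>"""


def parse_oval_results(xml_text):
    """Map OVAL definition id -> result string (true, false, error, unknown, ...)."""
    root = ET.fromstring(xml_text)
    return {d.get("definition_id"): d.get("result") for d in root.iter(OVAL_RES + "definition")}


def parse_xccdf_results(xml_text):
    """Map XCCDF rule id -> (verdict, referenced OVAL definition id or None)."""
    root = ET.fromstring(xml_text)
    rules = {}
    for rr in root.iter(XCCDF + "rule-result"):
        verdict = rr.findtext(XCCDF + "result")
        oval_id = None
        for check in rr.findall(XCCDF + "check"):
            if check.get("system") == OVAL_DEF_SYSTEM:
                ref = check.find(XCCDF + "check-content-ref")
                if ref is not None:
                    oval_id = ref.get("name")
        rules[rr.get("idref")] = (verdict, oval_id)
    return rules


def join_results(xccdf_xml, oval_xml):
    """Per rule: the XCCDF verdict plus the OVAL result that produced it.

    A rule whose verdict disagrees with its OVAL definition result (pass while
    the definition evaluated false, or the reverse) is marked inconsistent.
    Rules with no OVAL check (e.g. notchecked) are left as consistent.
    """
    oval = parse_oval_results(oval_xml)
    joined = {}
    for rule_id, (verdict, oval_id) in parse_xccdf_results(xccdf_xml).items():
        oval_result = oval.get(oval_id) if oval_id else None
        expected = {"true": "pass", "false": "fail"}.get(oval_result)
        joined[rule_id] = {
            "result": verdict,
            "oval_definition": oval_id,
            "oval_result": oval_result,
            "consistent": expected is None or expected == verdict,
        }
    return joined


def compliance_summary(joined):
    """Count rules by XCCDF verdict, e.g. {'pass': 1, 'fail': 1, 'notchecked': 1}."""
    counts = {}
    for entry in joined.values():
        counts[entry["result"]] = counts.get(entry["result"], 0) + 1
    return counts


if __name__ == "__main__":
    report = join_results(XCCDF_RESULT, OVAL_RESULTS)
    for rule_id, entry in report.items():
        print(rule_id, entry)
    print(compliance_summary(report))
```

Keeping the OVAL result beside the XCCDF verdict is what makes a benchmark report auditable: a reviewer can see which definition drove a fail, and a mismatch between the two layers is surfaced instead of hidden inside a pass count.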
BeyondInsight Clarity Analytics
BeyondInsight Clarity is a behavior analytics tool that examines and classifies all events/activities to identify outliers
(or anomalies). An outlier is an observation which deviates so much from the other observations that it arouses
suspicion that it was generated in a different way.
Clarity ranks activities and classifies assets according to their deviation from normal activity. The normal activity (or
baseline) is formed from:
• History of past activities and
• Risk attributes of an observed activity
Each activity (or event) has several key characteristics. When an observed characteristic goes beyond normal, an
alert is flagged. More flagged alerts indicate a higher level of abnormality (threat level). The numeric threat level is
the sum of all flagged alerts.
In addition, all assets are grouped into clusters by similarity, taking into account all available information including
vulnerabilities, attacks, installed applications, services, open ports, running applications and so forth.
As a result, the behavior analytics:
• Assigns a threat level to each event from Retina network scanner, PowerBroker Endpoint Protection Platform,
PowerBroker for Windows, PowerBroker Unix & Linux, PowerBroker Password Safe (release events only)
• Assigns a cluster ID to all assets.
Sources of Event Data
You can use Clarity to analyze data from the following sources:
• PowerBroker for Windows
• PowerBroker Unix & Linux
• Retina Network Security Scanner
• PowerBroker Endpoint Protection Platform
• PowerBroker Password Safe (password release events only; other types of events are not included such as
password requests, password resets, or password changes)
• Third Party Imports
Alerts
There are two types of alert:
Pattern - Determined by correlation of all characteristics of an event.
Explicit - Determined by selected specific characteristics. For example, time of event.
Alert (Type): Description
a1 (pattern): Maps all characteristics of an event into a single internal cluster using self-organizing maps
clustering. Similar event characteristics lead to the same cluster. Thus, clusters with a high share of mapped
events represent typical behavior, while clusters with a small number of events indicate outliers. Each user's,
host's or asset's characteristics are tracked independently, with independent sets of clusters. Note that clusters
here are hidden, used only for the time of analysis, and not the same as asset clusters.
  Used characteristics:
  • PowerBroker for Windows events, per User: EventType, Exercised privilege, Path, Asset, Launch weekday and time
  • PowerBroker Unix & Linux events, per RunHost: RunCommand, RunCWD, PBLUUser, MasterHost, SubmitHost,
  FinishStatus, Launch weekday and time, Accept, RiskLevel
  • Vulnerability events, per Asset: Vulnerability type, Risk
  • Attack events, per Asset: Attack type, Category
a2 (explicit): Untrusted Application.
  Default value: 0.33
  - If the application is unsigned then value = value + 0.33
  - If the application has no version information then value = value + 0.33
a3 (explicit): Vulnerable Application.
  Vulnerability of the launched application.
a4 (explicit): Asset Risk.
a5 (explicit): Event Timing.
  Event time within working hours and weekday.
  Default value: 0.33
  - If EventTime < WorkingHoursStart or EventTime > WorkingHoursEnd then value = value + 0.33
  - If EventDay is in WorkingWeekDaysMask then value = value + 0.33
a6 (explicit): Untrusted User.
  Default value: 0.33
  - If the user is a local (not domain) user then value = value + 0.33
  - If the user is Administrator then value = value + 0.33
a7 (explicit): First App Launch.
  The alert is flagged when a user launches an application they never launched before.
a8 (explicit): First request for a given managed account and system (Password Safe).
  The alert is flagged when a user requests a password for an account and system never requested before.
a9 (explicit): Unusual password releases (Password Safe).
  The alert is flagged when a user does not retrieve the password for an approved request or the password is
  retrieved more than once.
a10 (explicit): Concurrent password requests (Password Safe).
  The alert is flagged when a user tries to acquire more than one password at a time.
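The following is an added example, not BeyondInsight code, that applies the explicit alert rules above (a2, a5, a6 and a7) to constructed PowerBroker for Windows launch events and turns the result into a threat level. It assumes an alert is flagged when its value reaches the Alert Threshold (default 0.65, so a single matching condition at 0.66 is enough), that the threat level is one point per flagged alert, and, for a5, that the weekday condition flags days outside WorkingWeekDaysMask (mirroring the hours check; the table's wording says "is in"). The event fields, working-hours settings and launch history are all assumptions of this example.

```python
"""Explicit alert scoring for the Clarity alerts a2, a5, a6 and a7.

Added example; not BeyondInsight code. Events and settings are constructed.
"""
from dataclasses import dataclass
from datetime import datetime

ALERT_THRESHOLD = 0.65  # Alert Threshold default (Configuring BeyondInsight Clarity)
DEFAULT_VALUE = 0.33    # starting value for a2, a5 and a6
STEP = 0.33             # added once per matching condition


@dataclass
class WorkingHours:
    """Working-hours settings; field names are assumptions of this example."""
    start_hour: int = 8
    end_hour: int = 18
    weekday_mask: frozenset = frozenset({0, 1, 2, 3, 4})  # Monday..Friday


@dataclass
class LaunchEvent:
    """Constructed PowerBroker for Windows launch event (field names assumed)."""
    user: str
    is_domain_user: bool
    is_administrator: bool
    path: str
    signed: bool
    has_version_info: bool
    launched_at: datetime


def a2_untrusted_application(ev):
    value = DEFAULT_VALUE
    if not ev.signed:
        value += STEP
    if not ev.has_version_info:
        value += STEP
    return round(value, 2)


def a5_event_timing(ev, hours):
    value = DEFAULT_VALUE
    if ev.launched_at.hour < hours.start_hour or ev.launched_at.hour > hours.end_hour:
        value += STEP
    # Assumption: a day outside the working-day mask is the anomalous case.
    if ev.launched_at.weekday() not in hours.weekday_mask:
        value += STEP
    return round(value, 2)


def a6_untrusted_user(ev):
    value = DEFAULT_VALUE
    if not ev.is_domain_user:
        value += STEP
    if ev.is_administrator:
        value += STEP
    return round(value, 2)


def a7_first_app_launch(ev, history):
    """True when the user has never launched this path before; records the launch."""
    seen = history.setdefault(ev.user, set())
    first = ev.path not in seen
    seen.add(ev.path)
    return first


def score_event(ev, hours, history, threshold=ALERT_THRESHOLD):
    scores = {
        "a2": a2_untrusted_application(ev),
        "a5": a5_event_timing(ev, hours),
        "a6": a6_untrusted_user(ev),
    }
    flagged = [name for name, value in scores.items() if value >= threshold]
    if a7_first_app_launch(ev, history):
        flagged.append("a7")
    # Threat level = the sum of flagged alerts, one point each.
    return {"scores": scores, "flagged": flagged, "threat_level": len(flagged)}


# Constructed sample events. 2017-04-15 is a Saturday; 2017-04-12 is a Wednesday.
SAMPLE_EVENTS = [
    LaunchEvent("WORKSTATION7\\localadmin", False, True, r"C:\Temp\updater.exe",
                False, False, datetime(2017, 4, 15, 2, 10)),
    LaunchEvent("CORP\\jsmith", True, False, r"C:\Program Files\App\app.exe",
                True, True, datetime(2017, 4, 12, 10, 30)),
]


def score_samples():
    """Score the constructed events; jsmith has launched app.exe before."""
    hours = WorkingHours()
    history = {"CORP\\jsmith": {r"C:\Program Files\App\app.exe"}}
    return [score_event(ev, hours, history) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, result in zip(SAMPLE_EVENTS, score_samples()):
        print(ev.user, result)
```

The first event (unsigned, version-less binary launched by a local administrator at 02:10 on a Saturday, never seen before) flags a2, a5, a6 and a7 and scores a threat level of 4; the second (a signed, known application launched by a domain user mid-morning on a weekday) flags nothing.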
Cluster Maps
A cluster map is a visual representation of asset clusters. Larger clusters indicate more assets sharing similar traits
within the organization. The smallest clusters (by number of assets in the cluster) indicate a potential anomaly (or
outlier).
Clusters group assets by correlated summary of:
• Launched applications
• Vulnerabilities
• Attacks
Cluster Map Numbering
A cluster map number is randomly generated and has no meaning in the context of the actual data in the map.
However, the closer the cluster map numbers, the more similar the attributes of the assets to each other.
For example, assets assigned to cluster 14 and cluster 16 would have similar qualities. However, assets assigned to
cluster 14 and cluster 68 would have fewer qualities in common.
The cluster map numbers can change at any time but this does not reflect on the assets and any potential outliers
or anomalies that might exist.
Cluster Shading
The shading is based on the Asset Risk/Attacks/Vuln Apps value. The Cluster Map uses the highest of the three and
the gradient is based on a range from 0.0 to 1.0.
Cluster Attributes
There are 8 cluster attributes organized in the following categories:
• Ordering attributes - Attributes are ordered from low to high. For example, Risk is an ordering attribute; a
greater risk value represents higher risk.
• Pattern attributes - A pattern value maps a set of characteristics to a single value (in the range 0 – 1). The
difference between pattern values shows how similar two sets of the same type of characteristics are.
For example, sets of characteristics with values 0.1 and 0.11 are similar, while 0.1 and 0.9 are very different.
Attribute | Type | Description
Attacks | Ordering | Number of detected attacks. Greater value means more detected attacks.
Vulnerable Apps | Ordering | Number of launches of vulnerable applications. Greater value means more started/running vulnerable applications.
Risk | Ordering | Asset risk. Greater value means greater risk.
App Set | Ordering | Running or/and elevated (depends on PowerBroker for Windows settings) applications.
Vulnerabilities Set | Pattern | Discovered vulnerabilities.
Service Set | Pattern | Services.
Software Set | Pattern | Installed software packages.
Port Set | Pattern | Opened ports.
Configuring BeyondInsight Clarity
To work with BeyondInsight Clarity, you must configure the following settings.
1. Log on to the BeyondInsight Management Console.
2. Select the Configure tab on the main page.
3. Select Clarity Analytics, and then set the following:
– Enable Analytics - Select the check box to turn on the BeyondInsight Clarity feature.
– Time to run (hours, minutes) - Set the time to run the data collection.
– Frequency to run Analytics - The available settings:
– Daily
– Every 4 hours
– Every 6 hours
– Every 8 hours
– Every 12 hours
– Alert Threshold - The threshold for flagging explicit alerts. The higher the value the higher the sensitivity
and fewer flagged alerts. The range is between 0 – 1. The default value is 0.65.
– Som Probability Threshold - The threshold for flagging pattern alerts. The range is between 0 – 1. The
lower the value the higher the sensitivity and fewer flagged alerts. The default value is 0.05.
– Send notification to - Enter an email address. An email is sent to the recipient after the analytics
processing is complete. A summary of the analysis is included in the email.
– Alert malware confidence level - Select a confidence level from the list. The default value is Medium. Use
the setting to filter on the higher potential malware risks that are presented in the analytics data.
Setting Risk Analytics Values
Using the risk analytics values, you can focus the results data on the highest risk assets.
When you choose to normalize the data, the asset at highest risk is assigned the highest rating (set at 10); all other
assets would then be rated and organized below the highest risk asset. Normalizing the results provides a way to
distribute the assets in a more meaningful way to analyze the data.
Using the analysis influence slider, you can change the results to emphasize risk levels based on exposures (shared
drives, open ports, software installed etc) or threats (vulnerabilities, attacks, malware, etc). For example, if you
move the slider to Exposure, asset exposure risk factors would be given greater weighting in the final risk
calculation and increase an asset's risk score.
Analysis influence is only available for the Log calculations.
Analyzing Cluster Maps
You must configure settings in the BeyondInsight Management Console before any data is collected. See
Configuring BeyondInsight Clarity.
To view cluster maps:
1. From the menu, select Cluster Analysis.
The Cluster Map tab is selected by default.
Remember that the cluster map number is randomly generated and does not reflect the number of assets in
the cluster.
2. Select one of the following tabs to analyze cluster map data:
– Asset Counts - Clusters the assets with similar characteristics. The smaller the cluster tile the more likely
there will be an outlier.
– Cluster Risk - Clusters the assets based on the common risk characteristics. The larger tiles in the cluster
map will have the greater risk.
– Attacks - Clusters assets based on the common attack properties. The larger tiles indicate a greater attack
level. Drill down to learn more about the assets and the attack data.
– Vulnerable Applications - Clusters the assets by the similar installed vulnerable applications. The larger tiles
indicate a greater threat as a result of installed vulnerable applications on the assets.
Hover on the tile to display a summary of the event data.
In this example, the largest tile has the largest asset count at 52.
In the smallest cluster, there is only one asset. However, the asset risk, attacks, and vulnerable apps scores are all
higher than the counts in the largest cluster. This might indicate a potential outlier.
Double-click a cluster to view more detail. Click the tabs to view more information.
Analyzing Cluster Grids
Some key tips to keep in mind when analyzing threat conditions in your Clarity results data:
• Sort clusters by ordering attributes, such as Vulnerable Apps, Attacks, and Risk
• Potential outliers would be clusters with a small number of members and greater ordering attributes.
• For outliers, review the pattern attributes to identify if the outliers have a unique or a different set of running
applications, vulnerabilities, services, software, or ports.
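The following is an added example, not BeyondInsight code, that works through the cluster analysis described in this chapter on constructed cluster summaries carrying the eight cluster attributes: the tile shade as the highest of Risk, Attacks and Vulnerable Apps on a 0.0 to 1.0 gradient (Cluster Shading), ranking small clusters with high ordering attributes as outlier candidates (the tips above), comparing pattern attributes between clusters (clusters 14, 16 and 68 are the numbers used in Cluster Map Numbering), and normalizing asset risk so the highest-risk asset is rated 10 (Setting Risk Analytics Values). The cluster values, the mean-absolute-difference comparison and the linear normalization scale are assumptions of this example.

```python
"""Cluster map shading, outlier ranking, pattern comparison and risk normalization.

Added example; not BeyondInsight code. Cluster summaries are constructed.
"""
from dataclasses import dataclass

ORDERING_ATTRIBUTES = ("attacks", "vulnerable_apps", "risk", "app_set")
PATTERN_ATTRIBUTES = ("vulnerabilities_set", "service_set", "software_set", "port_set")


@dataclass
class Cluster:
    number: int          # cluster map number (randomly assigned, see Cluster Map Numbering)
    asset_count: int
    attacks: float       # ordering attributes, 0.0 - 1.0
    vulnerable_apps: float
    risk: float
    app_set: float
    vulnerabilities_set: float   # pattern attributes, 0.0 - 1.0
    service_set: float
    software_set: float
    port_set: float


def tile_shade(c):
    """Gradient value in [0.0, 1.0]: the highest of Risk, Attacks and Vulnerable Apps."""
    return min(1.0, max(0.0, c.risk, c.attacks, c.vulnerable_apps))


def rank_outlier_candidates(clusters):
    """Smallest clusters first; among equal sizes, higher ordering attributes first."""
    return sorted(clusters, key=lambda c: (c.asset_count, -(c.attacks + c.vulnerable_apps + c.risk)))


def pattern_distance(a, b):
    """Mean absolute difference of pattern attributes; near 0 means similar sets (assumed measure)."""
    return sum(abs(getattr(a, n) - getattr(b, n)) for n in PATTERN_ATTRIBUTES) / len(PATTERN_ATTRIBUTES)


def normalize_risk(asset_risk, top=10.0):
    """Scale so the highest-risk asset is rated `top`; linear scaling is an assumption."""
    highest = max(asset_risk.values())
    if highest == 0:
        return {name: 0.0 for name in asset_risk}
    return {name: round(r / highest * top, 2) for name, r in asset_risk.items()}


# Constructed cluster summaries (not real Clarity output).
CLUSTERS = [
    Cluster(14, 52, 0.10, 0.15, 0.20, 0.40, 0.31, 0.30, 0.28, 0.33),
    Cluster(16, 40, 0.12, 0.10, 0.25, 0.42, 0.33, 0.29, 0.30, 0.35),
    Cluster(68, 1, 0.80, 0.90, 0.95, 0.70, 0.88, 0.75, 0.91, 0.80),
    Cluster(41, 3, 0.05, 0.10, 0.10, 0.35, 0.30, 0.31, 0.27, 0.34),
]


def analyze(clusters=CLUSTERS):
    """Summarize the constructed clusters the way the grid tips suggest."""
    ranked = rank_outlier_candidates(clusters)
    top = ranked[0]
    largest = max(clusters, key=lambda c: c.asset_count)
    return {
        "top_candidate": top.number,
        "top_candidate_assets": top.asset_count,
        "top_shade": tile_shade(top),
        "largest_cluster": largest.number,
        "largest_shade": tile_shade(largest),
        "distance_14_16": round(pattern_distance(clusters[0], clusters[1]), 3),
        "distance_14_68": round(pattern_distance(clusters[0], clusters[2]), 3),
    }


if __name__ == "__main__":
    print(analyze())
    print(normalize_risk({"srv01": 7.5, "srv02": 3.0, "ws17": 1.5}))
```

On the constructed data the one-asset cluster 68 ranks first as an outlier candidate and shades darkest (0.95), while the 52-asset cluster 14 shades at 0.20; its pattern attributes sit close to cluster 16 and far from cluster 68, which is the reading the Cluster Map Numbering section describes.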
To view the cluster grid:
1. From the menu, select Cluster Analysis.
2. Click the grid view icon:
The cluster number is displayed in the first column.
To review asset details for a cluster, double-click the row.
Clarity Reports
The following reports are available to run against the cluster map data:
• Event Review - Attacks - Breakdown of alert triggers for attack events by threat level.
• Event Review - Malware - Breakdown of alert triggers for Malware events by threat level. This report can be
used to display Clarity Malware events from BeyondInsight. For more information, see Clarity Malware
Analysis.
• Event Review - PowerBroker for Windows - Breakdown of alert triggers for events by threat level. Includes
relevant event details, and is ordered by threat level from largest to smallest.
• Event Review - PowerBroker Password Safe Release Events - Breakdown of alert triggers for release events by
threat level.
• Event Review - PowerBroker Unix Linux - Breakdown of alert triggers for events by threat level. Includes
relevant event details, and is ordered by threat level from largest to smallest.
• Event Review - Scanner - Breakdown of alert triggers for Retina scanner events by threat level. Includes
relevant event details, and is ordered by threat level from largest to smallest.
• Highest Populated Clusters - Lists the most populated clusters.
• Lowest Populated Clusters - Lists the clusters with the least assets.
• Top 10 Assets by Cluster Movement - Displays differences in an asset's cluster assignment. Shows items by size
of move (distance between clusters) and time frame (fast or slow). The time frame can indicate that an asset is
an outlier if the changes occur quickly.
• Top 10 Assets by Total Threat Level - Displays top 10 assets based on overall threat level. This report can be
used to display Clarity Malware events from BeyondInsight. For more information, see Clarity Malware
Analysis.
• Top 10 Users by Threat Level - Displays top 10 users based on overall threat level.
Clarity Dashboard
The Clarity Dashboard analyzes information stored in BeyondInsight’s centralized database, which contains data
gathered from across any or all BeyondInsight-supported solutions deployed in the customer environment. These
include:
• PowerBroker® for Windows: user and account activity data from desktops and servers
• PowerBroker for UNIX & Linux: user and account activity from servers
• PowerBroker Endpoint Protection Platform: IPS, IDS, anti-virus and firewall log data
• Retina CS Enterprise Vulnerability Management: vulnerability data
• Third-Party Vulnerability Scanners: imported data from Qualys®, Tenable®, and Rapid7®
Triggers
The following triggers identify assets that are at risk.
Trigger: Description
Outlier: Can be triggered by events in the following products:
  • PowerBroker for Windows
  • PowerBroker Servers for Unix & Linux
  • PowerBroker Password Safe
  • Retina network scanner
  • And malware and attack data detected by PowerBroker Endpoint Protection Platform, Clarity Malware Analysis,
  and BeyondInsight connectors.
Untrusted Application: PowerBroker for Windows events. Triggers in the following cases:
  • application is unsigned
  • application has no version information
Vulnerable Application: PowerBroker for Windows events.
Asset Risk Exceeds Threshold: Can be triggered by events in the following products:
  • PowerBroker for Windows
  • PowerBroker Servers for Unix & Linux
  • PowerBroker Password Safe
  • Retina network scanner
  • And malware and attack data
Untrusted User: PowerBroker for Windows, PowerBroker Servers for Unix & Linux, PowerBroker Password Safe.
First Application Launch: PowerBroker for Windows, PowerBroker Servers for Unix & Linux. Triggered when a user
launches an application they never launched before.
First Password Release Request: PowerBroker Password Safe events. Triggered when a user requests a password for
an account and system never requested before.
Unusual Password Release Request: PowerBroker Password Safe events. Triggered when a user does not retrieve the
password for an approved request or the password is retrieved more than once.
Concurrent Password Release Request: PowerBroker Password Safe events. Triggered when a user tries to acquire
more than one password at a time.
Malware Detected: Malware is detected on an asset.
Risk Events by Threat Level
Drill into the risk events to learn more about the event; such as the trigger, type of event, asset name, and severity.
Risk Events by Application
Bubbles represent aggregated threat events. The data is displayed in a quadrant layout:
• The X axis indicates the average asset risk for each bubble (measured at the center of the bubble).
• The Y axis indicates the average threat level for each bubble (measured at the center of the bubble).
The location of the bubble indicates the level of risk. Highest risk assets are displayed in the upper right quadrant.
Bubbles can be arranged by the following:
• Asset - Displays a bubble for each of the most active assets.
• User - Displays a bubble for each of the most active users.
• Application - Displays a bubble for each high level threat data source application.
Drill in to a bubble to learn more information, such as: trigger, event type, asset name, and severity.
Note: The system restricts the number of bubbles for legibility.
Triggers List
The Triggers list displays the total number of events which are affected by each trigger.
Click the trigger link to list all the events that make up the count. Event details include asset, triggers, user,
description.
BeyondInsight Clarity - Malware Analysis
You can use the Clarity - Malware Analysis tool to detect if any files are infected by malware or a virus. Two sources
of data can be used to determine if malware is infecting files on your assets.
• PowerBroker for Windows file hashes - Create a policy in PowerBroker for Windows and apply the policy to
the assets. For specific settings needed to work with the Clarity Malware, see Configuring PowerBroker for
Windows.
• Retina scans - Only the Service and All Audits scans can be used with Clarity Malware. Create and run a scan
using either the Service scan template or All Audits scan template. For more information, see Running a
Vulnerability Scan.
After you configure Clarity Malware and gather data, you can review the results on the Malware tab in the
BeyondInsight management console, and using the Malware report available in the management console.
Architecture Overview
The following diagram shows the workflow for Clarity - Malware Analysis.
Note that only application file hashes are sent to BeyondSaaS with no system or user identifiable information
provided.
Configuring BeyondInsight
Allow up to 24 hours to pass before any data is populated in the BeyondInsight database.
To set Clarity Malware options:
1. Log on to BeyondInsight.
2. Click Options.
3. Expand Clarity Malware Options, and then set the following:
– Alert Level -
– Enable Clarity Malware Analysis – Select the check box to turn on analysis.
– Time to run (minutes after midnight) – The default value is 240 (4 AM). The first query starts at 4 AM after
you initially install BeyondInsight. To change the time that the collection occurs, enter the number of
minutes past midnight that you want the collection to occur.
– Frequency to query (hours) – The available settings:
– 0 - Daily
– 1 - Hourly
– 2 - Every 2 hours
– 4 - Every 4 hours
– 6 - Every 6 hours
4. Click Update.
Configuring PowerBroker for Windows
Ensure you set the following PowerBroker for Windows settings when creating your policy.
For more information about configuring policies in PowerBroker for Windows, refer to the PowerBroker for
Windows product documentation.
To configure PowerBroker for Windows:
1. Open the snapin and create a Privilege Identity rule. Ensure Action is set to Add Admin rights to application(s).
2. Go to Settings and set Log events to BeyondInsight to Enabled.
3. Set Log application launch with modified token to Enabled.
4. Click Update to update the policy in BeyondInsight.
Reviewing Malware Information in the Management Console
Log on to the BeyondInsight management console, and go to the Assets page.
The Confidence Level can be one of the following values: High, Medium, Low. The confidence level indicates the
likelihood that the malware is a real threat to your environment.
You can also use the Malware report to view the information collected using Clarity Malware.
Note: If the Clarity Malware Details button is not available then the data might have been collected by
PowerBroker Endpoint Protection Platform. Confidence Level is an attribute that is provided by Clarity
Malware. If there is no level displayed then the malware might have been detected by PowerBroker
Endpoint Protection Platform.
Additionally, you can review the malware details by selecting an asset on the Assets page.
Using Reports to Analyze Results
You can use the Malware report in the management console and the Clarity reports in BeyondInsight Analytics and
Reporting to analyze the collected information.
A Daily Sync job must be run to retrieve the data from the BeyondInsight Analytics and Reporting database. The
following reports in BeyondInsight Analytics and Reporting provide the Clarity Malware details.
Top 10 Assets by Total Threat Level Report
In the chart area, each asset is displayed along with the total threat level (for example, 13) and the severity level
indicated by I (Info), L (Low), M (Medium), or H (High).
The threat breakdown is presented in the lower section of the report. The Clarity Malware is indicated in red.
Click the Overall Threat Level link to view more information on the malware, including the name, description,
severity, category and threat level.
Event Review - Malware Report
Run the Event Review - Malware report to view a list of the assets and the malware detected on the asset.
The following example report is sorted on Category. Note that the description is the same for any malware that is
discovered through Clarity Malware.
Configuring a Claims-Aware Web Site
You can configure a claims-aware web site to bypass the current BeyondInsight logon page and authenticate against
any configured Federated Service that uses SAML 2.0 to issue claims.
The claims aware website is configured to redirect to a defined Federation Service through the web.config. Upon
receiving the required set of claims, the user will then be redirected to the existing BeyondInsight website. At that
point, it is determined if the user has the appropriate group membership to log in given the claims associated with
them.
If a user attempting to access BeyondInsight has group claims matching a user group defined in BeyondInsight, and
that user group has the BeyondInsight Login permission, the user bypasses the BeyondInsight logon screen. If the
user is new to BeyondInsight, they are created in the system using the same claims information. The user is also
added to every BeyondInsight group that matches a group in the group claim information and that they are not
already a member of.
If the user is not a member of at least one group defined in BeyondInsight, or that user group does not have the
BeyondInsight Logon permission, they will be redirected to the BeyondInsight logon page.
Create a BeyondInsight User Group
Create a BeyondInsight user group and ensure the group is assigned the permission, BeyondInsight Login.
Adding Relying Party Trust
After BeyondInsight is installed, metadata is created for the claims-aware web site. Use the metadata to configure
the relying party trust on the Federation Services instance.
The metadata is located in the following directory:
[Install path]\eEye Digital Security\Retina CS\WebSiteClaimsAware\FederationMetadata\2007-06\
When selecting a Data Source in the Add Relying Party Trust Wizard, select the FederationMetadata.xml that was
generated during the install:
Setting up Claim Rules
Note: Claims rules can be defined in a number of different ways. The examples provided are simply one way of
pushing claims to BeyondInsight. As long as the claims rules are configured to include at least one claim of
outgoing type Group and a single outgoing claim of type Name, then BeyondInsight has enough
information to potentially grant access to the site to the user.
The following example illustrates a claim that would be sent based on the group membership. The Outgoing Claim
Value must be a BeyondInsight user group.
Supported Federation Service Claim Types
Outgoing Claim Type | Mapping to BeyondInsight | User Detail
http://schemas.xmlsoap.org/claims/Group | Required | Group membership
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Required | User name
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | Optional | Surname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | Optional | First name
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | Optional | Email address
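The following is an added example, not the code of BeyondInsight's claims-aware web site, showing how the claim types in the table above map onto the logon decision described at the start of this chapter. It pulls the claims out of a constructed SAML 2.0 AttributeStatement (the user, group names and assertion ID are invented) and applies the stated rules: exactly one Name claim identifies the user, at least one Group claim must match a BeyondInsight user group holding the BeyondInsight Login permission, a new user is created from the claims, and the user is added to every matching group they are not already in; otherwise the user is sent to the BeyondInsight logon page. The example assumes the assertion's signature has already been validated by the federation framework, which is where the trust in these claim values comes from.

```python
"""Map claims from a SAML 2.0 assertion to the claims-aware logon decision.

Added example; not BeyondInsight code. Assertion, groups and users are constructed.
"""
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
GROUP = "http://schemas.xmlsoap.org/claims/Group"
NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
SURNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
GIVENNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed assertion fragment (no real federation service or tenant).
SAMPLE_ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <AttributeStatement>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <AttributeValue>jsmith</AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <AttributeValue>Security Analysts</AttributeValue>
      <AttributeValue>Helpdesk</AttributeValue>
      <AttributeValue>Domain Users</AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <AttributeValue>Smith</AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <AttributeValue>Jane</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>"""

# Constructed BeyondInsight side: group name -> holds the BeyondInsight Login permission.
BI_GROUPS = {"Security Analysts": True, "Helpdesk": False, "Auditors": True}
# Constructed existing users: user name -> current group memberships.
BI_USERS = {"bjones": {"Auditors"}}


def extract_claims(assertion_xml):
    """Return {claim type: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iter(SAML + "Attribute"):
        values = [v.text.strip() for v in attr.findall(SAML + "AttributeValue") if v.text]
        claims.setdefault(attr.get("Name"), []).extend(values)
    return claims


def decide_logon(claims, bi_groups, bi_users):
    """Apply the claims-aware web site rules; returns a dict describing the outcome."""
    names = claims.get(NAME, [])
    if len(names) != 1:  # a single Name claim is required
        return {"action": "redirect_to_logon", "reason": "missing or ambiguous Name claim"}
    user = names[0]
    matching = [g for g in claims.get(GROUP, []) if g in bi_groups]
    if not any(bi_groups[g] for g in matching):
        return {"action": "redirect_to_logon", "reason": "no matching group with Login permission"}
    created = user not in bi_users
    current = bi_users.setdefault(user, set())
    added = sorted(set(matching) - current)
    current.update(added)
    return {
        "action": "bypass_logon",
        "user": user,
        "created": created,
        "groups_added": added,
        "profile": {
            "surname": claims.get(SURNAME, [None])[0],
            "given_name": claims.get(GIVENNAME, [None])[0],
            "email": claims.get(EMAIL, [None])[0],
        },
    }


def run_sample():
    """Decide logon for the constructed assertion against copies of the sample data."""
    users = {name: set(groups) for name, groups in BI_USERS.items()}
    return decide_logon(extract_claims(SAMPLE_ASSERTION), dict(BI_GROUPS), users)


if __name__ == "__main__":
    print(run_sample())
```

For the constructed assertion, jsmith is admitted because "Security Analysts" matches a BeyondInsight group with the Login permission; "Helpdesk" also matches and is added even though it carries no Login permission, and "Domain Users" is ignored because no BeyondInsight group has that name. A claim set whose only matching group lacks the permission, or one with no Name claim, ends at the logon page.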
Claims Aware SAML
The following procedure shows you how to set up a claims aware web site using the Windows Identity Foundation
(WIF) SDK.
1. Start the Windows Identity Foundation Federation Utility.
2. On the Welcome page, browse to and select the web.config file for BeyondInsight Claims Aware site.
The Application URI should automatically populate.
3. Click Next.
4. Select Using an existing STS.
5. Enter the Root URL of the Claims Issuer or STS (for example, https://adfsaccount.adatum.com).
6. Select Test location.
FederationMetadata.xml will be downloaded.
7. Click Next.
8. Select a STS signing certificate option, and then click Next.
9. Select an encryption option, and then click Next.
10. Select the appropriate claims, and then click Next.
11. Review the settings on the Summary page, and then click Finish.
Managing PowerBroker Sudo Events
On the Assets page, you can review the run arguments and I/O logs captured for an asset that is running PBSudo.
Viewing Run Arguments and IO Logs
On the Assets page, you can review the run arguments and I/O logs captured for an asset.
To view the run arguments and IO logs:
1. Go to the Assets page, and then select PowerBroker for Sudo from the list.
2. Click i for an asset.
3. Click the Run Arguments tab or IO Logs tab to view more information.
Creating a PowerBroker Sudo Smart Group
You can create a Smart Group to organize Sudo assets.
You can set filters based on the assets and the event types, including user name, command, exit status, and run
arguments.
Creating a Sudo Client Smart Group
To create a Smart Group:
1. On the Assets page, click Manage Smart Rules.
2. Select the Sudo clients that you want to include in the Smart Group data.
3. Select one of the following:
– All Sudo clients
– All Sudo clients that have not checked in
– All Sudo clients that have checked in
4. Select the type of server. For example, Log Server or Submit Host.
5. In the Perform Actions section, select Show Asset as Smart Group.
6. Click Save.
After the Smart Group is processed and the data is collected, you can view the details on the Assets page.
Creating a Sudo Events Smart Group
You can create a Smart Group based on the PowerBroker Sudo events.
To create a Smart Group:
1. On the Assets page, click Manage Smart Rules.
2. Select the event fields that you want to include in the Smart Group data.
3. In the Perform Actions section, select Show Asset as Smart Group.
4. Click Save.
After the Smart Group is processed and the data is collected, you can view the details on the Assets page.
To view the Sudo events for an asset in the Smart Group:
1. Go to the Assets page, and then select the Smart Group.
2. Select an asset and click i.
3. Click PBSUDO Events.
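As an added illustration of the filters a Sudo Events Smart Group applies (this is not code from the guide or from BeyondTrust), the following Python script evaluates a set of criteria over Sudo event records on the fields named above (user name, command, exit status, run arguments) and groups the matching events by asset, which is what the Assets page then displays. The event records, field names and operators are assumptions constructed for the example; the guide does not show PowerBroker Sudo's actual event schema.

```python
"""Evaluate Smart Rule style filters over PowerBroker Sudo events.

Added example, not BeyondTrust code. Field names, operators and the sample
events are assumptions constructed for illustration.
"""
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class SudoEvent:
    asset: str          # Sudo client the event was captured on
    user: str           # invoking user name
    command: str        # command run through sudo
    run_args: tuple     # run arguments as captured
    exit_status: int    # exit status of the command


# Constructed sample events; hosts, users and commands are made up.
SAMPLE_EVENTS = [
    SudoEvent("web01", "jdoe", "/usr/bin/systemctl", ("restart", "nginx"), 0),
    SudoEvent("web01", "jdoe", "/usr/sbin/usermod", ("-aG", "sudo", "svc-deploy"), 0),
    SudoEvent("db01", "asmith", "/bin/cat", ("/etc/shadow",), 1),
    SudoEvent("db01", "asmith", "/usr/bin/mysql", ("-u", "root"), 0),
    SudoEvent("bastion", "root", "/bin/bash", (), 0),
]

# Operators a criterion can use; each takes (field value, criterion value).
OPERATORS = {
    "equals": lambda actual, wanted: actual == wanted,
    "not_equals": lambda actual, wanted: actual != wanted,
    "contains": lambda actual, wanted: wanted in str(actual),
    "matches": lambda actual, wanted: fnmatch.fnmatchcase(str(actual), wanted),  # shell-style glob
}


def field_value(event: SudoEvent, field: str):
    """Resolve a criterion field name to the event's value; run arguments are joined for text matching."""
    if field == "run_arguments":
        return " ".join(event.run_args)
    return getattr(event, field)


def evaluate(event: SudoEvent, criteria, match_all: bool = True) -> bool:
    """criteria is a list of (field, operator, value) tuples combined with AND (default) or OR."""
    results = [OPERATORS[op](field_value(event, field), value) for field, op, value in criteria]
    return all(results) if match_all else any(results)


def smart_group(events, criteria, match_all: bool = True, assets=None) -> dict:
    """Group matching events by asset, optionally restricted to a set of Sudo clients."""
    groups = {}
    for event in events:
        if assets is not None and event.asset not in assets:
            continue
        if evaluate(event, criteria, match_all):
            groups.setdefault(event.asset, []).append(event)
    return groups


if __name__ == "__main__":
    # Two groups worth reviewing: commands that failed, and sudo group membership changes.
    failed = smart_group(SAMPLE_EVENTS, [("exit_status", "not_equals", 0)])
    group_changes = smart_group(
        SAMPLE_EVENTS,
        [("command", "matches", "*/usermod"), ("run_arguments", "contains", "sudo")],
    )
    for title, groups in (("failed commands", failed), ("sudo group changes", group_changes)):
        print(title)
        for asset, events in groups.items():
            for e in events:
                print("  %s: %s ran %s %s (exit %d)"
                      % (asset, e.user, e.command, " ".join(e.run_args), e.exit_status))
```

The criteria list mirrors the filter rows in the Smart Rule editor: one tuple per row, with match_all choosing between "all criteria" and "any criterion", and the optional assets set playing the role of the Sudo client selection made in the previous procedure.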
Managing BeyondInsight Services
Monitoring Services
On the Services page, you can see the status of a service (Running, Stopped, Paused).
Additionally, you can view the log files to troubleshoot potential problems with a service.
To review BeyondInsight services:
1. Select the Configure tab.
2. Select the Services tab.
3. Click View to open and review details in the log.
4. Click Email to send the log to selected email addresses.
Turn on Debug Logging
To turn on debug logging:
1. Select the Configure tab.
2. Select the Services tab.
3. To turn on debug logging, click Enable Debug Logging.
All BeyondInsight services are restarted if you turn on debug logging.
Turn off debug logging after you finish troubleshooting BeyondInsight to improve performance.
Changing the Credentials for a Service
To change the credentials for the service:
1. Select the Configure tab.
2. Select the Services tab.
3. Click the button as shown:
4. Enter the credentials, and then click OK.
Appendix A: Preparing Your Database Application for Scans
You can set your database applications as targets for scanning.
To ensure that your database can be successfully scanned by Retina, review the following section on MySQL to prepare your database.
Preparing Your MySQL Database
Review your MySQL settings and ensure the following is in place:
• Verify the latest GA release of MySQL ODBC driver is installed on the scanner system.
– Go to Administrator tools.
– Run Data Sources (ODBC).
– Select the Drivers tab.
– Search for the MySQL driver.
– If no driver is found, download and install the latest GA release of the MySQL driver from the MySQL website.
• Ensure that a remote connection can be established to the target database using the ‘mysql’ tool provided with the MySQL database installation.
Appendix B: Report Templates and Audit Groups
The following tables list the report templates and audit groups available with BeyondInsight.
You can run reports on existing scan information that is stored in the BeyondInsight database.
You can run all reports from BeyondInsight Analytics and Reporting. For more information, refer to the BeyondInsight Reporting User Guide.
Report Templates
Table 5. Vulnerabilities
• Access: Lists targets that are inaccessible and includes a reason. For example, the target does not exist on the network, or administrative rights were not provided. Also includes job metrics details such as the agent name that ran the scan, credentials, and scan duration.
• All Audits Scan: Lists all vulnerabilities found. Drill down by vulnerability to review more information, such as fixes, references, exploits and affected assets.
• PCI Compliance Report: Details the vulnerability results of PCI security scans. The Payment Card Industry Data Security Standard (PCI DSS) specifies security requirements for merchants and service providers that store, process, or transmit cardholder data. PCI security scans are conducted over the Internet by an Approved Scanning Vendor (ASV). The Retail report pack is required for this report.
• Vulnerabilities - Personally Identifiable Information: Lists vulnerabilities based on the Personally Identifiable Information audits. Includes personal information (such as email address, driver's license, social security number) and financial information (such as credit card information, but not the credit card number itself).
• Vulnerabilities - VMware Security Hardening: Lists vulnerabilities based on the VMware Security Hardening audits. The audits adhere to the VMware Security Hardening Guides to ensure that your VMware assets are secure.
• Vulnerabilities by Reference: Lists vulnerabilities by CVE reference ID. Drill down into an ID for more information, such as assets affected and potential fixes.
• Vulnerabilities Delta: Provides the vulnerability differences between two scans.
• Vulnerabilities: Lists vulnerabilities grouped by asset. The report details the vulnerabilities with criticality, descriptions, fix information and references. The references provide a link to the CVE web site. You can run custom or standard reports to review the system, users and security issues.
• Vulnerability Exclusions: Lists vulnerabilities that are set to exclude. Includes the expiry date and reason properties.
• Vulnerability Export: Provides a tabular list of all vulnerabilities discovered and their associated details. Penetration Testing: select the Pen. Testing menu item to generate an .xml file that you can use to run penetration tests. For example, you can use Metasploit to try to exploit vulnerabilities that might be found in the .xml report output.
The Attacks report uses information gathered by Retina Protection Agents.
Table 6. Attacks
• Attack: Displays the total number of attacks, attacks per asset, assets attacked, attacker IP address, a list of the top x attacks, criticality and trends over time. Drill down into each attack for more information, such as action, port, protocol, and attacker.
• Malware: Displays the total number of malware attacks, a list of the top x malware attacks, trends over time, and assets affected. Drill down into each malware attack for more information, such as location of the malware, asset and IP address, etc.
Delta reports are useful for comparing changes between scans, such as added or removed user accounts, software changes, and OS upgrades.
Table 7. Assets
• Asset Export: Displays assets in a selected scan in .csv format. Information includes the asset name, IP address, DNS, domain and operating system.
• Assets: Provides asset and risk information by hardware, MAC address, operating system, port, process, services, share and user account.
• Discovery Report: Displays discovery information based on the selected scans. You can select more than one scan to report on. You can include assets that are unreachable. Reports on existing data only.
• Discovery Scan: Lists the targets found on the network, including workstations, routers, laptops, and printers. Credentials are not required for a discovery scan.
• OS Delta: Displays the differences in operating systems between two scans.
• OS: Lists the top 100 and bottom 100 discovered operating systems. Assets are grouped by OS; IP address, asset name, DNS name and risk are included.
• Port Delta: Displays the port differences between two scans.
• Port: Lists the top 100 and bottom 100 discovered ports for the assets included in the scan. Assets are grouped by port; IP address, asset, DNS and risk level are included. Click an asset to drill down to more information: vulnerabilities, MAC address, ports, processes, and more.
• Service Delta: Details the service differences between two scans.
• Service: Lists the top 100 and bottom 100 discovered services for the assets included in the scan. Assets are grouped by service; IP address, asset name, DNS name, and risk level are included. Click an asset to drill down to more information: vulnerabilities, MAC address, ports, processes, and more.
• Share Delta: Displays the share differences between two scans.
• Share: Provides a summary of top and bottom shares and a breakdown by IP address, asset name, DNS name, operating system and criticality.
• Software: Lists the top 100 and bottom 100 discovered software for the assets included in the scan. Assets are grouped by software; IP address, asset name, DNS name, and risk level are included. Click an asset to drill down to more information: vulnerabilities, MAC address, ports, processes, and more.
• Software Delta: Displays the software differences between two scans.
• User Delta: Lists the number of new, unchanged and removed users. Drill down by asset to review a summary of the user updates.
• User: Lists the top 100 and bottom 100 discovered users for the assets included in the scan. Assets are grouped by user; IP address, asset name, DNS name, and risk level are included.
• Windows Events Report: Lists Windows event types based on your selection: Application, System, Security. Retina Protection Agent module required.
Table 8. Executive Overview
• Executive Summary: Provides an overview summary of assets and trends, such as audits by machine and audits by severity.
Table 9. Patches
• Patches: Lists the assets included in the scan and the number of patches that need to be applied to each asset. Lists each patch available and includes a link to more information for the patch. Each patch also provides the name of the violated audit.
Table 10. Hardware
• Hardware Delta: Lists a summary of hardware differences between two scans. Drill down by asset to review differences.
• Hardware: Lists the hardware discovered on each asset included in the scan.
Table 11. Regulatory Compliance
• COBiT Compliance: Provides a report that ensures your environment satisfies the requirements identified in the COBiT framework. Additional components: any report pack.
• FERC-NERC: Maps monitored controls to NERC requirements. Additional components: Government report pack.
• GLBA Compliance: Provides security risk assessments that satisfy the requirements in the GLBA. Additional components: Financial report pack.
• HIPAA Compliance: Maps configuration, patch and zero-day vulnerabilities to HIPAA security rules. Running a scan using the default scan settings ensures compliance with Section 164.308 Administrative safeguards, (a)(8) Standard: Evaluation. Additional components: Healthcare report pack.
• HITRUST Compliance: Displays vulnerabilities mapped to HITRUST regulatory compliance standards. Supported sections from the standard and vulnerability counts are displayed.
• ISO-27002 Compliance: Maps configuration, patch and zero-day vulnerabilities to ISO-27002 requirements. Additional components: any report pack.
• ITIL Compliance: Maps compliance violations and vulnerabilities back to ITIL best practice categories. Additional components: any report pack.
• MASS 201: Maps configuration, patch and zero-day vulnerabilities to MASS 201. Additional components: Government report pack.
• NIST 800-53: Maps configuration, patch and zero-day vulnerabilities to the NIST 800-53 standard used to support FISMA compliance. Additional components: Government report pack.
• SOX Compliance: Maps configuration, patch and zero-day vulnerabilities to defined SOX requirements. Additional components: Retail or Healthcare report pack.
Table 12. Protection
• Protection Agent Configuration: Displays the policies applied on an asset. Retina Protection Agent module required.
• Protection Agent Version: Displays detailed information about the Protection agents, including the computer each agent is installed on, its version, and when the agent was last updated.
• Protection Policy Differences Report: Provides a summary of differences in a protection policy. You cannot run reports on existing data for the Protection reports; this report is intended to provide configuration information for your Retina Protection agent policies.
Table 13. Configuration Compliance
• Benchmark Compliance: Runs a benchmark scan based on a selected benchmark template and policy.
• Benchmark Export: Provides a summary of differences in a benchmark policy.
Additional components: Configuration Compliance module.
Table 14. Patch Management
• Approved Patches: Lists assets where patches are approved.
• Installed Patches: Lists installed patches.
• Required Patches: Lists required patches.
• WSUS Audits Report: Displays the data that is imported from WSUS.
Additional components: Patch Management module.
Table 15. Tickets
• Ticket: Displays details such as Status (Open, New, Closed), Severity, Assigned user, due date, ID, and ticket title.
Table 16. Mobility
• Mobile Assets: Lists mobile assets discovered.
• Mobile Vulnerabilities: Lists vulnerabilities associated with mobile assets.
Table 17. PowerBroker for Windows
• Application ActiveX Details: Displays information about installation events for ActiveX controls in Internet Explorer.
• Applications by Computer: Displays information about application usage on a client.
• Applications By Hash: Displays information about all applications under management, tracked by hash code. Details include the hash code of the binary file, application name, file version, product name, certificate publisher, etc.
• Applications By Path: Displays information about all applications under management, tracked by launch path.
• Dashboard Report: Displays charts about the applications most frequently launched, requiring elevation, triggering User Account Control (UAC), or launched by a Shell rule. Also includes charts about ActiveX controls, rules applied, local administrators, and the ratio of administrator users to standard users.
• Detailed Discovery Scan: Enumerates shares, groups, processes, user and group privileges, hardware, services, and software on PowerBroker for Windows assets.
• File Integrity by Asset: Displays the assets managed using PowerBroker for Windows File Integrity rules.
• File Integrity by Rule: Displays the assets organized by the PowerBroker for Windows rules.
• Risk Compliance: Displays assets with risk compliance rules in place, grouped by vulnerabilities. Filter the report on rule name, application, path, and user.
• Rule Justification: Displays the assets that have a justification that provides information on the reasons for elevation. Filter the report on rule name, application, path, and user.
• Shell Rule Executions: Displays information about all applications that run based on a shell rule.
Table 18. Administrative
• Password Safe User Licensing: Provides details on licensing for Password Safe.
Audit Groups
• Access Scan
• All Audits
• Android ActiveSync
• BlackBerry
• Databases
• Database Servers
• Domain Controllers
• FDCC-Windows XP
• FDCC-Windows Vista
• Mail Servers
• SANS20 (All)
• Secure Audits Configuration
• SANS20 (Unix)
• SCADA
• SANS20 (Windows)
• Third Party Patch Assessment
• Virtualization
• Web Applications
• Zero-Day
Regulatory Reporting Pack Audit Groups
• COBiT Compliance
• GLBA Compliance
• HIPAA Compliance
• HITRUST
• ITIL Compliance
• ISO-27002 Compliance
• NERC/FERC Compliance
• Mass 201 CMR 17 Compliance
• PCI Compliance
• NIST 800-53 Compliance
• SOX Compliance