Scott Marcus

What's In Your NetWitness RSA SecurID Identities?

Blog Post created by Scott Marcus Employee on Feb 28, 2017

The RSA SecurID dashboard lets analysts monitor specific identities and their authentication behavior. It gives organizations visibility into two-factor environments that use RSA SecurID to authenticate to protected resources. Users can run the underlying reports through the NetWitness Reporting Engine, either ad hoc or on a recurring schedule.

 

Sample dashboard screen:

SecurID Dashboard Sample

 

Dashlets Contained in this Dashboard

The SecurID dashboard contains the following dashlets:

  • RSA SecurID-Account Lockouts
  • RSA SecurID-Bad PIN Good Token Code
  • RSA SecurID-Bad PIN Previous Token Code
  • RSA SecurID-Bad Token Code Bad PIN
  • RSA SecurID-Bad Token Code Good PIN
  • RSA SecurID-Static Passcode Authentication
  • RSA SecurID-Token Code Reuse
  • RSA SecurID-Unknown User Failed Login
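
The dashlets above are each a count of one failure category per user. As an added example that is not part of the original post or of RSA's tooling, the script below performs that grouping over a handful of constructed events, attaches the usual analyst interpretation of each pattern, and adds one check the per-user charts do not give you: a single source failing against many different unknown usernames, which is a password spray or user enumeration rather than one confused user. The `result` strings are assumed stand-ins for whatever the rsaacesrv parser writes into the result meta key; substitute the values you actually see in Investigation.

```python
"""Triage SecurID authentication results by dashlet category (added example)."""
from collections import Counter, defaultdict

# Assumed result text -> dashlet it would feed (the real parser strings are not on the page).
DASHLET_FOR_RESULT = {
    "account lockout": "RSA SecurID-Account Lockouts",
    "bad pin good token code": "RSA SecurID-Bad PIN Good Token Code",
    "bad pin previous token code": "RSA SecurID-Bad PIN Previous Token Code",
    "bad token code bad pin": "RSA SecurID-Bad Token Code Bad PIN",
    "bad token code good pin": "RSA SecurID-Bad Token Code Good PIN",
    "static passcode authentication": "RSA SecurID-Static Passcode Authentication",
    "token code reuse": "RSA SecurID-Token Code Reuse",
    "unknown user failed login": "RSA SecurID-Unknown User Failed Login",
}

# What each pattern usually means for the analyst reading the chart.
WHY_IT_MATTERS = {
    "RSA SecurID-Account Lockouts": "enough failures to lock the account (brute force or a broken client)",
    "RSA SecurID-Bad PIN Good Token Code": "someone holds the token but not the PIN (lost or stolen token)",
    "RSA SecurID-Bad PIN Previous Token Code": "a stale token code was supplied with a wrong PIN (replay of an old code)",
    "RSA SecurID-Bad Token Code Bad PIN": "neither factor was right (guessing, or a user with the wrong token)",
    "RSA SecurID-Bad Token Code Good PIN": "someone knows the PIN but not the token (PIN phished or observed)",
    "RSA SecurID-Static Passcode Authentication": "a fixed passcode was used instead of a token code (weaker than 2FA)",
    "RSA SecurID-Token Code Reuse": "an already-accepted passcode was replayed (capture or phishing proxy)",
    "RSA SecurID-Unknown User Failed Login": "attempts against usernames that do not exist (guessing or enumeration)",
}

# Constructed sample events: (timestamp, user, source address, result).
EVENTS = [
    ("2017-02-28T08:01:00", "jdoe", "10.1.1.5", "Bad PIN Good Token Code"),
    ("2017-02-28T08:01:30", "jdoe", "10.1.1.5", "Bad PIN Good Token Code"),
    ("2017-02-28T08:02:00", "jdoe", "10.1.1.5", "Bad PIN Good Token Code"),
    ("2017-02-28T08:05:00", "asmith", "10.1.1.9", "Token Code Reuse"),
    ("2017-02-28T08:10:00", "asmith", "10.1.1.9", "Authentication succeeded"),
    ("2017-02-28T08:12:00", "bob", "203.0.113.7", "Unknown User Failed Login"),
    ("2017-02-28T08:12:01", "alice", "203.0.113.7", "Unknown User Failed Login"),
    ("2017-02-28T08:12:02", "carol", "203.0.113.7", "Unknown User Failed Login"),
    ("2017-02-28T08:12:03", "dave", "203.0.113.7", "Unknown User Failed Login"),
    ("2017-02-28T08:20:00", "mlee", "10.1.1.20", "Bad Token Code Good PIN"),
]


def summarize(events):
    """Count events per dashlet per user, which is what each chart plots."""
    per_dashlet = defaultdict(Counter)
    for _ts, user, _src, result in events:
        dashlet = DASHLET_FOR_RESULT.get(result.lower())
        if dashlet:  # successes and unmapped results are not charted
            per_dashlet[dashlet][user] += 1
    return per_dashlet


def triage(events, threshold=3):
    """Users worth a look: at or above `threshold` failures of one kind, or any token code reuse."""
    findings = []
    for dashlet, users in summarize(events).items():
        for user, n in users.most_common():
            if n >= threshold or dashlet == "RSA SecurID-Token Code Reuse":
                findings.append((dashlet, user, n, WHY_IT_MATTERS[dashlet]))
    return findings


def spray_sources(events, min_names=3):
    """Sources that failed against at least `min_names` distinct unknown usernames."""
    names_by_src = defaultdict(set)
    for _ts, user, src, result in events:
        if DASHLET_FOR_RESULT.get(result.lower()) == "RSA SecurID-Unknown User Failed Login":
            names_by_src[src].add(user)
    return {src: len(names) for src, names in names_by_src.items() if len(names) >= min_names}


if __name__ == "__main__":
    for dashlet, user, n, why in triage(EVENTS):
        print(f"{dashlet}: {user} x{n} -> {why}")
    for src, n in spray_sources(EVENTS).items():
        print(f"{src} tried {n} unknown usernames -> spray or enumeration, not one user")
```

Note that the four unknown-user failures from 203.0.113.7 never cross a per-user threshold, because each username appears once; only grouping by source surfaces them. If you build a custom chart for that case, group on the source address rather than the user.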

Prerequisites

Before you can deploy the RSA SecurID dashboard, you must meet the following prerequisites:

  • Must be a logs customer
  • Must be ingesting RSA SecurID logs
  • Must be using Security Analytics 10.6.x

Deployment

The RSA SecurID dashboard is not currently delivered through Live. Instead, you download a charts archive and a dashboard configuration file and import them through the RSA NetWitness Suite UI.

 

You need to download the following attachments from the blog post:

  • RSA_SecurID_Charts.zip (charts)
  • RSA_SecurID.cfg (dashboard)

 

Perform the following procedures to deploy the RSA SecurID Dashboard:

  1. Add the Result Meta Key to Configuration Files
  2. Add a Data Source to a Reporting Engine
  3. Import Charts Archive
  4. Set the Data Source on Each Chart
  5. Enable the Charts
  6. Import the Dashboard Configuration File
  7. Choose Dashlet Charts

Add the Result Meta Key to Configuration Files

The dashboard's charts report on the result meta key, so it must be indexed at the value level on the Concentrator and mapped from the log parser on the Log Decoder; without both, the charts stay empty.

 

To add result key to RSA NetWitness Suite:

  1. Update index-concentrator-custom.xml on the Concentrator, as follows:
    1. In the Security Analytics menu, select Administration > Services, and select a Concentrator.
    2. Select View > Config from the Actions menu.
    3. Select the Files tab, then select the index-concentrator-custom.xml file.
    4. Add the following line: 
      <key description="Result" level="IndexValues" name="result" format="Text" valueMax="10000" defaultAction="Open"/>
    5. Click Apply.
    6. Restart the Concentrator Service.
  2. Update table-map-custom.xml on the Log Decoder, as follows:
    1. In the Security Analytics menu, select Administration > Services, and select a Log Decoder.
    2. Select View > Config from the Actions menu.
    3. Select the Files tab, then select the table-map-custom.xml file.
    4. Add the following line:
      <mapping envisionName="result" nwName="result" flags="None" format="Text" envisionDisplayName="Result|Volume|Information|Reason|Succeed/Failed"/>
    5. Click Apply.
    6. Restart the Log Decoder service.
  3. Remember to restart both the Log Decoder and Concentrator services that you updated, so that your changes are applied.
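
A malformed index-concentrator-custom.xml or table-map-custom.xml can keep the Concentrator or Log Decoder from coming back up after the restart, so it is worth parsing both files and confirming the entries are what the dashboard needs before you click Apply. The script below is an added example, not part of the original post or of RSA's own tooling. The two file bodies are constructed samples that contain the lines from the procedure above; the `<language>` and `<mappings>` root elements and the appliance path in the comment are assumed, and the checks only walk the `<key>` and `<mapping>` children, so any root element works.

```python
"""Check the custom index and table-map XML for the result key (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample of index-concentrator-custom.xml after the edit (root element assumed).
INDEX_XML = """<?xml version="1.0" encoding="utf-8"?>
<language level="IndexNone" defaultAction="Auto">
  <key description="Result" level="IndexValues" name="result" format="Text" valueMax="10000" defaultAction="Open"/>
</language>
"""

# Constructed sample of table-map-custom.xml after the edit (root element assumed).
TABLE_MAP_XML = """<?xml version="1.0" encoding="utf-8"?>
<mappings>
  <mapping envisionName="result" nwName="result" flags="None" format="Text" envisionDisplayName="Result|Volume|Information|Reason|Succeed/Failed"/>
</mappings>
"""


def check_index_key(xml_text, name="result"):
    """Return a list of problems with the <key name=...> entry; [] means it looks right."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"index XML does not parse: {exc}"]
    keys = [k for k in root.iter("key") if k.get("name") == name]
    if not keys:
        return [f'no <key name="{name}"> entry found']
    problems = []
    if len(keys) > 1:
        problems.append(f'<key name="{name}"> declared {len(keys)} times')
    key = keys[0]
    # IndexValues indexes the values themselves, which is what the report rules
    # filter and group on; IndexKeys would only record that the key is present.
    if key.get("level") != "IndexValues":
        problems.append(f"level is {key.get('level')!r}, expected 'IndexValues'")
    if key.get("format") != "Text":
        problems.append(f"format is {key.get('format')!r}, expected 'Text'")
    if not key.get("valueMax", "").isdigit():
        problems.append("valueMax missing or not a number")
    return problems


def check_table_mapping(xml_text, name="result"):
    """Return a list of problems with the <mapping nwName=...> entry; [] means it looks right."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"table-map XML does not parse: {exc}"]
    maps = [m for m in root.iter("mapping") if m.get("nwName") == name]
    if not maps:
        return [f'no <mapping nwName="{name}"> entry found']
    problems = []
    if len(maps) > 1:
        problems.append(f'<mapping nwName="{name}"> declared {len(maps)} times')
    m = maps[0]
    # Without the parser-side field name nothing is mapped into the result key.
    if not m.get("envisionName"):
        problems.append("envisionName is missing")
    if m.get("format") != "Text":
        problems.append(f"format is {m.get('format')!r}, expected 'Text'")
    return problems


def ready_to_restart(index_xml, table_map_xml):
    """True only when both files parse and both entries pass every check."""
    return not check_index_key(index_xml) and not check_table_mapping(table_map_xml)


if __name__ == "__main__":
    # Against real files, read them instead of the samples, for example
    # open("/etc/netwitness/ng/index-concentrator-custom.xml").read() (path assumed;
    # otherwise download the file from the Files tab in the Config view).
    for label, problems in (("index", check_index_key(INDEX_XML)),
                            ("table-map", check_table_mapping(TABLE_MAP_XML))):
        print(label, "OK" if not problems else problems)
```

Run it against the downloaded copies of both files before you apply them; a parse error or a level other than IndexValues is the thing to fix before restarting the services.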

Add a Data Source to a Reporting Engine

In most cases, for customers that have other reports running, the Data Source is already defined. If so, you can skip this section.

Perform the following steps to associate a data source with a Reporting Engine:

  1. In the Security Analytics menu, select Dashboard > Administration > Services.

  2. In the Services Grid, select a Reporting Engine service.

  3. Click View > Config.

    The Services Config View of Reporting Engine is displayed.

  4. In the Sources tab, click Available Services.

  5. Select the Concentrator that aggregates the SecurID logs as the data source.

Import Charts Archive

  1. Download the Charts archive, RSA_SecurID_Charts.zip, which is attached to this blog post.
  2. In the Security Analytics menu, select Reports.
  3. Click Charts.
  4. From the Chart Groups panel, select the folder into which to import the file.
  5. Do one of the following:
    • In the Chart Groups panel, click Import.
    • In the Chart toolbar, click Import.
  6. Click Browse to navigate to the binary file.
    Security Analytics provides a file system view of the files.
  7. Locate the RSA_SecurID_Charts.zip file that you downloaded in step 1, and click Open.
    The file is added to the Import Chart list. The RSA SecurID rules are also available through Live. If you have already deployed the rules from Live, choose not to overwrite them on import.
  8. (Optional) To overwrite any existing rule in the library with an identically named rule in the binary file, check the Rule checkbox. If you do not select the Overwrite option and an identically named rule is encountered, the existing rule is left in place, the rest of the file is imported, and no error message is displayed.
  9. (Optional) To overwrite any existing chart in the library with an identically named chart in the binary file, check the Chart checkbox. If you do not select the Overwrite option and an identically named chart is encountered, the existing chart is left in place, the rest of the file is imported, and no error message is displayed.
  10. Click Import to import the binary file.

Set the Data Source on Each Chart

  1. For each imported chart, go to Reports > Charts.
  2. Select the Chart and click the edit Icon.
  3. Select the Data Source for the chart (the Concentrator where the SecurID logs are being aggregated).
  4. Click Save.

Enable the Charts

To enable the charts, do the following:

  1. In the Security Analytics menu, select Reports.
  2. Click Charts.
  3. Expand the Identity group.
    The RSA SecurID folder appears.
  4. Select the RSA SecurID folder.
    All charts related to RSA SecurID are listed in the Charts list panel.
  5. In the Charts list panel, select the chart or charts that show a disabled state in the Enabled column.
  6. Click Enable.

A confirmation message indicates that the chart(s) state is changed successfully.

Import the Dashboard Configuration file

Important: Importing a dashboard only works on 10.6.x systems, because of known permission issues importing Dashboards into 10.5.x (or prior releases).

        
  1. Download the dashboard configuration file, RSA_SecurID.cfg, which is attached to this blog post.
  2. In the dashboard toolbar, click Import Dashboard.
  3. Browse to the dashboard file in the Import Dashboard dialog.
  4. Click Import Dashboard.
  5. Reconnect each dashlet to its corresponding chart by clicking the reconnect icon shown in the following illustration.
    Reconnect Dashlet image

The dashboard is displayed in the UI.

Choose Dashlet Charts

After the dashboard is imported, each RSA SecurID dashlet still has to be associated with the chart of the same name.

 

After the Dashboard is imported, the screen looks something like this:

blank dashboard

 

To select charts for the dashlets:

  1. Click the dashlet setup icon.
    The dashlet Options dialog box is displayed.
  2. Click Browse to choose the chart to display.
  3. In the Select Charts window, under Groups, expand the Identity folder.
  4. Select the RSA SecurID folder.
  5. Select the checkbox of the chart whose name matches the dashlet title, then click Select.
  6. In the Options dialog box, click Apply.
  7. Repeat steps 1–6 for each dashlet in the dashboard.

Dependencies

The RSA SecurID Dashboard only applies to customers collecting from logs, so all the dashlets for this dashboard have a medium of Log.

The following table lists the report rule and report chart each dashlet depends on. Every dashlet additionally requires the RSA Authentication Manager and User Credential Manager event source (log parser rsaacesrv).

Dashlet                                    | Report Rule                                | Report Chart
-------------------------------------------|--------------------------------------------|-------------------------------------------
RSA SecurID-Bad PIN Good Token Code        | RSA SecurID-Bad PIN Good Token Code        | RSA SecurID-Bad PIN Good Token Code
RSA SecurID-Bad PIN Previous Token Code    | RSA SecurID-Bad PIN Previous Token Code    | RSA SecurID-Bad PIN Previous Token Code
RSA SecurID-Bad Token Code Bad PIN         | RSA SecurID-Bad Token Code Bad PIN         | RSA SecurID-Bad Token Code Bad PIN
RSA SecurID-Bad Token Code Good PIN        | RSA SecurID-Bad Token Code Good PIN        | RSA SecurID-Bad Token Code Good PIN
RSA SecurID-Static Passcode Authentication | RSA SecurID-Static Passcode Authentication | RSA SecurID-Static Passcode Authentication
RSA SecurID-Token Code Reuse               | RSA SecurID-Token Code Reuse               | RSA SecurID-Token Code Reuse
RSA SecurID-Unknown User Failed Login      | RSA SecurID-Unknown User Failed Login      | RSA SecurID-Unknown User Failed Login
RSA SecurID-Account Lockouts               | RSA SecurID-Account Lockouts               | RSA SecurID-Account Lockouts
