CSAD Lesson 5 Application Settings - 6.3 - MSSP

In a live environment, once you’ve configured your Hadoop settings and ensured your
connections are successful, you will configure your application settings. For this
workshop we’ll touch on most of these briefly so you can see what is available and
focus on some of the more critical settings, and you’ll configure a few settings on
your own.
You can configure application settings such as time zone and date format, SSO and
Quick Links, Remote Ingesters, DNS Server entries, and LDAP Authentication.

You can also schedule Housekeeping Jobs, enable authentication using Active
Directory or other LDAP-compliant directories, and enable X509 authentication for
CAC.

In the general settings, you can set things like the time zone and date format. You can
also enable the application to use web services. Web services aren't covered in this
workshop, but some of the advanced courses cover them, and you can find
information about them on documentation.securonix.com.

You can also enable the application for single sign-on. The quick links option lets you
add items to the main menu bar. For example, you can add a link to your Cloudera
Manager or SNYPR-Eye URL.

You can enable Policy Archival to configure how SNYPR will archive data globally or at
the datasource level.

In Global Mode:
• Select the Tenant or ALL tenants, if running in multi-tenant mode.
• Specify the index expiry days. This is the number of days after which the Archive
index in Solr will be deleted. The expiry days will depend on your expected EPS and
how much space you have available for indexed data and replicas of the indexed
data.
• Use > or >> to select the datasources that will be EXCLUDED from archival
configuration.
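The expiry days depend on EPS, document size, replication and available disk. As an added example (not Securonix code; the average indexed-document size, the replication factor and the 20% headroom are assumptions), here is a sizing model that turns those inputs into the largest expiry value the archive index can afford:

```python
# Added example, not Securonix code: size the Solr archive index expiry from expected EPS.
# Assumptions: a constant average indexed-document size and a fixed replication factor.

SECONDS_PER_DAY = 24 * 60 * 60


def index_bytes_per_day(eps: float, avg_doc_bytes: int, replication_factor: int) -> int:
    """Bytes the archive index grows per day, counting every replica of each document."""
    if eps <= 0 or avg_doc_bytes <= 0 or replication_factor < 1:
        raise ValueError("eps and avg_doc_bytes must be positive, replication_factor >= 1")
    return int(eps * SECONDS_PER_DAY * avg_doc_bytes * replication_factor)


def max_expiry_days(eps, avg_doc_bytes, replication_factor, available_bytes, headroom=0.20):
    """Largest whole number of expiry days whose retained data fits in available_bytes.

    headroom is the fraction of disk kept free for segment merges and growth (assumed 20%).
    """
    usable = available_bytes * (1.0 - headroom)
    per_day = index_bytes_per_day(eps, avg_doc_bytes, replication_factor)
    return max(0, int(usable // per_day))


def expiry_fits(expiry_days, eps, avg_doc_bytes, replication_factor, available_bytes, headroom=0.20):
    """True if a configured expiry keeps the index within the usable space."""
    return expiry_days <= max_expiry_days(eps, avg_doc_bytes, replication_factor, available_bytes, headroom)


if __name__ == "__main__":
    # Constructed planning figures: 5,000 EPS, ~1.5 KB per indexed document,
    # one replica (factor 2), 100 TB of disk reserved for the archive index.
    eps, doc_bytes, rf, disk = 5_000, 1_500, 2, 100 * 10**12
    print(f"index growth: {index_bytes_per_day(eps, doc_bytes, rf) / 10**12:.3f} TB/day")
    print(f"max expiry days: {max_expiry_days(eps, doc_bytes, rf, disk)}")
    print(f"90-day expiry fits: {expiry_fits(90, eps, doc_bytes, rf, disk)}")
```

Re-run the model whenever EPS or the replication factor changes; an expiry that fit at deployment time silently stops fitting as event volume grows.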

You can enable Policy Archival to configure how SNYPR will archive data globally or at
the datasource level.

Configure Archival Settings in Datasource Mode:

1. Select the tenants (multi-tenant mode).
2. Select the specific datasources to archive.
3. Specify the number of days after which the data will expire.

Data masking allows you to hide original data to protect sensitive information for
users and entities, including activity and access accounts, resource names, IP
Addresses, and other event attributes that could contain personally identifiable
information (PII).

You can enable/disable this from the Data Masking page within the Administration >
Settings section.

NOTE: By default, masking is disabled. Click Edit to enable this functionality.

We will discuss Data Masking in more detail in the Access Control lesson.

SNYPR uses Hadoop technologies including HDFS, Impala, Kafka, HBase, Solr, and
Yarn.

Once you integrate Hadoop, you must configure your Hadoop settings within the
SNYPR application via the Administration > Settings > Hadoop entry.

The Securonix Remote Ingester is a lightweight Java program that is used to forward
logs in real time from remote servers to the SNYPR Kafka brokers. This real-time
forwarding of logs to Kafka brokers provides the ability to ingest and analyze events
as soon as they are generated.

This screen shows individual ingester details, ingester status, and available actions per
ingester.

Each individual ingester will have either a green, yellow, or red color to reflect the
status of the ingester connection:
• Green: The application is successfully connected to the ingester and is running.
• Yellow: The ingester status is refreshing.
• Red: The application failed to connect to the Ingester and has stopped.

These colors also display in the Ingesters header which shows a quick view of the
total, running, and stopped ingesters on the screen.

You can take the following actions on this screen:
• Stop: Stops the individual ingester.
• Start: Starts the individual ingester.
• Restart: Restarts the ingester.
• Download: Downloads the logs for individual ingester.
• Additional options:
  • Create new syslog source
  • View syslog configuration
• Refresh all: Refreshes content for all the ingesters on the screen.

Run Housekeeping jobs like clearing audit history and completed or failed jobs. Select
the job and then specify the number of days prior to the current date from which to
remove all data.

By default, the SNYPR application authenticates against the local MySQL data store.
However, you can use this screen if you want to use Active Directory or another
LDAP-compliant directory for authenticating and/or authorizing users. The authorization
for the users is performed based on locally assigned roles.

To do this, the LDAP account should have read permissions for the organizational unit
against which the application authenticates.

You will identify and provide the DN (Distinguished Name) for that account, the
IP address or hostname of the domain controller, and the OUs (organizational units)
containing the users to be authenticated.

You will also need to make changes to the default LDAP authentication properties in
the ldap.config.properties file in the Securonix home directory. See the SNYPR
administration guide for the complete list of steps to use LDAP authentication for
SNYPR.

For details on how to set up LDAP authentication, see documentation.Securonix.com.

SNYPR supports X509 certificate authentication with a secure TLS/SSL connection.
X509 is a public key infrastructure (PKI) standard used to manage digital certificates
and public-key encryption to secure web and email communication. When X509
authentication is used, clients can authenticate to servers with certificates rather
than with a user name and password.

X509 works with the Common Access Card (CAC), which is used for the standard
identification of active duty uniformed service personnel, Selected Reserve,
Department of Defense (DoD) civilian employees, and eligible contractor personnel. It
is also used to enable physical access to buildings and controlled spaces, and access
to DoD computer networks and systems.

From this screen, you can configure application log settings and logging for each
module of the application.

Logging can be changed for each module within the application. To change the
logging levels, perform the following steps:

1. Click the drop-down and select a resource to view logs:
• Imports: Logging for User Import and Glossary Import actions.
• Activity Imports: Logging for Activity Import for various connections.
• Policy Engine: Detect Behavioral Analytics, Anomaly Detection.
• Web Services: Web application components.
• Work Flow: SOC Team Review, Activity Outlier Workflow, Access
Certification Workflow.
• Licensing: Logging for managing and updating the license.
• Views: Users, Resources, Peers, Organizations, Application.
• Add Data:
• Reports: Running and rendering reports.
• Configure: All actions available under the configure menu.
• UI Utilities: Analytical Activities, Applications, Dashboard, Incidents,
Organizations, Peer, Resource, Detect, Transaction, User, Utility Impl, Token,
Common UI Utilities, Workbench Util.
2. Click the Log Levels drop-down and select one of the following:
a. ALL: The lowest possible rank; intended to turn on all logging.
b. DEBUG: Designates fine-grained informational events that are most useful
to debug an application.
c. ERROR: Designates error events that might still allow the application to
continue running.
d. FATAL: Designates very severe error events that will presumably lead the
application to abort.
e. INFO: Designates informational messages that highlight the progress of
the application at a coarse-grained level.
f. OFF: Turns off logging.
g. TRACE: Designates finer-grained informational events than the DEBUG
level.
h. WARN: Designates potentially harmful situations.
3. Click Update to save your changes.

For more information about Log Settings, see documentation.Securonix.com.

This screen allows you to review the licenses installed with the application. View
details about the current licenses, including the number of users and resources licensed,
the license issue and expiration dates, and issuer details.

On this screen, you can install a new license or uninstall and update a current license,
if needed.

Security Assertion Markup Language (SAML) is an XML-based, open-standard data
format for exchanging authentication and authorization data between parties (in
particular, between an identity provider and a service provider).

SAML settings are related to the configuration of single sign-on (SSO), which helps reduce
the administrative overhead of distributing multiple authentication tokens to the
user.

Navigate to Administration > Settings > SAML SETTINGS to configure these settings.

From this screen, you can enter text to appear on the SNYPR Logon screen. For
example, display the company privacy policy.

If you enable “Do you want to use the above text as logon banner?”, you will
provide the text to include on the banner button. For example, “Yes, I accept the
terms and conditions.”

Next, enable Do you want to show a banner with custom text after user logs in? to
include text that will appear on all screens of the application.

On the Spotter settings screen, you can configure settings to control how Spotter
works in your environment.

• Maximum Docs Per Query: Enter the maximum number of Solr documents to
retrieve for the query.
• Maximum Jobs: Enter the maximum number of jobs that can run simultaneously.
• Maximum Queries Per User: Enter the maximum number of queries that can be
run per user.
• Maximum RAM usage: Enter the maximum RAM usage as a percentage, from 0 to
100.
• Maximum Disk usage: Enter the maximum disk usage as a percentage, from 0 to
100.
• Maximum Users In Cache: Enter the maximum number of users in the cache.
• Default Time To Pause Job: Enter the default time to pause a job.
For a complete explanation of the settings, see the documentation website.

On this screen, you can enable and configure settings for Securonix SOAR.

Securonix Security Orchestration, Automation, and Response (SOAR) is an automated
incident response solution that combines user entity behavior analytics (UEBA), SIEM,
and SOAR capabilities into a unified platform.

• It is designed to help security teams respond to security incidents and alerts faster
and more consistently through security orchestration, automation, and response.
• Security orchestration consolidates every security tool and integration, and like an
orchestra, this functionality brings all the security elements into harmony.
• It uses a single interface to coordinate security tools and cross-platform
interactions. Automation is then applied to playbook tasks to reduce the amount
of manual work needed to resolve security incidents.

To enable Securonix SOAR, navigate to Administration > Settings > Securonix SOAR
SETTINGS.

The application uses the mail server:
• To send email notifications on a violation.
• To send job success/failure notifications.
• To send email notifications on user lifecycle changes (new, updated, and
terminated users).
• To send notification emails for case-related issues.
• To receive emails when comments are added to existing cases.

On this screen, provide the email server SNYPR will use to send and receive email.

Once you’ve configured SMTP Server Settings, configure email templates for receiving
notifications in SNYPR.
The available email templates are listed in the left navigation pane. The templates are
grouped by module or type.

These include the following modules:

• Access Outlier
• Access Review
• Case Management
• Content Upload Success
• Disable Masking Workflow
• End User Notification
• Job completed with Errors
• Job Failure
• Job Success
• Notification
• Password Management
• Policy Violation
• Reporting
• User Import

Click the name of the module to view each template for that module.

Example: For Case Management, you have templates for:


• Case Assignment
• Case Management
• Case SLA Notification

You can delete a template or click the + icon to create a new template from this
template.

Click the name of the template to view details such as the sender name, the
description of the template, the subject, and the content of the email. You can edit
any of the details and the body of the email. You can add text and variables, change
the styles of the text using the ribbon, or make changes to the HTML source code by
clicking the Show Source button.

You can add new email templates to create custom notifications from the Email
Templates screen or on the fly from the Run Job screen during data import.

Provide the name of the sender, the template name, and a description of the
template. Then provide the email address of the person or group that will receive the
notification in the event of the transaction. You must enter a value in this field, and
you can enter multiple email addresses. You can also add CC and BCC addressees.

Next, add the subject line the addressee will see when they receive the notification.
HTML Enabled is toggled to YES by default, and so is Store in Outbox prior to
sending.

Select a module under “Use this template for”. You will be able to use variables for this
module only in the body of the email.

Type your message and format as you like. You can change the style, size, color, and
typeface of the text, create bulleted and numbered lists, add horizontal rules, insert
hyperlinks, and drag and drop images into the template. You can also click the paste
icon to paste your content directly into the template.

To add variables to the email body, click Add Email Template Variables. The
variables will populate when the notification is sent.

Only the variables for which the SNYPR event generates a value will be populated. For
example, when a case is assigned to an analyst, the assignee's first and last name,
their manager's name, and the case ID will be populated.

Click Save to save the new template. You can now select the template from the
module in the UI.

Variables are listed by module. When you select a module, you will only be able to
use variables for that module in the body of your email. Some examples include the
access value for access outlier, the entitlement count for access review, the case
assignee first and last name for case management, the event title for a policy
violation, and the job id for an import.
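The two rules above (variables are scoped to the selected module, and a variable the event supplies no value for is left empty) can be shown in a small renderer. This is an added example, not Securonix code: the `${name}` syntax, the variable names and the per-module catalogue are assumptions modelled on the lesson's examples. Because HTML Enabled defaults to YES, the renderer also escapes substituted values so that an attacker-influenced event attribute cannot inject markup into the notification.

```python
# Added example, not Securonix code: render an email template body the way the lesson
# describes. Variable syntax ${name}, the module catalogue and the names are assumptions.
import re
from html import escape

# Assumed per-module variable sets, modelled on the examples the lesson lists.
MODULE_VARIABLES = {
    "Case Management": {"assignee_firstname", "assignee_lastname", "manager_name", "case_id"},
    "Access Outlier": {"access_value"},
    "Access Review": {"entitlement_count"},
    "Policy Violation": {"event_title"},
    "User Import": {"job_id"},
}

VAR_RE = re.compile(r"\$\{(\w+)\}")


def invalid_variables(module: str, body: str) -> list:
    """Variables used in the body that the selected module does not offer."""
    allowed = MODULE_VARIABLES[module]
    return sorted({name for name in VAR_RE.findall(body) if name not in allowed})


def render(module: str, body: str, event: dict, html_enabled: bool = True) -> str:
    """Substitute the module's variables with values from the event.

    A variable the event supplies no value for is left empty, as the lesson describes.
    With HTML Enabled (the default), values are escaped so that event attributes an
    attacker can influence, such as an event title, cannot inject markup into the email.
    """
    bad = invalid_variables(module, body)
    if bad:
        raise ValueError(f"not {module} variables: {', '.join(bad)}")

    def substitute(match: re.Match) -> str:
        value = event.get(match.group(1))
        if value is None:
            return ""
        text = str(value)
        return escape(text, quote=True) if html_enabled else text

    return VAR_RE.sub(substitute, body)


if __name__ == "__main__":
    # Constructed case-assignment event in which the manager name was not generated.
    body = "Case ${case_id} assigned to ${assignee_firstname} ${assignee_lastname} (manager: ${manager_name})"
    event = {"case_id": 4711, "assignee_firstname": "Ana", "assignee_lastname": "Lopez"}
    print(render("Case Management", body, event))
```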

When SNYPR sends any notifications from email templates, you can view the outbox
by opening the three-dot (collapsed) menu on the top navigation bar.
