Detector Service Delivery System (SDS) Version 3 · PDF fileNetwork Detective™ Detector – User Guide 2 Workflow Used by an End User to Request an Investigation of an Alert

© 2018 RapidFire Tools, Inc. All rights reserved. V20180112

Detector Service Delivery System (SDS)

Version 3.0

Detecting and Responding to

IT Security Policy Violations

User Guide

Network Detective™ Detector – User Guide

1

Contents Overview of Detector .................................................................................................................................... 5

Purpose of this Guide .................................................................................................................................... 7

Components of the Stand-Alone Detector and Detector SDS ...................................................................... 7

Detector Appliance ............................................................................................................................... 7

Diagnostic Tool ...................................................................................................................................... 7

Network Detective Application ............................................................................................................. 7

The Network Detective Service Plan Creator and the Service Catalog ................................................. 7

The Network Detective Portal............................................................................................................... 8

Portal Integration with Ticketing Systems/PSAs ................................................................................... 8

Detector Deployment Options ...................................................................................................................... 9

Detector System Requirements .................................................................................................................... 9

General Overview of Detector SDS Use and Operation ................................................................................ 9

Defining the Detector Security Policy Violation Detection, Scanning, and Alerting Settings ..................... 10

Setting Up Detector .................................................................................................................................... 11

Step 1 - Initial Set Up of the Detector Appliance .................................................................................... 11

Step 2 - Associate Detector with a Site and Access Detector Settings ................................................... 11

Step 3 - Set Up the Detector Scan Host and Scan Configuration ............................................................ 12

Step 4 - Schedule Scans, Daily Alert Notifications, and Weekly Notices ................................................ 14

Step 5 - Configure Technician Email Group ............................................................................................ 14

Step 6 - Set Up Subject Text for End User and Email Tech Alert Notification Emails ............................. 16

Step 7 - Assign Security Policies for Policy Violation Detection and Alerting ......................................... 17

Step 8 - Set Up Weekly Notice Notification Recipients .......................................................................... 19

Step 9 - Run Scan to Perform Initial Data Collection .............................................................................. 20

Step 10 - Download Detector Initial Data Collection Scan Data ............................................................. 20

Step 11 - Set up Smart-Tags (optional) ................................................................................................... 21

Step 12 - Set Up Ticketing/PSA System Integrations (Optional) ............................................................. 22

Security Policy Violation Alert Notification Rule Actions ............................................................................ 23

Detector SDS Alert Response Action Workflow Processes ......................................................................... 23

Using the Detector ND Portal to Process Investigate and Ignore Action Requests .................................... 24

Workflow Used to Automatically Create a Ticket from an Alert ............................................................ 24

Workflow Used to Process Security Policy Violation Alert Investigation Requests ................................ 25


2

Workflow Used by an End User to Request an Investigation of an Alert ............................................... 27

Workflow Used by an End User to Request that an Alert be Ignored .................................................... 29

Workflow Steps to Process an Alert Ignore Request Sent to MSP Technicians by an End User ............ 30

Responding to Ignore Request Notification Emails ............................................................................ 31

Using the ND Portal to View and Process To Do Items and Alerts. ............................................................ 34

Accessing and Logging into the ND Portal .............................................................................................. 34

Using the ND Portal To Do List ................................................................................................................ 34

Accessing the ND Portal to Use the Alert Queue List ............................................................................. 35

Using the ND Portal Alert Queue ............................................................................................................ 35

Alert Item Statuses .................................................................................................................................. 36

Filtering the Alert Queue to View Alerts by Status ............................................................................. 36

Creating To Do Items from Alerts Listed in the Alert Queue .................................................................. 37

Reverting Completed Alerts Back to the To Do Item List ....................................................................... 38

End User Security Policy Violation Alert Notifications ................................................................................ 40

Setting Up End User Alert Notifications .................................................................................................. 40

Provisioning Additional Detector Appliances for Deployment ................................................................... 43

Provisioning Additional Detector Legacy Appliances for Deployment ....................................................... 44

Managing and Deleting “Ignore” Alert Rules .............................................................................................. 45

Setting up Automatic Report Generation Using the Reporter Appliance ................................................... 46

Step 1 – Set up a Connector for the Site ................................................................................................. 46

Step 2 – Associate a Reporter with the Site ............................................................................................ 47

Step 3 – Set the Detector Scan to Upload the Scan Data to Reporter .................................................... 48

Step 4 – Set up Reporter to Automatically Generate Reports ................................................................ 48

Appendix A - Sample Daily Alerts and Weekly Notices ............................................................................... 49

Sample Tech Alert ................................................................................................................................... 49

Sample End User Alert ............................................................................................................................ 49

Sample Weekly Notice ............................................................................................................................ 50

Appendix B – Set Up of Smart-Tags ............................................................................................................ 51

Assigning Smart Tags to Change Events that Refine Alerts and Notices ................................................ 52

Examples of Smart Tag Use ................................................................................................................. 55

Warning Concerning the Removal of a Detector Appliance from a Site ............................................ 55


3

Backing Up Smart Tags for Reuse ....................................................................................................... 55

Adding and Configuring Smart Tags .................................................................................................... 56

Deleting Smart Tags ............................................................................................................................ 61

Appendix C – Saving and Reusing Smart Tags through Export and Import ................................................ 62

Steps to Export and Save Smart Tags for Later Use ............................................................................ 62

Steps to Import Smart Tags for into your Site for Use with Detector................................................. 64

Appendix D – Using the Service Plan Creator ............................................................................................. 66

Service Plan Creator Use Cases ............................................................................................................... 66

Creating Service Plans and Service Catalogs ........................................................................................... 67

Step 1 – Create a New Service Plan .................................................................................................... 67

Step 2 – Assign Security Policies to Your Service Plan ........................................................................ 68

Step 3 – Defining Reports Deliverables to be Included in the Service Plan ........................................ 69

Step 4 – Creating a Service Catalog..................................................................................................... 71

Generating a Service Catalog Document ................................................................................................ 73

Generating a Service Plan Matrix Document .......................................................................................... 75

Generating a Sample Master Services Agreement for a Service Plan .................................................... 77

Managing Service Plans .......................................................................................................................... 80

Modifying a Plan ................................................................................................................................. 80

Deleting a Plan .................................................................................................................................... 81

Managing Service Catalogs ......................................................................................................................... 83

Modifying a Catalog ............................................................................................................................ 83

Deleting (excluding) Service Plans from a Catalog .............................................................................. 84

Adding Service Plans to a Catalog ....................................................................................................... 85

Removing (deleting) a Service Catalog from the List of Catalogs ....................................................... 86

Appendix E – Set Up and Assign a Ticketing/PSA System Integration to a Site Using Detector SDS .......... 87

Appendix F – Set Up ND Portal Branding (Detector SDS Only) ................................................................... 92

Appendix G – Set Up a Custom Subdomain to Access the ND Portal (Detector SDS Only) ........................ 94

Appendix H – Set Up Custom SMTP Server Support (Detector SDS Only) .................................................. 96

Appendix I – Setting up a ConnectWise Integrator Login ID ....................................................................... 98

Setting up an “Integrator Login” in ConnectWise ................................................................................... 98

Appendix J – Setting up a Network Detective to ConnectWise REST API Integration ................................ 99


4

Step 1 – Download and Install the ConnectWise Manage Internet Client Application ..................... 99

Step 2 – Select the ConnectWise Ticket System API Member Account to Integrate with Network

Detective ............................................................................................................................................. 99

Step 3 – Create an API Key in the ConnectWise Ticketing System ..................................................... 99

Step 4 – Configure Service Tables in ConnectWise ........................................................................... 100

Appendix K – Default Detector SDS Service Plans .................................................................................... 102

Appendix L – Additional Scan Host Configuration Options and Requirements ........................................ 104

Scan Host Requirements ....................................................................................................................... 104

Assigning Scan Hosts ............................................................................................................................. 104

Assigning Scan Hosts within a Workgroup ........................................................................................ 105


5

Overview of Detector

Detector prowls an entire network each day at whatever time you determine and then sends out daily Security Policy violation notification alerts to notify you of any suspicious issues it discovers.

And, for Detector Service Delivery System (SDS) subscribers, each discovered issue listed in a Security Policy Violation Alert contains an “Alert Link” that is a part of an automated process flow to enable your technicians to “Investigate” or “Ignore” the Alert item using the Network Detective (ND) Portal.

Clicking on any of these Alert Links in the Violation Alert Notification Email will take you to the ND Portal. In the Portal you can:

• review the issue’s forensics

• automatically generate a service ticket in your favorite Ticketing System/PSA

• configure a Detector Smart-Tag or an Ignore Rule to ignore the alert and prevent the same “false-positive” from being generated again in the future

Throughout the day, the Detector Appliance can perform scheduled IT assessment scans then issue

network change related Security Policy Violation Alerts on a Daily basis and Weekly Notices after

Anomalies, Changes, or Threats (ACT) have been identified on the network.

Each time Detector executes a pre-scheduled scan, it’s on the look-out for three classifications of internal network security issues: Anomalies, Changes, and Threats.

Anomalies are suspicious activities and findings that are out of the ordinary and unexpected and that should be investigated. Examples of anomalies are users logging in at times outside their historical patterns, or a USB drive plugged into a computer that has been tagged as being "locked down."

Changes are recorded variances from previous scans linked to specific aspects of the network environment that could represent a threat. Examples of suspicious changes are a user’s security permission promoted to administrative, or a new device added to the network that wasn’t there before.

Threats are defined as clear and recognizable dangers to the network environment that need fast attention. Examples of threats would be a critical security hole or a machine in the "DMZ" that hasn’t been patched in 30 days.

Detector Daily Alert


6

Every day Detector looks at a broad range of assets and configurations in search of anomalies, changes and threats, including: Wireless Networks, Network Devices, User Behavior, Computers, Printers, DNS entries, Switch Port Connections (Layer 2/3), and Internal Network Vulnerabilities. It also looks at issues specifically for environments subject to HIPAA and PCI compliance.

And, on a weekly basis, Detector will also notify you of changes in the large categories of: Access Control, Computer Security, Wireless Access, and Network Security.

Please note that throughout this guide you may see references to both “stand-alone” Detector and Detector SDS. Depending on which subscription you have purchased, please follow the instruction set for one or the other.

The stand-alone Detector has a limited number of features and is sold by individual license. Detector SDS has an expanded feature set and comes with “unlimited” licenses (subject to the license agreement).

The following provides a summary matrix between the stand-alone Detector and Detector SDS offerings:

Detector Detector SDS

Licensing Per Detector

Appliance

Unlimited Detector

Appliances

All Alerts ✓ ✓

Alerts sent through email ✓ ✓

Use RapidFire Tools’ supplied SMTP gateway ✓ ✓

Use custom SMTP gateway ✓

Use custom FROM email addresses ✓

Email Response Action Requests (Investigate and Ignore Actions)

✓

Branded Client Portal ✓

Custom Branded Portal Site Sub-domain ✓

Service Plan Creator ✓

Marketing Collateral ✓

Default Service Plans and Catalogs ✓

Direct PSA Integration (Autotask, ConnectWise, and Tigerpaw) ✓

Support Standard Support

Dedicated Portal Setup and

Onboarding


7

Purpose of this Guide This guide is designed to provide an overview and specific steps required to install and configure the

Detector Appliance and the Detector Service Delivery System (SDS). Configuration and set up will

include:

• the setting of Security Policies to enable detection of policy violations and trigger alerts

• the creation of Notification Rules to direct Alerts to email recipients or to automatically create

tickets in Ticketing/PSA systems.

• scheduling of network data collection and assessment scans

• scheduling of Daily Security Policy Violation Alerts and Weekly Notices

• creation of Service Plans and Catalogs

• integration of the Autotask, ConnectWise, and Tigerpaw PSA/Ticketing systems with the ND

Portal

• custom branding of the ND Portal web site used to process and manage To Do items and Alerts

Components of the Stand-Alone Detector and Detector SDS

Detector Appliance

This is the Detector Appliance software application that operates on either on a user supplied Microsoft

Hyper-V or VMware based system or the Small Form Factor Server computer available from RapidFire

Tools.

Optional Small Form Factor Server Computer

This is an optional hardware component that can be purchased from RapidFire Tools to host and

operate the Detector Appliance. It is a small, portable server computer which plugs into the target

network through an Ethernet connection.

Diagnostic Tool

This tool is used for configuring and troubleshooting the Detector Appliance. The Diagnostic Tool should

be run on the same network as the Detector Appliance to perform diagnostics checks such as for

Detector Appliance connectivity.

Network Detective Application

This is the same Network Detective desktop application and report generator that is used with any other

Network Detective modules. This application contains additional features to manage the Detector

Appliance remotely.

The Network Detective Service Plan Creator and the Service Catalog

Detector SDS users have access to the Network Detective’s unique “Service Plan Creator” tool that gives

you the ability to modify our starter Service Plans, or create your own plans from scratch.


8

You define and name the offerings based on the security policies that you want to enforce, and the tool

automatically generates a “Service Plan Catalog” (or catalogs), and “Service Plan Matrix” sheet that

compares your plans to help you sell them to your clients and prospects.

Once you sell one of your plans to your client, simply “apply” the plan to the Detector assigned to that

client and its Service Policy Violation detection capability is then automatically configured to deliver

that exact plan.

For more information about creating Service Plans and Catalogs, please refer to the Service Plan Creator Quick Reference Guide located at www.rapidfireotools.com/nd.

The Network Detective Portal

The Network Detective (ND) Portal is used to process Investigate Alert Action Requests and Ignore

Alert Action Requests created in response to Anomalies, Changes, or Threats (ACT) detected by the

Detector Appliance.

The Portal acts as an ACT “triage center” that enables technicians to view a “To-Do” list of Investigate

Alert Action Requests and Ignore Alert Action Requests and to enable processing of these requests by:

• transferring the requests to Ticketing/PSA Systems such as Autotask, ConnectWise, and

Tigerpaw

• using the Portal to modify Detector Smart-Tags to configure the Detector Appliance to more

effectively detect Security Policy violations and address False Positives

• creating Ignore Rules to address Alert False Positives

• completing a given Action Request

To access the ND Portal, visit the default web site URL of https://alerts.alert-central.com .

To learn more about the Portal refer to the following sections:

• Using the Detector ND Portal to Process Investigate and Ignore Action Requests

• Set Up and Assign a Ticketing/PSA System Integration to a Site Using Detector SDS

• Set Up ND Portal Branding

• Set Up a Custom Subdomain to Access the ND Portal

• Set Up Custom SMTP Server Support for Alerts and Notifications

Portal Integration with Ticketing Systems/PSAs

To set up Detector SDS integration of the Autotask, ConnectWise, or Tigerpaw ticketing/PSA systems

with the ND Portal, please refer to Appendix E - Set Up and Assign a Ticketing System Integration to a

Site.

http://www.rapidfiretools.com/nd/Network_Detective_Service_Plan_Creator_Reference_Guide.pdf

http://www.rapidfiretools.com/nd/Network_Detective_Service_Plan_Creator_Reference_Guide.pdf

https://alerts.security-bulletins.com/


9

Detector Deployment Options

There are three Detector Appliance deployment platform options available to users:

• Hyper-V based systems

• VMware based systems

• on a Small Form Factor Computer Server available from RapidFire Tools

The next section outlines the steps to set up the scans, Tech Alerts, End User Alerts, and Weekly Notice

notification tasks to be performed using Detector.

Detector System Requirements

Below are the minimum requirements for installing and operating Detector.

Please note the Operational Requirements that must be met after Detector has been installed and

deployed.

Hyper-V Install Requirements:

• Hyper-V Enabled Operating System (Windows 8.1+)

• 2 GB Available RAM

• 20 GB Hard Drive Space VMware Install Requirements:

• ESXi 5.5+


• 20 GB Hard Drive Space

Operational Requirements:

• i5 Processor for dedicated use. Xeon server class processors for non-dedicated.


• 20 GB Hard Drive Space

General Overview of Detector SDS Use and Operation

Detector SDS is used to Detect and Alert upon Security Policy Violations that may consist of network

Access Anomalies, Changes, and Threats (ACT).

Detector SDS will scan a network and compare collected data with a set of predefined network Security

Policies that are contained within a Security Service Plan you create and assign to a Detector Site.

When Detector identifies a Security Policy Violation, there are a series of rule based Alert Notification

Actions and Response Action Workflows that can take place on a Daily basis in response to these

violations.


10

These Actions include:

• Investigate Alert Requests sent to a “Tech” Group via email

• Investigate Alert Requests are automatically created as “To Do” items in the ND Portal to

enable your company technicians to efficiently manage security incident perform “Triage” on

the issue

• Security Policy Violation Alerts sent to an “End User” Group containing a list of email recipients

at your client’s company

• Tickets being automatically generated in your Ticketing/PSA system for investigation, security

incident response, and remediation purposes

Detector SDS contains a number of other features that can enable you to package, market, and sell

Security Services. These features include the Service Plan Creator and the Service Catalog generation

tool that may be used to produce marketing literature and service contract documents.

Defining the Detector Security Policy Violation Detection, Scanning, and Alerting Settings

The setup process of the Detector SDS consists of setting up the following options:

• Policy Configuration using Service Plans with pre-configured Security Policies used for policy

violation detection of network Anomalies, Changes, or Threats (ACT)

• Notification Configurations consisting of Actions that automatically occur in response to

Security Policy Violations. These Actions include:

o Daily Alert Notification Emails sent to Technicians (Techs)

o Daily Alert Notification Emails sent to End Users

o Automatically created Tickets in Autotask, ConnectWise, or Tigerpaw

• Email Notification configuration that enables you to set up Tech and End User Notification

Email Groups of recipients set up to receive Daily Security Policy Violation Alert Notifications

• Setting up Scans

o Level 1 (Daily) Network Scan configuration and scheduling

o Level 2 (Weekly) Network Scan configuration and scheduling

• Weekly Notices Recipient assignment, notice Event Selection, and Scheduling

• Smart-Tag configurations to facilitate the refinement of security policy-based ACT detection

• Setting up Ticketing System Integration for use with the Network Detective (ND) Portal and

Network Detective Sites (Detector SDS Only)

• ND Portal Customization

o Portal Branding

o Custom Portal Subdomain

o Custom SMTP Server Usage for Alerts and Notifications


11

Setting Up Detector

Step 1 - Initial Set Up of the Detector Appliance

1. Install Detector on your client’s network by either:

a) connecting the Detector installed on the Small Form Factor Server Computer that you

purchased from RapidFire Tools to your client’s Network.

b) going to www.rapidfiretools.com/nd to download and install the Network Detective Virtual

Appliance on a Hyper-V or VMware enabled computer operating within your client’s

network. For more information about installing the Virtual Appliance, please download the

Virtual Appliance Installation Guide for Detector.

2. After successfully deploying Detector, visit www.rapidfiretools.com/nd to download and install

the latest version of the Network Detective Application. Then run Network Detective and login

with your credentials.

3. Create a new Site by selecting the New Site

option. Set the Site Name for the “Site” in

Network Detective.

Select the OK button to create the site.

Step 2 - Associate Detector with a Site and Access Detector Settings

1. From within the Site Window, select the

selector symbol to expand the Site’s

Preferences in order to Add an Appliance.

2. Next, select the Add Appliance button.

The Add Appliance window will be

displayed.

3. Select the Appliance ID of the Detector Appliance from the drop down menu.

Note: When users have purchased a Small

Form Factor Server Computer, the

Appliance ID can be found on a printed

label on the Small Form Factor Server

Computer itself.

After selecting the Appliance ID, select

the OK button to continue.

4. After successfully adding a Detector to

http://www.rapidfiretools.com/nd

https://www.rapidfiretools.com/nd/Virtual_Appliance_Installation_Guide_for_Detector.pdf



12

the Site, its Appliance ID will appear

under the Appliance bar in the Site

Preferences window. The status of the

Appliance will be indicated as Active.

Warning Concerning the Removal of a

Detector Appliance from a Site: When a Detector has been Associated with a Site and the Scan

Schedule, Alert Schedule, Alert Recipients, and Smart-Tags settings have been defined, if the

Detector is ever Associated with a different Site, the original Site’s Detector settings will be

automatically deleted.

Step 3 - Set Up the Detector Scan Host and Scan Configuration

Follow the steps below to set up a Scan Host and configure the scan:

1. After associating the Detector with the Site,

select the Detector Settings Icon located in the

Network Detective window to view the

Detector Settings window.

2. In the Detector Settings window, select the Modify

Scan Configuration option.

The Scan Configuration Wizard will appear.

The Detector Appliance requires access to at least one separate, additional PC on the client’s

network. This computer is called the “Scan Host.” The Scan Host is used to initiate scans.

Be sure that the computer you select to be a Scan Host meets the necessary Admin$, WMI,

File and Print Sharing requirements and their respective firewall settings. The computer must

also be operating Windows 7 or higher.

For more information on Scan Host requirements, see “Appendix L – Additional Scan Host

Configuration Options and Requirements”.


13

3. Enter the following information about the

Scan Host(s):

a. One set of login credentials for

all PCs that will serve as scan

hosts

b. IP Address or Computer Name

for the PCs that will serve as scan

hosts

c. Domain name (NOT the name of

the domain controller)

If you are in a Workgroup

environment, see “Assigning Scan

Hosts within a Workgroup”.

Note: We recommend that you assign at least two PCs to serve as scan hosts. This will allow

scans to run even if one scan host becomes unavailable.

4. Click Test Scan Hosts.

A message will appear indicating whether a

connection can be established to each scan host.

If the connection cannot be established, be sure

the scan host meets the requirements – and that

you have entered the correct credentials. See

“Appendix K – Additional Scan Host Configuration

Options and Requirements” for more information.

5. Follow the steps presented in the Wizard and

select Finish to complete the Scan Host set up and

Scan Configuration step.


14

Once installed and configured, the Detector Scan Host is used to perform network and push local

computer scans to ping-able computers during the Daily Scan process.

Step 4 - Schedule Scans, Daily Alert Notifications, and Weekly Notices

1. In the Detector settings window,

select the Modify Schedules

option.

The Schedule window will be

displayed.

2. Define the Time Zone, the time

that the Level 1 (Daily) and Level

2 (Weekly) scans should start,

and the days and times that the

Daily Alerts resulting from

Security Policy Violations and

Weekly Notices should be sent to

designated recipients.

Select Save to store the Schedule

settings.

Step 5 - Configure Technician Email Group

During the Security Policy Configuration step later in this Guide, you will configure the Security Policies

that Detector will Alert upon during its operation as the Appliance detects violations to the selected

policies.

During the Security Policies Configuration process, it will be necessary to define policy violation

detection response Action. This Action may include the sending of an Alert Notification Email to a

predefined list of recipients referred to as a Detector Email Group.

In this step, we will set up the Email Group that will be used when one particular Detector Action

named “Email Tech” is designated as a particular Security Policy violation’s response Action. To create

the Email Tech action’s Email Group, follow these steps.

1. Select the Modify Email Configuration

option.


15

2. Select the Email Groups tab in the Email

Configuration window.

3. Select the Add Email Group button.

4. The Add Email Group window will be

displayed.

5. During this step, you will enter in the

Name of the Email Group, select the

Group Type, and select or type in the

email addresses of the recipients that will

receive email notifications sent to this

Email Group.

a. For this Quick Start set up process,

type in the Name of the Email Group

you will use for your Company’s Tech

Team Email Group.

b. Next, set the Group Type to be

“Tech”.

c. Finally, select the To button to select email addresses from a list of your

company’s Network Detective users.


16

to define the Recipients of Daily

Alert Notification Emails. You can also directly type in the email address of the recipients as

well.

d. Once you have selected the email addresses for your Tech Team Email Group, Select the OK

button to save your new Email Group.

6. Proceed to Step 6 below before selecting

the Email Configuration window’s Save &

Close button.

Step 6 - Set Up Subject Text for End User and Email Tech Alert Notification Emails

1. Select the Email Subjects tab in the Email

Configuration window.

2. Enter a reference to the Detector’s

Network Detective “Site” name within

the Subject line for the End User Alert

and Tech Alert Notification Email

messages.

3. Select the Save & Close button.


17

Step 7 - Assign Security Policies for Policy Violation Detection and Alerting

The Policy Configuration option enables you to define when Detector sends alerts containing

information about identified threats to Access Control, Computer, and Network Security policies that

are detected by the Detector Appliance.

1. In the Detector Settings window, select the Policy

Configuration Modify button to access the Policy

Configuration options window.

The Policy Configuration window will be

displayed.

2. Using the Service Plan option, select the

Gold Service Plan to assign an initial set of

Security Policies to your Detector’s

configuration.

To learn more about Service Plans and

how to create custom Service Plans,

please refer to the Detector User Guide.

Any Policy Item listed and presented in

Red Text indicates that this policy

requires that some policy specific Smart-

Tags must be set up.

To learn more about Smart-Tags and their use, please refer to Step 11 – Set up of Smart-Tags.

In some cases, Smart-Tags that are associated with these particular policies may need to be set

up if alerts are to be generated or to prevent the detection of false positives.

Policies listed in Black Text within the Policy Configuration window are either:

a) policies that do not require a Smart-Tag

b) policies that require Smart-Tags that have been configured

Select one or more of Policies that you would like Detector to alert upon when a policy violation

has occurred. During this process, be sure to note which Smart-Tags must be configured to

enable alerts to be sent when violations of the selected Security Policies take place.


18

3. Select the Next button.

The Configure Notifications window will

be displayed.

Each Security Policy’s Alert Notification

Rule is assigned one of four Action

options:

• Create Ticket

• Email Tech

• Email End User

• None

When the Create Ticket Action is assigned to a policy’s Alert Notification Rule, Detector SDS will

automatically submit an Alert to your Ticketing System/PSA based on the Ticketing System to Site

Mapping configuration contained within the Portal’s Settings. For more information about how to set

up Detector SDS to work with your Autotask, ConnectWise or Tigerpaw Ticketing System/PSA, refer to

Appendix E - Set Up and Assign a Ticketing/PSA System Integration to a Site.

4. In this step, an Action will need to be

assigned to each policy violation

Notification associated with a given

Security Policy.

a. Right click on the Action column and

select the Select All menu option.

b. The list of Security Policy

Notifications will be highlighted in

Blue.

c. Next, right click again on the Action

column.

d. Next , select the Select Action menu

option.

e. Then select the Email Tech menu

option. This selection will assign the

Email Tech Action to all of the selected

Security Policies.


19

5. In this step you will assign your

Company’s Tech Team Email Group to

each of the Security Policy Notifications

that were assigned the Email Tech

Action.

a. Right click on the Email Group

column and click on the Select Group

Name menu option.

b. The list of available Email Groups for

selection will be displayed.

c. Select your Company’s Tech Team

Email Group. To create a Group, refer

to Step 5 - Configure Technician Email

Group.

d. Now, all of the Email Tech Notification Action for each Security Policy will be assigned the

Email Group you selected.

6. Next, select the Finish button to save your selections.

Note: Service Plans have a set of recommended Reports that should be generated on a regular

basis. If you want to have these reports automatically generated, then set up the necessary

Network and Security Assessments using the Network Assessment and Security Assessment

Modules to generate the reports to be run.

Step 8 - Set Up Weekly Notice Notification Recipients

1. Go to Detector settings window and select the Add Recipient

button on the Weekly Notice bar. The Weekly Notice

Alerts configuration window will be displayed.

2. Within the Email Configuration tab, define the recipients

of Weekly Notice Alerts emails either by:

a. selecting the To button and selecting recipients

from list in Select Users Form

b. entering in recipient email address(es) manually

in the To field.

After adding the recipient email addresses, select the

Selected Notices tab.

3. Set the Selected Notices by selecting the Weekly Notice Alerts options available in the list.


20

After you have selected the Weekly Notice types that you

want sent to the selected Recipients, click on the Save &

Close button to save your Weekly Notice Alerts settings.

Please Note: Two Weekly Scan Data Sets must exist in

order for a Weekly Notice to be generated and sent. For

example: from a past scan (last week) and most recent

scan (this week).

Step 9 - Run Scan to Perform Initial Data Collection

In order to perform Step 10 – Download Detector Initial Data Collection Scan Data, it is necessary

for Detector to perform an initial Data Collection on the network. This initial Data Collection is

performed through the execution of the Level 1 Scan (Daily Scan).

Two options are available to you in order to perform this initial Data Collection:

1) Wait until Detector completes the Level 1

Scan (Daily) scheduled in the previous step.

2) Use the Detector Scan Now feature to start

the Level 1 Scan (Daily).

When either the scheduled scan or the scan initiated with the Scan Now option have been

completed, the scan data must be downloaded into the Detector’s Smart-Tags settings window

Step 10 - Download Detector Initial Data Collection Scan Data

1. After the initial Data Collection scan is complete,

select the Smart-Tags link in the Detector Settings

window. The Smart-Tags window will be

displayed.

2. Select the Download Scan button to download

the scan data.

3. After the scan data has been downloaded, you

may select the Configure link to return to the


21

Detector Settings window. Otherwise, to set up Smart-Tags proceed to Step 11.

Step 11 - Set up Smart-Tags (optional)

Smart-Tags are used to enable Detector’s Machine Learning capability in order to further detect

violations to the Security Policies you select, as well as, eliminate False Positives.

During the initial set-up of the Detector Appliance, this step is optional. You may either close the

Detector Settings window and wait for Detector to start running scans and sending Alerts, or you may

proceed with setting up Smart-Tags. This step is dependent on the successful completion of Step 9 and

Step 10.

To configure Smart-Tags, follow these steps.

1. For the initial set-up of the Detector using this Guide, configure the following Smart-Tags:

SMART-TAG ITEM TAGGED WHY IS THIS ITEM BEING TAGGED?

RESTRICTED NETWORK Network Devices added to this network must be authorized

BUSINESS OWNER PC Computer Only the Business Owner is authorized to access

RESTRICTED IT ADMIN ONLY Computer Computers may only be accessed by IT Administrators

SINGLE DESKTOP USER User Users are only supposed to access one computer

LOCKED DOWN COMPUTER Computer No applications are to be installed or removed

SENSITIVE COMPUTER Computer Screen lock should be enabled on these computers

2. Search the list of Recommended and Available

Smart-Tags displayed in the Smart-Tags window

with those you previously noted above.

Note: Some Smart-Tags have a Red Corner

marker in the tag’s icon. These marked Smart-

Tags represent tags that must be set up to

enable

alerts to be sent for the specific Security

Policies

you selected in Step 8.


22

3. Double-click on a Smart-Tag icon to open the

Tag.

Depending on the requirements for the Smart-

Tag you are configuring, select or type in the

Computers, Users, SSIDs, Printers, or IP

Addresses that are required to configure the

specific tag.

4. After configuring the Smart-Tag, select the

Save & Close button to save the Smart-Tag’s

configuration.

5. After configuring the six (6) Smart-Tags defined

in item one (1) above, select the Configure link

to return to the Detector Settings window.

6. After completing all of the Detector settings

configuration, you can exit the Network

Detective application.

Step 12 - Set Up Ticketing/PSA System Integrations (Optional)

To set up Detector SDS integration of the Autotask, ConnectWise, or Tigerpaw ticketing/PSA systems

with the ND Portal, please refer to Appendix E - Set Up and Assign a Ticketing/PSA System Integration to

a Site.


23

Security Policy Violation Alert Notification Rule Actions

There are four predefined Security Policy’s Alert Notification Rule Actions that can be configured in the

Detector SDS’s Notification Settings. These Actions are assigned to specific Alert Notifications

generated as a result of a Policy Violation identified by Detector (Refer to Step 7 - Assign Security

Policies for Policy Violation Detection and Alerting).

These Actions are:

1. Create a Ticket – this Action will automatically generate a Ticket in the Ticketing/PSA system for

an Alert that has been set up to work with the ND Portal for a particular Site that has been

Mapped to a Connection that interfaces your company’s Ticketing/PSA system to the ND Portal.

2. Email Tech Group – this Action will automatically create an Investigate Alert To Do item in the

ND Portal for members of your technical team to process in response to a specific Alert.

3. Email End User – this Action will send an “End User” Alert Notification to an email recipient in

your Client’s Company. This Alert will enable the End User to play a role in directing how your

technicians should respond to an Alert. End Users can direct your company’s technicians to:

a. investigate an Alert

b. set up an Ignore Rule to ignore the Alert in the future.

4. None (i.e. no action)

Detector SDS Alert Response Action Workflow Processes

The Alert Response Use Cases below summarize the Alert Response Workflow Processes for Actions

one (1) through four (4) referenced above.

These Alert Response Workflow Processes are:

• Alert automatically Creates a Ticket in the Ticketing System/PSA that you configured in the ND

Portal’s Settings. For more information about setting up an Ticketing System/PSA in the ND

Portal please refer to

• Tech Group Members respond to Investigate Alert Request To Do Items listed in the To Do list

in the ND Portal

• End User submits an Investigate Alert Request Notification email to your technicians and To Do

item to the ND Portal

• End User submits an Ignore Alert Request Notification email and To Do item to the ND Portal

• Tech Group Members process the Ignore Alert Request To Do items in the ND Portal


24

Using the Detector ND Portal to Process Investigate and Ignore Action Requests

The workflow associated with the processing of Investigate or Ignore Action Requests relies on a

combination of email notifications along with the ND Portal system to assign these Action Requests to

your technicians as To Do items listed in the Portal’s To Do list.

You can access the ND Portal in order to view the current To Do list for each Network Detective Site

used to manage a Detector on your client’s network.

The ND Portal can be accessed https://alerts.alert-central.com.

Below, are the Alert Response Workflows that can be used by your company’s technicians and your

clients to assign and process Investigate Alert and Ignore Alert Action Requests.

Workflow Used to Automatically Create a Ticket from an Alert

In this use case, Detector SDS Alerts that are generated will automatically create Tickets in the

Ticketing/PSA System that is configured to operate with the Network Detective Site that is used to

manage your Detector Appliance.

To learn more about how to create a Ticketing/PSA System “Connection” to your ticketing system and to

“Map” your Network Detective Site used to manage your Detector to automatically create tickets,

please refer to section Appendix E – Set Up and Assign a Ticketing/PSA System Integration to a Site

Using Detector SDS.

After a Daily Alert triggers a Ticket to be automatically generated, the Alert will be placed into the ND

Portal Alert Queue. This Alert will be assigned the Status of Ticket indicating that a ticket was created

on your company’s Ticketing/PSA system when the Alert was generated by the Detector Appliance.

https://alerts.alert-central.com/


25

Workflow Used to Process Security Policy Violation Alert Investigation Requests

Step 1 – Tech Alert Recipient Email Group member receives a Tech Alert Notification Email requesting

an Alert’s investigation.

Review the Tech Alert Notification Email and

select the link within individual Alert item to

access the ND Portal To Do list item related to

the Alert.

The ND Portal Login Page will be displayed.

Step 2 – Log into the ND Portal to view the Investigate Action Request To Do Item

Log into the ND Portal using your Network

Detective login credentials.

After login is successful, the Investigate

Request contained within the Pending To Do

list will be opened in the Portal automatically.

Step 3 –Review the Alert details.

In the Alert’s To Do item, details are

displayed.

Select the symbol to the right of the

Alert’s Additional Information and

History section headings to review any

additional details concerning the Alert.


26

Step 4 – Select one or more Actions to be performed in response to the Alert’s Investigation Request

Respond to the Alert incident and

Investigate Request using these steps:

a. Select the computers, users, or

other “items” referenced within

the Investigate Request.

b. Select the Action(s) that will be

assigned to the request. In this

case, the Actions available for

assignment may include:

• Remove or add Detector

Smart-Tags to computers, users, or other items

• Create a Ticket in the Ticketing System you have Mapped to the Site.

• Assign an Ignore Rule to the Alert by selecting the “Do not send this alert for the

selected items again (ignore completely)”.

• Cancel the entire request.

Note: The user can perform both

the remove/add Smart-Tag

Action along with creating a

Ticket Action simultaneously

when processing the Alert’s To

Do item.

c. Select the Submit button to

complete the processing of the Investigate Request To Do item.

Step 5 – After selecting the Completed To Do item’s Submit button, a Confirm Batch Action window

may be displayed.

This window is displayed in cases where you are

processing an Alert that has one or more

“Related Alerts”.

Related Alerts are essentially alerts that

have been duplicated on a day by day basis

as a result of a recurring Security Policy

violation.

Select the Confirm button to complete the To Do item and close any Related Alerts.


27

Step 6 – A Confirmation of your submission will be

displayed.

Step 7 – The completed To Do item’s Alert will be

moved into the Alerts Queue contained within

the ND Portal with a Status assigned as

Complete.

Step 8 - Log out of the ND Portal.

Workflow Used by an End User to Request an Investigation of an Alert

An End User should follow the steps below to create Investigate Alert Requests and To Do items in the

ND Portal for your technicians to process.

Step 1 - The End User will receive a Security Policy

Violation Notification Email message

containing an Alert from the Detector

Appliance.

This Email contains the Alert and presents a

question to the End User asking if your

company should Investigate the Alert issue.

Step 2 - To initiate the Investigate Alert Request, the

End User should select the Yes option.

Selecting the Yes option in the email message

starts an Internet browser session that will

access the ND Portal and display a page to be

used by the End User to create an Investigate

Request.


28

Step 3 - Complete the Request Investigation page by

adding a note and select the Request

Investigation button.

Step 4 - The “OK, your request has been submitted”

message displayed by the Portal indicates that

your Investigate Request has been submitted to

the ND Portal To Do item list.

Step 5 - An Investigate Request email is sent to the

technicians assigned to service the End User’s

network to notify them that an Investigate

Request To Do item is pending.


29

Workflow Used by an End User to Request that an Alert be Ignored

An End User should follow the steps below to create Ignore Alert Requests and To Do items in the ND

Portal for your technicians to process.

Step 1 - The End User will receive a Security Policy

Violation Notification Email message containing

an Alert from the Detector Appliance.

This Email contains the Alert and presents a

question to the End User asking if your company

should Investigate the Alert issue.

Step 2 - To initiate the Ignore Alert Request, the End User

should select the “No” option.

Selecting the No option in the email message

starts an Internet browser session that will access

the ND Portal and display a page to be used by the

End User to create an Ignore Request.

Step 3 - Complete the Request Ignore page by adding a

note and select the Request Ignore button.

Step 4 - The “OK, your request has been submitted”

message displayed by the Portal indicates that

your Ignore Request has been submitted to the

ND Portal To Do item list.


30

Step 5 - An Ignore Request email is sent to the

technicians assigned to service the End User’s

network to notify them that an Ignore Request

To Do item is pending.

Workflow Steps to Process an Alert Ignore Request Sent to MSP Technicians by an End User

The Detector SDS Email End User Action feature can be

used to configure the Detector to send certain Alerts for

specific Security Policies to End Users.

For more information about this feature please reference

to the End User Alerts section of this Guide.

End Users can submit Ignore Action Requests to your

technicians.

To submit an Ignore Action Request, the End User would

select the “No” option contained within any Daily Alert

Notification Email.

After the End User select the “No” option, the End User

will be directed to access the ND Portal via an Internet

Web Browser. The ND Portal will present to the End User

the Daily Alert Ignore Request page. The End User will use

this page to issue the Ignore Action Request via the Portal.

After the End User issues the Ignore Action Request, your

technicians will receive an Ignore Request Notification

email.


31

Responding to Ignore Request Notification Emails

Ignore Action Requests are used to direct your technicians to configure and apply an Ignore Rule to an

Alert. The applied Alert Ignore Rule is intended to eliminate a False Positive.

To enable a Recipient of an Ignore Action Request Notification email to process an Ignore Request, the

Recipient of the Ignore Request email will follow these steps:

Step 1 – Tech Alert Recipient Email Group member

receives an Ignore Request Notification Email

requesting that an Ignore Rule be assigned to an

Alert.

Step 2 – The Alert Recipient reviews the Ignore Request

Notification Email and selects the link within

individual Alert item to access the To Do list in

the ND Portal.

The ND Portal Login Page will be displayed.

Step 3 – Log into the ND Portal to view the Ignore

Request To Do item.

Log into the ND Portal using your Network

Detective login credentials.

After login is successful, the Ignore Request

contained within the Pending To Do list will be

opened in the Portal automatically.

Step 4 – Review the Alert’s Ignore Request details.

In the Alert’s To Do item, details are

displayed.

Select the symbol to the right of the

Alert’s.

Additional Information and History section headings to review any additional details concerning

the Alert.


32

Step 5 – Select one or more Actions to be performed in response to the Ignore Request

Respond to the Alert incident and Ignore

Request using these steps:

a. Select the computers, users, or

other “items” referenced within

the Ignore Request.

b. Select the Action(s) that will be

assigned to the request. In this

case, the Ignore Actions available

for assignment may

include:

• Remove or add Detector Smart-Tags to computers, users, or other items.

• Assign an Ignore Rule to the Alert by selecting the “Do not send this alert for the

selected items again (ignore completely)”.

• Create a Ticket in the Ticketing System you have Mapped to the Site.

• Cancel the entire request by selecting no Actions and selecting the Mark Complete

button.

Note: The user can perform

both the remove/add Smart-

Tag Action along with

creating an Ignore Rule or

any other Action

simultaneously when

processing the Alert’s To Do

item.

c. Select the Submit button to complete the processing of the Ignore Request To Do item.

Step 6 – After selecting the Completed To Do item’s

Submit button, a Confirm Batch Action window

may be displayed.

This window is displayed in cases where you are

processing an Alert that has one or more “Related

Alerts”.

Related Alerts are essentially alerts that have

been duplicated on a day by day basis as a result

of a recurring Security Policy violation.


33

Select the Confirm button to complete the To Do item and close any Related Alerts.

Step 7 – A Confirmation of your submission will be

displayed.

Step 8 – The completed To Do item’s Alert will be moved

into the Alerts Queue contained within the ND

Portal with a Status assigned as Complete.

Step 9 - Log out of the ND Portal.


34

Using the ND Portal to View and Process To Do Items and Alerts.

Below is a general overview of the ND Portal’s To Do list functionality used to process To Do items

created by Detector SDS and by End Users that submit Investigate Alert Requests and Ignore Alert

Requests.

Accessing and Logging into the ND Portal

To access your ND Portal account, visit https://alerts.alert-

central.com and log into the ND Portal using your

Network Detective login credentials.

After login is successful, the Pending To Do list screen will

be opened in the Portal automatically by default.

Using the ND Portal To Do List

The Pending To Do items List as displayed in the ND Portal as the Portal’s default Home page.




35

From the To Do item page you may select:

• a Site from the All Sites List to filter the To Do list view to a specific Site’s list

• the Alerts tab to view the Alerts Queue

• the Audit Log to view logged events related to the creation, processing, and completion of

Alerts and related To Do items

• the Settings option to access the ND Portal custom Branding features and Ticketing/PSA system

integration feature

Accessing the ND Portal to Use the Alert Queue List

To access your ND Portal account, visit https://alerts.alert-

central.com and log into the ND Portal using your

Network Detective login credentials.

After login is successful, the Pending To Do list screen will

be opened in the Portal automatically by default.

Using the ND Portal Alert Queue

All Alerts generated as a result of Security Policy violations are by the Detector are placed into the ND

Portal’s Alert Queue.

To view the Alert Queue, select the Alerts tab and the Alerts Queue will be displayed in the ND Portal.




36

Each Alert’s entry in the Queue presents the Alert’s Status, the Date the Alert was generated, which Site

it is associated with and the Message that was generated as part of the Alert’s creation.

Alert Item Statuses

For each Alert in the Alert Queue, a Status is assigned.

These statuses are:

New - this status is set for Alerts that are generated for network security violations that

do not have a Security Policy associated with a specific Alert type in the Detector

Settings

To Do – this status indicates that the Alert is associated with an open To Do item

End User – this status is assigned to an Alert when the Daily Alert notification has been

sent to an Alert Notification Email recipient in your Client’s company requesting the

recipients input on how your technical team should respond to the Alert

Complete – this status indicates that an Alert associated with a To Do item has been

processed and closed

Ticket - this status indicates that an Alert’s notification rule was set to automatically

generate a Ticket in the Ticketing/PSA system configured to operate with the Detector

SDS system and a specific Network Detective Site used to manage a Detector

Filtering the Alert Queue to View Alerts by Status

1. Select the Alerts view.

2. Select the Status for the types of Alerts

that you want to be displayed in the

Alerts Queue.


37

3. The Alert Queue list will be updated to

display Alert items that are assigned the

Status you selected.

Creating To Do Items from Alerts Listed in the Alert Queue

To Do items can be created for Alerts that have been assigned a Status of either “New” or “Ticket” to

the Alert when the Alert is viewed in the Alert Queue.

Follow the steps below to create a To Do item from an Alert located in the Alert Queue:

1. Select the Alerts view to access the Alert Queue.

2. Filter the Alerts to view Alert items that have

been assigned a Status of either “New” or

“Ticket”.

3. Select a specific Alert to view the Alert’s details.


38

4. The Alert’s Details window will be displayed.

5. To transform the Alert into a To Do item or

generate a Ticket from the Alert, select either the

Create To Do or the Create Ticket option.

Or, you can select the Alerts view to return to

the Alerts Queue.

If you select the Create To Do option, the To Do

item will be added to the To Do list, and the Alert’s To Do item page will be automatically

displayed.

If you select the Create Ticket option, then a Ticket will be created in the Ticketing/PSA system

that is Mapped to the Detector Site as defined in the ND Portal Settings.

Reverting Completed Alerts Back to the To Do Item List

To move a Completed Alert back to the To Do list for further reinvestigation and Alert Response Action

processing you may “Revert” the Completed Alert.

Follow these steps to Revert a Completed Alert item back to the To Do list:

1. Select the Alerts view.

2. To view an Alert’s details, click on a Completed

Alert item to open the Alert details page.


39

3. The Alert’s details page is displayed

4. Select the Revert button to create a To Do item

for the selected Alert.

5. The To Do item will be added to the To Do list,

and the Alert’s To Do item page will be

automatically displayed.

6. Process the Alert’s To Do item as by select the

Actions to apply to the Alert and Submit to

Complete the item.


40

End User Security Policy Violation Alert Notifications

This purpose of the End User Notifications feature is to

notify individuals within your client’s company about

Security Policy Violations via selected Detector Alerts.

In cases where your technicians will require guidance

from your client as to how your technicians should to

respond to a particular Security Policy Violation Alert,

you can configure Detector SDS to send End User Alert

Notifications directly to email recipients in your client’s

company.

Upon your client’s receipt of an Alert, your client can

assign To Do items to your technicians. The To Do items

may request that your technicians:

• Investigate the Alert

• Assign an Ignore Rule to a specific Alert to

address False Positives

End User Alerts are configured and controlled by a Notification Rule assigned to a specific Security

Policy. Notification Rules are configured either through the use of the Notification Rules setup or the

Policy Configuration features located within the Detector Settings window.

Setting Up End User Alert Notifications

Follow these steps to assign an Action to a Security Policy to enable Security Policy Violation Alerts to

be sent to an End User when a Policy violation is detected.

1. In the main Detector Settings window, minimize

the main Detector Settings section of the window

by selecting the control.


41

2. Next, minimize the Weekly Notification settings

section of the Window by selecting the

control.

The Notification Rules section of the window will

be maximized.

3. In order to assign the End User Action to a

Security Policy you will need to either have an

existing End User Email Group, or you can create

and End User Email Group by selecting the Email

Group button.

4. Enter the name of the Email Group to be

assigned to your client’s company, set the Email

Group Type of End User, and enter in the email

addresses for the client company ‘s recipients of

Security Policy Violation Alert Notification

Emails.

5. Select the Ok button to save the Email Group’s

settings.

6. Next, for the Security Policies where the Alerts

are to be sent to one or more End Users at your

client’s company set the Action to be Email End

User.


42

7. Then select and assign the Group Name to the

policy selecting an End User Email Group that

you previously configured.

For each Security Policy where you want Daily

Alerts sent to your client, assign the Email End

User Action. Select the End User Group you

created that contains your client company’s Alert

Recipients.

8. To save the updated Notification Rules, exit the

Detector Settings window by selecting the Home

icon.


43

Provisioning Additional Detector Appliances for Deployment

With Detector SDS, you have the ability to self-provision and deploy an unlimited number of Detector

Appliances.

Follow these steps to provision a Detector Appliance:

1. Run Network Detective and login with your credentials.

2. Select the Appliance icon on the ribbon bar.

The Appliances window will be displayed.

3. Select the Provision Detector button to begin the Detector provisioning process.

The Provision Detector window will be displayed.

4. Select the number of Detectors you want to activate

and select the OK button to continue.

5. The Detector Provisioned window will be

displayed to indicate that the Detector(s) have

been provisioned for use.

Select the OK button to view the newly

provisioned Detector in the Appliances window.

6. The newly provisioned Detector will be displayed

in the Appliances window and provisioned as Not

Activated.

7. To complete the Detector Activation process, go to www.rapidfiretools.com/nd and download

and install the Network Detective Virtual Appliance on a Hyper-V or VMware enabled computer

operating within your client’s network. For more information about installing the Virtual

Appliance, please download the Virtual Appliance Installation Guide.


http://www.rapidfiretools.com/nd/Virtual_Appliance_Installation_Guide.pdf


44

Provisioning Additional Detector Legacy Appliances for Deployment

With Detector SDS, you have the ability to self-provision and deploy an unlimited number of Detector

Appliances.

Note that this workflow is currently in the process of being phased out in favor of new functionality. See

Provisioning Additional Detector Appliances for Deployment for instructions on the new workflow.

Follow these steps to provision a Detector Appliance:


2. Select the Appliance icon on the ribbon bar.

The Appliances window will be displayed.

3. Select the Provision Legacy Detector button to begin the Detector provisioning process.

The Provision Legacy Detector window will be

displayed.

4. Select the number of Detectors you want to

activate, select the Authorization check

box, and select the OK button to continue.

5. The Detector Provisioned window will be

displayed to indicate that the Detector(s) have

been provisioned for use.

Select the OK button to view the newly

provisioned Detector in the Appliances window.

6. The newly provisioned Detector will be displayed

in the Appliances window and provisioned as Not

Activated.

7. To complete the Detector Activation process, go to www.rapidfiretools.com/nd and download

and install the Network Detective Virtual Appliance on a Hyper-V or VMware enabled computer



45

operating within your client’s network. For more information about installing the Virtual

Appliance, please download the Virtual Appliance Installation Guide.

Managing and Deleting “Ignore” Alert Rules

With Detector SDS, you have the ability to select Alerts that you can “Ignore” through the use of the ND

Portal’s Ignore Alert process as a method to minimize Detector alerting on ACT false positives.

In order to view and delete Ignore Alert Rules assigned to a particular alert for a Site associated with

your Detector Appliance, you can use the View Ignored Alerts feature.

Follow these steps to view and delete Detector Alert ignore rules:


2. Open your Site associated with your Detector and view the Detector Settings.

3. Select the View Ignored Alerts button located

on the Daily Alerts bar in the Detector Settings

window.

The Ignored Alerts window will be displayed.

4. Select the X icon next to the Ignore Alert rule

that you would like to delete.

Selected Ignore Alert rules will be grayed out

indicating that these rules will be deleted after

the Alert Rule settings are saved.

http://www.rapidfiretools.com/nd/Virtual_Appliance_Installation_Guide.pdf


46

5. After selecting the Ignore Alert rules that you

want to delete, select the Save & Close button

in the Ignored Alerts window.

Setting up Automatic Report Generation Using the Reporter Appliance The Reporter Appliance can be used with Detector to set up and perform the automatic report generation of Network Assessment and Security Assessment reports. To learn more about how to install and use the Reporter Appliance, please visit www.rapidfiretools.com/nd and download the Reporter Quick Reference guide. To set up a Reporter to work with the Network Detective Site used to manage a Detector installed on your client’s network, please follow these steps. First, you will need to set up a Connector to operate with the Site. Then, you will be required to Associate a Reporter with the Site.

Step 1 – Set up a Connector for the Site

1. Login to Network Detective.

2. Open the Network Detective Site used with your Detector.



Preferences and verify that your Detector is Associated with this Site.

4. Select the Connectors button to add a

Connector to the Site. The Connectors

list window will be displayed.

This Connector is required to enable the

Detector to transport its scan files to the

RapidFire Tools Secure Storage Area for

access by the Reporter during the

scheduled report generation time.



47

5. Select the Add Connectors button to

display the Add Connector window.

Assign a Connector Label that specifically

references the name of the Site that is

going to be using the Connector. Next

select the OK button to finish adding the

Connector to the Site.

Step 2 – Associate a Reporter with the Site



Preferences.

2. Next, select the Add Appliance button.

The Add Appliance window will be

displayed.

3. Select the Appliance ID of the Reporter

Appliance from the drop down menu.

Note: When users have purchased a

Small Form Factor Server Computer, the

Appliance ID can be found on a printed

label on the Small Form Factor Server

Computer itself.

After selecting the Appliance ID, select

the OK button to continue.

4. After successfully adding a Reporter to

the Site, its Appliance ID will appear

under the Appliance bar in the Site

Preferences window. The status of the

Appliance will be indicated as Active.


48

Step 3 – Set the Detector Scan to Upload the Scan Data to Reporter

1. Open the Detector Settings.

2. Select the Scan Configuration button.

3. In the Scan Configuration Wizard window, select the option “Upload finished scan to Reporter”.

4. Select the Finish button to save your updated Detector scan settings.

Step 4 – Set up Reporter to Automatically Generate Reports

When your company subscribes to the Network Assessment and/or Security Assessment Modules from RapidFire Tools, Detector SDS can be used to schedule the automatic generation of Network and/or Security Assessment reports. To configure the automatic generation of Network and Security Assessment reports by Reporter for your Detector Appliance, please refer to the Reporter User Guide at www.rapidfiretools.com/nd .



49

Appendix A - Sample Daily Alerts and Weekly Notices Below are samples of email messages that present a Tech Alert and End User Alert Notifications and a Weekly Notice.

Sample Tech Alert

Sample End User Alert


50

Sample Weekly Notice


51

Appendix B – Set Up of Smart-Tags

1. Select the Smart-Tags link to open the Smart-

Tags window.

2. Compare the list of Recommended and Available

Smart-Tags displayed in the Smart-Tags window

with those you previously noted were associated

with the Security Policies you selected during

Step 7.

Note: Some Smart-Tags have a Red Corner

marker in the tag’s icon. These marked Smart-

Tags represent tags that must be set up to enable

alerts to be sent for the specific Security Policies

you selected in Step 7.

3. Double-click on a Smart-Tag to open the Tag.

Depending on the requirements for the Smart-

Tag you are configuring, select or enter in the

Computers, Users, SSIDs, Printers, or IP

Addresses that are required to configure the

specific tag.

4. Select Save & Close button to save the Smart-Tag’s configuration. The configured tag will be

listed in the Applied Tags list.

5. Configure the remaining Smart-Tags associated with Policies you selected back in Step 7.

6. After you have configured the Smart-Tags, select

the Configure link to return to the Detector

Settings window.


52

Assigning Smart Tags to Change Events that Refine Alerts and Notices

Detector incorporates a proprietary feature named “Smart Tags”. The Smart Tags feature allows you to

fine-tune the Detector to adapt to each client’s unique IT environment to detect network Anomalies,

Changes, and Threats (ACT).

Smart Tags allow you to enrich the detection system by adding information about specific users, assets,

and settings that helps Detector get “smarter” about what it is finding. That means more potential

threats identified with fewer “false positives.”

Here is an example of some of the Smart Tags available for use:

Tag Applied To For What? Why?

ACCOUNTING COMPUTER Computer Computers that can either access or are running accounting systems

Identifies when non-accounting users attempt to access these computers

ACCOUNTING USER User These users should have access to accounting systems

Identifies who should have access to accounting systems

AUTHORIZED PRINTER Printer Printers that are allowed on the network

Helps identify which computers are allowed to be published on the network

AUTHORIZED SSID SSID Indicates which wireless networks that computers on the network may connect to for network access

Allows identification of wireless networks that are safe to connect to

BUSINESS OWNER User Business owners typically have more sensitive information on their systems

Helps associated business owners with their computers

BUSINESS OWNER PC Computer Computers used by business owners

Raises the computer’s security significance

DMZ COMPUTER Computer Computers in the DMZ typically bridge the public Internet and private internal network

Because these computers are exposed to the outside network, their security becomes more significant

GUEST NETWORK IP Range IP ranges that are reserved for guest networks.

Network changes from this range typically do not indicate a security concern.


53


GUEST WIRELESS NETWORK IP Range IP ranges that are reserved for guest networks.

Network changes from this range typically do not indicate a security concern.

HIPAA/ePHI AUTHORIZED USER

User These users are allowed to access computers containing ePHI.

Indicates which users can access computers with ePHI.

HIPAA/ePHI COMPUTER Computer Computers that contain ePHI.

Allows identification of unauthorized access to a system with ePHI.

IT ADMIN User IT Administrators typically have more access to network resources than the typical user

Identifies who should have this elevated level of access

LOCKED DOWN Computer Locked down computers are highly controlled systems where changes are limited

Changes to locked down computers are more significant than other computers

LOCKED DOWN DNS Network Tag a network to detect DNS changes on

Any changes in DNS for the specified subnet will trigger this alert. It is used in environments where you are certain there should be no DNS changes.

NO DIRECT INTERNET ACCESS Computer Computers that should have no direct Internet access (web or otherwise)

Allows identification of changes that might inadvertently grant Internet access

PCI/CDE AUTHORIZED USER User These users are allowed to access computers in the Cardholder Data Environment (CDE)

Indicates which users can access the CDE

PCI/CDE COMPUTER Computer Computers that are a part of the Cardholder Data Environment (CDE)

Allows identification of unauthorized access to the CDE

RESTRICTED IT ADMIN ONLY Computer Some computers (typically servers) should only be access directly by IT Administrators

Allows alerting when access occurs by non-IT Admin users


54


RESTRICTED NETWORK IP Range Restricted networks are defined as networks where the appearance of new devices is very rare

Tagging an IP range as a restricted network indicates changes are more significant

SENSITIVE COMPUTER Computer Tag a computer that contains sensitive information

This represents a computer that has sensitive information on it

SENSITIVE USER User Tag a user that works on sensitive information

This represents a user that works on sensitive information

SINGLE DESKTOP USER User Users that have dedicated desktop and should never log into other systems directly

Enhances detection of anomalies by identifying which users have been assigned a computer

VIRTUAL MACHINE Computer Computers that are not physical devices

Distinguishing between physical and virtual computers help determine what changes are considered abnormal

AUTHORIZED PRINTER Printer Printers that are allowed on the network

Helps identify which printers are allowed to be published on the network

TRANSIENT PRINTER Printer Transient printers are routinely put on and taken off the network

Allows for the removal of false positives related to inactivity and theft


55

Examples of Smart Tag Use

Here are some examples of how you might use the Smart Tags to fine-tune Detector’s alerts for a

particular client:

Restricted Computer Access Detection

Within Detector, you can tag a particular computer as being “RESTRICTED IT ADMIN ONLY”. Then,

when any user logs into the network that has not been tagged “IT ADMIN”, Detector will send an alert.

Changes to Locked Down Computer Detection

Within Detector, you can tag a particular computer as “Locked Down” (meaning, do not allow changes

to this computer). If someone manages to install an application on this machine, then Detector will

detect that the application was installed and send an Alert. In this way, tagging can remove false

positives and increases the relevance of alerts.

Wireless Network Availability Detection

Within Detector, you can tag a specific wireless network as a “GUEST WIRELESS NETWORK” telling

Detector it does not need to worry about new devices appearing on it. But if a new device shows up on

any non-guest network, then the appearance is significant and Detector will send you an alert so you can

determine if it is worth looking into.

Using Smart Tags

You can select, configure, or modify, your Smart Tags at any time. That allows you to see what kind of

alerts Detector is sending you and create the tags you want to use to “tweak” the Detector system.

The use of Smart Tags improves the detection of Anomalies, Changes, and Threats (ACT) by providing

additional “knowledge” of the network environment to the Detector. Once the Detector has scanned

your network for the first time, you can explore the data and assign Smart Tags to entries like

computers and users.

The use of the Smart Tags feature presumes that the Level 1 (Daily) Scan and/or Level 2 (Weekly) Scan

types available on the Detector Appliance have been configured and performed.

Warning Concerning the Removal of a Detector Appliance from a Site

When a Detector has been Associated with a Site and the Scan Schedule, Alert Schedule, Alert

Recipients, and Smart Tags settings have been defined, if the Detector is ever Associated with a

different Site, the original Site’s Detector settings will be automatically deleted.

Backing Up Smart Tags for Reuse

You have the ability to Export the Smart Tags associated with a Network Detective Site file that is

Associated with Detector. If you wish to save the assigned Smart Tags contained within the existing Site

that is Associated with Detector for later use with a new Site, then use the Smart Tags Export and


56

Import options described in Appendix C – Saving and Reusing Smart Tags through Export and Import

found on page 51.

Adding and Configuring Smart Tags

To assign and configure Smart Tags to enable Detector to recognize any Anomalies, Changes and

Threats (ACT) that trigger Daily Alerts or Weekly Notice alerts, perform the following steps.

Step 1 – Select the Site

Double click your mouse pointer on the Site that you

are configuring automated scan, alerts, and reports

to be performed upon in order to view and access

the Site.

Step 2 – Select Manage Detector Appliance and Access the Detector

Settings

After the Site has been opened, select the Detector icon located within the

Site bar.

The Detector Settings window will be displayed.


57

Step 3 – Access Smart Tags and Verify that Scan Data has been Downloaded

Select the Smart Tags link within the Detector’s

Settings window.

If no scans have been performed by the Detector,

the following message will be presented by Network

Detective.

After scans have been performed, select the Smart

Tags link and download the scan as instructed.

Once the scans have been downloaded, the

completion of the process will be confirmed by the

presentation of the Smart Tags options consisting of

Applied Tags, Recommended Tags, and Available

Tags as presented to the right.

Once the Smart Tags are “Up to Date”, you can

access, view, and use the settings for Applied Tags,

Recommended Tags, and Available Tags.

Also note: When starting a Site using the Detector,

then attempting to view or update the Smart Tags

configuration, you may be prompted to update the

scan data with the latest scan per a notice as

presented to the right.

Depending on the number of changes in Users and Computers on your client’s network, you may wish

download the updated scan to ensure the latest User identity and Computer information is available for

use when setting Smart Tag configurations.


58

Step 4 – Select and Apply Recommended Tags

1. To add a Smart Tag from the Recommended

Tags list, select the Recommended Tags

option by selecting the selector on the

Recommended Tags bar.

The Recommended Tags window will be

displayed.

2. Next, select the Smart Tag that you would like to configure and apply.

For example, select the IT Admin tag by

double-clicking on the IT Admin User Smart

Tag Icon.

This action will display the Tag Explorer

window for this Smart Tag.

Within the Tag Explorer window, instructions

are presented that detail:

• what the Tag is to be “Applied To” (i.e. users or computers)

• the “For What” purpose the Tag can be used

• the “Why” reason to use the Tag

Note: There are a number of Smart Tags that should be used as logical “pairs”. For example, the

IT Admin User tag should be used with the Restricted IT Admin Computer Only tag. Using this

pair of Smart Tags will enable you to define all of the IT Admin users, and the computer

endpoints that are to be only accessible by IT Admin users. Alerts will be generated when non-IT

Admin users access the computers designated as Restricted IT Admin Computers Only.


59

3. Next, define which network Users are IT

Admin Users by selecting the Users that

should be designated as IT Administrators in

the Tag Explorer window presented for the IT

Admin Users tag.

To specify the IT Admin Users, select the

Check Box next to Users that should be

designated as IT Admin Users from the list

presented in the Tag Explorer window.

4. Next, select the Save & Close button to save the Smart Tag settings for the IT Admin User Smart

Tag.

When the IT Admin Tag is configured and

Applied, the IT Admin Tag will be available

for updating in the Applied Tags section of

the Smart Tags options window.

Step 5 – View Applied Tags

To view the Smart Tags that have been

Applied from the Applied Tags list, select the

Applied Tags option by selecting the

selector on the Applied Tags bar.

The Smart Tags that have been applied to the

Detector configuration for the Site will be

listed in the Applied Tags window as seen

below.

You can double click on the Smart Tag to view the tag’s settings.


60

Step 6 – Select and Apply Additional Smart Tags from the Available Tags Window

1. To add a Smart Tag from the Available Tags

list, select the Available Tags option by

selecting the selector on the Available

Tags bar.

The Smart Tags available for use will be

displayed.

2. Double click on the Smart Tag that you want

to use and the Tag Explorer window for the

selected tag will open. Configure the Tag by

selecting the Users or Computers listed in the

Tag Explorer window that you want to

designate as being “Tagged” within the Tag

as displayed below.

3. Next, select the Save & Close button to save the Smart Tag settings for the selected Smart Tag.

When the Tag you selected is configured and Applied, the Tag will be available for updating in

the Applied Tags section of the Smart Tags options window.

4. Verify that the Tag you configured and Applied is in the Applied Tags window.

To view the Smart Tags that have been

Applied from the Applied Tags list, select the

Applied Tags option by selecting the

selector on the Applied Tags bar.


61

The Applied Tags will be displayed to enable

you to confirm that the Smart Tag you

selected and configured has been Applied.

Deleting Smart Tags

Use the following steps to delete a Smart Tag

Step 1 – Open the Applied Tags Window and Select the Tag for Deletion

To access the Smart Tags that have been Applied

from the Applied Tags list, select the Applied Tags

option by selecting the selector on the Applied

Tags bar.

The Applied Tags window will be displayed.

Step 2 – Select the Tag and Delete

Right click the mouse pointer on the tag to be

deleted. A Remove Tag menu option will be

presented.

Select the Remove Tag menu option and the tag will

be deleted and removed from the Applied Tags

window.


62

Appendix C – Saving and Reusing Smart Tags through Export and Import

Before associating a new Network Detective Site file to a

Detector that has already been configured for use with

another Site to detect Anomalies, Changes, and Threats

(ACT) on a network, you may want to Export and reuse

the original site’s Smart Tag settings.

The use of the Export Smart-Tags feature must be done

before associating a new Site with your Detector if the

Detector is to be used to detect ACT events on the same

network.

Once a Detector and its associated Site have been configured to operate with a given network, switching

the Site file to be used with your Detector will trigger a deletion of the Smart Tag settings associated

with the original Site used to configure and apply the Smart Tag settings to your Detector.

If there is a requirement to save the Smart Tags from the current Site’s Detector configuration for reuse

in a different Site associated with your Detector that is to be connected to the same network as the

original Site was used, you must use the Smart Tags Export and Import options to save and reuse the

tags for later use in your new Site file used to set up the Detector’s configuration.

Steps to Export and Save Smart Tags for Later Use


After starting Network Detective, double click your

mouse pointer on the Site that you are configuring the

automated scan and alerts to be performed upon in

order to view and access the Site’s Settings.

Step 2 – Select Manage Detector Appliance and Access the Detector Settings

After the Site has been opened, select the Detector icon located within the Site bar.



63

Step 3 – Access Smart Tags and Verify that Scan Data

has been Downloaded

Select the Smart Tags link within the Detector’s Settings

window.

Step 4 – Export Smart Tags

Select the Export option to export the Smart Tags

configuration.

Your will be prompted to save the Smart Tags export file

in a location of your choice.

Select the folder you want to save the Smart Tags

Configuration file in, name the file, and select the Save

button to export the file.


64

Steps to Import Smart Tags for into your Site for Use with Detector


Double click your mouse pointer on the Site that you are

configuring automated scan, alerts, and reports to be

performed upon in order to view and access the Site.

Step 2 – Select Manage Detector Appliance and Access the Detector Settings

After the Site has been opened, select the Detector icon located within the

Site bar.



65

Step 3 – Access Smart Tags and Verify that Scan Data has been Downloaded

Select the Smart Tags link within the Detector’s Settings

window.

Step 4 –Import a Smart Tags Configuration File

Select the Import option to import a Smart Tags

configuration file.

A prompt will be presented requesting verification from

you in order to continue the Import of the Smart Tags

Configuration File.

Select the Yes button to continue.

The Import Detector Smart Tag Configuration window

will be displayed.

Select the Smart Tag Configuration File name and select

the Open button to perform the Smart Tag Import

process.


66

Appendix D – Using the Service Plan Creator

The purpose of this appendix is to provide an overview and specific steps required to use the Network

Detective Service Plan Creator.

Other supplementary guides to be referenced along with this guide include, the Detector SDS Quick

Reference Guide and Detector Quick Start Guide. These guides are available at

www.rapidfiretools.com/nd.

Service Plan Creator Use Cases

There are four use cases for the Service Plan Creator:

• Create Service Plans that are used to offer and deliver one-time Assessment Services

• Create Service Plans that leverage the Network Detective Detector to deliver an on-going

Security Policy-based Service Offering to your customers using the Detector Appliance

• Create Service Catalogs used to produce a Service Catalog document in Word format. The

purpose of the Service Catalog document is to enable you to produce marketing literature, sales

proposals, and service agreements. The Service Catalog document presents:

o a Service Plan Matrix of the plans you are proposing to a prospective client or customer

o descriptions of the Security Policies and Procedures associated with each Service Plan

o a list of reports deliverables for each of the proposed plans

• Generate a stand-alone Service Plan Matrix document in Word format summarizing the Service

Plans you created

The next section outlines the steps necessary to create Service Plans and Catalogs.



67

Creating Service Plans and Service Catalogs

To create a new Service Plan, follow these steps:

Step 1 – Create a New Service Plan

4. After successfully deploying Detector, visit www.rapidfiretools.com/nd to download and install

the latest version of the Network Detective Application. Then run Network Detective and login

with your credentials.

5. Select the Service Plans icon.

6. Select Create New Service Plan.

7. Enter the name for your Service Plan.

Select Ok to generate the basic Service Plan

template.

Your Service Plan template will be displayed

within the Manage Plans window.

Note that the default Service Plan template

does not have any Network Detective Sites,

Security Policies, or Scheduled Reports

specified.

Before assigning the Service Plan to a Network Detective Site that is associated with a Detector,

you will need to specify the Service Plan’s Policies and Scheduled Reports requirements.



68

Step 2 – Assign Security Policies to Your Service Plan

1. Select the Edit Service Plan option to add the

Security Policy assignments to the newly

created plan.

.

2. Select the Security Policies tab and select the

policies that you want to assign to your

Service Plan.

3. As you select the Policies, be sure to

familiarize yourself with the Smart Tags

descriptions presented.

For each Security Policy that requires a

Smart Tag set up to be performed, the Tags

associated with a given security policy will

need to be configured to fully enable the

Detector’s Security Policy Violation

detection.

4. After completing the selection of the Policies

that you want associated with your Service

Plan, select the Save button before you

proceed to the next step.


69

Step 3 – Defining Reports Deliverables to be Included in the Service Plan

You have the ability to include references to one or more Network Assessment and Security

Assessment Reports to be included as a part of your Service Plan deliverables to your customer.

The Reports you select to be included in the Service Plan deliverables will be referenced in three places

within Network Detective:

• the Service Plan Scheduled Reports window

• the Service Catalog* document generated by Network Detective

• the Service Plan Matrix document generated by Network Detective

*Note: The Service Catalog document will enable you to present an overview of your company’s Service

Plan(s) to your clients.

Follow these steps to define the Reports deliverables for your Service Plan.

1. Select the Scheduled Reports tab to plan and

document the Scheduled Report runs

associated with a given Service Plan.

2. Select the Schedule Report button to define

the Reports that should be part of the

Service Plan you are creating.

You can define which Reports should be

generated by Detector and at which Intervals

(daily, weekly, monthly, etc.) the reports are

to be generated.

3. Select from the Network and Security

Reports listed in the Schedule Reports

Wizard window, and select the Next button.

4. Using the Every list control, select the

frequency from the choices available (i.e.

day, week, month, year, or once). Select the

Finish button once your selections are

complete.


70

After you have selected the Reports that are a part of the Service Plan, and have assigned

the frequency of Report generation, these reports will be listed in the Scheduled Reports

window.

When a Service Plan has been assigned to a

Network Detective Site used with a

Detector, you can use the Reporter

Appliance to schedule the actual automatic

Report generation tasks to generate the

reports deliverables for your service plans.

Note: When selecting a particular Report, or a group of Reports to be included in a Service Plan,

you will need to define how frequently that the Reports are to be generated by your team as

part of delivering your company’s security service associated with the Service Plan.

5. Select the Save button to save your Service

Plan Reports selections and configurations.

6. Select the Manage Plans options to view a

summary of your new Service Plan.

The Manage Plans window will list your

newly created Service Plan and present the

details associated with the plan.

The details include the number of:

• Network Detective Sites that use the

plan

• Security Policies assigned to the plan

itself

• Reports that are to be generated and

delivered to the customer as part of a

particular Service Plan


71

Step 4 – Creating a Service Catalog


2. Select the Manage Catalogs Icon.

All of the available Service Catalogs will be

available within the Catalog Name drop

down list found within the Service Catalog

window.

3. To create a new Service Catalog, select the

default Catalog named “All Plans” and

select the Clone button.

4. Enter in the Catalog Name and select the OK

button to create the new catalog.


72

5. Select the Exclude option to hide each of the

plans you do not want to be included in the

Service Catalog document to be generated.

6. The remaining Service Plans not excluded

from your new Service Catalog will be

contained within the catalog.

The Service Catalog you created will be

automatically saved for future use.


73

Generating a Service Catalog Document

After you have created a Service Catalog, you can use Network Detective to generate a Service Catalog

document in Microsoft Word format.

The Service Catalog document will contain a list of the Security Plans you have assigned to your Service

Catalog(s) along with an overview of the Service Plan Security Policies and Procedures, and a list of

Reports deliverables.

To generate the Service Catalog document, follow these steps:



All of the Catalogs will be presented in the

Catalog Name list.

3. To generate the Service Catalog document,

select the name of the Catalog from the

Catalog Name list.

4. Select the Generate and then select the

Service Plan Catalog menu option to

generate the Service Catalog document.


74

5. Network Detective will generate the

Service Catalog document and open

Microsoft Word so that you may edit

and print the document.


75

Generating a Service Plan Matrix Document

After you have created a Service Plan, you can use Network Detective to generate a Service Plan Matrix

document in Microsoft Word format.

The Service Plan Matrix document will contain a list of the Security Policies you have assigned to your

Service Plan(s) along with a list of Reports deliverables.

To generate the Service Plan Matrix document, follow these steps:



All of the Catalogs will be presented in the

Catalog Name list.

3. To generate the Service Plan Matrix

document for a specific Catalog, select the

name of the Catalog from the Catalog Name

list.

4. Select the Generate and then select the Plan

Matrix menu option to generate the Plan

Matrix document.


76

5. Network Detective will generate the Plan

Matrix document and open Microsoft Word

so that you may edit and print the document.

The Security Policies associated with the Plan

are in the document.

And a list of Reports deliverables associated

with the plan are referenced the Report

Tasks section of the Service Plan’s Matrix.


77

Generating a Sample Master Services Agreement for a Service Plan

After you have created a Service Plan, you can use Network Detective to generate a sample Master

Services Agreement (MSA) document in Microsoft Word format.

The sample MSA document will include an example of terms and conditions for an MSA and reference

an Exhibit that will present a list of the Security Policies and Procedures that reflect the Service Plan

that will be selected when setting up the Detector for your customer.

To generate the Sample MSA document, follow these steps:

Step 1 – Opening Existing Network Detective Site that is Associated with your Detector

1. Start the Network Detective application.

2. Select the Site that that is Associated with

your Detector Appliance.

3. To open the Site, double-click on the Site

name.

Step 2 – Access the Detector Settings

After opening the Site associated with your Detector Appliance,

select the Detector Settings icon located on the left side of

the Network Detective window to view the Detector’s Settings.

Step 3 – Select the Policy Configuration Option

The Policy Configuration option enables you to configure Detector to detect violations of Access

Control, Computer, and Network Security policies that take place within the network.

Within the Policy Configuration window, you have

the option to generate the Sample Master Service

Agreement that is associated with the selected

Service Plan’s Security Policies that you have defined

for your Detector.

In the Detector Settings window, select the Policy

Configuration Modify button to access the Policy



78

The Policy Configuration window will be displayed.

Step 4 – Generate Master Service Agreement Option

Select the Generate button in the Policy Configuration window.

Next, select the Master Service Agreement Option.

The MSA Customization window will be displayed

Step 5 – Enter the MSP information, Customer information, and Service Plan Cost Details

In the MSA Configuration window, enter the MSP Name, State, and Address along with the Customer

Name and Address.

Next, enter the Service Plan Monthly Charge, Additional Hourly Billing Rate, Hours per Month

Included, Emergency Authorized Limit, and the Effective Date to be referenced in the sample MSA.

After entering the MSA Configuration information, select the OK button.


79

The Disclaimer notification and confirmation window

will be displayed.

Step 6 – Confirm Acceptance of the Disclaimer and Generate the Sample MSA

Select the OK button in the Disclaimer window to generate the Sample MSA in Word format.

Network Detective will generate the Master Services

Agreement document and open Microsoft Word so

that you may edit and print the document.


80

Managing Service Plans

The instructions below detail the processes used to Modify and Delete Service Plans.

Modifying a Plan

To edit a Service Plan, follow these steps:


2. Select the Edit icon on the Service Plan

that you would like to edit.

The Modify Service Plan window will be

displayed.

3. Change the Detector Security Policies, the

plan’s Scheduled Reports settings, or the

Name of the plan, and select the Save

button.


81

Impact of Service Plan Changes upon Deployed Detector Service Policy Settings -

IMPORTANT

In cases where a Service Plan has been previously assigned to one or more Detector Appliances that are

deployed, and the Service Plan has been updated, this revised Service Plan and its new Detector Policy

Settings must be manually applied to each Detector that will continue to use the plan.

For more information about how to apply the Security Policies contained within a Service Plan to a

Detector Appliance, please refer to the Detector Quick Start Guide available at


Deleting a Plan

To Delete a Service Plan, follow these steps:


2. Select the Edit icon on the Service Plan

that you would like to Delete.

3. Confirm the deletion of the Service Plan you

selected.



82

4. The selected Service Plan is deleted and is

removed from the Manage Plans window.


83

Impact of Deleting a Service Plan Previously Used to Configure Security Policy

Settings - IMPORTANT

In cases where a Service Plan has been previously assigned to one or more Detector Appliances that are

deployed, and the Service Plan has been deleted, a new Service Plan and its new Detector Policy

Settings will need to be associated with these Detectors.

For more information about how to apply the Security Policies contained within a Service Plan to a

Detector Appliance, please refer to the Detector Quick Start Guide available at


Managing Service Catalogs

The instructions below detail the processes used to Modify and Remove (i.e. delete) Service Catalogs.

Modifying a Catalog

To edit a Service Catalog, follow these steps:


2. Select the Manage Catalogs icon.

3. Select Service Catalog Name for the Catalog


The selected Service Catalog will be displayed

in the Manage Catalogs window.



84

At this point in the process, you may:

• Add Service Plans to a Catalog

• Exclude Service Plans from a Catalog

• Remove the selected Catalog entirely from the Service Plan Creator

Deleting (excluding) Service Plans from a Catalog

To delete a Service Plan from a Service Catalog, follow these steps:






in the Manage Catalogs window. This

Catalog will include the Service Plans

previously added to the Catalog.

4. Just below the name of each Service Plan is a

link labeled Exclude. The selection of the

Exclude Link removes the Service Plan from

the Catalog.

Select the Exclude Link to remove the specific

Service Plan selected from the Service


85

Catalog.

The Excluded Service Plan will no longer be listed within the Service Catalog user interface

unless re-added in the future.

Adding Service Plans to a Catalog

To Add a Service Plan to a Service Catalog, follow these steps:






in the Manage Catalogs window. This

Catalog will include the Service Plans

previously added to the Catalog.

Select the Include All Plans button.

This action will add all of the other Service

Plans that are currently not listed within the

Catalog’s Service Plan list.


86

4. Just below the name of each Service Plan is a

link labeled Exclude. The selection of the

Exclude Link removes the Service Plan from

the Catalog.

After you have Excluded the Services Plans

that are not required, exit the Service Plan

Creator.

Removing (deleting) a Service Catalog from the List of Catalogs

To Remove (delete) an entire Service Catalog, follow these steps:




that you would like to Remove.


in the Manage Catalogs window.

4. Select Remove button to delete the Catalog

from the Service Plan Creator.


87

5. The Catalog that you Removed will no longer

be present in the Catalog Name list.

Appendix E – Set Up and Assign a Ticketing/PSA System Integration to a Site Using Detector SDS

To successfully configure the Autotask, ConnectWise, or Tigerpaw Ticketing/PSA system integration with

the ND Portal, you will require the following information for the ticketing system you plan to set up for

use with the Portal:

This information will include:

• your Username and Password for your Ticketing System/PSA Integration Account provided

by the Ticketing System’s manufacturer

• URL for the Ticketing/PSA system’s API Integration system access

Step 1 – Set Up a Connection to your Ticketing System/PSA

Follow these steps to set up a Connection to your Ticketing System/PSA in the Portal.

1. Visit https://alerts.alert-central.com and log into

the Network Detective Portal.

Note: In order to configure the Settings in the

Portal, the login credentials you use to access the

Portal will require the Master User rights for your

company’s Network Detective account.

2. Select the Global Settings option.



88

3. Select the Connections option.

4. Select the Add option to create a

new Ticketing System/PSA

Connection to be later assigned it to

a Network Detective Site.

The Add Connection Setup New

Connection window will be

displayed.

5. In the Setup New Connection window, select

the Connection Type by selecting the

Autotask, ConnectWise, ConnectWise REST, or

Tigerpaw system.

Note about ConnectWise Support: For

ConnectWise connections, you will need to

set up an Integrator ID and use the Integrator

ID login credentials when setting up a

ConnectWise

integration in the ND Portal.

To learn more about setting up a

ConnectWise Integrator ID to work with the

ND Portal, refer to Appendix I – Setting up a

ConnectWise Integrator Login ID. If you are using the ConnectWise REST API integration, see

Appendix J – Setting up a Network Detective to ConnectWise REST API Integration.


89

6. Then select the Test Login button to test the Connection to the Ticketing/PSA system you

selected.

7. Then enter in the information required to set up the Connection.

This information will include:

• your Username and Password for your

Ticketing System/PSA Integration Account

provided by the Ticketing System’s

manufacturer

• URL for the Ticketing/PSA system’s API

Integration system access

8. Select the Test Login button to test your

Connection login.

After a successful test login, the second Add

Connection Ticket Details window will be

displayed.

9. Continue creating your Connection by entering in

the necessary Ticket Details that is relative to the

Ticketing System /PSA you are using in your

Connection setup.

For Autotask, set up the Company Name, Work

Type, Assigned Resource, Role, Due Date, Issue

Type, Queue, Priority, Status and Source fields.

For ConnectWise, set up the Company Name,

Service Board, Status, Service Type, Source, and

Priority fields. Sub-Service Type and Service Item

should be completed if applicable.

For Tigerpaw. set up the Service Board, Service

Type, Account, Representative, Status, and Priority

fields.

Select the Test Ticket button to continue.

The Add Connection Settings Confirmation window will be displayed after the Test Ticket

process is successful.


90

10. In the Add Connection Confirm Settings window

presented, enter the Name for your new

Connection to the Ticketing System/PSA in the

Name field.

11. Review the Connection’s configuration details

and select the Save button to complete the

creation of your Ticketing System/PSA

Connection setup.

12. The new Connection created will be listed in the

Portal’s Connection list.

13. Your new Connection will be listed in the

Connections list.

Step 2 – Map your Detector’s Site to a Ticketing System/PSA Connection

Follow these steps to map a Ticketing System/PSA Connection to the Network Detective Site associated

with your Detector.

1. In the Integrations window, select the Add

button located in the Site Mappings section of

the window.

The Map Site to Connection window will be

displayed.

2. Select the Network Detective Site you want to

assign to this Ticketing System/PSA Integration.

3. Next, select the name of the Connection that you

want use to link the Site to your Ticketing

System/PSA.


91

4. After selecting the Connection name, use the

Company Lookup field to search and select the

Company name to be referenced when

generating Tickets for the selected Site.

5. Select the Save button to save your Site Mapping

to Ticketing System/PSA Integration.

6. The Site’s mapping to your Ticketing System/PSA

Integation will be saved and listed in the Site

Mappings list.

Your Portal account now can be used to create tickets for any Alerts or To Do items listed in the Portal

for the Network Detective Site you selected.


92

Appendix F – Set Up ND Portal Branding (Detector SDS Only)



Note: In order to configure the settings in the





3. Select the Branding option.

https://alerts.alert-central.com/


93

4. Enter your company brand in the

Company Name field.

The company brand information

you entered will be presented in

the Preview.

5. To select the Banner color for

your company’s Portal login

screen, single click on the Banner

Color field and a color selector

control will be displayed.

6. Select your Banner Color and

select the Save button to save

your Branding settings.

7. Log out of the ND Portal, then log back into the

Portal in order to verify that your Branding

settings have been applied.


94

Appendix G – Set Up a Custom Subdomain to Access the ND Portal (Detector SDS Only)



Note: In order to configure the settings in the





3. Select the Branding option.



95

4. Enter the Subdomain name

you desire in the Site

Subdomain field.

5. Select the Save button to save

your Subdomain setting.

6. Log out of the ND Portal.

7. Next, access the ND Portal by using the URL

for the new Subdomain you configured to

access the Portal’s login screen.


96

Appendix H – Set Up Custom SMTP Server Support (Detector SDS Only)

Follow these steps to set up the use of your own SMTP server to send Alerts and Notices from Detector.

Follow these steps to set up the Email Configuration.

1. In the Detector Settings window, select the Email

Configuration Modify button to access the Email


The Email Configuration window will be

displayed.

2. Select the SMTP Server tab within the Email

Configuration window to access the Custom

SMTP Server settings.

3. Configure the following to set up your Customer

SMTP Server to send Detector Alerts and Notices:

• Alert From email address and display

name

• Report From email address and display

name

• SMTP Server Address

• Port Number

• Security Method

• SMTP Server Username and Password


97

4. Select the Send Test Email button to test the

SMTP email Server configuration and email

addresses.

5. Select the Send button in the Send Test Emails

window. The status of the email test is displayed

in the Send Test Emails window.

After a successful test has been completed, select

the Close button to close the Send Test Emails

window.

6. To complete the setup process, select the Save & Close button in the Email Configuration

window to save the Custom SMTP Server Email Configuration settings.


98

Appendix I – Setting up a ConnectWise Integrator Login ID

Before configuration items can be imported into the ConnectWise PSA, the appropriate permissions

must be setup in your ConnectWise system and you must configure a ConnectWise “Integration

Connection” in Network Detective Portal.

Setting up an “Integrator Login” in ConnectWise

• Navigate to System-> Setup Tables

• Type “Integrator” into the Table lookup and hit Enter

• Click the Integrator Login link

Click the “New” Icon to bring up the New Integrator login screen as shown on the right.

Enter and record Username and Password

values which you will need later on when

configuring a ConnectWise “Integration

Connection” in the Network Detective Portal.

Set the Access Level to “All Records.”

Using the ConnectWise Enable Available APIs

function, enable the following APIs:

• ServiceTicket API

• Company API

• Reporting API

• System API Note: If using the Network Detective Application’s Export Options, then additional API’s must be set up as referenced in the Network Detective User Guide.

Click the Save icon to save this Integrator Login.


99

Appendix J – Setting up a Network Detective to ConnectWise REST API Integration To set up a connection between the ND portal and the ConnectWise Ticketing system using the REST API

you will be required to:

Step 1 – Download and Install the ConnectWise Manage Internet Client Application

To enable the integration, you will need to use the ConnectWise Manage Internet Client application.

Download and install the app from http://university.connectwise.com/install/. Then log in using your

credentials.

If you are using the ConnectWise Manage web app, you can continue to use the web app after you have

completed the steps in this guide and enabled the integration with ND.

Step 2 – Select the ConnectWise Ticket System API Member Account to Integrate with Network Detective

1. From the ConnectWise dashboard, click System from the side menu.

2. Next, click Members.

3. Click on API Members Tab. The API Members screen will appear.

Note that the API Members Tab may not show by default and may need to be added. You can

add this tab from the Tab Configuration menu on the Members page .

4. Click on the button to create a new API Member. Fill in all required information.

5. Confirm that the API Member has been

assigned Admin rights by checking the

member’s Role ID under Security Information.

Step 3 – Create an API Key in the ConnectWise Ticketing System

1. Select the API Member that you created previously.

2. From the API Member

details screen, click API

Keys.

http://university.connectwise.com/install/


100

3. Click the button.

4. Enter a Description for the API Key.

5. Click Save.

6. The newly generated API Key will appear.

7. Write down or take a screen shot of the

Member’s Public and Private API Key strings.

This information will be required to set up

the integration between ND and

ConnectWise. Note that the Private Key is

only available at the time the key is created.

Be sure to copy the keys for your records.

Step 4 – Configure Service Tables in ConnectWise

In order to export issues from ND as tickets in ConnectWise, you will need to configure several Service

Tables in ConnectWise. These tables ensure that the issues in ND are “mapped” correctly to the tickets

created within ConnectWise. You must configure the Service Tables correctly in order to establish the

connection between ND and ConnectWise.

You can configure the Service Tables in ConnectWise from System>Setup Tables>Category>Service.

Configure the Service Tables as detailed below:

1. Service Board

You must have a Service Board created within ConnectWise. In addition, within the Service

Board, you must create values for the following fields. You can create values for these fields

from the Service Board page:

a. Statuses

b. Types

c. Teams

You must create at least one value for each of these fields.


101

In addition, you must define values for two additional Service Tables:

2. Source

You must include at least one Source.

3. Priority

You must include at least one Priority

level.

If your existing Service Tables already contain values for the fields listed above, you do not need to

create new values.

Once you have completed the configuration requirements detailed in this topic, you can then proceed to

Appendix E – Set Up and Assign a Ticketing/PSA System Integration to a Site Using Detector SDS.


102

Appendix K – Default Detector SDS Service Plans

The default Detector SDS Service Plans available for selection after initial installation are the Bronze,

Silver, Gold, and Platinum plans. Below is an overview of the default Security Policies associated with

each Service Plan.

Security Policy Description Bronze Silver Gold Platinum

Authorize New Devices to be Added to Restricted Networks ✓ ✓ ✓ ✓

Restrict Access to Accounting Computers to Authorized Users ✓ ✓ ✓ ✓

Restrict Access to Business Owner Computers to Authorized Users ✓ ✓ ✓ ✓

Restrict IT Administrative Access to Minimum Necessary ✓ ✓ ✓ ✓

Restrict Users that are Not Authorized to Log into Multiple Computer Systems ✓ ✓ ✓ ✓

Strictly Control the Addition of New Local Computer Administrators ✓ ✓ ✓ ✓

Strictly Control the Addition of New Users to the Domain ✓ ✓ ✓ ✓

Install Critical Patches on Network Computers within 30 Days ✓ ✓ ✓

Only Connect to Authorized Wireless Networks ✓ ✓ ✓

Strictly Control the Addition of Printers ✓ ✓ ✓

Restrict Access to IT Admin Only Restricted Computers to IT Administrators ✓ ✓ ✓

Users Should Only Access Authorized Systems ✓ ✓ ✓

Changes on Locked Down Computers should be Strictly Controlled ✓ ✓

Install Critical Patches for DMZ Computers within 30 Days ✓ ✓

Investigate Suspicious Logons by Users ✓ ✓

Investigate Suspicious Logons to Computers ✓ ✓

Remediate High Severity Internal Vulnerabilities Immediately (CVSS > 7.0) ✓ ✓

Restrict Internet Access for Computers that are Not Authorized to Access the

Internet Directly ✓ ✓

Detect Network Changes to Internal Networks ✓

Detect Network Changes to Internal Wireless Networks ✓

Remediate Medium Severity Internal Vulnerabilities (CVSS > 4.0) ✓

Restrict Access to Computers Containing ePHI to Authorized Users ✓

Restrict Access to Systems in the Cardholder Data Environment (CDE) to

Authorized Users ✓

Strictly Control the Clearing of System and Audit Logs

Strictly Control the Removal of Users from the Domain

Enable automatic screen lock on computers with sensitive information

Enable automatic screen lock for users with access to sensitive information


103

Security Policy Description Bronze Silver Gold Platinum

Strictly control DNS on Locked Down Networks

Strictly control changes to Group Policy

Strictly control changes to the Default Domain Policy

Only store Personally Identifiable Information (PII) on systems marked as sensitive

Strictly Control the Creation of New User Profiles

Only store ePHI on designated systems

Only store cardholder data on designated systems


104

Appendix L – Additional Scan Host Configuration Options and Requirements

The Detector Appliance requires access to at least one separate, additional PC on the client’s network.

This computer is called the “Scan Host.” The Scan Host is used to initiate scans.

Scan Host Requirements

Before proceeding to set up the Scan Host, ensure that the following requirements are met:

• The Scan Host PC must have Windows 7 or higher.

• WMI, Admin$, and File and Print Sharing must be enabled on the network along with their

respective firewall settings.

Note that in order to initiate the scans, the Scan Host PC must also:

• be turned on

• be connected to the network

Assigning Scan Hosts

You assign Scan Hosts in the first step of the Scan Configuration Wizard. We recommend that you assign

at least two PCs to serve as scan hosts. This will allow scans to run even if one scan host becomes

unavailable.

To assign Scan Hosts:

1. In the Detector Settings window, select the

Modify Scan Configuration option.

The Scan Configuration Wizard will appear.

2. Click Modify Settings if you wish to modify a

previously configured scan.


105

3. The Scan Hosts window will appear. Next assign scan hosts:

a. Enter one set of login credentials to access the PCs that you wish to designate as scan hosts.

b. Enter the name of the domain (NOT the name of the domain controller).

c. Enter the IPs or computer names of the computers that will initiate the scans.

4. Once you have entered scan hosts, click Test Scan Hosts to be sure you can connect. If you are

unable to connect, verify that the A) scan hosts meet the requirements listed above, B) that you

have entered the values correctly as detailed in the image above.

Assigning Scan Hosts within a Workgroup

If you are working within a Workgroup environment, you will

need to enter the following characters into the Domain field

when assigning scan hosts: “.\” (without quotation marks).

Documents

Detector Service Delivery System (SDS) Version 3 · PDF fileNetwork Detective™ Detector – User Guide 2 Workflow Used by an End User to Request an Investigation of an Alert