111 Views | 1 Helpful | 1 Replies

SNA Host Groups Advanced Options

navidn (Level 1)

Can someone help me with understanding what each of these Advanced options means and in which use cases I should check or uncheck these?

[Image attachment: Untitled picture.png, screenshot of the Host Group advanced options]

Accepted Solution

jamegill (Cisco Employee)

Hi @navidn,

It's a good question and the answer(s) are a little trickier than usual to locate. The "help" (question mark "?") icon in the upper-right hand corner which provides context-sensitive help has the information you're looking for, but in this case it's behind a collapsed heading of "View host group details" ... because there's a lot of information to cover in the help docs about Host Groups.

This is the help page the table below came from: 
https:// <your SNA Manager> /smc/help/enterprise/en-us/Content/web_app_stealthwatch/managing_and_configuring_host_groups.htm?cshid=50051

Option: Enable baselining for hosts in this group.
Description: If you select this check box, a unique host level baseline is established only for each host in a host group. Otherwise, Secure Network Analytics baselines aggregate host behavior at the host group level. As previously stated, by default, Secure Network Analytics baselines every host within the Inside Hosts group; therefore, by default this option is enabled for Inside Hosts.

Option: Disable security events using excluded services.
Description: When this setting is enabled, security events for the host group(s) are disabled for any security event using a service that has the "Exclude" setting enabled on the TCP/UDP Service dialog.

Option: Disable flood alarms and security events.
Description: When this setting is enabled, flood alarms and flood security events are disabled when any host in the host group(s) is the target of a flood attack.

Option: Trap hosts that scan unused addresses in this group.
Description: Select this check box to enable the "trapping" of hosts that appear to be performing "low and slow" scans of the host group(s). ("Low and slow" scanning is the process of scanning the hosts/ports on a network over a period of hours to months. These types of scans may be performed in order to prevent discovery of the attacker, the ports being scanned, or the hosts being scanned, or even to pre-scan before release of a worm.)

Any host that attempts to communicate with an unused address in the host group(s) (on any port) is counted. The scanning host receives a Trapped Host alert if the daily count threshold is exceeded. Once the host exceeds the number of days in that month that it can receive a Trapped Host alert, a Trapped Host alarm is triggered. After a host triggers a Trapped Host alarm, its Concern Index is raised to its threshold, making it a High Concern Index host. As such, the host generates Touched alarms that help you track any further activity.

This is an advanced feature that should only be enabled for select small, well-controlled host groups with fixed IP addresses and a stable number of hosts, such as critical servers. This allows you to detect hosts intruding into the most important part of your network.

Hosts that scan unused addresses in the Outside Hosts host group are not included in trapped host calculations and therefore do not generate trapped host alerts and alarms, regardless of whether this setting is enabled in the Outside Hosts host group.

ProTip: Learning all the concepts and capabilities discussed in that one help page will power up your ability to manage and tune Secure Network Analytics to achieve the best detections!

 

--jg
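The escalation described in the "Trap hosts that scan unused addresses" option (daily count of contacts with unused addresses, an alert once the daily threshold is exceeded, an alarm once the number of alert days in the month is exceeded, and the Concern Index raised to its threshold) can be followed more easily when it is replayed over a handful of flow records. The model below is an added illustration and is not Cisco code or the product's real implementation; the flow record layout, the threshold values (daily_threshold, max_alert_days, CI_THRESHOLD), the host group contents and all sample records are constructed assumptions. The Outside Hosts exclusion from the help text is modelled as well.

```python
"""Toy replay of the SNA "trap hosts that scan unused addresses" escalation.

Added example, not Cisco code. Record layout, thresholds, group contents and
all flow records below are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date
import ipaddress

CI_THRESHOLD = 100  # assumed Concern Index value that marks a "High CI" host


@dataclass
class HostGroup:
    name: str
    ranges: list                      # ip_network objects covered by the group
    used: set                         # ip_address objects known to be in use
    trap_unused: bool = True          # the advanced option under discussion
    is_outside_hosts: bool = False    # Outside Hosts never counts toward trapping

    def is_unused_target(self, dst: str) -> bool:
        """True when dst lies inside the group's ranges but is not a known host."""
        ip = ipaddress.ip_address(dst)
        return any(ip in net for net in self.ranges) and ip not in self.used


@dataclass
class TrapState:
    # (src, day) -> number of contacts with unused addresses that day
    daily_counts: dict = field(default_factory=lambda: defaultdict(int))
    # (src, year, month) -> set of days on which a Trapped Host alert fired
    alert_days: dict = field(default_factory=lambda: defaultdict(set))
    alarms: set = field(default_factory=set)          # hosts with a Trapped Host alarm
    concern_index: dict = field(default_factory=lambda: defaultdict(int))


def process_flows(flows, groups, daily_threshold, max_alert_days):
    """Replay (day, src, dst, dst_port) records and apply the escalation rules."""
    state = TrapState()
    for day, src, dst, _port in flows:          # port is irrelevant: "on any port"
        for g in groups:
            if not g.trap_unused or g.is_outside_hosts or not g.is_unused_target(dst):
                continue
            key = (src, day)
            state.daily_counts[key] += 1
            if state.daily_counts[key] > daily_threshold:       # Trapped Host alert
                mkey = (src, day.year, day.month)
                state.alert_days[mkey].add(day)
                if len(state.alert_days[mkey]) > max_alert_days and src not in state.alarms:
                    state.alarms.add(src)                       # Trapped Host alarm
                    state.concern_index[src] = max(state.concern_index[src], CI_THRESHOLD)
    return state


def alert_day_count(state, src, year, month):
    return len(state.alert_days.get((src, year, month), ()))


def unused_contact_days(state, src):
    """Number of distinct days on which src was counted at all."""
    return sum(1 for (s, _d) in state.daily_counts if s == src)


# Constructed groups: a small server group with three allocated addresses,
# and an Outside Hosts group whose unused space must be ignored.
SERVERS = HostGroup("Critical Servers", [ipaddress.ip_network("10.0.5.0/24")],
                    {ipaddress.ip_address(a) for a in ("10.0.5.10", "10.0.5.11", "10.0.5.12")})
OUTSIDE = HostGroup("Outside Hosts", [ipaddress.ip_network("203.0.113.0/24")],
                    set(), is_outside_hosts=True)

# Constructed flow records: a normal client, and a "low and slow" scanner that
# touches three unused server addresses once a week.
FLOWS = [(date(2024, 3, 1), "10.1.1.20", "10.0.5.10", 443)] * 3 + [
    (date(2024, 3, d), "10.1.1.50", f"10.0.5.{200 + i}", p)
    for d, p in ((1, 22), (8, 445), (15, 3389)) for i in range(3)
] + [(date(2024, 3, 2), "10.1.1.50", "203.0.113.77", 80)]  # unused Outside address


def run_example():
    # Assumed thresholds: more than 2 contacts/day alerts, more than 2 alert days/month alarms.
    return process_flows(FLOWS, [SERVERS, OUTSIDE], daily_threshold=2, max_alert_days=2)


if __name__ == "__main__":
    st = run_example()
    print("alarms:", sorted(st.alarms))
    print("alert days for 10.1.1.50 in 2024-03:", alert_day_count(st, "10.1.1.50", 2024, 3))
    print("concern index:", dict(st.concern_index))
```

Running it shows the scanner accumulating one alert day per week until the third one tips it into a Trapped Host alarm and a Concern Index of 100, while the client talking to a real server and the probe of an unused Outside address are never counted. The thresholds are deliberately tiny so the escalation is visible in a dozen records; the help text's warning that the feature suits only small, stable groups follows directly from this model, since any group with churn in its allocated addresses would turn ordinary traffic into "unused address" contacts.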
