5. Connectors and Notifications
Once logged in, users will have access to the NP-Live home page on which they can manage their workspaces. See the Workspaces section for more information on using workspaces. Once one or more workspaces have been created, the user can configure automated data imports through NP-Connect and automated reporting through the Notification Manager.
NP-Connect automates the secure retrieval of configuration files from firewalls, routers, switches, and network device configuration managers. NP-Connect hosts one or more connectors that securely retrieves configuration files at the specified frequency. By default, NP-Connect is accessible through HTTPS on port TCP/8443 of the NP-Live server and is isolated for security purposes.
The first time an administrator accesses NP-Connect from NP-Live (+Import Data -> New connector -> Manage connectors with NP-Connect), they are required to define a Connector group name and a secure passphrase. The Connector group name will be used to create the encrypted connector file store. Connector information is encrypted at rest and in transit using a passphrase protected PGP key. Only the connector owners know the passphrase and the passphrase is never stored. Once initiated, NP-Connect runs in the background collecting network information. If the NP-Live server is restarted, the connector owner is required to re-authenticate and restart the connectors. Connector owners can create multiple connector groups and each will require their own login. Once created, the user can select from the list of available connectors when logging in.
The connector page contains five main options options.
- add a new connector
- bulk start all connectors (see bulk start parameters below)
- bulk stop all connectors
- delete the connector (user must be logged into the connector group to delete)
- exit the connector group.
To add a new connector, select “+Add New Connector” button and a list of available Devices and Network management System connectors is presented. Upon selecting the Device or Network Management System to add, the user is requested to fill in connection information. The user must enter a Connector name (no spaces), host name, and credentials. The user can then verify the credentials are correct with the “Test access” button. Additional information may also be required based on the connector selected. Finally, a refresh schedule can be selected and a list of workspace the user wishes the device to be added can be input. The user can then test the connector or add the connector to complete the operation.
Note: Workspaces must be added to the connector for data to be transferred and displayed in the workspace. If workspaces are added after a connector is setup, data will not be sent to the workspace until the next scheduled import and a configuration change is identified. Creating workspaces before connectors facilitates faster visualization of data.
Once the connector is added, a tile is added to the NP-Connect home page. From the tile, the user can:
- manually activate the connector for a one time data pull
- run / pause the connector
- edit the connector
- copy the connector
- delete the connector.
The tile banner will show in three colors:
- red – connector failed
- blue – connector running
- gray – connector paused
Click the start / pause button to restart a failed or paused connector, note that a connector may take several minutes to change the banner color.
Notification manager is used to configure services and rules for generating and sending system notifications about Workspaces. Select the system menu (top right corner) and then “Notification manager to begin setup.
Configuring Notification Services
Before rules can be configured in notification manger, the administrator is required to configure at least one notification service. Services include: e-mail, STIX/TAXII, SIEM (Syslog), and select ticketing systems.
- SMTP configuration requires a server IP address, communication port, user id and password. Note that a firewall port may need to be opened for NP-Live to communicate with your SMTP server.
- Syslog configuration requires a server IP address and a communication port.
- Information on configuring SPLUNK can be found here.
- ServiceNow configuration requires a server address, user name and password.
- TAXII configuration requires a server address, server port, data path and a destination collection name.
Service configuration can be found under “Notification manager -> Configure Services” tab.
Creating Notification Rules
NP-Live can automatically send information to the configured services for changes and activities impacting your workspaces. Select the system menu and then “Notification manager -> Add/Edit Rules” to setup rules. Rules can be set to precisely choose which activities and events to include in notifications. When configuring the notification rule, the user will select a service to deliver the notification to, the workspace(s) to be monitored and frequency the report should be delivered.
After that, the criterion for generating the report is selected. Activity types include: Risk alerts, Warnings, Errors, Comments and Change events. For each Activity type, one or more activity status can be selected. The matrix below illustrates what status and severity is possible with each activity type.
Some notifications allow for multi selection and compounding with the AND function. The AND between each section is a logical AND for example: Activity Type = Warning AND Activity Status = New / open AND activity severity = Low will trigger only when all criterion are met.
Additionally, the notification rule can be filtered by keywords. Finally, the output can be sanitize to remove IP addresses and saved for future viewing.
Viewing Notification Rules and Reports
Once rules are created, they appear on the “Your Rules” tab and when rules are activated the reports display on the “Your Reports” tab if the “save for future viewing” box was checked.