HIP Profile monitor only initially


Hello,

We have got a requirement to implement HIP profiles for GP users;

But first we want to run it in Monitor mode, without any enforcement and without blocking any users.

 

Below are the requirements:

OS: Windows 10
AV: McAfee
AV updates not older than: 5 days
Patch management: /
Disk encryption: Enabled
Firewall: Enabled

So do I just have to create a HIP Object with all these conditions?

And how will I check which machines will not hit these HIP Objects?

@FWPalolearner,

So the thing to remember about HIP is that it never takes any action unless you've specifically told it to. By default, HIP is just going to be informational. What you would do here is just create a HIP Object matching your criteria and commit. The HIP Match logs on the firewall will tell you which connecting clients are matching your HIP Object.

If you want to quickly see what machines aren't meeting your defined HIP parameters, you could do that easily enough by creating two HIP Profiles. You would simply set them to match or NOT match the HIP Object you defined above, and then you could search for either HIP Profile in your logs.

So for an example, let's say that I created a HIP Object called "Secured-Clients" and had it match all the criteria you defined. I would then create two HIP Profiles, with the first being "Trusted-Clients", for example, that would simply match on the "Secured-Clients" HIP Object you created previously. You would then create another HIP Profile called "NonTrusted-Clients" and simply have the match criteria as NOT "Secured-Clients".

When it comes to searching who is matching which profile, you can log into the firewall and search the HIP Match logs. To filter on the Trusted-Clients HIP Profile you would simply use the search ( matchname eq Trusted-Clients ) to find everyone who meets your HIP criteria, and then ( matchname eq NonTrusted-Clients ) to find everyone who doesn't.

Just keep in mind that nothing will actually take your HIP Profiles into account until you actually configure it to do so. Simply creating new HIP Objects or HIP Profiles will never cause any issues with your existing profiles.

Hello @BPry,

Thanks, and apologies for getting back to you late.

I have configured HIP Profiles but I have a doubt about the syntax.

I have created 4 HIP Objects for checking AV, OS, FW and Disk enc for machines in the old domain. To check non-compliant machines I have done the below syntax for the HIP Profile:

(not "GP-Internal-AV" or not "GP-Internal-OS" or not "GP-Internal-FW" or not "GP-Internal-DiskEncryption" ) and "GP-Internal-Domain-old"

or do I have to put parentheses like below?

((not "GP-Internal-AV") or (not "GP-Internal-OS") or (not "GP-Internal-FW") or (not "GP-Internal-DiskEncryption")) and "GP-Internal-Domain-old"

Similarly for external machines I have the below:

(not "GP-External-AV" or not "GP-External-OS" or not "GP-External-FW" or not "GP-External-DiskEncryption" ) and (not "GP-Internal-Domain-Old" )

or should the syntax be?

((not "GP-External-AV") or (not "GP-External-OS") or (not "GP-External-FW") or (not "GP-External-DiskEncryption" )) and (not "GP-Internal-Domain-New" )

I am confused by the parentheses.

@FWPalolearner,

The syntax for this is a little weird. You don't actually need to include brackets around things you don't want to group. So in your first example, the syntax that I would use would be:

not ("GP-Internal-AV" or  "GP-Internal-OS" or  "GP-Internal-FW" or "GP-Internal-DiskEncryption" ) and "GP-Internal-Domain-old"

 

Likewise your second example I would use:

not ("GP-External-AV" or "GP-External-OS" or "GP-External-FW" or "GP-External-DiskEncryption" ) and not "GP-Internal-Domain-Old"
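An added check that is not part of this thread and not Palo Alto Networks code: a small evaluator for HIP Profile match expressions that tests whether two spellings of a profile agree for every combination of matched HIP Objects. It assumes ordinary boolean precedence (not binds tighter than and, which binds tighter than or), which is an assumption about how PAN-OS evaluates the expression rather than something the thread states; under that assumption the bracketed and unbracketed forms of the "any check fails" expression are interchangeable, while moving the not outside the parentheses gives a profile that only matches when every check fails, so the HIP Match logs are the place to confirm which clients a profile actually catches before anything enforces on it.

```python
import re
from itertools import product

TOKEN_RE = re.compile(r'"([^"]+)"|([()])|\b(and|or|not)\b', re.IGNORECASE)
# The two forms from the thread; object names copied from the posts above.
ANY_FAIL = ('(not "GP-Internal-AV" or not "GP-Internal-OS" or not "GP-Internal-FW"'
            ' or not "GP-Internal-DiskEncryption" ) and "GP-Internal-Domain-old"')
ALL_FAIL = ('not ("GP-Internal-AV" or  "GP-Internal-OS" or  "GP-Internal-FW"'
            ' or "GP-Internal-DiskEncryption" ) and "GP-Internal-Domain-old"')
def evaluate(expr, matched):
    """Evaluate expr against the set of HIP Object names a client matched.
    Precedence assumed: not binds tighter than and, and tighter than or."""
    tokens = [("OBJ", n) if n else ("OP", (p or k).lower())
              for n, p, k in TOKEN_RE.findall(expr)]
    pos = 0
    def peek():
        return tokens[pos] if pos < len(tokens) else (None, None)
    def parse_binary(keyword, operand):
        # Left-assoc chain; the right side is always parsed so pos advances.
        nonlocal pos
        value = operand()
        while peek() == ("OP", keyword):
            pos += 1
            rhs = operand()
            value = (value and rhs) if keyword == "and" else (value or rhs)
        return value
    def parse_or():
        return parse_binary("or", lambda: parse_binary("and", parse_not))
    def parse_not():
        nonlocal pos
        kind, val = peek()
        pos += 1
        if (kind, val) == ("OP", "not"):
            return not parse_not()
        if kind == "OBJ":
            return val in matched            # object names are case-sensitive
        if (kind, val) == ("OP", "("):
            value = parse_or()
            if peek() != ("OP", ")"):
                raise ValueError("missing ')' in HIP Profile expression")
            pos += 1
            return value
        raise ValueError(f"unexpected token {val!r}")
    return parse_or()

def equivalent(expr_a, expr_b, objects):
    # True if both expressions agree for every subset of matched objects.
    return all(evaluate(expr_a, m) == evaluate(expr_b, m)
               for bits in product([False, True], repeat=len(objects))
               for m in [{o for o, b in zip(objects, bits) if b}])
```

`equivalent(ANY_FAIL, ALL_FAIL, objects)` is False under these assumptions: a client with only one check failing matches ANY_FAIL but not ALL_FAIL.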

@BPry Thanks. This works. Thanks for your help as always 🙂
