Getting Started with State Analyzer

For an overview of how TSA works, see About Tripwire State Analyzer.

Step 1: Check Data Sources

First, check that State Analyzer is collecting data from one or more Tripwire Enterprise systems.

  1. Navigate to Settings > Data Sources.
  2. Verify that there is at least one TSA Data Source in the list.
    If you don't have a TSA Data Source, follow the steps in Data Sources to add one.
  3. Next, navigate to Environment > Assets and verify that the assets associated with your TSA Data Source are present. It may take several minutes for Assets to appear after adding a TSA Data Source.

Step 2: Configure TSA Settings

Next configure TSA settings for your environment.

  1. Navigate to State Analyzer > Allowlist Settings.
  2. On the Display Types tab, select the Allowlist Types you want to monitor and click Enable.
    Disabled Allowlist Types are not shown on the Allowed Items or Allowed Settings pages.
  3. Click the Preferences tab, then configure any desired settings there.

Step 3: Create Allowlists

Next you need to create Allowlists, which list Approved Items for each Allowlist Type. The process to create Allowlists depends on whether you are migrating from an existing Whitelist Profiler App (WLP App) installation, or starting from scratch.

  1. Navigate to State Analyzer > Allowlist Settings and click the Display Types tab.
  2. Click IMPORT EXISTING ALLOWLIST FILES.
  3. Complete the Import Allowlist Files panel:
    1. From the Allowlist Type drop-down, select an Allowlist Type to be imported.
    2. Click ADD FILE and select a CSV file to import.

      Tips:  

      Whitelist CSV files from the WLP App are in the following directory:
      <wlp_root_dir>/whitelists

      The maximum size for each imported CSV file is 10MB, with a limit of 2048 characters per field.

    3. Verify that the file you chose is added to the Selection list.
    4. Repeat the steps above for each Allowlist file to be imported.
    5. Click IMPORT.
  4. Confirm that the data was imported successfully:
    1. Navigate to State Analyzer > Allowed Items.
    2. Check the tabs on the Allowed Items page to verify that your data was added.
  1. Navigate to State Analyzer > Allowed Items and select the tab for the Allowlist Item you want to add.
  2. Click the NEW <ITEM TYPE> button.
  3. In the New Item pane, configure Attributes, which describe the basic configuration of the Item.
    • To use a regular expression, enter it in the appropriate field and select Regular Expression.
    • Select Is Enabled to enable processing of this Item during an Allowlist Assessment.
    • Select Show Content in TE? to display this element's content in TE.
  4. Configure the Scope, which specifies the monitored systems that should be evaluated against this Item during an Allowlist Assessment: 
    • Select All Assets to evaluate this Item against all assets associated with this TSA Data Source.
    • To only evaluate a subset of assets, enter or select criteria used to identify assets (Tags, IP Addresses, Assets, etc.).
  5. Enter values for any User-Defined Attributes. User Defined Attributes for an Allowlist can be created on the corresponding Attributes tab on the Allowlist Settings page.
  6. Click Save.

Tip:  

If you have many Allowed Items to add, you may want to create them outside of TSA. Follow this process for each Allowlist you want to create:

  1. Manually create several Items on the Allowed Items page of TSA as described above. You can use these as models when you manually add other Items.
  2. Export the Allowed Items to a CSV file.
  3. Edit the CSV file with the tool of your choice to add additional Items and formatting. See the Allowed Items CSV File Reference for details.
  4. Import the Allowed Items file back into TSA.

Step 4: Run an Allowlist Assessment

During an Allowlist Assessment, Tripwire State Analyzer compares a specified Allowlist to element data generated by the following TE rule group: Tripwire State Analyzer > Server-side Rules > Query Rules.

  1. Navigate to State Analyzer > Allowlist Assessment.
  2. Click NEW ALLOWLIST ASSESSMENT.
  3. Complete the New Allowlist Assessment panel:
    1. Select the Allowlist Type to create the Assessment for.
    2. Create a descriptive Assessment Name, like "Daily Open Ports".
    3. For the Scope, leave All Assets selected. Scopes specify which assets are evaluated when the Assessment runs.
    4. For the Schedule Details, select Now.

Step 5: Examine the Results

During an Allowlist Assessment, Tripwire State Analyzer compares TE element data to a corresponding Allowlist and creates a list of Authorized, Unauthorized, and Unused Items.

  • Authorized Items match an Allowed Item in an Allowlist.
  • Unauthorized Items do not match any Allowed Items in an Allowlist.
  • Unused Items are Allowed Items that were not found during the Assessment.

These results are displayed on the Allowlist Assessment page. Each row in the table there represents a different Assessment, showing the results of its most recent run.

  1. Take a closer look at the Allowlist Assessment table:
    • Click anywhere in a row to view or edit the Assessment that created those results.
    • Click the numbers in the Authorized Items, Unauthorized Items, and Unused Items columns to see more details about these Items.
    • Use the icons above the table to export Assessments to an external file, show and hide columns, or to filter the Assessments displayed.
  2. If there are Unauthorized Items that should be Authorized, you can add them to the corresponding Allowlist:
    1. Click the number in the Unauthorized Items column.
    2. Select the Item(s) you want to add to an Allowlist and click Make Allowed.
    3. In the confirmation dialog, click Save.
    4. Navigate to the appropriate tab of the Allowed Items page. The newly-added Items should be at the top of the list with a NEW icon.
    5. Back on the Allowlist Assessment page, select the same Assessment and click Run. Click the number in the Authorized Items column to verify that the Item is now Authorized.

In addition to the Allowlist Assessment results displayed in TSA, you can monitor the same data in several places in the TE Console:

  • In the Node Manager, TE will create new element versions associated with the TSA rule group:

    Tripwire State Analyzer > Server-side Rules > Query Rules

  • In the Report Manager, there are a variety of Tripwire-defined TSA reports in the following report group:

    Root Report Group > Tripwire State Analyzer

Next Steps

Repeat the steps above to migrate your WLP whitelists into TSA, run initial Allowlist Assessments on each one, and change Unauthorized Items to Authorized, if applicable.

After that, you may want to:

  1. Address any remaining Unauthorized Items and have TE check the affected systems, then verify the changes in TSA.
  2. Edit your Allowlist Assessments and/or create new ones to run on a regular schedule.
  3. Create Allowed Items for the open ports used by Tripwire products. To do this, you import an Open Ports CSV file from the Tripwire Customer Center (TCC):
    1. Navigate to the TE Product Downloads page of the TCC.
    2. From the Documentation section, download the Tripwire State Analyzer docs bundle for your version.
    3. Expand the file, then import the Open Ports CSV file as described in Importing or Exporting Allowed Items.