LiveFlow Security Insights - LiveWire - 25.3.0

LiveWire 25.3.0 New Features
ft:locale
en-US
Product name
LiveWire
Version
25.3.0

The following new LiveFlow Alerts have been added to LiveWire.

  • Anomalous IP Hops
  • Encryption on IANA Reserved Port
  • RDP on Non-Standard Port
  • Threat Intel Indicator
  • TLS Forbidden Version
  • TLS Missing SNI
  • TLS Self-Signed Certificate
  • TLS Unusual Certificate
  • Unassigned Encryption
  • Unauthorized Application Use
  • Unexpected Encryption
  • Unexpected Plaintext

LiveFlow Configuration - Capture Options

The configuration options for LiveFlow Alerts have been upgraded to support more complicated options.

Malicious IP or Domain Detected LiveFlow Alert is one such example. In the LiveFlow capture options, configuration for LiveFlow alerts can be found by clicking the “Configure” button under the “LiveFlow Alerts” section, which will display the LiveFlow Alerts Configuration modal.



In the LiveFlow Alerts Configuration modal, the LiveFlow Alerts with more complex options will have a gear icon on the far right which, upon clicking it, will open up a sidebar with more configuration options.





Security Insights Licensing

Beginning with LiveWire 25.3, the user must have the security insights enabled LiveWire License applied to the LiveWire in order to enable the following LiveFlow Alerts:

Note: This is not a separate license that is added or activated. It is a LiveWire license that includes Security Insights as a feature.
  • Anomalous IP Hops
  • Cleartext Credentials Detected
  • Encryption on IANA Reserved Port
  • Kerberos Detected
  • Kerberos RC4 Detected
  • Malicious IP or Domain Detected
  • Microsoft IP Detected
  • NTLM Protocol Detected
  • RDP on Non-Standard Port
  • Threat Intel Indicator
  • TLS Certificate Anomalies Detected
  • TLS Client Excessive Handshakes
  • TLS Long Lived Connection
  • TLS Missing SNI
  • TLS Self-Signed Certificate
  • TLS Unusual Certificate
  • TLS Weak Cipher Suite
  • Unassigned Encryption
  • Unauthorized Application Use
  • Unexpected Encryption
  • Unexpected Plaintext


Sending LiveFlow Alerts to LiveNX

Updating Certificates in LiveNX LiveAdmin
  1. Load LiveAdmin in LiveNX into your browser
  2. Click the “TLS” view in the left panel

  3. Upload the desired certificate file to “Public Certificate* (PEM)” and the desired private key to “Private Key* (RSA unencrypted)”, and then click “Upload”. Note: The certificate file must include the domain name to LiveNX.

  4. Refresh the browser page.
Enabling Network Intelligence & Security Dashboard in LiveNX
  1. Load LiveNX in your browser.
  2. Go to the LiveNX Settings.

  3. Navigate to “Network Intelligence Configuration” → “Network Configuration.”

  4. Click the “LiveAction Receiver Configuration” toggle button into the “Enabled” state to turn on the Network Intelligence feature.

  5. Copy the “Token” field under the “LiveAction Receiver Configuration” section. This token will be used to configure OpenTelemetry in LiveWire.

  6. Click the “Save” button under the “LiveAction Receiver Configuration” section.
  7. Navigate to “Security Dashboard” and click the “Enable Security Dashboard” checkbox.

  8. Click the “Apply” button.
Configuring OpenTelemetry in LiveWire
  1. Load LiveWire in your browser.
  2. Go to the “Configure Engine” view.

  3. Navigate down to the “OpenTelemetry” section and do the following:
    1. Make sure the “Enable OpenTelemetry” radio button is selected
    2. Enter the “Endpoint”, which should be “https://:4317”, where is the domain name pointing to LiveNX and is also a domain name in the certificate file used in LiveNX and LiveWire.
    3. Enter the “Token” from LiveNX in the “LiveAction Receiver Configuration” section.
    4. Make sure “LiveFlow Alerts” is toggled on in the “Send” section.
    5. Make sure “Use TLS” is checked and “Skip certificate verification” is not checked.
    6. Upload the desired certificate file to CA Certificate in the TLS section (this must be the same certificate file uploaded to LiveNX through LiveAdmin).

  4. Click the “Apply” button to apply the changes.

Configuring LiveFlow Capture in LiveWire

  1. Load LiveWire in your browser.
  2. Go to the Captures view.

  3. Either create a New “LiveFlow Capture” from the “New Capture” drop down, or modify the capture options of an existing LiveFlow capture by clicking the “Capture Options” button for the LiveFlow capture.

  4. In the “LiveFlow” section of the capture options, there is an “Output” sub-section. If there doesn’t already exist an output target for “OpenTelemetry (LiveFlow Alerts)”, add one by clicking the “Add Output” button to see a drop down of possible outputs and selecting “OpenTelemetry (LiveFlow Alerts)”.



  5. The “OpenTelemetry (LiveFlow Alerts)” output target must be enabled (the toggle button must be blue and to the right), and the “LiveFlow Alerts” checkbox option must be checked. If anything in the “OPENTELEMETRY STATUS” section is red, then you haven’t configured the OpenTelemetry settings correctly and you will need to revisit the “Configuring OpenTelemetry in LiveWire” above.
  6. After modifying any additional capture options you desire, click the “OK” button.

LiveNX Security Insights UI

  1. Load LiveNX in your browser.
  2. Click the “Security” button in the top bar.

  3. This is the new Security UI.