Thank you for using the LOCH platform and AirShield! The following first steps will help ensure your success with our platform.
This video can be viewed any time at https://file-cdn.802secure.net/multimedia/intro.mp4
0: Logging In and Account Management
To access the console, visit https://console.802secure.net/ and enter your e-mail address and password.
Forgotten Password
If you have forgotten your password, click the Forgot password? link underneath the Sign In button and enter your e-mail address. A password reset link will be sent to your e-mail address. If it doesn't arrive in a few minutes, check your Spam folder.
Profile Settings
To view and change your profile settings and account password, open the dropdown selection at the top right of the page and select Profile.
From the Profile page you can:
- Change your password
- Change your first and last name
To change your visual style, such as light or dark theme, full screen mode, or fixed side bars, click on the Layout Settings widget at the top right of the page.
1: Dashboard
The LOCH dashboard provides a quick bird's-eye view of your environment. It will show the number of AirShield sensors on-line, the count of AccessPoints and Clients seen in the past 24 hours, a breakdown of the risks and a searchable list of events. It is accessed by visiting https://console.802secure.com/dashboard or clicking on the Home icon at the top left of the menu bar.
2: Navigation and Filtering
Menu Bar
The menu bar on the far left of the screen is your primary method of switching to different sections of the Console. The menu bar view can be modified via the Layout Settings icon.
Menu selections are available based upon solutions purchased.
Filtering
Most tables provide filtering to aid in searching the large amounts of information collected or generated by the LOCH platform. These filter bars are generally at the top left of the table and provide both a user-friendly clickable interface and a SQL-like query text engine for more advanced uses.
Clicking on the filter icon opens a modal window.
Each field to be filtered on is available from the drop-down list and new fields can be added with the Add Rule button. By default, rules are additive in nature, meaning they are inclusive or exclusive to the search. They can be switched by selecting the AND/OR buttons, or their direction/selection inverted.
A grouping of terms can be created for more complex filtering queries.
The SQL-like text building the query is displayed in the search box next to the filter icon. This text can be copy/pasted and modified directly.
An invalid filter query will not be permitted.
3: Events
The Event page provides a fully searchable table listing of all activities identified by LOCH, generated by our Behavior and Analytics engine, AIRSHIELD sensors, or other sources.
The chart shows the event breakdown for the past 24 hours with the identifiers and counts.
Selecting an identifier will filter the graph.
Selecting the filter icon filters the search results.
Event Sources and Identifiers:
Events may have multiple sources:
- ANALYTICS: LOCH's Behavior Analytics Engine
- AIRDEFENSE: Sourced from AirDefense Syslog
- MERAKI: Sourced from Cisco Meraki Air Marshal Syslog
- CONSOLE: Actions performed on the console - LOGIN, LOGOUT, ASSIGNMENT, etc.
- CUSTOMER API: Events based on the Customer API
- SENSOR API: Issues related to communication between 802 hardware components and the API engine
- INTERROGATOR: LOCH's Interrogation Engine
- WIDS: Wireless Intrusion Detection System, usually protocol violations
- AIRSHIELD: Events generated on AirShield Sensors
- PERFORMANCE: Wi-Fi Performance Testing
Each event will have an identifier.
4: Lists and View Pages
AirShield continuously monitors and reports to the LOCH Cloud where this data is analyzed and stored in different tables. Viewing these tables will typically follow a similar principle of showing the most recently observed devices, generating a specific query to filter the results and a toolbar to perform different actions.
For example the WiFi Access Points page is broken into three main sections. The top section is the Asset Tag based on the six primary markets.
Below that are the Tools that perform actions such as quickly filtering results, defining a more complex query filter, exporting data, selecting rows and performing actions. Hovering over an icon will provide a tooltip showing that icon's action.
Finally the rest of the page is a data table view of the results.
Next Steps
AIRSHIELD sensors observe a significant amount of information to provide a long-running history of RF activity. The console provides access to this information for use in tracking down policy violators, unapproved devices, and generally understanding the exposed radio world.
After becoming comfortable with moving around the system, some of your next tasks should be:
- Ensure AIRSHIELD Sensor locations are correct
- Review all recently observed Access Points and Networks
- Identify your networks by their name (ESSID) and radio addresses (BSSID); use the query filter to narrow down your view accordingly
- Check to ensure the observed Encryption and Authentication methods are what you expect
- Review the Zero Trust Wireless Monitoring trust policy concept and how the AIRSHIELD Behavior Analytics Engine functions.
- If you do not have a wireless policy in place, consider building one
- If you have a small number of networks, e.g. your internal employee network and a guest network, the existing trust policies can be naturally applied.
- Place your networks (ESSIDs) and radios (BSSIDs) into Trust Levels
- Begin monitoring your network for Client Policy Violations and identifying higher risk clients.
- In some cases devices may be required to move between two different trusted network boundaries, in which case a unique Client Group could be created to organize and track these unique systems.
- Review the default Rules and Widgets on the primary Dashboard, creating new ones to match your environment
- Build specific Policies and configure Notifications
- If using a SIEM or SOAR, configure the events2logger service or set up cloud connections to your platform.
- Prepare for Threat Hunting with Incidents by installing the Incidents Tracker App on an Android phone
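The review steps above (identify your ESSIDs and BSSIDs, then confirm the observed Encryption and Authentication match expectations) can also be run offline against exported table data. The following is an added example, not LOCH's own code: the CSV column names, the policy structure and every address in it are constructed assumptions, not the console's export schema.

```python
import csv
import io

# Constructed policy (assumption): each ESSID we own, its approved radios,
# and the encryption/authentication we expect to observe on them.
POLICY = {
    "corp-wifi": {"bssids": {"02:00:00:aa:00:01", "02:00:00:aa:00:02"},
                  "encryption": "WPA2", "auth": "802.1X"},
    "corp-guest": {"bssids": {"02:00:00:aa:00:10"},
                   "encryption": "WPA2", "auth": "PSK"},
}

# Constructed sample export; column names are hypothetical.
SAMPLE_CSV = """essid,bssid,encryption,auth
corp-wifi,02:00:00:AA:00:01,WPA2,802.1X
corp-wifi,02:00:00:aa:00:02,WPA2,PSK
corp-wifi,02:00:00:bb:00:99,WPA2,802.1X
corp-guest,02:00:00:aa:00:10,OPEN,NONE
coffee-shop,02:00:00:cc:00:05,WPA2,PSK
"""

def audit(csv_text, policy):
    """Return (bssid, essid, finding) tuples for observed radios that violate policy."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        essid = row["essid"].strip()
        bssid = row["bssid"].strip().lower()  # normalise MAC case before comparing
        expected = policy.get(essid)
        if expected is None:
            continue  # a neighbouring network, not one of ours
        if bssid not in expected["bssids"]:
            # Our network name on a radio we never approved: review this first.
            findings.append((bssid, essid, "unapproved BSSID advertising our ESSID"))
            continue
        if row["encryption"].strip().upper() != expected["encryption"].upper():
            findings.append((bssid, essid, "unexpected encryption"))
        if row["auth"].strip().upper() != expected["auth"].upper():
            findings.append((bssid, essid, "unexpected authentication"))
    return findings

if __name__ == "__main__":
    for bssid, essid, finding in audit(SAMPLE_CSV, POLICY):
        print(f"{bssid}  {essid}  {finding}")
```
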