Module 1 - Data Analysis using CyberSense | Scribe

    Module 1 - Data Analysis using CyberSense

        Review the existing Cyber Recovery pre-created policies for NetWorker and PPDM

        In this lesson you'll analyze NetWorker copies using CyberSense and learn how to interpret the data CyberSense displays for a post-attack investigation.
        1
        Log in to Cyber Recovery with the following credentials: Username: **cradmin**, Password: **Password123!**
        2
        Navigate to the Policies section of the UI. You should see the **NetWorker-FS** and **PPDM-FS** policies that were already created as part of this lab.

        Copies Analysis using CyberSense

        3
        We already have the last **GOOD** copy of NetWorker and PPDM data, which was analyzed by **CyberSense** (already added from the Applications tab as part of this lab). The following steps were performed to add the **CyberSense** application; users can delete it and add it again with these settings. Provide the FQDN/IP address of the CyberSense host with root credentials and a Storage Username, which is a DDBoost user present on the Vault DD. Analysis uses the DDBoost API to run analysis for particular workloads. Check the Cyber Recovery and CyberSense guides for additional information.
        4
        From the **Infrastructure** menu, click **Assets** on the left-hand side of the CR UI, open the Applications tab and click Add. Enter the following values for the CyberSense host and click SAVE:
        Nickname = CyberSense
        FQDN or IP Address = cybersense.vault.local
        Application Type = CyberSense
        Tags = a tag name of your choice for the CyberSense application (optional)
        Host Username = root
        Host Password = Password123!
        SSH Port = 22
        5
        Starting with Cyber Recovery release 19.13 and CyberSense release 8.2, you must configure the interface links between the CyberSense server(s) and the PowerProtect DD systems before you can analyze and copy. The interface link feature, also called "Multi Link", lets CyberSense load balance network traffic when reading data from the DD system(s) during analyze jobs. It is mandatory to configure a DDBoost user on each CyberSense server for every DD system it will read files from; the DDBoost protocol is used to check that the connection exists and is stable, and Cyber Recovery manages this check and displays the connectivity status. If a DD system has more than one network interface, it is recommended to configure the DDBoost user for each network interface. For more information, refer to the Cyber Recovery Product Guide.
        6
        Click the Configure link in the "Interface Links" column of the CyberSense server.
        7
        Select the DD system.
        8
        Select a network interface of the DD and a network interface of the CyberSense server, then click Add Interface Link. In other environments there might be more network interfaces, which you can link together the same way. When ready to create the multi-interface link configuration, click **Save**.
        9
        The **status** must show **Active** before you can analyze copies. It might take several minutes for the status to update.
        10
        Select the **Policies** page and navigate to **Copies**. Review the last **GOOD** copies for the **NetWorker-FS** and **PPDM-FS** policies.

        Infected data for NetWorker-FS policy

        11
        Infected data for the Production client (client1.demo.local) has already been backed up to the Production DD ddveprod.demo.local using the Production NetWorker server (192.168.1.20) and synced to the Vault DD ddvevault.vault.local.
        12
        Users can view the infected data in the **CS-Data --> Pre-configured NW policy** folder on the Launch Pad desktop. The infected data was copied to the **/temp** directory on the production client, then backed up and synced.

        Create a Copy and Analyze it

        13
        Let's now create a copy of the infected data that was already synced to the Vault DD. Select the **NetWorker-FS** policy under the Policies tab and run **Copy Lock**.
        14
        Keep the default Retention Lock Duration of 12 hours and click **Apply**.
        15
        Navigate to the Jobs page. The Copy Lock job should now be completed.