Student Guide
2 Launchpad v5.3 rev A Copyright© 2017 AlienVault. All rights reserved.
Table of Contents
Course Introduction .... 1
  Overview .... 1
  Course Introduction .... 2
Overview .... 1-1
  AlienVault USM Overview .... 1-3
  USM Architecture .... 1-10
  AlienVault Labs and OTX .... 1-14
Verifying Operations .... 2-1
  AlienVault USM User Interface .... 2-3
  USM Settings and Support .... 2-7
  AlienVault USM Primary Menu .... 2-12
  Environment Snapshot .... 2-19
  Verify Basic Operations .... 2-22
Asset Management .... 3-1
  Asset Overview .... 3-3
  Navigating the Assets UI .... 3-6
  Managing Assets .... 3-11
  Adding Assets .... 3-21
  Asset Discovery Scans .... 3-26
  Asset Groups .... 3-35
  Networks and Network Groups .... 3-42
  Asset Labels .... 3-50
Policies .... 4-1
  USM Policy UI Overview .... 4-3
  USM Policies for Events .... 4-8
  USM Policies for Directive Events .... 4-26
Security Analysis .... 5-1
  Security Analysis Process .... 5-3
  Overview Dashboards .... 5-5
  Remediating Alarms .... 5-13
  Investigate Events .... 5-26
  Check Raw Logs .... 5-37
  File Tickets .... 5-41
  Report Findings .... 5-45
Course Review .... 6-1
  Overview .... 6-1
  Course Wrap Up .... 6-2
ii AlienVault USM for Security Engineers v5.2 Rev A Copyright© 2015 AlienVault. All rights reserved.
Launchpad
Course Introduction
Overview
This module provides an introduction to the course.
Course Introduction
This course is designed to accelerate the student’s ability to properly operate the
AlienVault USM solution. Students will gain a clear understanding of AlienVault’s Open
Threat Exchange (OTX) and gain the knowledge and skills to manage users, identify
assets, and remediate security threats using the AlienVault USM solutions.
This one day course gives security engineers, analysts, and project team members an
orientation to AlienVault USM. It is designed to accelerate your awareness of the full
range of features in the USM platform, making you more effective.
You will learn the basic architecture of AlienVault USM and how it helps to protect your
organization. You'll also build a basic understanding of how to detect and respond to
threats.
Next, you'll learn how to control and monitor access to the system with User
Management. You'll then learn how to ensure that the system is operating properly
and how to work with assets.
Finally, you'll see how to turn the data that's coming from the system into valuable
information and action.
Overview
This module provides an overview of the AlienVault Unified Security Management (USM) solution.
AlienVault USM Overview
Asset discovery is an essential security capability of the AlienVault USM. The USM
discovers assets in your environment, detects changes in assets, and discovers rogue
assets in the network.
Asset discovery uses passive tools, such as passive operating system fingerprinting
and passive service discovery.
Asset discovery also utilizes active scanning, which can be scheduled to be performed
periodically or can be performed manually.
Intrusion Detection monitors network traffic for malicious activity, monitors system log
messages, and monitors user activity.
Intrusion detection for AlienVault USM consists of Host-based Intrusion Detection
(HIDS) and Network-based Intrusion Detection (NIDS) components.
Security intelligence combines and correlates collected logs and data to find malicious
patterns in network traffic and within host activity.
Security intelligence draws intelligence from different sources:
• AlienVault Lab Threat Intelligence correlation rules, which are created by
AlienVault Labs. These correlation rules are used to identify patterns associated
with malicious activity. They correlate data from different sources, such as
vulnerability scanning, NIDS, devices logs, etc. The NIDS component is populated
with well-tested signatures of recognized attacks.
• OTX threat data provides IP reputation information and OTX pulses which consist
of indicators of compromise (IoCs) that identify a specific threat. OTX is an open
information sharing and analysis network, where all AlienVault users can
participate and share information about incidents that may impact others. OTX
pulses provide you with a summary of the threat, a view into the software targeted,
and the related indicators of compromise (IoC) that can be used to detect the
threats.
The three core components of the AlienVault USM are:
• USM Sensor: deployed throughout your network to collect events for complete
visibility.
• USM Server: aggregates and correlates information gathered by the USM
Sensors, and provides single pane-of-glass management, reporting and
administration.
• USM Logger: securely archives raw event log data for forensic investigations and
compliance mandates.
With an All-in-One deployment, all three are on one system.
The USM Sensor combines asset discovery, vulnerability assessment, threat
detection, and behavioral monitoring to provide full situational awareness. The USM
Sensor is the front-line security module of the USM platform and provides detailed
visibility into your environment, vulnerabilities, attack targets and vectors, and services.
Events collected by the USM Sensor are normalized into a unified format, and dynamic
functions, such as date normalization and DNS resolution, are performed. Normalized
events are then sent to the USM Server component.
The USM Server provides a unified management interface that combines security
automation and AlienVault Labs Threat Intelligence to correlate data, spot anomalies,
reduce risk, and improve your operational efficiency.
The USM Server receives events from the USM Sensor and performs policy
evaluation. The policy defines what happens with each event. By default, events pass
through the correlation engine and the risk assessment module and are then stored in
the SQL database. Events can also be forwarded to another USM Server, if required.
This flow is completely configurable through threat intelligence policies.
Correlation can be done logically, where events are compared against patterns
composed with logical operators such as OR and AND. Correlation can also be done
by cross correlation, where events are correlated with vulnerability data.
After events are processed and correlated, the USM Server performs risk analysis
and triggers an alarm if the risk of the event is high enough.
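The two correlation styles just described, as an added example written for this guide and not AlienVault's code: a directive built from AND/OR predicates over normalized events (several failed SSH logins followed by a successful one from the same source within a time window), and cross-correlation that raises a NIDS event's reliability when the destination host is known to carry the vulnerability the signature targets. The event names, hosts, signature name, vulnerability identifier and the reliability scheme are all constructed for the demonstration.

```python
"""Added example (not AlienVault code): the two correlation styles the text describes.

 * Logical correlation: a directive matches a pattern built from AND/OR over
   normalized events, here "N failed SSH logins AND a successful login from the
   same source within a time window".
 * Cross-correlation: a NIDS event is checked against the vulnerability data known
   for the destination host; a hit raises the event's reliability.
All events, hosts, signature names and vulnerability ids below are constructed.
"""
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class Event:
    ts: int             # seconds since epoch (constructed)
    plugin: str         # originating plugin, e.g. "ssh" or "nids"
    name: str           # normalized event name
    src: str            # source IP
    dst: str            # destination IP
    reliability: int    # 0-10: how confident the source is that the event is real
    note: str = ""      # free text added by correlation


Predicate = Callable[[Event], bool]


def all_of(*preds: Predicate) -> Predicate:
    """AND of predicates: every condition must hold for the event."""
    return lambda e: all(p(e) for p in preds)


def any_of(*preds: Predicate) -> Predicate:
    """OR of predicates: at least one condition must hold."""
    return lambda e: any(p(e) for p in preds)


def named(*names: str) -> Predicate:
    return lambda e: e.name in names


failed_login = all_of(lambda e: e.plugin == "ssh", named("ssh failed login"))
success_login = all_of(lambda e: e.plugin == "ssh", named("ssh successful login"))
interesting = any_of(failed_login, success_login)   # events the directive looks at


def brute_force_directive(events: List[Event], window: int = 300,
                          min_failures: int = 3) -> List[Event]:
    """Logical correlation: one directive event per successful login that was preceded,
    within `window` seconds and from the same source, by >= min_failures failures.
    Reliability grows with the number of failures, capped at 10 (constructed scheme)."""
    out: List[Event] = []
    by_src: Dict[str, List[Event]] = {}
    for e in sorted(filter(interesting, events), key=lambda e: e.ts):
        by_src.setdefault(e.src, []).append(e)
    for src, evs in by_src.items():
        failures = [e for e in evs if failed_login(e)]
        for ok in (e for e in evs if success_login(e)):
            recent = [f for f in failures if ok.ts - window <= f.ts < ok.ts]
            if len(recent) >= min_failures:
                out.append(Event(ok.ts, "directive",
                                 "Brute force: successful login after failures",
                                 src, ok.dst, min(10, 4 + len(recent)),
                                 note=f"{len(recent)} failures in {window}s"))
    return out


# Constructed vulnerability inventory: host -> vulnerability ids found by a scan
VULN_DB: Dict[str, Set[str]] = {"10.0.0.5": {"VULN-PLACEHOLDER-1"}}
# Constructed mapping: NIDS signature -> vulnerability it targets
NIDS_TARGETS: Dict[str, str] = {"SMB exploit attempt": "VULN-PLACEHOLDER-1"}


def cross_correlate(e: Event) -> Event:
    """Cross-correlation: if the destination host is known to carry the vulnerability
    the signature targets, the event is far more credible, so reliability goes to 10."""
    vuln = NIDS_TARGETS.get(e.name) if e.plugin == "nids" else None
    if vuln and vuln in VULN_DB.get(e.dst, set()):
        return replace(e, reliability=10, note="target vulnerable")
    return e


SAMPLE_EVENTS = [Event(100 + 10 * i, "ssh", "ssh failed login", "203.0.113.7", "10.0.0.5", 3)
                 for i in range(4)] + [
    Event(200, "ssh", "ssh successful login", "203.0.113.7", "10.0.0.5", 2),
    Event(210, "nids", "SMB exploit attempt", "203.0.113.7", "10.0.0.5", 4),
    Event(215, "nids", "SMB exploit attempt", "203.0.113.7", "10.0.0.9", 4),
]


def correlate(events: List[Event]) -> List[Event]:
    """Cross-correlate every event, then run the logical directive over the set."""
    enriched = [cross_correlate(e) for e in events]
    return enriched + brute_force_directive(enriched)


if __name__ == "__main__":
    for e in correlate(SAMPLE_EVENTS):
        print(e.ts, e.plugin, e.name, e.src, "->", e.dst, "reliability", e.reliability, e.note)
```

The directive event carries a higher reliability than any of its input events, which is what later lets the risk assessment turn it into an alarm even when the individual failed logins were too weak on their own; the cross-correlated NIDS event reaches reliability 10 only for the host that actually has the vulnerability.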
The USM Logger is the secure data archival component of the USM platform.
AlienVault Labs conducts security research on global threats and vulnerabilities. The
team of security experts constantly monitors, analyzes, reverse engineers, and reports
on sophisticated zero-day threats including malware, botnets, phishing campaigns and
more.
AlienVault Labs Threat Intelligence drives USM security capabilities by identifying the
latest threats, resulting in the broadest view of attacker techniques and effective
defenses.
AlienVault Labs research is also a critical part of our analysis. Our labs team
generates original research on high profile threats, as well as instrumenting the
automatic analysis for discovering and certifying all threats coming from OTX partners
and USM customers who opt to share data.
Open Threat Exchange (OTX) is the world’s first open threat intelligence community
that enables collaborative defense with actionable, community-powered threat data.
AlienVault Labs and other security researchers provide information to help understand
attacks that are currently being investigated and analyzed.
This data is automatically analyzed through a powerful discovery engine that is able to
granularly analyze the nature of the threat, and a similarly powerful validation engine
that continually curates the database and certifies the validity of those threats.
AlienVault OTX is a free open information sharing and analysis network that provides
access to real-time, detailed information about incidents that may impact you, allowing
you to learn from, and work with, others who have already experienced them.
We will be going over OTX in more detail later in the class.
For more information, go to https://otx.alienvault.com.
Verifying Operations
This module describes AlienVault Unified Security Management (USM) installation, basic
configuration and verification, and the web user interface (UI).
AlienVault USM User Interface
(Slide: annotated screenshot of the USM user interface; the numbered callouts include 2. Primary menu and 5. Environment Snapshot.)
The Utility menu includes the following buttons:
• WELCOME - This shows the username of the user who is currently logged into the
system.
• IP ADDRESS – This shows the IP address or hostname of the USM.
• MESSAGE CENTER – The message center centralizes all in-system errors,
warnings, and messages.
• SETTINGS – This button shows the current user’s profile, current sessions by all
users, and user activity.
• SUPPORT – This button provides access to the help area and to diagnostic
support tools.
• LOGOUT - This button logs out the current user from the USM.
On the following slides, we look more closely at some of these buttons—the
MESSAGE CENTER, the SETTINGS menu, and SUPPORT.
USM Settings and Support
The CURRENT SESSIONS menu lists who is logged into the system. If you are not
the administrator, the administrator must grant you permission in order for you to see
this list.
For each user, you see their username, IP address, and several other parameters.
You also have the option to log out a specific user by clicking on the button under
Actions.
As shown in the slide, three users are currently logged into the system.
The SUPPORT section includes three areas:
• HELP - On the left side, this option provides links to the AlienVault forum and
to news about the latest releases of the USM. The right side includes a
Learning Center where you can find the information on how the USM functions.
• SUPPORT TOOLS - This option includes two tools that you might use when
working with AlienVault’s support team—the Diagnostic Tool and Remote
Support. The AlienVault Diagnostic Tool collects information about the system
status and sends it to the AlienVault Support Team. Connecting to Remote
Support will open an encrypted connection for AlienVault Support to diagnose
any issues with your AlienVault system(s).
• DOWNLOADS - This option provides links to software packages for AlienVault
operation.
The primary menu covers the main functions of the USM. This includes the following
five menus:
• DASHBOARDS
• ANALYSIS
• ENVIRONMENT
• REPORTS
• CONFIGURATION
The second area that can be selected in the primary menu is ANALYSIS. This area
includes the following options:
• ALARMS - Any event with a risk of 1 or greater generates an alarm. The Alarms
option shows all the alarms generated in the USM. You can also search for alarms
using filters.
• SECURITY EVENTS (SIEM) – Use this option to visualize all events that are
processed or generated by the SIEM Server. You can do a forensic analysis of all
events that have been processed by the USM. The SIEM database is designed for
rapid and versatile analysis, which is required for the detection of, and response to,
attacks.
• RAW LOGS - This option allows you to display stored logs. The USM Logger
allows you to store a large volume of data for compliance, forensic analysis, or
other purposes. The USM Logger is specifically geared for long-term storage and
forensic archiving. The USM Logger stores data, digitally signs it, and timestamps
the data. The data is securely stored and its integrity is preserved.
• TICKETS - A ticket is an element within the USM that contains information about
detected alarms or any other issues that you want to track in a workflow. There are
simple and advanced filters available to facilitate searches. You can create tickets
manually. In addition, some USM functions, such as vulnerability scanning allow
you to create tickets automatically. Tickets for alarms have to be opened manually.
The fourth area that can be selected in the primary menu is REPORTS. This area has
all of the report types available. This option allows you to run reports on your USM
deployment, download them as PDF, and send them via e-mail. You can also modify
the contents and layout of reports. In addition, you can schedule reports to be created
automatically.
Environment Snapshot
You can expand the Notification Tray to view the Environment Snapshot by clicking on
the small arrow on the right side of the USM user interface. The Environment
Snapshot shows open tickets, unresolved alarms, system health, latest event activity,
the number of monitored devices, and a graph of events received per second over a
recent period of time.
Once the basic configuration of your USM system is completed, you should verify that
it is operating properly. Complete the following tasks to verify basic operations:
1. Observe any system errors and warnings in the Message Center to determine if
there are any outstanding issues with the system and log collection.
Next, you should check that events are flowing into the USM’s database.
Any normalized log entry, received or generated by any USM at the application,
system, or network level is called an event.
The USM Server is the component responsible for collecting normalized events from a
USM Sensor, correlating them, and performing risk assessment. The USM Server
stores events in its database, which is designed for rapid analysis that is required for
attack detection and response.
To see events in the database, navigate to ANALYSIS > SECURITY EVENTS (SIEM).
On this screen, you can observe events, view details about events by clicking them,
and search and filter for events using time ranges and search filters.
The USM Server uses a formula based on Asset Value, Event Priority, and Event
Reliability to calculate an Event’s Risk. Any Event with a Risk of 1 or greater is an
Alarm.
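A worked version of that calculation, added here for this guide and not taken from the page or from AlienVault's code. The text names only the three inputs and the threshold of 1; the concrete formula (asset value times priority times reliability, divided by 25), the input scales (asset value 0 to 5, priority 0 to 5, reliability 0 to 10) and rounding down are taken from AlienVault's public documentation and are assumptions of this example. The sample events and asset values are constructed. The example also shows the practical effect of the asset value discussed in the asset management module: the same event alarms on a high-value host and stays silent on a low-value one, and a helper reports the reliability an event must reach before it can alarm at all.

```python
"""Added example (not AlienVault code): risk scoring and the alarm threshold.

The text states that risk is computed from Asset Value, Event Priority and Event
Reliability and that any event with risk >= 1 is an alarm. The formula and scales
used here come from AlienVault's public documentation, not from this page, and are
an assumption of this example:
    risk = (asset_value * priority * reliability) / 25
asset_value 0..5 (default 2, as the text says), priority 0..5, reliability 0..10,
result rounded down and capped at 10. The event data below is constructed.
"""
from typing import Dict, List, Optional, Tuple

ALARM_THRESHOLD = 1
DEFAULT_ASSET_VALUE = 2


def _check(name: str, value: int, hi: int) -> None:
    if not isinstance(value, int) or not 0 <= value <= hi:
        raise ValueError(f"{name} must be an integer in 0..{hi}, got {value!r}")


def risk(asset_value: int, priority: int, reliability: int) -> int:
    """Risk on a 0..10 scale; rounded down because the UI reports integer risk."""
    _check("asset_value", asset_value, 5)
    _check("priority", priority, 5)
    _check("reliability", reliability, 10)
    return min(10, (asset_value * priority * reliability) // 25)


def is_alarm(r: int) -> bool:
    """Any event with risk >= 1 is an alarm."""
    return r >= ALARM_THRESHOLD


def min_reliability_for_alarm(asset_value: int, priority: int) -> Optional[int]:
    """Smallest reliability that turns an event into an alarm, or None if it never can.
    Useful when tuning: with low asset values some event types can never alarm."""
    product = asset_value * priority
    if product == 0:
        return None
    needed = -(-25 // product)      # ceil(25 / product)
    return needed if needed <= 10 else None


def score(events: List[Dict], asset_values: Dict[str, int]) -> List[Tuple[str, int, bool]]:
    """Score each event against its destination asset's value (default 2 if unknown)."""
    out = []
    for ev in events:
        av = asset_values.get(ev["dst"], DEFAULT_ASSET_VALUE)
        r = risk(av, ev["priority"], ev["reliability"])
        out.append((ev["name"], r, is_alarm(r)))
    return out


# Constructed sample: the same event against three hosts with different asset values
SAMPLE_EVENTS = [
    {"name": "Brute force: successful login", "dst": "10.0.0.5", "priority": 3, "reliability": 6},
    {"name": "Brute force: successful login", "dst": "10.0.0.9", "priority": 3, "reliability": 6},
    {"name": "Brute force: successful login", "dst": "10.0.0.20", "priority": 3, "reliability": 6},
]
ASSET_VALUES = {"10.0.0.5": 5, "10.0.0.9": 1}   # 10.0.0.20 falls back to the default of 2


if __name__ == "__main__":
    for name, r, alarm in score(SAMPLE_EVENTS, ASSET_VALUES):
        print(f"{name}: risk={r} alarm={alarm}")
    print("reliability needed to alarm at asset value 2, priority 2:",
          min_reliability_for_alarm(2, 2))
```

With these inputs the event scores 3 on the asset valued 5, 1 on the asset left at the default value of 2, and 0 on the asset valued 1, so only the first two become alarms. The helper makes the tuning consequence explicit: at asset value 2 and priority 2 an event needs reliability 7 to alarm, and at asset value 1 and priority 1 no reliability is high enough.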
To see alarms in your system, navigate to ANALYSIS > ALARMS. Below the filtering
and searching tools (but above the line-by-line listing of alarms), you can see a
graphical representation of alarms.
Blue circles indicate the number of alarms in a category at a particular time. A bigger
circle indicates a higher number of alarms. Alarms are prioritized according to five
categories:
• System compromise
• Exploitation and installation
• Delivery and attack
• Reconnaissance and probing
• Environmental awareness
The lower part of the window displays a list of alarms. Clicking an alarm will show
additional information about the alarm. Clicking View Details provides an even greater
level of information about the events that triggered the alarm. The Alarm Details page
also includes a Knowledge Base article with information about the alarm and
recommended steps to investigate it.
Finally, to finish verifying basic operations, you should check that logs are being stored
in the USM Logger.
The USM Logger provides a file format that is specially designed to store logs for
long-term archiving. By default, the logs are indexed, compressed and digitally signed
every hour to ensure their integrity (more immediate signing can be enabled if
required). You can verify that the USM Logger component is receiving raw logs from
network devices by viewing the data in the Raw Logs screen.
To see the logs, navigate to Analysis > Raw Logs. The upper part of the window
displays a chart, where you can see the log trends in a predefined time frame. Logs
are displayed in the lower part of the window. You can see details about a log by
clicking the log.
You can also use the search box to search for specific logs, or select a time range in
order to display logs only for the selected time range.
When performing a search, the INDEXED QUERY performs a search against the
index compiled during the most recently-completed indexing operation. This search is
very fast, but may not include the latest log entries received. The RAW QUERY
performs a real-time search of the log files themselves. It will be slower to return
results but the results will be more complete.
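A small model of the Logger behaviour described above, added as an example for this guide and not AlienVault's implementation: hourly chunks are compressed and signed, an index is built at one point in time, an INDEXED QUERY answers from that index and a RAW QUERY scans the stored files. An HMAC over the compressed chunk stands in for the digital signature, and the directory layout, key and log lines are constructed. It shows both effects a practitioner should expect: the indexed query missing lines that arrived after the last indexing run, and the integrity check failing once an archived chunk has been altered.

```python
"""Added example (not AlienVault's code): a toy model of the USM Logger behaviour
described in the text. Hourly chunks are compressed and signed, an index is built
at one point in time, INDEXED QUERY answers only from that index and RAW QUERY
scans the stored files. An HMAC over the compressed chunk stands in for the digital
signature; all paths, keys and log lines are constructed for the demo."""
import gzip
import hashlib
import hmac
import os
import tempfile
from typing import Dict, List, Set, Tuple

SIGNING_KEY = b"constructed-demo-key"      # stand-in for the logger's signing key


class ToyLogger:
    def __init__(self, root: str) -> None:
        self.root = root
        # term -> set of (hour, line number), built by the last completed indexing run
        self.index: Dict[str, Set[Tuple[str, int]]] = {}

    def _path(self, hour: str) -> str:
        return os.path.join(self.root, f"{hour}.log.gz")

    def hours(self) -> List[str]:
        return sorted(n[:-len(".log.gz")] for n in os.listdir(self.root)
                      if n.endswith(".log.gz"))

    def append(self, hour: str, lines: List[str]) -> None:
        """Append raw lines to the chunk for `hour` (a new gzip member is appended)."""
        with gzip.open(self._path(hour), "at") as fh:
            for line in lines:
                fh.write(line.rstrip("\n") + "\n")

    def read(self, hour: str) -> List[str]:
        with gzip.open(self._path(hour), "rt") as fh:
            return [line.rstrip("\n") for line in fh]

    def sign(self, hour: str) -> str:
        """Hourly signing of a closed chunk: a tag over the compressed bytes, stored beside it."""
        with open(self._path(hour), "rb") as fh:
            tag = hmac.new(SIGNING_KEY, fh.read(), hashlib.sha256).hexdigest()
        with open(self._path(hour) + ".sig", "w") as fh:
            fh.write(tag)
        return tag

    def verify(self, hour: str) -> bool:
        """Integrity check: recompute the tag and compare it in constant time."""
        with open(self._path(hour), "rb") as fh:
            actual = hmac.new(SIGNING_KEY, fh.read(), hashlib.sha256).hexdigest()
        with open(self._path(hour) + ".sig") as fh:
            return hmac.compare_digest(actual, fh.read().strip())

    def build_index(self) -> None:
        """The 'most recently completed indexing operation': index what is stored now."""
        self.index = {}
        for hour in self.hours():
            for n, line in enumerate(self.read(hour)):
                for term in line.split():
                    self.index.setdefault(term, set()).add((hour, n))

    def indexed_query(self, term: str) -> List[str]:
        """Fast, but blind to anything appended after build_index()."""
        cache: Dict[str, List[str]] = {}
        hits = []
        for hour, n in sorted(self.index.get(term, set())):
            cache.setdefault(hour, self.read(hour))
            hits.append(cache[hour][n])
        return hits

    def raw_query(self, term: str) -> List[str]:
        """Slower: decompresses and scans every chunk, so it sees the newest lines too."""
        return [line for hour in self.hours() for line in self.read(hour)
                if term in line.split()]


def demo() -> Dict[str, object]:
    lg = ToyLogger(tempfile.mkdtemp(prefix="toylogger-"))
    # Constructed syslog-style lines (not real captures)
    lg.append("2017-01-01T10", [
        "Jan  1 10:05:01 fw01 sshd[412]: Failed password for root from 203.0.113.7 port 51022",
        "Jan  1 10:05:09 fw01 sshd[412]: Accepted password for admin from 198.51.100.4 port 51030",
    ])
    lg.sign("2017-01-01T10")          # the hour closes and is signed
    lg.build_index()                  # indexing runs
    lg.append("2017-01-01T11", [      # new lines arrive after the index was built
        "Jan  1 11:00:03 fw01 sshd[455]: Failed password for root from 203.0.113.7 port 51100",
    ])
    result: Dict[str, object] = {
        "indexed_hits": len(lg.indexed_query("203.0.113.7")),
        "raw_hits": len(lg.raw_query("203.0.113.7")),
        "verified_before": lg.verify("2017-01-01T10"),
    }
    # The archived chunk is rewritten without the failed-login line; the tag no longer matches
    with gzip.open(lg._path("2017-01-01T10"), "wt") as fh:
        fh.write("Jan  1 10:05:09 fw01 sshd[412]: Accepted password for admin "
                 "from 198.51.100.4 port 51030\n")
    result["verified_after_tamper"] = lg.verify("2017-01-01T10")
    return result


if __name__ == "__main__":
    print(demo())
```

The signing key here lives in the same process as the data, which is only acceptable in a demo; the point of the page's design is that the signature is produced at archive time so that a later modification of the stored file is detectable, and the raw-versus-indexed difference is why an analyst who needs the very latest entries chooses RAW QUERY despite its cost.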
Asset Management
This module describes AlienVault Unified Security Management (USM) asset management.
Asset Overview
Assets in AlienVault are grouped based on IP addresses and networks that are
monitored by AlienVault. Grouping based on IP addresses allows for easier
management of and searching for assets. Assets can be grouped by functionality (e.g.
Firewalls), location (e.g. “headquarters”), or another type of grouping. Similarly,
networks monitored by AlienVault can be grouped into network groups.
The USM has an asset management system that is used by all AlienVault
components. The assets are initially added to the USM using passive discovery and
active scanning.
Assets can also be added manually. This can be performed by adding individual
assets using the web UI, or by importing assets from security events or Comma
Separated Value (CSV) files.
The Asset Management System allows for easy asset search using rich filters and
subsequently enables reviewing and editing of asset information. Assets can also be
removed from the asset repository by deleting them.
The Asset Management System also includes an integrated inventory, which can store
additional information about individual assets. This proves useful for tracking
properties of assets belonging to/owned by an organization.
Additionally, you can manage the AlienVault HIDS through the Asset Management
System. This is covered later in this course in Module 7, Threat Detection.
ASSETS & GROUPS is available in the Environment menu.
Under the ASSETS & GROUPS menu, there are five secondary menus that provide
an interface for managing the following:
• ASSETS
• ASSET GROUPS
• NETWORKS
• NETWORK GROUPS
• SCHEDULE SCAN
These sub-menus will be covered throughout the course.
If you click an asset, the asset will be expanded to display additional information:
Vulnerabilities, Alarms, Events, Availability, Services, Groups, and Notes. The
DETAILS button displays detailed information about an asset.
Once the asset(s) are selected, you can perform the following through the ACTIONS
menu:
• Edit the selected asset(s)
• Delete the selected asset(s)
• Run an Asset Scan
• Run a Vulnerability Scan
• Deploy HIDS Agents on the selected asset(s)
• Enable Availability Monitoring
• Disable Availability Monitoring
• Create an Asset Group or add to an existing one
• Add a Note
There is a search field located at the top part of the window. The field shows selected
filters. The X icon is used to delete a selected filter. To clear the entire search filter,
select the Clear All Filters option.
Managing Assets
In Asset Details, you can perform these through the ACTIONS menu:
• Edit the asset
• Delete the asset
• Run an Asset Scan
• Run a Vulnerability Scan
• Enable Availability Monitoring
• Disable Availability Monitoring
Assets have three editable sections: GENERAL, PROPERTIES, and SOFTWARE.
The GENERAL section covers the basic information of an asset. The following are its
editable fields:
• Name - By default, the AlienVault system automatically assigns a name to a
discovered asset in the form Host_ followed by the IP address, with dots replaced
by underscores (_). You can replace the default name with a meaningful name.
• IP Address – IP address of the asset. You can identify multiple IP addresses in
the address window for a single asset. Separate multiple IP addresses by
commas.
• FQDN/Aliases - You can enter a Fully Qualified Domain Name (FQDN) of the
asset, or you can enable reverse DNS resolution when performing asset discovery.
• Asset Value - You can change the value of an asset, depending on the role the
asset has in an organization. By default, asset value is set to 2. This is covered in
more detail in the next few slides.
• Device Types - Select device type and subtype from the drop-down menu. To
remove a device type, click the “X” below the Device Type list.
You can also set other properties, such as description and location of the asset.
Additionally, you can provide an icon for the asset, toggle availability monitoring of the
asset, and define if the asset is external or internal.
Each asset in an organization should have a value assigned, based on the importance
of the asset’s role in the organization. For example, printers in a printing company are
very important for business processes and will have a very high asset value.
In organizations where printers are not important, the asset value for printers may be
set to 0 or 1. In organizations where printers are the most important assets on the
network, such as printing shops, the asset value for printers may be set to a high
value, such as 4 or 5.
By contrast, printers in a company that offers web hosting are not as important and
will have a low asset value. That company’s web servers would matter more, and
therefore would be assigned a higher asset value than the printers.
The PROPERTIES section covers more specific information about an asset, including
hardware, roles, and department. The following are configurable properties of an
asset:
• Users Logged
• Role
• Department
• Workgroup
• Machine state
• CPU
• Memory
• Video
• ACL
• Route
• Storage
• MAC Address
Note that property settings can be locked, which means they will not be overwritten
during future asset discoveries.
Note that the Save button in the Properties tab only saves the specific property. It
does not save your global changes. To save changes, return to the General tab and
click the Save button.
Note that the Save button in the Software tab only saves the specific property. It
does not save your global changes. To save changes, return to the General tab and
click the Save button.
Adding Assets
To add an individual asset manually, select ADD HOST from the ADD ASSETS menu.
The NEW ASSET window appears.
Fill in the required fields. Note that this screen is similar to the GENERAL tab in the
EDIT ASSET dialogue. Click SAVE when you are done populating the input fields.
After you are done adding your asset, the USM will take you to the Asset Details page
of the corresponding asset.
You can also import assets from SIEM events. This option checks events and
networks, and imports all new assets that the SIEM discovered.
Once you select Import From SIEM, the USM will search the SIEM events for any new
assets on your networks.
If new assets are found, you will be prompted to IMPORT or CANCEL the results. If
you wish, you can also view the logs to see what the USM determines is an asset.
Assets are imported 25,000 at a time. If the USM found more than 25,000 hosts, you
will need to rerun the Import from SIEM until all the hosts are added.
Asset discovery is one of the primary USM functions and is used for the initial
discovery of assets. It can also be used to augment the knowledge of existing assets
by determining an asset’s operating system and the services (open ports) running on
it.
Open the ADD ASSETS menu and select Scan for New Assets. This will open the
SCAN FOR NEW ASSETS screen. In the screen, first select assets, asset groups,
networks, or network groups you would like to scan.
The following options are available for the scan timing template:
• Paranoid - This mode scans very slowly. It serializes all scans (no parallel
scanning) and generally waits at least 5 minutes between sending packets.
• Sneaky - Runs as paranoid mode but with a 15 second wait time.
• Polite - Serializes the probes and waits at least 0.4 seconds between them.
• Normal - The default behavior, which tries to run as quickly as possible without
overloading the network or missing hosts/ports.
• Aggressive – Scans with a 5-minute timeout per host, and never waits more than
1.25 seconds for probe responses.
• Insane - Suitable for very fast networks. It times out hosts in 75 seconds and only
waits 0.3 seconds for individual probes.
Finally, enable auto detection of services and operating systems, and enable reverse
DNS resolution to automatically determine the FQDN of scanned assets. Click START
SCAN when you have finished configuring the scan.
An Asset Discovery Scan takes time, depending on the number of scanned assets,
selected scan type, and timing template. Once assets are scanned, the results will be
displayed in a table below the scan configuration window. You can review the
scanning results and decide to delete the results (CLEAR SCAN RESULTS), or
update asset information in the database with the results (UPDATE DATABASE
VALUES).
Note that the results of the asset discovery scan are not automatically added to the
database. You must select the results and click Update Database Values.
In the scan above, the USM found three hosts. The scan detected that one of the
assets is running the Microsoft Windows 7 operating system, and that some services
are running on the machine. The other two assets are running Linux.
When the database is updated, the USM will display the list of updated assets.
If there is already information that the USM views as more accurate, the USM will not
overwrite that information, but will display a warning. If you wish to see more
information on the warning, click the details icon.
1. Navigate to ENVIRONMENT > ASSETS & GROUPS > SCHEDULE SCAN to enable
periodic asset discovery. Click on SCHEDULE NEW SCAN.
2. Enter a name for the task, select a sensor from which the scan will be performed,
and enter networks you want to scan.
3. Select scan type, timing template, and optionally enable auto detection of
operating system and services and reverse DNS resolution.
4. Select scanning frequency. The provided options are Hourly, Daily, Weekly, and
Monthly.
Asset Groups
Asset groups are administratively created objects that group similar assets for specific
purposes. For example, you could group all network firewalls, or all servers running
Microsoft Server operating system. Such groups are useful when performing various
tasks, such as vulnerability assessment or asset discovery, or when you are interested
only in events coming from specific devices. Grouping of assets is possible based on
various properties. The following are some of them:
• Asset value
• Network
• Software running on assets
• Sensor that monitors assets
• Device type of asset
• Open port or services running on assets
• Location of assets
Asset groups are integrated into the USM workflow. They can be used for running
reports, filtering alarms/events/raw logs, scans, policies, and directives for threat
intelligence.
This will bring up a dialogue box. In this, you will see a list of any created asset groups
if they exist. If there are not any pre-existing asset groups or you do not wish to use a
pre-existing asset group, type in the name of the New Group, and then click the “+”
icon.
You can edit an asset group from the listing of asset groups under
ENVIRONMENT > ASSETS & GROUPS > ASSET GROUPS. Alternatively, navigate to
the desired Group Details and click Edit under the ACTIONS menu.
The group details that you can edit are the group name, owner, and description.
Assets in USM are part of a network. USM identifies networks by their CIDR
notation, and each asset is placed in a network according to its IP address.
Networks can in turn be grouped into network groups for easier management.
Networks also determine which assets are imported during asset discovery: only
hosts that fall within a configured network are imported. Grouping assets by IP
address and configured network makes asset navigation and management easier.
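The two organizing principles above, membership in a network decided by CIDR and membership in an asset group decided by a property, are easy to see in code. The following Python script is an added illustration, not USM code; the network definitions, the network group, the discovered hosts and their attributes are all constructed sample values. It picks the longest matching prefix when networks overlap and reports hosts that belong to no configured network, which are the ones discovery would not import.

```python
"""Organize discovered assets into networks by CIDR and into asset groups by
property.  Added illustration, not USM code; every network, host and
attribute below is a constructed sample value."""
import ipaddress
from collections import defaultdict

# Constructed network definitions: name -> CIDR
NETWORKS = {
    "Lab Servers": "10.128.10.0/24",
    "DMZ": "10.177.16.0/24",
    "Corp Clients": "192.168.0.0/16",
}

# Constructed network group: group name -> member networks
NETWORK_GROUPS = {"Datacenter": ["Lab Servers", "DMZ"]}

# Constructed scan results, shaped like what an asset discovery scan reports
ASSETS = [
    {"ip": "10.128.10.15", "os": "Windows 7", "ports": {"tcp/445", "tcp/3389"}},
    {"ip": "10.177.16.150", "os": "Linux", "ports": {"tcp/22", "tcp/80"}},
    {"ip": "192.168.5.9", "os": "Linux", "ports": {"tcp/22"}},
    {"ip": "172.16.1.1", "os": "Linux", "ports": {"tcp/22"}},
]


def network_of(ip, networks=NETWORKS):
    """Name of the configured network containing ip, preferring the longest
    prefix when networks overlap; None when no network contains it."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for name, cidr in networks.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net and net.prefixlen > best_len:
            best, best_len = name, net.prefixlen
    return best


def organize_by_network(assets, networks=NETWORKS):
    """Group asset IPs by network.  Assets that fall in no configured network
    land under the key None: those are the hosts discovery would not import."""
    grouped = defaultdict(list)
    for asset in assets:
        grouped[network_of(asset["ip"], networks)].append(asset["ip"])
    return dict(grouped)


def network_group_members(group, by_network, groups=NETWORK_GROUPS):
    """All asset IPs of every network that belongs to a network group."""
    return sorted(ip for name in groups[group] for ip in by_network.get(name, []))


def asset_group(assets, predicate):
    """An asset group: the IPs of all assets for which predicate holds, e.g. a
    device type, an open port or service, or an operating system."""
    return sorted(a["ip"] for a in assets if predicate(a))


if __name__ == "__main__":
    by_net = organize_by_network(ASSETS)
    for name, ips in by_net.items():
        print(name or "not in any configured network", ips)
    print("Datacenter:", network_group_members("Datacenter", by_net))
    print("SSH servers:", asset_group(ASSETS, lambda a: "tcp/22" in a["ports"]))
    print("Linux hosts:", asset_group(ASSETS, lambda a: a["os"] == "Linux"))
```

Running the script prints one line per network plus the unmatched host 172.16.1.1, then the two property-based groups. Swapping the predicate passed to asset_group is all it takes to build a group by any other attribute the scan records.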
The NETWORKS view has a similar search filter to assets and asset groups.
2. Initially, the Getting Started Wizard in the USM All-in-One will find the monitored
networks.
3. If you provide a network range to scan, USM will add the network.
The Network Details screen will display various details of your network. This screen
provides a similar display to asset details.
In Network Details, you can observe the snapshot and properties of assets belonging
to the network. You can also toggle on and off the details about the network, delete the
network, and observe environment status of assets and suggestions.
On the right side of the screen, there is an action menu, edit icon, and a deletion icon
for this specific network. Directly below that is a map, showing the network’s location if
defined.
Below the map on the right side is the ENVIRONMENT STATUS. This displays
whether or not HIDS, Automatic Asset Discovery, or Vulnerability Scan Scheduled are
enabled for assets on this network. The status circle that is located next to the link can
appear in three different colors:
• Red - Nothing is available.
• Green - Everything is available.
• Yellow - Some are available. Note this color will not be displayed for Vulnerability
Scan Scheduled.
Networks can be grouped into network groups for administrative purposes. To create a
network group, navigate to Environment > Assets & Groups > Network Groups.
Click NEW to create a new network group. Specify the name for the network group, a
description, and select network group members from the network list. Click SAVE
when you are done adding networks to the group.
Asset labels are an additional organizational tool for your USM implementation.
They let you tag assets by attribute (for example firewalls, switches, or printers),
which helps you manage your USM environment.
Next, the MANAGE LABELS dialogue box will open. Here you will see any labels
already created in the LABEL LIST. From here, you can delete or edit any pre-existing
labels or create a new one.
You have a variety of colors to choose from for your label.
Once you have created the desired label, click SAVE.
Note that clicking SAVE will not assign a label to your assets or asset groups.
Labels are the most flexible way of organizing assets. An asset, asset group, or
network can carry multiple labels.
For example, the assets above each carry several labels: Server2008 has the Windows
and Lab Servers labels, whereas the fw-dmz asset has the Firewalls and Perimeter
Network labels.
Policies
This module describes AlienVault Unified Security Management (USM) policies.
USM Policy UI Overview
To configure policies, navigate to CONFIGURATION > THREAT INTELLIGENCE >
POLICY.
Policies can be configured separately for events (the upper part of the screen) and
directive events (the lower part of the screen). Since directive events are generated by
the USM Server, you have the option to configure a policy for directive events
generated only by an individual USM Server.
If required, you can configure policy groups, which allow you to group policies for
administrative purposes.
By default, three policy groups exist: Default policy group, AV default policies, and
Policies for events generated in server.
You can create your own policy groups by clicking the EDIT POLICY GROUPS button,
and then providing a name for the group.
Policies are composed of policy rules, which are applied in descending order. When an
event is being processed, policy rules are evaluated in order from top down. When an
event matches a rule, the system stops processing that event. This is the reason why
very specific and restrictive rules should be defined at the top of the rules list, while
generic rules should be specified at the bottom of the rules list.
The figure shows an example where 3 policy rules are configured:
• The first rule matches Cisco ASA events with source IP address of 10.128.10.15.
• The second rule matches all Cisco ASA events.
• The third rule matches Cisco ASA events with source IP address of 10.177.16.150.
Because the second rule is generic, it will match all Cisco ASA events. Therefore, the
third rule, which is more specific, will never be evaluated. In order to correctly process
events, the INTERNAL_NMAP rule should be placed before the FIREWALL_EVENTS
rule.
Policies are composed of conditions and consequences. Conditions determine which
events are processed by the policy. Consequences define what will happen to events
matching the specified conditions.
If a field is not currently filled in, it will appear yellow. For example, the source and
destinations are not filled in when a policy is first created. Therefore, those fields will
appear yellow on a new policy.
For source or destination ports, you can designate multiple values for UDP and TCP
ports. For example, you can set up a port group called DNS with both UDP port 53 and
TCP port 53.
• SOURCE PORTS - Defines TCP or UDP source port of an event.
• DESTINATION PORTS - Defines TCP or UDP destination port of an event.
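Both the rule ordering problem described earlier (the generic FIREWALL_EVENTS rule shadowing the more specific INTERNAL_NMAP rule) and the DNS port group above can be checked with a small first-match evaluator. The Python below is an added illustration and not USM code: the rule names FIREWALL_EVENTS and INTERNAL_NMAP and the two source addresses come from the text, while the first rule's name, the events, and the shape of the conditions are constructed.

```python
"""First-match policy evaluation, added to show why specific rules must sit
above generic ones and how a port group holds both UDP and TCP ports.
Not USM code: rule names FIREWALL_EVENTS and INTERNAL_NMAP and the two
source IPs come from the text; everything else is constructed."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# A port group is a set of (protocol, port) pairs, so one group can hold
# both UDP 53 and TCP 53 as the DNS example in the text does.
PortGroup = FrozenSet[Tuple[str, int]]
DNS: PortGroup = frozenset({("udp", 53), ("tcp", 53)})


@dataclass
class Rule:
    name: str
    data_source: str                        # condition: event data source
    source_ip: Optional[str] = None         # condition: None means any source
    dest_ports: Optional[PortGroup] = None  # condition: None means any port


def matches(rule, event):
    """True when every condition the rule sets is satisfied by the event."""
    if rule.data_source != event["data_source"]:
        return False
    if rule.source_ip is not None and rule.source_ip != event["src_ip"]:
        return False
    if rule.dest_ports is not None:
        if (event["proto"], event["dst_port"]) not in rule.dest_ports:
            return False
    return True


def first_match(rules, event):
    """Walk the rules top-down; the first match ends processing of the event."""
    for rule in rules:
        if matches(rule, event):
            return rule.name
    return None


def shadowed_rules(rules, sample_events):
    """Rules that none of the sample events reaches because an earlier rule
    always matches first: the misconfiguration the text warns about."""
    reached = {first_match(rules, e) for e in sample_events}
    return [r.name for r in rules if r.name not in reached]


# Rule order as in the figure described in the text (first rule name constructed)
MISORDERED = [
    Rule("ASA_HOST_A", "Cisco ASA", source_ip="10.128.10.15"),
    Rule("FIREWALL_EVENTS", "Cisco ASA"),
    Rule("INTERNAL_NMAP", "Cisco ASA", source_ip="10.177.16.150"),
]
# Same rules with INTERNAL_NMAP moved above the generic FIREWALL_EVENTS rule
CORRECTED = [MISORDERED[0], MISORDERED[2], MISORDERED[1]]

# Constructed events: one that each rule is meant to catch
SAMPLE_EVENTS = [
    {"data_source": "Cisco ASA", "src_ip": "10.128.10.15", "proto": "tcp", "dst_port": 443},
    {"data_source": "Cisco ASA", "src_ip": "10.177.16.150", "proto": "tcp", "dst_port": 22},
    {"data_source": "Cisco ASA", "src_ip": "10.0.0.7", "proto": "udp", "dst_port": 53},
]

if __name__ == "__main__":
    print("misordered, shadowed rules:", shadowed_rules(MISORDERED, SAMPLE_EVENTS))
    print("corrected,  shadowed rules:", shadowed_rules(CORRECTED, SAMPLE_EVENTS))
    dns_rule = Rule("DNS_ONLY", "Cisco ASA", dest_ports=DNS)
    print("DNS group matches UDP 53:", matches(dns_rule, SAMPLE_EVENTS[2]))
```

With the rules in the figure's order, shadowed_rules reports INTERNAL_NMAP because the event from 10.177.16.150 is consumed by FIREWALL_EVENTS first; after reordering, the list is empty. Feeding a representative event per rule through such a check is a cheap way to catch unreachable rules before a policy goes live.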
In addition to selecting already existing data source groups, you can create a new data
source group by selecting the desired data sources or event types.
After you’ve created your new data source group, select it in the list box.
To access the other conditions, click ADD MORE CONDITIONS. This will bring up a
dialogue box with the available options. The available options are:
• Sensors
• Reputation
• Event priority
• Time range
The REPUTATION panel allows you to match events based on the reputation of either
source or destination IP address of an event.
TIME RANGE is a time window for matching events. For example, if you want to email
an admin about a successful login to the HR server between 3am and 6am, you can set
up a policy that does exactly that.
The SIEM consequence determines how the USM Server will process events. In
almost all cases, you want to use the power of the SIEM within the USM to correlate
events that arrive at the USM Server.
If you enable the SIEM capability, you can then select to enable or disable several
options:
• Change the priority of events
• Perform risk assessment of events
• Perform logical correlation of events
• Perform cross-correlation of events
• Store events in the SIEM SQL database
Note that if you disable the SIEM option, this will disable the other options within the
SIEM consequence.
The FORWARDING consequence defines whether events will be forwarded to another
USM Server or USM Logger. The default setting is No. Selecting Yes only works if
other USM Servers or USM Loggers have previously been configured in the USM.
Like a policy for events, a policy for directive events is composed of conditions and
consequences. Conditions determine which events are processed by the policy.
Consequences define what will happen to events matching the specified conditions.
However, the policy for directive events has fewer conditions and consequences, since
such policies are designed to match only directive events that have been created
within the specific USM Server.
Choosing Data Source (DS) Groups for directive event policies works differently from
choosing DS Groups for event policies.
By default, you can choose only all Directive events; no other directive event
groups are listed. To have additional choices, click INSERT NEW DS GROUP.
SIEM consequences for directive event policies work the same way as the SIEM
consequences for event policies.
Security Analysis
This module describes security analysis of alarms and events produced by AlienVault Unified
Security Management (USM).
Security Analysis Process
Overview Dashboards
Navigate to DASHBOARDS > OVERVIEW to examine the threat level of networks that
are being monitored by the USM. In the next few slides you will see several
dashboards that can help you determine the overall security posture and find unusual
behavior.
The EXECUTIVE dashboard at DASHBOARDS > OVERVIEW > EXECUTIVE shows
an overview of the network. Pay attention to the overall threat level of the network and
to Top 10 event categories to determine top event types that threaten your network.
The upper right pod in the OVERVIEW Dashboard shows the top OTX activity in your
USM. This shows the five OTX pulses that generated the most events in your
environment.
The NETWORK dashboard at DASHBOARDS > OVERVIEW > NETWORK shows
information about network trends and statistics. This information is provided by
NetFlow, which is used to collect and transmit information about network traffic flow.
Pay attention to abrupt changes that deviate from expected traffic patterns. Examine
the source and destination IP addresses and source and destination ports of such
flows. Use that information to search if there are any related events or alarms.
Below the Events from Most Active OTX Pulses, there’s a trend graph that shows
events from all OTX pulses.
Remediating Alarms
Navigate to ANALYSIS > ALARMS to examine alarms. The upper part of the screen
is the search. The middle part of the screen represents alarms in a graphical way. The
lower part of the screen displays a list of alarms sorted by date by default.
Navigate to ANALYSIS > ALARMS. When you are filtering alarms, you can filter on a
specific OTX Pulse to see all alarms generated from a specific pulse or filter to see all
alarms generated from any OTX pulses.
When you click VIEW DETAILS the details about an alarm are shown. On the upper
part of the screen you can examine information about the source and the destination of
the traffic triggering the alarm. You can also see the recommended knowledge base
article with the information about the alarm.
Clicking on the OTX Indicators for pulses or OTX IP reputation will open up a box with
the OTX details.
On the lower part of the screen, you will see individual events that triggered the alarm.
If the alarm is a result of a directive event then you will see individual events and a
directive event that was created by these individual events.
You can examine details about a single event by clicking the name of the event.
If an alarm has OTX data associated with it, it will appear in the alarm list. Events and
alarms with OTX data are shown in one of two colors:
• Orange – security events that were generated from a pulse
• Blue – security events that include OTX IP reputation data
Security events that were generated from an OTX pulse and also include IP reputation
information will appear orange.
If an event listed in an alarm has an orange OTX icon, clicking on it will bring up details
about the OTX pulse.
When investigating an alarm it is also useful to check if there are any related events in
the SIEM database that were not correlated by the correlation engine. For example,
you can search for events that came from the same host as the offending traffic, which
triggered the alarm.
You can search for events by navigating to ANALYSIS > SECURITY EVENTS (SIEM)
> SIEM. Events are listed in the lower part of the screen while the upper screen
displays filters that can be used to find events. You can also click ADVANCED
SEARCH to specify a more granular search.
In the example, the filter is specified to find only events that are related to the source
IP address that was reported in the alarm discussed previously.
You can sort the events based on the event name, date, and sensor that detected the
event, source or destination IP address and risk. You can examine details about an
event by clicking the event.
Look for events that are related to alarms but that were not correlated by the
correlation engine. If you observe that scenario, consider customizing existing
directive rules or creating custom ones.
Below the search filter, you will see a list of events that matches your search.
When you click the blue OTX icon (if available) in the list of security events, the OTX
IP reputation dialogue will be displayed.
If you wish to investigate an event, click on the view details icon. This will display
several details about the event, including a raw log that triggered the event.
The next step when examining alarms is to check information about an asset involved
in an alarm. Navigate to ENVIRONMENT > ASSETS & GROUPS > ASSETS to
search for the asset that is involved in the alarm you are investigating.
Verify the operating system and services to confirm that the alarm triggered is valid
and needs to be investigated further.
Check Raw Logs
You can examine details about a log by clicking and expanding the log.
You can also verify the integrity of a log by verifying the log signature. Click the
Validate button at the right side of each log to verify whether a log has been altered. In
the example, signature verification succeeded which means that the log has not been
changed since it was initially signed.
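What the Validate check establishes, that a stored line still matches the signature computed when it was written, can be shown with a small signing and validation routine. The Python below is an added illustration, not USM's own log signing scheme: it uses a per-line HMAC-SHA256 under a constructed key, and the log lines are constructed too.

```python
"""Sign each raw log line at write time and validate it later, added to show
what the Validate check in the text establishes.  This is a plain per-line
HMAC-SHA256, an illustration rather than USM's own log signing scheme; the
key and the log lines are constructed."""
import hashlib
import hmac

# Constructed key.  In a real design the key must not live beside the logs,
# or whoever can edit the logs can also re-sign them.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def sign_line(line, key=SIGNING_KEY):
    """Hex HMAC-SHA256 over the exact bytes of one raw log line."""
    return hmac.new(key, line.encode("utf-8"), hashlib.sha256).hexdigest()


def store(lines, key=SIGNING_KEY):
    """Records as written to the log store: (line, signature) pairs."""
    return [(line, sign_line(line, key)) for line in lines]


def validate(records, key=SIGNING_KEY):
    """Recompute every signature and compare in constant time.  Returns
    (line, ok) pairs so altered lines are reported, not silently dropped."""
    return [(line, hmac.compare_digest(sign_line(line, key), sig))
            for line, sig in records]


def altered_lines(records, key=SIGNING_KEY):
    """Just the lines whose signature no longer matches."""
    return [line for line, ok in validate(records, key) if not ok]


# Constructed raw log lines
RAW_LOGS = [
    "Mar  3 10:15:01 hr-srv sshd[2211]: Failed password for root from 10.0.0.7 port 51022 ssh2",
    "Mar  3 10:15:09 hr-srv sshd[2211]: Accepted password for jdoe from 10.128.10.15 port 51023 ssh2",
]

if __name__ == "__main__":
    records = store(RAW_LOGS)
    print("untouched records altered:", altered_lines(records))
    # Simulate an after-the-fact edit: the signature stays, the text changes
    line, sig = records[0]
    tampered = [(line.replace("Failed", "Accepted"), sig), records[1]]
    print("tampered records altered:", altered_lines(tampered))
```

The untouched records validate cleanly; changing a single word in one line while keeping its signature makes that line show up in altered_lines, which is the condition a failed Validate click reports.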
File Tickets
Tickets can be opened in several ways:
• Automatically, as a result of a configured policy.
• Automatically, in response to vulnerabilities detected by a vulnerability scan of
an asset.
• Manually during alarm investigation, when examining the details of an alarm.
• Manually, unrelated to any alarm or event.
To open a ticket during an alarm investigation click CREATE TICKET from the
ACTIONS menu when examining details about an alarm. A new window opens where
you can enter information about the ticket. The majority of the input fields are already
populated from the alarm details. You need to select the priority of the ticket and
assign the ticket to an administrative user.
Report Findings
You can run reports either immediately through the web UI or you can schedule them
by creating a scheduler task to run reports once or periodically. After AlienVault USM
generates a report, you can view it directly in the web UI in HTML or you can download
or send the report via email as a PDF document.
You can also customize reports to meet your business needs, both in terms of content
and “look and feel” (company logo, color palette, and so on).
To run a report immediately, navigate to Reports > All Reports and search for a
report you would like to run. Alternatively, you can select a desired report category
from the REPORTS drop-down menu to display only the reports from the desired
family.
You can also filter the displayed reports by entering a report name into the Search
field. The search functionality displays search results on the fly.
You can also display the details of a report by clicking the report name. The details of
a report display which modules are included in the report. In the example, the details
about Alarm Report are shown. The report uses the Default layout and consists of the
Title Page and the following modules:
• Alarms – Top Attacked Host
• Alarms – Top Attacker Host
• Alarms – Top Destination Ports
• Alarms – Top Alarms
• Alarms – Top Alarms by Risk
Execute the report by clicking the Run icon.
Based on the type of the report, the date range, and the number of assets it may take
a while for the system to generate the report. After the system generates the report, it
displays it in the web UI as an HTML document. You can either download the report as
a PDF document or send it to a defined email address.
Course Review
Overview
This module provides a course review.
Course Wrap Up
The Launchpad course gets you started by showing you how to verify that the system is
operating, how to work with your assets, the basics of policies, and finally how to use
dashboards and alarms to begin the process of security analysis. It is an excellent way
to start understanding the power of USM, but it does not give the complete coverage
that you get in the AlienVault USM for Security Engineers (AUSE) class.
Take AlienVault USM for Security Engineers to learn about working with different data
sources, and how to correlate data. This course also covers how to use the different
reports, customize them, use them to manage compliance challenges, as well as the
ins and outs of threat detection.
Join the Open Threat Exchange