
Page 1: AlienVault Launchpad Getting Started with USM · AlienVault Launchpad Getting Started with USM Version 5.3 Rev A ... USM Architecture ... go to https: //otx.alienvault.com ...

AlienVault Launchpad Getting Started with USM

Version 5.3 Rev A

Student Guide


2 Launchpad v5.3 rev A Copyright© 2017 AlienVault. All rights reserved.


Table of Contents

Course Introduction ........................................ 1
    Overview ............................................... 1
    Course Introduction .................................... 2

Overview ................................................... 1-1
    AlienVault USM Overview ................................ 1-3
    USM Architecture ....................................... 1-10
    AlienVault Labs and OTX ................................ 1-14

Verifying Operations ....................................... 2-1
    AlienVault USM User Interface .......................... 2-3
    USM Settings and Support ............................... 2-7
    AlienVault USM Primary Menu ............................ 2-12
    Environment Snapshot ................................... 2-19
    Verify Basic Operations ................................ 2-22

Asset Management ........................................... 3-1
    Asset Overview ......................................... 3-3
    Navigating the Assets UI ............................... 3-6
    Managing Assets ........................................ 3-11
    Adding Assets .......................................... 3-21
    Asset Discovery Scans .................................. 3-26
    Asset Groups ........................................... 3-35
    Networks and Network Groups ............................ 3-42
    Asset Labels ........................................... 3-50

Policies ................................................... 4-1
    USM Policy UI Overview ................................. 4-3
    USM Policies for Events ................................ 4-8
    USM Policies for Directive Events ...................... 4-26

Security Analysis .......................................... 5-1
    Security Analysis Process .............................. 5-3
    Overview Dashboards .................................... 5-5
    Remediating Alarms ..................................... 5-13
    Investigate Events ..................................... 5-26
    Check Raw Logs ......................................... 5-37
    File Tickets ........................................... 5-41
    Report Findings ........................................ 5-45

Course Review .............................................. 6-1
    Overview ............................................... 6-1
    Course Wrap Up ......................................... 6-2


Launchpad

Course Introduction

Overview

This module provides an introduction to the course.


Course Introduction

This course is designed to accelerate the student’s ability to properly operate the AlienVault USM solution. Students will gain a clear understanding of AlienVault’s Open Threat Exchange (OTX) and gain the knowledge and skills to manage users, identify assets, and remediate security threats using the AlienVault USM solutions.

This one-day course gives security engineers, analysts, and project team members an orientation to AlienVault USM. It is designed to accelerate your awareness of the full range of features in the USM platform, making you more effective.

You will learn the basic architecture of AlienVault USM and how it helps to protect your organization. You'll also build a basic understanding of how to detect and respond to threats.

Next, you'll learn how to control and monitor access to the system with User Management. You'll then learn how to ensure that the system is operating properly and how to work with assets.

Finally, you'll see how to turn the data that's coming from the system into valuable information and action.


This course is designed as an introduction to operating USM after initial professional services engagement covering installation and initial configuration.


As you complete the course, refer freely to our Documentation Center for additional information or to research related topics.


Module 1

Overview

This module provides an overview of the AlienVault Unified Security Management (USM) solution.


AlienVault USM Overview


The figure shows the five essential security capabilities of the AlienVault USM solution.

The five capabilities are discussed in the subsequent slides.


Asset discovery is an essential security capability of the AlienVault USM. The USM discovers assets in your environment, detects changes in assets, and discovers rogue assets in the network.

Asset discovery uses passive tools, such as passive operating system fingerprinting and passive service discovery.

Asset discovery also utilizes active scanning, which can be scheduled to be performed periodically or can be performed manually.


Vulnerability assessment identifies vulnerabilities by comparing the installed software on assets with a database of known vulnerabilities. Vulnerability assessment can also be used to check compliance.

Scanning of assets can be unauthenticated or authenticated. With an authenticated scan, which uses an administrative user account on the target, AlienVault USM can scan the assets more effectively.


Intrusion Detection monitors network traffic for malicious activity, monitors system log messages, and monitors user activity.

Intrusion detection for AlienVault USM consists of Host-based Intrusion Detection (HIDS) and Network-based Intrusion Detection (NIDS) components.


Behavioral monitoring is used to detect abnormal traffic in the network by spotting anomalies from the NIDS functionality, and by tracking asset availability.

NetFlow records, or network flows, include the following data:

• Source IP address and port

• Destination IP address and port

• Network protocol (TCP, UDP, ICMP, etc.)

• Type of service

• Number of packets

• Number of bytes

• Number of flows

• Bits, bytes, and packets per second

• Bytes per packet

Behavioral monitoring uses NetFlow in two ways:

• Flows can be generated by network devices and sent to the USM Server, or

• The USM Sensor generates flows from the mirrored traffic it receives and sends the flows to the USM Server.

In both cases, the USM Server acts as NetFlow collector.

The behavioral monitoring capability also includes integrated asset availability monitoring.
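As an added example (not from the AlienVault course or product), the Python below derives the per-flow metrics listed above from raw flow records and summarizes them per source host, the kind of processing a NetFlow collector does before behavioral monitoring can spot a volume anomaly. The CSV layout, the sample flows, the flow-duration field and the baseline values are constructed assumptions.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record carrying the fields listed in the text.
    A flow duration (assumed field) is included so per-second rates can be derived."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str          # TCP, UDP, ICMP, ...
    tos: int            # type of service
    packets: int
    byte_count: int
    duration_s: float   # seconds between first and last packet of the flow

    def bytes_per_packet(self) -> float:
        return self.byte_count / self.packets if self.packets else 0.0

    def bytes_per_second(self) -> float:
        return self.byte_count / self.duration_s if self.duration_s > 0 else 0.0

    def bits_per_second(self) -> float:
        return 8 * self.bytes_per_second()

    def packets_per_second(self) -> float:
        return self.packets / self.duration_s if self.duration_s > 0 else 0.0


# Constructed sample export, not real traffic. Columns (assumed layout):
# src,sport,dst,dport,proto,tos,packets,bytes,duration_s
SAMPLE_FLOWS = """
10.1.1.10,51234,10.1.2.20,443,TCP,0,120,96000,60
10.1.1.10,51235,10.1.2.21,443,TCP,0,80,64000,60
10.1.1.11,51300,10.1.2.20,53,UDP,0,10,900,5
10.1.1.12,40000,203.0.113.9,443,TCP,0,4000,5200000,60
"""

# Constructed per-host outbound byte baseline for the same interval,
# e.g. learned from previous days of collected flows.
BASELINE_BYTES = {"10.1.1.10": 150_000, "10.1.1.11": 5_000, "10.1.1.12": 200_000}


def parse_flows(text: str) -> list[Flow]:
    """Parse the CSV layout above; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = [x.strip() for x in line.split(",")]
        if len(f) != 9:
            raise ValueError(f"malformed flow record: {line!r}")
        flows.append(Flow(f[0], int(f[1]), f[2], int(f[3]), f[4], int(f[5]),
                          int(f[6]), int(f[7]), float(f[8])))
    return flows


def per_host_summary(flows: list[Flow]) -> dict[str, dict[str, int]]:
    """Aggregate number of flows, packets and bytes per source host,
    as a collector would before comparing hosts against a baseline."""
    summary = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0})
    for fl in flows:
        host = summary[fl.src_ip]
        host["flows"] += 1
        host["packets"] += fl.packets
        host["bytes"] += fl.byte_count
    return dict(summary)


def outbound_anomalies(flows: list[Flow], baseline: dict[str, int],
                       factor: float = 5.0) -> dict[str, float]:
    """Flag hosts whose outbound bytes exceed `factor` times their baseline.
    Hosts with no baseline at all are flagged with an infinite ratio: a host
    never seen sending traffic before is itself worth a look (rogue asset check)."""
    flagged = {}
    for ip, stats in per_host_summary(flows).items():
        if ip not in baseline:
            flagged[ip] = float("inf")
        elif baseline[ip] > 0 and stats["bytes"] > factor * baseline[ip]:
            flagged[ip] = round(stats["bytes"] / baseline[ip], 1)
    return flagged


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for fl in flows:
        print(f"{fl.src_ip} -> {fl.dst_ip}:{fl.dst_port} {fl.proto} "
              f"{fl.bits_per_second():.0f} bps, {fl.bytes_per_packet():.0f} B/pkt")
    print("anomalies:", outbound_anomalies(flows, BASELINE_BYTES))
```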


Security intelligence combines and correlates collected logs and data to find malicious patterns in network traffic and within host activity.

Security intelligence draws intelligence from different sources:

• AlienVault Labs Threat Intelligence correlation rules, which are created by AlienVault Labs. These correlation rules identify patterns associated with malicious activity by correlating data from different sources, such as vulnerability scanning, NIDS, device logs, etc. The NIDS component is populated with well-tested signatures of recognized attacks.

• OTX threat data provides IP reputation information and OTX pulses which consist of indicators of compromise (IoCs) that identify a specific threat. OTX is an open information sharing and analysis network, where all AlienVault users can participate and share information about incidents that may impact others. OTX pulses provide you with a summary of the threat, a view into the software targeted, and the related indicators of compromise (IoC) that can be used to detect the threats.


USM Architecture


The three core components of the AlienVault USM are:

• USM Sensor: deployed throughout your network to collect events for complete visibility.

• USM Server: aggregates and correlates information gathered by the USM Sensors, and provides single pane-of-glass management, reporting and administration.

• USM Logger: securely archives raw event log data for forensic investigations and compliance mandates.

With an All-in-One deployment, all three are on one system.


The USM Sensors are designed to send their data to the USM Server. Once the USM Server has processed the data from the USM Sensors, the data is stored on the USM Logger.


The USM Sensor combines asset discovery, vulnerability assessment, threat detection, and behavioral monitoring to provide full situational awareness. The USM Sensor is the front-line security module of the USM platform and provides detailed visibility into your environment, vulnerabilities, attack targets and vectors, and services.

Events collected by the USM Sensor are normalized into a unified format, and dynamic functions such as date normalization and DNS resolution are performed. The normalized events are then sent to the USM Server component.

The USM Server provides a unified management interface that combines security automation and AlienVault Labs Threat Intelligence to correlate data, spot anomalies, reduce risk, and improve your operational efficiency.

The USM Server receives events from the USM Sensor and performs policy evaluation. The policy defines what happens with each event. By default, events are sent to the correlation engine, then to the risk assessment module, and then stored in the SQL database. Events can also be forwarded to another USM Server, if required. This flow is completely configurable through threat intelligence policies.

Correlation can be done logically, where events are compared to patterns composed using logical operators such as OR and AND. Correlation can also be done by cross-correlation, where events are correlated with vulnerability data.

After events are processed and correlated, the USM Server performs risk analysis and triggers an alarm if the risk of the event is high enough.
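As an added example (not AlienVault code), the Python below models the Server flow described above in miniature: policy evaluation, logical correlation of events against an AND/OR pattern, cross-correlation against vulnerability data, risk assessment, and an alarm when the risk reaches 1 (the threshold Module 2 gives for alarms). The scoring scales, the risk formula, the example policy, the directive and the sample events are assumptions made for the example, not the product's real configuration.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Tuple, Union

# A correlation pattern is a signature name or a nested ("AND"|"OR", pattern, ...).
Pattern = Union[str, Tuple]


@dataclass(frozen=True)
class Event:
    """A normalized event as received from a USM Sensor (assumed fields)."""
    src_ip: str
    dst_ip: str
    signature: str    # normalized event type, e.g. "ssh_bruteforce"
    service: str      # service the event targets; "none" if not applicable
    priority: int     # assumed 0-5 scale: how serious this event type is
    reliability: int  # assumed 0-10 scale: how likely it is a true positive


@dataclass(frozen=True)
class Asset:
    """What the Server knows about a host from asset and vulnerability data."""
    ip: str
    value: int                      # assumed 0-5 business value
    vulnerable_services: frozenset  # services flagged by vulnerability assessment


def policy_allows(event: Event, trusted_scanners: set[str]) -> bool:
    """Policy evaluation (assumed example policy): events from an authorized
    internal scanner are stored but never reach the correlation engine."""
    return event.src_ip not in trusted_scanners


def pattern_matches(pattern: Pattern, seen: set[str]) -> bool:
    """Logical correlation: evaluate a nested AND/OR pattern over the set of
    signatures seen between one source and one destination."""
    if isinstance(pattern, str):
        return pattern in seen
    op, *terms = pattern
    if op == "AND":
        return all(pattern_matches(t, seen) for t in terms)
    if op == "OR":
        return any(pattern_matches(t, seen) for t in terms)
    raise ValueError(f"unknown operator {op!r}")


def cross_correlate(event: Event, asset: Asset | None) -> int:
    """Cross-correlation (assumed rule): an event against a service that the
    vulnerability assessment flagged on the target is treated as fully reliable."""
    if asset is not None and event.service in asset.vulnerable_services:
        return 10
    return event.reliability


def risk(asset_value: int, priority: int, reliability: int) -> int:
    """Assumed risk formula for this example only:
    value * priority * reliability / 25, rounded and clamped to 0..10."""
    return max(0, min(10, round(asset_value * priority * reliability / 25)))


def process(events: list[Event], assets: dict[str, Asset], directive: Pattern,
            trusted_scanners: set[str], alarm_threshold: int = 1) -> dict:
    """Run policy -> correlation -> risk assessment and return the alarms
    raised, keyed by (source, destination) with the resulting risk."""
    by_pair: dict[tuple[str, str], list[Event]] = {}
    for e in events:
        if policy_allows(e, trusted_scanners):
            by_pair.setdefault((e.src_ip, e.dst_ip), []).append(e)
    alarms = {}
    for (src, dst), evs in by_pair.items():
        asset = assets.get(dst)
        value = asset.value if asset is not None else 2  # assumed default value
        # risk of the single most serious event, after cross-correlation
        worst = max(risk(value, e.priority, cross_correlate(e, asset)) for e in evs)
        # a matching directive raises a directive event (assumed priority 5, reliability 8)
        if pattern_matches(directive, {e.signature for e in evs}):
            worst = max(worst, risk(value, 5, 8))
        if worst >= alarm_threshold:
            alarms[(src, dst)] = worst
    return alarms


# Constructed sample data, not from a real deployment.
ASSETS = {
    "10.0.0.5": Asset("10.0.0.5", 5, frozenset({"ssh"})),  # valuable, vulnerable SSH
    "10.0.0.6": Asset("10.0.0.6", 1, frozenset()),         # low value, no findings
}
DIRECTIVE = ("AND", "port_scan", ("OR", "ssh_bruteforce", "web_exploit"))
TRUSTED_SCANNERS = {"10.0.0.99"}
SAMPLE_EVENTS = [
    Event("192.0.2.10", "10.0.0.5", "port_scan", "none", 1, 3),
    Event("192.0.2.10", "10.0.0.5", "ssh_bruteforce", "ssh", 3, 4),
    Event("192.0.2.11", "10.0.0.6", "ssh_bruteforce", "ssh", 3, 1),
    Event("10.0.0.99", "10.0.0.5", "port_scan", "none", 1, 3),  # authorized scanner
]

if __name__ == "__main__":
    print(process(SAMPLE_EVENTS, ASSETS, DIRECTIVE, TRUSTED_SCANNERS))
```

Only the external source that both scanned and brute-forced the vulnerable host produces an alarm; the low-value host with no finding stays below the threshold, and the authorized scanner is filtered out by policy before correlation.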

The USM Logger is the secure data archival component of the USM platform.


AlienVault Labs and OTX


AlienVault Labs conducts security research on global threats and vulnerabilities. The team of security experts constantly monitors, analyzes, reverse engineers, and reports on sophisticated zero-day threats including malware, botnets, phishing campaigns and more.

AlienVault Labs Threat Intelligence drives USM security capabilities by identifying the latest threats, resulting in the broadest view of attacker techniques and effective defenses.

AlienVault Labs research is also a critical part of our analysis. Our labs team generates original research on high profile threats, as well as instrumenting the automatic analysis for discovering and certifying all threats coming from OTX partners and USM customers who opt to share data.


AlienVault Labs Threat Intelligence maximizes the efficiency of your security monitoring program by delivering the following to your AlienVault USM installation.

Examples of the detection that AlienVault Labs provides include:

• Advanced Persistent Threat (APT) detection - Detects targeted attacks often missed by other defenses

• Real-Time Botnet Detection - Identifies infection, compromise, and misuse of corporate assets

• Data Exfiltration Detection - Prevents leakage of sensitive and proprietary data

• Command-and-Control (C&C) Traffic Identification - Identifies compromised systems communicating with malicious actors

• Dynamic Incident Response and Investigation Guidance - Provides customized instructions on how to respond and investigate each alert


Open Threat Exchange (OTX) is the world’s first open threat intelligence community that enables collaborative defense with actionable, community-powered threat data. AlienVault Labs and other security researchers provide information to help understand attacks that are currently being investigated and analyzed.

This data is automatically analyzed through a powerful discovery engine that is able to granularly analyze the nature of the threat, and a similarly powerful validation engine that continually curates the database and certifies the validity of those threats.

AlienVault OTX is a free open information sharing and analysis network that provides access to real-time, detailed information about incidents that may impact you, allowing you to learn from, and work with, others who have already experienced them.

We will be going over OTX in more detail later in the class.

For more information, go to https://otx.alienvault.com.


Module 2

Verifying Operations

This module describes AlienVault Unified Security Management (USM) installation, basic configuration and verification, and the web user interface (UI).


AlienVault USM User Interface


In the previous module of this course, we focused on the capabilities and components of the USM. In this module, we will focus on how to navigate the user interface and verify the basic operations of the system.

Once you connect to the USM web UI, and log in using administrative credentials, you will see the main window.

The main window allows you to access all of the functionality offered by the USM. This screen includes the following menu elements:

1. Utility menu

2. Primary menu

3. Help, which links to documentation

4. Secondary menu

5. Environment Snapshot


The Utility menu includes the following buttons:

• WELCOME - This shows the username of the user who is currently logged into the system.

• IP ADDRESS - This shows the IP address or hostname of the USM.

• MESSAGE CENTER - The message center centralizes all in-system errors, warnings, and messages.

• SETTINGS - This button shows the current user's profile, current sessions by all users, and user activity.

• SUPPORT - This button provides access to the help area and to diagnostic support tools.

• LOGOUT - This button logs out the current user from the USM.

On the following slides, we look more closely at some of these buttons—the MESSAGE CENTER, the SETTINGS menu, and SUPPORT.


The Message Center centralizes all in-system errors, warnings, and messages, along with external messages sent by AlienVault, into a single, discoverable page within the USM web interface.

Messages can come from three different sources:

• System statuses

• User activity

• External messages from messages.alienvault.com, which are retrieved over HTTP over SSL on port 443 and are digitally signed


USM Settings and Support


The SETTINGS option includes three menus: MY PROFILE, CURRENT SESSIONS, and USER ACTIVITY.

The MY PROFILE menu shows the personal information (login, name, email, etc.) of the user who logged into the system. By changing the input fields and clicking the SAVE button, you can change your user information.

Additionally, you can change your password here.

In order to make any changes on the MY PROFILE menu, you will need to enter your current password before clicking SAVE.


The CURRENT SESSIONS menu lists who is logged into the system. If you are not the administrator, the administrator must grant you permission in order for you to see this list.

For each user, you see their username, IP address, and several other parameters. You also have the option to log out a specific user by clicking on the button under Actions.

As shown in the slide, three users are currently logged into the system.


The USER ACTIVITY menu shows critical actions that were performed by users. You can see a list of the actions that the table will show by clicking on All in the bar under the Action heading. You can filter the displayed actions by selecting the date range, user account, or action type and clicking View.


The SUPPORT section includes three areas:

• HELP - On the left side, this option provides links to the AlienVault forum and to news about the latest USM releases. The right side includes a Learning Center with information on how USM functions.

• SUPPORT TOOLS - This option includes two tools that you might use when working with AlienVault’s support team—the Diagnostic Tool and Remote Support. The AlienVault Diagnostic Tool collects information about the system status and sends it to the AlienVault Support Team. Connecting to Remote Support will open an encrypted connection for AlienVault Support to diagnose any issues with your AlienVault system(s).

• DOWNLOADS - This option provides links to software packages for AlienVault operation.


AlienVault USM Primary Menu


The primary menu covers the main functions of the USM. This includes the following five menus:

• DASHBOARDS

• ANALYSIS

• ENVIRONMENT

• REPORTS

• CONFIGURATION


The first area that can be selected in the primary menu is DASHBOARDS. This area has the following options:

• OVERVIEW – Use this option to view charts, tables, and graphs that show various overview aspects of the system status. Additional sub-menus, such as Inventory and Honeypot Activity, can be added by clicking on the edit button.

• DEPLOYMENT STATUS - This option displays a global view of the system, including assets visibility, network visibility, and locations.

• RISK MAPS – This option displays the state of assets within a selected map and provides the ability to manage maps.

• OTX - This option allows you to visualize threats graphically in a map as well as list pulse information. The map visualizes IP addresses that belong to hosts that are performing attacks or have malicious behavior. These IP addresses are provided by the OTX, which includes the AlienVault Labs team and a community of worldwide USM and OSSIM users.


The second area that can be selected in the primary menu is ANALYSIS. This area includes the following options:

• ALARMS - Any event with a risk of 1 or greater generates an alarm. The Alarms option shows all the alarms generated in the USM. You can also search for alarms using filters.

• SECURITY EVENTS (SIEM) – Use this option to visualize all events that are processed or generated by the SIEM Server. You can do a forensic analysis of all events that have been processed by the USM. The SIEM database is designed for rapid and versatile analysis, which is required for the detection of, and response to, attacks.

• RAW LOGS - This option allows you to display stored logs. The USM Logger allows you to store a large volume of data for compliance, forensic analysis, or other purposes. The USM Logger is specifically geared for long-term storage and forensic archiving. The USM Logger stores data, digitally signs it, and timestamps the data. The data is securely stored and its integrity is preserved.

• TICKETS - A ticket is an element within the USM that contains information about detected alarms or any other issues that you want to track in a workflow. There are simple and advanced filters available to facilitate searches. You can create tickets manually. In addition, some USM functions, such as vulnerability scanning, allow you to create tickets automatically. Tickets for alarms have to be opened manually.


The third area that can be selected in the primary menu is ENVIRONMENT. This area has the following options:

• ASSETS & GROUPS - This option allows you to manage assets, networks, asset groups, and network groups.

• VULNERABILITIES - This option provides a graphical interface to manage vulnerability scanning. The vulnerability scans can run from one or more AlienVault sensors.

• NETFLOW - This option provides the ability to monitor and work with NetFlow data.

• TRAFFIC CAPTURE - This option allows the user to implement and manage remote traffic capture through the AlienVault USM Sensor. There are several capture options such as timeout, packet size, sensor name, and packet source and destination.

• AVAILABILITY - You can use this option to view and configure availability monitoring.

• DETECTION - This option is used to manage intrusion detection for most operating systems. This option also displays log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting, and active response.


The fourth area that can be selected in the primary menu is REPORTS. This area has all of the report types available. This option allows you to run reports on your USM deployment, download them as PDF, and send them via e-mail. You can also modify the contents and layout of reports. In addition, you can schedule reports to be created automatically.


The last area that can be selected in the primary menu is CONFIGURATION. This area has the following options:

• ADMINISTRATION – You can use this section to manage users, system configuration, and backup and restore settings.

• DEPLOYMENT – In this section, you can manage USM components.

• THREAT INTELLIGENCE – These options are used for configuring USM policies, actions, ports, directives, compliance mapping, correlation rules, data sources, and security classification (taxonomy). You can also review and edit the knowledge base, which contains information and recommended actions for different types of security incidents.

• OTX - This option allows you to configure OTX if you did not configure it using the Getting Started Wizard.


Environment Snapshot


The Environment Snapshot is on the right side of the USM web UI. The default state shows the current alarms and the amount of Events Per Second (EPS).


You can expand the Notification Tray to view the Environment Snapshot by clicking on the small arrow on the right side of the USM user interface. The Environment Snapshot shows open tickets, unresolved alarms, system health, latest event activity, the number of monitored devices, and a graph of events received per second over a recent period of time.


Verify Basic Operations


Once the basic configuration of your USM system is completed, you should verify that it is operating properly. Complete the following tasks to verify basic operations:

1. Observe any system errors and warnings in the Message Center to determine if there are any outstanding issues with the system and log collection.

2. Confirm that security events are populating correctly.

3. Confirm that alarms are displaying correctly.

4. Confirm that raw logs are populating correctly.


It is important to ensure that your USM system is deployed properly. In the Deployment Status area, the USM displays any potential issues it detects.


Next, you should check that events are flowing into the USM’s database.

Any normalized log entry, received or generated by any USM at the application, system, or network level is called an event.

The USM Server is the component responsible for collecting normalized events from a USM Sensor, correlating them, and performing risk assessment. The USM Server stores events in its database, which is designed for rapid analysis that is required for attack detection and response.

To see events in the database, navigate to ANALYSIS > SECURITY EVENTS (SIEM). On this screen, you can observe events, view details about events by clicking them, and search and filter for events using time ranges and search filters.


Next, you should check that the USM is creating alarms.

The USM Server uses a formula based on Asset Value, Event Priority, and Event Reliability to calculate an Event’s Risk. Any Event with a Risk of 1 or greater is an Alarm.

To see alarms in your system, navigate to ANALYSIS > ALARMS. Below the filtering and searching tools (but above the line-by-line listing of alarms), you can see a graphical representation of alarms.

Note that the filtering section will be expanded by default. In order to get to the graphical representation of the alarms, collapse the search filter or scroll down.

Blue circles indicate the number of alarms in a category at a particular time. A bigger circle indicates a higher number of alarms. Alarms are prioritized according to five categories:

• System compromise

• Exploitation and installation

• Delivery and attack

• Reconnaissance and probing

• Environmental awareness

The lower part of the window displays a list of alarms. Clicking an alarm will show additional information about the alarm. Clicking View Details provides an even greater level of information about the events that triggered the alarm. The Alarm Details page also includes a Knowledge Base article with information about the alarm and recommended steps to investigate it.


Finally, to finish verifying basic operations, you should check that logs are being stored in the USM Logger.

The USM Logger provides a file format that is specially designed to store logs for long-term archiving. By default, the logs are indexed, compressed, and digitally signed every hour to ensure their integrity (more immediate signing can be enabled if required). You can verify that the USM Logger component is receiving raw logs from network devices by viewing the data in the Raw Logs screen.

To see the logs, navigate to Analysis > Raw Logs. The upper part of the window displays a chart, where you can see the log trends in a predefined time frame. Logs are displayed in the lower part of the window. You can see details about a log by clicking the log.

You can also use the search box to search for specific logs, or select a time range in order to display logs only for the selected time range.

When performing a search, the INDEXED QUERY performs a search against the index compiled during the most recently-completed indexing operation. This search is very fast, but may not include the latest log entries received. The RAW QUERY performs a real-time search of the log files themselves. It will be slower to return results but the results will be more complete.


Module 3

Asset Management

This module describes AlienVault Unified Security Management (USM) asset management.


Asset Overview


In the USM, an asset is a piece of equipment that bears a unique IP address on the company’s network. Assets generally include hardware such as servers, email servers, file servers, desktops, laptops, printers, firewalls, routers, other network devices, or security devices such as the USM itself.

Asset management and inventory are among the functionalities provided by the USM.

Assets in AlienVault are grouped based on IP addresses and networks that are monitored by AlienVault. Grouping based on IP addresses allows for easier management of and searching for assets. Assets can be grouped by functionality (e.g. Firewalls), location (e.g. “headquarters”), or another type of grouping. Similarly, networks monitored by AlienVault can be grouped into network groups.


The USM has an asset management system that is used by all AlienVault components. The assets are initially added to the USM using passive discovery and active scanning.

Assets can also be added manually. This can be performed by adding individual assets using the web UI, or by importing assets from security events or Comma Separated Value (CSV) files.

The Asset Management System allows for easy asset search using rich filters and subsequently enables reviewing and editing of asset information. Assets can also be removed from the asset repository by deleting them.

The Asset Management System also includes an integrated inventory, which can store additional information about individual assets. This proves useful for tracking properties of assets belonging to/owned by an organization.

Additionally, you can manage the AlienVault HIDS through the Asset Management System. This is covered later in this course in Module 7, Threat Detection.


Navigating the Assets UI


ASSETS & GROUPS is available in the Environment menu.

Under the ASSETS & GROUPS menu, there are five secondary menus that provide an interface for managing the following:

• ASSETS

• ASSET GROUPS

• NETWORKS

• NETWORK GROUPS

• SCHEDULE SCAN

These sub-menus will be covered throughout the course.


Navigating to ENVIRONMENT > ASSETS & GROUPS > ASSETS will bring you to the Asset screen view. This screen has the asset list and search filter.

The Getting Started Wizard creates the initial asset list when using the USM All-in-One. Additionally, you can export your list of assets by clicking the icon in the upper right.

The central part of the window displays a list of assets in the system. Each entry in the asset list can be expanded to show the details for an individual asset. Above that window, there are icons to delete, edit, or label assets.

The total number of assets is displayed above the list of assets. This number will change if a search refines the results.

If you run a search, the central part of the window displays a table with a list of assets meeting the search criteria. The fields that appear in the table are the following:

• HOSTNAME

• IP

• DEVICE TYPE

• OPERATING SYSTEM

• ASSET VALUE

• VULN SCAN SCHEDULED

• AVAILABILITY CONFIGURED

• HIDS STATUS

If you click an asset, the asset will be expanded to display additional information: Vulnerabilities, Alarms, Events, Availability, Services, Groups, and Notes. The DETAILS button displays detailed information about an asset.


Once the asset(s) are selected, you can perform the following through the ACTIONS menu:

• Edit the selected asset(s)

• Delete the selected asset(s)

• Run an Asset Scan

• Run a Vulnerability Scan

• Deploy HIDS Agents on selected asset(s)

• Enable Availability Monitoring

• Disable Availability Monitoring

• Create or add to an Asset Group

• Add a Note


If you wish to have a more refined list of assets, you can search based on different parameters. The search criteria options for assets are on the left side of the screen.

When the search filter options are specified, the window will only show assets that meet the requirements of the search criteria.

The following search filters are available:

• Alarms - Enables the search for assets with associated alarms.

• Events - Enables the search for assets with associated events.

• Vulnerabilities - Enables the search for assets with vulnerabilities. The values are Info, Low, Medium, High, and Serious.

• Asset Value - Enables the search for assets within a value range. Values range from 0 to 5.

• Availability Status - Enables the search for assets that are not configured for availability monitoring, or that have been found up or down.

• Show Assets Added - Enables the search by the date the asset was added.

• Last Updated - Enables the search by the date the asset was last updated.

• MORE FILTERS - Allows you to add more filters: Network, Software, Sensor, Device Type, Ports/Services, and Locations (not shown in the figure).

With multiple filters, USM by default combines filters of different types with a logical AND. However, multiple filters of the same type (e.g. two networks) operate as a logical OR.

There is a search field located at the top part of the window. The field shows selected filters. The X icon is used to delete a selected filter. To clear the entire search filter, select the Clear All Filters option.
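As an added illustration (not part of the AlienVault guide), the following Python example implements the filter semantics described above: filters of different types are combined with AND, while several values of the same type are combined with OR. The asset records and filter types are a constructed sample modelled on the filter list in this section, not the USM data model.

```python
import ipaddress

# Constructed sample inventory; real USM assets carry many more fields.
ASSETS = [
    {"hostname": "mail", "ip": "192.168.10.10", "asset_value": 4, "device_type": "Server",
     "vulnerabilities": {"High", "Medium"}, "alarms": 2, "availability": "up"},
    {"hostname": "fs01", "ip": "10.0.0.5", "asset_value": 3, "device_type": "Server",
     "vulnerabilities": {"Low"}, "alarms": 0, "availability": "down"},
    {"hostname": "ws-17", "ip": "10.0.0.117", "asset_value": 2, "device_type": "Workstation",
     "vulnerabilities": set(), "alarms": 0, "availability": "not configured"},
    {"hostname": "printer", "ip": "172.16.5.9", "asset_value": 1, "device_type": "Printer",
     "vulnerabilities": {"Info"}, "alarms": 1, "availability": "up"},
]


def _matches_one(asset, filter_type, value):
    """True when one filter value of the given type matches the asset."""
    if filter_type == "network":            # value is a CIDR such as "10.0.0.0/24"
        return ipaddress.ip_address(asset["ip"]) in ipaddress.ip_network(value, strict=False)
    if filter_type == "device_type":        # value is a device type name
        return asset["device_type"] == value
    if filter_type == "vulnerabilities":    # value is Info/Low/Medium/High/Serious
        return value in asset["vulnerabilities"]
    if filter_type == "asset_value":        # value is an inclusive (low, high) range, 0-5
        low, high = value
        return low <= asset["asset_value"] <= high
    if filter_type == "alarms":             # value True: assets with associated alarms
        return bool(value) == (asset["alarms"] > 0)
    if filter_type == "availability":       # value is "up", "down" or "not configured"
        return asset["availability"] == value
    raise ValueError(f"unknown filter type {filter_type!r}")


def search_assets(assets, filters):
    """filters maps a filter type to a list of values.
    Different types are ANDed; values of the same type are ORed.
    Returns the hostnames of the matching assets, in inventory order."""
    active = {ftype: values for ftype, values in filters.items() if values}
    result = []
    for asset in assets:
        if all(any(_matches_one(asset, ftype, v) for v in values)
               for ftype, values in active.items()):
            result.append(asset["hostname"])
    return result


if __name__ == "__main__":
    # Two networks (OR) restricted to servers (AND): only fs01 matches.
    print(search_assets(ASSETS, {"network": ["10.0.0.0/24", "172.16.0.0/16"],
                                 "device_type": ["Server"]}))
```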


Managing Assets


If you want to see details about an asset, click the DETAILS button for the asset. You can also delete the asset or modify it by opening the ACTION menu.

The asset status area of the screen displays some summarized information about the asset.

On the right side of the screen, there is an action menu, edit icon, and a deletion icon for this specific asset. Directly below that is a map, showing the asset’s location if defined.

Below the map on the right side is the ENVIRONMENT STATUS. This displays whether or not HIDS, Automatic Asset Discovery, or Vulnerability Scan Scheduled are enabled. The status circle that is located next to the link can appear in three different colors:

• Red - Nothing is available.

• Green - Everything is available.

• Yellow - Some are available. Note this color will not be displayed for Vulnerability Scan Scheduled.

SUGGESTIONS are below the environment status. This part shows suggestions related to the asset. Suggestions can be:

• Warning messages when an asset that has sent logs does not send an event in 24 hours.

• Information messages when an asset is not sending logs to the system or when an asset is sending logs but there is no plugin enabled for parsing the logs.


In Asset Details, you can perform these through the ACTIONS menu:

• Edit the asset

• Delete the asset

• Run an Asset Scan

• Run a Vulnerability Scan

• Enable Availability Monitoring

• Disable Availability Monitoring


The status circles display an overview of the asset information. Detailed status information is provided in the table below. You can show relevant details in the table either by clicking on a circle or by clicking on any of the blue tabs above the table.


Assets have three editable sections: GENERAL, PROPERTIES, and SOFTWARE.

The GENERAL section covers the basic information of an asset. The following are the editable portions of an asset:

• Name - By default, the AlienVault system automatically assigns a discovered asset a name of the form Host_ followed by its IP address, with the dots replaced by the underscore sign (_). You can replace the default name with a meaningful name.

• IP Address – IP address of the asset. You can identify multiple IP addresses in the address window for a single asset. Separate multiple IP addresses by commas.

• FQDN/Aliases - You can enter a Fully Qualified Domain Name (FQDN) of the asset, or you can enable reverse DNS resolution when performing asset discovery.

• Asset Value - You can change the value of an asset, depending on the role the asset has in an organization. By default, asset value is set to 2. This is covered in more detail in the next few slides.

• Device Types - Select the device type and subtype from the drop-down menu. To remove a device type, click the “X” below the Device Type list.

You can also set other properties, such as description and location of the asset. Additionally, you can provide an icon for the asset, toggle availability monitoring of the asset, and define if the asset is external or internal.

Changes made to the Asset in General, Properties, or Software tab are all saved by clicking Save on the General tab view. Note that there is no “overall” Save button on the Properties or Software view.


Each asset that is detected by or imported into AlienVault has an asset value, ranging from 0 to 5, 0 being the lowest value and 5 the highest. This value is included in risk assessment calculation performed by the USM Server (SIEM) component.


Each asset in an organization should have a value assigned, based on the importance of the asset’s role in the organization. For example, printers in a printing company are very important for business processes and will have a very high asset value.

As an example, in some organizations printers may not be important, and the asset value for printers may be set to 0 or 1. However, in organizations in which printers are the most important assets on their network, such as in printing shops, asset value for printers may be set to a high value, such as 4 or 5.

However, printers in a company that offers web hosting are not as important, and will have a low asset value. A web hosting company’s web servers would have a higher value; and therefore, those web servers would be assigned a higher asset value than the printers.


Asset value can be set administratively in the web UI of the USM.

When calculating the risk of an event in the USM, some events involve two hosts. In such cases, the higher of the two asset values is used in the calculation.

If the host that generates the event is defined within the USM inventory, the system uses the asset value of that host. If the host is not included in the USM inventory, the system first checks whether the host belongs to one of the defined networks. If the host belongs to one of the networks and the host’s asset value has not been defined, the system uses the network asset value for the risk calculation. If no asset value is explicitly set for the network, the system uses the default value of 2 for the host.
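As an added illustration (not part of the AlienVault guide), the following Python example implements the asset value resolution just described (host value, else network value, else the default of 2; the higher value when two hosts are involved) and applies the alarm rule from Verify Basic Operations (risk of 1 or greater). The inventory class is a constructed stand-in, not the USM API, and the risk formula itself is not given on this page: the example assumes the OSSIM formula, as noted in the code.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional

DEFAULT_ASSET_VALUE = 2     # value the guide says is used when nothing else is set
ALARM_RISK_THRESHOLD = 1    # any event with a risk of 1 or greater becomes an alarm


@dataclass
class Inventory:
    """Constructed stand-in for the USM asset inventory (not the real USM API).
    A value of None means the host or network is known but has no asset value set."""
    hosts: Dict[str, Optional[int]] = field(default_factory=dict)     # ip -> value
    networks: Dict[str, Optional[int]] = field(default_factory=dict)  # cidr -> value

    def asset_value(self, ip: str) -> int:
        """Resolve an asset value in the order the guide describes:
        the host's own value, else the enclosing network's value, else 2."""
        host_value = self.hosts.get(ip)
        if host_value is not None:
            return host_value
        addr = ipaddress.ip_address(ip)
        for cidr, net_value in self.networks.items():
            if addr in ipaddress.ip_network(cidr, strict=False):
                return net_value if net_value is not None else DEFAULT_ASSET_VALUE
        return DEFAULT_ASSET_VALUE


def event_asset_value(inv: Inventory, src_ip: str, dst_ip: Optional[str] = None) -> int:
    """For events with two hosts the guide says the higher asset value is used."""
    values = [inv.asset_value(src_ip)]
    if dst_ip is not None:
        values.append(inv.asset_value(dst_ip))
    return max(values)


def event_risk(asset_value: int, priority: int, reliability: int) -> int:
    """ASSUMPTION: this page only says risk is derived from asset value, event
    priority and event reliability. The formula below is the OSSIM one,
    risk = (asset_value * priority * reliability) / 25 truncated to an integer,
    with asset value 0-5, priority 0-5 and reliability 0-10; it is not stated here."""
    if not (0 <= asset_value <= 5 and 0 <= priority <= 5 and 0 <= reliability <= 10):
        raise ValueError("asset value 0-5, priority 0-5, reliability 0-10")
    return (asset_value * priority * reliability) // 25


def assess(inv: Inventory, src_ip: str, dst_ip: Optional[str], priority: int, reliability: int) -> dict:
    """Run the whole chain for one event and report whether it is an alarm."""
    value = event_asset_value(inv, src_ip, dst_ip)
    risk = event_risk(value, priority, reliability)
    return {"asset_value": value, "risk": risk, "alarm": risk >= ALARM_RISK_THRESHOLD}


# Constructed sample inventory: one host with a value, one known host without,
# one network with a value and one without.
SAMPLE_INVENTORY = Inventory(
    hosts={"10.0.0.5": 4, "10.0.0.9": None},
    networks={"10.0.0.0/24": 3, "192.168.1.0/24": None},
)

if __name__ == "__main__":
    for src, dst, prio, rel in [("172.16.0.1", "10.0.0.5", 3, 5),   # value 4, risk 2: alarm
                                ("192.168.1.20", None, 1, 3),        # value 2, risk 0: no alarm
                                ("10.0.0.9", "10.0.0.17", 2, 7)]:    # value 3, risk 1: alarm
        print(src, dst, assess(SAMPLE_INVENTORY, src, dst, prio, rel))
```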


The PROPERTIES section covers more specific information about an asset, including hardware, roles, and department. The following are configurable properties of an asset:

• Users Logged

• Role

• Department

• Workgroup

• Machine state

• CPU

• Memory

• Video

• ACL

• Route

• Storage

• MAC Address

Note the property settings can be locked, which means it will not be overwritten during future asset discoveries.

Note the Save button in the Properties tab will only save a specific property. It will not save your global changes.

To save changes, return to the General tab and click the Save button.


The SOFTWARE section displays the software that is running on an asset. The list includes software found running during a scan and any software manually added.

When manually adding software, the USM autocompletes your entry from a list of possibilities. Manually added software is locked in the asset’s list of software.

Note the Save button in the Software tab will only save a specific property. It will not save your global changes.

To save changes, return to the General tab and click the Save button.


Adding Assets


Assets are added into the AlienVault system by the asset discovery process.

Assets can also be imported from SIEM events if desired. To import assets from SIEM events, navigate to ENVIRONMENT > ASSETS & GROUPS, and expand the ADD ASSETS option. Select the IMPORT FROM SIEM option from the drop-down menu. The system will notify you on how many assets were detected in SIEM events, and will ask you to confirm the import of the events. You can also scan for new assets from this menu.

If the asset discovery process is not desired, or if it does not detect a specific asset, the asset can also be added manually.


To add an individual asset manually, select ADD HOST from the ADD ASSETS menu. The NEW ASSET window appears.

Fill in the required fields. Note that this screen is similar to the GENERAL tab in the EDIT ASSET dialogue. Click SAVE when you are done populating the input fields.

After you are done adding your asset, the USM will take you to the Asset Details page of the corresponding asset.


You can add a list of assets by importing a comma separated values (CSV) file. This is useful if your asset inventory is already stored in a spreadsheet or database.

The USM requires the CSV asset list have a particular format. It needs a header and a list of assets. The CSV file should be in the following format:

"IP(IP1,IP2,...)";"Hostname";"FQDNs(FQDN1,FQDN2,...)";"Description";"Asset value";"Operating System";"Latitude";"Longitude";"Host ID";"External Asset";"Device Types(Type1,Type2,...)"

An example of a CSV asset list, including the header, looks like this:

"IPs";"Hostname";"FQDNs";"Description";"Asset Value";"Operating System";"Latitude";"Longitude";"Host ID";"External Asset";"Device Type"
"192.168.10.10";"mail";"mail1.example.com,mail2.example.com";"my public mail server";"4";"Linux";"23.78";"121.45";"379D45C0BBF22B4458BD2F8EE09ECCC2";0;"Server:Mail Server"
"172.16.23.17";"USM";"usm.example-1.com";"AlienVault USM";"2";"Linux";"23.78";"121.45";"379D45C0BBF22B4458BD2F8EE09ECCC2";0;"Server:Security Device"

Next, select the IMPORT CSV option from the ADD ASSETS menu. Then select the CSV file. The file will upload and the confirmation dialogue will appear. If there are any errors in your CSV file, they will be reported in the dialogue.
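As an added illustration (not part of the AlienVault guide), the following Python example parses and validates an asset list in the CSV format described above, reporting per-line problems the way the import dialogue reports errors rather than silently importing bad rows. The sample file is constructed; applying the guide's Host_ default naming to rows with an empty Hostname is this example's own assumption.

```python
import csv
import io
import ipaddress

# Header the guide specifies for a CSV asset list: 11 ';'-separated columns.
EXPECTED_HEADER = ["IPs", "Hostname", "FQDNs", "Description", "Asset Value",
                   "Operating System", "Latitude", "Longitude", "Host ID",
                   "External Asset", "Device Type"]


def default_hostname(ip):
    """Default name the guide gives discovered assets: Host_ plus the IP with dots
    replaced by underscores. Using it for CSV rows without a hostname is an
    assumption of this example, not documented import behaviour."""
    return "Host_" + ip.replace(".", "_")


def _split_multi(value):
    """Multi-value fields (IPs, FQDNs, device types) are comma separated inside the quotes."""
    return [v.strip() for v in value.split(",") if v.strip()]


def parse_asset_csv(text):
    """Parse and validate an asset list. Returns (assets, errors); rows with
    errors are skipped and described by line number in the errors list."""
    rows = list(csv.reader(io.StringIO(text), delimiter=";", quotechar='"'))
    assets, errors = [], []
    if not rows or [h.strip() for h in rows[0]] != EXPECTED_HEADER:
        return assets, ["line 1: header does not match the expected asset list header"]
    for lineno, row in enumerate(rows[1:], start=2):
        if not row:                      # blank line
            continue
        if len(row) != len(EXPECTED_HEADER):
            errors.append(f"line {lineno}: expected {len(EXPECTED_HEADER)} fields, got {len(row)}")
            continue
        (ips, hostname, fqdns, description, value, os_name,
         lat, lon, host_id, external, dtypes) = row
        problems = []
        ip_list = _split_multi(ips)
        if not ip_list:
            problems.append("at least one IP is required")
        for ip in ip_list:
            try:
                ipaddress.ip_address(ip)
            except ValueError:
                problems.append(f"invalid IP {ip!r}")
        asset_value = None
        try:
            asset_value = int(value)
            if not 0 <= asset_value <= 5:   # the guide's asset value range
                problems.append(f"asset value {asset_value} outside 0-5")
        except ValueError:
            problems.append(f"asset value {value!r} is not an integer")
        if external not in ("0", "1"):
            problems.append(f"external asset must be 0 or 1, got {external!r}")
        coordinates = None
        if lat or lon:
            try:
                coordinates = (float(lat), float(lon))
            except ValueError:
                problems.append("latitude/longitude must be decimal numbers")
        if problems:
            errors.append(f"line {lineno}: " + "; ".join(problems))
            continue
        assets.append({
            "ips": ip_list,
            "hostname": hostname or default_hostname(ip_list[0]),
            "fqdns": _split_multi(fqdns),
            "description": description,
            "asset_value": asset_value,
            "os": os_name,
            "coordinates": coordinates,
            "host_id": host_id or None,
            "external": external == "1",
            # "Type:Subtype" entries, e.g. "Server:Mail Server", are kept as written
            "device_types": _split_multi(dtypes),
        })
    return assets, errors


# Constructed sample: one well-formed row, one multi-IP row without a hostname,
# and one row with a bad address, an out-of-range asset value and a bad flag.
SAMPLE_CSV = '''"IPs";"Hostname";"FQDNs";"Description";"Asset Value";"Operating System";"Latitude";"Longitude";"Host ID";"External Asset";"Device Type"
"192.168.10.10";"mail";"mail1.example.com,mail2.example.com";"my public mail server";"4";"Linux";"23.78";"121.45";"";0;"Server:Mail Server"
"10.0.0.5,10.0.0.6";"";"";"dual-homed file server";"3";"Windows";"";"";"";0;"Server:File Server"
"10.0.0.300";"broken";"";"bad address and value";"7";"Linux";"";"";"";2;"Workstation"
'''

if __name__ == "__main__":
    imported, problems = parse_asset_csv(SAMPLE_CSV)
    print(f"{len(imported)} assets ready to import, {len(problems)} rows rejected")
    for line in problems:
        print(line)
```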


You can also import assets from SIEM events. This option checks events and networks, and imports all new assets that the SIEM discovered.

Once you select Import From SIEM, the USM will search the SIEM events for any new assets on your networks.

If new assets are found, you will be prompted to IMPORT or CANCEL the results. If you wish, you can also view the logs to see what the USM determines is an asset.

Assets are imported 25,000 at a time. If the USM found more than 25,000 hosts, you will need to rerun the Import from SIEM until all the hosts are added.


Asset Discovery Scans


Asset discovery is one of the primary USM functionalities and is used to build the initial asset inventory. It can also be used to augment the knowledge of existing assets by determining the operating system of an asset and the services (open ports) that are running on it.

Open the ADD ASSETS menu and select Scan for New Assets. This will open the SCAN FOR NEW ASSETS screen. In the screen, first select assets, asset groups, networks, or network groups you would like to scan.


Select the desired targets, and then optionally select the sensor that will perform the scan. Next, select the scan type from the drop-down menu. The following options are available:

• Ping - Pings each selected asset to check whether it is up.

• Normal - Scans the 1000 most common ports.

• Fast Scan - Scans the 100 most common ports.

• Full Scan - Scans all ports, fingerprints the operating system, and determines MAC addresses.

• Custom - Lets you define the ports to scan.

The following options are available for the scan timing template:

• Paranoid - Scans very slowly. It serializes all probes (no parallel scanning) and generally waits at least 5 minutes between sending packets.

• Sneaky - Like Paranoid, but with a 15-second wait between packets.

• Polite - Serializes the probes and waits at least 0.4 seconds between them.

• Normal - The default, which runs as quickly as possible without overloading the network or missing hosts and ports.

• Aggressive - Scans with a 5-minute timeout per host and never waits more than 1.25 seconds for a probe response.

• Insane - Suitable for very fast networks. It times out hosts after 75 seconds and waits only 0.3 seconds for individual probes.

Finally, optionally enable auto-detection of services and operating systems, and enable reverse DNS resolution to determine the FQDN of each scanned asset. Click START SCAN when you are done configuring the scan.

For reverse DNS resolution to work, the USM must be configured with a DNS server that can resolve (PTR records for) your asset IP addresses. Be cautious when enabling DNS resolution for a scan of many assets: the scan issues a reverse lookup for every scanned address, and that burst of queries can overload a poorly configured or poorly protected DNS server.
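The scan types and timing templates above map closely onto nmap's own port-selection and -T timing options (the timing descriptions are nmap's). The following added example, which is not AlienVault code, translates one USM scan configuration into an equivalent nmap command line and estimates the reverse-DNS load the caveat above warns about. The mapping of each UI option to a specific nmap flag is this example's assumption, not something the guide states.

```python
"""Translate USM asset-discovery scan options into an nmap command line.

Added example, not AlienVault code. Assumption: the USM scan types and timing
templates correspond to nmap's port-selection flags and -T0..-T5 levels, and
the reverse-DNS option to nmap's -R / -n switches.
"""
import ipaddress

# USM scan type -> nmap port-selection / fingerprinting flags (assumed mapping)
SCAN_TYPES = {
    "ping":   ["-sn"],                  # host discovery only, no port scan
    "normal": ["--top-ports", "1000"],  # nmap's default port set
    "fast":   ["-F"],                   # the 100 most common ports
    "full":   ["-p-", "-O"],            # every TCP port plus OS fingerprint
}

# USM timing template -> nmap -T level; the guide's descriptions are nmap's
TIMING = {
    "paranoid":   "-T0",  # serialized, ~5 min between packets
    "sneaky":     "-T1",  # serialized, 15 s between packets
    "polite":     "-T2",  # serialized, 0.4 s between probes
    "normal":     "-T3",  # nmap default
    "aggressive": "-T4",  # 5 min host timeout, <= 1.25 s probe wait
    "insane":     "-T5",  # 75 s host timeout, 0.3 s probe wait
}


def count_hosts(targets):
    """Number of addresses a list of hosts and CIDR ranges expands to."""
    return sum(ipaddress.ip_network(t, strict=False).num_addresses for t in targets)


def dns_query_estimate(targets, reverse_dns):
    """Upper bound on PTR lookups the scan sends to the configured resolver."""
    return count_hosts(targets) if reverse_dns else 0


def build_nmap_argv(targets, scan_type="normal", timing="normal",
                    custom_ports=None, detect_services=False,
                    reverse_dns=False):
    """Return the nmap argv equivalent to one USM scan configuration."""
    if scan_type == "custom":
        if not custom_ports:
            raise ValueError("custom scan needs a port list such as '22,80,443'")
        type_args = ["-p", custom_ports]
    else:
        type_args = list(SCAN_TYPES[scan_type])
    argv = ["nmap", *type_args, TIMING[timing]]
    if detect_services and scan_type != "ping":
        argv.append("-sV")              # service/version detection
        if "-O" not in argv:
            argv.append("-O")           # OS detection (needs raw-socket privileges)
    # One PTR lookup per scanned address is the DNS load the guide warns about.
    argv.append("-R" if reverse_dns else "-n")
    return argv + list(targets)


if __name__ == "__main__":
    targets = ["10.0.0.0/22", "192.168.1.10"]
    print(" ".join(build_nmap_argv(targets, "fast", "polite", reverse_dns=True)))
    print("reverse lookups, worst case:", dns_query_estimate(targets, True))
```

The function only builds the argument list rather than executing nmap, so the scan can be reviewed, and the DNS-query estimate compared with what the resolver can absorb, before any packet is sent.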


An Asset Discovery Scan takes time, depending on the number of scanned assets, selected scan type, and timing template. Once assets are scanned, the results will be displayed in a table below the scan configuration window. You can review the scanning results and decide to delete the results (CLEAR SCAN RESULTS), or update asset information in the database with the results (UPDATE DATABASE VALUES).

Note that the results of the asset discovery scan are not automatically added to the database. You must select the results and click Update Database Values.

In the scan above, the USM found three hosts. The scan detected that one of the assets is running the Microsoft Windows 7 operating system, with several services running on it, and that the other two assets are running Linux.


Once you update asset information in the database with the results of the discovery scan, you will be prompted that information about existing hosts in the database will be overwritten. This includes fields like Department in the asset properties.

If this is satisfactory, click OK.


When the database is updated, the USM will display the list of updated assets.

If there is already information that the USM views as more accurate, the USM will not overwrite that information, but will display a warning. If you wish to see more information on the warning, click the details icon.


Note that when you run a scan manually, the results are not added to the asset database automatically; you must add them yourself with UPDATE DATABASE VALUES. Only scheduled scans update the database automatically.


Navigate to ENVIRONMENT > ASSETS & GROUPS > SCHEDULE SCAN to enable periodic asset discovery. Click on SCHEDULE NEW SCAN.


Asset discovery can also be scheduled to occur periodically to find new assets:

1. In the displayed window, click NEW to create new scanning tasks.

2. Enter a name for the task, select a sensor from which the scan will be performed, and enter networks you want to scan.

3. Select scan type, timing template, and optionally enable auto detection of operating system and services and reverse DNS resolution.

4. Select scanning frequency. The provided options are Hourly, Daily, Weekly, and Monthly.

5. Enable scan and click SAVE to save the scan task.


Asset Groups


The figure shows a hierarchy of assets in the AlienVault Asset Management System. Assets are organized into networks based on IP addresses, where networks belong to locations. If required, assets can be organized into asset groups, which can span across many networks or locations. Additionally, networks can also belong to network groups.

Asset groups and network groups usually have functional names (e.g. critical assets, engineering network, DMZ). Assets and networks are not required to be part of either an asset group or a network group, respectively.

However, an asset is always part of a network by definition. In the example above, Asset 1 will always be part of the 172.16.4.0/24 network, even though it is not part of an asset group.

Also note that an asset group can span several networks, and those networks may or may not belong to a network group.


Asset groups are administratively created objects that group similar assets for a specific purpose. For example, you could group all network firewalls, or all servers running a Microsoft Windows Server operating system. Such groups are useful when performing tasks such as vulnerability assessment or asset discovery, or when you are interested only in events coming from specific devices. Assets can be grouped by various properties, including:

• Asset value

• Network

• Software running on assets

• Sensor that monitors assets

• Device type of asset

• Open port or services running on assets

• Location of assets

Asset groups are integrated into the USM workflow. They can be used for running reports, filtering alarms/events/raw logs, scans, policies, and directives for threat intelligence.


To create an asset group from the assets list, navigate to ENVIRONMENT > ASSETS & GROUPS > ASSETS. Next, select the desired assets. After selecting the desired assets, go to the ACTIONS menu and select Create/Add to Group.


This opens a dialogue box that lists any asset groups that already exist. If there is no existing asset group, or you do not want to use one, type the name of the New Group and click the “+” icon.


After the asset group is created, the USM will open the Group Details for the newly created asset group. This will look similar to the Asset Details screen.

The Group Details screen allows you to add assets directly to the group, edit the group, run scans, and toggle availability monitoring.

From this view, there are other tasks you can do in addition to editing the group:

• Add a note to the asset group

• See and manage the assets that are part of this group

• View vulnerabilities, alarms, events, availability, services, and notes to this asset group

From this view, you can also navigate to any asset that is a member of the specific asset group.


To edit an asset group, you can edit the asset group from the listing of asset groups under ENVIRONMENT > ASSETS & GROUPS > ASSET GROUPS. Alternatively, navigate to the desired Group Details and click Edit under the ACTIONS menu.

The group details that you can edit are the group name, owner, and description.


Networks and Network Groups


Every asset in USM belongs to a network. USM identifies networks by their CIDR notation and places assets into networks based on their IP addresses; networks in turn can be grouped into network groups for easier management.

Networks also define which assets are imported during asset discovery, and the asset list is organized by configured network for easier navigation and management.


To review already configured networks, navigate to ENVIRONMENT > ASSETS & GROUPS > NETWORKS. This will display a list of monitored networks.

The network list has a similar UI to the asset list. You will be able to examine details, run actions such as editing and deleting, and search networks.


The NETWORKS view has a similar search filter to assets and asset groups.


Networks are added to the USM automatically in three ways:

1. From the USM's own interfaces: the network of every IP address assigned to a USM interface is known to the USM, so an appliance with several interfaces contributes several networks.

2. Initially, the Getting Started Wizard in the USM All-in-One finds the monitored networks.

3. When you provide a network range to scan, the USM adds that network.

You can also add a network manually.

Select ADD NETWORK from the ACTION menu and fill in the appropriate fields. Click SAVE when you are done. You can also create networks by importing a CSV file. The file is semicolon-delimited with quoted fields and must begin with the header row below; a network with several CIDRs lists them comma-separated inside the single CIDRs field, as in the sample record:

"Netname";"CIDRs";"Description";"Asset Value";"Net ID"

"Perimeter Network";"192.168.10.0/24,192.168.9.0/24";"This is my network";"2";"479D45C0BBF22B4458BD2F8EE09ECAC2"

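To show what an importer has to accept, here is an added example (not AlienVault code) that parses a file in this format and then resolves which configured network an IP address belongs to by longest-prefix match, which is what makes every asset part of a network as described under Asset Groups. The header row and the first record are the ones shown above; the second record is constructed, and the validation rules (an integer asset value from 0 to 5, a 32-character hexadecimal Net ID when one is given) are assumptions about what USM checks, not documented behaviour.

```python
"""Parse the USM network-import CSV and resolve an asset's network.

Added example, not AlienVault code. The header row and the first sample
record are the guide's; the second record is constructed. The checks on
asset value (assumed 0-5) and Net ID (assumed 32 hex characters) are this
example's assumptions about the importer, not documented USM behaviour.
"""
import csv
import io
import ipaddress
import re

HEADER = ["Netname", "CIDRs", "Description", "Asset Value", "Net ID"]
NET_ID_RE = re.compile(r"^[0-9A-Fa-f]{32}$")

# Constructed sample: the guide's record plus one more, narrower network.
SAMPLE_CSV = (
    '"Netname";"CIDRs";"Description";"Asset Value";"Net ID"\n'
    '"Perimeter Network";"192.168.10.0/24,192.168.9.0/24";"This is my network";"2";"479D45C0BBF22B4458BD2F8EE09ECAC2"\n'
    '"Engineering";"192.168.10.128/25";"Engineering segment";"4";""\n'
)


def parse_network_csv(text):
    """Return a list of dicts, one per network, validating each record."""
    reader = csv.reader(io.StringIO(text), delimiter=";", quotechar='"')
    header = next(reader)
    if header != HEADER:
        raise ValueError(f"unexpected header row: {header}")
    networks = []
    for lineno, row in enumerate(reader, start=2):
        if not row:
            continue  # tolerate blank lines
        if len(row) != len(HEADER):
            raise ValueError(f"line {lineno}: expected {len(HEADER)} fields, got {len(row)}")
        name, cidrs, desc, value, net_id = row
        # Several CIDRs are comma-separated inside one semicolon-delimited field.
        nets = [ipaddress.ip_network(c.strip(), strict=True)
                for c in cidrs.split(",") if c.strip()]
        if not nets:
            raise ValueError(f"line {lineno}: no CIDR given for {name!r}")
        asset_value = int(value)
        if not 0 <= asset_value <= 5:  # assumed range
            raise ValueError(f"line {lineno}: asset value {asset_value} out of range")
        if net_id and not NET_ID_RE.match(net_id):  # assumed format
            raise ValueError(f"line {lineno}: Net ID is not 32 hex characters")
        networks.append({"netname": name, "cidrs": nets, "description": desc,
                         "asset_value": asset_value, "net_id": net_id or None})
    return networks


def network_for(ip, networks):
    """Longest-prefix match: the most specific configured network containing ip."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for net in networks:
        for cidr in net["cidrs"]:
            if addr in cidr and cidr.prefixlen > best_len:
                best, best_len = net, cidr.prefixlen
    return best


if __name__ == "__main__":
    nets = parse_network_csv(SAMPLE_CSV)
    for ip in ("192.168.9.7", "192.168.10.200", "10.1.1.1"):
        hit = network_for(ip, nets)
        print(ip, "->", hit["netname"] if hit else "no configured network")
```

A host in 192.168.10.128/25 is also inside 192.168.10.0/24; the longest-prefix rule assigns it to the narrower Engineering network, which is the behaviour you want when a DMZ or lab segment is carved out of a larger range.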

The Network Details screen displays various details of your network, in a layout similar to Asset Details.

In Network Details, you can see a snapshot of the network and the properties of the assets that belong to it. You can also show or hide the network's details, delete the network, and review the environment status of its assets together with suggestions.

On the right side of the screen, there is an action menu, edit icon, and a deletion icon for this specific network. Directly below that is a map, showing the network’s location if defined.

Below the map on the right side is the ENVIRONMENT STATUS. This displays whether or not HIDS, Automatic Asset Discovery, or Vulnerability Scan Scheduled are enabled for assets on this network. The status circle that is located next to the link can appear in three different colors:

• Red - Nothing is available.

• Green - Everything is available.

• Yellow - Some are available. Note this color will not be displayed for Vulnerability Scan Scheduled.


To edit the network, click the edit icon. The EDIT NETWORK dialogue box will open.

In this dialogue box, you can edit the network properties. The most common properties are name, network prefix (CIDR), owner, asset value, and description.


Networks can be grouped into network groups for administrative purposes. To create a network group, navigate to Environment > Assets & Groups > Network Groups.

Click NEW to create a new network group. Specify the name for the network group, a description, and select network group members from the network list. Click SAVE when you are done adding networks to the group.


Asset Labels


Asset labels are an additional organizational tool for your USM implementation. This allows you to assign a label for various device attributes (e.g. firewalls, switches, printers, etc.) that can help you with managing your USM environment.


The label icon is available on the ASSETS, ASSET GROUPS, and NETWORKS sub-menus under ENVIRONMENT > ASSETS & GROUPS.

To access the labels, click the label icon. This will open a dialogue box that will initially show no labels. If there are labels already created, they will appear in this box.

To create a new label, click Manage Labels.


Next, the MANAGE LABELS dialogue box will open. Here you will see any labels already created in the LABEL LIST. From here, you can delete or edit any pre-existing labels or create a new one.

You have a variety of colors to choose from for your label.

Once you have created the desired label, click SAVE.

Note that clicking SAVE will not assign a label to your assets or asset groups.


Once you have created a label, apply it to an asset:

1. Select the asset or assets by clicking the check box to the left of the asset.

2. Click the Labels icon.

3. Click the check box next to the label or labels you wish to apply to the selected asset(s).

4. Close the labels window.

Once a label is selected, it appears on the details screen of the corresponding asset. Labels can be applied to assets, asset groups, networks, and network groups, and more than one label can be applied to the same asset, network, or group.


Labels are the most flexible form for organizing assets. An asset, asset group, or network can have multiple labels.

For example, the assets above carry multiple labels: the Server2008 asset has the Windows and Lab Servers labels, whereas the fw-dmz asset has the Firewalls and Perimeter Network labels.


Module 4

Policies

This module describes AlienVault Unified Security Management (USM) policies.


USM Policy UI Overview


Policies are the USM configuration objects that allow you to configure how the system processes events once they arrive at the USM Server.

The figure shows where policies are evaluated in the USM Server processing pipeline. Policies are evaluated immediately after event collection, and influence further event processing.

Here are some examples of how to use policies to influence event processing:

• Perform risk assessment and correlation without storing events in the server database. This is typically done with firewall events, but could be done with any type of event.

• Store events in the USM Logger and not correlate the events. This is typically done if the events in question have no directives or cross-correlation rules to process them.

• Correlate events and forward them to another USM Server without storing them. In larger, distributed deployments, the USM components can be tiered to allow for additional scaling.

Filtering eliminates unnecessary event processing and improves the performance of the system (when implemented properly).

Policies are also often used to:

• Reduce false positive alarms

• Send an email notification

• Temporarily hide true positive alarms until corrective or preventative action takes place

• Increase the importance of a specific event


To configure policies, navigate to CONFIGURATION > THREAT INTELLIGENCE > POLICY.

Policies can be configured separately for events (the upper part of the screen) and directive events (the lower part of the screen). Since directive events are generated by the USM Server, you have the option to configure a policy for directive events generated only by an individual USM Server.

If required, you can configure policy groups, which allow you to group policies for administrative purposes.

By default, three policy groups exist: Default policy group, AV default policies, and Policies for events generated in server.

You can create your own policy groups by clicking the EDIT POLICY GROUPS button, and then providing a name for the group.

The red X and green check mark indicate if policy is disabled or enabled, respectively.


There are three policy groups in the USM:

• Default policy group - Used for new events only. Policies in this group control how the USM Server handles the matched events.

• AV default policies - A group for disabling or enabling the AVAPI policy. It also applies only to new events coming into the system. The AVAPI rule is disabled by default.

• Policies for events generated in server - A policy group for correlation events, which the USM Server generates from events that have already passed through the default policy group and the correlation directives.

Correlation directives are covered in detail in the next module.


Policies are composed of policy rules, which are applied in descending order. When an event is being processed, policy rules are evaluated in order from top down. When an event matches a rule, the system stops processing that event. This is the reason why very specific and restrictive rules should be defined at the top of the rules list, while generic rules should be specified at the bottom of the rules list.

The figure shows an example where 3 policy rules are configured:

• The first rule matches Cisco ASA events with source IP address of 10.128.10.15.

• The second rule matches all Cisco ASA events.

• The third rule matches Cisco ASA events with source IP address of 10.177.16.150.

Because the second rule is generic, it will match all Cisco ASA events. Therefore, the third rule, which is more specific, will never be evaluated. In order to correctly process events, the INTERNAL_NMAP rule should be placed before the FIREWALL_EVENTS rule.
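To make the first-match rule concrete, here is an added example (not AlienVault code) that evaluates a policy list top-down the way the guide describes and reports any rule that an earlier, broader rule hides. It encodes the three-rule example above: FIREWALL_EVENTS and INTERNAL_NMAP are the guide's rule names, ASA_HOST_A is an assumed name for the unnamed first rule, and the data source label and sample events are constructed. The conditions modelled (source, destination, data source, destination ports, time range) are the ones the following pages describe; their representation here is the example's own, not USM's internal format.

```python
"""First-match policy evaluation and shadowed-rule detection.

Added example, not AlienVault code. A rule is a set of conditions (source,
destination, data source, destination ports, time range; None means the
UI's ANY) plus a consequence dict. Rules are evaluated top-down and the
first match wins, so a broad rule placed above a narrower one hides it.
Rule names FIREWALL_EVENTS and INTERNAL_NMAP are the guide's; ASA_HOST_A,
the data source label and the events are constructed for this example.
"""
import ipaddress

ANY = None  # the UI's ANY: condition not set


def hours(span):
    """Expand a (start, end) hour window into a set; ANY means every hour."""
    if span is ANY:
        return set(range(24))
    start, end = span
    if start <= end:
        return set(range(start, end))
    return set(range(start, 24)) | set(range(0, end))  # window crossing midnight


def rule(name, src=ANY, dst=ANY, ds=ANY, dports=ANY, time=ANY, **consequence):
    return {
        "name": name,
        "src": ANY if src is ANY else [ipaddress.ip_network(n) for n in src],
        "dst": ANY if dst is ANY else [ipaddress.ip_network(n) for n in dst],
        "ds": ANY if ds is ANY else set(ds),
        "dports": ANY if dports is ANY else set(dports),
        "hours": hours(time),
        "consequence": consequence,
    }


def _in_nets(ip, nets):
    return nets is ANY or any(ipaddress.ip_address(ip) in n for n in nets)


def matches(r, ev):
    return (_in_nets(ev["src_ip"], r["src"]) and _in_nets(ev["dst_ip"], r["dst"])
            and (r["ds"] is ANY or ev["ds"] in r["ds"])
            and (r["dports"] is ANY or ev["dport"] in r["dports"])
            and ev["hour"] in r["hours"])


def first_match(rules, ev):
    """Rules are evaluated top-down; the first hit stops processing."""
    for r in rules:
        if matches(r, ev):
            return r
    return None


def _nets_covered(inner, outer):
    """Every network in `inner` lies inside some network in `outer`."""
    if outer is ANY:
        return True
    if inner is ANY:
        return False
    return all(any(i.version == o.version and i.subnet_of(o) for o in outer)
               for i in inner)


def _set_covered(inner, outer):
    return outer is ANY or (inner is not ANY and inner <= outer)


def covers(broad, narrow):
    """True if every event matching `narrow` would already match `broad`."""
    return (_nets_covered(narrow["src"], broad["src"])
            and _nets_covered(narrow["dst"], broad["dst"])
            and _set_covered(narrow["ds"], broad["ds"])
            and _set_covered(narrow["dports"], broad["dports"])
            and narrow["hours"] <= broad["hours"])


def shadowed(rules):
    """(rule, earlier rule) pairs where the earlier rule makes the later unreachable."""
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                out.append((later["name"], earlier["name"]))
                break
    return out


# The guide's three-rule example, in the order that hides the third rule.
POLICY = [
    rule("ASA_HOST_A", src=["10.128.10.15/32"], ds={"cisco-asa"}, siem=True, logger=True),
    rule("FIREWALL_EVENTS", ds={"cisco-asa"}, siem=False, logger=True),  # all ASA events
    rule("INTERNAL_NMAP", src=["10.177.16.150/32"], ds={"cisco-asa"}, siem=True, logger=True),
]
FIXED = [POLICY[0], POLICY[2], POLICY[1]]  # INTERNAL_NMAP moved above FIREWALL_EVENTS

if __name__ == "__main__":
    ev = {"src_ip": "10.177.16.150", "dst_ip": "10.0.0.1", "ds": "cisco-asa", "dport": 443, "hour": 4}
    print("as configured:", first_match(POLICY, ev)["name"], "shadowed:", shadowed(POLICY))
    print("reordered:    ", first_match(FIXED, ev)["name"], "shadowed:", shadowed(FIXED))
```

Running the shadow check before saving a policy list catches the ordering mistake the figure illustrates: with the broad FIREWALL_EVENTS rule second, the scanner's events take FIREWALL_EVENTS' consequences and INTERNAL_NMAP never fires; moving INTERNAL_NMAP above it restores the intended handling.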


USM Policies for Events


Policies are composed of conditions and consequences. Conditions determine which events are processed by the policy. Consequences define what will happen to events matching the specified conditions.

If a field is not currently filled in, it will appear yellow. For example, the source and destinations are not filled in when a policy is first created. Therefore, those fields will appear yellow on a new policy.


Policy conditions include the source and destinations of events. Source and destination are a pre-defined asset, asset group, network, or network group. You can also choose ANY if you want the policy to apply to any source and/or any destination.

• SOURCE - Defines assets, asset groups, networks, or network groups as the source IP address of the event.

• DESTINATION - Defines assets, asset groups, networks, or network groups as the destination IP address of an event.


For source or destination ports, you can designate multiple values for UDP and TCP ports. For example, you can set up a port group called DNS with both UDP port 53 and TCP port 53.

• SOURCE PORTS - Defines TCP or UDP source port of an event.

• DESTINATION PORTS - Defines TCP or UDP destination port of an event.


Event types define the events that will be processed by this policy.

There are two different ways to identify the event types that you want to match the policy.

• Use Data Source (DS) Groups to select events by data source

• Use Taxonomy to select events by event type.


In addition to selecting an existing data source group, you can create a new one by selecting the desired data sources or event types.


Once you’ve selected the desired data types, click UPDATE to add a new data type.


After you’ve created your new data source group, select it in the list box.


Next, select the security classification (Taxonomy). This can be refined to category and subtype.


To access the other conditions, click ADD MORE CONDITIONS. This will bring up a dialogue box with the available options. The available options are:

• Sensors

• Reputation

• Event priority

• Time range


The SENSORS panel allows you to match events based on the USM Sensor that collected and normalized the event.


The REPUTATION panel allows you to match events based on the reputation of either source or destination IP address of an event.


The EVENT PRIORITY panel allows you to match events based on the priority and reliability of an event.


TIME RANGE is a time window for matching events. For example, if you want to email an administrator about a successful login to the HR server between 3 am and 6 am, you can set up a policy that does exactly that.


Consequences define what will happen when events meet the specified condition. The first policy consequence you can assign is an action. There are three possible actions that you can configure in USM:

• Send an email to a preconfigured email address

• Execute a command to invoke a script on the USM

• Open a ticket in the internal USM ticketing system


The SIEM consequence determines how the USM Server will process events. In almost all cases, you want to use the power of the SIEM within the USM to correlate events that arrive at the USM Server.

If you enable the SIEM capability, you can then select to enable or disable several options:

• Change the priority of events

• Perform risk assessment of events

• Perform logical correlation of events

• Perform cross-correlation of events

• Store events in the SIEM SQL database

Note that if you disable the SIEM option, this will disable the other options within the SIEM consequence.
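
The following Python model, added here as an illustration and not part of AlienVault's code, ties the conditions and consequences above together: it evaluates the off-hours HR login policy from the TIME RANGE example, applies the priority change and action consequences, and shows what disabling the SIEM consequence does to an event. The risk formula it uses, asset value × priority × reliability / 25, is the USM risk calculation (it is not stated on this page); the policy order, field names, the default asset value of 2 and every event are constructed for the example.

```python
from dataclasses import dataclass, field, replace
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Event:
    name: str
    plugin: str          # data source name (constructed, e.g. "ssh")
    src_ip: str
    dst_ip: str
    priority: int        # 0-5
    reliability: int     # 0-10
    timestamp: datetime


@dataclass
class Consequences:
    actions: list = field(default_factory=list)   # "email", "exec", "ticket"
    siem: bool = True                             # process with the SIEM at all
    set_priority: Optional[int] = None            # "Change the priority of events"
    risk_assessment: bool = True
    store_in_sql: bool = True
    logger: bool = True                           # store in the USM Logger


@dataclass
class Policy:
    name: str
    consequences: Consequences
    sources: list = field(default_factory=lambda: ["0.0.0.0/0"])
    destinations: list = field(default_factory=lambda: ["0.0.0.0/0"])
    plugins: Optional[set] = None     # DS group; None matches any data source
    min_priority: int = 0
    min_reliability: int = 0
    window: Optional[tuple] = None    # (start, end) local time; may wrap midnight


def in_window(ts: datetime, window) -> bool:
    if window is None:
        return True
    start, end = window
    t = ts.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end      # e.g. 22:00-06:00 wraps past midnight


def in_any(ip: str, nets) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(n) for n in nets)


def matches(p: Policy, ev: Event) -> bool:
    return (in_any(ev.src_ip, p.sources) and in_any(ev.dst_ip, p.destinations)
            and (p.plugins is None or ev.plugin in p.plugins)
            and ev.priority >= p.min_priority
            and ev.reliability >= p.min_reliability
            and in_window(ev.timestamp, p.window))


def risk(asset_value: int, ev: Event) -> float:
    # USM risk formula: asset value (0-5) x priority (0-5) x reliability (0-10) / 25
    return asset_value * ev.priority * ev.reliability / 25


def apply_policies(policies, ev: Event, asset_values: dict) -> dict:
    """Process one event the way the USM Server would: the first matching policy
    wins; with no match the defaults apply (no action, SIEM on, event stored)."""
    policy = next((p for p in policies if matches(p, ev)), None)
    c = policy.consequences if policy else Consequences()
    out = {"policy": policy.name if policy else None, "actions": list(c.actions),
           "logged": c.logger, "stored": False, "risk": None, "alarm": False}
    if not c.siem:                    # disabling SIEM disables all its sub-options
        return out
    if c.set_priority is not None:
        ev = replace(ev, priority=c.set_priority)
    if c.risk_assessment:
        # simplification: USM scores source and destination separately; here the
        # higher of the two asset values is used (2 assumed for unknown assets)
        av = max(asset_values.get(ev.src_ip, 2), asset_values.get(ev.dst_ip, 2))
        out["risk"] = risk(av, ev)
        out["alarm"] = out["risk"] >= 1   # an alarm is an event with risk >= 1
    out["stored"] = c.store_in_sql
    return out


# constructed policies, asset values and events
HR_SERVER = "10.0.20.5"
ASSET_VALUES = {HR_SERVER: 5}
POLICIES = [
    Policy("Ignore vulnerability scanner", Consequences(siem=False),
           sources=["10.0.0.9/32"]),
    Policy("HR server off-hours login", Consequences(actions=["email"], set_priority=4),
           destinations=[HR_SERVER + "/32"], plugins={"ssh"},
           window=(time(3, 0), time(6, 0))),
]


def sample_events():
    return [
        Event("SSH login success", "ssh", "10.0.5.7", HR_SERVER, 1, 3, datetime(2017, 3, 1, 4, 12)),
        Event("SSH login success", "ssh", "10.0.5.7", HR_SERVER, 1, 3, datetime(2017, 3, 1, 14, 12)),
        Event("Port scan", "nids", "10.0.0.9", HR_SERVER, 3, 5, datetime(2017, 3, 1, 4, 30)),
    ]


def run():
    return [apply_policies(POLICIES, ev, ASSET_VALUES) for ev in sample_events()]


if __name__ == "__main__":
    for ev, r in zip(sample_events(), run()):
        print(ev.timestamp.time(), ev.name, "->", r)
```

Running it shows the three outcomes a policy table can produce: the 04:12 login matches the HR policy, is raised to priority 4, scores 5 × 4 × 3 / 25 = 2.4 and becomes an alarm with an email action; the same login at 14:12 matches nothing, keeps priority 1, scores 0.6 and is merely stored; the scanner's events hit the first policy, skip the SIEM entirely (no risk, no storage) but are still written to the Logger. Policy order matters: if the scanner policy were listed second, a scanner event that also matched an earlier policy would never reach it.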

The LOGGER consequence defines whether the USM Logger will store events, and how stored events will be signed. By default, all events are logged and digitally signed in the USM Logger.

Line signing will only be selectable if the server is configured to support it. If you mouse-over the word Line, an explanatory pop-up will be shown.

The FORWARDING consequence defines whether events will be forwarded to another USM Server or USM Logger. The default setting is No. Selecting Yes only works if other USM Servers or USM Loggers have previously been configured in the USM.

USM Policies for Directive Events

Like a policy for events, a policy for directive events is composed of conditions and consequences. Conditions determine which events are processed by the policy. Consequences define what will happen to events matching the specified conditions.

However, a policy for directive events has fewer conditions and consequences, since such policies are designed to match only directive events created within the specific USM Server.

Choosing Data Source (DS) Groups for directive event policies works differently than for event policies.

By default, you can choose only all Directive events; no other directive event groups are listed. To have additional choices, click INSERT NEW DS GROUP.

Actions for directive event policies work the same way as the actions for policies.

SIEM consequences for directive event policies work the same way as the SIEM consequences for event policies.

Module 5

Security Analysis This module describes security analysis of alarms and events produced by AlienVault Unified Security Management (USM).

Security Analysis Process

When an alarm is triggered in the USM you should take action.

The system uses alarms to let you know that it has found an event, or pattern of events, that should be investigated. You might determine that the alarm represents a genuine security issue, which will require you to act to remediate it. On the other hand, if the alarm is not a concern, you can tune the USM so that it shows only relevant alarms in the future. Either way, following a sound security analysis approach is essential to obtaining the full value from your investment in the USM.

The figure shows the overall security analysis process in the USM, comprising the following steps:

• Examine the USM dashboards to see the overall security posture of networks that are monitored by the system and look for unusual events.

• Examine the USM alarms. You should also see if there are any tickets pending your actions.

• If available, examine OTX data for IOCs or IP addresses involved in the alarms. Also examine external resources that could help you determine whether an attack is real.

• Examine other events that may be related to the alarms you are investigating.

• Examine assets that are involved in the alarms. Pay attention to any detected vulnerabilities in assets.

• Examine raw logs in the USM Logger if you want to know if there are any related logs that were not sent to the USM Server, or if you need logs as evidence.

• If required use a packet capture of the offending traffic to perform an offline analysis on another system (not shown in the figure).

• Report your findings to the appropriate parties, depending on the severity.

We will cover reporting in Module 15.

Overview Dashboards

To search for events in the USM that might require your attention, first look at the ENVIRONMENT SNAPSHOT area of the user interface. Pay attention to the number of open tickets and unresolved alarms.

You can navigate directly to the OPEN TICKETS and UNRESOLVED ALARMS section of the user interface by clicking the number of open tickets or unresolved alarms respectively.

Navigate to DASHBOARDS > OVERVIEW to examine the threat level of networks that are being monitored by the USM. In the next few slides you will see several dashboards that can help you determine the overall security posture and find unusual behavior.

The EXECUTIVE dashboard at DASHBOARDS > OVERVIEW > EXECUTIVE shows an overview of the network. Pay attention to the overall threat level of the network and to Top 10 event categories to determine top event types that threaten your network.

The upper right pod in the OVERVIEW Dashboard shows the top OTX activity in your USM. This shows the five OTX pulses that generated the most events in your environment.

To see information about alarms and events that are stored in the system navigate to DASHBOARDS > OVERVIEW > SECURITY. Pay attention to hosts with many events and to hosts that have promiscuous behavior. Also pay attention to the top five alarms and the top five events.

The NETWORK dashboard at DASHBOARDS > OVERVIEW > NETWORK shows information about network trends and statistics. This information is provided by NetFlow, which is used to collect and transmit information about network traffic flow. Pay attention to abrupt changes that deviate from expected traffic patterns. Examine the source and destination IP addresses and source and destination ports of such flows. Use that information to search if there are any related events or alarms.

The NETWORK tab is not shown by default. You have to enter the edit mode of dashboards by clicking the pen icon at the right side of the screen and adding the tab to the dashboard layout.

OTX has its own dashboard in the USM. The first section shows OTX pulses statistics:

• Subscribed pulses

• Indicators or IOCs

• Last updated

• Number of alarms and events

The second section shows events from the twenty most active OTX pulses for the past week. The more events a pulse generated on a given date, the bigger the circle drawn for it.

Below the Events from Most Active OTX Pulses, there’s a trend graph that shows events from all OTX pulses.

The OTX IP reputation dashboard is below the OTX pulse data; scroll down past the pulse data to reach it. At the top of the dashboard, you can use the drop-downs to change the OTX data you see: all OTX reputation data, or only the reputation data that affects you or appears in your security events.

You will see two sections: an OTX IP reputation map and the OTX IP reputation statistics. The statistics include general statistics on unique IP addresses and updated OTX data. The other statistics include malicious IP addresses by activity and top 10 countries generating OTX activity.

Remediating Alarms

When performing a security analysis you should always look at the alarms. These are special events that have a risk equal to or greater than one.

Alarms can be a result of a single event or can be the result of a directive event created through correlation rules. Since alarms indicate events with high risk, they require immediate investigation and remediation.

Navigate to ANALYSIS > ALARMS to examine alarms. The upper part of the screen is the search. The middle part of the screen represents alarms in a graphical way. The lower part of the screen displays a list of alarms sorted by date by default.

You can use filters to search for specific alarms. Click SEARCH AND FILTER to reveal the search input fields. Specify the search filter by populating the input fields.

For example, you can filter for alarms coming only from a specific sensor, on OTX reputation data, for alarms with a specific name, or for alarms involving specific source and destination IP addresses. To filter alarms by date, select starting and ending dates. Click SEARCH to see the search results. The results are displayed both in the graphical view and in the alarms list.

The horizontal axis of the graphical view represents the dates of alarms while the vertical axis represents the intent of alarms. The size of each blue circle specifies the number of alarms of a specific intent in a specific time frame. You can click a blue circle to display only alarms of a specific intent and in a specific time frame.

Navigate to ANALYSIS > ALARMS. When you are filtering alarms, you can filter on a specific OTX Pulse to see all alarms generated from a specific pulse or filter to see all alarms generated from any OTX pulses.

Alarms are listed in rows where one row represents one alarm. The following information is displayed about an alarm in columns:

• DATE of an alarm.

• STATUS of an alarm: Open, Closed or being correlated.

• INTENT & STRATEGY of an alarm.

• METHOD of an alarm.

• OTX data if available

• RISK of the alarm as calculated by risk assessment. The minimum risk of an alarm is one.

• SOURCE displays source IP address of traffic triggering the alarm. An orange circle next to the IP address indicates that OTX data is available for the IP address.

• DESTINATION displays the destination IP address of the traffic triggering the alarm. An orange circle next to the IP address indicates that OTX data is available for the IP address.

Alarms can be sorted in descending or ascending order. Alarms with OTX data indicate activity involving hosts with a known bad reputation.

Click an alarm to expand it and see more information about the alarm. When an alarm is expanded you have the following options available:

• ATTACK PATTERN shows whether the traffic triggering the alarm is reaching your assets from elsewhere or coming from your assets.

• View details about the alarm by clicking the VIEW DETAILS button.

• Close the alarm by clicking the CLOSE button.

• Delete the alarm by clicking the DELETE button.

• Label the alarm as a false positive or as analysis in progress by clicking APPLY LABEL. These labels can then be used when searching for alarms.

When you click VIEW DETAILS the details about an alarm are shown. On the upper part of the screen you can examine information about the source and the destination of the traffic triggering the alarm. You can also see the recommended knowledge base article with the information about the alarm.

In the example you can see the alarm trigger and the description. In addition to that, the USM provides you with Directive ID and source and destination information. In the example above you can see details of a Command and Control (C&C) communication, which represents botnet behavior.

Clicking on the OTX Indicators for pulses or OTX IP reputation will open up a box with the OTX details.

In the example, you can see the alarm trigger and the description. In addition to that, the USM provides you with Directive ID and source and destination information.

On the lower part of the screen, you will see individual events that triggered the alarm. If the alarm is a result of a directive event then you will see individual events and a directive event that was created by these individual events.

You can examine details about a single event by clicking the name of the event.

If an alarm has OTX data associated with it, it will appear in the alarm list. Events and Alarms with OTX data have two colors:

• Orange – security events that were generated from a pulse

• Blue – security events that include OTX IP reputation data

Security events that were generated from an OTX pulse and also include IP reputation information will appear orange.

If an event listed in an alarm has a blue OTX icon, clicking on it will bring up details about the OTX IP Reputation.

If an event listed in an alarm has an orange OTX icon, clicking on it will bring up details about the OTX pulse.

Investigate Events

When investigating an alarm, it is also useful to check whether there are related events in the SIEM database that were not correlated by the correlation engine. For example, you can search for events from the same host as the offending traffic that triggered the alarm.

You can search for events by navigating to ANALYSIS > SECURITY EVENTS (SIEM) > SIEM. Events are listed in the lower part of the screen while the upper screen displays filters that can be used to find events. You can also click ADVANCED SEARCH to specify a more granular search.

In the example, the filter is specified to find only events that are related to the source IP address that was reported in the alarm discussed previously.

You can sort the events based on the event name, date, and sensor that detected the event, source or destination IP address and risk. You can examine details about an event by clicking the event.

Recall that based on the configured policies some events may not be stored in the SIEM database but are still correlated and assessed by the risk assessment engine to create alarms.

Look for events that are related to alarms but that were not correlated by the correlation engine. If you observe that scenario, you should consider customizing or creating custom directive rules.
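
As an added example, not part of the course material, the following Python carries out the pivot just described on a constructed set of SIEM events: starting from an alarm, it collects events involving the same hosts inside a time window, drops the ones the correlation engine already folded into the alarm, and tags the rest with the OTX colour USM uses (orange for pulse indicators, blue for IP reputation only). The alarm, the events, the pulse and the reputation entries are all made up.

```python
from collections import Counter
from datetime import datetime, timedelta

# constructed OTX data: pulse indicators and IP reputation entries
PULSE_IOCS = {"198.51.100.23": "Example C&C pulse"}
IP_REPUTATION = {"198.51.100.23": "C&C", "203.0.113.9": "Scanning Host"}


def otx_color(*ips):
    """Colour USM gives an event's OTX badge: orange if any address is a pulse
    IOC (orange wins even when reputation data is also present), blue if an
    address only has IP reputation data, None otherwise."""
    if any(ip in PULSE_IOCS for ip in ips):
        return "orange"
    if any(ip in IP_REPUTATION for ip in ips):
        return "blue"
    return None


def related_events(alarm, events, window=timedelta(hours=1)):
    """Events involving the alarm's hosts within +/- window of the alarm that
    the correlation engine did not already fold into it."""
    lo, hi = alarm["timestamp"] - window, alarm["timestamp"] + window
    hosts = {alarm["src_ip"], alarm["dst_ip"]}
    found = []
    for ev in events:
        if ev["id"] in alarm["event_ids"]:
            continue                         # already part of the alarm
        if not lo <= ev["timestamp"] <= hi:
            continue
        if not {ev["src_ip"], ev["dst_ip"]} & hosts:
            continue
        found.append({**ev, "otx": otx_color(ev["src_ip"], ev["dst_ip"])})
    return found


def summarize(related):
    """Counts per event name: a tally of what the directive currently misses."""
    return Counter(ev["name"] for ev in related)


# constructed alarm and SIEM events
ALARM = {"name": "C&C communication", "src_ip": "10.0.5.7", "dst_ip": "198.51.100.23",
         "timestamp": datetime(2017, 3, 1, 4, 0), "event_ids": {1, 2}}
T0 = ALARM["timestamp"]
EVENTS = [
    {"id": 1, "name": "Outbound C&C beacon", "src_ip": "10.0.5.7", "dst_ip": "198.51.100.23", "timestamp": T0},
    {"id": 2, "name": "Outbound C&C beacon", "src_ip": "10.0.5.7", "dst_ip": "198.51.100.23", "timestamp": T0 + timedelta(minutes=5)},
    {"id": 3, "name": "DNS query", "src_ip": "10.0.5.7", "dst_ip": "10.0.0.53", "timestamp": T0 - timedelta(minutes=2)},
    {"id": 4, "name": "Outbound connection", "src_ip": "10.0.5.7", "dst_ip": "203.0.113.9", "timestamp": T0 + timedelta(minutes=10)},
    {"id": 5, "name": "DNS query", "src_ip": "10.0.5.8", "dst_ip": "10.0.0.53", "timestamp": T0},
    {"id": 6, "name": "Outbound connection", "src_ip": "10.0.5.7", "dst_ip": "203.0.113.9", "timestamp": T0 + timedelta(hours=6)},
]


def investigate():
    rel = related_events(ALARM, EVENTS)
    return rel, summarize(rel)


if __name__ == "__main__":
    rel, counts = investigate()
    for ev in rel:
        print(ev["timestamp"].time(), ev["name"], ev["src_ip"], "->", ev["dst_ip"], ev["otx"])
    print(dict(counts))
```

The two beacons are skipped because the alarm already contains them; what remains is the DNS lookup two minutes before the first beacon and a connection to a second address that carries IP reputation data but sits in no pulse (so it is blue, not orange). Those are exactly the events the last paragraph tells you to look for: if they recur across alarms, they are candidates for a custom directive rule so the next alarm includes them.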

Navigate to ANALYSIS > SECURITY EVENTS (SIEM). When you click an individual event details about the event are shown. Here you can examine the normalized event and security event information. You can see the asset value of the source and destination assets, the event priority, event risk and the event reliability. You can also examine the reputation data of source and destination IP addresses (if it is available).

Additionally, if the event is network related, you can also examine the packet triggering the event by examining the payload of the packet in the details window.

From here, you have three filters to view events in relation to OTX:

• OTX IP REPUTATION – Expand the list to show the set of IP Reputation filters. Filter by severity or by the type of activity that the IP address has been identified doing.

• OTX PULSE – Search on a specific OTX pulse to see all events generated from the IOCs included in that pulse.

• ALL OTX ACTIVITY – Checking this box displays only events that were generated from OTX pulses.

Below the search filter, you will see a list of events that matches your search.

If an event has OTX data associated with it, it will appear in the event list. Events and Alarms with OTX data have two colors:

• Orange – security events that were generated from a pulse

• Blue – security events that include OTX IP reputation data

Security events that were generated from an OTX pulse and also include IP reputation information will appear orange.

When you click the blue OTX icon (if available) in the list of security events, the OTX IP reputation dialogue will be displayed.

When you click the orange OTX icon (if available) in the list of security events, the OTX pulse dialogue will be displayed.

If you wish to investigate an event, click on the view details icon. This will display several details about the event, including a raw log that triggered the event.

In the event details, you can see the number of IOCs or OTX IP reputation data that relate to a specific event. If you click on that number, the OTX details will appear in a dialogue box.

The next step when examining alarms is to check information about an asset involved in an alarm. Navigate to ENVIRONMENT > ASSETS & GROUPS > ASSETS to search for the asset that is involved in the alarm you are investigating.

Verify the operating system and services to confirm that the alarm triggered is valid and needs to be investigated further.

When examining assets you should also pay attention to any vulnerabilities that are detected by vulnerability scans. You can also examine all reported alarms and events the asset was involved in to find any related activity to the alarm you are analyzing.

For example, if you see vulnerabilities in an asset, examine them and determine the severity of each vulnerability.

Detecting and examining vulnerabilities is covered in the “Threat Detection” module.

Check Raw Logs

When examining an alarm you can also find additional information by examining raw logs that are stored in the USM Logger. Recall that raw logs are digitally signed to ensure the integrity of the data.

Navigate to ANALYSIS > RAW LOGS and search for any raw logs that are related to the activity reported by an alarm. You can filter for logs by selecting a time range in the chart or by selecting predefined time ranges. You can specify a search pattern in the SEARCH input field to limit the display of the logs.

You can examine details about a log by clicking and expanding the log.

You can also verify the integrity of a log by verifying the log signature. Click the Validate button at the right side of each log to verify whether a log has been altered. In the example, signature verification succeeded which means that the log has not been changed since it was initially signed.
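
To show what the Validate check is actually testing, here is a simplified line-signing scheme in Python, added as an example; it is not the USM Logger's format or key handling. Each stored line gets an HMAC-SHA256 tag that also covers the previous line's tag, so a modified line, a deleted line or a wrong key is reported at the first line that no longer verifies. The key and the log lines are constructed.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"     # a real Logger would hold a properly generated secret


def sign_lines(lines, key=KEY):
    """Attach an HMAC-SHA256 tag to every line. The tag also covers the previous
    line's tag, so the stored lines form a chain."""
    prev = b""
    signed = []
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).hexdigest()
        signed.append((line, tag))
        prev = tag.encode()
    return signed


def validate(signed, key=KEY):
    """Return the index of the first line that fails validation, or None."""
    prev = b""
    for i, (line, tag) in enumerate(signed):
        expect = hmac.new(key, prev + line.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, tag):
            return i
        prev = tag.encode()
    return None


# constructed raw log lines
LOGS = [
    "Mar  1 04:12:01 hr-srv sshd[2231]: Accepted password for jdoe from 10.0.5.7 port 51022 ssh2",
    "Mar  1 04:12:01 hr-srv sshd[2231]: pam_unix(sshd:session): session opened for user jdoe",
    "Mar  1 04:13:40 hr-srv sudo: jdoe : TTY=pts/0 ; PWD=/home/jdoe ; COMMAND=/bin/cat /etc/shadow",
]


def demo():
    signed = sign_lines(LOGS)
    # an attacker rewrites the sudo line in the store but keeps the stored tag
    line, tag = signed[2]
    tampered = signed[:2] + [(line.replace("/etc/shadow", "/etc/hostname"), tag)]
    # the attacker instead deletes the session line entirely
    deleted = signed[:1] + signed[2:]
    return {
        "intact": validate(signed),
        "modified": validate(tampered),
        "deleted": validate(deleted),
        "wrong_key": validate(signed, key=b"other-key"),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats matter when such logs are to serve as evidence. An HMAC is symmetric, so anyone holding the key can re-sign a forged line; a deployment that cares about this keeps the key off the box that stores the logs or uses asymmetric signatures. And deleting the last line of a chain is only detectable if the final tag is recorded somewhere the attacker cannot reach.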

You can export raw logs to a text file for offline analysis or as evidence.

To export logs, search for the logs you are interested in and click EXPORTS. You can then export only the logs shown on the screen by clicking Screen export, or the entire search result by clicking Entire export. Note that Entire export is limited to 249,999 logs. Once you have selected the logs to export, click the download icon to complete the process.

File Tickets

The USM has its own ticketing system that can be used to delegate tasks to other administrator users and to track the progress of investigations into specific alarms and events.

Navigate to ANALYSIS > TICKETS to see a list of tickets. Tickets are listed in rows. The following information is displayed for each ticket:

• Ticket identifier

• Ticket title

• Ticket priority

• Date of creation of the ticket

• Life time of the ticket

• Administrative user that is in charge of resolving the ticket

• Administrative user that submitted the ticket

• Type of the ticket

• Status of the ticket

• Extra information about the ticket, including tags

You can filter the displayed tickets by populating the input fields in the FILTERS section of the screen. You can also close several tickets at the same time by checking the box to the left of a ticket identifier and clicking CLOSE SELECTED.

Tickets can be opened in several ways:

• Automatically as a result of a configured policy.

• Automatically in response to vulnerabilities detected by a vulnerability scan of an asset.

• Manually during alarm investigation when examining details of an alarm.

• Manually, unrelated to any alarm or event.

To open a ticket during an alarm investigation click CREATE TICKET from the ACTIONS menu when examining details about an alarm. A new window opens where you can enter information about the ticket. The majority of the input fields are already populated from the alarm details. You need to select the priority of the ticket and assign the ticket to an administrative user.

To view the details of a ticket or edit it, click the ticket title. From there, click the edit icon in the upper right corner. This opens a subsequent screen where you can make changes to the ticket:

• Change the status of the ticket. The status options are open, assigned, studying, waiting, testing, and closed.

• Change the priority of the ticket using numeric values (from 1 to 10) or descriptive values (low, medium, high).

• Transfer the ticket to another administrative user.

• Attach a file to the ticket.

• Provide a description of the changes that were made regarding the opened ticket.

• Describe actions that were taken regarding the opened ticket.

Click SAVE when you are done editing the ticket. The changes will be saved and shown in the ticket details. Each change is saved as a separate entry in the ticket.

You can also delete a ticket that is no longer relevant by clicking the corresponding icon in the upper right corner of the screen.

Report Findings

AlienVault Unified Security Management (USM) has an internal reporting system that you can use to generate reports to meet your business and management needs. The reporting system uses a module-based approach, with over 2,600 components available, so reporting modules can be combined into a single report in virtually unlimited ways. Examples include reports on the information required for compliance, vulnerabilities, alarms, events, assets, and so on.

AlienVault Threat Intelligence Updates continually refresh the AlienVault USM report modules, providing you with new views of the data about your environment.

You can run reports either immediately through the web UI or schedule them by creating a scheduler task that runs them once or periodically. After AlienVault USM generates a report, you can view it directly in the web UI as HTML, or download it or send it via email as a PDF document.

You can also customize reports to meet your business needs, both in terms of content and “look and feel” (company logo, color palette, and so on).

To run a report immediately, navigate to Reports > All Reports and search for the report you want to run. Alternatively, select a report category from the REPORTS drop-down menu to display only the reports from that family.

You can use the Categories section on the right side of the screen to display only the desired report category. Check the box to the right of a report family name to display only the reports from that family.

If you selected a specific report family from the REPORTS drop-down menu, that report family category is already selected.

You can also filter the displayed reports by entering a report name into the Search field. The search results update as you type.

You can display the details of a report by clicking the report name. The details show which modules are included in the report. In the example, the details of the Alarm Report are shown. The report uses the Default layout and consists of the Title Page and the following modules:

• Alarms – Top Attacked Host

• Alarms – Top Attacker Host

• Alarms – Top Destination Ports

• Alarms – Top Alarms

• Alarms – Top Alarms by Risk

Execute the report by clicking the Run icon.

Depending on the report type, the date range, and the number of assets, it may take a while for the system to generate the report. Once generated, the report is displayed in the web UI as an HTML document. You can either download the report as a PDF document or send it to a defined email address.

To enable sending reports via email, you have to correctly configure AlienVault USM with a mail relay server. You can do this by navigating to Configuration > Deployment > Components > AlienVault Center > [Your USM] > General Configuration > Mail Server Relay.

Launchpad

Course Review

Overview

This module provides a course review.

Course Wrap Up

The Launchpad course gets you started by helping you verify that the system is operating, work with your assets, do some work on policies, and finally look at dashboards and alarms to begin the process of security analysis. It is an excellent way to start understanding the power of USM, but it does not give the complete coverage that you get in the AlienVault USM for Security Engineers (AUSE) class.

Take AlienVault USM for Security Engineers to learn about working with different data sources and how to correlate data. That course also covers how to use the different reports, customize them, and use them to manage compliance challenges, as well as the ins and outs of threat detection.

AlienVault USM for Security Engineers

Join the Open Threat Exchange