AlienVault Launchpad

Getting Started with USM


Version 5.3 Rev A

Student Guide
2 Launchpad v5.3 rev A Copyright© 2017 AlienVault. All rights reserved.
Table of Contents
Course Introduction...................................................................................................................1
Overview ............................................................................................................................................... 1
Course Introduction .............................................................................................................................. 2
Overview ..................................................................................................................................1-1
AlienVault USM Overview.................................................................................................................. 1-3
USM Architecture ............................................................................................................................. 1-10
AlienVault Labs and OTX ................................................................................................................ 1-14
Verifying Operations...............................................................................................................2-1
AlienVault USM User Interface .......................................................................................................... 2-3
USM Settings and Support ................................................................................................................ 2-7
AlienVault USM Primary Menu ........................................................................................................ 2-12
Environment Snapshot .................................................................................................................... 2-19
Verify Basic Operations ................................................................................................................... 2-22
Asset Management .................................................................................................................3-1
Asset Overview .................................................................................................................................. 3-3
Navigating the Assets UI ................................................................................................................... 3-6
Managing Assets ............................................................................................................................. 3-11
Adding Assets .................................................................................................................................. 3-21
Asset Discovery Scans .................................................................................................................... 3-26
Asset Groups ................................................................................................................................... 3-35
Networks and Network Groups ........................................................................................................ 3-42
Asset Labels .................................................................................................................................... 3-50
Policies ....................................................................................................................................4-1
USM Policy UI Overview.................................................................................................................... 4-3
USM Policies for Events .................................................................................................................... 4-8
USM Policies for Directive Events ................................................................................................... 4-26
Security Analysis ....................................................................................................................5-1
Security Analysis Process ................................................................................................................. 5-3
Overview Dashboards ....................................................................................................................... 5-5
Remediating Alarms ........................................................................................................................ 5-13
Investigate Events ........................................................................................................................... 5-26
Check Raw Logs .............................................................................................................................. 5-37
File Tickets ....................................................................................................................................... 5-41
Report Findings................................................................................................................................ 5-45
Course Review ........................................................................................................................6-1
Overview ............................................................................................................................................ 6-1
Course Wrap Up ................................................................................................................................ 6-2
Launchpad

Course Introduction
Overview
This module provides an introduction to the course.
Course Introduction

This course is designed to accelerate the student’s ability to properly operate the
AlienVault USM solution. Students will gain a clear understanding of AlienVault’s Open
Threat Exchange (OTX) and gain the knowledge and skills to manage users, identify
assets, and remediate security threats using the AlienVault USM solutions.
This one-day course gives security engineers, analysts, and project team members an
orientation to AlienVault USM. It is designed to accelerate your awareness of the full
range of features in the USM platform, making you more effective.
You will learn the basic architecture of AlienVault USM and how it helps to protect your
organization. You'll also build a basic understanding of how to detect and respond to
threats.
Next, you'll learn how to control and monitor access to the system with User
Management. You'll then learn how to ensure that the system is operating properly
and how to work with assets.
Finally, you'll see how to turn the data that's coming from the system into valuable
information and action.

This course is designed as an introduction to operating USM after initial professional
services engagement covering installation and initial configuration.



As you complete the course, refer freely to our Documentation Center for additional
information or to research related topics.



Module 1

Overview
This module provides an overview of the AlienVault Unified Security Management (USM) solution.
AlienVault USM Overview



The figure shows the five essential security capabilities of the AlienVault USM solution.

The five capabilities are discussed in the subsequent slides.

Asset discovery is an essential security capability of the AlienVault USM. The USM
discovers assets in your environment, detects changes in assets, and discovers rogue
assets in the network.
Asset discovery uses passive tools, such as passive operating system fingerprinting
and passive service discovery.
Asset discovery also utilizes active scanning, which can be scheduled to be performed
periodically or can be performed manually.



Vulnerability assessment identifies vulnerabilities by comparing the installed software
on assets with a database of known vulnerabilities. Vulnerability assessment can also
be used to check compliance.
Scanning of assets can be unauthenticated or authenticated. Using an administrative
user account, AlienVault USM can scan the assets more effectively.

Intrusion Detection monitors network traffic for malicious activity, monitors system log
messages, and monitors user activity.
Intrusion detection for AlienVault USM consists of Host-based Intrusion Detection
(HIDS) and Network-based Intrusion Detection (NIDS) components.



Behavioral monitoring is used to detect abnormal traffic in the network by spotting
anomalies from the NIDS functionality, and by tracking asset availability.
NetFlow, or network flows, include the following data:
• Source IP address and port
• Destination IP address and port
• Network protocol (TCP, UDP, ICMP, etc.)
• Type of service
• Number of packets
• Number of bytes
• Number of flows
• Bits, bytes, and packets per second
• Bytes per packet
Behavioral monitoring uses NetFlow in two ways:
• Flows can be generated by network devices and sent to the USM Server, or
• The USM Sensor generates flows from the mirrored traffic it receives and sends
them to the USM Server.
In both cases, the USM Server acts as the NetFlow collector.
The behavioral monitoring capability also includes integrated asset availability monitoring.
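The derived per-flow metrics listed above (bits, bytes and packets per second, bytes per packet) and a simple per-host baseline comparison, as an added example that is not USM code. Field names, thresholds, the flow records and the baseline are all constructed assumptions.

```python
"""Per-flow metrics and a simple baseline comparison over NetFlow-style records.

Added example, not USM code. Field names and the anomaly thresholds are
assumptions; the flow records and baseline below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str          # "TCP", "UDP", "ICMP", ...
    tos: int            # type of service byte
    packet_count: int
    byte_count: int
    duration_s: float   # flow duration in seconds (0.0 for single-packet flows)


def flow_rates(f: Flow) -> dict:
    """Bits, bytes and packets per second plus bytes per packet for one flow.

    A zero-duration (single-packet) flow is treated as lasting one second so
    the rates stay finite instead of dividing by zero.
    """
    d = f.duration_s if f.duration_s > 0 else 1.0
    return {
        "bps": f.byte_count * 8 / d,
        "Bps": f.byte_count / d,
        "pps": f.packet_count / d,
        "bytes_per_packet": f.byte_count / f.packet_count if f.packet_count else 0.0,
    }


def per_host_summary(flows):
    """Aggregate by source host: flow count, bytes, packets and the set of
    distinct (destination IP, port) pairs contacted, i.e. the host's fan-out."""
    summary = defaultdict(
        lambda: {"flows": 0, "bytes": 0, "packets": 0, "destinations": set()}
    )
    for f in flows:
        s = summary[f.src_ip]
        s["flows"] += 1
        s["bytes"] += f.byte_count
        s["packets"] += f.packet_count
        s["destinations"].add((f.dst_ip, f.dst_port))
    return summary


def anomalous_hosts(flows, baseline, byte_factor=5.0, fanout_limit=50):
    """Return {src_ip: [reasons]} for hosts whose byte volume in this window
    exceeds byte_factor times their baseline, or whose fan-out exceeds
    fanout_limit. `baseline` maps src_ip -> typical bytes per window and is
    assumed to have been learned from earlier, known-good windows."""
    flagged = {}
    for host, s in per_host_summary(flows).items():
        reasons = []
        base = baseline.get(host)
        if base is not None and s["bytes"] > byte_factor * base:
            reasons.append(
                "bytes %d exceed %.0fx baseline %d" % (s["bytes"], byte_factor, base)
            )
        if len(s["destinations"]) > fanout_limit:
            reasons.append("fan-out to %d destinations" % len(s["destinations"]))
        if reasons:
            flagged[host] = reasons
    return flagged


# Constructed sample window: two hosts with ordinary traffic and one host
# (10.0.0.9) that opens one tiny flow to each of 80 ports on a single server.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 50000, "93.184.216.34", 443, "TCP", 0, 40, 30000, 2.0),
    Flow("10.0.0.5", 50001, "93.184.216.34", 443, "TCP", 0, 12, 8000, 1.0),
    Flow("10.0.0.7", 53000, "10.0.0.1", 53, "UDP", 0, 2, 180, 0.0),
] + [
    Flow("10.0.0.9", 40000 + p, "10.0.0.20", p, "TCP", 0, 1, 60, 0.0)
    for p in range(1, 81)
]
# Constructed baseline of typical bytes per window for each monitored host.
BASELINE_BYTES = {"10.0.0.5": 50000, "10.0.0.7": 2000, "10.0.0.9": 500}

if __name__ == "__main__":
    for host, reasons in anomalous_hosts(SAMPLE_FLOWS, BASELINE_BYTES).items():
        print(host, "->", "; ".join(reasons))
```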

Security intelligence combines and correlates collected logs and data to find malicious
patterns in network traffic and within host activity.
Security intelligence draws intelligence from different sources:
• AlienVault Labs Threat Intelligence correlation rules, which are created by
AlienVault Labs. These correlation rules are used to identify patterns associated
with malicious activity. They correlate data from different sources, such as
vulnerability scanning, NIDS, device logs, etc. The NIDS component is populated
with well-tested signatures of recognized attacks.
• OTX threat data provides IP reputation information and OTX pulses which consist
of indicators of compromise (IoCs) that identify a specific threat. OTX is an open
information sharing and analysis network, where all AlienVault users can
participate and share information about incidents that may impact others. OTX
pulses provide you with a summary of the threat, a view into the software targeted,
and the related indicators of compromise (IoC) that can be used to detect the
threats.



USM Architecture

The three core components of the AlienVault USM are:
• USM Sensor: deployed throughout your network to collect events for complete
visibility.
• USM Server: aggregates and correlates information gathered by the USM
Sensors, and provides single pane-of-glass management, reporting and
administration.
• USM Logger: securely archives raw event log data for forensic investigations and
compliance mandates.
With an All-in-One deployment, all three are on one system.



The USM Sensors are designed to send their data to the USM Server. Once the USM
Server has processed the data from the USM Sensors, the data is stored on the USM
Logger.

The USM Sensor combines asset discovery, vulnerability assessment, threat
detection, and behavioral monitoring to provide full situational awareness. The USM
Sensor is the front-line security module of the USM platform and provides detailed
visibility into your environment, vulnerabilities, attack targets and vectors, and services.
Events collected by the USM Sensor are normalized into a unified format, and dynamic
functions such as date normalization and DNS resolution are performed. The normalized
events are then sent to the USM Server component.
The USM Server provides a unified management interface that combines security
automation and AlienVault Labs Threat Intelligence to correlate data, spot anomalies,
reduce risk, and improve your operational efficiency.
The USM Server receives events from the USM Sensor and performs policy
evaluation. The policy defines what will happen with each event. By default, events are
sent to the correlation engine, then to the risk assessment module, and then stored in
the SQL database. Events can also be forwarded to another USM Server, if required.
This flow is completely configurable through threat intelligence policies.
Correlation can be logical, where events are compared against patterns composed
with logical operators such as OR and AND. Correlation can also use cross correlation,
where events are correlated with vulnerability data.
After events are processed and correlated, the USM Server performs risk analysis
and triggers an alarm if the risk of the event is high enough.
The USM Logger is the secure data archival component of the USM platform.



AlienVault Labs and OTX

AlienVault Labs conducts security research on global threats and vulnerabilities. The
team of security experts constantly monitors, analyzes, reverse engineers, and reports
on sophisticated zero-day threats including malware, botnets, phishing campaigns and
more.
AlienVault Labs Threat Intelligence drives USM security capabilities by identifying the
latest threats, resulting in the broadest view of attacker techniques and effective
defenses.
AlienVault Labs research is also a critical part of our analysis. Our labs team
generates original research on high-profile threats, and also instruments the
automatic analysis that discovers and certifies all threats coming from OTX partners
and USM customers who opt to share data.



AlienVault Labs Threat Intelligence maximizes the efficiency of your security
monitoring program through the detection content it delivers to your AlienVault USM
installation. Examples of what AlienVault Labs provides detection for include:
• Advanced Persistent Threat (APT) detection - Detects targeted attacks often
missed by other defenses
• Real-Time Botnet Detection - Identifies infection, compromise, and misuse of
corporate assets
• Data Exfiltration Detection - Prevents leakage of sensitive and proprietary data
• Command-and-Control (C&C) Traffic Identification - Identifies compromised
systems communicating with malicious actors
• Dynamic Incident Response and Investigation Guidance - Provides customized
instructions on how to respond and investigate each alert

Open Threat Exchange (OTX) is the world’s first open threat intelligence community
that enables collaborative defense with actionable, community-powered threat data.
AlienVault Labs and other security researchers provide information to help understand
attacks that are currently being investigated and analyzed.
This data is automatically analyzed through a powerful discovery engine that is able to
granularly analyze the nature of the threat, and a similarly powerful validation engine
that continually curates the database and certifies the validity of those threats.
AlienVault OTX is a free open information sharing and analysis network that provides
access to real-time, detailed information about incidents that may impact you, allowing
you to learn from, and work with, others who have already experienced them.
We will be going over OTX in more detail later in the class.
For more information, go to https://otx.alienvault.com.



Module 2

Verifying Operations
This module describes AlienVault Unified Security Management (USM) installation, basic
configuration and verification, and the web user interface (UI).
AlienVault USM User Interface



In the previous module of this course, we focused on the capabilities and components
of the USM. In this module, we will focus on how to navigate the user interface and
verify the basic operations of the system.
Once you connect to the USM web UI, and log in using administrative credentials, you
will see the main window.
The main window allows you to access all of the functionality offered by the USM. This
screen includes the following menu elements:
1. Utility menu
2. Primary menu
3. Help, which links to documentation
4. Secondary menu
5. Environment Snapshot

The Utility menu includes the following buttons:
• WELCOME - This shows the username of the user who is currently logged into the
system.
• IP ADDRESS – This shows the IP address or hostname of the USM.
• MESSAGE CENTER – The message center centralizes all in-system errors,
warnings, and messages.
• SETTINGS – This button shows the current user’s profile, current sessions by all
users, and user activity.
• SUPPORT – This button provides access to the help area and to diagnostic
support tools.
• LOGOUT - This button logs out the current user from the USM.
On the following slides, we look more closely at some of these buttons—the
MESSAGE CENTER, the SETTINGS menu, and SUPPORT.



The Message Center centralizes all in-system errors, warnings, and messages, along
with external messages sent by AlienVault, into a single, discoverable page within the
USM web interface.
Messages can come from three different sources:
• System statuses
• User activity
• External messages from messages.alienvault.com, which are delivered over
HTTPS (HTTP over SSL, port 443) and are digitally signed

USM Settings and Support



The SETTINGS option includes three menus: MY PROFILE, CURRENT SESSIONS,
and USER ACTIVITY.
The MY PROFILE menu shows the personal information (login, name, email, etc.) of
the user who logged into the system. By changing the input fields and clicking the
SAVE button, you can change your user information.
Additionally, you can change your password here.

In order to make any changes on the MY PROFILE menu, you will need to enter your
current password before clicking SAVE.

The CURRENT SESSIONS menu lists who is logged into the system. If you are not
the administrator, the administrator must grant you permission in order for you to see
this list.
For each user, you see their username, IP address, and several other parameters.
You also have the option to log out a specific user by clicking on the button under
Actions.
As shown in the slide, three users are currently logged into the system.



The USER ACTIVITY menu shows critical actions that were performed by users. You
can see a list of the actions that the table will show by clicking on All in the bar under
the Action heading. You can filter the displayed actions by selecting the date range,
user account, or action type and clicking View.

The SUPPORT section includes three areas:
• HELP - On the left side, this option provides links to the AlienVault forum and
to news about the latest releases of the USM. The right side includes a
Learning Center where you can find the information on how the USM functions.
• SUPPORT TOOLS - This option includes two tools that you might use when
working with AlienVault’s support team—the Diagnostic Tool and Remote
Support. The AlienVault Diagnostic Tool collects information about the system
status and sends it to the AlienVault Support Team. Connecting to Remote
Support will open an encrypted connection for AlienVault Support to diagnose
any issues with your AlienVault system(s).
• DOWNLOADS - This option provides links to software packages for AlienVault
operation.



AlienVault USM Primary Menu

The primary menu covers the main functions of the USM. This includes the following
five menus:
• DASHBOARDS
• ANALYSIS
• ENVIRONMENT
• REPORTS
• CONFIGURATION



The first area that can be selected in the primary menu is DASHBOARDS. This area
has the following options:
• OVERVIEW – Use this option to view charts, tables, and graphs that show various
overview aspects of the system status. Additional sub-menus, such as Inventory
and Honeypot Activity, can be added by clicking on the edit button.
• DEPLOYMENT STATUS - This option displays a global view of the system,
including assets visibility, network visibility, and locations.
• RISK MAPS – This option displays the asset's state within a selected map and
provides the ability to manage maps.
• OTX - This option allows you to visualize threats graphically in a map as well as list
pulse information. The map visualizes IP addresses that belong to hosts that are
performing attacks or have malicious behavior. These IP addresses are provided
by the OTX, which includes the AlienVault Labs team and a community of
worldwide USM and OSSIM users.

The second area that can be selected in the primary menu is ANALYSIS. This area
includes the following options:
• ALARMS - Any event with a risk of 1 or greater generates an alarm. The Alarms
option shows all the alarms generated in the USM. You can also search for alarms
using filters.
• SECURITY EVENTS (SIEM) – Use this option to visualize all events that are
processed or generated by the SIEM Server. You can do a forensic analysis of all
events that have been processed by the USM. The SIEM database is designed for
rapid and versatile analysis, which is required for the detection of, and response to,
attacks.
• RAW LOGS - This option allows you to display stored logs. The USM Logger
allows you to store a large volume of data for compliance, forensic analysis, or
other purposes. The USM Logger is specifically geared for long-term storage and
forensic archiving. The USM Logger stores data, digitally signs it, and timestamps
the data. The data is securely stored and its integrity is preserved.
• TICKETS - A ticket is an element within the USM that contains information about
detected alarms or any other issues that you want to track in a workflow. There are
simple and advanced filters available to facilitate searches. You can create tickets
manually. In addition, some USM functions, such as vulnerability scanning allow
you to create tickets automatically. Tickets for alarms have to be opened manually.



The third area that can be selected in the primary menu is ENVIRONMENT. This area
has the following options:
• ASSETS & GROUPS - This option allows you to manage assets, networks, asset
groups, and network groups.
• VULNERABILITIES - This option provides a graphical interface to manage
vulnerability scanning. The vulnerability scans can run from one or more AlienVault
sensors.
• NETFLOW - This option provides the ability to monitor and work with NetFlow data.
• TRAFFIC CAPTURE - This option allows the user to implement and manage
remote traffic capture through the AlienVault USM Sensor. There are several
capture options such as timeout, packet size, sensor name, and packet source and
destination.
• AVAILABILITY - You can use this option to view and configure availability
monitoring.
• DETECTION - This option is used to manage intrusion detection for most operating
systems. This option also displays log analysis, integrity checking, Windows
registry monitoring, rootkit detection, time-based alerting, and active response.

The fourth area that can be selected in the primary menu is REPORTS. This area has
all of the report types available. This option allows you to run reports on your USM
deployment, download them as PDF, and send them via e-mail. You can also modify
the contents and layout of reports. In addition, you can schedule reports to be created
automatically.



The last area that can be selected in the primary menu is CONFIGURATION. This
area has the following options:
• ADMINISTRATION – You can use this section to manage users, system
configuration, and backup and restore settings.
• DEPLOYMENT – In this section, you can manage USM components.
• THREAT INTELLIGENCE – These options are used for configuring USM policies,
actions, ports, directives, compliance mapping, correlation rules, data sources, and
security classification (taxonomy). You can also review and edit the knowledge
base, which contains information and recommended actions for different types of
security incidents.
• OTX – This option allows you to configure OTX if you did not configure it using the
Getting Started Wizard.

Environment Snapshot



The Environment Snapshot is on the right side of the USM web UI. The default state
shows the current alarms and the amount of Events Per Second (EPS).

You can expand the Notification Tray to view the Environment Snapshot by clicking on
the small arrow on the right side of the USM user interface. The Environment
Snapshot shows open tickets, unresolved alarms, system health, latest event activity,
the number of monitored devices, and a graph of events received per second over a
recent period of time.



Verify Basic Operations

Once the basic configuration of your USM system is completed, you should verify that
it is operating properly. Complete the following tasks to verify basic operations:
1. Observe any system errors and warnings in the Message Center to determine if
there are any outstanding issues with the system and log collection.
2. Confirm that security events are populating correctly.
3. Confirm that alarms are displaying correctly.
4. Confirm that raw logs are populating correctly.



It’s important to assure that your USM system is deployed properly. In the Deployment
Status area, the USM displays any potential issues it detects.

Next, you should check that events are flowing into the USM’s database.
Any normalized log entry, received or generated by any USM component at the
application, system, or network level, is called an event.
The USM Server is the component responsible for collecting normalized events from a
USM Sensor, correlating them, and performing risk assessment. The USM Server
stores events in its database, which is designed for rapid analysis that is required for
attack detection and response.
To see events in the database, navigate to ANALYSIS > SECURITY EVENTS (SIEM).
On this screen, you can observe events, view details about events by clicking them,
and search and filter for events using time ranges and search filters.



Next, you should check that the USM is creating alarms.

The USM Server uses a formula based on Asset Value, Event Priority, and Event
Reliability to calculate an Event’s Risk. Any Event with a Risk of 1 or greater is an
Alarm.

To see alarms in your system, navigate to ANALYSIS > ALARMS. Below the filtering
and searching tools (but above the line-by-line listing of alarms), you can see a
graphical representation of alarms.

Note that the filtering section will be expanded by default. In order to get to the
graphical representation of the alarms, collapse the search filter or scroll down.

Blue circles indicate the number of alarms in a category at a particular time. A bigger
circle indicates a higher number of alarms. Alarms are prioritized according to five
categories:

• System compromise
• Exploitation and installation
• Delivery and attack
• Reconnaissance and probing
• Environmental awareness
The lower part of the window displays a list of alarms. Clicking an alarm will show
additional information about the alarm. Clicking View Details provides an even greater
level of information about the events that triggered the alarm. The Alarm Details page
also includes a Knowledge Base article with information about the alarm and
recommended steps to investigate it.
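The risk scoring and alarm threshold described above, as an added example that is not USM code. The page does not spell out the formula, so the one used here is an assumption (the formula documented for OSSIM/USM, risk = asset value × priority × reliability / 25), as are the use of the higher of the source and destination asset values and the default asset value of 2 for unknown hosts; the events and asset inventory are constructed.

```python
"""Risk scoring and the alarm threshold described above.

Added example, not USM code. The formula is the one documented for
OSSIM/USM and is an assumption here because the page does not spell it out:
    risk = (asset_value * priority * reliability) / 25
with asset value 0-5, priority 0-5 and reliability 0-10, giving risk 0-10.
Also assumed: risk is computed against both the source and destination asset
values and the higher result is kept, and unknown assets default to value 2.
All events and asset values below are constructed sample data.
"""
from dataclasses import dataclass

ALARM_THRESHOLD = 1        # an event with risk >= 1 becomes an alarm
DEFAULT_ASSET_VALUE = 2    # assumed default for hosts not in the asset inventory


@dataclass(frozen=True)
class Event:
    name: str
    src_ip: str
    dst_ip: str
    priority: int      # 0-5, set per event type in the data source plugin
    reliability: int   # 0-10, confidence that the event is a true positive


@dataclass(frozen=True)
class Scored:
    event: Event
    asset_value: int
    risk: int
    is_alarm: bool


def _check(name, value, lo, hi):
    """Reject out-of-range inputs instead of silently producing a bogus risk."""
    if not isinstance(value, int) or not lo <= value <= hi:
        raise ValueError("%s must be an integer in %d..%d, got %r" % (name, lo, hi, value))


def risk(asset_value: int, priority: int, reliability: int) -> int:
    """USM-style risk, truncated to the integer 0-10 the UI displays."""
    _check("asset_value", asset_value, 0, 5)
    _check("priority", priority, 0, 5)
    _check("reliability", reliability, 0, 10)
    return (asset_value * priority * reliability) // 25


def score_event(ev: Event, asset_values: dict) -> Scored:
    """Score one event using the more valuable of its two endpoints."""
    src_val = asset_values.get(ev.src_ip, DEFAULT_ASSET_VALUE)
    dst_val = asset_values.get(ev.dst_ip, DEFAULT_ASSET_VALUE)
    asset_value = max(src_val, dst_val)
    r = risk(asset_value, ev.priority, ev.reliability)
    return Scored(ev, asset_value, r, r >= ALARM_THRESHOLD)


def score_events(events, asset_values):
    """Score a batch of events; alarms are those with is_alarm set."""
    return [score_event(ev, asset_values) for ev in events]


# Constructed asset inventory: a public web server rated 5, a lab box rated 1.
ASSET_VALUES = {"10.0.0.20": 5, "10.0.0.30": 1}

# Constructed events: the same detection against both hosts, plus a low
# priority event against the valuable host. Only the first one crosses the
# threshold, which is how asset value tuning decides what becomes an alarm.
SAMPLE_EVENTS = [
    Event("Repeated login failures", "203.0.113.10", "10.0.0.20", priority=2, reliability=4),
    Event("Repeated login failures", "203.0.113.10", "10.0.0.30", priority=2, reliability=4),
    Event("Single probe", "203.0.113.10", "10.0.0.20", priority=1, reliability=3),
]

if __name__ == "__main__":
    for s in score_events(SAMPLE_EVENTS, ASSET_VALUES):
        print("%-25s dst=%s asset=%d risk=%d alarm=%s"
              % (s.event.name, s.event.dst_ip, s.asset_value, s.risk, s.is_alarm))
```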

Finally, to finish verifying basic operations, you should check that logs are being stored
in the USM Logger.
The USM Logger provides a file format that is specially designed to store logs for
long-term archiving. By default, the logs are indexed, compressed, and digitally signed
every hour to ensure their integrity (more immediate signing can be enabled if
required). You can verify whether the USM Logger component is receiving raw logs from
network devices by viewing the data in the Raw Logs screen.
To see the logs, navigate to Analysis > Raw Logs. The upper part of the window
displays a chart, where you can see the log trends in a predefined time frame. Logs
are displayed in the lower part of the window. You can see details about a log by
clicking the log.
You can also use the search box to search for specific logs, or select a time range in
order to display logs only for the selected time range.
When performing a search, the INDEXED QUERY performs a search against the
index compiled during the most recently-completed indexing operation. This search is
very fast, but may not include the latest log entries received. The RAW QUERY
performs a real-time search of the log files themselves. It will be slower to return
results but the results will be more complete.



Module 3

Asset Management
This module describes AlienVault Unified Security Management (USM) asset management.
Asset Overview



In the USM, an asset is a piece of equipment that bears a unique IP address on the
company’s network. Assets generally include hardware such as servers, email
servers, file servers, desktops, laptops, printers, firewalls, routers, other network
devices, or security devices such as the USM itself.
Asset management and inventory is one of the functionalities provided by the USM.

Assets in AlienVault are grouped based on IP addresses and networks that are
monitored by AlienVault. Grouping based on IP addresses allows for easier
management of and searching for assets. Assets can be grouped by functionality (e.g.
Firewalls), location (e.g. “headquarters”), or another type of grouping. Similarly,
networks monitored by AlienVault can be grouped into network groups.

The USM has an asset management system that is used by all AlienVault
components. The assets are initially added to the USM using passive discovery and
active scanning.
Assets can also be added manually. This can be performed by adding individual
assets using the web UI, or by importing assets from security events or Comma
Separated Value (CSV) files.
The Asset Management System allows for easy asset search using rich filters and
subsequently enables reviewing and editing of asset information. Assets can also be
removed from the asset repository by deleting them.
The Asset Management System also includes an integrated inventory, which can store
additional information about individual assets. This proves useful for tracking
properties of assets belonging to/owned by an organization.
Additionally, you can manage the AlienVault HIDS through the Asset Management
System. This is covered later in this course in Module 7, Threat Detection.

Navigating the Assets UI

ASSETS & GROUPS is available in the Environment menu.
Under the ASSETS & GROUPS menu, there are five secondary menus that provide
an interface for managing the following:
• ASSETS
• ASSET GROUPS
• NETWORKS
• NETWORK GROUPS
• SCHEDULE SCAN
These sub-menus will be covered throughout the course.

Navigating to ENVIRONMENT > ASSETS & GROUPS > ASSETS will bring you to the
Asset screen view. This screen has the asset list and search filter.
The Getting Started Wizard creates the initial asset list when using the USM All-in-
One. Additionally, you can export your list of assets by clicking the icon in the upper
right.
The central part of the window displays a list of assets in the system. Each entry in
the asset list can be expanded to show the details for an individual asset. Above that
window, there are icons to delete, edit, or label assets.
The total number of assets is displayed above the list of assets. This number will
change if a search refines the results.
If you run a search, the central part of the window displays a table with a list of assets
meeting the search criteria. The fields that appear in the table are the following:
• HOSTNAME
• IP
• DEVICE TYPE
• OPERATING SYSTEM
• ASSET VALUE
• VULN SCAN SCHEDULED
• AVAILABILITY CONFIGURED
• HIDS STATUS

If you click an asset, the asset will be expanded to display additional information:
Vulnerabilities, Alarms, Events, Availability, Services, Groups, and Notes. The
DETAILS button displays detailed information about an asset.

Once the asset(s) are selected, you can perform the following through the ACTIONS
menu:
• Edit the selected asset(s)
• Delete the selected asset(s)
• Run an Asset Scan
• Run a Vulnerability Scan
• Deploy HIDS agents to the selected asset(s)
• Enable Availability Monitoring
• Disable Availability Monitoring
• Create or add to an Asset Group
• Add a Note

If you wish to have a more refined list of assets, you can search based on different
parameters. The search criteria options for assets are on the left side of the screen.
When the search filter options are specified, the window will only show assets that
meet the requirements of the search criteria.
The following search filters are available:
• Alarms - Enables the search for assets with associated alarms.
• Events - Enables the search for assets with associated events.
• Vulnerabilities - Enables the search for assets with vulnerabilities. The values are
Info, Low, Medium, High, and Serious.
• Asset Value - Enables the search for assets within a value range. Values range
from 0 to 5.
• Availability Status - search for assets that are not configured for availability
monitoring, or are found up or down.
• Show Assets Added - Enables the search by the date the asset was added.
• Last Updated - Enables the search by the date the asset was last updated.
• MORE FILTERS - Allows you to add more filters: Network, Software, Sensor,
Device Type, Ports/Services, and Locations (not shown in the figure).
With multiple filters, USM by default combines them with a logical AND. However,
multiple filters of the same type (e.g. two networks) are combined with a logical OR.

There is a search field located at the top part of the window. The field shows selected
filters. The X icon is used to delete a selected filter. To clear the entire search filter,
select the Clear All Filters option.

Managing Assets

If you want to see details about an asset, click the DETAILS button for the asset. You
can also delete the asset or modify it by opening the ACTION menu.
The asset status area of the screen displays summarized information about the asset.
On the right side of the screen, there is an action menu, edit icon, and a deletion icon
for this specific asset. Directly below that is a map, showing the asset’s location if
defined.
Below the map on the right side is the ENVIRONMENT STATUS. This displays
whether or not HIDS, Automatic Asset Discovery, or Vulnerability Scan Scheduled are
enabled. The status circle that is located next to the link can appear in three different
colors:
• Red - Nothing is available.
• Green - Everything is available.
• Yellow - Some are available. Note this color will not be displayed for Vulnerability
Scan Scheduled.
SUGGESTIONS are below the environment status. This part shows suggestions
related to the asset. Suggestions can be:
• Warning messages when an asset that has sent logs does not send an event in 24
hours.
• Information messages when an asset is not sending logs to the system or when an
asset is sending logs but there is no plugin enabled for parsing the logs.

In Asset Details, you can perform these through the ACTIONS menu:
• Edit the asset
• Delete the asset
• Run an Asset Scan
• Run a Vulnerability Scan
• Enable Availability Monitoring
• Disable Availability Monitoring

The status circles display an overview of the asset information. Detailed status
information is provided in the table below. You can show relevant details in the table
either by clicking on a circle or by clicking on any of the blue tabs above the table.

Assets have three editable sections: GENERAL, PROPERTIES, and SOFTWARE.
The GENERAL section covers the basic information of an asset. The following are the
editable fields of an asset:
• Name - By default, the AlienVault system will automatically assign a name to a
discovered asset in a form of Host_, followed by IP address, where dots are
replaced with the underscore sign (_). You can replace the default name with a
meaningful name.
• IP Address – IP address of the asset. You can identify multiple IP addresses in
the address window for a single asset. Separate multiple IP addresses by
commas.
• FQDN/Aliases - You can enter a Fully Qualified Domain Name (FQDN) of the
asset, or you can enable reverse DNS resolution when performing asset discovery.
• Asset Value - You can change the value of an asset, depending on the role the
asset has in an organization. By default, asset value is set to 2. This is covered in
more detail in the next few slides.
• Device Types - Select the device type and subtype from the drop-down menu. To
remove a device type, click the “X” below the Device Type list.
You can also set other properties, such as description and location of the asset.
Additionally, you can provide an icon for the asset, toggle availability monitoring of the
asset, and define if the asset is external or internal.

Changes made to the Asset in the General, Properties, or Software tab are all saved by
clicking Save on the General tab view. Note that there is no “overall” Save button on
the Properties or Software view.

Each asset that is detected by or imported into AlienVault has an asset value, ranging
from 0 to 5, 0 being the lowest value and 5 the highest. This value is included in risk
assessment calculation performed by the USM Server (SIEM) component.

Each asset in an organization should have a value assigned, based on the importance
of the asset’s role in the organization. For example, printers in a printing company are
very important for business processes and will have a very high asset value.
As an example, in some organizations printers may not be important, and the asset
value for printers may be set to 0 or 1. However, in organizations in which printers are
the most important assets on their network, such as in printing shops, asset value for
printers may be set to a high value, such as 4 or 5.
However, printers in a company that offers web hosting are not as important, and will
have a low asset value. A web hosting company’s web servers would have a higher
value; and therefore, those web servers would be assigned a higher asset value than
the printers.

Asset value can be set administratively in the web UI of the USM.
When calculating the risk of an event in the USM, some events involve two hosts. In
such a case, the highest of the two asset values is used in the calculation.
If the host that generates the event is not defined in the USM inventory, the system
tries to derive an asset value for it. It first checks whether the host belongs to one of
the defined networks. If the host belongs to a network and no asset value has been
defined for the host, the system uses the network’s asset value for the risk
calculation. If no asset value is explicitly set for the network either, the system uses
the default value of 2 for the host.
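The lookup order described above, as an added example (not AlienVault's own code): the host's own value wins, then the containing network's value, then the default of 2, and an event between two hosts takes the higher of the two. The inventory below is constructed; None marks an asset value that was never defined.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

DEFAULT_ASSET_VALUE = 2  # used when neither the host nor its network sets a value

# Constructed inventory (not from a real USM). A host may carry several IPs and a
# network may span several CIDRs, as the course allows; None means "not defined".
HOSTS: Dict[str, dict] = {
    "mail": {"ips": ["192.168.10.10"], "asset_value": 4},
    "usm": {"ips": ["172.16.23.17", "172.16.24.17"], "asset_value": None},
}
NETWORKS: List[dict] = [
    {"name": "Perimeter Network",
     "cidrs": ["192.168.10.0/24", "192.168.9.0/24"], "asset_value": 3},
    {"name": "Management", "cidrs": ["172.16.0.0/16"], "asset_value": None},
]


def find_host(ip: str, hosts: Dict[str, dict]) -> Optional[dict]:
    """Return the inventory host that lists this IP, if any."""
    for host in hosts.values():
        if ip in host["ips"]:
            return host
    return None


def find_network(ip: str, networks: List[dict]) -> Optional[dict]:
    """Return the first configured network whose CIDRs contain this IP."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if any(addr in ipaddress.ip_network(c, strict=False) for c in net["cidrs"]):
            return net
    return None


def resolve_asset_value(ip: str, hosts: Dict[str, dict],
                        networks: List[dict]) -> Tuple[int, str]:
    """Resolve the asset value for one IP in the course's order.

    Returns (value, source); source records which rule applied so an analyst
    can see why an event was scored the way it was.
    """
    host = find_host(ip, hosts)
    if host is not None and host["asset_value"] is not None:
        return host["asset_value"], "host"
    net = find_network(ip, networks)
    if net is not None and net["asset_value"] is not None:
        return net["asset_value"], f"network:{net['name']}"
    return DEFAULT_ASSET_VALUE, "default"


def event_asset_value(src_ip: str, dst_ip: str, hosts: Dict[str, dict],
                      networks: List[dict]) -> int:
    """Asset value fed into risk calculation for a two-host event: the higher one."""
    return max(resolve_asset_value(src_ip, hosts, networks)[0],
               resolve_asset_value(dst_ip, hosts, networks)[0])


if __name__ == "__main__":
    for ip in ("192.168.10.10", "192.168.9.7", "172.16.23.17", "8.8.8.8"):
        print(ip, resolve_asset_value(ip, HOSTS, NETWORKS))
    print("event 192.168.10.10 -> 8.8.8.8 uses asset value",
          event_asset_value("192.168.10.10", "8.8.8.8", HOSTS, NETWORKS))
```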

The PROPERTIES section covers more specific information about an asset, including
hardware, roles, and department. The following are configurable properties of an
asset:
• Users Logged
• Role
• Department
• Workgroup
• Machine state
• CPU
• Memory
• Video
• ACL
• Route
• Storage
• MAC Address
Note that property settings can be locked, which means they will not be overwritten
during future asset discoveries.

Note the Save button in the Properties tab will only save a
specific property. It will not save your global changes.
To save changes, return to the General tab and click the
Save button.

The SOFTWARE section displays the software that is running on an asset. The list
includes software found running during a scan and any software added manually.
When you add software manually, the USM autocompletes your entry from a list of
known software. Manually added software is locked in the asset’s list of software.

Note the Save button in the Software tab will only save a
specific property. It will not save your global changes.
To save changes, return to the General tab and click the
Save button.

Adding Assets

Assets are added into the AlienVault system by the asset discovery process.
Assets can also be imported from SIEM events if desired. To import assets from SIEM
events, navigate to ENVIRONMENT > ASSETS & GROUPS, and expand the ADD
ASSETS option. Select the IMPORT FROM SIEM option from the drop-down menu.
The system will notify you on how many assets were detected in SIEM events, and will
ask you to confirm the import of the events. You can also scan for new assets from this
menu.
If the asset discovery process is not desired, or if it does not detect a specific asset,
the asset can also be added manually.

To add an individual asset manually, select ADD HOST from the ADD ASSETS menu.
The NEW ASSET window appears.
Fill in the required fields. Note that this screen is similar to the GENERAL tab in the
EDIT ASSET dialogue. Click SAVE when you are done populating the input fields.
After you are done adding your asset, the USM will take you to the Asset Details page
of the corresponding asset.

You can add a list of assets by importing a comma separated values (CSV) file. This is
useful if your asset inventory is already stored in a spreadsheet or database.
The USM requires the CSV asset list to have a particular format. It needs a header and
a list of assets. The CSV file should be in the following format:
"IP(IP1,IP2,...)";"Hostname";"FQDNs(FQDN1,FQDN2,...)";"Description";"Asset value";"Operating System";"Latitude";"Longitude";"Host ID";"External Asset";"Device Types(Type1,Type2,...)"
An example of a CSV asset list, including the header, looks like this:
"IPs";"Hostname";"FQDNs";"Description";"Asset Value";"Operating System";"Latitude";"Longitude";"Host ID";"External Asset";"Device Type"
"192.168.10.10";"mail";"mail1.example.com,mail2.example.com";"my public mail server";"4";"Linux";"23.78";"121.45";"379D45C0BBF22B4458BD2F8EE09ECCC2";0;"Server:Mail Server"
"172.16.23.17";"USM";"usm.example-1.com";"AlienVault USM";"2";"Linux";"23.78";"121.45";"379D45C0BBF22B4458BD2F8EE09ECCC2";0;"Server:Security Device"
Next, select the IMPORT CSV option from the ADD ASSETS menu. Then select the
CSV file. The file will upload and the confirmation dialogue will appear. If there are any
errors in your CSV file, they will be reported in the dialogue.
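As an added example, not AlienVault's import code, the following Python checks an asset list in this semicolon-delimited format before it is uploaded, so format errors surface locally rather than in the confirmation dialogue. The sample rows are constructed from the course's example, with a deliberately broken third line; the IP-syntax and 0-5 asset value rules come from the course, while the numeric latitude/longitude and 0/1 External Asset checks are assumptions.

```python
import csv
import io
import ipaddress

# Column order of the USM asset CSV as the course describes it. Header names in
# the course vary slightly, so columns are matched by position, not by name.
ASSET_COLUMNS = (
    "IPs", "Hostname", "FQDNs", "Description", "Asset Value",
    "Operating System", "Latitude", "Longitude", "Host ID",
    "External Asset", "Device Types",
)
# Fields that hold a comma-separated sub-list inside one quoted value.
LIST_COLUMNS = {"IPs", "FQDNs", "Device Types"}

# Constructed sample modelled on the course's example. The third line is
# deliberately broken: one malformed IP and an asset value outside 0-5.
SAMPLE_CSV = '''"IPs";"Hostname";"FQDNs";"Description";"Asset Value";"Operating System";"Latitude";"Longitude";"Host ID";"External Asset";"Device Type"
"192.168.10.10";"mail";"mail1.example.com,mail2.example.com";"my public mail server";"4";"Linux";"23.78";"121.45";"379D45C0BBF22B4458BD2F8EE09ECCC2";0;"Server:Mail Server"
"172.16.23.17,172.16.23.300";"USM";"usm.example-1.com";"AlienVault USM";"7";"Linux";"23.78";"121.45";"379D45C0BBF22B4458BD2F8EE09ECCC2";0;"Server:Security Device"
'''


def split_list(field):
    """Split a comma-separated sub-list, dropping empty entries."""
    return [item.strip() for item in field.split(",") if item.strip()]


def validate_asset_row(row):
    """Return the problems found in one row (an empty list means it is usable).

    IP syntax and the 0-5 asset value range follow the course text; the numeric
    latitude/longitude and 0/1 External Asset checks are assumptions.
    """
    problems = []
    ips = split_list(row["IPs"])
    if not ips:
        problems.append("at least one IP is required")
    for ip in ips:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"invalid IP address {ip!r}")
    try:
        value = int(row["Asset Value"])
        if not 0 <= value <= 5:
            problems.append(f"asset value {value} outside 0-5")
    except ValueError:
        problems.append(f"asset value {row['Asset Value']!r} is not an integer")
    for col in ("Latitude", "Longitude"):
        if row[col]:
            try:
                float(row[col])
            except ValueError:
                problems.append(f"{col} {row[col]!r} is not numeric")
    if row["External Asset"] not in ("0", "1"):
        problems.append(f"External Asset must be 0 or 1, got {row['External Asset']!r}")
    return problems


def parse_asset_csv(text):
    """Parse a USM-style asset list; returns (accepted assets, error messages)."""
    reader = csv.reader(io.StringIO(text), delimiter=";", quotechar='"')
    assets, errors = [], []
    for lineno, fields in enumerate(reader, start=1):
        if not fields:
            continue  # blank line
        if len(fields) != len(ASSET_COLUMNS):
            errors.append(f"line {lineno}: {len(fields)} columns, expected {len(ASSET_COLUMNS)}")
            continue
        if lineno == 1:
            continue  # header row carries no asset
        row = dict(zip(ASSET_COLUMNS, fields))
        problems = validate_asset_row(row)
        if problems:
            errors.append(f"line {lineno}: " + "; ".join(problems))
            continue
        asset = {col: (split_list(val) if col in LIST_COLUMNS else val)
                 for col, val in row.items()}
        asset["Asset Value"] = int(row["Asset Value"])
        asset["External Asset"] = row["External Asset"] == "1"
        assets.append(asset)
    return assets, errors


if __name__ == "__main__":
    accepted, rejected = parse_asset_csv(SAMPLE_CSV)
    for asset in accepted:
        print("OK ", asset["Hostname"], asset["IPs"], asset["Asset Value"])
    for err in rejected:
        print("ERR", err)
```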

You can also import assets from SIEM events. This option checks events and
networks, and imports all new assets that the SIEM discovered.
Once you select Import From SIEM, the USM will search the SIEM events for any new
assets on your networks.
If new assets are found, you will be prompted to IMPORT or CANCEL the results. If
you wish, you can also view the logs to see what the USM determines is an asset.
Assets are imported 25,000 at a time. If the USM found more than 25,000 hosts, you
will need to rerun the Import from SIEM until all the hosts are added.

Asset Discovery Scans

Asset discovery is one of the primary USM functions and provides the initial asset
inventory. It can also be used to augment the knowledge of existing assets by
determining the operating system of an asset and the services (open ports) that are
running on the asset.
Open the ADD ASSETS menu and select Scan for New Assets. This will open the
SCAN FOR NEW ASSETS screen. In the screen, first select assets, asset groups,
networks, or network groups you would like to scan.

Select the desired targets, and then optionally select a sensor. Next, select the scan
type from the drop-down menu. The following options are available:
• Ping - Pings each selected asset.
• Normal - Scans the 1000 most common ports.
• Fast Scan - Scans the 100 most common ports.
• Full Scan - Scans all ports, the operating system, and determines MAC addresses
• Custom - Allows a user to define the ports to scan.

The following options are available for the scan timing template:
• Paranoid - This mode scans very slowly. It serializes all scans (no parallel
scanning) and generally waits at least 5 minutes between sending packets.
• Sneaky - Runs as paranoid mode but with a 15 second wait time.
• Polite - Serializes the probes and waits at least 0.4 seconds between them.
• Normal - The default behavior, which tries to run as quickly as possible without
overloading the network or missing hosts/ports.
• Aggressive – Scans with a 5-minute timeout per host, and never waits more than
1.25 seconds for probe responses.
• Insane - Suitable for very fast networks. It times out hosts in 75 seconds and only
waits 0.3 seconds for individual probes.
Finally, enable auto detection of services and operating systems, and enable reverse
DNS resolution to automatically determine the FQDN of scanned assets. Click START
SCAN when you are done configuring the scan.

The USM has to be configured with a DNS server that can resolve known assets’ IP
addresses. Be extremely cautious when enabling DNS resolution during a scan of many
assets, since this option generates many DNS queries. These queries can overload a
poorly configured and protected DNS server.

An Asset Discovery Scan takes time, depending on the number of scanned assets,
selected scan type, and timing template. Once assets are scanned, the results will be
displayed in a table below the scan configuration window. You can review the
scanning results and decide to delete the results (CLEAR SCAN RESULTS), or
update asset information in the database with the results (UPDATE DATABASE
VALUES).
Note that the results of the asset discovery scan are not automatically added to the
database. You must select the results and click Update Database Values.
In the scan above, the USM found three hosts. The scan detected that one of the
assets is running the Microsoft Windows 7 operating system, and that some services
are running on the machine. The other two assets are running Linux.

Once you update asset information in the database with the results of the discovery
scan, you will be prompted that information about existing hosts in the database will be
overwritten. This includes fields like Department in the asset properties.
If this is satisfactory, click OK.

When the database is updated, the USM will display the list of updated assets.
If there is already information that the USM views as more accurate, the USM will not
overwrite that information, but will display a warning. If you wish to see more
information on the warning, click the details icon.

Note that when you scan assets manually, you will need to add in the results. They will
not be added in automatically. Only scheduled scans will update the database
automatically.

Navigate to ENVIRONMENT > ASSETS & GROUPS > SCHEDULE SCAN to enable
periodic asset discovery. Click on SCHEDULE NEW SCAN.

Asset discovery can also be scheduled to occur periodically to find new assets:
1. In the displayed window, click NEW to create new scanning tasks.

2. Enter a name for the task, select a sensor from which the scan will be performed,
and enter networks you want to scan.

3. Select scan type, timing template, and optionally enable auto detection of
operating system and services and reverse DNS resolution.

4. Select scanning frequency. The provided options are Hourly, Daily, Weekly, and
Monthly.

5. Enable scan and click SAVE to save the scan task.

Asset Groups

The figure shows a hierarchy of assets in the AlienVault Asset Management System.
Assets are organized into networks based on IP addresses, where networks belong to
locations. If required, assets can be organized into asset groups, which can span
across many networks or locations. Additionally, networks can also belong to network
groups.
Asset groups and network groups usually have functional names (e.g. critical assets,
engineering network, DMZ). Assets and networks are not required to be part of either
an asset group or a network group, respectively.
However, an asset is always part of a network by definition. In the example above,
Asset 1 will always be part of the 172.16.4.0/24 network, even though it is not part of
an asset group.
Also note that asset groups can overlap networks. Those networks may or may not be
part of a network group.

Asset groups are administratively created objects that group similar assets for specific
purposes. For example, you could group all network firewalls, or all servers running
Microsoft Server operating system. Such groups are useful when performing various
tasks, such as vulnerability assessment or asset discovery, or when you are interested
only in events coming from specific devices. Grouping of assets is possible based on
various properties. The following are some of them:
• Asset value
• Network
• Software running on assets
• Sensor that monitors assets
• Device type of asset
• Open port or services running on assets
• Location of assets
Asset groups are integrated into the USM workflow. They can be used for running
reports, filtering alarms/events/raw logs, scans, policies, and directives for threat
intelligence.

To create an asset group from the assets list, navigate to ENVIRONMENT > ASSETS
& GROUPS > ASSETS. Next, select the desired assets. After selecting the desired
assets, go to the ACTIONS menu and select Create/Add to Group.

This will bring up a dialogue box. In this dialogue box, you will see a list of any
existing asset groups. If there are no pre-existing asset groups, or you do not wish to
use a pre-existing asset group, type in the name of the New Group, and then click the
“+” icon.

After the asset group is created, the USM will open the Group Details for the newly
created asset group. This will look similar to the Asset Details screen.
The Group Details screen allows you to add assets directly to the group, edit the
group, run scans, and toggle availability monitoring.
From this view, there are other tasks you can do in addition to editing the group:
• Add a note to the asset group
• See and manage the assets that are part of this group
• View vulnerabilities, alarms, events, availability, services, and notes for this asset
group
From this view, you can also navigate to any asset that is a member of the specific
asset group.

To edit an asset group, open it from the listing of asset groups under
ENVIRONMENT > ASSETS & GROUPS > ASSET GROUPS. Alternatively,
navigate to the desired Group Details and click Edit under the ACTIONS menu.
The group details that you can edit are the group name, owner, and description.

Networks and Network Groups

Assets in USM are part of a network. USM recognizes networks by their CIDR
notation. Networks can be part of a network group. Assets are organized into networks
based on IP addresses. Additionally, networks can also be grouped into network
groups for easier management.
Networks also specify which assets will be imported during asset discovery. Assets are
grouped based on IP addresses and configured networks for easier asset navigation
and management.

To review already configured networks, navigate to ENVIRONMENT > ASSETS &
GROUPS > NETWORKS. This will display a list of monitored networks.
The network list has a similar UI to the asset list. You will be able to examine details,
run actions such as editing and deleting, and search networks.

The NETWORKS view has a similar search filter to assets and asset groups.

Networks are automatically added to the USM in the three following ways:
1. If the USM has an IP address assigned, then the USM knows about that network.
This applies to each interface when the USM has multiple interfaces.

2. Initially, the Getting Started Wizard in the USM All-in-One will find the monitored
networks.

3. If you provide a network range to scan, USM will add the network.

You can also add a network manually.


Select ADD NETWORK from the ACTION menu, and fill in the appropriate fields. Click
SAVE when you are done populating the input fields.
You can also create a network by importing a CSV file. In the USM, each CSV file
must contain a header row:
"Netname";"CIDRs";"Description";"Asset Value";"Net ID"
"Perimeter Network";"192.168.10.0/24,192.168.9.0/24";"This is my network";"2";"479D45C0BBF22B4458BD2F8EE09ECAC2"

The Network Details screen will display various details of your network. This screen
provides a similar display to asset details.
In Network Details, you can observe the snapshot and properties of assets belonging
to the network. You can also toggle on and off the details about the network, delete the
network, and observe environment status of assets and suggestions.
On the right side of the screen, there is an action menu, edit icon, and a deletion icon
for this specific network. Directly below that is a map, showing the network’s location if
defined.
Below the map on the right side is the ENVIRONMENT STATUS. This displays
whether or not HIDS, Automatic Asset Discovery, or Vulnerability Scan Scheduled are
enabled for assets on this network. The status circle that is located next to the link can
appear in three different colors:
• Red - Nothing is available.
• Green - Everything is available.
• Yellow - Some are available. Note this color will not be displayed for Vulnerability
Scan Scheduled.

To edit the network, click the edit icon. The EDIT NETWORK dialogue box will open.
In this dialogue box, you can edit the network properties. The most common properties
are name, network prefix (CIDR), owner, asset value, and description.

Networks can be grouped into network groups for administrative purposes. To create a
network group, navigate to Environment > Assets & Groups > Network Groups.
Click NEW to create a new network group. Specify the name for the network group, a
description, and select network group members from the network list. Click SAVE
when you are done adding networks to the group.

Asset Labels

Asset labels are an additional organizational tool for your USM implementation. This
allows you to assign a label for various device attributes (e.g. firewalls, switches,
printers, etc.) that can help you with managing your USM environment.

The label icon is available on the ASSETS, ASSET GROUPS, and NETWORKS sub-
menus under ENVIRONMENT > ASSETS & GROUPS.
To access the labels, click the label icon. This will open a dialogue box that will initially
show no labels. If there are labels already created, they will appear in this box.
To create a new label, click Manage Labels.

Next, the MANAGE LABELS dialogue box will open. Here you will see any labels
already created in the LABEL LIST. From here, you can delete or edit any pre-existing
labels or create a new one.
You have a variety of colors to choose from for your label.
Once you have created the desired label, click SAVE.

Note that clicking SAVE will not assign a label to your assets or asset
groups.

Once the desired label is selected, the label will appear under the details screen of the
corresponding choice. Labels can be applied to assets, asset groups, networks, and
network groups. Additionally, there can be more than one label applied to the desired
asset, network, or group.
Once you have created a label, apply the label to an asset:
1. Select the asset or assets by clicking the check box to the left of the asset.

2. Click the Labels icon.


3. Click the check box next to the label or labels you wish to apply to the selected
asset(s).

4. Close the labels window.

Labels are the most flexible form for organizing assets. An asset, asset group, or
network can have multiple labels.
For example, the assets above show how they can have multiple labels. The
Server2008 asset has the Windows and Lab Servers labels, whereas the fw-dmz asset
has the firewalls and perimeter network labels.

Module 4

Policies
This module describes AlienVault Unified Security Management (USM) policies.
USM Policy UI Overview

Policies are the USM configuration objects that allow you to configure how the system
processes events once they arrive at the USM Server.
The figure shows where policies are evaluated in the USM Server processing pipeline.
Policies are evaluated immediately after event collection, and influence further event
processing.
Here are some examples of how to use policies to influence event processing:
• Perform risk assessment and correlation without storing events in the server
database. This is typically done with firewall events, but could be done with any
type of event.
• Store events in the USM Logger and not correlate the events. This is typically done
if the events in question have no directives or cross-correlation rules to process
them.
• Correlate events and forward them to another USM Server without storing them. In
larger, distributed deployments, the USM components can be tiered to allow for
additional scaling.
Filtering eliminates unnecessary event processing and improves the performance of
the system (when implemented properly).
Policies are also often used to:
• Reduce false positive alarms
• Send an email notification
• Temporarily hide true positive alarms until corrective or preventative action takes
place
• Increase the importance of a specific event

To configure policies, navigate to CONFIGURATION > THREAT INTELLIGENCE >
POLICY.
Policies can be configured separately for events (the upper part of the screen) and
directive events (the lower part of the screen). Since directive events are generated by
the USM Server, you have the option to configure a policy for directive events
generated only by an individual USM Server.
If required, you can configure policy groups, which allow you to group policies for
administrative purposes.

By default, three policy groups exist: the Default policy group, AV default policies,
and Policies for events generated in server.

You can create your own policy groups by clicking the EDIT POLICY GROUPS button,
and then providing a name for the group.

The red X and green check mark indicate whether a policy is disabled or enabled, respectively.

There are three policy groups in the USM:
• Default policy group – Used for new events only. Policies in this group control
how the USM Server handles the identified events.
• AV default policies – Group for disabling or enabling the AVAPI policy. This also
impacts only new events coming into the system. The AVAPI rule is disabled by
default.
• Policies for events generated in server – A policy group for correlation events
that have already gone through the default policy group. These processed events
also go through correlation directives.

Correlation directives are covered in detail in the next module.

Policies are composed of policy rules, which are applied in descending order. When an
event is being processed, policy rules are evaluated in order from top down. When an
event matches a rule, the system stops processing that event. This is the reason why
very specific and restrictive rules should be defined at the top of the rules list, while
generic rules should be specified at the bottom of the rules list.
The figure shows an example where 3 policy rules are configured:
• The first rule matches Cisco ASA events with source IP address of 10.128.10.15.
• The second rule matches all Cisco ASA events.
• The third rule matches Cisco ASA events with source IP address of 10.177.16.150.
Because the second rule is generic, it will match all Cisco ASA events. Therefore, the
third rule, which is more specific, will never be evaluated. In order to correctly process
events, the INTERNAL_NMAP rule should be placed before the FIREWALL_EVENTS
rule.
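As an added illustration of the first-match evaluation described above (example code written for this guide, not part of AlienVault USM), the following Python models the three rules from the figure, shows that INTERNAL_NMAP never fires when it sits below FIREWALL_EVENTS, and reports which rules are shadowed by an earlier, more generic rule. The first rule's name, the consequence settings and the simplified condition model (data source and source address only) are constructed assumptions.

```python
"""Model of USM policy-rule evaluation: rules are tried top-down and the
first match stops processing, so a generic rule above a specific one
silently shadows it. Written for this guide; not AlienVault code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Event:
    data_source: str   # e.g. "Cisco ASA"
    src_ip: str


@dataclass(frozen=True)
class Rule:
    """A policy rule: conditions (empty tuple = ANY) plus consequences."""
    name: str
    data_sources: Sequence[str] = ()   # DS group; () means ANY data source
    src_networks: Sequence[str] = ()   # host or CIDR strings; () means ANY
    siem: bool = True                  # SIEM consequence: correlate / assess risk
    store: bool = True                 # SIEM consequence: store in SQL database
    logger: bool = True                # LOGGER consequence: keep signed raw log

    def matches(self, ev: Event) -> bool:
        if self.data_sources and ev.data_source not in self.data_sources:
            return False
        if self.src_networks:
            src = ip_address(ev.src_ip)
            if not any(src in ip_network(n, strict=False) for n in self.src_networks):
                return False
        return True

    def covers(self, other: "Rule") -> bool:
        """True if every event `other` could match is also matched by self,
        i.e. self placed above `other` makes `other` unreachable."""
        if self.data_sources:
            if not other.data_sources:
                return False            # other is ANY source, self is not
            if not set(other.data_sources) <= set(self.data_sources):
                return False
        if self.src_networks:
            if not other.src_networks:
                return False
            mine = [ip_network(n, strict=False) for n in self.src_networks]
            for n in other.src_networks:
                net = ip_network(n, strict=False)
                if not any(net.version == m.version and net.subnet_of(m)
                           for m in mine):
                    return False
        return True


def evaluate(rules: Sequence[Rule], ev: Event) -> Optional[Rule]:
    """Top-down evaluation; processing stops at the first matching rule."""
    for rule in rules:
        if rule.matches(ev):
            return rule
    return None


def shadowed_rules(rules: Sequence[Rule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule covers them."""
    return [rule.name for i, rule in enumerate(rules)
            if any(earlier.covers(rule) for earlier in rules[:i])]


# The three rules from the figure. The guide does not name the first rule,
# so "ASA_HOST_10_128" is a constructed placeholder; consequence values are
# illustrative (firewall events are correlated but not stored, as the text
# describes as a typical use).
AS_CONFIGURED = [
    Rule("ASA_HOST_10_128", data_sources=("Cisco ASA",), src_networks=("10.128.10.15",)),
    Rule("FIREWALL_EVENTS", data_sources=("Cisco ASA",), store=False),
    Rule("INTERNAL_NMAP", data_sources=("Cisco ASA",), src_networks=("10.177.16.150",)),
]
# The ordering the guide recommends: specific INTERNAL_NMAP above the generic rule.
CORRECTED = [AS_CONFIGURED[0], AS_CONFIGURED[2], AS_CONFIGURED[1]]


if __name__ == "__main__":
    # Constructed sample event from the scanner host named in the figure.
    ev = Event("Cisco ASA", "10.177.16.150")
    for label, rules in (("as configured", AS_CONFIGURED), ("corrected", CORRECTED)):
        hit = evaluate(rules, ev)
        print(f"{label}: {ev.src_ip} -> {hit.name if hit else 'no rule'}; "
              f"shadowed: {shadowed_rules(rules)}")
```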

USM Policies for Events

Policies are composed of conditions and consequences. Conditions determine which
events are processed by the policy. Consequences define what will happen to events
matching the specified conditions.
If a field is not currently filled in, it will appear yellow. For example, the source and
destinations are not filled in when a policy is first created. Therefore, those fields will
appear yellow on a new policy.

Policy conditions include the source and destinations of events. Source and
destination are a pre-defined asset, asset group, network, or network group. You can
also choose ANY if you want the policy to apply to any source and/or any destination.
• SOURCE - Defines assets, asset groups, networks, or network groups as the
source IP address of the event.
• DESTINATION - Defines assets, asset groups, networks, or network groups as the
destination IP address of an event.

For source or destination ports, you can designate multiple values for UDP and TCP
ports. For example, you can set up a port group called DNS with both UDP port 53 and
TCP port 53.
• SOURCE PORTS - Defines TCP or UDP source port of an event.
• DESTINATION PORTS - Defines TCP or UDP destination port of an event.

Event types define the events that will be processed by this policy.
There are two different ways to identify the event types that you want to match the
policy.
• Use Data Source (DS) Groups to select events by data source
• Use Taxonomy to select events by event type.

In addition to selecting already existing data source groups, you can create a new data
source group by selecting the desired data sources or event types.

Once you’ve selected the desired data types, click UPDATE to add a new data type.

After you’ve created your new data source group, select it in the list box.

Next, select the security classification (Taxonomy). This can be refined to category
and subtype.

To access the other conditions, click ADD MORE CONDITIONS. This will bring up a
dialogue box with the available options. The available options are:
• Sensors
• Reputation
• Event priority
• Time range

The SENSORS panel allows you to match events based on the USM Sensor that
collected and normalized the event.

The REPUTATION panel allows you to match events based on the reputation of either
source or destination IP address of an event.

The EVENT PRIORITY panel allows you to match events based on the priority and
reliability of an event.

TIME RANGE is a time window for matching events. For example, if you want to email
an admin about a successful login to the HR server between 3am to 6am, you can set
up a policy that will do that.

Consequences define what will happen when events meet the specified condition. The
first policy consequence you can assign is an action. There are three possible actions
that you can configure in USM:
• Send an email to a preconfigured email address
• Execute a command to invoke a script on the USM
• Open a ticket in the internal USM ticketing system

The SIEM consequence determines how the USM Server will process events. In
almost all cases, you want to use the power of the SIEM within the USM to correlate
events that arrive at the USM Server.
If you enable the SIEM capability, you can then select to enable or disable several
options:
• Change the priority of events
• Perform risk assessment of events
• Perform logical correlation of events
• Perform cross-correlation of events
• Store events in the SIEM SQL database
Note that if you disable the SIEM option, this will disable the other options within the
SIEM consequence.

The LOGGER consequence defines whether the USM Logger will store events, and how
stored events will be signed. By default, all events are logged and digitally
signed in the USM Logger.
Line signing will only be selectable if the server is configured to support it. If you
mouse-over the word Line, an explanatory pop-up will be shown.

The FORWARDING consequence defines whether events will be forwarded to another
USM Server or USM Logger. The default setting is No. Selecting Yes will only work if
other USM Servers or USM Loggers have previously been configured in the USM.

USM Policies for Directive Events

Like a policy for events, a policy for directive events is composed of conditions and
consequences. Conditions determine which events are processed by the policy.
Consequences define what will happen to events matching the specified conditions.
However, the policy for directive events has fewer conditions and consequences, since
such policies are designed to match only directive events that have been created
within the specific USM Server.
The Data Source (DS) Groups for directive event policies behaves differently than
choosing the DS Groups for event policies.
By default, you can choose all Directive events. There are no other directive event
groups listed. In order to have additional choices, click INSERT NEW DS GROUP.

Actions for directive event policies work the same way as the actions for policies.

SIEM consequences for directive event policies work the same way as the SIEM
consequences for event policies.

Module 5

Security Analysis
This module describes security analysis of alarms and events produced by AlienVault Unified
Security Management (USM).
Security Analysis Process

When an alarm is triggered in the USM you should take action.
The system uses alarms to let you know that it has found an event, or pattern of
events, that should be investigated. You might determine that the alarm represents a
genuine security issue, which will require you to act to remediate the issue. On the
other hand, if the alarm is not a concern, you can tune the USM so that it will show
only relevant alarms in the future. Either way, following a sound security analysis
approach is essential to obtaining the full value from your investment in the USM.
The figure shows the overall process of security analysis in the USM, comprising
the following steps:
• Examine the USM dashboards to see the overall security posture of networks that
are monitored by the system and look for unusual events.
• Examine the USM alarms. You should also see if there are any tickets pending
your actions.
• If available, examine OTX data for IOCs or IP addresses involved in the alarms.
Also, examine external resources that could help you determine whether an attack
is real or not.
• Examine other events that may be related to the alarms you are investigating.
• Examine assets that are involved in the alarms. Pay attention to any detected
vulnerabilities in assets.
• Examine raw logs in the USM Logger if you want to know if there are any related
logs that were not sent to the USM Server, or if you need logs as evidence.
• If required, use a packet capture of the offending traffic to perform an offline
analysis on another system (not shown in the figure).
• Report your findings to the appropriate parties, depending on the severity.

We will cover reporting in Module 15.

Overview Dashboards

To search for events in the USM that might require your attention, first look at the
ENVIRONMENT SNAPSHOT area of the user interface. Pay attention to the number
of open tickets and unresolved alarms.
You can navigate directly to the OPEN TICKETS and UNRESOLVED ALARMS
section of the user interface by clicking the number of open tickets or unresolved
alarms respectively.

Navigate to DASHBOARDS > OVERVIEW to examine the threat level of networks that
are being monitored by the USM. In the next few slides you will see several
dashboards that can help you determine the overall security posture and find unusual
behavior.
The EXECUTIVE dashboard at DASHBOARDS > OVERVIEW > EXECUTIVE shows
an overview of the network. Pay attention to the overall threat level of the network and
to Top 10 event categories to determine top event types that threaten your network.
The upper right pod in the OVERVIEW Dashboard shows the top OTX activity in your
USM. This shows the five OTX pulses that generated the most events in your
environment.

To see information about alarms and events that are stored in the system navigate to
DASHBOARDS > OVERVIEW > SECURITY. Pay attention to hosts with many events
and to hosts that have promiscuous behavior. Also pay attention to the top five alarms
and the top five events.

The NETWORK dashboard at DASHBOARDS > OVERVIEW > NETWORK shows
information about network trends and statistics. This information is provided by
NetFlow, which is used to collect and transmit information about network traffic flow.
Pay attention to abrupt changes that deviate from expected traffic patterns. Examine
the source and destination IP addresses and source and destination ports of such
flows. Use that information to search if there are any related events or alarms.

The NETWORK tab is not shown by default. You have to enter the edit mode of
dashboards by clicking the pen icon at the right side of the screen and add the tab to
the dashboard layout.

OTX has its own dashboard in the USM. The first section shows OTX pulses statistics:
• Subscribed pulses
• Indicators or IOCs
• Last updated
• Number of alarms and events
The second section shows events from the twenty most active OTX pulses for the past
week. The more events a specific pulse generates on a specific date, the bigger the
circle that will appear.

Below the Events from Most Active OTX Pulses, there’s a trend graph that shows
events from all OTX pulses.

The OTX IP reputation dashboard is below the OTX pulse data. To reach the OTX IP
reputation area, scroll down below the OTX pulse data. In the top of the dashboard,
you can use the drop-downs to change the OTX data you see: you can view all OTX
rep data or switch it to see only OTX rep data that affects you or is in your security
events.
You will see two sections: an OTX IP reputation map and the OTX IP reputation
statistics. The statistics include general statistics on unique IP addresses and updated
OTX data. The other statistics include malicious IP addresses by activity and top 10
countries generating OTX activity.

Remediating Alarms

When performing a security analysis, you should always look at the alarms. These are
special events that have a risk equal to or greater than one.
Alarms can be a result of a single event or can be the result of a directive event
created through correlation rules. Since alarms indicate events with high risk, they
require immediate investigation and remediation.

Navigate to ANALYSIS > ALARMS to examine alarms. The upper part of the screen
is the search. The middle part of the screen represents alarms in a graphical way. The
lower part of the screen displays a list of alarms sorted by date by default.

You can use filters to search for specific alarms. Click SEARCH AND FILTER to
reveal the search input fields. Specify the search filter by populating the input fields.
For example, you can filter for alarms coming only from a specific sensor, on OTX
reputation data, for alarms with a specific name, or for alarms involving specific source
and destination IP addresses. To filter alarms by date you can select starting and
ending dates. Click SEARCH to see the search results. The results will be displayed in
both the graphical view and in the alarms list.
The horizontal axis of the graphical view represents the dates of alarms while the
vertical axis represents the intent of alarms. The size of each blue circle specifies the
number of alarms of a specific intent in a specific time frame. You can click a blue
circle to display only alarms of a specific intent and in a specific time frame.

Navigate to ANALYSIS > ALARMS. When you are filtering alarms, you can filter on a
specific OTX Pulse to see all alarms generated from a specific pulse or filter to see all
alarms generated from any OTX pulses.

Alarms are listed in rows where one row represents one alarm. The following
information is displayed about an alarm in columns:
• DATE of an alarm.
• STATUS of an alarm: Open, Closed or being correlated.
• INTENT & STRATEGY of an alarm.
• METHOD of an alarm.
• OTX data if available
• RISK of the alarm as calculated by risk assessment. The minimum risk of an alarm
is one.
• SOURCE displays source IP address of traffic triggering the alarm. An orange
circle next to the IP address indicates that OTX data is available for the IP address.
• DESTINATION displays the destination IP address of traffic triggering the alarm. An
orange circle next to the IP address indicates that OTX data is available for the IP
address.
Alarms can be sorted in descending or ascending order. Alarms with OTX data
indicate activity of known hosts with bad reputations.
Click an alarm to expand it and see more information about the alarm. When an alarm
is expanded you have the following options available:
• ATTACK PATTERN shows whether the traffic triggering the alarm is reaching your
assets from elsewhere or coming from your assets.
• View details about the alarm by clicking the VIEW DETAILS button.
• Close the alarm by clicking the CLOSE button.
• Delete the alarm by clicking the DELETE button.
• Label the alarm as a false positive or as analysis in progress by clicking
APPLY LABEL. These labels can then be used when searching for alarms.

When you click VIEW DETAILS the details about an alarm are shown. On the upper
part of the screen you can examine information about the source and the destination of
the traffic triggering the alarm. You can also see the recommended knowledge base
article with the information about the alarm.

In the example you can see the alarm trigger and the description. In addition to that,
the USM provides you with Directive ID and source and destination information. In the
example above you can see details of a Command and Control (C&C) communication,
which represents botnet behavior.

Clicking on the OTX Indicators for pulses or OTX IP reputation will open up a box with
the OTX details.

In the example, you can see the alarm trigger and the description. In addition to that,
the USM provides you with Directive ID and source and destination information.

On the lower part of the screen, you will see individual events that triggered the alarm.
If the alarm is a result of a directive event then you will see individual events and a
directive event that was created by these individual events.
You can examine details about a single event by clicking the name of the event.
If an alarm has OTX data associated with it, it will appear in the alarm list. Events and
Alarms with OTX data have two colors:
• Orange – security events that were generated from a pulse
• Blue – security events that include OTX IP reputation data

Security events that were generated from an OTX pulse and also
include IP reputation information will appear orange.

If an event listed in an alarm has a blue OTX icon, clicking on it will bring up details
about the OTX IP Reputation.

If an event listed in an alarm has an orange OTX icon, clicking on it will bring up details
about the OTX pulse.

Investigate Events

When investigating an alarm, it is also useful to check whether there are any related
events in the SIEM database that were not correlated by the correlation engine. For
example, you can search for events that came from the same host as the offending
traffic that triggered the alarm.
You can search for events by navigating to ANALYSIS > SECURITY EVENTS (SIEM)
> SIEM. Events are listed in the lower part of the screen while the upper screen
displays filters that can be used to find events. You can also click ADVANCED
SEARCH to specify a more granular search.
In the example, the filter is specified to find only events that are related to the source
IP address that was reported in the alarm discussed previously.
You can sort the events based on the event name, date, and sensor that detected the
event, source or destination IP address and risk. You can examine details about an
event by clicking the event.

Recall that, based on the configured policies, some events may not be stored in the
SIEM database but are still correlated and assessed by the risk assessment engine to
create alarms.

Look for events that are related to alarms but that were not correlated by the
correlation engine. If you observe that scenario, you should consider customizing
existing directive rules or creating custom ones.

Navigate to ANALYSIS > SECURITY EVENTS (SIEM).
When you click an individual event details about the event are shown. Here you can
examine the normalized event and security event information. You can see the asset
value of the source and destination assets, the event priority, event risk and the event
reliability. You can also examine the reputation data of source and destination IP
addresses (if it is available).
Additionally, if the event is network related, you can also examine the packet triggering
the event by examining the payload of the packet in the details window.
From here, you have three filters to view events in relation to OTX:
• OTX IP REPUTATION – Expand the list to show the set of IP Reputation filters.
Filter by severity or by the type of activity that the IP address has been identified
doing.
• OTX PULSE – Search on a specific OTX pulse to see all events generated from
the IOCs included in that pulse.
• ALL OTX ACTIVITY – Checking this box displays only events that have been
generated from OTX pulses.

Below the search filter, you will see a list of the events that match your search.

If an event has OTX data associated with it, it will appear in the event list. Events and
Alarms with OTX data have two colors:
• Orange – security events that were generated from a pulse
• Blue – security events that include OTX IP reputation data

Security events that were generated from an OTX pulse and also
include IP reputation information will appear orange.

When you click the blue OTX icon (if available) in the list of security events, the OTX
IP reputation dialogue will be displayed.

When you click the orange OTX icon (if available) in the list of security events, the
OTX pulse dialogue will be displayed.

If you wish to investigate an event, click on the view details icon. This will display
several details about the event, including a raw log that triggered the event.

In the event details, you can see the number of IOCs or OTX IP reputation data that
relate to a specific event. If you click on that number, the OTX details will appear in a
dialogue box.

The next step when examining alarms is to check information about an asset involved
in an alarm. Navigate to ENVIRONMENT > ASSETS & GROUPS > ASSETS to
search for the asset that is involved in the alarm you are investigating.
Verify the operating system and services to confirm that the alarm triggered is valid
and needs to be investigated further.

When examining assets, you should also pay attention to any vulnerabilities that are
detected by vulnerability scans. You can also examine all reported alarms and events
the asset was involved in to find any activity related to the alarm you are analyzing.
For example, if you see vulnerabilities in an asset, examine them and determine the
severity of each vulnerability.

Detecting and examining vulnerabilities is covered in the “Threat Detection” module.

Check Raw Logs

When examining an alarm, you can also find additional information by examining raw
logs that are stored in the USM Logger. Recall that raw logs are digitally signed to
ensure the integrity of the data.
Navigate to ANALYSIS > RAW LOGS and search for any raw logs that are related to
the activity reported by an alarm. You can filter for logs by selecting a time range in the
chart or by selecting predefined time ranges. You can specify a search pattern in the
SEARCH input field to limit the display of the logs.

You can examine details about a log by clicking and expanding the log.
You can also verify the integrity of a log by verifying the log signature. Click the
Validate button at the right side of each log to verify whether a log has been altered. In
the example, signature verification succeeded which means that the log has not been
changed since it was initially signed.

You can export raw logs to a text file for offline analysis or to preserve them as
evidence.
To export logs, search for the logs you are interested in and click EXPORTS. Then you can
choose to export only logs that are shown on the screen by clicking Screen export or
you can export the entire search result by clicking Entire export. Note the entire
export selection is limited to 249,999 logs. Once you select the logs you want to export
click the download icon to complete the process.

File Tickets

The USM has its own ticketing system that can be used to delegate tasks to other
administrator users and to track the progress of investigations into specific alarms and
events.
Navigate to ANALYSIS > TICKETS to see a list of tickets. Tickets are listed in rows.
The following information is displayed for each ticket:
• Ticket identifier
• Ticket title
• Ticket priority
• Date of creation of the ticket
• Life time of the ticket
• Administrative user that is in charge of resolving the ticket
• Administrative user that submitted the ticket
• Type of the ticket
• Status of the ticket
• Extra information about the ticket, including tags
You can filter the displayed tickets by populating the input fields in the FILTERS
section of the screen. You can also close several tickets at the same time by checking
the box to the left of a ticket identifier and clicking CLOSE SELECTED.

Tickets can be opened in several ways:
• Automatically as a result of a configured policy.
• Automatically as a response to detected vulnerabilities after vulnerability scan of
an asset.
• Manually during alarm investigation when examining details of an alarm.
• Manually, unrelated to any alarm or event.
To open a ticket during an alarm investigation, click CREATE TICKET from the
ACTIONS menu when examining details about an alarm. A new window opens where
you can enter information about the ticket. The majority of the input fields are already
populated from the alarm details. You need to select the priority of the ticket and
assign the ticket to an administrative user.

To view details about a ticket or edit it, click the ticket title. From there, click the edit icon
in the upper right corner. This opens a subsequent screen where you can make
changes to the ticket:
• Change the status of the ticket. Status options: open, assigned, studying, waiting,
testing and closed.
• Change the priority of the ticket using numeric values (from 1 to 10) or using
descriptive values (low, medium, high).
• Transfer the ticket to another administrative user.
• Attach a file to the ticket.
• Provide a description of the changes that were made regarding the opened ticket.
• Describe actions that were taken regarding the opened ticket.
Click SAVE when you are done editing the ticket. The changes will be saved and
shown in the ticket details. Each change is saved as a separate entry in the ticket.
You can also delete the ticket if it is not relevant by clicking the icon in the upper right
corner of the screen.

Report Findings

AlienVault Unified Security Management (USM) has an internal reporting system which
you can use to generate reports in order to meet your business and management
needs. The reporting system uses a module-based approach, with over 2,600
components available. This allows an effectively unlimited variety of report modules
to be combined into a single report. Examples include reports on the required
information for compliance, vulnerabilities, alarms, events, assets, and so on.

AlienVault Threat Intelligence Updates constantly provide updates for the AlienVault
USM report modules and provide you with new views of data about an environment.

You can run reports either immediately through the web UI or you can schedule them
by creating a scheduler task to run reports once or periodically. After AlienVault USM
generates a report, you can view it directly in the web UI in HTML or you can download
or send the report via email as a PDF document.
You can also customize reports to meet your business needs, both in terms of content
and “look and feel” (company logo, color palette, and so on).

To run a report immediately, navigate to Reports > All Reports and search for a
report you would like to run. Alternatively, you can select a desired report category
from the REPORTS drop-down menu to display only the reports from the desired
family.

You can use the Categories section on the right side of the screen to display only the
desired report category. Check the checkbox on the right side of a report family
name to display only reports from the selected report family.

If you selected a specific report family from the REPORTS drop-down menu, the
report family category will already be selected.

You can also filter the displayed reports by entering a report name into the Search
field. The search functionality displays search results on the fly.
You can also display the details of a report by clicking the report name. The details of
a report display which modules are included in the report. In the example, the details
about Alarm Report are shown. The report uses the Default layout and consists of the
Title Page and the following modules:
• Alarms – Top Attacked Host
• Alarms – Top Attacker Host
• Alarms – Top Destination Ports
• Alarms – Top Alarms
• Alarms – Top Alarms by Risk
Execute the report by clicking the Run icon.

Depending on the type of the report, the date range, and the number of assets, it may
take a while for the system to generate the report. After the system generates the
report, it displays it in the web UI as an HTML document. You can either download the
report as a PDF document or send it to a defined email address.

To enable sending reports via email, you have to correctly configure AlienVault USM
with a mail relay server. You can do this by navigating to Configuration > Deployment
> Components > AlienVault Center > [Your USM] > General Configuration > Mail
Server Relay.

Launchpad

Course Review
Overview
This module provides a course review.
Course Wrap Up

The Launchpad course gets you started by helping you verify that the system is
operating, work with your assets, do some work on policies, and finally look at
dashboards and alarms to begin the process of security analysis. It is an excellent
way to start understanding the power of USM, but it does not give the complete
coverage that you get in the AlienVault USM for Security Engineers (AUSE) class.
Take AlienVault USM for Security Engineers to learn about working with different data
sources and how to correlate data. That course also covers how to use the different
reports, customize them, and use them to manage compliance challenges, as well as
the ins and outs of threat detection.

AlienVault USM for Security Engineers

Join the Open Threat Exchange
