How to display Security Events from an external AlienVault Database
AlienVault Unified Security Management™ Solution. Complete. Simple. Affordable.

DC-00158 Edition 00. Copyright© 2014 AlienVault. All rights reserved. AlienVault™, AlienVault Unified Security Management™, AlienVault USM™, AlienVault Open Threat Exchange™, AlienVault OTX™, Open Threat Exchange™, AlienVault OTX Reputation Monitor™, AlienVault OTX Reputation Monitor Alert™, AlienVault OSSIM™ and OSSIM™ are trademarks or service marks of AlienVault.

CONTENTS

1. INTRODUCTION (page 4)
2. PRE-REQUISITE: ALLOW AN EXTERNAL CONNECTION TO THE ALIENVAULT DATABASE (page 4)
   2.1. AlienVault Firewall Setup (page 5)
   2.2. Grant privileges to the remote user (page 6)
3. HOW TO ADD AN EXTERNAL ALIENVAULT DATABASE (page 7)
4. HOW TO DISPLAY EVENTS FROM AN EXTERNAL ALIENVAULT DATABASE (page 8)

1. INTRODUCTION

This document explains how to add a connection to external AlienVault databases and how to view the events related to those databases. This procedure only works with AlienVault databases, which must use the same version as the one used by the framework.

A successful connection to an external AlienVault database has to follow the steps below, in this specific order:

1. Authorize remote access in the external AlienVault database.
2. Add the external AlienVault database in the GUI.
3. View events related to the external AlienVault database.

2. PRE-REQUISITE: ALLOW AN EXTERNAL CONNECTION TO THE ALIENVAULT DATABASE

Before adding the external database in your system, it is necessary to perform the following actions in the target AV platform where the external database is located:

- Configure the AV firewall to allow an external connection to the database (the firewall blocks this by default).
- Grant privileges to the external user connecting to the database.

If these pre-requisites are not met, AlienVault USM™ displays a warning screen (screenshot omitted from this transcription).

2.1. ALIENVAULT FIREWALL SETUP

AlienVault uses port 3306 as the default for the databases.

1. Connect by ssh, using the admin IP address, to the AlienVault appliance where the external DB is located. The AlienVault Setup main menu appears.
2. On the computer keyboard, press the arrow keys to move to the option 'Jailbreak System'. Then, press Enter to accept the selection (<OK>).
3. Edit the file /etc/ossim/firewall_include and add the following line (note that the option is -m, with a plain hyphen, and --dport, since the rule matches a single port):

   -I INPUT -s <administration IP or network> -p tcp -m state --state NEW --dport <database_port> -j ACCEPT

4. Enter the following command: ossim-reconfig
5. Check that the rule is active by entering the following command: iptables -nvL | grep <database_port>

2.2. GRANT PRIVILEGES TO THE REMOTE USER

1. Connect by ssh, using the admin IP address, to the AlienVault appliance where the external DB is located. The AlienVault Setup main menu appears.
2. On the computer keyboard, press the arrow keys to move to the option 'Jailbreak System'. Then, press Enter to accept the selection (<OK>).
3. Enter the following command: ossim-db
4. Grant privileges to the remote user:

   GRANT ALL ON alienvault.* TO <user>@'<framework_ip>' IDENTIFIED BY '<user_pass>';
   GRANT ALL ON alienvault_siem.* TO <user>@'<framework_ip>' IDENTIFIED BY '<user_pass>';
   GRANT ALL ON datawarehouse.* TO <user>@'<framework_ip>' IDENTIFIED BY '<user_pass>';
   FLUSH PRIVILEGES;

   Where:
   <user> refers to the user that will be entered in the web form when an external database is added.
   <framework_ip> refers to the IP address of the platform where the external database is going to be added.
   <user_pass> refers to the password entered in the web form when an external database is added.

5. Enter this command: quit;
6. Enter the following command: ossim-reconfig

3. HOW TO ADD AN EXTERNAL ALIENVAULT DATABASE

1. Launch a web browser and enter your IP address into the address bar.
2. Choose 'Analysis > Security event (SIEM) > External Databases' and click on NEW.
3. Fill the form out and click on SAVE.

4. HOW TO DISPLAY EVENTS FROM AN EXTERNAL ALIENVAULT DATABASE

1. Launch a web browser and enter your IP address into the address bar.
2. Choose 'Analysis > Security event (SIEM) > SIEM'.
3. Click on the icon (image omitted from this transcription) and select your database.
4. If the warning window appears, follow the instructions given in Section 2, PRE-REQUISITE: ALLOW AN EXTERNAL CONNECTION TO THE ALIENVAULT DATABASE.
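The following shell script is an added example and is not part of the AlienVault document or its tooling. It covers the firewall step of Section 2.1 in two halves: build_rule produces the /etc/ossim/firewall_include line from an administration address and a port, rejecting malformed input, and audit_rules reads an iptables rule listing and reports whether an ACCEPT rule for the database port exists and whether it carries the -s source restriction, because a rule without one opens the database port to every host, which is exactly what the -s in the documented rule prevents. Together with the @'<framework_ip>' host part of the GRANT statements in Section 2.2, that restriction is what limits which hosts can reach the database; this audit checks the firewall half. It assumes `iptables -S INPUT` output (one rule per line), not the `-nvL` listing used in the document; the function names, the return-code convention and the sample listings are constructed for this example.

```shell
#!/bin/sh
# Added example (not AlienVault's own tooling). Builds the Section 2.1 rule
# and audits an iptables listing for the database port. POSIX sh only.

DB_PORT_DEFAULT=3306   # the document's default database port

# build_rule <source-ip-or-cidr> [port]
# Prints the single line to append to /etc/ossim/firewall_include.
build_rule() {
    src="$1"
    port="${2:-$DB_PORT_DEFAULT}"
    # Accept only dotted-quad addresses with an optional /prefix; this also
    # refuses shell metacharacters that would corrupt the firewall file.
    case "$src" in
        *[!0-9./]*|"") echo "invalid source: $src" >&2; return 1 ;;
    esac
    case "$port" in
        *[!0-9]*|"") echo "invalid port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
    printf '%s\n' "-I INPUT -s $src -p tcp -m state --state NEW --dport $port -j ACCEPT"
}

# audit_rules <port>   (reads `iptables -S INPUT` style lines on stdin)
# Return codes (this example's own convention):
#   0  at least one ACCEPT rule for the port exists and all are source-restricted
#   1  no ACCEPT rule for the port (the external connection will be blocked)
#   2  an ACCEPT rule for the port has no -s, i.e. the port is open to any host
audit_rules() {
    port="$1"
    found=0
    open=0
    while IFS= read -r line; do
        case "$line" in
            *"--dport $port "*"-j ACCEPT"*)
                found=$((found + 1))
                case "$line" in
                    *" -s "*) ;;        # source-restricted: as documented
                    *) open=1 ;;        # no -s: reachable from anywhere
                esac ;;
        esac
    done
    [ "$open" -eq 1 ] && return 2
    [ "$found" -ge 1 ] && return 0
    return 1
}

# Constructed sample listings (not captured from a real appliance).
SAMPLE_RESTRICTED='-P INPUT DROP
-A INPUT -s 192.0.2.10/32 -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT'
SAMPLE_OPEN='-P INPUT DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT'
SAMPLE_MISSING='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# Stand-alone demonstration: print the rule to add, then audit each sample.
build_rule 192.0.2.10 3306
printf '%s\n' "$SAMPLE_RESTRICTED" | audit_rules 3306; echo "restricted sample: rc=$?"
printf '%s\n' "$SAMPLE_OPEN" | audit_rules 3306;       echo "open sample: rc=$?"
printf '%s\n' "$SAMPLE_MISSING" | audit_rules 3306;    echo "missing sample: rc=$?"
```

On an appliance, the audit half is run as `iptables -S INPUT | audit_rules 3306` after ossim-reconfig; a return code of 2 means the rule was added without the source restriction and should be corrected before the database user is granted access.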