Exercise 1: Search for, Examine, and Edit Assets

In this exercise you will manage assets that were discovered by AlienVault USM.
You will first search for an asset, then you will examine details about the asset, and
finally you will edit the asset by changing the asset name, description, value, and
device type. You will also add a property to the asset’s inventory.
Lab Exercise Procedure
Complete these steps:
Step 1 Return to the USM web UI. Log in using admin as a username and
password as a password.
Step 2 Navigate to ENVIRONMENT > ASSETS & GROUPS > ASSETS.
Examine the asset list.

You should see three assets from the 172.20.71.0/26 network. Use the
IP Addressing section of this document and identify the device type by
completing the following table:
USM Hostname IP Address Device Type
Host-172-20-71-9 172.20.71.9
Host-172-20-71-10 172.20.71.10
Host-172-20-71-12 172.20.71.12

Assets that were discovered in the 172.20.71.0/26 network,

including management IP address of USM, are IP addresses on
the lab device interfaces that are used by the remote lab
management system.

Step 3 Explore how the search functionality works. Search for the
Windows Server asset by entering the IP address of the asset
into the Search input field in the left upper side:

Only one server asset will be displayed as a result.

Step 4 Expand the details about the server by clicking the details icon on
the right side:
 Examine the details of the asset. Its asset value is set to the default value
of 2. You should see that the operating system of the asset is Windows
Server and the device type is set to General Purpose, as discovered by
the initial scan. You should also see that the server was involved in traffic-
generating events, but not in traffic-generating alarms.
Step 5 Examine services that are running on the server by clicking the
SERVICES circle. Alternatively click the SERVICES link.
 The number of services may vary slightly, depending on the
amount of MSRPC connections that the Windows server is
making at that exact time.

Write the services down:

_____________________________________
Step 6 Examine the asset events by clicking the EVENTS circle.
Alternatively click the EVENTS link.

Step 7 Examine software running on the asset by clicking the SOFTWARE

link.
 What software is running on the server?
___________________________________________________________
Step 8 Examine the environmental status of the asset. You will see that the asset
has been configured for periodic asset discovery as part of the Getting
Started Wizard, but has not been configured with HIDS. This is displayed
as a black circle. Note that the vulnerability scan is not scheduled for this
asset.

Step 9 Edit the asset by selecting EDIT under the ACTIONS menu. Edit
the name, asset value, description, and device type of the asset as
shown in the figure and the table below. In the Device Types field,
you will need to remove the General Purpose line as well as add
the newer device types.

Name Server2012
Asset value 2
Description This is a Windows Server 2012 in the lab environment
Device Types Server:HTTP Server
 Server:file Server

Step 10 Click the PROPERTIES tab. Click on Add New Properties, select
the property, and add the following properties to the asset:

Department property with a value of LAB. Check Lock property. Click

SAVE.
Role property with a value of LAB Server. Check Lock property.
Click SAVE. Then close the window.
 If you leave the EDIT ASSET window open for a long period of
time, you may get a cross-site request forgery error. In that case,
you will need to close and reopen the EDIT ASSET window.

Step 11 Now you should see changed details of the asset.

Step 12 Return to the list of assets. Examine the details about the asset
at
Host-<IP USM>. This is the USM All-in-One server.
Step 13 Edit the asset by selecting EDIT under the ACTIONS menu. Edit
the name, asset value and device types of the asset as shown in
the figure. SAVE the changes.
Step 14 Return to the list of assets. Check the USM and Server 2012 assets
checkboxes and click the label icon.

Step 15 Click the Manage Labels link and create a label as displayed in the
figure. Provide the name, select a color, and SAVE the label.

Close the MANAGE LABELS window.

Step 16 Label the previously selected assets with the created label by
checking the label checkbox. The label will be used in the next
exercise when demonstrating search and filtering capabilities.
 Step 17 Cick the details of the Server 2012 asset. You will see the Critical
Assets label applied.

Exercise 2: Perform Asset Discovery

In this exercise, you will scan the Server 2012 asset more thoroughly to detect
additional services and other properties. You will also examine and edit the
scheduled scanning job that was configured as part of the Getting Started Wizard.
Lab Exercise Procedure
Complete these steps:
Step 1 Return to the USM web UI. Log in using admin as a username and
password as a password.
Step 2 Navigate to ENVIRONMENT > ASSETS & GROUPS > ASSETS.
Select Scan For New Assets under the ADD ASSETS menu.

Step 3 Scan Server 2012 asset using the following scan attributes:
Local sensor
Normal scan type
Aggressive timing template
Autodetect services and operating
system No reverse DNS resolution
Click START SCAN to begin the scanning process.
 After clicking START SCAN, a window will pop up with a scan
progress bar.

Step 4 Scroll down to examine the scanning results at the bottom of the
screen.

Observe that the scanning job detected the MAC address, operating system,
and services on the machine. Save the scanning results into the database
by clicking UPDATE MANAGED ASSETS. Do not fill any other global
properties for the asset when asked, and click SAVE.

Ignore the message about overwriting the existing values and click OK.

You will get a notification that the asset information has been updated
successfully.
Step 5 Navigate to ENVIRONMENT > ASSETS & GROUPS > ASSETS.
Examine details about the Server 2012 asset. Examine the services
running on the server. You should see that additional services have
been discovered by the scan and entered into the asset database.

Recall that the number of services may vary slightly, depending

on the amount of MSRPC connections that the Windows server
is making at that exact time.
 Step 6 Click the ACTIONS > RUN ASSET SCAN option. You will see that
you can initiate asset scan from this menu as well.

Do not scan the asset again. Close the ASSET SCAN window.
Step 7 Navigate to ENVIRONMENT > ASSETS & GROUPS >
SCHEDULE SCAN. You should see one scheduled scanning job
of the 172.20.71.0/26 network as the result of the Getting Started
Wizard.

Step 8 Edit the scanning job by selecting the job row and clicking EDIT.
Examine the settings of the scheduled scanning jobs.
Step 9 Change the scan type to Normal, change the timing template to
Normal, enable Autodetect services and Operating System,
uncheck enable reverse DNS resolution, and SAVE changes.
In this lab we have performed an overview of AlienVault assets, such as hosts and
networks, and shown how to perform asset discovery.
Exercise 3: Create an Asset Group
In this exercise, you will first search for and filter specific assets. Then you will
create two asset groups. The first will combine assets from the 172.20.71.0/26
network , while the second will group assets that were labeled as critical assets.
Lab Exercise Procedure
Complete these steps:
Step 1 Return to the USM web UI. Log in using admin as a username and
password as a password.
Step 2 Navigate to ENVIRONMENT > ASSETS & GROUPS > ASSETS.
Create a search filter that will be used to create a group. Click
MORE FILTERS. Examine available filters.

Create a filter that will include devices from 172.20.71.0/26 network and
HEADQUARTERS location. Click APPLY after selecting the filters.
Step 3 You will see devices as a result of the search filter. Select all
assets and create an asset group by clicking ACTIONS >
CREATE/ADD TO GROUP option. Use Headquarters Assets as
the name of the group. Click the plus (+) sign to create the group
and to add assets to the group.
Step 4 After creating the group, examine the details about the group.
Observe the options that are available in the asset group and
compare them to options when examining details about individual
assets.

Step 5 Navigate to ENVIRONMENT > ASSETS & GROUPS > ASSET

GROUPS. The created group will be displayed.
Step 6 Create another group that will group critical assets. This time,
create the group by clicking the CREATE NEW GROUP option.
Use Lab Assets as a name of the group. SAVE the changes.

Step 7 Return to the list of assets by navigating to ENVIRONMENT >

ASSETS & GROUPS > ASSETS.
Filter for assets with the Critical Assets label by using More Filters.
Click APPLY.
Step 8 You will see two devices as a result of the search filter. Select both
assets and add them to the Lab Assets asset group by clicking
ACTIONS > CREATE/ADD TO GROUP option. Click the plus (+)
sign next to the group name to add the assets to the group.

Step 9 Examine the details about the Lab Assets group.

Step 10 Observe that you can also add assets by clicking the ADD ASSETS
option in the Group Details pane. However, you cannot use the
filtering capability when adding assets from this window. Close the
ADD ASSETS TO GROUP window.
Exercise 4: Search for, Examine, and Edit Networks
In this exercise you will manage networks that are configured in AlienVault USM. You
will examine details about the network, and you will edit the network by changing the
network name and description.
Lab Exercise Procedure
Complete these steps:
Step 1 Return to the USM web UI. Log in using admin as a username and
password as a password.
Step 2 Navigate to ENVIRONMENT > ASSETS & GROUPS >
NETWORKS. You should see two networks that were detected
during the Getting Started Wizard. Examine details about the
172.20.71.0/26 network.
 You will see that the options are similar to those available when examining
a single asset.
Step 3 Return to Networks and edit the network by selecting the edit icon
next to the 172.20.71.0/26 entry. Edit the name and description of
the network as shown in the figure. Click SAVE when done.

Step 4 Navigate to DASHBOARDS > DEPLOYMENT STATUS. Expand

the HEADQUARTERS location. You should see the edited name
of the network.

In this lab, you have learned how to manage assets, asset groups, and networks.
Exercise 5: Instalando Agentes OSSEC

INSTALANDO AGENTE OSSEC - WINDOWS

El agente es un pequeño programa instalado en los sistemas que se van a supervisar.

El agente recopilará información y la remitirá al server. Tiene una memoria muy pequeña
y CPU footprint por defecto, sin afectar el uso del sistema.

Ingresamos con cuenta de administrador en el servidor Windows donde se instalara el

agente. Para esto nos descargaremos desde la página oficial de OSSEC
la versión agente para Windows.

 Login como administrador al Windows donde se instalara.

 Descargar OSSEC Agent Windows desde

https://ossec.github.io/downloads.html y ejecutar.

NOTA: El instalador también se puede descargar del mismo Alienvault y facilitarlo para
su instalación en el servidor.

 Ejecutaremos el binario y seguiremos los pasos para la instalación del agente.

  Instalar el agente usando todas las recomendaciones que muestra en el
proceso de instalación.
 Finalizada la instalación se ejecutara el Agent Manager y nos aparecerá una
ventana como la siguiente.
 Ingresar la IP del Alienvault (172.30.10.149) y salvar los cambios.

La llave de autenticación se generara del mismo Alienvault.

Se ingresa al equipo Alienvault opción Enviroment>Detection>Agent Control en donde

se visualizan todos los equipos con el agente instalado.
Se ubica en el equipo que se requiere extraer el key y se da click en “Extract Key”
Con ello se obtiene el key

Introducimos entonces en el agente la IP del Alienvault con el key obtenido del equipo.
Este key es único por dispositivo.

 Ahora nos pedirá confirmación y le daremos Aceptar.

 Comprobar en servicios que este haya empezado automáticamente en caso
contrario dar empezar el servicio OSSEC HIDS service.
  Miraremos los logs del sistema.
 Por ser la primer vez que ingresamos no hay un archivo de logs creado así que
nos dirá que si lo queremos crear.
 Reiniciaremos entonces el agente.

Y visualizaremos los logs, en estos podremos ver lo que se está monitoreando y al

final nos dice que el agente se ha iniciado.

INSTALANDO AGENTE OSSEC - LINUX

Procedimiento para la instalación de Ossec en modo agente.

Para sistemas UNIX , OSSEC únicamente requiere gnu make, gcc,
and libc. OpenSSL es opcional pre requisito.

Nota: En caso de Linux es necesario tener instalado el compilador

GCC , CC , en la implementación para los Linux en algunos servidores
que no contaban con este paquete nos salió el siguiente error:

Para lo cual fue necesario descargar estos paquetes de un repositorio

local e instalarlo en estos servidores Linux.

Download ossec-hids-2.9.1.tar.gz
of https://ossec.github.io/downloads.html

wget https://github.com/ossec/ossec-hids/archive/2.9.1.tar.gz

# tar -zxvf ossec-hids-*.tar.gz (or gunzip -d; tar -xvf)

# cd ossec-hids-*

# ./install.sh

1- What kind of installation do you want (server, agent, local or

help)? Agent

- Agent(client) installation chosen.

2- Setting up the installation environment.

- Choose where to install the OSSEC HIDS [/var/ossec]: /var/ossec

- Installation will be made at /var/ossec.

3- Configuring the OSSEC HIDS.

3.1- What's the IP Address of the OSSEC HIDS server?:

- Adding Server IP 172.30.10.149 (Alienvault)
3.2- Do you want to run the integrity check daemon? (y/n) [y]: y
- Running syscheck (integrity check daemon).
3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y
- Running rootcheck (rootkit detection).
3.4 - Do you want to enable active response? (y/n) [y]: n
- Active response disabled.
3.5- Setting the configuration to analyze the following logs:
-- /var/log/messages
-- /var/log/auth.log
-- /var/log/syslog
-- /var/log/mail.info
-- /var/log/dpkg.log

- If you want to monitor any other file, just change

the ossec.conf and add a new localfile entry.
--- Press ENTER to continue ---
Ejecutar:
./bin/manage_agents
***********************************************
* OSSEC HIDS v1.6 Agent manager. *
* The following options are available: *
***********************************************
(I)mport key from the server (I).
(Q)uit.

Choose your action: I or Q: I

* Provide the Key generated by the server (Alienvault).
* The best approach is to cut and paste it.

*** OBS: Do not include spaces or new lines.

Paste it here (or '\q' to quit):

Para obtener el KEY se ingresa al equipo Alienvault opción

Enviroment>Agents>Agent Control en donde se visualizan todos los
equipos con el agente instalado.
Se ubica en el equipo que se requiere extraer el key y se da click en
“Extract Key”

Con ello se obtiene el key

Introducimos entonces en el agente instalado en el servidor Linux el
key obtenido del equipo Alienvault. Este key es único por dispositivo.

Confirm adding it?(y/n): y

Added.
** Press ENTER to return to the main menu.

Start the agent

/var/ossec/bin/ossec-control start
Para monitorear por logs que el agente se instale de forma correcta
ejecutar el siguiente comando:

Para una correcta instalación no debería mostrar error alguno, por

ejemplo errores relacionados a la conexión con el sensor Alienvault.

Ingresando vía GUI al Alienvault se debería mostrar el servidor con el

agente en estado ACTIVO (este puede tardar unos minutos).
Otra forma de verificar es ingresando vía SSH al Sensor Alienvault y
ejecutando el comando /var/ossec/bin/list_agents –c donde debería
mostrar en estado ACTIVO.

NOTA: El refresco se ve más rápido vía CLI, vía GUI demora unos
minutos más el cambiar de estado.

Una vez concluida la instalación ya se podría ver los eventos enviados

por el servidor Linux en la interfaz de SIEM del Alienvault.
Ir a ANALYSIS>SECURITY EVENTS (SIEM) seleccionar
DATASOURCE Alienvault HIDS y en ADVANCED SEARCH ingresar
la IP del servidor Linux como source a filtrar.