
AlienVault Unified Security Management Solution

Complete. Simple. Affordable

How to display Security Events from an external AlienVault Database

Copyright 2014 AlienVault. All rights reserved.


AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX,
Open Threat Exchange, AlienVault OTX Reputation Monitor, AlienVault OTX Reputation Monitor Alert, AlienVault OSSIM and
OSSIM are trademarks or service marks of AlienVault.

CONTENTS

1. INTRODUCTION

2. PRE-REQUISITE: ALLOW AN EXTERNAL CONNECTION TO THE ALIENVAULT DATABASE
2.1. AlienVault Firewall Setup
2.2. Grant privileges to the remote user

3. HOW TO ADD AN EXTERNAL ALIENVAULT DATABASE

4. HOW TO DISPLAY EVENTS FROM AN EXTERNAL ALIENVAULT DATABASE

DC-00158 Edition 01 Copyright 2014 AlienVault. All rights reserved. Page 3 of 9



1. INTRODUCTION
This document explains how to add a connection to external AlienVault databases and how
to view the events related to those databases.

This procedure only works with AlienVault databases, which must use the
same version as the framework.

A successful connection to an external AlienVault database requires the following steps,
in this order:

1. Authorize remote access in the external AlienVault database.

2. Add the external AlienVault database in the GUI.

3. View events related to the external AlienVault database.

2. PRE-REQUISITE: ALLOW AN EXTERNAL CONNECTION TO THE ALIENVAULT DATABASE
Before adding the external database to your system, it is necessary to perform the following
actions on the target AV platform where the external database is located:

- Configure the AV firewall to allow an external connection to the database (the firewall
blocks this by default).

- Grant privileges to the external user connecting to the database.

If these prerequisites are not met, AlienVault USM will display a warning screen.


2.1. ALIENVAULT FIREWALL SETUP

AlienVault uses port 3306 by default for its databases.

1. Connect via SSH, using the admin IP address, to the AlienVault appliance where the
external DB is located. The AlienVault Setup main menu appears.

2. Use the arrow keys to move to the option Jailbreak System. Then, press Enter to
accept the selection (<OK>).

3. Edit the file /etc/ossim/firewall_include and add the following line:

-I INPUT -s <administration IP or network> -p tcp -m state --state NEW --dport <database_port> -j ACCEPT

4. Enter the following command:

ossim-reconfig

5. Check that the rule is active by entering the following command:

iptables -nvL | grep <database_port>
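
The rule in step 3 only limits exposure if it keeps its -s source. The following added example (not AlienVault code) audits firewall_include-style lines and reports ACCEPT rules for the database port that have no source or an any-address source. The function names and sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example (not AlienVault code): audit firewall_include-style rules.
# Sample rules are constructed; addresses are documentation ranges.

# check_db_rule LINE PORT -> prints "skip", "open" or "ok"
check_db_rule() {
    rule="$1"; dbport="$2"; src=""; prev=""
    # Only ACCEPT rules for the database port are of interest.
    case "$rule" in
        *"--dport $dbport "*"-j ACCEPT"*) ;;
        *) echo "skip"; return 0 ;;
    esac
    # Find the value that follows -s (the permitted source), if present.
    for tok in $rule; do
        if [ "$prev" = "-s" ]; then src="$tok"; fi
        prev="$tok"
    done
    # No source, or an any-address source, leaves the port open to everyone.
    case "$src" in
        ""|0.0.0.0|0.0.0.0/0|0/0) echo "open" ;;
        *) echo "ok" ;;
    esac
}

# audit_db_rules PORT < rules -> unscoped rules to stderr, their count to stdout
audit_db_rules() {
    count=0
    while IFS= read -r line; do
        if [ "$(check_db_rule "$line" "$1")" = "open" ]; then
            echo "UNSCOPED: $line" >&2
            count=$((count + 1))
        fi
    done
    echo "$count"
}

sample_rules() {  # constructed input
    cat <<'EOF'
-I INPUT -s 192.0.2.10 -p tcp -m state --state NEW --dport 3306 -j ACCEPT
-I INPUT -p tcp -m state --state NEW --dport 3306 -j ACCEPT
-I INPUT -s 0.0.0.0/0 -p tcp -m state --state NEW --dport 3306 -j ACCEPT
-I INPUT -s 198.51.100.0/24 -p tcp -m state --state NEW --dport 443 -j ACCEPT
EOF
}

sample_rules | audit_db_rules 3306
```

On the appliance, the same check can be run as `audit_db_rules 3306 < /etc/ossim/firewall_include` after sourcing the functions.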


2.2. GRANT PRIVILEGES TO THE REMOTE USER


1. Connect via SSH, using the admin IP address, to the AlienVault appliance where the
external DB is located. The AlienVault Setup main menu appears.

2. Use the arrow keys to move to the option Jailbreak System. Then, press Enter to
accept the selection (<OK>).

3. Enter the following command:

ossim-db

4. Grant privileges to the remote user:

GRANT ALL ON alienvault.* TO <user>@'<framework_ip>' IDENTIFIED BY '<user_pass>';
GRANT ALL ON alienvault_siem.* TO <user>@'<framework_ip>' IDENTIFIED BY '<user_pass>';
GRANT ALL ON datawarehouse.* TO <user>@'<framework_ip>' IDENTIFIED BY '<user_pass>';
FLUSH PRIVILEGES;

Where:
- <user> refers to the user that will be entered in the web form when an external
database is added.
- <framework_ip> refers to the IP address of the platform where the external database is
going to be added.
- <user_pass> refers to the password entered for that user in the web form when an
external database is added.

5. Enter this command:

quit;

6. Enter the following command:


ossim-reconfig

3. HOW TO ADD AN EXTERNAL ALIENVAULT DATABASE


1. Launch a web browser and enter your AlienVault IP address into the address bar.

2. Choose Analysis > Security event (SIEM) > External Databases and click on NEW.

3. Fill out the form and click on SAVE.


4. HOW TO DISPLAY EVENTS FROM AN EXTERNAL ALIENVAULT DATABASE
1. Launch a web browser and enter your AlienVault IP address into the address bar.

2. Choose Analysis > Security event (SIEM) > SIEM.

3. Click on this icon ( ) and select your database.


4. If the window below appears, follow the instructions given in Section 2
PRE-REQUISITE: ALLOW AN EXTERNAL CONNECTION TO THE ALIENVAULT DATABASE.
