AlienVault. Unified Security Management (USM) 5.x Policy Management Fundamentals


USM 5.x Policy Management Fundamentals

Copyright 2015 AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat Exchange, AlienVault OTX Reputation Monitor, AlienVault OTX Reputation Monitor Alert, AlienVault OSSIM, and OSSIM are trademarks or service marks of AlienVault, Inc. All other registered trademarks, trademarks or service marks are the property of their respective owners.

Revision to This Document

Date                Revision Description
February 21, 2015   Original document.
November 25, 2015   Added a note in Configure Actions. Added a paragraph in Policies Related to External Events vs. System Events to explain the avapi filter.

November 25, 2015 USM 5.x Policy Management Fundamentals Page 2 of 58

Contents

Introduction ... 5
  Policies Overview ... 5
    What is an event? ... 5
    What is a policy? ... 5
    Policies Related to External Events vs. System Events ... 6
      External Event Policy Interface ... 7
      System Event Policy Interface ... 8
Creating or Modifying a Policy ... 8
  Policy Conditions for External Event Policies ... 9
    Source
    Destination
    Source Ports
    Destination Ports
    Event Types: Data Source Groups
    Event Types: Taxonomy
    Sensors
    Reputation
    Event Priority
    Time Range
  Policy Conditions for System Event Policies
    Event Types
    Reputation
    Event Priority
    Time Range
  Policy Consequences
    Actions
    SIEM
    Logger
    Forwarding
Managing Policies
  View Existing Policies
  Policy Groups
  Policy Order
  Configure Actions
    Configure Action to Send Email
    Configure Action to Execute External Program
    Configure Action to Open Ticket
    Use Keywords in Actions
  Configure Policy to Discard Events
    Create DS Group to Specify Data Source
    Discard Events
  Configure Policy to Send Emails Triggered by Events
    Create Action to Send Email
    Create Policy Conditions for External Events
    Create Action as Policy Consequence for External Events
    Create Policy Conditions for Directive Events
    Create Action as Policy Consequence for Directive Events

Introduction

Use this document to understand policies and actions in AlienVault. Policies are used to influence event processing, filter events that don't need to be processed, and deal with events that result in noisy or false positive alarms. Understanding policies and actions is critical in managing AlienVault and tuning it to meet your security needs.

Policies Overview

What is an event?

An event is a single line of data collected from an external system (e.g. Windows servers, firewalls) or produced by AlienVault components (e.g. USM Server, USM Sensor) that describes a particular system-level or user-level activity that took place. For example, security events collected from a Windows server describe a user attempting to authenticate to that server. Events from a firewall, such as Cisco ASA or Fortinet Fortigate, describe communication from a system within the customer network either to another system in the network or to a system external to the network. Security analysts use these events to understand what is happening in a network and to identify potential security threats that can lead to a security incident.

There are two types of events to consider in AlienVault: external events and system events.

- External events. USM Sensors collect these events from external systems and devices. These events then go to the USM Server for correlation and to the USM Logger for long-term storage.
- System events. The USM Server creates these events using correlation rules.

What is a policy?

Policies are AlienVault USM configuration objects that allow you to configure how the system processes events once they arrive at the AlienVault USM Server or Logger. A policy consists of conditions and consequences. Conditions determine which events are processed by the policy. Consequences define what happens when events match the specified conditions.

Policies are used widely within USM to alter its default behavior when events are captured and sent to the USM Server or USM Logger. By default, all collected events are processed and stored by both components. Common examples of how policies are used include:

- Perform risk assessment and correlation without storing events in the Server database. This is typically done with firewall events, but could be done with any type of event. It is common to process certain firewall events for use in correlation, but you may not want to store them in the USM Server database due to their volume. You will likely still want to store the events in the USM Logger for long-term retention and compliance reasons.
- Store events in the USM Logger without correlating them. This is typically done if the events in question have no directives or cross-correlation rules to process them. If there is no reason to send them to the USM Server for correlation, you can configure a policy to skip the USM Server and just store the data in the USM Logger.
- Correlate events and forward them to another USM Server without storing them. In larger, distributed deployments, the USM components can be tiered to allow for additional scale. You may want to correlate the events on a child server and send them to a higher-level USM Server or Federation Server to further correlate or store them. You can use policies to set up the event forwarding.
- Reduce false positive alarms. As you collect more events from different external systems, you may run into a scenario that causes the USM Server to generate more alarms than you want. You can use policies to filter the events and so reduce the number of alarms that are created.
- Send an email notification. Policies can be used to trigger on alarms and send a notification to an administrator or others to inform them of the alarm. Policies can be configured with an action to automate the notification.
- Temporarily hide true positive alarms. On occasion, you may want to disable the generation of alarms based on a particular set of events to avoid alarm regeneration or noise until analysis, corrective action, or preventative action is taken. Use policies to limit the creation of alarms temporarily.
- Increase the importance of a specific event. On occasion, you may want to closely monitor a specific IP address or a specific port. You can use policies to generate alarms for these specific scenarios without writing a correlation rule.

These use cases are just examples of how to use policies to manage and control event processing within AlienVault USM. As you learn more about policies and how they interact with events, you will find them to be a valuable and powerful tool.

Policies Related to External Events vs. System Events

You will notice that the policy view is separated into two halves. The upper half of the policy management web interface allows you to manage policies related to external events. The bottom half allows you to manage policies related to system events.

Figure 1. Policy list interface (external events in the upper half, system events in the lower half)

No policies are created by default within AlienVault USM. You will need to create policies as needed. When you create a new policy or modify an existing policy, policy conditions and consequences must be defined to tell AlienVault what to evaluate and how to react.

Starting with AlienVault USM version 4.12, a third policy group, AV Default policies, has been introduced. The AlienVault USM system generates many logs about the avapi user, a user that performs many internal tasks in the system. These logs are only relevant to internal system processes or to the AlienVault support team, so usually they are not interesting to users. Because these logs can be annoying for administrators of AlienVault USM, there is a rule named AVAPI filter, which filters events from the AlienVault avapi user so that they do not appear in Security Events (SIEM) or in Raw Logs. However, the system leaves this decision to the user, so this policy is disabled by default. If you want to get rid of those events, you just need to activate this policy.

External Event Policy Interface

You can use the policy management interface to create and manage policies related to external events. This includes all events collected from external systems via the sensors. Policy groups are used to organize policies into logical groups. After initial installation, a new AlienVault system will have a default policy group called Default Policy Group: Default Group Policy objects. This policy group includes no default policies, but can be used to create policies related to external events.

The policy group includes a set of management options that allow you to manage policies within the policy group. They include:

- New. Click this button to create a new policy.
- Modify. Select an existing policy in the list and click this button to modify that policy.
- Delete Selected. Select an existing policy in the list and click this button to delete it. You will be asked to confirm the deletion.
- Duplicate Selected. Select an existing policy in the list and click this button to duplicate it. A duplicate of the selected policy will be created. You will need to provide a unique name, update the policy as desired, and save the policy.
- Reload Policies. After the external policies have been modified or reordered, they need to be reloaded so the Server and Logger are aware of the changes. Click this button to reload the policies. This forces a restart of the service used to manage the policies.
- Enable/Disable Policy. Select a policy in the list and click this button to enable or disable it. You will be prompted for confirmation before the change is made.

System Event Policy Interface

You can use the policy management interface to create and manage policies related to system events. These are events that are generated by AlienVault. After initial installation, a new AlienVault system will have a default policy group called Policies for events generated in server. This policy group includes no default policies, but can be used to create policies related to system events.

Similar to external events, this section of the user interface also includes several management options. They include:

- New. Click this button to create a new policy.
- Modify. Select an existing policy in the list and click this button to modify that policy.
- Delete Selected. Select an existing policy in the list and click this button to delete it. You will be asked to confirm the deletion.
- Duplicate Selected. Select an existing policy in the list and click this button to duplicate it. A duplicate of the selected policy will be created. You will need to provide a unique name, update the policy as desired, and save the policy.
- Reload Policies. After the policies have been modified or reordered, they need to be reloaded so the Server and Logger are aware of the changes. Click this button to reload the policies. This forces a restart of the service used to manage the policies.
- Enable/Disable Policy. Select a policy in the list and click this button to enable or disable it. You will be prompted for confirmation before the change is made.

Creating or Modifying a Policy

Click New to open the policy configuration interface for either an external policy or a system policy. To see the policy configuration interface for an existing policy, click on the policy name. The interfaces for an external policy and a system policy differ slightly, but follow the same basic design principles.

Across the top of the policy configuration interface, you can create or modify several settings:

- Policy Rule Name. This is the name given to the policy.

- Active. This toggle determines whether the policy is active. Selecting Yes enables the policy; selecting No disables it. The setting is reflected in the Policy List view when the policy is saved.
- Policy Group. Select the policy group with which you want the policy to be associated. To change the default selection, use the drop-down menu to select another policy group.

Policies are composed of conditions and consequences. Conditions determine which events are processed by the policy. Consequences define what will happen to events matching the specified conditions.

Figure 2. Policy configuration interface

Policy Conditions for External Event Policies

Policy conditions determine which events are processed by the policy. You can configure policy conditions for external event policies by using the Default Policy Group section of the policy management interface.

To configure policy conditions

1. Navigate to Configuration > Threat Intelligence > Policy.
2. Click New in the Default Policy Group section.
3. Click on the policy name to see the policy configuration interface for an existing policy.
4. To select a condition that you want to configure, you have two options. Each option produces the same result.
   - On the top half of the policy configuration interface, click in the yellow or green area under SOURCE, DEST, SRC PORTS, DEST PORTS, or EVENT TYPES to open the configuration area for that condition.
   - On the bottom half of the policy configuration interface, click on any of the vertical words SOURCE, DESTINATION, SOURCE PORTS, DEST PORTS, or EVENT TYPES to open the configuration area for that condition.

Figure 3. Configure policy conditions

Source

Source defines assets, asset groups, networks, or network groups as the source IP address of the event. By choosing a source, you are determining that only events that come from that source will be processed by this policy.

To add a source, click on Assets, Asset Groups, Networks, or Network Groups. You can also choose ANY as the source condition if you want the policy to apply to any source. For example, if you wanted to create a policy that affected any events with a particular destination, regardless of their source, you would choose ANY as the source policy condition.

You can also configure objects on the fly, by clicking the INSERT NEW HOST?, INSERT NEW NET?, or INSERT NEW NET GROUP? link. In each case, a configuration window will open. Click Save in that window when you have finished the configuration tasks.

Here are a few ways you might make use of source as a policy condition:

- If you want to establish a policy for events from a single asset, use the source condition to select that asset.
- If you want to use several hosts in different subnets as the source, create an asset group containing those hosts and use this asset group object as the source in the policy condition.

- If you want to establish a policy with all of the assets in a subnet as the source, use a network defined in the system to include the entire subnet as the source policy condition.
- If you want to establish a policy with several networks as the source, use a network group that contains those networks as the source policy condition.

Figure 4. Source as policy condition

Destination

Destination defines assets, asset groups, networks, or network groups as the destination IP address of an event. By choosing a destination, you are determining that only events with that specific destination will be processed by this policy.

To add a destination, click Assets, Asset groups, Networks, or Network groups. You can also choose ANY as a destination condition. For example, if you wanted to create a policy that affected all events that come from a particular source, regardless of their destination, you would choose ANY as the destination policy condition.

You can also configure objects on the fly, by clicking the INSERT NEW HOST?, INSERT NEW NET?, or INSERT NEW NET GROUP? link. In each case, a configuration window will open. Click Save when you have finished the configuration tasks in that window.

Here are a few ways you might make use of a destination as a policy condition:

- If you want to establish a policy for events destined for a single asset, use the destination condition to select that asset.
- If you want to use several hosts in different subnets as the destination, create an asset group containing those hosts and use this asset group object as the destination in the policy condition.
- If you want to establish a policy with all of the assets in a subnet as the destination, use a network defined in the system to include the entire subnet as the destination policy condition.
- If you want to establish a policy with several networks as the destination, use a network group that contains those networks as the destination policy condition.

Figure 5. Destination as policy condition

Source Ports

Source port defines the TCP/UDP source port of an event. To add an object as a source port, click on the object in Port Groups. You can also choose ANY as a source port condition to accept all ports.

You can also configure port group objects on the fly, by clicking the INSERT NEW PORT GROUP? link. A configuration window will open. Click Save when you have finished the configuration tasks in that window.

Here are a few ways you might make use of source ports as a policy condition:

- If you want to establish a policy for events sourced from a certain TCP or UDP port, use the source port condition to select that port.
- If you want to establish a policy for events sourced from several ports, create a port group and add the desired TCP or UDP ports to it. For instance, you could create an HTTP port group for TCP ports 80 and 8080, assuming that your web servers are sending HTTP responses sourced from these two ports.

Figure 6. Source ports as policy condition

Destination Ports

Destination port defines the TCP/UDP destination port of an event.

To add an object as a destination port, click on the object in Port Groups. You can also choose ANY as a destination port condition to accept all ports.

You can also configure port group objects on the fly, by clicking the INSERT NEW PORT GROUP? link. A configuration window will open. Click Save when you have finished the configuration tasks in that window.

Here are a few ways you might make use of destination ports as a policy condition:

- If you want to establish a policy for events destined for a certain TCP or UDP port, use the destination port condition to select that port.
- If you want to establish a policy for events destined for several ports, create a port group and add the desired TCP or UDP ports to it. For instance, you could create an HTTP port group for TCP ports 80 and 8080, assuming that customers are connecting to your web servers, which are listening on ports 80 and 8080.

Figure 7. Destination ports as policy condition

Event Types: Data Source Groups

Event Types define the types of events that will be processed by this policy. This function uses Data Source Groups to define the data sources for events, or uses Taxonomy to define the types of events. In this section, we review how to use Data Source Groups.

A data source is any application or device that generates information which can be collected and analyzed by AlienVault USM. AlienVault USM includes a number of integrated data sources that monitor traffic and assets to detect events, while also accepting events from external data sources, such as network devices, network firewalls, and antivirus applications.

A data source group is a collection of different data sources. Once assembled in a data source group, you can easily incorporate that collection into a policy. For instance, you could match all events from the Cisco ASA firewall and the Palo Alto firewall by adding these two data sources to one data source group. As another example, the predefined Document files data source group combines all file-related event types belonging to the snort data source into one data source group.

To add a data source group to event type, select the desired data source groups from the DS Groups list by checking the box to the left of the group's name. Note that you will first need to uncheck ANY if that box is checked. To see which data sources are included in a data source group, or to edit the list of included data sources, click on the name of the group to display the View DS Group window.

You can also add data source groups on the fly, by clicking the INSERT NEW DS GROUP? link. You can then add different data sources to the data source group or even choose only certain event types for a selected data source.

You can also choose ANY as a data source group for event type. For example, if you want to create a policy that affects all events that come from a particular source, regardless of the type of event, you would choose ANY as the event types policy condition.

This is the predefined list of DS groups:

- Document files: Microsoft Office or PDF documents detected in network transit.
- Executable files: Executable files detected in network transit.
- Get IP request: Get public IP request from external web service.
- Network anomalies: Network anomalies signatures.
- Sensitive data: Sensitive data detected in network transit.
- Snort HTTP INSPECT: Snort HTTP Inspect preprocessor signatures.
- Snort IDS sigs: Snort IDS signatures.
- Suspicious DNS: DNS queries to suspicious TLDs.
- Tor network: Access from or to Tor network exit nodes.

Figure 8. Event types data source group as policy condition

Event Types: Taxonomy

Event Types define the types of events that will be processed by this policy. This function uses Data Source Groups to define the data sources for events, or uses Taxonomy to define the types of events. In this section, we review the use of Taxonomy.

Taxonomy is a classification system for security events. The AlienVault open source security event taxonomy is a classification system based on 20 main categories and 240 subcategories.

To use Taxonomy, click the Taxonomy button. You can then use the Product Type, Category, and Subcategory taxonomy parameters for creating a taxonomy condition. The Category options change based on which Product Type is selected. Similarly, the Subcategory options change based on which Category is selected. In the example below, all system emergency events for the firewall product type will be matched. You need to click ADD NEW to add the selected taxonomy parameters as taxonomy conditions.

Figure 9. Event types taxonomy as policy condition

Sensors

To see additional options under policy conditions in a policy for external events, click ADD MORE CONDITIONS in the POLICY CONDITIONS section. Click Sensors to add it as a condition.

Figure 10. Additional policy conditions

The Sensors policy condition defines the USM Sensor that is collecting and normalizing an event. This allows you to specify which sensor or sensors are the source of the events identified for processing by the policy. For example, in a distributed deployment, you might want to create a policy for events received only from the sensors that are installed at remote locations.

To add a sensor, click on the sensor in the Sensor list. You can also choose ANY as a sensor condition.

Figure 11. Sensors as policy condition

You can also insert a new sensor on the fly, by clicking the INSERT NEW SENSOR? link. A new window opens where you can add a new sensor as a policy condition.

Figure 12. Insert new sensor

Reputation

To see additional options under policy conditions in a policy for external events, click ADD MORE CONDITIONS in the POLICY CONDITIONS section. Click Reputation to add it as a condition.

Figure 13. Additional policy conditions

To add a reputation condition, select the desired Activity, Priority, Reliability, and Direction in the Reputation Parameters section and then click ADD NEW.

Reputation defines the reputation of either the source or the destination IP address of an event. By selecting a direction, you specify whether the policy should match the reputation of the source or of the destination IP address.

By selecting an activity, you specify the malicious activity of an IP address that the policy should match. The following options are available:

- Advanced Persistent Threats
- Command and Control Server
- Malicious host
- Malware
- Malware distribution
- Malware domain
- Malware IP
- Scanning Host
- Spamming

Each IP address present in the OTX database has a priority value and a reliability value. The priority value specifies the priority of the malicious activity of the IP address. Priority is a number between 1 and 10, where 1 specifies low priority and 10 specifies high priority of the reported IP address reputation. Reliability specifies the accuracy of an IP address being reported as malicious. Reliability is a number between 1 and 10, where 1 specifies low reliability and 10 specifies high reliability of the reported IP address reputation.

For instance, by using reputation as a policy condition you can filter events coming from a botnet command and control server with high priority and high accuracy of the reported reputation.

Figure 14. Reputation as policy condition

Event Priority

To see additional options under policy conditions in a policy for external events, click ADD MORE CONDITIONS in the POLICY CONDITIONS section. Click Event Priority to add it as a condition.

Figure 15. Additional policy conditions

Each event detected by AlienVault USM has an assigned priority value. It specifies the importance of the event and defines how urgently the event should be investigated. Priority is a numeric value between 0 and 5, where a priority 0 event has no importance and a priority 5 event is very important.

Each event also has an associated reliability. Reliability specifies the likelihood that the event is accurate. Reliability is a numeric value between 0 and 10, where 0 means that the event is unreliable (False Positive) and 10 means that a real attack is in progress.

Event Priority allows you to choose which events are processed by the policy based on the priority and reliability of the event. For example, you may want to create a policy that applies only to events with a priority of 5 and a reliability of 3.

To add an event priority condition, select the desired Priority and Reliability in the Events Parameters section and then click ADD NEW.

Figure 16. Event priority as policy condition

Time Range

To see additional options under policy conditions in a policy for external events, click ADD MORE CONDITIONS in the POLICY CONDITIONS section. Click Time Range to add it as a condition.

Figure 17. Additional policy conditions

Time Range allows you to set a time window for matching events. Only events that occur during the specified time range will be processed by the policy. You can set the time range on a daily, weekly, or monthly basis, or you can create your own custom time range. In the example below, the time range specifies weekdays between 7 a.m. and 6 p.m. in the US Eastern time zone.

Figure 18. Time range as policy condition

Policy Conditions for System Event Policies

Policy conditions determine which events are processed by the policy. You can configure policy conditions for system event policies by using the Policies for events generated in server section of the policy management interface.

To configure policy conditions

1. Navigate to Configuration > Threat Intelligence > Policy.
2. Click New to open the policy configuration interface in the Policies for events generated in server section.
3. Click on the policy name to see the policy configuration interface for an existing policy.

You can configure policy conditions in the lower part of the screen.

Figure 19. Configure policy conditions

Event Types

Event Types define the types of events that will be processed by this policy. For policies affecting system events, this function uses Data Source Groups to define the data sources for events.

A data source is any application or device that generates information which can be collected and analyzed by AlienVault USM. AlienVault USM includes a number of integrated data sources that monitor traffic and assets to detect events, while also accepting events from external data sources, such as network devices, network firewalls, and antivirus applications.

A data source group is a collection of different data sources. Once assembled in a data source group, you can easily incorporate that collection into a policy. To use directive events as a data source group event type, select Directive events by checking the box to the left of the group's name.

You can also add data source groups on the fly, by clicking the INSERT NEW DS GROUP? link. You can then add different data sources to the data source group or even choose only certain event types for a selected data source.

Note: For policies in the Policies for events generated in server policy group, you can only include data source groups that are comprised of system events.

Figure 20. Event type as policy condition for system events

Reputation

To see additional options under policy conditions in a policy for system events, click ADD MORE CONDITIONS in the POLICY CONDITIONS section. Click Reputation to add it as a condition.

Figure 21. Additional policy conditions

To add a reputation condition, select the desired Activity, Priority, Reliability, and Direction in the Reputation Parameters section and then click ADD NEW.

Reputation defines the reputation of either the source or the destination IP address of an event. By selecting a direction, you specify whether the policy should match the reputation of the source or of the destination IP address.

By selecting an activity, you specify the malicious activity of an IP address that the policy should match. The following options are available:

- Advanced Persistent Threats
- Command and Control Server
- Malicious host
- Malware
- Malware distribution
- Malware domain
- Malware IP
- Scanning Host
- Spamming

Each IP address present in the OTX database has a priority value and a reliability value. The priority value specifies the priority of the malicious activity of the IP address. Priority is a number between 1 and 10, where 1 specifies low priority and 10 specifies high priority of the reported IP address reputation. Reliability specifies the accuracy of an IP address being reported as malicious. Reliability is a number between 1 and 10, where 1 specifies low reliability and 10 specifies high reliability of the reported IP address reputation.

For instance, by using reputation as a policy condition you can filter events coming from a botnet command and control server with high priority and high accuracy of the reported reputation.

Figure 22. Reputation as policy condition

Event Priority

To see additional options under policy conditions in a policy for system events, click ADD MORE CONDITIONS in the POLICY CONDITIONS section. Click Event Priority to add it as a condition.

Figure 23. Additional policy conditions

Each event detected by AlienVault USM has an assigned priority value. It specifies the importance of the event and defines how urgently the event should be investigated. Priority is a numeric value between 0 and 5, where a priority 0 event has no importance and a priority 5 event is very important.

Each event also has an associated reliability value. Reliability specifies the likelihood that the event is accurate. Reliability is a numeric value between 0 and 10, where 0 means that the event is unreliable (False Positive) and 10 means that a real attack is in progress.

Event Priority allows you to choose which events are processed by the policy based on the priority and reliability of the event. For example, you may want to create a policy that applies only to events with a priority of 5 and a reliability of 3.

To add an event priority condition, select the desired Priority and Reliability in the Events Parameters section and then click ADD NEW.

Figure 24. Event priority as policy condition

The Event Priority condition only works for events generated in a USM Server. In AlienVault USM version 4.14 and later, a warning message displays if you try to use it in the Default policy group, in the AV default policies, or in any policy group created by users of your AlienVault USM system.

Time Range

To see additional options under policy conditions in a policy for external events, click ADD MORE CONDITIONS in the POLICY CONDITIONS section. Click Time Range to add it as a condition.

Figure 25. Additional policy conditions

Time Range lets you set a time window for matching events. Only events that occur during the specified time range are processed by the policy. You can set the time range on a daily, weekly, or monthly basis, or you can create your own custom time range. In the example below, the time range covers weekdays between 7 a.m. and 6 p.m. in the US Eastern time zone.
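The three conditions described above (Reputation, Event Priority, Time Range) can be read as predicates that are ANDed together before a policy fires. The following Python is an added example, not AlienVault code: the event dictionary layout, the condition classes, the constructed OTX-style reputation table, the lower-bound reading of the reputation priority/reliability values, and the fixed UTC-5 offset used for US Eastern (no DST handling) are all assumptions made for the demonstration. It also shows why the OTX scale (1 to 10) and the event scale (0 to 5 / 0 to 10) must be kept apart.

```python
"""Evaluating USM-style policy conditions against a normalized event.

Added example, not AlienVault code. The event dictionary layout, the
condition classes, the threshold semantics for reputation, and the
reputation table below are assumptions made for this demonstration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the OTX IP reputation database.
# OTX priority and reliability range from 1 to 10.
REPUTATION_DB = {
    "203.0.113.7":   {"activity": "Command and Control Server", "priority": 9, "reliability": 8},
    "198.51.100.22": {"activity": "Scanning Host",              "priority": 3, "reliability": 6},
}

# Constructed events. Event priority is 0-5 and event reliability 0-10:
# a different scale from the OTX values above.
EVENT_C2 = {"src_ip": "203.0.113.7", "dst_ip": "10.1.2.3", "priority": 5,
            "reliability": 3, "timestamp": 1448463600}   # Wed 2015-11-25 15:00 UTC
EVENT_SCAN = {"src_ip": "198.51.100.22", "dst_ip": "10.1.2.3", "priority": 2,
              "reliability": 5, "timestamp": 1448722800}  # Sat 2015-11-28 15:00 UTC


@dataclass
class ReputationCondition:
    activity: str
    min_priority: int       # 1-10; treated as a lower bound (assumption)
    min_reliability: int    # 1-10; treated as a lower bound (assumption)
    direction: str          # "source" or "destination"


@dataclass
class EventPriorityCondition:
    priority: int           # exact event priority, 0-5
    reliability: int        # exact event reliability, 0-10


@dataclass
class TimeRangeCondition:
    weekdays: frozenset     # 0 = Monday ... 6 = Sunday
    start_hour: int         # inclusive
    end_hour: int           # exclusive
    utc_offset_hours: int   # fixed offset, no DST handling (assumption)


def match_reputation(event, cond, db=REPUTATION_DB):
    """Look up the IP on the chosen side of the event in the reputation table."""
    ip = event["src_ip"] if cond.direction == "source" else event["dst_ip"]
    rep = db.get(ip)
    if rep is None:
        return False
    return (rep["activity"] == cond.activity
            and rep["priority"] >= cond.min_priority
            and rep["reliability"] >= cond.min_reliability)


def match_event_priority(event, cond):
    """Event Priority compares the event's own priority/reliability values."""
    return event["priority"] == cond.priority and event["reliability"] == cond.reliability


def match_time_range(event, cond):
    """Convert the event time into the policy's zone before checking the window."""
    tz = timezone(timedelta(hours=cond.utc_offset_hours))
    local = datetime.fromtimestamp(event["timestamp"], tz=tz)
    return local.weekday() in cond.weekdays and cond.start_hour <= local.hour < cond.end_hour


def policy_matches(event, conditions):
    """A policy matches only when every configured condition matches."""
    dispatch = {
        ReputationCondition: match_reputation,
        EventPriorityCondition: match_event_priority,
        TimeRangeCondition: match_time_range,
    }
    return all(dispatch[type(c)](event, c) for c in conditions)


# "C2 traffic from a high-priority, high-reliability source, seen on
# weekdays 07:00-18:00 US Eastern (standard time, UTC-5)".
C2_BUSINESS_HOURS = [
    ReputationCondition("Command and Control Server", 8, 7, "source"),
    EventPriorityCondition(5, 3),
    TimeRangeCondition(frozenset(range(5)), 7, 18, -5),
]

if __name__ == "__main__":
    for ev in (EVENT_C2, EVENT_SCAN):
        print(ev["src_ip"], "matches" if policy_matches(ev, C2_BUSINESS_HOURS) else "no match")
```

Running it reports that the C2 event matches and the scanner event does not: the scanner fails the Reputation activity test, falls on a Saturday, and carries different event priority and reliability values, and any one of those is enough to reject it.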

Figure 26. Time range as policy condition

Policy Consequences

Consequences define what happens to events that match the specified conditions. To configure policy consequences for external events, choose Configuration > Threat Intelligence > Policy and click New in the Default Policy Group pane. To configure policy consequences for system events, choose Configuration > Threat Intelligence > Policy and click New in the Policies for events generated in server pane. To modify the consequences of an existing policy, click the policy name to open the policy configuration interface. The consequences that can be configured are the same for both types of policies.

There are two ways to select the consequence you want to configure; both produce the same result:
- On the top half of the policy configuration interface, click in the yellow or green area under ACTIONS, SIEM, LOGGER, or FORWARDING to open the configuration area for that consequence.
- On the bottom left side of the policy configuration interface, click POLICY CONSEQUENCES. Then, on the bottom half of the interface, click any of the vertical words ACTIONS, SIEM, LOGGER, or FORWARDING to open the configuration area for that consequence.

Figure 27. Configure policy consequences

Actions

The Actions section defines actions taken as a consequence of the policy conditions being met. Actions has a specific meaning in AlienVault USM. There are three possible actions that you can configure:
- Send an email to a preconfigured address. Note that this capability lets you use an email to pass information from AlienVault USM to an external ticketing system.
- Execute a command to invoke a script on AlienVault USM.
- Open a ticket in the internal AlienVault USM ticketing system.

Note: See Configure Actions for details on setting up actions.

Configure actions from the Insert New Action link or navigate to Configuration > Threat Intelligence > Actions.

Figure 28. Actions as policy consequence

SIEM

The SIEM consequence defines how events that match the policy conditions are processed by the AlienVault USM Server. These are the possible SIEM settings in policy consequences:

SIEM: Enables or disables processing of matching events by the SIEM. The possible settings are Yes or No; the default is Yes. In almost all cases you want the SIEM within AlienVault USM to correlate the events that arrive at the server. When you select Yes, you can set the other SIEM settings individually (Set event priority, Risk assessment, Logical correlation, Cross-correlation, SQL storage). When you select No, all of those settings are disabled with one click.

Set event priority: Each event detected by AlienVault USM has an assigned priority value that specifies the importance of the event. The priority of an event is defined in the event definition, but a policy can change it. Priority is a numeric value between 0 and 5, where 0 means no importance and 5 means very important. The accepted values are Do not change, or any number from 0 to 5. The default is Do not change, which keeps the event's default priority.

Risk assessment: Risk assessment is the process of determining the risk of an event from the value of the asset involved and the type of event; it takes into account the asset value, the event priority, and the event reliability. You can enable or disable risk assessment for events that match a policy by setting the option to Yes or No. The default is Yes.

Logical correlation: The AlienVault USM Server performs logical correlation, which creates new events from multiple events provided by detectors and monitors. Logical correlation is configured with correlation directives, which are defined as logical trees that combine individual events. Each new event receives the priority and reliability values defined by the directive that produced it. You can enable or disable logical correlation for events that match a policy by setting the option to Yes or No. The default is Yes.

Cross-correlation: Cross-correlation checks detector events against the vulnerability information known for the destination asset, so that the reliability of an event rises when the target is known to be vulnerable to the reported attack. You can enable or disable cross-correlation for events that match a policy by setting the option to Yes or No. The default is Yes.

SQL storage: Events detected or generated by AlienVault USM are stored in the SQL database by default. However, storing some events in the database is unnecessary or even undesirable. You can enable or disable SQL storage for events that match a policy by setting the option to Yes or No. The default is Yes.

Figure 29. SIEM as policy consequence

Logger

The Logger section defines whether events are stored by the USM Logger and how the stored events are signed. The possible Logger settings are Yes or No; the default is No.

Note: In most cases you will want to change the Logger setting to Yes. Most AlienVault users choose to log events processed by policies in the USM Logger for analysis, compliance, or archiving purposes.

When Logger is set to Yes, log files can be signed per Line or per Block.

Line: Digitally sign every log record as it reaches the USM Logger. This option protects each record from tampering as soon as it is written, but is more processing intensive.

Block: Digitally sign a block of logs every hour or whenever the log file grows beyond 100 MB. This option leaves a window in which someone could tamper with records before the block is signed, but is less processing intensive. Block signing is the most commonly used approach and meets typical compliance requirements.
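The trade-off between Line and Block signing is easiest to see with a small model. The following Python is an added example, not AlienVault's logger implementation: this page states that the USM Logger digitally signs stored records per line or per block but does not describe the algorithm, so HMAC-SHA256 with a constructed key stands in for the real signature, and the log lines are constructed for the demo. It reproduces the window the text describes, where a record altered before its block is sealed is signed in its altered form and verifies cleanly afterwards.

```python
"""Line signing versus block signing of logger records.

Added example, not AlienVault's logger implementation: HMAC-SHA256 with a
constructed key stands in for the real signature, and the records are
constructed for the demonstration.
"""
import hashlib
import hmac

SIGNING_KEY = b"constructed-demo-key-not-for-production"  # assumption

LOG_LINES = [
    "2015-11-25T15:00:01Z cisco-asa src=203.0.113.7 dst=10.1.2.3 action=deny",
    "2015-11-25T15:00:02Z cisco-asa src=198.51.100.22 dst=10.1.2.3 action=deny",
    "2015-11-25T15:00:03Z ossec agent=web01 rule=5715 sshd login accepted",
]
TAMPERED = "2015-11-25T15:00:03Z ossec agent=web01 rule=5715 sshd login FAILED"


def sign(data: bytes) -> str:
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()


def line_sign(lines):
    """Line mode: each record is signed the moment it is written."""
    return [(line, sign(line.encode())) for line in lines]


def line_verify(signed):
    return all(hmac.compare_digest(sign(line.encode()), sig) for line, sig in signed)


class BlockLogger:
    """Block mode: records accumulate unsigned until the block is sealed.
    USM seals hourly or at 100 MB; here seal() is called explicitly."""

    def __init__(self):
        self.pending = []
        self.blocks = []  # list of (lines, signature)

    def append(self, line):
        self.pending.append(line)

    def seal(self):
        blob = "\n".join(self.pending).encode()
        self.blocks.append((list(self.pending), sign(blob)))
        self.pending = []

    def verify(self):
        return all(hmac.compare_digest(sign("\n".join(lines).encode()), sig)
                   for lines, sig in self.blocks)


def line_mode_detects_tampering():
    signed = line_sign(LOG_LINES)
    signed[2] = (TAMPERED, signed[2][1])  # edit the record, keep its signature
    return not line_verify(signed)


def block_mode_detects_tampering_after_seal():
    logger = BlockLogger()
    for line in LOG_LINES:
        logger.append(line)
    logger.seal()
    logger.blocks[0][0][2] = TAMPERED     # edit a record inside a sealed block
    return not logger.verify()


def block_mode_detects_tampering_before_seal():
    """The window the text describes: a record changed before the block is
    sealed is signed as-is, so verification later succeeds (returns False)."""
    logger = BlockLogger()
    for line in LOG_LINES:
        logger.append(line)
    logger.pending[2] = TAMPERED          # attacker acts inside the window
    logger.seal()
    return not logger.verify()


if __name__ == "__main__":
    print("line mode, tamper detected:", line_mode_detects_tampering())
    print("block mode, tamper after seal detected:", block_mode_detects_tampering_after_seal())
    print("block mode, tamper before seal detected:", block_mode_detects_tampering_before_seal())
```

Line mode computes one signature per record, block mode one per block, which is where the processing difference comes from; the price of the cheaper mode is the unsigned window before each seal, so protect the logger host and its signing key accordingly.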

Figure 30. Logger as policy consequence

Forwarding

The Forwarding section defines whether events are forwarded to other USM Servers. In a distributed deployment, a USM Server is set up at each remote location. The USM Servers in the remote locations can send normalized events to the USM Server at headquarters. For that to happen, you set up forwarding from each remote server to the headquarters server; forwarding is thus enabled globally on the remote server. Forwarding set in a policy overrides the forwarding configured globally for the server. The global setting forwards all events, while policies let you forward only some events, or define exceptions to the global behavior. For instance, assume that you have configured a remote server to forward all events. By using policy conditions and disabling forwarding in the policy consequences, you can determine which events are not forwarded from the remote location's server to the headquarters server. In that example, all events are forwarded except those that match the policy conditions.

The possible forwarding settings are Yes or No; the default is No. When you select Yes, you must select the server to which events should be forwarded.

Figure 31. Forwarding as policy consequence

Managing Policies

View Existing Policies

Go to Configuration > Threat Intelligence > Policy to view the policies configured on your AlienVault USM Server. Each policy is listed within a policy group.

Figure 32. Policy list

Move the slider to the right to see additional settings of the configured policies.

Figure 33. Additional settings in policy list

There are two additional buttons at the bottom of the policy view for system events: Security Events process priority threshold and Reorder Policies.

After you drag and drop policies a few times to reorder them, you may accidentally end up with duplicate order IDs. Whenever that happens, clicking Reorder Policies fixes the IDs.

Figure 34. Reorder Policies button

When you click Reorder Policies, you must confirm your selection.

Figure 35. Reorder Policies confirmation screen

Note: See the Policy Order section for why the order of policies matters.

You can control whether USM evaluates an event against the configured policies at all by clicking Security Events process priority threshold. If the event's priority is greater than or equal to the configured threshold, USM evaluates the event against the policies; otherwise it does not.

Figure 36. Security Events process priority threshold button

Valid values for the process priority threshold are 0 to 5. The default is 0, so every event is evaluated against the configured policies.

Figure 37. Security Events process priority threshold button

Policy Groups

Policy groups let you group policies for administrative purposes, or assign policies to a correlation context. A correlation context defines the sensors and the scope of assets on which correlation is performed. On installation, AlienVault USM has two preconfigured policy groups. Navigate to Configuration > Threat Intelligence > Policy and click EDIT POLICY GROUPS to create your own policy groups.

Figure 38. Edit policy groups button

In the EDIT POLICY GROUPS window, click NEW to create a new policy group.

Figure 39. Edit policy groups window

You choose a name for the policy group and assign the group either to an entity or to a context. In the example below, a policy group named My Policy Group is applied to the entity named My Company. You could instead assign the policy group to the context named Test context.

Note: Entities and contexts are managed under Configuration > Administration > Users > Structure.

Figure 40. Create policy group

Policy Order

When an event is processed, policies are evaluated in order from top to bottom. When an event matches a policy, the system stops processing that event against further policies. Therefore, very specific and restrictive policies belong at the top of the list, and generic policies at the bottom. The figure below shows an example with three policies:
- The first policy matches Cisco ASA events from the one source IP address shown in the figure.
- The second policy (FIREWALL_EVENTS) matches all Cisco ASA events.
- The third policy (INTERNAL_NMAP) matches Cisco ASA events from the other source IP address shown in the figure.
Because the second policy is very general, it matches every Cisco ASA event, so the third, more specific policy is never evaluated. To process events correctly, the INTERNAL_NMAP policy must be placed before the FIREWALL_EVENTS policy.

Policies can be reordered by dragging a policy and dropping it in the desired place. Note that you must click Reload Policies for the new policy order to take effect.

Figure 41. Policies order example

You can also reorder policy groups by clicking the arrow icons in the upper right corner of a policy group.
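The first-match rule above, the Security Events process priority threshold, and the way a policy's Forwarding setting overrides the server-wide default (see the Forwarding section) all come down to one evaluation loop. The following Python is an added example, not USM code: the Policy class with only two condition fields, the constructed events, and the address 10.0.0.9 (standing in for the source address shown in the figure) are assumptions for the demonstration. The shadowed() check is the kind of lint you would run over a policy list before clicking Reload Policies.

```python
"""First-match policy evaluation, the process priority threshold, and the
server-wide forwarding default.

Added example, not USM code. The Policy class, its condition fields, the
constructed events and the address 10.0.0.9 are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Policy:
    name: str
    data_source: str                    # e.g. "cisco-asa"
    src_ip: Optional[str] = None        # None matches any source
    siem: bool = True                   # SIEM consequence default: Yes
    logger: bool = False                # Logger consequence default: No
    forward: Optional[bool] = None      # None keeps the server-wide setting
    set_priority: Optional[int] = None  # None = "Do not change"


def matches(policy, event):
    if policy.data_source != event["data_source"]:
        return False
    return policy.src_ip is None or policy.src_ip == event["src_ip"]


def evaluate(policies, event, process_priority_threshold=0, server_forwarding=False):
    """Return (name of the first matching policy or None, consequences)."""
    consequences = {"siem": True, "logger": False,
                    "forward": server_forwarding, "priority": event["priority"]}
    # Security Events process priority threshold: below it, no policy is consulted.
    if event["priority"] < process_priority_threshold:
        return None, consequences
    for policy in policies:             # top to bottom, first match wins
        if matches(policy, event):
            consequences["siem"] = policy.siem
            consequences["logger"] = policy.logger
            if policy.forward is not None:
                consequences["forward"] = policy.forward  # policy overrides server
            if policy.set_priority is not None:
                consequences["priority"] = policy.set_priority
            return policy.name, consequences
    return None, consequences


def shadowed(policies):
    """List (policy, shadowing policy) pairs: an earlier policy on the same
    data source with no source restriction matches everything the later,
    more specific policy could match, so the later one never fires."""
    found = []
    for i, specific in enumerate(policies):
        if specific.src_ip is None:
            continue
        for general in policies[:i]:
            if general.data_source == specific.data_source and general.src_ip is None:
                found.append((specific.name, general.name))
                break
    return found


FIREWALL_EVENTS = Policy("FIREWALL_EVENTS", "cisco-asa", logger=True)
INTERNAL_NMAP = Policy("INTERNAL_NMAP", "cisco-asa", src_ip="10.0.0.9",
                       siem=False, forward=False)

WRONG_ORDER = [FIREWALL_EVENTS, INTERNAL_NMAP]
RIGHT_ORDER = [INTERNAL_NMAP, FIREWALL_EVENTS]

# Constructed events: an internal scanner the INTERNAL_NMAP policy is meant
# to silence, and an ordinary firewall event from another host.
SCAN_EVENT = {"data_source": "cisco-asa", "src_ip": "10.0.0.9", "priority": 2}
OTHER_EVENT = {"data_source": "cisco-asa", "src_ip": "10.0.0.77", "priority": 1}

if __name__ == "__main__":
    print("shadowed in wrong order:", shadowed(WRONG_ORDER))
    for order in (WRONG_ORDER, RIGHT_ORDER):
        names = [p.name for p in order]
        print(names, "->", evaluate(order, SCAN_EVENT, server_forwarding=True))
```

With the general FIREWALL_EVENTS policy on top, the scanner's events hit it and are correlated, logged and forwarded like any other firewall event; with INTERNAL_NMAP on top they are excluded from the SIEM and from forwarding while every other Cisco ASA event still follows the server-wide forwarding setting.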

Figure 42. Prioritize policy groups

Configure Actions

The Actions section defines actions taken as a consequence of the policy conditions being met. This section describes each of the three possible action options and shows how to use them. Actions has a specific meaning in AlienVault USM. There are three possible actions that you can configure:
- Send an email about an event detected by AlienVault USM to a preconfigured address. Note that this capability also lets you use an email to pass information from AlienVault USM to an external ticketing system.
- Execute a command to invoke a script on AlienVault USM.
- Open a ticket in the internal AlienVault USM ticketing system.

Note: Actions execute whenever the policy conditions match, regardless of how the SIEM, Logger, and Forwarding consequences of the policy are set.

To configure actions
1. Navigate to Configuration > Threat Intelligence > Actions.
2. Click NEW.

Figure 43. Create new action

Configure Action to Send Email

To configure an action that sends an email, select Send an email message from the Type drop-down menu. You must fill in these fields:
- Name: The name of the action.
- Context: The context to which the action is attached.
- From: The sender address of the email.
- To: The recipient address of the email.
- Subject: The subject of the email.
- Message: The content of the email. You can use keywords, discussed in a later section, to compose the message.

Note: For delivery to succeed, you need to configure an email relay server in the system details under Deployment > Components > AlienVault Center.

Note: After you configure an action to send email, you must apply the configured action as a policy consequence in one of your policies. See Configure Policy to Send Emails Triggered by Events for details.

Figure 44. Configure action to send email message

Configure Action to Execute External Program

To configure an action that executes an external program, select Execute an external program from the TYPE drop-down menu. You must also name the action and fill in the COMMAND field, which holds the path of the script executed when the policy conditions are met. The script or program resides locally on AlienVault USM and is launched from the USM; if it is meant to control an external device, the USM must have a way to reach that device. Because the command runs on the USM appliance itself, keep the script minimal and treat any event-derived values passed to it as untrusted input.
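Event fields that end up in a command line originate on the network, so the way they are spliced into the COMMAND matters. The following Python is an added example, not AlienVault code: USM's keyword syntax is covered later in this guide, so the {src_ip}-style placeholders, the field validation, the script path /usr/local/bin/block_ip.sh and the event are assumptions constructed for the demonstration. It contrasts substituting into a string that a shell then parses with splitting the configured command first and substituting into individual arguments, and shows why an IP field should be validated before a script ever sees it.

```python
"""Building the argument list for an 'execute external program' action.

Added example, not AlienVault code. The placeholder syntax, the validation
rules, the script path and the event are assumptions for the demonstration.
"""
import ipaddress
import shlex
import subprocess


def expand_argv(template: str, event: dict) -> list:
    """Split the configured COMMAND once with shell quoting rules, then
    substitute event fields into the resulting tokens. A field value is
    always exactly one argument, whatever characters it contains."""
    return [token.format(**event) for token in shlex.split(template)]


def unsafe_command_line(template: str, event: dict) -> str:
    """The shape to avoid: substitute first, then hand the string to a
    shell. A crafted field value can close the quotes and add commands."""
    return template.format(**event)


def shell_would_see(template: str, event: dict) -> list:
    """Tokens a shell would parse out of the unsafe command line."""
    return shlex.split(unsafe_command_line(template, event))


def validate_event(event: dict) -> dict:
    """Reject event fields that are not what the script expects."""
    clean = dict(event)
    for key in ("src_ip", "dst_ip"):
        clean[key] = str(ipaddress.ip_address(event[key]))  # ValueError on junk
    return clean


def run_action(template: str, event: dict, dry_run: bool = True):
    argv = expand_argv(template, validate_event(event))
    if dry_run:
        return argv
    # No shell involved: argv goes straight to the exec call.
    return subprocess.run(argv, check=False, capture_output=True, timeout=30).returncode


COMMAND = '/usr/local/bin/block_ip.sh --ip {src_ip} --note "{plugin} from {hostname}"'
# Constructed event whose hostname field carries a quote-closing payload.
EVENT = {"src_ip": "203.0.113.7", "dst_ip": "10.1.2.3",
         "plugin": "cisco-asa", "hostname": 'fw01" ; id ; echo "'}


def hostile_value_stays_one_argument() -> bool:
    argv = expand_argv(COMMAND, EVENT)
    return len(argv) == 5 and argv[4] == 'cisco-asa from fw01" ; id ; echo "'


def hostile_ip_rejected() -> bool:
    try:
        validate_event(dict(EVENT, src_ip="203.0.113.7; id"))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("argv:", run_action(COMMAND, EVENT))
    print("shell tokens:", shell_would_see(COMMAND, EVENT))
```

The argv form keeps the hostile hostname as a single --note argument, while the string form splits into separate id and echo commands once a shell parses it; the IP validation rejects a source address with a trailing payload before the script is invoked at all.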

Figure 45. Configure action to execute external program

Note: After you configure an action to execute an external program, you must apply the configured action as a policy consequence in one of your policies.

Configure Action to Open Ticket

AlienVault USM has an internal ticketing system, which can be used to delegate tasks to other administrator users and to track the progress of investigations into specific alarms and events. To configure an action that opens a ticket for events matched by a policy, select Open a ticket from the TYPE drop-down menu. You must also name the action and specify the ticket assignment in the IN CHARGE field. You can assign a ticket either to a user or to an entity. In the example below, the ticket is assigned to the user admin. When the policy conditions are met and the action configured as the policy consequence opens a ticket, the user finds the new ticket on the Analysis > Tickets screen.

Note: You can also integrate AlienVault USM with an external ticketing system that opens a ticket when it receives an email from AlienVault USM.


More information

Setting up Microsoft Office 365

Setting up Microsoft Office 365 Integration Guide Revision G McAfee SaaS Email Protection Securing Exchange Online in Microsoft Office 365 Setting up Microsoft Office 365 Use this guide to configure Microsoft Office 365 and Microsoft

More information

McAfee SIEM Alarms. Setting up and Managing Alarms. Introduction. What does it do? What doesn t it do?

McAfee SIEM Alarms. Setting up and Managing Alarms. Introduction. What does it do? What doesn t it do? McAfee SIEM Alarms Setting up and Managing Alarms Introduction McAfee SIEM provides the ability to send alarms on a multitude of conditions. These alarms allow for users to be notified in near real time

More information

vcloud Air - Virtual Private Cloud OnDemand Networking Guide

vcloud Air - Virtual Private Cloud OnDemand Networking Guide vcloud Air - Virtual Private Cloud OnDemand Networking Guide vcloud Air This document supports the version of each product listed and supports all subsequent versions until the document is replaced by

More information

Device Management. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright 2007-2015 Palo Alto Networks

Device Management. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright 2007-2015 Palo Alto Networks Device Management Palo Alto Networks PAN-OS Administrator s Guide Version 6.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us

More information

BitDefender Security for Exchange

BitDefender Security for Exchange Quick Start Guide Copyright 2011 BitDefender 1. About This Guide This guide will help you install and get started with BitDefender Security for Exchange. For detailed instructions, please refer to the

More information

Tutorial: Assigning Prelogin Criteria to Policies

Tutorial: Assigning Prelogin Criteria to Policies CHAPTER 4 This tutorial provides an overview of the CSD configuration sequence. The configuration chapters that follow provide detailed instructions on the attributes. The sections are as follows: Overview

More information

Kaseya Server Instal ation User Guide June 6, 2008

Kaseya Server Instal ation User Guide June 6, 2008 Kaseya Server Installation User Guide June 6, 2008 About Kaseya Kaseya is a global provider of IT automation software for IT Solution Providers and Public and Private Sector IT organizations. Kaseya's

More information

Endpoint Security Console. Version 3.0 User Guide

Endpoint Security Console. Version 3.0 User Guide Version 3.0 Table of Contents Summary... 2 System Requirements... 3 Installation... 4 Configuring Endpoint Security Console as a Networked Service...5 Adding Computers, Groups, and Users...7 Using Endpoint

More information

Knowledge Base Articles

Knowledge Base Articles Knowledge Base Articles 2005 Jalasoft Corp. All rights reserved. TITLE: How to configure and use the Jalasoft Xian Syslog Server. REVISION: Revision : B001-SLR01 Date : 11/30/05 DESCRIPTION: Jalasoft has

More information

HDA Integration Guide. Help Desk Authority 9.0

HDA Integration Guide. Help Desk Authority 9.0 HDA Integration Guide Help Desk Authority 9.0 2011ScriptLogic Corporation ALL RIGHTS RESERVED. ScriptLogic, the ScriptLogic logo and Point,Click,Done! are trademarks and registered trademarks of ScriptLogic

More information

GETTING STARTED GUIDE 4.5. FileAudit VERSION. www.isdecisions.com

GETTING STARTED GUIDE 4.5. FileAudit VERSION. www.isdecisions.com GETTING STARTED GUIDE FileAudit 4.5 VERSION www.isdecisions.com Introduction FileAudit monitors access or access attempts to sensitive files and folders on Microsoft Windows servers. FileAudit allows you

More information

HoneyBOT User Guide A Windows based honeypot solution

HoneyBOT User Guide A Windows based honeypot solution HoneyBOT User Guide A Windows based honeypot solution Visit our website at http://www.atomicsoftwaresolutions.com/ Table of Contents What is a Honeypot?...2 How HoneyBOT Works...2 Secure the HoneyBOT Computer...3

More information

Service Managed Gateway TM. How to Configure a Firewall

Service Managed Gateway TM. How to Configure a Firewall Service Managed Gateway TM Issue 1.3 Date 10 March 2006 Table of contents 1 Introduction... 3 1.1 What is a firewall?... 3 1.2 The benefits of using a firewall... 3 2 How to configure firewall settings

More information

Configuring Trend Micro Content Security

Configuring Trend Micro Content Security 9 CHAPTER This chapter describes how to configure the CSC SSM using the CSC Setup Wizard in ASDM and the CSC SSM GUI, and includes the following sections: Information About the CSC SSM, page 9-1 Licensing

More information

NETWRIX EVENT LOG MANAGER

NETWRIX EVENT LOG MANAGER NETWRIX EVENT LOG MANAGER QUICK-START GUIDE FOR THE ENTERPRISE EDITION Product Version: 4.0 July/2012. Legal Notice The information in this publication is furnished for information use only, and does not

More information

ez Agent Administrator s Guide

ez Agent Administrator s Guide ez Agent Administrator s Guide Copyright This document is protected by the United States copyright laws, and is proprietary to Zscaler Inc. Copying, reproducing, integrating, translating, modifying, enhancing,

More information

Sophos UTM Web Application Firewall for Microsoft Exchange connectivity

Sophos UTM Web Application Firewall for Microsoft Exchange connectivity How to configure Sophos UTM Web Application Firewall for Microsoft Exchange connectivity This article explains how to configure your Sophos UTM 9.2 to allow access to the relevant Microsoft Exchange services

More information

TSM Studio Server User Guide 2.9.0.0

TSM Studio Server User Guide 2.9.0.0 TSM Studio Server User Guide 2.9.0.0 1 Table of Contents Disclaimer... 4 What is TSM Studio Server?... 5 System Requirements... 6 Database Requirements... 6 Installing TSM Studio Server... 7 TSM Studio

More information

ESET Mobile Security Business Edition for Windows Mobile

ESET Mobile Security Business Edition for Windows Mobile ESET Mobile Security Business Edition for Windows Mobile Installation Manual and User Guide Click here to download the most recent version of this document Contents 1. Installation...3 of ESET Mobile Security

More information

GFI Product Manual. Administration and Configuration Manual

GFI Product Manual. Administration and Configuration Manual GFI Product Manual Administration and Configuration Manual http://www.gfi.com info@gfi.com The information and content in this document is provided for informational purposes only and is provided "as is"

More information

How to configure High Availability (HA) in AlienVault USM (for versions 4.14 and prior)

How to configure High Availability (HA) in AlienVault USM (for versions 4.14 and prior) Complete. Simple. Affordable How to configure High Availability (HA) in AlienVault USM Copyright 2015 AlienVault. All rights reserved. AlienVault, AlienVault Unified Security Management, AlienVault USM,

More information

Configuration Manager

Configuration Manager After you have installed Unified Intelligent Contact Management (Unified ICM) and have it running, use the to view and update the configuration information in the Unified ICM database. The configuration

More information

DEPLOYMENT GUIDE Version 1.2. Deploying F5 with Oracle E-Business Suite 12

DEPLOYMENT GUIDE Version 1.2. Deploying F5 with Oracle E-Business Suite 12 DEPLOYMENT GUIDE Version 1.2 Deploying F5 with Oracle E-Business Suite 12 Table of Contents Table of Contents Introducing the BIG-IP LTM Oracle E-Business Suite 12 configuration Prerequisites and configuration

More information

CA Spectrum and CA Service Desk

CA Spectrum and CA Service Desk CA Spectrum and CA Service Desk Integration Guide CA Spectrum 9.4 / CA Service Desk r12 and later This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter

More information

Networking for Caribbean Development

Networking for Caribbean Development Networking for Caribbean Development BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n o g. o r g N E T W O R K I N G F O R C A R I B B E A N D E V E L O P M E N T BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n

More information

Managing Latency in IPS Networks

Managing Latency in IPS Networks Application Note Revision B McAfee Network Security Platform Managing Latency in IPS Networks Managing Latency in IPS Networks McAfee Network Security Platform provides you with a set of pre-defined recommended

More information

SecuraLive ULTIMATE SECURITY

SecuraLive ULTIMATE SECURITY SecuraLive ULTIMATE SECURITY Home Edition for Windows USER GUIDE SecuraLive ULTIMATE SECURITY USER MANUAL Introduction: Welcome to SecuraLive Ultimate Security Home Edition. SecuraLive Ultimate Security

More information

LogLogic Trend Micro OfficeScan Log Configuration Guide

LogLogic Trend Micro OfficeScan Log Configuration Guide LogLogic Trend Micro OfficeScan Log Configuration Guide Document Release: September 2011 Part Number: LL600065-00ELS090000 This manual supports LogLogic Trend Micro OfficeScan Release 1.0 and later, and

More information

About this Getting Started Guide. Enabling Log Management... 2 Applying a License... 4 Using Log Management... 5. How to forward logs...

About this Getting Started Guide. Enabling Log Management... 2 Applying a License... 4 Using Log Management... 5. How to forward logs... Connect With Confidence Astaro Log Management Getting Started Guide About this Getting Started Guide To use Astaro Log Management, logs need to be transferred from individual systems to the cloud. This

More information

DEPLOYMENT GUIDE Version 1.1. Deploying F5 with Oracle Application Server 10g

DEPLOYMENT GUIDE Version 1.1. Deploying F5 with Oracle Application Server 10g DEPLOYMENT GUIDE Version 1.1 Deploying F5 with Oracle Application Server 10g Table of Contents Table of Contents Introducing the F5 and Oracle 10g configuration Prerequisites and configuration notes...1-1

More information

Adaptive Log Exporter Users Guide

Adaptive Log Exporter Users Guide IBM Security QRadar Version 7.1.0 (MR1) Note: Before using this information and the product that it supports, read the information in Notices and Trademarks on page page 119. Copyright IBM Corp. 2012,

More information

Getting started. Symantec AntiVirus Corporate Edition. About Symantec AntiVirus. How to get started

Getting started. Symantec AntiVirus Corporate Edition. About Symantec AntiVirus. How to get started Getting started Corporate Edition Copyright 2005 Corporation. All rights reserved. Printed in the U.S.A. 03/05 PN: 10362873 and the logo are U.S. registered trademarks of Corporation. is a trademark of

More information

ViRobot Desktop 5.5. User s Guide

ViRobot Desktop 5.5. User s Guide ViRobot Desktop 5.5 User s Guide ViRobot Desktop 5.5 User s Guide Copyright Notice Copyright 2007 by HAURI Inc. All rights reserved worldwide. No part of this publication or software may be reproduced,

More information

Citrix EdgeSight for Load Testing User s Guide. Citrix EdgeSight for Load Testing 3.8

Citrix EdgeSight for Load Testing User s Guide. Citrix EdgeSight for Load Testing 3.8 Citrix EdgeSight for Load Testing User s Guide Citrix EdgeSight for Load Testing 3.8 Copyright Use of the product documented in this guide is subject to your prior acceptance of the End User License Agreement.

More information

Spector 360 Deployment Guide. Version 7

Spector 360 Deployment Guide. Version 7 Spector 360 Deployment Guide Version 7 December 11, 2009 Table of Contents Deployment Guide...1 Spector 360 DeploymentGuide... 1 Installing Spector 360... 3 Installing Spector 360 Servers (Details)...

More information

NetWrix USB Blocker. Version 3.6 Administrator Guide

NetWrix USB Blocker. Version 3.6 Administrator Guide NetWrix USB Blocker Version 3.6 Administrator Guide Table of Contents 1. Introduction...3 1.1. What is NetWrix USB Blocker?...3 1.2. Product Architecture...3 2. Licensing...4 3. Operation Guide...5 3.1.

More information

Best Practices for Deploying Behavior Monitoring and Device Control

Best Practices for Deploying Behavior Monitoring and Device Control Best Practices for Deploying Behavior Monitoring and Device Control 1 Contents Overview... 3 Behavior Monitoring Overview... 3 Malware Behavior Blocking... 3 Event Monitoring... 4 Enabling Behavior Monitoring...

More information

Green House Data Spam Firewall Administrator Guide

Green House Data Spam Firewall Administrator Guide Green House Data Spam Firewall Administrator Guide Spam Firewall Administrator Guide... 2 Navigating the Web Interface... 2 How to Drill Down from the DOMAINS Page to Account Level... 2 Message Logs...

More information

Monitor Network Activity

Monitor Network Activity Monitor Network Activity Palo Alto Networks Panorama Administrator s Guide Version 6.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us

More information

QUICK START GUIDE. Cisco C170 Email Security Appliance

QUICK START GUIDE. Cisco C170 Email Security Appliance 1 0 0 1 QUICK START GUIDE Email Security Appliance Cisco C170 303357 Cisco C170 Email Security Appliance 1 Welcome 2 Before You Begin 3 Document Network Settings 4 Plan the Installation 5 Install the Appliance

More information

Active Directory Integration

Active Directory Integration January 11, 2011 Author: Audience: SWAT Team Evaluator Product: Cymphonix Network Composer EX Series, XLi OS version 9 Active Directory Integration The following steps will guide you through the process

More information

USER GUIDE WEB-BASED SYSTEM CONTROL APPLICATION. www.pesa.com August 2014 Phone: 256.726.9200. Publication: 81-9059-0703-0, Rev. C

USER GUIDE WEB-BASED SYSTEM CONTROL APPLICATION. www.pesa.com August 2014 Phone: 256.726.9200. Publication: 81-9059-0703-0, Rev. C USER GUIDE WEB-BASED SYSTEM CONTROL APPLICATION Publication: 81-9059-0703-0, Rev. C www.pesa.com Phone: 256.726.9200 Thank You for Choosing PESA!! We appreciate your confidence in our products. PESA produces

More information

Network Load Balancing

Network Load Balancing Network Load Balancing Step by Step installation of Network Load Balancing in Windows Server 2008 R2. Prerequisite for NLB Cluster 1. Log on to NODE1 Windows Server 2008 R2 system with a domain account

More information

Monitor Network Activity

Monitor Network Activity Monitor Network Activity Palo Alto Networks Panorama Administrator s Guide Version 6.1 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us

More information

Monnit Wi-Fi Sensors. Quick Start Guide

Monnit Wi-Fi Sensors. Quick Start Guide Monnit Wi-Fi Sensors Quick Start Guide Inside the Box You should find the following items in the box: Monnit Wi-Fi (MoWi ) Sensors 2 x AA Batteries for Each MoWi Sensor Quick Start Guide Note: A MoWi USB

More information

Configuring Security for FTP Traffic

Configuring Security for FTP Traffic 2 Configuring Security for FTP Traffic Securing FTP traffic Creating a security profile for FTP traffic Configuring a local traffic FTP profile Assigning an FTP security profile to a local traffic FTP

More information

Copyright 2013 GE Multilin Inc. All rights reserved. CyberSentry SEM software revision 1.00. CyberSentry, Digital Energy, Multilin, and GE Multilin

Copyright 2013 GE Multilin Inc. All rights reserved. CyberSentry SEM software revision 1.00. CyberSentry, Digital Energy, Multilin, and GE Multilin Copyright 2013 GE Multilin Inc. All rights reserved. CyberSentry SEM software revision 1.00. CyberSentry, Digital Energy, Multilin, and GE Multilin are trademarks or registered trademarks of GE Multilin

More information

Citrix EdgeSight for Load Testing User s Guide. Citrx EdgeSight for Load Testing 2.7

Citrix EdgeSight for Load Testing User s Guide. Citrx EdgeSight for Load Testing 2.7 Citrix EdgeSight for Load Testing User s Guide Citrx EdgeSight for Load Testing 2.7 Copyright Use of the product documented in this guide is subject to your prior acceptance of the End User License Agreement.

More information