How to display Security Events from an external AlienVault Database

AlienVault Unified Security Management™ Solution
Complete. Simple. Affordable
Copyright© 2014 AlienVault. All rights reserved.
AlienVault™, AlienVault Unified Security Management™, AlienVault USM™, AlienVault Open Threat Exchange™, AlienVault OTX™, Open Threat Exchange™, AlienVault OTX Reputation Monitor™, AlienVault OTX Reputation Monitor Alert™, AlienVault OSSIM™ and OSSIM™ are trademarks or service marks of AlienVault.
CONTENTS
1. INTRODUCTION ... 4
2. PRE-REQUISITE: ALLOW AN EXTERNAL CONNECTION TO THE ALIENVAULT DATABASE ... 4
2.1. Alienvault Firewall Setup ... 5
2.2. Grant privileges to the remote user ... 6
3. HOW TO ADD AN EXTERNAL ALIENVAULT DATABASE ... 7
4. HOW TO DISPLAY EVENTS FROM AN EXTERNAL ALIENVAULT DATABASE ... 8
DC-00158
Edition 00
1. INTRODUCTION
This document explains how to add a connection to an external AlienVault database and how to view the events stored in that database.
This procedure only works with AlienVault databases, and the external database must run the same version as the framework that connects to it.
A successful connection to an external AlienVault database requires the following steps, in this order:
1. Authorize remote access in the external AlienVault database.
2. Add the external AlienVault database in the GUI.
3. View events related to the external AlienVault database.

2. PRE-REQUISITE: ALLOW AN EXTERNAL CONNECTION TO THE ALIENVAULT DATABASE
Before adding the external database in your system, perform the following actions on the target AlienVault platform where the external database is located:
1. Configure the AlienVault firewall to allow an external connection to the database (the firewall blocks this by default).
2. Grant privileges to the external user connecting to the database.
If these pre-requisites are not met, AlienVault USM™ displays the following warning screen:
2.1. ALIENVAULT FIREWALL SETUP
AlienVault uses port 3306 by default for its databases.
1. Connect by SSH, using the admin IP address, to the AlienVault appliance where the external database is located. The AlienVault Setup main menu appears.
2. Use the arrow keys to move to the option ‘Jailbreak System’, then press Enter to accept the selection (<OK>).
3. Edit the file /etc/ossim/firewall_include and add the following line, replacing the placeholders with the framework's address or network and the database port (3306 by default; note that the option is --dport, since --dports exists only with the multiport match):
-I INPUT -s <administration_IP_or_network> -p tcp -m state --state NEW --dport <database_port> -j ACCEPT
4. Apply the new firewall configuration by entering the following command:
ossim-reconfig
5. Check that the rule is active by entering the following command:
iptables -nvL | grep <database_port>
2.2. GRANT PRIVILEGES TO THE REMOTE USER
1. Connect by SSH, using the admin IP address, to the AlienVault appliance where the external database is located. The AlienVault Setup main menu appears.
2. Use the arrow keys to move to the option ‘Jailbreak System’, then press Enter to accept the selection (<OK>).
3. Open the database console by entering the following command:
ossim-db
4. Grant privileges to the remote user (one statement per database, then reload the grant tables):
GRANT ALL ON alienvault.* TO '<user>'@'<framework_ip>' IDENTIFIED BY '<user_pass>';
GRANT ALL ON alienvault_siem.* TO '<user>'@'<framework_ip>' IDENTIFIED BY '<user_pass>';
GRANT ALL ON datawarehouse.* TO '<user>'@'<framework_ip>' IDENTIFIED BY '<user_pass>';
FLUSH PRIVILEGES;
Where:
<user> is the user name that will be entered in the web form when the external database is added.
<framework_ip> is the IP address of the platform on which the external database is going to be added; it is the only host allowed to connect as this user.
<user_pass> is the password that will be entered in the web form when the external database is added.
5. Leave the database console by entering this command:
quit;
6. Enter the following command:
ossim-reconfig
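The following script is an added example and is not part of the AlienVault document: it generates the firewall_include line from section 2.1 and the GRANT statements from section 2.2 from validated inputs, so that the database port is opened only to the framework address or network and a password containing quotes cannot break the SQL literal. The function names and the default include-file path are assumptions.

```shell
#!/bin/sh
# Added example, not part of the AlienVault document: builds the firewall rule for
# section 2.1 and the GRANT statements for section 2.2 from validated inputs.
# Function names and the include-file path are assumptions.

# Accept only a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s\n' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the /etc/ossim/firewall_include line: NEW TCP connections from the given
# address or network (optional /prefix) to the database port (default 3306).
build_fw_rule() {
    src=$1; port=${2:-3306}; ip=${src%%/*}
    valid_ipv4 "$ip" || return 1
    case $src in */*) prefix=${src#*/}
        case $prefix in ''|*[!0-9]*) return 1;; esac
        [ "$prefix" -le 32 ] || return 1;;
    esac
    case $port in ''|*[!0-9]*) return 1;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    printf '%s\n' "-I INPUT -s $src -p tcp -m state --state NEW --dport $port -j ACCEPT"
}

# Append the rule to the include file only if it is not already present, so the
# script can be re-run before ossim-reconfig without duplicating rules.
add_fw_rule() {
    file=${3:-/etc/ossim/firewall_include}
    rule=$(build_fw_rule "$1" "$2") || return 1
    grep -qxF -- "$rule" "$file" 2>/dev/null || printf '%s\n' "$rule" >> "$file"
}

# Print the section 2.2 GRANT statements for the three databases. The host is the
# single framework IP; backslashes and single quotes in the password are escaped.
build_grant_sql() {
    user=$1; host=$2
    valid_ipv4 "$host" || return 1
    pass=$(printf '%s' "$3" | sed 's/\\/\\\\/g' | sed "s/'/''/g")
    for db in alienvault alienvault_siem datawarehouse; do
        printf "GRANT ALL ON %s.* TO '%s'@'%s' IDENTIFIED BY '%s';\n" "$db" "$user" "$host" "$pass"
    done
    echo 'FLUSH PRIVILEGES;'
}
```

Run ossim-reconfig after add_fw_rule, and paste the output of build_grant_sql into the ossim-db console, exactly as the steps above describe.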
3. HOW TO ADD AN EXTERNAL ALIENVAULT DATABASE
1. Launch a web browser and enter the IP address of the AlienVault appliance in the address bar.
2. Choose ‘Analysis > Security event (SIEM) > External Databases’ and click on NEW.
3. Fill out the form and click on SAVE.
4. HOW TO DISPLAY EVENTS FROM AN EXTERNAL ALIENVAULT DATABASE
1. Launch a web browser and enter the IP address of the AlienVault appliance in the address bar.
2. Choose ‘Analysis > Security event (SIEM) > SIEM’.
3. Click on the database-selection icon and select your database.
4. If the warning window appears, follow the instructions given in Section 2, PRE-REQUISITE: ALLOW AN EXTERNAL CONNECTION TO THE ALIENVAULT DATABASE.