AlienVault SIEM

29th June 2020

Agents: agents must be deployed one PC at a time, because a unique encryption key is generated per PC and embedded in that PC's agent.
Environment, Detection, Agents tab, Agent Control, Add Agent
Search for the PC or choose it from the list.
If a PC is not listed, add its subnet to the asset scan so it gets discovered first.
Agent name does NOT need to be the DNS name.
Actions column, choose Automatic Agent Deployment for Windows.
Enter an administrator user/password (the SIEM logs in to the PC with this account to install the agent, so use a dedicated deployment account rather than a domain admin).
Click Deploy.

Plugins:
Environment, Assets,
Find the asset, click the magnifying glass on the right, Plugins tab, Edit Plugins, then pick the vendor and model (e.g. Fortinet, FortiGate). Without the right plugin the device's logs arrive but are not parsed into events.

Scans:
Environment, Vulnerabilities, Scan Jobs

Email setup:
Configuration, Deployment, click the magnifying glass icon, General Configuration, Mail Relay = Yes.
smtp relay = smtp.office365.com
user = steve@company.com
pw = the mailbox password (it is stored on the SIEM, so use a dedicated alerting mailbox, not a person's account)
tcp port = 587 (STARTTLS; the mailbox must have SMTP AUTH enabled in Exchange Online or the login is refused)
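Before relying on the SIEM to mail alarms, prove the relay settings above actually work from the SIEM host. The script below is an added check, not AlienVault's own code: it connects on 587, insists on STARTTLS before sending the password, authenticates, and sends one test message. The RELAY values mirror the notes above; the password is a placeholder and the recipient address is an assumption.

```python
"""Relay check for the Office 365 settings above (added example, not AlienVault code)."""
import smtplib
import ssl
from email.message import EmailMessage

# Constructed from the notes above; "whatever" is a placeholder for the real password.
RELAY = {
    "host": "smtp.office365.com",
    "port": 587,
    "user": "steve@company.com",
    "password": "whatever",
}


def build_test_message(sender, recipient, subject="AlienVault relay test"):
    """Minimal RFC 5322 message. From must be the authenticated mailbox (or an
    address it may send as) or Exchange Online rejects the submission."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content("Relay test from the SIEM host. If you can read this, mail relay works.")
    return msg


def send_test_message(relay, msg, timeout=15):
    """Connect, upgrade with STARTTLS, log in, send. Returns (ok, detail) rather
    than raising so the failure mode is reported in plain words."""
    ctx = ssl.create_default_context()  # verifies the relay's certificate chain
    try:
        with smtplib.SMTP(relay["host"], relay["port"], timeout=timeout) as s:
            s.ehlo()
            if not s.has_extn("STARTTLS"):
                # Never send the mailbox password over a cleartext session.
                return False, "relay does not offer STARTTLS; refusing to authenticate"
            s.starttls(context=ctx)
            s.ehlo()
            s.login(relay["user"], relay["password"])
            s.send_message(msg)
        return True, "accepted by relay"
    except smtplib.SMTPAuthenticationError as e:
        return False, f"auth failed ({e.smtp_code}): wrong password or SMTP AUTH disabled for the mailbox"
    except smtplib.SMTPException as e:
        return False, f"smtp error: {e}"
    except OSError as e:
        # DNS failure, egress blocked on 587, connection refused, timeout
        return False, f"network error: {e}"


if __name__ == "__main__":
    test_msg = build_test_message(RELAY["user"], "steve@company.com")
    ok, detail = send_test_message(RELAY, test_msg)
    print("OK" if ok else "FAIL", detail)
```

Run it on the SIEM itself (or another box on the same network segment), since an egress rule blocking TCP 587 from the SIEM's address is the usual reason "Mail Relay = Yes" silently sends nothing.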

Alerts from Alarms:
Configuration, Threat Intelligence, Actions, New
Name = Email Alert (or something descriptive)
Description = name, date, description of the change
Type = Send an email message
From = must be a valid user (the relay mailbox configured above)
To = the mailbox or distribution list that should receive alerts
Subject = AlienVault Alert
Body = the SIEM link (https://lisiem.company.com) plus whichever event fields you click from the list at the top of the page; they are inserted as placeholders and filled in per alarm
Append Event fields = Yes

Now we use the Policy Menu to add this action as a policy.

  1. From the Threat Intelligence menu, choose Policy.
  2. Under “Policies for events generated in server,” click New.
  3. Top of page, near Policy Rule Name, enter a unique name like “Send Email Alerts”
  4. Under Policy Conditions, tick Directive Events (directive events are what the correlation engine raises alarms from, so the action fires on alarms rather than on every raw event).
  5. Under Consequences, Actions, click No Action
  6. In bottom pane under Available Actions, click the + next to Email Alert (or whatever you called it in the previous step)
  7. Near bottom of the page click Update Policy
  8. Under Policies for events generated in server, click Reload Policies (the new policy does nothing until the server reloads it).

Enable syslog from Ubiquiti
Settings gear bottom left, Network Settings, Advanced,
Remote Logging, Enable Syslog = Yes
Syslog Server = DNS name of the SIEM server
This is plain UDP syslog, cleartext and unauthenticated, so the SIEM must be listening on UDP 514 and anything between the controller and the SIEM that filters UDP will drop it silently; confirm messages actually arrive before assuming the device is covered.
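A quick way to confirm the Ubiquiti messages reach the SIEM host is to listen on the same UDP port the SIEM uses and decode what arrives. The script below is an added example, not AlienVault or Ubiquiti code: it parses the BSD-syslog (RFC 3164) header into facility, severity, host and message, binds the port, and can also emit a test datagram from the SIEM's own side. The sample line is constructed in the shape of a USG firewall-drop message, not captured from a real device, and port 514 is the assumed listener port.

```python
"""Syslog arrival check for the Ubiquiti setting above (added example, not AlienVault code)."""
import re
import socket

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOST message   (day may be space-padded)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$",
    re.S,
)
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              **{16 + i: f"local{i}" for i in range(8)}}

# Constructed sample shaped like a USG WAN_LOCAL drop; not a real capture.
SAMPLE_LINE = ("<4>Jun 29 10:15:02 USG kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= "
               "SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=54321 DPT=22")


def parse_syslog(line):
    """Split one BSD-syslog line into its parts, or return None if malformed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:  # facility max 23, severity max 7 -> 23*8+7
        return None
    return {
        "facility": FACILITIES.get(pri // 8, str(pri // 8)),
        "severity": SEVERITIES[pri % 8],
        "timestamp": m["ts"],
        "host": m["host"],
        "message": m["msg"],
    }


def open_listener(bind_addr="0.0.0.0", port=514):
    """Bind the UDP port the SIEM should be receiving on (514 needs root)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    return sock


def receive_one(sock, timeout=30):
    """Wait for a single datagram; return the parsed record plus sender IP, or
    None on timeout (nothing arriving means the controller setting or a
    firewall in the path is wrong, not the parser)."""
    sock.settimeout(timeout)
    try:
        data, (src_ip, _) = sock.recvfrom(65535)
    except socket.timeout:
        return None
    text = data.decode("utf-8", errors="replace").rstrip("\r\n\x00")
    rec = parse_syslog(text) or {"raw": text}  # keep unparsable payloads visible
    rec["source_ip"] = src_ip
    return rec


def send_syslog(line, host, port=514):
    """Emit one datagram the way the gateway does: plain UDP, no TLS, no auth."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), (host, port))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1 and sys.argv[1] == "listen":
        # On the SIEM host (with the SIEM's own syslog listener stopped so the
        # port is free): sudo python3 syslog_check.py listen, then save the
        # Ubiquiti setting and watch for the first record.
        with open_listener() as sock:
            print(receive_one(sock) or "nothing received within 30 s")
    else:
        # Loopback self-test of the parser and the receive path.
        with open_listener("127.0.0.1", 0) as sock:
            send_syslog(SAMPLE_LINE, "127.0.0.1", sock.getsockname()[1])
            print(receive_one(sock, timeout=5))
```

If the listener sees the controller's IP as source_ip but the record's host field is the gateway's name, that is normal: the UniFi controller forwards on behalf of the devices it manages.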

Alternate: DeepBlueCLI (PowerShell script that hunts through Windows event logs on the box itself, useful when no SIEM agent is in place)