The LevelBlue USM Appliance platform provides powerful tools to help you continually monitor the security and compliance of your customers' networks and assets. These capabilities can be easily configured to address the specific priorities of each of your customers and to optimize the services you deliver to them. To maximize the effectiveness of your MSSP services, we have assembled some guidelines below.
On the Federation Server and the customer's USM Appliance, check to see if:
- Raw logs are in the Raw Logs view (Review and Verify Raw Logs)
- Events are populating the SIEM view (Security Events Views)
- Alarms are appearing in the Alarms view (Reviewing Alarms as a List)
- Email based on the alarm was sent and received, if you have connected the mail server
On the Federation Server only, check to see if:
- There are alarms coming from your customer's USM Appliance
After you have discovered all assets on your network, go through them and assign an asset value to each. The asset value plays a role in risk calculation, where the risk level of an event is:

risk = (event priority * event reliability * asset value) / 25

Event priority defines how urgently the event should be investigated and ranges from 0 to 5. Event reliability specifies the likelihood that the event is accurate and ranges from 0 to 10. Asset value specifies an asset's importance or criticality relative to other managed assets. See Asset Value and Event Risk Calculation for more details. It is also very important for readability, manageability, and understandability to name all your assets by their hostnames. If any asset in the database has no hostname, give that asset its correct hostname. Refer to Editing the Assets for instructions.
| Asset Value | Assets Recommended for This Value |
|---|---|
| 0 | Asset will never trigger any alarm. |
| 1 | Asset will not detect important attacks. Suitable for less important assets on your network, for example, printers and scanners. |
| 2 | Default asset value. Should be used for the majority of assets, especially end-user machines. Produces alarms on all major security events as well as environmental awareness. |
| 3 | Assets that provide services for multiple users, such as a production environment or internal network devices. |
| 4 | Assets that run business operations. For example, a CRM system, domain controller, email server, or firewalls (unless the firewall is really chatty; in that case, make it a 3, or create no-alarm policies for common false positives). |
| 5 | Be careful assigning any asset this value because it will generate many false positives. |
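To make the effect of each row in the table concrete, the shell script below is an added example (not from the LevelBlue documentation) that applies the risk formula above to the same event across every asset value from 0 to 5. The priority and reliability values it uses are constructed for illustration, and it assumes that an alarm is raised once risk reaches 1 (the threshold USM Appliance uses, which this page does not state).

```shell
#!/bin/sh
# Added example, not from the LevelBlue documentation: apply the risk formula
#   risk = (event priority * event reliability * asset value) / 25
# to one event across every asset value in the table above.
# The priority and reliability values used below are constructed for illustration.

# risk PRIORITY RELIABILITY ASSET_VALUE
# Prints the risk with two decimals; rejects values outside the documented ranges
# (priority 0-5, reliability 0-10, asset value 0-5).
risk() {
    awk -v p="$1" -v r="$2" -v a="$3" 'BEGIN {
        if (p < 0 || p > 5 || r < 0 || r > 10 || a < 0 || a > 5) {
            print "invalid"; exit 1
        }
        printf "%.2f\n", (p * r * a) / 25
    }'
}

# alarms PRIORITY RELIABILITY ASSET_VALUE
# Prints "yes" when the event would raise an alarm, "no" otherwise.
# Assumption: an alarm is raised when risk >= 1 (USM Appliance's threshold,
# not stated on this page).
alarms() {
    awk -v p="$1" -v r="$2" -v a="$3" 'BEGIN {
        v = (p * r * a) / 25
        if (v >= 1) print "yes"; else print "no"
    }'
}

# risk_table PRIORITY RELIABILITY
# One row per asset value 0..5, so the effect of each value in the table is visible.
risk_table() {
    printf '%-12s %-6s %s\n' "asset_value" "risk" "alarm"
    for a in 0 1 2 3 4 5; do
        printf '%-12s %-6s %s\n' "$a" "$(risk "$1" "$2" "$a")" "$(alarms "$1" "$2" "$a")"
    done
}

echo "Moderately serious event (priority 3, reliability 6):"
risk_table 3 6
echo
echo "Noisy, low-priority event (priority 2, reliability 4):"
risk_table 2 4
```

The first table shows why 1 is reserved for unimportant assets: the same priority 3, reliability 6 event scores 0.72 on a value-1 asset and never alarms, but 1.44 on a default value-2 asset. The second table shows the other failure mode: a low-priority event that stays silent on value-2 and value-3 assets alarms on a value-5 asset, which is the source of the false positives the table warns about.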
If NIDS (Network Intrusion Detection System) is not working, check the following. NIDS monitors network traffic and events for suspicious or malicious activity using the sensors that provide management and network monitoring interfaces to networks and network devices.
- Has a SPAN / mirror / tap been configured?
- Does the virtual machine have a spare NIC that can be used for NIDS?
- Is the firewall, switch, or tap physically connected to the spare NIC?
- Has the Port Group been properly configured?
If the answer to all of the above is yes, verify (and document) that traffic is arriving on the appropriate interface (for example, eth1):
- Connect to the LevelBlue Console through SSH and log in with your credentials. The LevelBlue Setup menu displays.
- On the LevelBlue Setup main menu, select Jailbreak System to gain command line access. Select Yes when prompted. You will be in the root directory.
- Generate a tcpdump on the network monitoring interface.
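The last step leaves open what to capture and how to judge the result. The script below is an added example, not part of the LevelBlue documentation or the appliance's own tooling, of a check you can run from the jailbroken console. Rather than counting every frame (a NIC with no mirror still sees its own broadcast and ARP traffic, which can look like "traffic"), it captures only unicast frames that are not addressed to the monitoring NIC, which arrive only when a SPAN, mirror or tap is feeding the port. The interface name, packet count and 30 second timeout are placeholders (eth1 follows the page's example), and the script assumes tcpdump and the coreutils timeout command are present on the appliance.

```shell
#!/bin/sh
# Added example, not from the LevelBlue documentation: confirm that mirrored
# (SPAN/tap) traffic is actually arriving on the monitoring interface.
# Placeholders: interface (default eth1), packet count, minimum count, 30 s timeout.
# Assumes tcpdump and coreutils timeout exist on the appliance.

# mirror_filter MAC
# Prints a BPF filter that matches only unicast frames NOT addressed to this NIC.
# Broadcast, multicast and the sensor's own traffic are excluded so they cannot
# mask a missing mirror.
mirror_filter() {
    printf 'not ether dst %s and not ether broadcast and not ether multicast' "$1"
}

# packets_captured
# Reads tcpdump's stderr summary from stdin and prints the "N packets captured" count.
packets_captured() {
    sed -n 's/^\([0-9][0-9]*\) packets captured.*/\1/p' | head -n 1
}

# enough_traffic COUNT MIN
# Succeeds when COUNT is a number that is at least MIN.
enough_traffic() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge "$2" ]
}

# check_interface IFACE
# Confirms the interface exists and reports its link state
# (a monitoring NIC needs no IP address, but it must be present and up).
check_interface() {
    iface="$1"
    if [ ! -d "/sys/class/net/$iface" ]; then
        echo "no such interface: $iface (is the spare NIC attached to the VM?)"
        return 1
    fi
    echo "$iface operstate: $(cat "/sys/class/net/$iface/operstate")"
}

main() {
    iface="${1:-eth1}"; count="${2:-200}"; min="${3:-50}"
    check_interface "$iface" || return 1
    mac=$(cat "/sys/class/net/$iface/address")
    filter=$(mirror_filter "$mac")
    echo "capturing up to $count mirrored unicast frames on $iface (30 s timeout)"
    echo "filter: $filter"
    # tcpdump prints packets on stdout and the capture summary on stderr;
    # keep only the summary. -nn: no name resolution, -q: terse output.
    n=$(timeout 30 tcpdump -i "$iface" -nn -q -c "$count" "$filter" 2>&1 >/dev/null | packets_captured)
    echo "mirrored frames captured: ${n:-0}"
    if enough_traffic "${n:-0}" "$min"; then
        echo "OK: $iface is receiving mirrored traffic; record this output for the customer"
    else
        echo "FAIL: little or no mirrored traffic on $iface; re-check SPAN, port group and promiscuous mode"
        return 1
    fi
}

# Run the check only when an interface is given, e.g.:  sh check_span.sh eth1 200 50
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Save the output of a successful run with the customer's deployment record; if it reports FAIL, continue with the VMware or Hyper-V checks that follow.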
For VMware deployments, if you do not see any traffic, check the following:
- Are the vSwitch and the Port Group set to Promiscuous Mode: Accept?
- Is the Port Group VLAN ID set to All (4095)?
- Is the correct USM Appliance interface assigned to the SPAN Port Group? Keep in mind that VMware Network adapter 2 is equivalent to eth1 on USM Appliance because VMware starts at 1 and USM Appliance starts at 0.
See Monitor VMware Standard Virtual Switches for additional help.
For Hyper-V deployments, make sure that you have configured the VLAN ID and port mirroring correctly. See Deploy USM Appliance Using Hyper-V Manager for details.
Leaving eth0, the management interface, selected as a listening interface will cause numerous false positives when running a vulnerability scan on USM Appliance itself.
To deselect eth0 as a listening interface / network monitoring port
- From the web UI, go to Configuration > Deployment.
- Under LevelBlue Components Information, click the System Details icon for the system you want to change.
- On the next page, click Sensor Configuration and then Detection.
- Click the minus (-) sign to remove eth0 from Listening Interfaces.
In addition, if you see events around USM Appliance itself, especially those from the avapi user, you can add them to the AVAPI Event Types DS Group.
For example, you can safely add 1001 / 2001579 and 1001 / 2001569 (data source ID / event type ID) to the AVAPI Event Types DS Group. These are for "ET SCAN Behavioral Unusual Port 139 Traffic, Potential Scan or Infection" and "ET SCAN Behavioral Unusual Port 445 Traffic, Potential Scan or Infection," respectively, which we see quite frequently as false positives in USM Appliance.
Some aspects of USM Appliance require the installation of an HIDS agent. This is not a requirement for operation of USM Appliance, but the agents provide great enhancements to the USM Appliance functionality. See AlienVault HIDS for details.
Updates to USM Appliance occur in three forms: signature/rules updates, plugin updates, and product updates. See USM Appliance Updates for additional information.
RBAC, or Role-Based Access Control, can limit SOC operators to certain customers. Since correlation contexts are synced between the customers and the Federation Server, you can create users on the Federation Server and limit their visibility to a certain customer (context). When this user logs onto the Federation Server, he or she can only see the alarms from this customer.
You can also use RBAC more granularly by restricting visibility to certain assets within a customer environment as well. In addition to assets, RBAC can also control access to features of the product. For instance, you can prevent an analyst from running a vulnerability scan, yet allow them to view scanning results.
For more details on limiting user visibility, allowable assets, and user templates, see User Authorization.
We recommend monitoring customer equipment, and alerting on outages, with the USM Appliance built-in availability monitoring solution. See Configure Availability Monitoring for instructions.
We recommend that you review your customer's USM Appliance installation for any events and alerts that need to be tuned. Often this means:
- Tune unnecessary and unwanted events and alarms out
- Disable correlation rules
- Adapt existing correlation rules
- Write new correlation rules
- Integrate new data sources
- Go over the asset value assignments to assign new values for new assets or reclassify assets
We also recommend making this review a formal process at regular intervals, for example every two weeks, monthly, or quarterly, in order to keep up with the customer environment and customer needs.