Hi Everyone, I’m back with another AlienVault Tip of the Month.
This month I will be extending a bit on the concepts from last month regarding SIEM views. Last month we saved a SIEM view based on search criteria, this month we will be taking information from a SIEM view, and setting up custom email alerts using DS Groups, Policies and Policy Actions.
Say for instance you see an event in the SIEM view where a configuration change has been made to your firewall. You would like to be notified from now on whenever this event occurs.
Determine Event Type
First we need to open an event and look at the event details. In this scenario, we will use the “ASA: A user made a configuration change” event which is Data Source ID 1636, and Event Type ID 111010. Make a note of these two numbers. (Data Source ID 1636 is the general cisco-asa data source that holds all the Cisco related event types.)
Create Data Source Group
The process takes a little bit of planning.
First, you need to create a data source group into which you can insert the event.
Navigate to “Configuration” --> “Threat Intelligence” --> “Data Source.”
Click on the “Data Source Groups” button, then click on “Add New Group.”
Name it something meaningful, like “Device Config Changes” and add a description if you like.
Hint: Use something general, so you can use this same DS group for config changes from other devices, which we will discuss in a later step.
Select “Add by Data Source” and search for the Data Source ID (1636) you noted from the previous step, using the “Search:” field on the right.
Click on the result to add it to the Data Source Group
Now we need to specify the exact Event Type ID
Click on the pencil icon, and note there is nothing in the left panel, and a large list in the right.
Type the Event Type ID in the field at the top of the right pane, to search for it.
Click the event “+” sign to move it to the left, then click “Submit Selection”
This will take you back to the Data Source Group edit page.
Note the “Events type selected: 1” to the right of the page.
Click “Update” to save group.
Create Policy / Action
Now that we have our data source group set up, let’s create a policy around it so we can do some cool stuff.
Let’s click back into to “Configuration” --> “Threat Intelligence” --> “Policy”
You will see three policy groups.
Select “New” in the “Default policy group”
Note the yellow colored fields, those require editing.
Name the policy first. Let’s call it “Config Changes”
Let’s set the “Source” and “Destination” fields to “Any”
The next thing we need to make this work is to assign the DS Group we just created.
Click into the “Event Types” field, and note the change in the window below.
Deselect the “Any” selection, and select the DS group we created before “Device Config Changes”
Now for Action!
Click on “Action” and “Insert New Action”
Populate the fields with a Name, Context, Description.
Set “Type” to email.
Fill out, From, To, and Subject.
For the Subject it’s helpful to put the SRC_IP or SRCIP_HOSTNAME keyword Like so:
“Config Change on SRCIP_HOSTNAME”
In the “Message” field, you can add freeform text that will be in the body of the email.
You can add keywords (listed at the top of the window) that correspond to event items, or you can check the box to “Append Email with all event fields”
Click Save and go back to the Policy and the action field.
You should now be able to move the new action from the “Available Actions” column, to the “Active Actions”
Click the “Update Policy” button, and notice “Reload Policies” is now highlighted in red.
Click “Reload Policies” and that’s it!
Now, say for instance later on you want to get notification of config change events from another device, all you have to do is select the event in the SIEM view, select the “Actions” dropdown, and “Insert Into DS Group” and select the “Device Config Changes” group.