Alienvault: Deploying a virtual SIEM

Last week, we see how to deploy a virtual firewall in VMware infrastructure to test new features and learning about FortiOS 5.4. However, this method of deploying virtual machines into VMware infrastructure is also a good way to learn how other products work, such as load balancers, routers, switches, SIEM, etc. Therefore, this time, we are going to see how to deploy Alienvault USM Appliance, which can be useful to compare with the free Alienvault OSSIM. In addition, we'll see the commercial edition has more security directives than the free edition, even for detecting last Apache Struts attacks.

The first step is to register for downloading the USM Appliance (On-Premises) Free Trial to deploy into our virtual infrastructure. We shouldn't confuse it with USM Anywhere (In the Cloud), which is a another product where the intelligence, events and information is in the cloud, and we only have to deploy sensors throughout the organization.

Next, I have deployed the OVF template called VMWARE-AlienVault_USM_All-in-One_5.3.6.ova as a new virtual machine into VMware infrastructure. We'll realise that USM Appliance needs a lot of resources; 8 CPU, 16 GB RAM and 1 TB of disk.

Alienvault USM Appliance

Once the virtual SIEM is imported into VMware, there will be some basic configuration like IP address for management and DNS, which have to be done through a wizard from console. Since then, everything is done from web interface.

Nevertheless, Alienvault has Quick Start Guide and Deployment Guide to help us deploy and configure their appliances in an easy way.

Alienvault Deployment Guide

If we are going to test, for instance, last security directives like the recently Apache Struts Vulnerability, we would have to upgrade the Threat Intelligence signatures, which is not possible from Free Trial. If we want to have USM Free Trial updated, we have to download security directives from commercial version and imported into USM Free Trial.

Correlation Directives

We are on time to create threat intelligence policies. I have created a new policy for alerting by email when something goes wrong like traffic scan, web attacks, malware infection, etc. What's more, we can also configure to execute an external program when something wrong is happening.

USM Policies

It's time to attack and check if USM is detecting malicious activity or we are bypassing security protections. This can be done watching security events and alarms.

Apache Struts Alarms

Regards my friends and remember, play and test with your toys to know how they work.