AlienVault USM for Security Engineers
The Course Introduction gives students the course objectives and the prerequisite skills and knowledge for the AUSM for Security Engineers 5-day course. It also presents the course flow diagram and the icons used in the course illustrations and figures.
Duration: 40 hours
Course Content:
Module 1: Overview
This module provides an overview of the AlienVault® Unified Security Management™ (USM™) solution. Upon completing this module, you will meet these objectives:
• Understand the basic function of AlienVault USM
• Describe AlienVault USM Architecture
• Describe AlienVault Labs and the threat intelligence it provides
Module 2: AlienVault USM Basic Configuration and Verifying Operations
This module describes AlienVault Unified Security Management (USM) installation, basic configuration and verification, and the graphical user interface. Upon completing this module, you will meet these objectives:
• Describe the AlienVault USM graphical user interface
• Understand how to work with the menus and options available on the graphical user interface
• Verify basic AlienVault USM operations
Module 3: Asset Management
This module describes AlienVault Unified Security Management (USM) asset management. Upon completing this module, you will meet these objectives:
• Define AlienVault USM assets
• Describe how AlienVault uses asset management
• Add assets to the USM asset database
• Configure and schedule asset discovery in the USM
• Configure and manage assets using asset groups, networks, and asset labels
Module 4: Configuring Data Sources
This module describes AlienVault Unified Security Management (USM) security intelligence, which uses data source plugins to normalize events from various data sources. It also covers correlation, which detects security threats by tracking behavior patterns across the normalized events. Upon completing this module, you will meet these objectives:
• Describe data aggregation and normalization
• Describe data sources and how they work in USM
• Enable different data sources in USM
• Understand how events are processed in USM
• Calculate the risk of a USM event
• Correlate events in USM
Module 5: Policies and Actions
This module describes AlienVault Unified Security Management (USM) policies which are used to influence event processing, and to filter unnecessary events and false positives. The module also describes actions that can be configured as policy consequences. Upon completing this module, you will meet these objectives:
• Navigate the USM Policies user interface
• Configure USM actions
• Configure USM policies for events
• Configure USM policies for directive events
Module 6: Correlation Directives
This module describes how to customize security intelligence in the AlienVault Unified Security Management (USM) system by modifying existing correlation directives or creating new ones. Upon completing this module, you will meet these objectives:
• Understand logical correlation in USM
• Describe correlation directives
• Create a custom correlation directive
Module 7: Threat Detection
This module describes AlienVault Unified Security Management (USM) threat detection functionalities. The module describes intrusion detection and the two AlienVault USM IDS functions: network IDS and host IDS. The module also describes the AlienVault USM vulnerability assessment functionality. Upon completing this module, you will meet these objectives:
• Configure AlienVault USM network IDS
• Configure AlienVault USM host IDS through the Environment screen
• Configure AlienVault USM host IDS through the Assets screen
• Configure and perform AlienVault USM vulnerability assessment
Module 8: Behavioral Monitoring
This module describes AlienVault Unified Security Management (USM) behavioral monitoring functionalities. The module first (briefly) describes log collection, followed by AlienVault USM NetFlow collection. The module also explains the AlienVault USM availability monitoring functionality. Upon completing this module, you will meet these objectives:
• Describe and configure AlienVault USM log collection
• Describe and configure AlienVault USM NetFlow collection
• Describe and configure AlienVault USM availability monitoring
Module 9: OTX
This module describes the Open Threat Exchange (OTX). The module describes OTX and pulses, then how to follow and subscribe to other users and their pulses. Finally, students will create their own pulses. Upon completing this module, you will meet these objectives:
• Describe OTX and its important concepts
• Set up an OTX account
• Search and subscribe to pulses and follow other OTX users
• Create a pulse for OTX
Module 10: Security Analysis
This module describes security analysis of alarms and events produced by AlienVault Unified Security Management (USM). The module starts with a description of a security analysis process, reviews Dashboards and Alarms, and then provides a detailed breakdown of the steps and tools available during the process of security analysis. Upon completing this module, you will meet these objectives:
• Describe the Security Analysis Process
• Examine the dashboards
• Remediate the alarms in USM
• Investigate events in USM
• Check raw logs for more details
• Examine packet captures for more details about an event
• File tickets to manage event investigation
Module 11: System Maintenance
This module describes AlienVault Unified Security Management (USM) system maintenance. The module first describes how long AlienVault USM stores alarms, events, and logs, and how you can modify retention settings. The module also describes how to perform event and full system backup and restore. Upon completing this module, you will meet these objectives:
• Describe AlienVault USM alarms, events, and logs retention
• Describe how to perform backup and restore of events data
• Describe how to perform backup and restore of configuration data
Module 12: Administrative User Management
This module describes AlienVault Unified Security Management (USM) administrative user management. The module first describes the administrative user account, which is the default account for managing the AlienVault USM web UI. It then describes how to change the settings of an administrative user, how to manage administrative user accounts, and how to manage global authentication settings. The module also describes administrative user activity accounting and how to recover the admin user account password. Upon completing this module, you will meet these objectives:
• Describe administrative user management
• Manage user profile
• Manage administrative users
• Describe administrative user accounting
• Manage global authentication settings
• Recover admin user account password
Module 13: AlienVault USM Deployment
This module describes AlienVault Unified Security Management (USM) deployment options and explains how to prepare for the deployment. Upon completing this module, you will meet these objectives:
• Understand how to deploy AlienVault USM components
• Understand various AlienVault USM deployments
• Understand Correlation Context and Entities
• Describe how to handle other deployment considerations
Module 14: Upgrading AlienVault Unified Security Management (USM)
This module describes the AlienVault Unified Security Management (USM) system upgrade process. The module describes how to update the AlienVault USM system and its threat intelligence feeds, and how to perform offline upgrades. Upon completing this module, you will meet these objectives:
• Understand the USM upgrade process
• Upgrade USM
• Update the threat intelligence, plugins, and reports
• Upgrade the USM appliance offline
Module 15: Reporting
This module describes AlienVault Unified Security Management (USM) reporting. The module describes how to generate, view, and schedule reports, and how to customize the built-in reports or create new ones. Upon completing this module, you will meet these objectives:
• Describe the AlienVault USM reporting system
• Run, schedule, and view a report
• Create custom reports
• Create custom layouts for your reports
• Create custom modules from security events and logs
Module 16: Custom Plugins
This module describes how to customize security intelligence in the AlienVault Unified Security Management (USM) system. The module first describes the plugins delivered by AlienVault, then how to customize existing data source plugins or create new ones. Then the module describes how to customize or create new correlation directives. Upon completing this module, you will meet these objectives:
• Understand how to create custom plugins for USM
• Describe the configuration files for custom plugins
• Understand the role regular expressions play in customizing plugins
• Understand the SQL files for custom plugins
• Enable the new plugin
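The following is an added worked example, not part of the course material or AlienVault's own code, that ties together the event pipeline from Module 4 (normalization, risk calculation) and the plugin anatomy from Module 16 (the .cfg file with its regexp rules, and the .sql file that registers plugin_sid rows). It embeds a constructed plugin .cfg and .sql written in the OSSIM/USM plugin style, applies the rules to constructed sshd log lines, and scores each normalized event with the documented USM formula, risk = (asset value x priority x reliability) / 25. The plugin id 9001, the rule names, the reliability/priority values, the asset value of 4, and the integer truncation of the quotient are assumptions made for the illustration; the log lines and IP addresses are constructed.

```python
import configparser
import re
from dataclasses import dataclass

# Constructed plugin .cfg in the OSSIM/USM data source plugin style (assumption:
# plugin id 9001, rule names and log format are invented for this example).
PLUGIN_CFG = r"""
[DEFAULT]
plugin_id=9001

[config]
type=detector
enable=yes
source=log
location=/var/log/demo-sshd.log

[demo-sshd - failed password]
event_type=event
regexp=(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+) port \d+
plugin_sid=1
date={$1}
username={$2}
src_ip={$3}

[demo-sshd - accepted password]
event_type=event
regexp=(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted password for (\S+) from (\d+\.\d+\.\d+\.\d+) port \d+
plugin_sid=2
date={$1}
username={$2}
src_ip={$3}
"""

# Constructed plugin .sql in the same style; the plugin_sid rows carry the
# reliability and priority values that the risk calculation consumes.
PLUGIN_SQL = """
INSERT IGNORE INTO plugin (id, type, name, description) VALUES (9001, 1, 'demo-sshd', 'demo sshd plugin');
INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, reliability, priority, name) VALUES (9001, 1, NULL, NULL, 5, 3, 'demo-sshd: Failed password');
INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, reliability, priority, name) VALUES (9001, 2, NULL, NULL, 3, 2, 'demo-sshd: Accepted password');
"""

SID_RE = re.compile(
    r"INSERT IGNORE INTO plugin_sid \(plugin_id, sid, category_id, class_id, reliability, priority, name\)"
    r" VALUES \((\d+), (\d+), NULL, NULL, (\d+), (\d+), '([^']*)'\);")


@dataclass
class NormalizedEvent:
    plugin_id: int
    plugin_sid: int
    fields: dict


def load_rules(cfg_text):
    """Every section that carries a regexp is a rule; [config] holds collector settings."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    return [(name, re.compile(cp[name]["regexp"]), cp[name])
            for name in cp.sections() if "regexp" in cp[name]]


def load_sid_table(sql_text):
    """Map (plugin_id, sid) -> (reliability, priority, name) from the plugin_sid INSERTs."""
    return {(int(p), int(s)): (int(r), int(pr), n) for p, s, r, pr, n in SID_RE.findall(sql_text)}


def expand(template, m):
    # {$N} in a rule value refers to capture group N of the rule's regexp.
    return re.sub(r"\{\$(\d+)\}", lambda g: m.group(int(g.group(1))) or "", template)


def normalize(line, rules):
    """Apply the first matching rule; return a normalized event, or None to discard the line."""
    for _name, rx, sec in rules:
        m = rx.search(line)
        if m:
            fields = {k: expand(sec[k], m) for k in ("date", "username", "src_ip", "dst_ip") if k in sec}
            return NormalizedEvent(int(sec["plugin_id"]), int(sec["plugin_sid"]), fields)
    return None


def usm_risk(asset_value, priority, reliability):
    """USM risk = (asset value * priority * reliability) / 25.
    Asset value 0..5, priority 0..5, reliability 0..10, so risk is 0..10.
    Truncating the quotient to an integer is an assumption of this example."""
    if not (0 <= asset_value <= 5 and 0 <= priority <= 5 and 0 <= reliability <= 10):
        raise ValueError("asset value, priority or reliability out of range")
    return (asset_value * priority * reliability) // 25


def score(lines, rules, sid_table, asset_value):
    """Normalize each line and attach its risk; USM raises an alarm when risk >= 1."""
    out = []
    for line in lines:
        ev = normalize(line, rules)
        if ev is None:
            continue
        reliability, priority, name = sid_table[(ev.plugin_id, ev.plugin_sid)]
        out.append((name, ev.fields["username"], ev.fields["src_ip"],
                    usm_risk(asset_value, priority, reliability)))
    return out


# Constructed sample log lines; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = [
    "Mar  4 10:15:01 bastion sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2",
    "Mar  4 10:15:03 bastion sshd[2231]: Failed password for root from 203.0.113.7 port 51123 ssh2",
    "Mar  4 10:16:10 bastion sshd[2240]: Accepted password for ops from 192.0.2.15 port 40022 ssh2",
    "Mar  4 10:16:11 bastion cron[300]: (root) CMD (run-parts /etc/cron.hourly)",
]


def demo():
    # Asset value 4 for the bastion host is assumed; it would come from the asset database.
    return score(SAMPLE_LOG, load_rules(PLUGIN_CFG), load_sid_table(PLUGIN_SQL), asset_value=4)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

With these assumed values the two failed logins score risk 2 (4 x 3 x 5 / 25) and would raise an alarm, the accepted login scores 0 (4 x 2 x 3 / 25) and stays an event, and the cron line matches no rule and is dropped, which is exactly the filtering effect of a plugin that only defines rules for the events it cares about.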