Security Infusion

1. Admin user - Quick Start
2. Agent Installation and Configuration
2.1 Windows version
2.1.1 Custom service monitoring
2.2 Linux version
2.2.1 Custom service monitoring
3. Manager Configuration
3.1 Managing Notifications
3.2 Managing Agents
3.3 Monitoring and Alerting Functionality
3.4 Event Analyser and Custom Filters Functionality
3.5 Reporting Functionality
3.6 Create Slack webhook
3.7 Adding support for Bitdefender events
3.8 Backup Configuration Instructions
4. Frequently Asked Questions
4.1 Web Interface
4.2 Windows Agent

User Manual

1. Admin user - Quick Start

Go to Admin Panel → Notifications to set the “Notification email”. This is the email address set to receive all alerts from Security Infusion. You can also set the preferred timezone for the report scheduling. Moreover, you can setup a webhook for sending notifications to other apps such as Slack.

To enable a new agent configuration, go to Admin Panel → Agents. Select “Create new agent’, provide a name for the agent and type (windows or linux). After enabling a new agent, you can download the installation package and install it in the node you want to monitor. More information about agent installation can be found in the next section.

2. Agent Installation and Configuration

2.1 Windows version

Video Tutorial

Unzip the packaged installer, downloaded from Admin Panel → Agents.

The installation of the Security Infusion Agent requires elevated windows privileges (admin). If the logged-on user performing the installation does not hold such rights, a prompt will be shown requiring credentials of an account with admin rights. Depending on the Windows Operating system, the user may be presented with the User Account Control (UAC) screen.

By clicking Show more details → Show information about the publisher’s certificates the information of the security certificate used to sign the installer is shown.

Note: For Windows 7 operating system the security prompt will state that the software publisher is “unknown”. This is due to the fact that Windows 7 support ended in January 2020 and therefore these systems lack the current Windows Root and Intermediate Certificates.

Security Infusion agent requires .Net Framework to be installed, with a version equal or greater of 4.6.1. If the installer detects that this requirement is not met then the message shown in Figure 6 appears.

By clicking OK the installer exits and the web page is opened in the web browser to download .Net Framework 4.8. After the installation of the downloaded installation package the user may be prompted for a reboot. Furthermore, depending on the Windows Operating System type the installer will check if Windows Powershell version v4 is installed. If it is not found the user will be prompted with the screen shown in Figure 6 Windows Powershell 4 not found:

The user has a choice to:

Terminate the installation and follow the instructions in the web page that will open in the web browser to download and install Windows Management Framework 5.1. After the installation of the downloaded package the user will be prompted to perform a reboot
Continue with the installation and complete the installation of the required package at a later point in time. In such case the computer information will not be available in the Inventory Section of the Security Infusion platform.

The main interface screen of the installer is shown in figure below

After the user clicks on Install Security Infusion the installation continues, informing the user about the intermediate steps taken. When completed the installation interface will prompt the user to click Close and exit the installer.

If the Security Infusion installer detects that the software is already installed the user will be given the choice to

Uninstall the Security Infusion agent
Repair the installation of the Security Infusion agent

Alternatively, the user can perform these options by doing so in the Add and remove programs Windows option.

Note: If any problems occur during the installation the user is advised to perform a repair installation.

The Security Infusion installer installs two windows services:

Security Infusion Auditing (ITML Windows Auditing Service)
Wazuh (Wazuh Windows Agent)

Additionally, a Windows Scheduled task Security Infusion Updater is created that will run once per day to check if an updated version of the Security Infusion agent is available. If an updated version is found the agent will proceed to self-update all installed components. If during this update the wazuh agent is updated a backup of its configuration (ossec.conf) will be backed up in the Security Infusion program folder renamed to contain the timestamp of the update.

After installing the windows agent, you can configure a set of parameters, located in:

%Program data path%/Security Infusion/WindowsAuditDService.exe.config

A typical installation path in a 64bit node would be: C:\Program Files (x86)\Security Infusion. The main configuration options of Security Infusion Agent are listed below.

For changes to take effect, you need to restart the Security Infusion Auditing service.

Main Parameters	Default value	Description
SleepTime	240000	Time in milliseconds between active scans of system (collection and analysis of process list, open handles, DLLs, and open connections). The higher the value, the less frequent the active scans of the system are.
ListDllsEnabled	1	If ListDllsEnabled is set to “1”, then the agent retrieves the list of DLLs used by each process. This is a cpu-intensive task that can be disabled by setting ListDllsEnabled to “0”.
ProcMonEnabled	1	If ProcMonEnabled is set to “0”, the collected data (process list, open handles, DLLs, and open connections) will not be sent to the cloud. Only local analysis of these data is performed.

Monitored Service Parameters	Default value	Description
CPULoadWarning	60	CPULoad monitors CPU usage. IF CPU Usage (%) passes the CPULoadWarning threshold , a warning alert is set off.
CPULoadCritical	95	IF CPU Usage (%) passes the CPULoadCritical threshold , a critical alert is set off.
AvailableMemoryWarning	500	If available RAM is less than AvailableMemoryWarning MBs, a warning alert is set off.
AvailableMemoryCritical	100	If available RAM is less than AvailableMemoryCritical MBs, a critical alert is set off.
FreeSpaceWarning	10	If Free space In any of the available disks of the system is below FreeSpaceWarning %, a warning alert is set off.
FreeSpaceCritical	5	If Free space In any of the available disks of the system is below FreeSpaceCritical %, a critical alert is set off.

To restart the service , search for the service called “Security Infusion Auditing” shown in figure below.

2.1.1 Custom service monitoring

In the %Program data path%/Security Infusion/WindowsAuditDService.exe.config, there is a section called RegisterServices where it is possible to define custom services for monitoring. To add a new custom service for monitoring, add a new record, with the following fields:

Term	Description	Optional
name	Name of the service, for identification. The name will be shown at the manager, it must be unique.	No
serviceName	Machine Name of the windows service: (e.g. WSSRV)	Yes
processName	Process name as shown by the process explorer	Yes
commandLine	The command of the process, e.g C:\Windows\System32\spoolsv.exe	Yes
port	Listening port opened by the process	Yes

At least one of the serviceName, processName, commandLine must be not null in the configuration. For example, to monitor the spooler service, add the following service definition


<RegisterServices>
    <services>
        <service name="spooler" serviceName="" processName="spoolsv.exe" commandLine="C:\Windows\System32\spoolsv.exe" port="49669" /> 
    </services>
</RegisterServices>

Windows Agent Requirements

	Minimum	Recommended
OS	Windows 7 Windows / Server 2008	Windows 10 or higher / Windows R2012 or higher
Requirements	32bit/64bit	32bit/64bit
CPU	Intel i3	Intel i5
Memory	2G	4G

2.2 Linux version

Video Tutorial

Untar the packaged installer (by running in a linux shell: tar zxvf linux_agent.tar.gz), downloaded from Admin Panel → Agents. Run (as root) the centos-installer or ubuntu-installer, based on your linux distribution. To run the installation script, you need to have Java 1.8 or later installed. Moreover, for centos installations, docker is also required. The installer puts all new files in /var/secinfusion path. After installing the Linux agent, you can configure a set of parameters, located in /var/secinfusion/config.xml.

The Security Infusion installer installs two services:

Secinfusion. To start, stop, or check the secinfusion service, you can type “service secinfusion {start|stop|status}
OSSEC HIDS. To control the Ossec service, you can use the “/var/ossec/bin/ossec_control” script
Cadvisor ( Either as a local service in ubuntu or in a docker container in centos).

The main configuration options of Security Infusion Agent are listed below. For changes to take effect, you need to restart the secinfusion service.

Main Parameters	Default value	Description
SleepTime	60	Time in seconds between active scans of system (collection and analysis of process list, open handles, DLLs, and open connections). The higher the value, the less frequent the active scans of the system are.
ProcMonEnabled	1	If ProcMonEnabled is set to “0”, the collected data (process list, open handles, DLLs, and open connections) will not be sent to the cloud. Only local analysis of these data is performed.

Monitored Service Parameters	Default value	Description
CPULoadWarning	60	CPULoad monitors CPU usage. IF CPU Usage (%) passes the CPULoadWarning threshold , a warning alert is set off.
CPULoadCritical	95	IF CPU Usage (%) passes the CPULoadCritical threshold , a critical alert is set off.
AvailableMemoryWarning	500	If available RAM is less than AvailableMemoryWarning MBs, a warning alert is set off.
AvailableMemoryCritical	100	If available RAM is less than AvailableMemoryCritical MBs, a critical alert is set off.
LoadWarning	1	If load is above this threshold, a warning alert is set off.
LoadCritical	3	If load is above this threshold, a critical alert is set off.

2.2.1 Custom service monitoring

In the /var/secinfusion/config.xml file, there is a section called RegisterServices where it is possible to define custom services for monitoring. To add a new custom service for monitoring, add a new record, with the following fields:

Term	Description	Optional
name	Name of the service, for identification. The name will be shown at the manager, it must be unique.	No
serviceName	Machine Name of the service as shown in the Monitoring-> processes tab , in the container group column. (e.g. /system.slice/sshd.service)	Yes
processName	Process name as shown by ps(e.g. sshd )	Yes
commandLine	The command of the process, (e.g /usr/sbin/sshd -D)	Yes
port	Listening port opened by the process	Yes

At least one of the serviceName, processName, commandLine must be not null in the configuration. For example, to monitor the sshd process, add the following service definition:


<RegisterServices>
    <services>
        <service name="sshdservice" serviceName="" processName="sshd" commandLine="" port="22" />
    </services>
</RegisterServices>

Linux Agent Requirements

	Minimum	Recommended
OS	Centos 7 or Ubuntu 18.04	Centos 7 or Ubuntu 18.04
Platform	32bit/64bit	32bit/64bit
Software requirements	JRE 1.8	JRE 1.8
CPU	Intel i3	Intel i5
Memory	2G	4G

3 Manager Configuration

3.1 Managing Notifications

In the Admin Panel → Notifications tab, you can setup a mail address for receiving alerts. You can also set the preferred timezone for the report scheduling (Figure 12 Notifications tab in Admin).

3.2 Managing Agents

In the Admin Panel → Agents tab, you can check the remaining licenses, and enable/disable agents. You can also download the installation packages from this screen (Figure 13 Agents tab).

3.3 Monitoring and Alerting Functionality

In Admin Panel → Monitoring tab (figure below), you can enable or disable email notifications for you agents. There are three types of notifications:

Host status notification: An email notification is sent when there is no communication with the agent for more than 10 minutes (Host down alert).
Service status notification: An email notification is sent when a monitored service is in warning or critical state.
Security event notification: An email notification is sent when a suspicious event is detected. (The whole list of events per agent can be found in Event Analyser.

3.4 Event Analyser and Custom Filters Functionality

In the Event Analyser ( Available in the vertical menu), the user has the option to monitor the events from all nodes.

Select “All labeled events” option to retrieve aggregated events, categorized by type ( Audit , Security,Network etc) and node.

Select “All events” to get a feed of events, where you can filter by node, log type, program producing the event and time range. You can also do full text search by adding a specific term.

Both aforementioned options provide a live feed of data for the current day and are refreshed periodically. If you need to go back to a previous date, disable the auto-refresh option and select previous date from the calendar.

In Admin Panel → Custom Filters tab you can customize the notifications you receive for events that are of importance. Create a filter by selecting specific nodes, alert types, alert severity, or specific conditions (e.g. source IP, account name, etc.).

Enabled filters will be visible in the Event Analyser, under the “Custom Filters” section. This section is updated every few minutes with new events/alerts and also an email notification is sent when such an event is detected.

3.5 Reporting Functionality

In Admin Panel → “Reporting” tab you can schedule the creation of reports. A report schedule is based on a pre-existing custom filter (that can be enabled or disabled) and a custom schedule. The reports are available for viewing online of downloading in the Reports section of the vertical menu.

Note: Make sure to download the reports, because they are available for only one month after their creation in the Manager.

3.6 Create Slack webhook

Head to https://api.slack.com/apps and click Create New App.

Fill in App Name and Development Slack Workspace and click Create App.

In the next screen you can edit your app, display info etc. Afterwards, click on “Add features and functionality” on the “Bots” tab.

Press the Incoming Webhooks panel and activate Webhooks by turning the switch to On. You will need to install the app on your Workspace selecting a channel for the bot to send messages to. After the installation step, on the webhooks page there is a webhook url on the bottom of the page.

Click on Copy to get the url and head to the security Infusion webpage.

Fill in the webhook URL to get alerts.

3.7 Adding support for Bitdefender events

Go to the cloud console of Bitdefender and select the “My Account” option in the submenu under your name.

Go to API keys and create a new key, giving access only to the “Event Push Service API”.

Copy the newly created key and go to https://security-infusion/admin, in the Notifications tab. Paste and save the key in the Bitdefender API key text box.

3.8 Backup Configuration Instructions

Click on the Admin Panel Icon menu and select the Backup Tab.

Click on the Configure Backup button and after selecting between SFTP or S3 type fill in the configuration details:

After pressing save if the configuration details are correct and the service is able to contact the backup destination, a notification will appear

Otherwise you’ll get an error notification

After a successful connection message the configuration settings will be shown along with the following actions:

Configure Backup: Edit configuration details
Restore Backup: Upload restoration files
Test Connection: Test service connectivity to current configuration
Status Toggle: Enable/Disable Backup process

Restore Backup

By pressing the Restore Backup Button you can see your available Backup Slots (maximum of 3). If there are already restored files, you can choose to view them (Event Viewer) or delete them to free the slot up (Empty Slot).

Uploading a backup file will start up a validation and restoration process. When it is complete you will be notified to access the restored index.

Errors during Backup

Every time an error is encountered during the Backup process (not enough space, connectivity issues etc) they will be logged in the Errors table:

4. Frequently Asked Questions

4.1 Web Interface

Can I remove disabled agents from the web interface?

The user can not remove agents that have been disabled so as to protect against data loss.

4.2 Windows Agent

Why am I not seeing an agent I installed in the Inventory Section?

If the agent's OS is Windows 7 check that Windows Management Framework 5.1 is installed.

Which services are installed in a computer by the Security Infusion Installer?

There are two different services installed:

Security Infusion Auditing
Wazuh

Security Infusion Auditing and Wazuh services are running but I do not see any agent data in the Web Interface

The monitored computer needs to have access to the internet and you need to allow outgoing traffic:

Port 443/tcp (https) for the Security Infusion Auditing Service
Port 1514/tcp for the Wazuh Service