Go to Admin Panel → Notifications to set the “Notification email”. This is the email address set to receive all alerts from Security Infusion. You can also set the preferred timezone for the report scheduling. Moreover, you can setup a webhook for sending notifications to other apps such as Slack.
To enable a new agent configuration, go to Admin Panel → Agents. Select “Create new agent’, provide a name for the agent and type (windows or linux). After enabling a new agent, you can download the installation package and install it in the node you want to monitor. More information about agent installation can be found in the next section.
Unzip the packaged installer, downloaded from Admin Panel → Agents.
The installation of the Security Infusion Agent requires elevated windows privileges (admin). If the logged-on user performing the installation does not hold such rights, a prompt will be shown requiring credentials of an account with admin rights. Depending on the Windows Operating system, the user may be presented with the User Account Control (UAC) screen.
By clicking Show more details → Show information about the publisher’s certificates the information of the security certificate used to sign the installer is shown.
Note: For Windows 7 operating system the security prompt will state that the software publisher is “unknown”. This is due to the fact that Windows 7 support ended in January 2020 and therefore these systems lack the current Windows Root and Intermediate Certificates.
Security Infusion agent requires .Net Framework to be installed, with a version equal or greater of 4.6.1. If the installer detects that this requirement is not met then the message shown in Figure 6 appears.
By clicking OK the installer exits and the web page is opened in the web browser to download .Net Framework 4.8. After the installation of the downloaded installation package the user may be prompted for a reboot. Furthermore, depending on the Windows Operating System type the installer will check if Windows Powershell version v4 is installed. If it is not found the user will be prompted with the screen shown in Figure 6 Windows Powershell 4 not found:
The user has a choice to:
The main interface screen of the installer is shown in figure below
After the user clicks on Install Security Infusion the installation continues, informing the user about the intermediate steps taken. When completed the installation interface will prompt the user to click Close and exit the installer.
If the Security Infusion installer detects that the software is already installed the user will be given the choice to
Alternatively, the user can perform these options by doing so in the Add and remove programs Windows option.
Note: If any problems occur during the installation the user is advised to perform a repair installation.
The Security Infusion installer installs two windows services:
Additionally, a Windows Scheduled task Security Infusion Updater is created that will run once per day to check if an updated version of the Security Infusion agent is available. If an updated version is found the agent will proceed to self-update all installed components. If during this update the wazuh agent is updated a backup of its configuration (ossec.conf) will be backed up in the Security Infusion program folder renamed to contain the timestamp of the update.
After installing the windows agent, you can configure a set of parameters, located in:
%Program data path%/Security Infusion/WindowsAuditDService.exe.config
A typical installation path in a 64bit node would be: C:\Program Files (x86)\Security Infusion. The main configuration options of Security Infusion Agent are listed below.
For changes to take effect, you need to restart the Security Infusion Auditing service.
Main Parameters | Default value | Description |
---|---|---|
SleepTime | 240000 | Time in milliseconds between active scans of system (collection and analysis of process list, open handles, DLLs, and open connections). The higher the value, the less frequent the active scans of the system are. |
ListDllsEnabled | 1 | If ListDllsEnabled is set to “1”, then the agent retrieves the list of DLLs used by each process. This is a cpu-intensive task that can be disabled by setting ListDllsEnabled to “0”. |
ProcMonEnabled | 1 | If ProcMonEnabled is set to “0”, the collected data (process list, open handles, DLLs, and open connections) will not be sent to the cloud. Only local analysis of these data is performed. |
Monitored Service Parameters | Default value | Description |
---|---|---|
CPULoadWarning | 60 | CPULoad monitors CPU usage. IF CPU Usage (%) passes the CPULoadWarning threshold , a warning alert is set off. |
CPULoadCritical | 95 | IF CPU Usage (%) passes the CPULoadCritical threshold , a critical alert is set off. |
AvailableMemoryWarning | 500 | If available RAM is less than AvailableMemoryWarning MBs, a warning alert is set off. |
AvailableMemoryCritical | 100 | If available RAM is less than AvailableMemoryCritical MBs, a critical alert is set off. |
FreeSpaceWarning | 10 | If Free space In any of the available disks of the system is below FreeSpaceWarning %, a warning alert is set off. |
FreeSpaceCritical | 5 | If Free space In any of the available disks of the system is below FreeSpaceCritical %, a critical alert is set off. |
To restart the service , search for the service called “Security Infusion Auditing” shown in figure below.
In the %Program data path%/Security Infusion/WindowsAuditDService.exe.config, there is a section called RegisterServices where it is possible to define custom services for monitoring. To add a new custom service for monitoring, add a new record, with the following fields:
Term | Description | Optional |
---|---|---|
name | Name of the service, for identification. The name will be shown at the manager, it must be unique. | No |
serviceName | Machine Name of the windows service: (e.g. WSSRV) | Yes |
processName | Process name as shown by the process explorer | Yes |
commandLine | The command of the process, e.g C:\Windows\System32\spoolsv.exe | Yes |
port | Listening port opened by the process | Yes |
At least one of the serviceName, processName, commandLine must be not null in the configuration. For example, to monitor the spooler service, add the following service definition
<RegisterServices>
<services>
<service name="spooler" serviceName="" processName="spoolsv.exe" commandLine="C:\Windows\System32\spoolsv.exe" port="49669" />
</services>
</RegisterServices>
Windows Agent Requirements
Minimum | Recommended | |
---|---|---|
OS | Windows 7 Windows / Server 2008 | Windows 10 or higher / Windows R2012 or higher |
Requirements | 32bit/64bit | 32bit/64bit |
CPU | Intel i3 | Intel i5 |
Memory | 2G | 4G |
Untar the packaged installer (by running in a linux shell: tar zxvf linux_agent.tar.gz), downloaded from Admin Panel → Agents. Run (as root) the centos-installer or ubuntu-installer, based on your linux distribution. To run the installation script, you need to have Java 1.8 or later installed. Moreover, for centos installations, docker is also required. The installer puts all new files in /var/secinfusion path. After installing the Linux agent, you can configure a set of parameters, located in /var/secinfusion/config.xml.
The Security Infusion installer installs two services:
The main configuration options of Security Infusion Agent are listed below. For changes to take effect, you need to restart the secinfusion service.
Main Parameters | Default value | Description |
---|---|---|
SleepTime | 60 | Time in seconds between active scans of system (collection and analysis of process list, open handles, DLLs, and open connections). The higher the value, the less frequent the active scans of the system are. |
ProcMonEnabled | 1 | If ProcMonEnabled is set to “0”, the collected data (process list, open handles, DLLs, and open connections) will not be sent to the cloud. Only local analysis of these data is performed. |
Monitored Service Parameters | Default value | Description |
---|---|---|
CPULoadWarning | 60 | CPULoad monitors CPU usage. IF CPU Usage (%) passes the CPULoadWarning threshold , a warning alert is set off. |
CPULoadCritical | 95 | IF CPU Usage (%) passes the CPULoadCritical threshold , a critical alert is set off. |
AvailableMemoryWarning | 500 | If available RAM is less than AvailableMemoryWarning MBs, a warning alert is set off. |
AvailableMemoryCritical | 100 | If available RAM is less than AvailableMemoryCritical MBs, a critical alert is set off. |
LoadWarning | 1 | If load is above this threshold, a warning alert is set off. |
LoadCritical | 3 | If load is above this threshold, a critical alert is set off. |
In the /var/secinfusion/config.xml file, there is a section called RegisterServices where it is possible to define custom services for monitoring. To add a new custom service for monitoring, add a new record, with the following fields:
Term | Description | Optional |
---|---|---|
name | Name of the service, for identification. The name will be shown at the manager, it must be unique. | No |
serviceName | Machine Name of the service as shown in the Monitoring-> processes tab , in the container group column. (e.g. /system.slice/sshd.service) | Yes |
processName | Process name as shown by ps(e.g. sshd ) | Yes |
commandLine | The command of the process, (e.g /usr/sbin/sshd -D) | Yes |
port | Listening port opened by the process | Yes |
At least one of the serviceName, processName, commandLine must be not null in the configuration. For example, to monitor the sshd process, add the following service definition:
<RegisterServices>
<services>
<service name="sshdservice" serviceName="" processName="sshd" commandLine="" port="22" />
</services>
</RegisterServices>
Linux Agent Requirements
Minimum | Recommended | |
---|---|---|
OS | Centos 7 or Ubuntu 18.04 | Centos 7 or Ubuntu 18.04 |
Platform | 32bit/64bit | 32bit/64bit |
Software requirements | JRE 1.8 | JRE 1.8 |
CPU | Intel i3 | Intel i5 |
Memory | 2G | 4G |
In the Admin Panel → Notifications tab, you can setup a mail address for receiving alerts. You can also set the preferred timezone for the report scheduling (Figure 12 Notifications tab in Admin).
In the Admin Panel → Agents tab, you can check the remaining licenses, and enable/disable agents. You can also download the installation packages from this screen (Figure 13 Agents tab).
In Admin Panel → Monitoring tab (figure below), you can enable or disable email notifications for you agents. There are three types of notifications:
In the Event Analyser ( Available in the vertical menu), the user has the option to monitor the events from all nodes.
Select “All labeled events” option to retrieve aggregated events, categorized by type ( Audit , Security,Network etc) and node.
Select “All events” to get a feed of events, where you can filter by node, log type, program producing the event and time range. You can also do full text search by adding a specific term.
Both aforementioned options provide a live feed of data for the current day and are refreshed periodically. If you need to go back to a previous date, disable the auto-refresh option and select previous date from the calendar.
In Admin Panel → Custom Filters tab you can customize the notifications you receive for events that are of importance. Create a filter by selecting specific nodes, alert types, alert severity, or specific conditions (e.g. source IP, account name, etc.).
Enabled filters will be visible in the Event Analyser, under the “Custom Filters” section. This section is updated every few minutes with new events/alerts and also an email notification is sent when such an event is detected.
In Admin Panel → “Reporting” tab you can schedule the creation of reports. A report schedule is based on a pre-existing custom filter (that can be enabled or disabled) and a custom schedule. The reports are available for viewing online of downloading in the Reports section of the vertical menu.
Note: Make sure to download the reports, because they are available for only one month after their creation in the Manager.
Head to https://api.slack.com/apps and click Create New App.
Fill in App Name and Development Slack Workspace and click Create App.
In the next screen you can edit your app, display info etc. Afterwards, click on “Add features and functionality” on the “Bots” tab.
Press the Incoming Webhooks panel and activate Webhooks by turning the switch to On. You will need to install the app on your Workspace selecting a channel for the bot to send messages to. After the installation step, on the webhooks page there is a webhook url on the bottom of the page.
Click on Copy to get the url and head to the security Infusion webpage.
Fill in the webhook URL to get alerts.
Go to the cloud console of Bitdefender and select the “My Account” option in the submenu under your name.
Go to API keys and create a new key, giving access only to the “Event Push Service API”.
Copy the newly created key and go to https://security-infusion/admin, in the Notifications tab. Paste and save the key in the Bitdefender API key text box.
The user can not remove agents that have been disabled so as to protect against data loss.
If the agent's OS is Windows 7 check that Windows Management Framework 5.1 is installed.
There are two different services installed:
The monitored computer needs to have access to the internet and you need to allow outgoing traffic: