AT&T Cybersecurity AlienVault USM Anywhere Integration Guide

This document describes how to configure a WatchGuard Firebox to send log data to AT&T Cybersecurity AlienVault USM Anywhere.

Integration Summary

These devices and services were used to test this integration:

  • AlienVault USM Anywhere:
    • Cloud
    • Sensor version 7.6.822
  • WatchGuard Firebox:
    • M400
    • Version 12.7.1

Configuration

To complete this integration, you must first deploy AlienVault USM Anywhere. In our integration tests, we used AlienVault USM Anywhere with a WatchGuard Firebox M400.

Topology diagram

Before You Begin

To set up the AlienVault USM Anywhere environment, see the AlienVault USM Anywhere Setup Guide. This document describes only the USM Anywhere settings that are required for the integration, how to configure the Firebox to send syslog messages to the USM Anywhere sensor, and how to confirm that the messages are received and parsed as events.

Set Up AlienVault USM Anywhere

After you deploy the AlienVault USM Anywhere cloud instance and the USM Anywhere Sensor, log in to the USM Anywhere cloud web UI.

When you log in to the USM Anywhere cloud web UI for the first time, a wizard guides you through asset discovery. You can also add assets manually, as described next.

Add Asset Manually

  1. Navigate to Environment > Assets.

Screen shot of the add Assets

  2. Select Actions > Advanced.
    The Create New Asset window opens.
  3. In the Name text box, enter a name to identify the asset. In this example, it is M400.
  4. From the Sensor drop-down list, select your USM Anywhere sensor.
  5. In the IP Address text box, enter the IP address of the Firebox. In this example, it is 192.168.88.100. Use the address of the Firebox interface that will send syslog messages to the sensor, because USM Anywhere associates received log messages with an asset by the source IP address of the messages.
  6. From the Asset Type drop-down list, select Firewall.
  7. The other fields are optional. Click Save.

Screen shot of the Create New Asset

Set Up Your Firebox to Send Syslog Messages to the AlienVault USM Anywhere Sensor

  1. Connect to your Firebox with Policy Manager or through the Fireware Web UI. In this example, we use Fireware Web UI.
  2. Select System > Logging.
  3. Select Syslog Server.
  4. Select the Send log messages to these syslog servers check box.
  5. Click Add.

Screen shot of the Syslog Server

  6. In the IP Address text box, type the IP address of the AlienVault USM Anywhere sensor. In this example, the IP address is 192.168.88.50.
  7. In the Port text box, type the port on which the USM Anywhere sensor listens for syslog messages. The default port is 514. The Firebox sends standard syslog messages over UDP in clear text, with no authentication, so the network path between the Firebox and the sensor should be a trusted management network.
  8. From the Log Format drop-down list, select Syslog. Leave all other settings at their default values.
  9. Click OK.
  10. Click Save.

Test the Integration

Confirm Syslog Receive

  1. In the AlienVault USM Anywhere cloud web UI, select Data Sources > Sensors.
  2. Select Sensor Apps > Syslog Server to view the number of syslog packets received. If the counter does not increase after you save the Firebox syslog configuration, check that the Firebox can reach the sensor on UDP port 514 and that no firewall policy between them blocks the traffic.
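If the packet counter in the Syslog Server app does not increase, it helps to confirm on the wire that the Firebox syslog messages actually arrive on the sensor's network, and to check that each message carries the PRI, hostname and msg_id fields that the USM Anywhere WatchGuard parser keys on. The script below is an added example, not code from the WatchGuard or AT&T Cybersecurity guide: it is a minimal UDP syslog receiver plus an RFC 3164 header parser. The sample message is constructed in the general shape of a Fireware traffic log (PRI 142 is facility local1, severity info); the function names, the port argument and the loopback self-test are this example's own assumptions.

```python
"""Minimal UDP syslog receiver and parser for checking Firebox -> USM sensor delivery.

Added example, not part of the integration guide. Run on the sensor host (or any
host on the sensor's network) with a port argument, point the Firebox syslog
server setting at that host and port, and the first datagram received is parsed
and printed. Port 514 requires root; any other port works for a quick check.
"""
import re
import socket

# Constructed sample in the general shape of a Fireware "Syslog" format traffic
# log. PRI 142 = facility 17 (local1) * 8 + severity 6 (info).
SAMPLE_FIREBOX_MSG = (
    b'<142>Jan  5 10:00:00 M400 (2021-01-05T10:00:00) firewall: '
    b'msg_id="3000-0148" Allow 1-Trusted 0-External 52 tcp 20 127 '
    b'192.168.88.100 203.0.113.10 51234 443 offset 8 S 0 win 64240 (HTTPS-00)'
)

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_HEADER_RE = re.compile(
    rb"^<(?P<pri>\d{1,3})>"                             # RFC 3164 PRI field
    rb"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "   # BSD timestamp
    rb"(?P<host>\S+) "                                  # Firebox device name
    rb"(?P<body>.*)$",
    re.DOTALL,
)
_MSGID_RE = re.compile(rb'msg_id="(?P<id>[^"]+)"')      # Fireware log message ID


def parse_syslog(datagram: bytes) -> dict:
    """Split an RFC 3164 datagram into facility, severity, host, msg_id and body."""
    m = _HEADER_RE.match(datagram)
    if not m:
        raise ValueError("not an RFC 3164 syslog datagram")
    pri = int(m.group("pri"))
    if pri > 191:  # max facility 23 * 8 + severity 7
        raise ValueError("PRI out of range")
    body = m.group("body")
    msg_id = _MSGID_RE.search(body)
    return {
        "facility": pri >> 3,
        "severity": SEVERITIES[pri & 7],
        "host": m.group("host").decode(),
        "msg_id": msg_id.group("id").decode() if msg_id else None,
        "body": body.decode(errors="replace"),
    }


def receive_one(bind_addr: str = "0.0.0.0", port: int = 514, timeout: float = 30.0):
    """Wait for one syslog datagram and return (sender_ip, parsed_message).

    The sender IP is worth checking: it must equal the IP of the Firebox asset
    created in USM Anywhere, or the events will not be tied to that asset.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_addr, port))
        s.settimeout(timeout)
        data, (ip, _) = s.recvfrom(65535)
    return ip, parse_syslog(data)


def loopback_roundtrip(message: bytes = SAMPLE_FIREBOX_MSG) -> dict:
    """Offline self-test: send the sample to an ephemeral local UDP port and parse it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
        rx.settimeout(5.0)
        port = rx.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
            tx.sendto(message, ("127.0.0.1", port))
        data, (ip, _) = rx.recvfrom(65535)
    if ip != "127.0.0.1":
        raise RuntimeError("unexpected sender")
    return parse_syslog(data)


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        sender, parsed = receive_one(port=int(sys.argv[1]))
        print(f"message from {sender}: {parsed}")
    else:
        print(loopback_roundtrip())
```

Running the script without arguments performs the loopback self-test only; with a port argument it blocks until the first datagram arrives, which is the quickest way to tell a routing or policy problem (nothing arrives) from a parsing problem (packets arrive but the counter in USM Anywhere stays at zero or no events appear).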

Screen shot of the Confirm syslog receive

Event Display

  1. Select Activity > Events. After the sensor receives the syslog messages, USM Anywhere parses them and creates events.

Screen shot of the Event display

  2. Select an event to show its details.

Screen shot of the Event details