00:05
Welcome to our video on OSSIM architecture fundamentals.
00:11
The objectives for this video are to go over some glossary terms,
00:15
review some of OSSIM's main open source components,
00:19
view a couple of different deployment architectures,
00:22
look at the rationale for single versus multi-sensor deployments,
00:26
and go over my lab overview.
00:31
To start, you'll see the three main components of OSSIM:
00:35
a server, a sensor and a logger.
00:38
These can either be separate machines or all combined into one machine,
00:42
also known as an all-in-one solution.
00:46
A sensor can perform multiple tasks such as raw log normalization, vulnerability scanning,
00:52
passive and active asset discovery,
00:54
and log forwarding to the OSSIM server.
00:59
A logger serves as the storage component in AlienVault.
01:02
Loggers can be used for extended raw log retention, which is often needed for compliance.
01:07
Please note that loggers cannot be separated out from the main OSSIM server.
01:14
This is a selling point of AlienVault's premium USM offering.
01:19
The server component performs analysis and correlation on the normalized logs.
01:23
This is also where analysts will connect to in order to view events and alarms, kick off vulnerability scans and perform other administrative tasks.
01:34
An all-in-one solution simply combines all three pieces into one single server.
01:42
Moving on to the next item. Raw logs are the un-normalized logs sent to AlienVault.
01:48
Through ingesting raw logs and analyzing network traffic, OSSIM creates events.
01:53
These are used for correlation and alarm generation.
02:00
Alarms are triggered when certain event criteria are met.
02:02
For example, a Windows failed logon might create one single event,
02:08
but three of these events within 60 seconds might generate an alarm.
02:13
These alarms prompt analysts to perform further investigation.
02:21
A data source plugin is essentially a log parser.
02:24
These are tied to specific services or devices, such as a Palo Alto firewall.
02:31
These parsers help normalize the log data.
02:37
Syslog is a standardized protocol to send log and event information.
02:42
As an example, we're going to learn how to send system logs from a Linux web server to our OSSIM installation over syslog via port 514.
02:53
OSSIM relies on many different open source programs, but here are some of the most notable.
03:00
Each is worth researching individually.
03:04
You can install these programs in a lab environment to learn more about them without the overhead of a SIEM installation.
03:10
As an example, you may want to learn more about how to operate OpenVAS.
03:15
You can simply install OpenVAS on a separate virtual machine and perform some scans. This knowledge will transfer directly into utilizing OpenVAS in an OSSIM installation.
03:29
Choosing a deployment setup relies on a couple of factors.
03:32
Firstly, if you need a network intrusion detection system at a remote branch, you're going to want a sensor on site with Suricata running.
03:40
You also might want more than one sensor to help manage the load on the main OSSIM server.
03:46
If you have a large corporate environment that is generating too many logs for your server to process, you can set up another sensor or two and have them take a bit of load off the server.
03:58
Another factor to consider is OpenVAS.
04:00
OpenVAS vulnerability scans can be performed through a specific sensor.
04:05
This can help keep scans local to the target in question,
04:09
which helps with bandwidth and connectivity limitations on more unreliable networks.
04:16
Regarding a lab setup, you only need to have a single sensor.
04:20
However, in this course we're going to learn how to set up both a server and a sensor individually.
04:27
This will help you learn to scale your lab as needed.
04:31
Here is a pretty simplified example of a single-sensor deployment.
04:36
In this scenario, we have a network intrusion detection system monitoring the mirror port of an internal network.
04:45
We have complete visibility into our internal network with only a single sensor.
04:49
Making this scenario a bit more complicated, we can see a basic layout of a multi-sensor deployment.
04:57
In this deployment, both the NA and EU sensors are collecting log information from their respective branches.
05:03
Additionally, they're tied into the switches, providing network intrusion detection visibility for each site.
05:11
Note that the server is not marked inside a specific branch.
05:15
The server can actually reside in either the NA or EU branch. In this scenario, assuming that proper routing is in place, it doesn't matter where the servers and sensors are located.
05:26
This can potentially provide quite a bit of flexibility as you're planning a deployment.
05:32
Moving on to my lab setup, you can see the basic overview of what we'll be installing and configuring.
05:40
While planning your own lab setup, I'd recommend documenting something similar.
05:46
To start, we'll install an OSSIM server and sensor.
05:49
I'll start from the very first initial step and not assume any prior knowledge.
05:56
Even if you have never installed Linux before, you'll be able to follow along just fine.
06:00
Once installation is finished, we will perform further configuration on our OSSIM virtual machines.
06:08
This will allow the two to communicate with each other properly.
06:12
Our next step will be installing our Linux web server, which will include a LAMP stack and OpenSSH server.
06:18
Next, we'll be importing and updating our Kali Linux VirtualBox image.
06:24
Once that is completed, we'll have all our machines ready to go.
06:28
Pushing forward, we can finish configuring our OSSIM installation.
06:32
Our last step, we will be learning how to forward logs over syslog from a Linux server.
06:38
We'll do this by sending all our locally generated logs from our Linux web server to our OSSIM installation.
06:46
By the end of this course, you will have a fully functional AlienVault OSSIM lab setup.
06:51
This could be a great environment to learn other skills such as penetration testing or writing IDS rules.
07:01
Before we dig into our lab creation, I do want to mention that AlienVault has some wonderful documentation.
07:09
While much of this is geared toward their paid offering, these documents can be a valuable resource as you go through this course or want to do something more complex afterwards.
07:19
Now that you have some theory behind SIEMs and OSSIM in particular, we can start getting our lab ready.